This release contains bug fixes and minor enhancements, including one patch with potential security implications related to path matching.

Notable patches:

  • Path matchers unescape/clean URI paths to normalize match space
  • Fix regex matching in map handler

Notable enhancements:

  • try_files can now accept =nnn (e.g. =404) to yield a status code instead of a file.
  • Template actions httpError (stop eval and return HTTP error) and import (like include but changes template context) were added
  • New placeholder {http.request.tls.client.certificate_der_base64}


749e55c caddycmd: Add --keep-backup to upgrade commands (#4387)
062657d caddycmd: Add --skip-standard to list-modules command, quieter output (#4386)
be5f77e caddycmd: fix caddy validate/fmt help message (#4377)
907e2d8 caddyhttp: Add support for triggering errors from try_files (#4346)
cbb045a caddyhttp: Placeholder for client cert in DER + base64 format (#4241)
e7457b4 caddyhttp: Sanitize the path before evaluating path matchers (#4407)
837cdc5 caddyhttp: reverseproxy: clarify warning for -insecure (#4379)
24fda75 caddytls: Mark storage clean timestamp at end of routine (#4401)
a779e1b fastcgi: Fix Caddyfile parsing when handle_response is used (#4342)
3f2c3ec fastcgi: Implement try_files override in Caddyfile directive (#4347)
64f8b55 fileserver: Fix compression breaks using httpInclude (#4352) (#4358)
d3a0259 fileserver: Fix displayed file size if it is symlink (#4354)
0a5f7a6 fileserver: Make file listing links purple once visited (#4356)
a21d5a0 fileserver: Prevent focusing filter from scrolling on page load (#4393)
33c70f4 fileserver: properly handle escaped/non-ascii paths (#4332)
c4790d7 go.mod: Carefully upgrade some dependencies (fix #4251)
997e41d go.mod: Replace promptui with Apache-compatible fork (fix #4394)
f376a38 go.mod: Update ACMEz and CertMagic
a437206 headers: Canonicalize case in replace (fix #4330)
012d235 httpcaddyfile: Empty tls policy for internal http localhost (#4398)
0ffb222 httpcaddyfile: Preserve IPv6 addresses through normalization (fix #4381)
a2119c0 map: Fix 95c0350 (avoid repeated expansions)
95c0350 map: Fix regex mappings
3336faf reverseproxy: Log error at error level (fix #4360)
b092061 reverseproxy: Prevent copying the response if a response handler ran (#4388)
f73f55d reverseproxy: Sanitize scheme and host on incoming requests (#4237)
5fda961 templates: Add 'import' action (#4321)
16f7521 templates: Add tests for funcInclude and funcImport (#4357)
2392478 templates: Propagate httpError to HTTP response

A hotfix for a regression introduced in v2.4.4 related to combining the encode and reverse_proxy directives. Please see the v2.4.4 release notes for a more complete changelog.


9f6393c cmd: export CaddyVersion(), Commands() (#4316)
4ebf100 encode: ignore flushing until after first write (#4318)
46ab93b go.mod: Update CertMagic

This release contains numerous bug fixes, updated dependencies, and QoL improvements.

Update: This release contains a known regression in the combination of encode and reverse_proxy modules; please use v2.4.5 instead.

Thanks to all contributors, and a special thanks to @francislavoie and @mohammed90 for their dedication in helping to maintain the project and help others.


0bdb8aa acmeserver: Don't set host for directory links by default
2de7e14 acmeserver: Trim slashes from path prefix
c131339 admin: Implement load_interval to pull config on a timer (#4246)
a10910f admin: Sync server variables (fix #4260) (#4274)
51f125b caddyfile: Better error message for missing site block braces (#4301)
d74913f caddyfile: Error on invalid site addresses containing comma (#4302)
b6f5125 caddyfile: keep error chain info in Dispenser.Errf (#4233)
1c6c771 caddyhttp: Fix edgecase with auto HTTP->HTTPS logic (#4243)
42e140b caddyhttp: Fix incorrect determination of gRPC protocol (#4236)
c1cd192 caddyhttp: Updated the documentation for MatchQuery (#4295)
81e5318 caddytls: Remove "IssuerRaw" field
ce5a45d cmd: Fix paths when using an env file (#4296)
68c5c71 cmd: New add-package and remove-package commands (#4226)
9e333c3 cmd: use net.ErrClosed for matching returned error (#4289)
1b1e625 core: Unix ns and Unix ms time placeholders (#4280)
69c9144 encode: Tweak compression settings (#4215)
4245ceb fileserver: Add disable_canonical_uris Caddyfile subdirective (#4222)
191dc86 fileserver: Clarify docs about canonicalization
9e16e80 fileserver: Fix browse name_dir_first sorting (#4218)
885a9aa go.mod: Update dependencies (close #4216)
f43fd6f go.mod: Upgrade CertMagic to v0.14.4
84b906a go.mod: Upgrade some dependencies
ab32440 httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)
b3d35a4 httpcaddyfile: Don't put localhost in public APs (fix #4220)
569ecdb httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)
bfbc459 httpcaddyfile: Improve unrecognized directive errors
403732c httpcaddyfile: Reorder some directives (#4311)
46d99ab logging: Add missing interface guards for replace filter (#4244)
124ba1b logging: Prep for common_log removal (#4149)
8a974a4 logging: Warn for deprecated single_field encoder
e6c29ce reverseproxy: Incorporate latest proxy changes from stdlib (#4266)
d882211 reverseproxy: Keep path to unix socket as dial address (#4232)
f70a757 reverseproxy: Remove redundant flushing (#4299)

Guess what: this is our 100th release! 🎉 🥳 🎊

A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments. Please note some changes in this patch:

  • ⚠️ In reverse_proxy, the max_idle_conns_per_host option has been removed (both Caddyfile and JSON). This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to keepalive_idle_conns_per_host. In JSON, we simply removed the property, and you should instead set keep_alive/max_idle_conns_per_host if you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
  • 🛡️ Security patch in the FastCGI transport that now sanitizes paths against directory traversal outside the site root. PR #4207.
  • 🐛 Fix canonicalization redirects in file_server. v2.4.2 introduced a bugfix (#4179) for these redirects when used inside handle_path (i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.
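
The two path-related fixes on this page (path matchers normalizing the URI path before matching, #4407, and the FastCGI transport joining paths without leaving the site root, #4207) rest on the same idea, shown here as an added example that is not Caddy's code. The function names `normalizeForMatch`, `matchesPrefix` and `joinUnderRoot`, the `/admin/` prefix and the `/srv/site` root are hypothetical, and forward-slash paths on a Unix-like host are assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// normalizeForMatch (hypothetical name) percent-decodes and cleans a raw URI
// path so that every spelling of one resource maps to one string to match on.
func normalizeForMatch(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err // malformed escape: let the caller reject the request
	}
	cleaned := path.Clean("/" + decoded)
	// path.Clean drops a trailing slash; restore it so "/dir/" stays distinct.
	if strings.HasSuffix(decoded, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned, nil
}

// matchesPrefix reports whether a path matcher for prefix applies to rawPath
// after normalization; a decoding error is returned instead of being guessed at.
func matchesPrefix(rawPath, prefix string) (bool, error) {
	norm, err := normalizeForMatch(rawPath)
	if err != nil {
		return false, err
	}
	return strings.HasPrefix(norm, prefix), nil
}

// joinUnderRoot (hypothetical name) maps a request path to a file path that
// cannot leave root: cleaning a "/"-rooted path first collapses every ".."
// at the top, so filepath.Join has nothing left to climb with.
func joinUnderRoot(root, reqPath string) string {
	if root == "" {
		root = "."
	}
	return filepath.Join(root, filepath.FromSlash(path.Clean("/"+reqPath)))
}

func main() {
	// Constructed sample paths: four spellings of /admin/panel, one unrelated.
	for _, p := range []string{"/admin/panel", "/%61dmin/panel", "//admin/panel",
		"/public/%2e%2e/admin/panel", "/public/index.html"} {
		ok, err := matchesPrefix(p, "/admin/")
		fmt.Printf("%-28s raw=%-5v normalized=%v err=%v\n", p, strings.HasPrefix(p, "/admin/"), ok, err)
	}
	// Joining the uncleaned input directly would resolve outside /srv/site.
	fmt.Println(joinUnderRoot("/srv/site", "/../../etc/passwd"))
}
```

The `raw` column shows which spellings a matcher comparing the unnormalized path would miss; a configuration that guards a prefix with a path matcher should be re-tested with such spellings after upgrading.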


9d4ed3a caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
e8ae80a fileserver: Don't persist parsed template (fix #4202)
fbd6560 fileserver: Only redirect if filename not rewritten (fix #4205)
32c284b reverseproxy: Adjust test related to #4201
7c68809 reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)

A few enhancements and bug fixes. Thanks to all who contributed to this release!


323ffd2 admin: Replace admin cert cache when reloading (fix #4184)
4c2da18 caddytls: Add Caddyfile support for propagation_timeout (#4178)
76913b1 fileserver: Fix browse not redirecting query parameters (#4196)
f9b5445 fileserver: Redirect within the original URL (#4179)
ecd5eea go.mod: Update direct dependencies
89aa3a5 go.mod: Use CertMagic v0.14.0 (fix #4191)
1e92258 httpcaddyfile: Add preferred_chains global option and issuer subdirective (#4192)
658772f httpcaddyfile: Add skip_install_trust global option (#4153)
05656a6 httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
94b7120 logging: Actually use level_key (#4189)
7b500e7 metrics: use buildinfo collector from new collectors pkg (#4187)
2a81094 reverseproxy: Always remove hop-by-hop headers

A small patch release that contains a few noncritical but pleasant fixes (unless you're using /id/ endpoints in the admin API; then you should definitely get this update).


7f26a6b admin: Reinstate internal redirect for /id/ requests
b82db99 caddyfile: Add parse error on site address with trailing { (#4163)
2aefe15 cmd: upgrade: inherit the permissions of the original executable (#4160)
dbe164d httpcaddyfile: Fix automation policy consolidation again (fix #4161)
e3c369d logging: Implement dial timeout for net writer (fix #4083) (#4172)
aef8d4d reverseproxy: Set the headers in the replacer before handle_response (#4165)

Caddy v2.4.0 is our first stable release of 2021, ushering in over 110 patches including new features and bug fixes. Thank you to the many contributors who helped make this possible!


  • Secure remote management. You can now enable secure remote access to Caddy's admin API! It uses TLS mutual authentication, and you can even define permissions for different users. PR #3994
  • Config pull at start. Caddy can be configured to load a different config at startup. This is useful if your config is federated through a separate system that doesn't have the ability to push configs to Caddy. This feature is modular, so configurations can be loaded different ways! PR #3994
  • Server identity management. Caddy can automatically manage its own server identity certificate, which can be used when negotiating TLS connections with peers. This is required when enabling the secure admin API. PR #3994
  • Self-upgrade command. The new caddy upgrade command will replace the current Caddy binary with an upgraded one from our website, with all the same modules installed, including third-party plugins that are registered on our site! (We can use this code to add/remove modules later, too.)
  • Configure other apps from the HTTP Caddyfile. The global options block of the Caddyfile now allows configuration of Caddy apps other than HTTP (for example, dynamic_dns to keep DNS records pointed at your server with a dynamic IP address).
  • Caddyfile fmt lint check. When running with a Caddyfile, Caddy will emit a warning if the Caddyfile is not formatted with caddy fmt.
  • New abort directive. The abort directive is a special case of the static_response HTTP handler that prevents an HTTP response by aborting the handler chain immediately and forcefully closing the connection.
  • New error directive. The error directive returns internal error values in the HTTP handler chain, as if an HTTP error had occurred, causing your error routes to be invoked.
  • Configure response interception from Caddyfile. The reverse_proxy is capable of intercepting responses from the backend, and now this is exposed in the Caddyfile with handle_response.
  • Better caddy list-modules output. Now modules are organized by standard and non-standard modules, so you can easily see if a Caddy build has been customized.
  • Configure logging from Caddyfile. The process logs can now be configured from the global options of the Caddyfile.
  • Better content negotiation. The file server can now be configured to serve precompressed sidecar files, and content encoding preferences are better configured and honored.
  • Dark mode in directory listings. The file server's "browse" file listings now have a dark mode.
  • ⚠️ Removed the logfmt log encoder. It was broken anyways, and its deprecation has been warned in previous releases.
  • ⚠️ Deprecated common_log format. It will be removed in a future release. Issue #4148
  • ⚠️ Deprecated health_path in reverse_proxy directive. It has been replaced with health_uri and will be removed in the future.
  • Numerous bug fixes and improvements. Thanks for the detailed, helpful bug reports! We appreciate your collaboration in making Caddy better.

New content for sponsors

I've started writing high-quality, in-depth chapters about how to get the most out of Caddy in my new Expert Caddy series, exclusively for sponsors! If you or your company are sponsoring, you can have access to this content, which I'll continue adding to over time.

If you aren't sponsoring yet, please do so! Sponsorships fund my full-time development of Caddy, and that's especially vital if your business relies on Caddy.

Changelog (since RC 1)

For a detailed list of all commits since v2.3.0, please refer to prior pre-release changelogs.

bc22102 caddyfile: Fix caddy fmt nesting not decrementing (#4157)
d4b2f1b caddyhttp: Fix fallback for the error handler chain (#4131)
61642b7 caddytls: Run replacer on ask URL, for env vars (#4154)
7776471 encode: Default to order the formats are enabled for prefer in Caddyfile (#4151)
f5db41c encode: Drop prefer from Caddyfile (#4156)
74f5d66 fileserver: Fix file matcher with empty try_files (#4147)
3cf443f httpcaddyfile: Add grace_period global option (#4152)
a17c3b5 reverseproxy: Minor logging improvements


This is a Release Candidate, meaning we think it's good enough to release but we want your help to make sure. It contains over 100 commits from the last stable release! Please report any bugs.

If you're coming from v2.3, be sure to check the change logs from the previous pre-releases as well.


a8d4527 caddyfile: Fix import replacing unrelated placeholders (#4129)
3401f91 caddyfile: Normalize line endings before comparing fmt result (#4103)
3903642 caddyfile: reject cyclic imports (#4022)
d789596 caddyhttp: Implement better logic for inserting the HTTP->HTTPS redirs (#4033)
53ececd caddyhttp: performance improvement in HeaderRE Matcher (#4143)
1e218e1 caddytls: Add load_storage module (#4055)
42b7134 caddytls: Configurable storage clean interval
2250920 caddytls: Disable OCSP stapling for manual certs (#4064)
956f011 caddytls: Implement remote IP connection matcher (#4123)
e6f6d3a cmd: Add --envfile flag to start command (#4141)
3f6283b fileserver: Add status code override (#4076)
3a1e81d fileserver: Better handling of HTTP status override (#4132)
637fd8f fileserver: Share template logic for both templates and file_server browse (#4093)
00e12aa fuzz: fix the FuzzFormat comparison (#4117)
efe8449 go.mod: CertMagic v0.13.1
66783eb go.mod: Update quic-go to v0.20.1 (#4075)
ef7f15f httpcaddyfile: Add auto_https ignore_loaded_certs (#4077)
6e0e3e1 httpcaddyfile: Add global option for storage_clean_interval (#4134)
1455d6b httpcaddyfile: Fix panic in automation policy consolidation (#4104)
ff6ca57 httpcaddyfile: Fix unexpectedly removed policy (#4128)
96bb365 httpcaddyfile: Take into account host scheme/port (fix #4113)
45fb720 notify: Send all sd_notify signals from main caddy process (#4060)
e4a22de reverseproxy: Add handle_response blocks to reverse_proxy (#3712) (#4021)
4d0474e reverseproxy: Admin endpoint for reporting upstream statuses (#4125)
9017557 reverseproxy: fix hash selection policy (#4137)


The beta channel marches on for 2.4 with beta 2. In addition to the changes/additions/improvements from the previous beta, this release includes:

(Please see release notes for v2.4 stable for highlights.)


a87f757 .gitignore: add IDE files (#4087)
28a4159 CONTRIBUTING: fix spelling (#4070)
aac1ccf caddy: Add InstanceID() method
ec3ac84 caddy: Support SetReadBuffer and SyscallConn for QUIC (fix #3998)
2a127ac caddyconfig: add global option for configuring loggers (#4028)
d63d5ae caddyhttp: improve grammar of comment for AllowH2C (#4072)
ec309c6 caddypki: Add SignWithRoot option for ACME server
f6bb02b caddytls: Remove old asset migration code (close #3894)
911c8a3 cmd: Use formatted logger for config adapter warnings (#4080)
87fbc07 cmd: main: fix minor doc typos (#4082)
a8fdc0a core: Initialize logging before admin
f35a7fa encode,staticfiles: Content negotiation, precompressed files (#4045)
0018b9b fileserver: Add a few more debug lines (#4063)
a48c620 fileserver: Browse listing supports dark mode (#4066)
5bf0a55 fileserver: Don't replace in request paths (fix #4027)
427bbe9 go.mod: Latest CertMagic (updated libdns conventions)
1c8ea00 go.mod: Migrate to (#4073)
a0a7c60 go.mod: Use latest CertMagic
f1c3668 headers: Fix Caddyfile parsing for request_header with matchers (#4085)
0d7fe36 httpcaddyfile: Add error directive for the existing handler (#4034)
bafb562 httpcaddyfile: Configure other apps from global options (#3990)
edb362a httpcaddyfile: Fix catch-all site block sorting
f137b82 logging: add replace filter for static value replacement (#4029)
802f80c map: Accept regex substitution in outputs (#3991)
6722ae3 reverseproxy: Add duration/latency placeholders (close #4012) (#4013)
ce5a093 reverseproxy: Fix round robin data race (#4038)
51f35ba reverseproxy: Fix upstreams with placeholders with no port (#4046)
75f797d reverseproxy: Implement health_uri, deprecate health_path, supports query (#4050)
bd357bf reverseproxy: Set cookie path to / when using cookie lb_policy (#4096)
ad8d01c rewrite: Implement regex path replacements
a6bc581 sigtrap_posix: add missing comma to SIGTERM info (#4078)


"Surprise, surprise, surprise!" (Do you know which classic TV character that quote is from?) We've made a lot of progress on new features since v2.3, and all the major work slated for v2.4 is already done!

This is a preview release. There's still some fine-tuning we need to do which is delaying the release candidates, but I wanted to roll out some of the exciting improvements early so you can start testing them. As far as I can tell, this tag is relatively stable. However, please expect bugs; though I bet most of them will be minor or limited to edge cases.

Documentation will be updated in the coming weeks. Until then, please refer to individual commits/issues (below) and the code base directly (it is easy to search and read) for docs. We're happy to help on our forums too.

For highlights, see release notes for v2.4.0 stable.

Many other things have been added, changed, or improved as well. See all the commits for details.

Please give this a try in low-risk environments as soon as you can, and we'll be able to ship a better v2.4 stable!


bf50d70 acmeserver: Support custom CAs from Caddyfile
ab80ff4 admin: Identity management, remote admin, config loaders (#3994)
3366384 caddycmd: Add upgrade command (#3972)
c8557dc caddyfile: Introduce basic linting and fmt check (#3923)
f021696 caddyfile: Refactor unmarshaling of module tokens
8ec90f1 caddyhttp: Check for invalid subdirectives of static_response
bef80cd caddyhttp: Fix redir html status code, improve flow (#3987)
e2c5c28 caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)
cc63c58 caddyhttp: Support placeholders in header matcher values (close #3916)
160d199 caddytest: Update Caddyfile tests for formatting, HTTP-only blocks
09432ba caddytls: Configurable OCSP stapling; global option (closes #3714)
51e3fdb caddytls: Save email with account if not already specified
8b6fdc0 caddytls: add 'key_type' subdirective (#3956)
2772ede cmd: Add --force flag to reload command (close #4005)
ed67823 cmd: Clean up build-info and upgrade output
59071ea cmd: Implement sd_notify() to notify systemd about readiness (#3963)
144b65c cmd: Organize list-modules output; --packages flag (#3925)
8f6f986 cmd: Print more detailed version with --environ
b1bec8c go.mod: Update CertMagic and acmez (improved IDN support)
8c29129 httpcaddyfile: Add resolvers subdir of tls (close #4008)
7846bc1 httpcaddyfile: Adjust iterator when removing AP (fix #3953)
653a0d3 httpcaddyfile: Fix automation policies
90284e8 httpcaddyfile: Fix default issuers when email provided
d68cff8 httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)
55e49ff httpcaddyfile: Sort catch-all site blocks properly (fix #4003)
c2b91db httpcaddyfile: Support repeated use of cert_issuer global option
c986110 httpcaddyfile: Warn if site address uses unspecified IP (close #4004)
ef54483 logging: Remove logfmt encoder (close #3575)
58e83a8 map: Add missing json struct tag
3c9256a reverseproxy: Caddyfile health check headers, host header support (#3948)
5ef76ff reverseproxy: Response buffering & configurable buffer size
88a38bd rewrite: Use RawPath instead of Path (fix #3596) (#3918)
14f50d9 templates: Add fileExists and httpError template actions