@github-actions github-actions released this Jun 17, 2021 · 15 commits to master since this release

Guess what: this is our 100th release! 🎉 🥳 🎊

A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments. Please note some changes in this patch:

  • ⚠️ In reverse_proxy, the max_idle_conns_per_host option has been removed (both Caddyfile and JSON). This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to keepalive_idle_conns_per_host. In JSON, we simply removed the property, and you should instead set keep_alive/max_idle_conns_per_host if you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
  • 🛡️ Security patch in the FastCGI transport that now sanitizes paths against directory traversal outside the site root. PR #4207.
  • 🐛 Fix canonicalization redirects in file_server. v2.4.2 introduced a bugfix (#4179) for these redirects when used inside handle_path (i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.
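
To illustrate the class of bug the FastCGI security patch above addresses, here is an added Go example (not Caddy's code and not taken from PR #4207) that contrasts a plain join of site root and request path with a root-confined join. The names naiveJoin, confinedJoin and withinRoot and the /srv/site root are hypothetical, and the sample request paths are constructed.

```go
package main

import (
	"fmt"
	"path" // slash-separated paths keep the demo portable; on-disk code would use path/filepath
	"strings"
)

// naiveJoin is the unsafe pattern: Join cleans the result, but ".." segments
// in reqPath are resolved against root and can climb out of it.
func naiveJoin(root, reqPath string) string {
	return path.Join(root, reqPath)
}

// confinedJoin (hypothetical name) anchors reqPath at "/" before cleaning, so
// ".." can never rise above that virtual root, and only then joins it to root.
func confinedJoin(root, reqPath string) string {
	if root == "" {
		root = "."
	}
	joined := path.Join(root, path.Clean("/"+reqPath))
	// Clean strips a trailing slash; restore it so directory requests stay directories.
	if strings.HasSuffix(reqPath, "/") && !strings.HasSuffix(joined, "/") {
		joined += "/"
	}
	return joined
}

// withinRoot reports whether p is root itself or lies beneath it. Comparing
// against root+"/" avoids treating /srv/site-backup as inside /srv/site.
func withinRoot(root, p string) bool {
	root, p = path.Clean(root), path.Clean(p)
	return p == root || strings.HasPrefix(p, root+"/")
}

func main() {
	root := "/srv/site" // constructed sample site root
	reqs := []string{"/index.php", "/../../etc/passwd", "/a/../../secret.php", "/blog/"}
	for _, req := range reqs {
		n, c := naiveJoin(root, req), confinedJoin(root, req)
		fmt.Printf("%-24q naive=%-22q inside=%-5v confined=%-26q inside=%v\n",
			req, n, withinRoot(root, n), c, withinRoot(root, c))
	}
}
```

The withinRoot check is also usable on its own as a regression test assertion for any handler that maps request paths to files.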

Changelog

9d4ed3a caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
e8ae80a fileserver: Don't persist parsed template (fix #4202)
fbd6560 fileserver: Only redirect if filename not rewritten (fix #4205)
32c284b reverseproxy: Adjust test related to #4201
7c68809 reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)
