
Releases: caddyserver/caddy

0.9.2

21 Sep 00:28
v0.9.2
73916cc

Caddy 0.9.2 contains delicious bug fixes and improvements; the only real external change is the addition of the -catimeout option which can be used in some cases where network latency to the ACME CA is exceptionally high.

This release is vital for Caddyfiles that use the wildcard site address syntax with on-demand TLS. For example, if you have:

*.mysite.com
tls {
     max_certs 10
}

Then this release is critical for you; it fixes a bug that would prevent certificate renewal. However, everyone should consider upgrading anyway to get the latest improvements!

This release is built on Go 1.7.1 (which has some http/2 fixes in it as well).

Known issues (already fixed on master): Site addresses in the Caddyfile that are not lowercased cause duplicate site configs.

Change list:

  • New -catimeout option to customize ACME CA HTTP timeout
  • import: Fix nested import absolute/relative paths
  • log: Fix multiple log outputs
  • proxy: Fix for keepalive in certain cases
  • tls: Fix for PreferServerCipherSuites
  • Numerous other bug fixes and internal improvements

Two new plugins were published as well: awslambda and multipass.

(No blog post this time, because notable changes are few and I've also been really busy.)

0.9.1

17 Aug 20:48
v0.9.1
c5aa584

This patch release fixes many of the bugs introduced in 0.9 and includes a few other enhancements and minor features. Caddy is now built on Go 1.7. This update is recommended for all Caddy users.

For more information, read the announcement blog post.

Change log:

  • New {request_body} placeholder to log request body
  • {remote} placeholder no longer uses X-Forwarded-For header
  • {latency} placeholder rounds to a nice-looking number
  • Add support for ratelimit plugin
  • basicauth: Declaring realm named "Restricted"
  • errors: Define catch-all/default error page with * character
  • header: More control to add, set, or remove headers
  • proxy: New keepalive setting to help accommodate busy servers
  • proxy: New load balancing policy ip_hash
  • proxy: Fixed WebSocket connections
  • proxy: Fixed broken header logic
  • proxy: Reuse existing connection for Upgrade requests
  • proxy: Support for basic auth from header or upstream address
  • templates: New .Env action to access environment variables
  • tls: OCSP staples persisted to disk
  • tls: ACME challenges honor bind directive
  • tls: Fix default protocol version (minimum TLS 1.1)
  • tls: Consume challenge requests only for names Caddy is solving for
  • tls: The protocol syntax allows just one value if desired
  • tls: Scoped max_certs limit to site instead of global maximum
  • Many other bug fixes and minor enhancements

0.9

19 Jul 05:57
v0.9.0
f28af63

After more than 6 months since 0.8, I'm very pleased to release Caddy 0.9! We've got a whole lot of improvements here, including some breaking changes, so pay attention before pushing into production. Please see the blog post for more information.

Notable changes are an entirely new core, new plugin model, ACME DNS challenge support, experimental QUIC support, in-process graceful restarts, easy self-signed certificates, and major code refactoring.

Hope you like it. Stay tuned for any patch releases and please report bugs! Also, a huge thanks to all contributors who made this possible.

Note: Some plugins that were available for earlier versions of Caddy are not yet available with Caddy 0.9 because they have not been updated to be compatible with version 0.9. We have a wiki page for plugin authors about how to do this. I know that's annoying; sorry for the inconvenience.

Known issues: #941 is about a deadlock when calling caddy.Stop() and #943 is about setting TLS protocol versions. #916 relates to headers not being set properly in proxy situations. All are already fixed on master.

Full change log:

  • New core
  • New experimental QUIC support with -quic flag (HTTPS only)
  • New -type option to specify other server types
  • Moved ~/.caddy/letsencrypt to ~/.caddy/acme and reorganized assets
  • Moved caddy package to top level folder, and pushed main to subfolder
  • New {request} placeholder to dump entire request (without body)
  • New {hostonly} placeholder for only hostname portion of host value
  • Site addresses can have paths
  • Site addresses can make some use of wildcards in domains
  • Renamed -directives flag to -plugins
  • Restarting no longer requires spawning a new process
  • Removed -restart option
  • fastcgi: Env variables now support placeholders
  • import: Import paths now relative to Caddyfile, not current working dir
  • markdown: Overhauled; removed site generation features
  • proxy: More control of headers; deprecating proxy_header subdirective
  • proxy: Specify multiple upstreams with optional port ranges
  • proxy: New preset 'transparent' to simplify common pass-thru headers
  • proxy: Chooses longest matching path; order declared is irrelevant
  • redir: Added if and if_op subdirectives to make conditional redirects
  • rewrite: Support for if_op to change how conditions are evaluated
  • tls: Generate self-signed certificates in memory
  • tls: Support for ACME DNS challenge with 10 providers
  • tls: Support for TLS-SNI challenge during restarts
  • Various bug fixes and enhancements

0.8.3

26 Apr 15:43
v0.8.3
2138270

Caddy 0.8.3 introduces TLS session ticket key rotation and a number of bug fixes and other internal improvements. There are also two new middlewares: expvar and pprof, mostly useful for debugging purposes.

All users are encouraged to upgrade as soon as possible with proper testing. Thank you to all who made this possible!

Change list:

  • Built with Go 1.6.2
  • New pprof middleware for exposing process profiling endpoints
  • New expvar middleware for exposing memory/GC performance
  • New -restart option to force in-process restarts on Unix systems
  • Only fail to start if managed certificate is expired (issue #642)
  • Toggle case-sensitive path matching with environment variable
  • File server now adds ETag header for static files
  • browse: Replace .LinkedPath action with .BreadcrumbMap
  • fastcgi: New except clause to exclude paths
  • proxy: New max_conns setting to limit max connections per upstream
  • proxy: New replaceable value for name of upstream host
  • templates: New utility actions for dealing with strings
  • tls: Customize certificate key with key_type (+ECC)
  • tls: Session ticket keys are now rotated
  • Many other minor internal improvements and bug fixes

0.8.2

25 Feb 18:04

With 0.8.2, Caddy gets On-Demand TLS, which means it can obtain certificates during TLS handshakes; it does not need to know all the names when you start the server. Caddy is now built on Go 1.6, meaning faster crypto and highly-optimized garbage collection. Caddy no longer restarts on its own, only when signaled with USR1 (all certificate maintenance is done in-process now). We've also added support for SHA384 cipher suites and the ability to load certificates in bulk from a folder.

On-Demand TLS is currently under tight rate limits to mitigate abuse. When you enable it, you have to set a hard limit of how many certificates it is allowed to issue using the max_certs property of the tls directive.

  • At most one certificate challenge happens at a time.
  • After 10 certificates are successfully obtained, new certificate challenges will not happen until 10 minutes after the last successful challenge.
  • A name that fails a challenge will not be allowed to be attempted again for 5 minutes.

This feature -- as well as all automatic HTTPS, even at startup -- is not guaranteed to be supported in the future if ACME CAs are not able to issue certificates in a reasonable timeframe (quicker than 10 minutes). Please speak with your CA if this is of interest to you.

See the relevant documentation and release announcement for more details.
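The three throttles listed above, as an added example that is not Caddy's own code: a hypothetical Go limiter that applies the one-challenge-at-a-time rule, the hard max_certs cap, the 10-certificates-per-10-minutes window and the 5-minute per-name backoff to a name requested during a handshake. Timestamps are passed in explicitly so the policy can be exercised without waiting; the type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical model of the on-demand TLS throttles (not Caddy's code); one error per rule.
var ErrBusy = errors.New("a challenge is already in progress")
var ErrHardLimit = errors.New("max_certs limit reached")
var ErrBurst = errors.New("10 certificates issued; wait 10 minutes after the last success")
var ErrBackoff = errors.New("name failed recently; retry after 5 minutes")

type Limiter struct { // not goroutine-safe: the caller serializes Begin/Finish calls
	maxCerts    int                  // hard cap from the tls max_certs property
	issued      int                  // certificates obtained so far
	burst       int                  // successes since the last 10-minute pause
	lastSuccess time.Time            // time of the most recent successful challenge
	inFlight    bool                 // at most one challenge at a time
	failedUntil map[string]time.Time // per-name 5-minute backoff
}

func NewLimiter(maxCerts int) *Limiter {
	return &Limiter{maxCerts: maxCerts, failedUntil: map[string]time.Time{}}
}

// Begin reports whether a challenge for name may start at time now.
func (l *Limiter) Begin(name string, now time.Time) error {
	switch {
	case l.inFlight:
		return ErrBusy
	case l.issued >= l.maxCerts:
		return ErrHardLimit
	case now.Before(l.failedUntil[name]): // unknown names map to the zero time
		return ErrBackoff
	case l.burst >= 10 && now.Sub(l.lastSuccess) < 10*time.Minute:
		return ErrBurst
	}
	if l.burst >= 10 {
		l.burst = 0 // the pause has elapsed; open a new window of 10
	}
	l.inFlight = true
	return nil
}

// Finish records the outcome of the challenge started by Begin.
func (l *Limiter) Finish(name string, ok bool, now time.Time) {
	l.inFlight = false
	if ok {
		l.issued, l.burst, l.lastSuccess = l.issued+1, l.burst+1, now
		return
	}
	l.failedUntil[name] = now.Add(5 * time.Minute)
}

func main() {
	l := NewLimiter(10)
	fmt.Println(l.Begin("shop.example", time.Now()), l.Begin("blog.example", time.Now()))
}
```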

All notable changes:

  • On-demand TLS can obtain certificates during handshakes
  • Built with Go 1.6
  • Process log (-log) is rotated when it gets large
  • Managed certificates get renewed 30 days early instead of just 14
  • fastcgi: Allow scheme prefix before address
  • markdown: Support for definition lists
  • proxy: Allow proxy to insecure HTTPS backends
  • proxy: Support proxy to unix socket
  • rewrite: Status code can be 2xx or 4xx
  • templates: New .Markdown action to interpret included file as Markdown
  • templates: .Truncate now truncates from end of string when length is negative
  • tls: Set hard limit for certificates obtained with on-demand TLS
  • tls: Load certificates from directory
  • tls: Add SHA384 cipher suites
  • Multiple bug fixes and internal changes

0.8.1

12 Jan 19:18

This is a patch release with few new features but with many significant, internal improvements and bug fixes.

All known issues introduced by 0.8 are fixed in this patch. The browse middleware gets a shiny new template that looks better on all screens and is easier to use. The rewrite directive was upgraded to implement powerful rewrite rules with conditions, regex captures, and status code responses. The import directive can import multiple files at once with glob matching.

Detailed change log:

  • Improved OCSP stapling
  • Better graceful reload when new hosts need certificates from Let's Encrypt
  • Current pidfile is now deleted when Caddy exits
  • browse: New default template
  • gzip: Added min_length setting
  • import: Support for glob patterns (*) to import multiple files
  • rewrite: New complex rules with conditions, regex captures, and status code
  • tls: Removed DES ciphers from default cipher suite list
  • tls: All supported certificates are OCSP-stapled
  • tls: Allow custom configuration without specifying certificate and key
  • tls: No longer allow HTTPS over port 80
  • Dozens of bug fixes, improvements, and more tests across the board

0.8

04 Dec 17:08

Caddy 0.8 is the most progressive update we've ever released. We hope you'll enjoy this new version!

New Features

Automatic HTTPS via Let's Encrypt

All live sites are served over HTTPS automatically for free. Caddy works with any ACME-capable certificate authority but uses Let's Encrypt by default. A Caddyfile like this, for example:

mysite.com

root /www/mysite.com
gzip

will serve your site over HTTPS and redirect HTTP to HTTPS. Caddy will not automatically enable HTTPS for addresses that look like localhost or have tls off in their configuration.

Caddy stores the generated keys and certificates in the ~/.caddy folder on your system. If these assets are already available on the file system from a previous run, Caddy will use those when it starts.

With managed TLS, Caddy staples OCSP information and also keeps certificates renewed for you. This will cause Caddy to restart on occasion, so be aware of that if using a process manager.

The first time automatic HTTPS is triggered, Caddy will prompt for an email address and/or agreement to CA terms. This only happens once, and the email address is optional (but recommended for account recovery purposes). You can bypass the prompt by using the -email and -agree flags.

Known Issues
  1. Specifying an address like http://example.com disables automatic HTTPS (because of explicit HTTP scheme) but http://example.com:8080 does not (because the explicit port overwrites the scheme) even though it should.
  2. Gracefully reloading Caddy with a new host in the Caddyfile that qualifies for automatic HTTPS and needs a certificate fails (because the ports needed to issue the cert are already in use) but it should use existing listeners like renewals do.
  3. If even one certificate fails to be obtained, none of the certificates are saved to disk. This is most notable with LE rate limiting. If a certificate fails, it should save what certificates it obtained to disk.

These will be addressed in a patch release coming soon, unless another more serious bug is discovered.

Graceful Reload

On POSIX-compliant systems, SIGUSR1 will cause Caddy to gracefully reload the Caddyfile (with zero downtime). This restarts the process, spinning up a new process with a new process ID. Make sure to use the -pidfile flag if you're using Caddy with a process manager that needs to keep track of the pid. Caddy will reload on its own if managing SSL certificates. There are also other new signals and flags you can use.

Caddy as a Library

You can now use Caddy as a library in your own Go programs.

import (
    "log"

    "github.com/mholt/caddy/caddy"
)

// You can start...
err := caddy.Start(caddyfile)
if err != nil {
    log.Fatal(err)
}

// restart...
err = caddy.Restart(newCaddyfile)
if err != nil {
    log.Fatal(err)
}

// and stop Caddy services...
err = caddy.Stop()
if err != nil {
    log.Fatal(err)
}

// or just wait for them to close.
caddy.Wait()

See the godoc for more information.

Full Change List

  • HTTPS by default via Let's Encrypt (certs & keys are fully managed)
  • Graceful restarts (on POSIX-compliant systems)
  • Major internal refactoring to allow use of Caddy as library
  • New directive 'mime' to customize Content-Type based on file extension
  • New -accept flag to accept Let's Encrypt SA without prompt
  • New -email flag to customize default email used for ACME transactions
  • New -ca flag to customize ACME CA server URL
  • New -revoke flag to revoke a certificate
  • New -log flag to enable process log
  • New -pidfile flag to enable writing pidfile
  • New -grace flag to customize the graceful shutdown timeout
  • New support for SIGHUP, SIGTERM, and SIGQUIT signals
  • browse: Render filenames with multiple whitespace properly
  • core: Use environment variables in Caddyfile
  • markdown: Include Last-Modified header in response
  • markdown: Render tables, strikethrough, and fenced code blocks
  • proxy: Ability to exclude/ignore paths from proxying
  • startup, shutdown: Better Windows support
  • templates: Bug fix for .Host when port is absent
  • templates: Include Last-Modified header in response
  • templates: Support for custom delimiters
  • tls: For non-local hosts, default port is now 443 unless specified
  • tls: Force-disable HTTPS
  • tls: Specify Let's Encrypt email address
  • Many, many more tests and numerous bug fixes and improvements

Credits and More Information

Many thanks to the dozens of contributors and testers who made this possible!

Please see the announcement blog post for the rest of the story. For more instructions about how to use this new Caddy version, see the docs.

0.7.6

29 Sep 13:42

This release contains bug fixes, security patches via new Go versions, and a few new features:

  • Pass in simple Caddyfile as command line arguments
  • basicauth: Support for legacy htpasswd files
  • browse: JSON response with file listing
  • core: Caddyfile as command line argument
  • errors: Can write full stack trace to HTTP response for debugging
  • errors, log: Roll log files after certain size or age
  • proxy: Fix for 32-bit architectures
  • rewrite: Better compatibility with fastcgi and PHP apps
  • templates: Added .StripExt and .StripHTML methods
  • Internal improvements and minor bug fixes

Along with this release we're pleased to welcome three new, very useful add-ons to the Caddy middleware family: jsonp, search, and hugo.

Please see the announcement blog post for more information about the changes and new add-ons.

Given that we've been sprinting ahead with a lot of new features and functionality lately, we'll be focusing a lot on polish, bug fixes, tests, the deployment process, etc., to lay a more solid foundation going forward.

0.7.5

05 Aug 19:37

Several significant refinements are introduced in 0.7.5, as well as fixes for bugs that were exposed from changes made in 0.7.4.

  • core: All listeners bind to 0.0.0.0 unless 'bind' directive is used
  • fastcgi: Set HTTPS env variable if connection is secure
  • log: Output to system log (except Windows)
  • markdown: Added dev command to disable caching during development
  • markdown: Fixed error reporting during initial site generation
  • markdown: Fixed crash if path does not exist when server starts
  • markdown: Fixed site generation and link indexing when files change
  • templates: Added .NowDate for use in date-related functions
  • Several bug fixes related to startup and shutdown functions

Most notably, startup and shutdown functions now only execute once even if the server block is defined for more than one host. So where the following Caddyfile used to echo "Hello world" twice, it now echoes only once:

host1, host2 {
    startup "echo Hello world"
}

The fix in fastcgi should be good for any WordPress sites (or other PHP sites) served over HTTPS. Lots of effort went into improving Markdown features to make it easier to build sites with Markdown using only Caddy.

In earlier versions, every listener would bind to the IP address resolved by the hostname from the Caddyfile. This is no longer the case. Now, every listener always binds to the empty/wildcard host (0.0.0.0). This was done by request, but if it causes problems, please report them.

Finally, non-Windows users may output to the system log with the log and errors directives by specifying syslog as the log filename.

From here on out to version 1.0, most changes will be bug fixes, refinements, and enhancements to existing features with a focus on stability and usability.

We hope you enjoy this release, and thank you to all contributors who made it possible!

0.7.4

05 Aug 19:29

This release brings lots of improvements to the markdown, browse, and redir directives, but some of the changes are breaking in some situations.

Breaking changes:

  • If you used catch-all redirects (redir http://other-domain.com), it used to preserve the request URI. To give you more flexibility, this is no longer the case. Please use {uri} (redir http://other-domain.com{uri}) to preserve request URI.
  • Markdown is quite a bit different. The structure of front matter was flattened, so instead of creating [variables] and indenting variables, all variables are defined without indentation. Also, markdown template actions are different. All values related to the Markdown document, including front matter variables, are in {{.Doc}}, so {{.Doc.body}} shows the rendered content instead of {{.markdown}}, and the title is now {{.Doc.title}} instead of {{.title}}.
  • The template action .Date was renamed to .Now.

Full change list:

  • browse: Sorting preference persisted in cookie
  • browse: Added index.txt and default.txt to list of default files
  • browse: Template files may now use Caddy template actions
  • markdown: Template files may now use Caddy template actions
  • markdown: Several bug fixes, especially for large and empty Markdown files
  • markdown: Generate index pages to link to markdown pages (sitegen only)
  • markdown: Flatten structure of front matter, changed template variables
  • redir: Can use variables (placeholders) like log formats can
  • redir: Catch-all redirects no longer preserve path; use {uri} instead
  • redir: Syntax supports redirect tables by opening a block
  • templates: Renamed .Date to .Now and added .Truncate, .Replace actions
  • Other minor internal improvements and more tests

In addition, the build process was improved so that Linux and BSD downloads are in the .tar.gz file format. Windows and Mac downloads are still .zip.

The Caddy website also gets a blog with this release. We hope you like it, and we welcome guest contributions!

Note: This release introduced several bugs which are fixed in 0.7.5; it's highly recommended to use the newer version instead.