@mholt released this May 10, 2018 · 88 commits to master since this release


This release has been about 6 months in the making! It features an integrated telemetry client: you can now view stats about your Caddy instance and contribute to Internet research. Telemetry is entirely optional. Read the blog post and telemetry docs for more information, and check out our global stats! You can also look up details about your own instances there.

Full change list:

  • Built with Go 1.10.2
  • Integrated optional telemetry client
  • proxy: Fixed file descriptor leak

@mholt released this Apr 20, 2018 · 119 commits to master since this release


This is a hotfix release that addresses a regression in 0.10.13 related to obtaining and using ACME certificates. All users should upgrade to 0.10.14 within 30 days.

Change list:

  • tls: Fix error handling bug when obtaining certificates

@mholt released this Apr 18, 2018 · 121 commits to master since this release


Caddy 0.10.13 is a minor release that fixes security flaws in TLS client authentication and On-Demand TLS. It is recommended that everyone relying on these capabilities upgrade. This release also has bug fixes for the Caddyfile parser (caught by fuzzing) and handling errors when a certificate could not be obtained via ACME.

Do not use this version: it cannot obtain certificates due to a bug. Version 0.10.14 fixes this.

Change list:

  • New third-party plugin: supervisor
  • Updated QUIC
  • proxy: Fix transparent pass-thru of X-Forwarded-For
  • proxy: Configurable timeout to upstream
  • rewrite: Now supports regular expressions on single-line
  • tls: StrictHostMatching mode to prevent client auth bypass
  • tls: Disable client auth when using QUIC
  • tls: Require same client auth cert pools per hostname
  • tls: Prevent On-Demand TLS directory traversal
  • tls: Fix empty files written when ACME fails to obtain cert
  • Fixed test broken by 1.1.1.1 resolving
  • Improved Caddyfile parser robustness by fuzzing

@mholt released this Mar 27, 2018 · 135 commits to master since this release


This release brings ACMEv2 and wildcard certificate support!

Read the release announcement blog post for details. There are some things in there you should know, including a description of how some really cool features work.

Thanks to everyone who contributed to this release!

Change list:

  • Switch to Let's Encrypt ACMEv2 production endpoint
  • Support for automated wildcard certificates
  • Support distributed solving of HTTP-01 challenge
  • New {labelN}, {tls_cipher}, and {tls_version} placeholders
  • Curly braces can now be escaped when not used as placeholders
  • New third-party plugin: geoip
  • Updated QUIC
  • fastcgi: Add SSL_CIPHER and SSL_PROTOCOL environment variables
  • log: New 'except' subdirective to exempt paths from logging
  • startup/shutdown: Removed in favor of 'on'
  • tls: Default minimum version is TLS 1.2
  • tls: Revert to fallback cert if no cert matches SNI
  • tls: New 'wildcard' subdirective to force automated wildcard cert
  • Several significant bug fixes and improvements!

@mholt released this Feb 20, 2018 · 160 commits to master since this release


This release improves automatic HTTPS in cluster configurations and internal TLS asset management, adds service discovery support to reverse proxying and reusable snippets for the Caddyfile, and more!

Read the details in the announcement blog post!

A few minor "breaking" changes: signal handling has changed, conflicting TLS configurations are no longer allowed (an error is raised), and a TLS alert is raised if SNI is used but no matching certificate is available, rather than serving a default certificate.

Special thanks to Ed for helping us patch a minor path-based open redirect possibility!

Full change log:

  • Built with Go 1.10
  • Reusable snippets for the Caddyfile
  • Updated QUIC
  • Auto-HTTPS certificates may be shared by multiple instances
  • Expand globbed values in -conf flag
  • Swap behavior of SIGTERM and SIGQUIT; ignore SIGHUP
  • 9 new DNS provider plugins for the ACME DNS challenge
  • New placeholder for {<Response-Header} values
  • basicauth: Username put in {user} placeholder
  • fastcgi: GET requests can now send a body
  • proxy: Service discovery with DNS SRV load balancing
  • request_id: Allow reusing request ID from header field
  • tls: Improved efficiency of many certificates and reloads
  • tls: Raise error if conflicting TLS configurations collide
  • tls: Raise TLS alert if SNI used and no cert matched
  • tls: Reject OCSP responses that expire after the certificate
  • tls: Clients can use SNI to request a specific certificate
  • tls: Add option for backend to approve on-demand certificate
  • tls: Synchronize maintenance of shared, managed certificates
  • Numerous fabulous bug fixes

@mholt released this Oct 9, 2017 · 234 commits to master since this release


With this release, we also launch our updated pricing structure. Read the blog post for details!

Caddy 0.10.10 removes the Caddy-Sponsors header for all builds as well as featuring a number of incremental improvements and bug fixes. This version has one notable, possibly-breaking change, but it is for security reasons.

The new default of the CASE_SENSITIVE_PATH environment variable (if not set) is now false, meaning that matching a base path (using Path.Matches()) to a directive is a case-insensitive comparison by default. This helps avoid common misconfigurations with security-related directives like basicauth (and similar auth-related third-party plugins) which protect resources by a base path. As far as static files go, this mainly affects Windows and macOS, which have case-insensitive file systems. (Thanks to @magikstm for bringing this common misconfiguration, caused by non-obvious documentation, to our attention.)

Another notable change is that startup and shutdown have been deprecated in favor of on. You should switch to on soon, as we will eventually remove the startup and shutdown directives.

All changes:

  • Built with Go 1.9.1
  • Removed Caddy-Sponsors header
  • New 'on' directive that deprecates 'startup' and 'shutdown'
  • Changed CASE_SENSITIVE_PATH default to false
  • fastcgi: Support for SRV upstreams
  • redir: Rules with if statements are not checked for duplicates
  • Several minor bug fixes

@mholt released this Sep 12, 2017 · 258 commits to master since this release


This release introduces our new EULA for binaries distributed through our website, as well as the Caddy-Sponsors header as a thank you to our sponsors for keeping Caddy free for personal use. We're very happy to have them on board, and invite others to sponsor the project to give the gift of privacy to site owners and Web users everywhere.

In this version we've also fixed a bug related to certificate renewals, where the renewed certificate wouldn't be loaded and used. The bug was introduced in v0.10.6, so everyone using v0.10.6, v0.10.7, or v0.10.8 should upgrade. This version also includes a fix for using templates and proxy together, so that templates now sends the right status code in the response.

One new feature: Caddy can now act as a QUIC reverse proxy by using quic:// to specify a backend! This is experimental, but feel free to give it a try where you'd like.

  • EULA bundled with official binaries
  • Caddy-Sponsors header to indicate personal-use license
  • proxy: Support for QUIC backends
  • templates: Write proper status code if proxied
  • tls: Fix bug related to cert renewals

@mholt released this Sep 8, 2017 · 267 commits to master since this release


This is mainly a security release, with a couple other bug fixes (see commit history for details on those).

This release fixes issue #1859. Previously, Caddy would not compress/merge multiple consecutive forward slashes in the URL for comparisons, causing certain comparisons to fail when semantically they should have matched: whether two such paths are equivalent depends on what consumes the path, but most often, file systems will annoyingly collapse multiple slashes. Now, Caddy's path matching behaves similarly to NGINX's location block with merge_slashes enabled. Caddy now merges slashes by default when comparing paths using Go's path.Clean(), which also evaluates .. in paths to ensure equivalence on a semantic level.

We recommend installing this update right away if you use middleware (including plugins) that rely on matching paths to protect resources. All the relevant, standard (built-in) directives should be remedied with this (including basicauth), but third-party plugins that do not use Path.Matches() will have to ensure that they are properly sanitizing the path before doing a comparison.
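As an added example (not Caddy's own code and not its Path.Matches()), here is a Go helper that applies the two normalizations these notes describe before comparing a request path against a protected base path: path.Clean() slash merging and `..` resolution from this release, and the case-insensitive default from the CASE_SENSITIVE_PATH change in 0.10.10. The function names and the segment-boundary rule are assumptions of this example, and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// basePathMatches reports whether requestPath falls under basePath.
// Hypothetical helper, not Caddy's Path.Matches(): the request path is
// normalized with path.Clean() first, which merges repeated slashes and
// resolves "." and ".." segments, and the comparison is case-insensitive
// unless caseSensitive is set, mirroring the CASE_SENSITIVE_PATH=false
// default. Matching on a segment boundary is an assumption of this example.
func basePathMatches(basePath, requestPath string, caseSensitive bool) bool {
	if requestPath == "" {
		requestPath = "/" // path.Clean("") would return "."
	}
	req := path.Clean(requestPath)
	base := path.Clean(basePath)
	if !caseSensitive {
		req = strings.ToLower(req)
		base = strings.ToLower(base)
	}
	if base == "/" {
		return true // root base protects everything
	}
	// Exact match or a deeper path under the base; "/adminfoo" stays out.
	return req == base || strings.HasPrefix(req, base+"/")
}

// naivePrefixMatches is the unsanitized comparison the notes warn about:
// a raw prefix test that "//admin" and "/Admin" are not recognized by.
func naivePrefixMatches(basePath, requestPath string) bool {
	return strings.HasPrefix(requestPath, basePath)
}

func main() {
	// Constructed request paths that a protected base "/admin" must be judged on.
	samples := []string{"/admin", "//admin/", "/Admin/panel", "/admin/../public",
		"/public/../admin/x", "/adminfoo"}
	for _, p := range samples {
		fmt.Printf("%-22s naive=%-5v normalized=%v\n", p,
			naivePrefixMatches("/admin", p), basePathMatches("/admin", p, false))
	}
}
```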

You can use getcaddy.com to automate updates, then send SIGUSR2 to gracefully upgrade the binary with no downtime.