Skip to content

0.9.5
Compare
Choose a tag to compare
@mholt mholt released this 24 Jan 15:34
· 1984 commits to master since this release
v0.9.5
This tag was signed with the committer’s verified signature.
mholt Matt Holt
GPG key ID: 2A349DD577D586A5
Learn about vigilant mode.
94e382e
This commit was signed with the committer’s verified signature.
mholt Matt Holt
GPG key ID: 2A349DD577D586A5
Learn about vigilant mode.

Caddy 0.9.5 contains several critical fixes and we recommend applying the update right away. Please read these notes first, though!

Thank you to the collaborators and contributors for all your hard work (especially @tw4452852 and @lhecker - among many others, see the commit history) while I've been busy working on the new website and build infrastructure!

HTTP Timeouts Enabled by Default

Caddy aims to be secure right out of the box. In order to prevent faulty or malicious clients from seeping resources away with slowloris behavior, Caddy now enables timeouts by default. In general, this will not affect most users. However, you may need to raise or disable these timeouts depending on your legitimate visitors' needs and your server's configuration. If your visitors have legitimately slow networks or you need to hold requests for a long time (e.g. long polling or proxying long requests to a trusted backend), consider raising these timeouts.

Default timeout values:

  • read: 10s (time spent reading request headers and body)
  • header: 10s (time spent reading just headers; not used until Go 1.8 is released)
  • write: 20s (starts at reading request body, ends when finished writing response body)
  • idle: 2m (time to hold connection between requests; not used until Go 1.8 is released)

As you can see, a couple of the timeout values will begin functioning when Caddy is built on Go 1.8, expected within about a month. Go ahead and set them now; they will just start working when supported. See the timeouts pull request and docs.

Critical Uptime/Connectivity Fix

This is a little embarrassing, but if conditions were just right, Caddy would initiate a certificate renewal using the TLS-SNI-01 challenge, which would cause a deadlock. Subsequent TLS handshakes would block forever until the server stopped responding to requests. It took months to find and fix this because it only happened when very specific conditions are met: certificate needs renewal (once every 60 days), TLS-SNI-01 challenge is chosen (by roll of dice), renewal is trigged from background maintenance goroutine (not on-demand or during startup), and Let's Encrypt did not have a cached authz for that domain. Now it's fixed.

A huge thanks to Bradley Falzon (@bradleyfalzon), Miek Gieben (@miekg), and Sebestian Erhart (@xenolf) for spending considerable time to help me debug this. It wasn't possible without their hours of help.

Proxy performance improvements

We continue to iterate on Caddy's proxy functionality. Caddy was never designed to be a reverse proxy except as a very simple one, just to say that it can do it. But it turns out that proxy is one of the most popular directives. So with this release, we've improved on a recent regression that buffered request bodies. Proxy configurations with a single upstream or with try_duration unset (0) will be much faster and use less memory. We're still improving upon failure conditions and retry behavior; we had a rich discussion in #1314 about it. You should also see better HTTPS+websockets support.

Also, the deprecated proxy_header subdirective is no longer accepted; use header_upstream instead.

Minor security fixes in browse

The browse middleware was improved a bit. First, a filter textbox was added to instantly filter the listings by file name. We also now sanitize the file names and links in case, for some reason, you are not already doing that with untrusted files. I want to thank Kevin Froman (@beardog108) for the responsible reporting of this as a precaution. I also went ahead and made sure the browse directive will hide the active Caddyfile if it is within your site's root, no matter the current working directory.

Other things

There's a new -validate flag to load and parse your Caddyfile, then terminate. It will tell you if the Caddyfile is syntactically valid or not. There's also new placeholders: {when_iso} gives you the UTC timestamp in ISO 8601 format, and {rewrite_path} gives you the URI path after a rewrite ({path} gives the path as it originally was on the request before any rewrites).

Full change list:

  • New -validate flag to only check a Caddyfile, then exit
  • New {when_iso} placeholder for timestamp ISO 8601 in UTC
  • New {rewrite_path} and {rewrite_path_escaped} placeholders
  • New 'timeouts' directive to configure or disable HTTP timeouts
  • HTTP-level timeouts enabled by default
  • browse: Added textbox to filter listing in default template
  • browse: Sanitize file names and links in default template
  • browse: Ensure active Caddyfile is hidden regardless of cwd
  • fastcgi: New 'root' property, mainly for use with containers
  • markdown: Apply some front matter fields as tags
  • proxy: Fixed HTTP/2 upstream to backend; honors -http CLI flag
  • proxy: Fixed websockets over HTTPS
  • proxy: Reduced memory usage and improved performance
  • proxy: Added support for HTTP trailers
  • tls: Fixed deadlock that affected some background renewals
  • Several other smaller bugs squashed and improvements made

Thanks for continuing to use Caddy!

Assets 17