Change8

v2.11.1

📦 caddy
12 features · 15 fixes · 13 symbols

Summary

Caddy 2.11.1 introduces significant security patches across multiple modules and adds features such as automatic ECH key rotation and time-rolling log options. This release is functionally identical to v2.11.0 apart from CI updates, and it emphasizes security hardening and quality-of-life improvements.

Migration Steps

  1. Plugin maintainers should only upgrade the Caddy dependency if there is a change to an exported API their plugin uses.
  2. If using FastCGI, be aware of changes related to Unicode case-folding length expansion.
  3. If relying on case-insensitivity for large host lists (>100) or on path matching with escape sequences, review your configuration: the security fixes now apply consistent case normalization to these checks.
  4. If TLS client authentication was configured, ensure CA certificate files are present and well-formed to avoid silent failures.
  5. If using file matchers with glob characters, review configurations due to improved sanitization.
  6. If using `handle_errors`, verify response encoding.
  7. If using `import` in the Caddyfile, note that `block` now does nothing if nothing is passed to `import`.

✨ New Features

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • `SIGUSR1` can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS.
  • `log_append` can now log request and response bodies, useful for debugging.
  • Project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Added replacer placeholders for escaped values in caddyhttp.
  • Added support for Argon2id in Basic Auth.
  • Added server options `keepalive_idle` and `keepalive_count` to caddyhttp.
  • Added `trusted_proxies_unix` for trusting unix socket `X-Forwarded-*` headers in caddyhttp.
  • Added support for named socket activation in listeners.
  • Reverse proxy now uses an HTTP/1.1 Upgrade for WebSocket connections that arrive via HTTP/2 or HTTP/3 Extended CONNECT.

🐛 Bug Fixes

  • Fixed PKI creation when auto_https is disabled.
  • Adjustments to BufferedLog to keep logs in the correct order.
  • Prevented commas in header values from being split in CLI commands.
  • Fixed response corruption when handle_errors is used in encode.
  • Fixed multiple regexp filters on same field in logging (fixes #7049).
  • Fixed a trailing-space issue before environment variables in the Caddyfile.
  • Fixed case where Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass (Security fix).
  • Fixed Path matcher skipping case normalization for escape sequences, enabling path-based route/auth bypass (Security fix).
  • Fixed TLS client authentication silently failing open when CA certificate file is missing or malformed (Security fix).
  • Fixed improper sanitization of glob characters in file matcher potentially leading to bypassing security protections (Security fix).
  • Fixed Unicode case-folding length expansion causing incorrect split_path index in FastCGI transport (Security fix).
  • Blocked cross-origin requests made in `no-cors` mode against the admin API, which could previously succeed (Security fix).
  • Fixed missing DNS challenge check for `acme_dns` in httpcaddyfile.
  • Fixed reverseproxy disabling keepalive when proxy protocol is used.
  • Resolved unbounded per-host label cardinality in metrics.

Affected Symbols