Change8

v2.11.3

Project: caddy (21 features, 17 fixes, 18 affected symbols)

Summary

This release focuses on security patches across several components like fastcgi, vars, and admin, alongside numerous minor features and bug fixes to improve stability and functionality.

Migration Steps

  1. Replace usage of `interface{}` with `any` for modernization.

✨ New Features

  • Introduce down-propagating Helper.BlockState for other directives/plugins to use in the root directive.
  • Make zstd checksum configurable in http.
  • Always send "READY=1" notification even after an error in notify.
  • Expand placeholders in dns_challenge override_domain tls parameter in caddytls.
  • Add system and combined CA pool modules for tls.
  • Make stream copy buffer size configurable in reverseproxy.
  • Add journald encoder wrapper for logging.
  • Improve import/global options UX for imports before global options in caddyfile.
  • Show symlink targets verbatim in fileserver.
  • Document missing placeholders for escaped URI and prefixed query in caddyhttp.
  • Redact sensitive request headers in API logs in admin.
  • Add lb_retry_match condition on response status in reverseproxy.
  • Prefer port 443 in auto-HTTPS and add tests in caddyhttp.
  • Propagate ECH keys to the QUIC listener.
  • Implement pushing metrics via OTLP.
  • Inherit global ACME issuer settings in tls shortcuts in httpcaddyfile.
  • Add ability to clear dynamic upstreams cache during retries in reverseproxy.
  • Expand ACME credentials in caddytls.
  • Accept duration strings for log sampling interval in httpcaddyfile.
  • Add alpn to managed HTTPS records in tls.
  • Add documentation for fileExists and fileStat template functions.

🐛 Bug Fixes

  • Security patch for fastcgi: Prevent execution of non-PHP files.
  • Security patch for vars: More thorough fix for GHSA-m2w3-8f23-hxxf.
  • Security patch for admin: Array index normalization to prevent remote admin socket auth bypass.
  • Security patch for admin: More rigorous path prefix matching to prevent remote admin socket auth bypass.
  • Fix upstream security bugs in quic-go and CertMagic.
  • Sync placeholder expansion in `vars` and `vars_regexp` in caddyhttp.
  • Avoid ACME fallback for implicit Tailscale *.ts.net policies in caddytls.
  • Skip query rename when source key is absent in rewrite.
  • Fix check for `header_up Host {upstream_hostport}` redundancy in reverseproxy.
  • Don't expand placeholders in values in vars.
  • Fix {block} usage in snippet in caddyfile.
  • Fix regression coverage for rotated file mode in logging.
  • Clean up stale Unix socket files on Windows in listeners.
  • Revert user placeholders on auth rejection in caddyauth.
  • Avoid duplicate automation for wildcard-covered hosts in caddytls.
  • Escape file matcher paths before rewriting in rewrite.
  • Add nil check for metricsHandler in AdminMetrics.serveHTTP.

Affected Symbols