Caddy v2.1.1 Release Notes

Release Date: 2020-06-30
    Version 2.1.1 fixes a minor regression in v2.1 related to the CEL (expression) matcher and eliminates the warning about pb.proto. Both regressions were unfortunately introduced by patch updates to dependencies. This version also adds support for placeholders in the query matcher, and a WIP/experimental map handler that will be finalized before 2.2.

    Changelog

    6004d3f caddyhttp: Add 'map' handler (#3199)
    77f233a caddyhttp: Corrected host label index check (fix #3502)
    ddd690d caddyhttp: Support placeholders in query matcher (#3521)
    d7dbf85 cel: fix validation of expression result type (#3526)

Previous changes from v2.1.0

    Caddy 2.1 introduces a variety of new features, bug fixes, and other enhancements! Highlights:

    Fully automated mTLS certificates. Caddy 2.1 can fully manage all its TLS certificates -- including TLS client certificates -- using any ACME endpoint you configure. New in this version, the reverse proxy module can be configured to present an automated client certificate, just by providing its subject name in the config. We've tested it with Caddy's built-in ACME server, Let's Encrypt, Sectigo, and Smallstep ACME endpoints. Using this feature, Caddy will keep the client certificate renewed automatically.

    Embedded ACME server (powered by Smallstep). This allows other ACME clients to use Caddy as an ACME endpoint. The idea here is to replace one-off self-signed, generated certificates with proper, short-lived, auto-renewing certificates for local development and internal deployments. In other words, if you're running a command every so often to produce a self-signed certificate, use Caddy instead for proper, fully-managed internal PKI. Simply add the acme_server directive to your Caddyfile for its default configuration, or use its JSON interface.

    H2C support. Although discouraged in the general case, HTTP/2 over Cleartext HTTP (h2c) can be useful when serving or proxying gRPC locally/internally on trusted networks; and because TLS support in gRPC services is currently poor, h2c might even be required in some cases. Caddy can now serve HTTP/2 without encryption, and it can communicate as a client with an HTTP/2 server that does not support TLS. To proxy h2c, set the versions property to include "h2c". To serve h2c, enable allow_h2c in your HTTP server config.
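The proxy side of that in Caddyfile form, as an added example that is not part of the release notes; the host name, the backend port and the explicit `versions` subdirective of the `http` transport are assumptions:

```caddyfile
# Added example (not from the release notes). Host name and port are assumed.
# Proxies gRPC to a backend that only speaks HTTP/2 without TLS (h2c).
# The hop to the backend is cleartext, so keep it on a trusted network only;
# the client-facing side still gets automatic HTTPS as usual.
grpc.internal.example {
    reverse_proxy localhost:50051 {
        transport http {
            # Including "h2c" makes the transport dial unencrypted HTTP/2;
            # "2" keeps HTTP/2 over TLS available for upstreams that offer it.
            versions h2c 2
        }
    }
}
```

Serving h2c to clients is the separate server-level `allow_h2c` setting the notes point to in the JSON HTTP server config; the block above only covers proxying to an h2c upstream.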

    New handle_path Caddyfile directive. This works exactly like handle, but it only accepts a path prefix matcher and it strips the matched portion of the path before executing the directives contained in its block. It's a shortcut for using handle and uri strip_prefix together, which was a common-enough use case that we consolidated it into a new directive.
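The shortcut beside the longer form it replaces, as an added example that is not from the release notes; the site name, path prefixes, backends and document root are assumptions:

```caddyfile
# Added example (not from the release notes). Site, prefixes, backends and
# the root directory are all assumed.
example.com {
    # New in 2.1: match the /api/ prefix, strip it, then run the block.
    # A request for /api/users reaches the backend as /users.
    handle_path /api/* {
        reverse_proxy localhost:9000
    }

    # The same effect spelled out the pre-2.1 way: handle plus uri strip_prefix.
    # A request for /legacy/users reaches this backend as /users.
    handle /legacy/* {
        uri strip_prefix /legacy
        reverse_proxy localhost:9001
    }

    # Everything else is static content; handle blocks are mutually exclusive,
    # so this only runs for requests the two prefixes above did not match.
    handle {
        root * /var/www/html
        file_server
    }
}
```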

    Auto HTTPS can be configured in the Caddyfile. You can use the auto_https global option to disable it entirely, or disable only HTTP->HTTPS redirects. This is useful if you don't want to bind to any HTTP port at all.

    Various other Caddyfile improvements. Several quality-of-life improvements for the Caddyfile, including one-line named matchers such as @foo not path /foobar/*, and the ability to use backticks (`) to enclose strings where double quotes (") are inconvenient.
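One Caddyfile that exercises the auto_https global option and the matcher and quoting improvements from the two paragraphs above, as an added example that is not from the release notes; the site name, the /static/ prefix, the response body and the document root are assumptions:

```caddyfile
# Added example (not from the release notes). Site, prefix, body text and
# root directory are assumed.
{
    # Global option new in 2.1: keep automatic HTTPS but bind no HTTP listener
    # for HTTP->HTTPS redirects. `auto_https off` would disable the feature
    # entirely, including certificate management.
    auto_https disable_redirects
}

example.com {
    # One-line named matcher: every request outside the public /static/ prefix.
    @notstatic not path /static/*

    # Backtick-quoted string: the body contains double quotes, which would
    # otherwise need escaping inside a "..." string.
    respond @notstatic `This site only serves "static" assets.` 404

    root * /var/www/html
    file_server
}
```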

    Reverse proxy response interception. The reverse proxy can now intercept and handle the response from upstream based on the response status code and/or headers. This allows you to invoke custom, arbitrary HTTP logic based on the response from a backend.

    Many bug fixes and other enhancements. We always say this, I know, but just look at that changelog.

    Thank you to all who contributed and filed actionable bug reports as well as patches! Please keep it up. :)

    Changelog

    1dc4ec2 admin: Disallow websockets
    aef560c all: Recover from panics in goroutines
    41a682d caddyauth: Add realm to basicauth Caddyfile directive (#3315)
    9a7756c caddyauth: Cache basicauth results (fixes #3462) (#3465)
    96d6d27 caddyconfig: Don't start comments in middle of tokens (#3267)
    6c051cd caddyconfig: Minor internal and godoc tweaks
    fdf2a77 caddyfile: Add args on imports (#3423)
    d55c3b3 caddyhttp: Add client cert SAN placeholders
    ffc125d caddyfile: Move NewTestDispenser into non-test file (#3439)
    5230561 caddyfile: Support backticks as quotes (closes #2591) (#3242)
    294910c caddyhttp: Add client.public_key(_sha256) placeholders
    0cbf467 caddyhttp: Add placeholder and update cel-go (closes #2594)
    2d1f7b9 caddyhttp: Auto-redirects from all bind addresses (fix #3443)
    21c00a3 caddyhttp: Better host matching for logger names (fix #3488) (#3522)
    7b0962b caddyhttp: Default to error status if found in context
    3af15c0 caddyhttp: Empty, not nil, query matcher matches empty query string
    6db3615 caddyhttp: Enable matching empty query string
    4c55d26 caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379)
    d534162 caddyhttp: Match hostnames with wildcards to loggers (#3378)
    7960b42 caddyhttp: Minor refactoring for preparing requests
    e5bbed1 caddyhttp: Refactor header matching
    a285fe4 caddypki: Add 'acme_server' Caddyfile directive
    bde3823 caddytest: Refactor Caddyfile adapt tests to separate files (#3398)
    e18c373 caddytls: Actually use configured test CA
    11a132d caddytls: Configurable cache size limit
    6d03fb4 caddytls: Don't decode HMAC
    62c9f2c cmd: Add --envfile flag to run command (#3278)
    4df56c7 cmd: Add pidfile support (closes #3235)
    83551ed cmd: Only stop admin server on signal if it exists (fix #3470)
    996af09 cmd: Support admin endpoint on unix socket (#3320)
    aa20878 cmd: file-server: add --access-log flag (#3454)
    bb67e19 cmd: hash-password: Fix broken terminal state on SIGINT (#3416)
    5bde8d7 cmd: hash-password: Support reading from stdin (#3373)
    44536a7 cmd: reverse-proxy: add --insecure flag (with warning) (#3389)
    ef6e53b core: Add support for d duration unit (#3323)
    28ab0bf core: Support loading modules from [][]json.RawMessage fields
    b1480eb fastcgi: Fix php_fastcgi matcher regression (#3512)
    fa4cdde fastcgi: Make sure splitPos handles empty SplitPath correctly (#3491)
    7243454 fastcgi: php_fastcgi subdirectives to override shortcut behaviour (#3255)
    1e8c976 file_server: Accept files args in one-liner of Caddyfile matcher (#3298)
    c9049bd go.mod: Minor dependency updates
    9dafa63 go.mod: Update dependencies
    3fb2c39 go.mod: Update dependencies
    d5d7fb5 go.mod: Update dependencies
    cb0d983 go.mod: Update quic-go to 0.17.1 (draft 29) and certmagic 0.11.2 (eab)
    fae0642 httpcaddyfile: Add auto_https global option (#3284)
    1dfb114 httpcaddyfile: Add client_auth options to tls directive (#3335)
    21de227 httpcaddyfile: Be stricter about log syntax (#3419)
    32cafbb httpcaddyfile: Fix ordering of catch-all site blocks
    cd9317e httpcaddyfile: Fix route ordering bug
    cc8fb48 httpcaddyfile: Improve error on matcher declared outside site block (#3431)
    a496308 httpcaddyfile: Let modules add listener wrappers (#3397)
    dc9f4f1 httpcaddyfile: Make global options pluggable (#3265)
    d84a5d8 httpcaddyfile: New acme_eab option (#3492)
    8c5d00b httpcaddyfile: New handle_path directive (#3281)
    2f59467 httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)
    ea7e4b4 httpcaddyfile: Shorthands for parameterized placeholders (#3305)
    97e61c1 httpcaddyfile: Sort site blocks with wildcards last (fix #3410)
    26e5596 httpcaddyfile: Support single-line matchers (#3263)
    41c7bd2 httpserver: Add experimental H2C support (#3289)
    bf8c3c2 log: improve rounding logic for log rolling directives (#3367)
    9415fec logging: Net writer redials if write fails (#3453)
    c47ddbe pki: Add docs to some struct fields
    184e8e9 pki: Embedded ACME server (#3198)
    4b10ae5 reverseproxy: Add Caddyfile support for ClientCertificateAutomate
    afecd90 reverseproxy: Add tls_server_name option to Caddyfile (#3322)
    1c17e6c reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
    90c7b4b reverseproxy: Apply response header ops before copying it (fix #3382) (#3401)
    b3bff13 reverseproxy: Close websocket conn if req context cancels
    2a8a198 reverseproxy: Don't overwrite existing X-Forwarded-Proto header
    812278a reverseproxy: Emit debug log before checking error (#3425)
    7a99835 reverseproxy: Enable changing only the status code (close #2920)
    538ddb8 reverseproxy: Enable response interception (#1447, #2920)
    22055c5 reverseproxy: Fix https active health checks #3450 (#3451)
    c1e5c09 reverseproxy: Improve error message when using scheme+placeholder (#3393)
    9ee01dc reverseproxy: Make debug log safe if error occurs
    881b826 reverseproxy: Pool copy buffers (minor optimization)
    003403e templates: Add support for dots to close yaml frontmatter (#3498)
    483e31b templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387)
    b814c0a tls/client auth: verify first certificates in client request (#3344)