Releases: caddyserver/caddy

v2.1.1

30 Jun 19:22
v2.1.1
d7dbf85

Version 2.1.1 fixes a minor regression in v2.1 related to the CEL (expression) matcher, as well as eliminating the warning about pb.proto. Both regressions were unfortunately introduced by patch updates on dependencies. This version also adds support for placeholders in the query matcher, and a WIP/experimental map handler that will be finalized before 2.2.

Changelog

6004d3f caddyhttp: Add 'map' handler (#3199)
77f233a caddyhttp: Corrected host label index check (fix #3502)
ddd690d caddyhttp: Support placeholders in query matcher (#3521)
d7dbf85 cel: fix validation of expression result type (#3526)

v2.1.0

26 Jun 19:10
v2.1.0
c9049bd

Caddy 2.1 introduces a variety of new features, bug fixes, and other enhancements! Highlights:

  • Fully automated mTLS certificates. Caddy 2.1 can fully manage all its TLS certificates -- including TLS client certificates -- using any ACME endpoint you configure. New in this version, the reverse proxy module can be configured to present an automated client certificate, just by providing its subject name in the config. We've tested it with Caddy's built-in ACME server, Let's Encrypt, Sectigo, and Smallstep ACME endpoints. Using this feature, Caddy will keep the client certificate renewed automatically.

  • Embedded ACME server (powered by Smallstep). This allows other ACME clients to use Caddy as an ACME endpoint. The idea here is to replace one-off self-signed, generated certificates with proper, short-lived, auto-renewing certificates for local development and internal deployments. In other words, if you're running a command every so often to produce a self-signed certificate, use Caddy instead for proper, fully-managed internal PKI. Simply add the acme_server directive to your Caddyfile for its default configuration, or use its JSON interface.

  • H2C support. Although discouraged in the general case, HTTP/2 over Cleartext HTTP (h2c) can be useful when serving or proxying gRPC locally/internally on trusted networks; and because TLS support in gRPC services is currently poor, h2c might even be required in some cases. Caddy can now serve HTTP/2 without encryption, and it can communicate as a client with an HTTP/2 server that does not support TLS. To proxy h2c, set the versions property to include "h2c". To serve h2c, enable allow_h2c in your HTTP server config.

  • New handle_path Caddyfile directive. This works exactly the same as handle, but it accepts only a path prefix matcher and it strips the matched portion of the path before executing the directives contained in its block. It's a shortcut for using handle and uri strip_prefix together, which was a common enough use case that we consolidated it into a new directive.

  • Auto HTTPS can be configured in the Caddyfile. You can use the auto_https global option to disable it entirely, or disable only HTTP->HTTPS redirects. This is useful if you don't want to bind to any HTTP port at all.

  • Various other Caddyfile improvements. Several quality-of-life improvements for the Caddyfile, including one-line named matchers such as @foo not path /foobar/*, and the ability to use backticks (`) to enclose strings where double quotes (") are inconvenient.

  • Reverse proxy response interception. The reverse proxy can now intercept and handle the response from upstream based on the response status code and/or headers. This allows you to invoke custom, arbitrary HTTP logic based on the response from a backend.

  • Many bug fixes and other enhancements. We always say this, I know, but just look at that changelog.
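
The Caddyfile features from the list above, combined in one config as an added example (not taken from the Caddy project's documentation); the hostnames, upstream address and paths are placeholders.

```caddyfile
# Global options: keep automatic HTTPS, but turn off only the
# HTTP->HTTPS redirects (use "auto_https off" to disable it entirely).
{
    auto_https disable_redirects
}

# Internal ACME endpoint backed by Caddy's built-in CA.
# ca.example.internal is a placeholder hostname.
ca.example.internal {
    tls internal
    acme_server
}

# app.example.internal and 127.0.0.1:9000 are placeholders.
app.example.internal {
    tls internal

    # handle_path strips the matched /api prefix, so the upstream sees
    # /users for a request to /api/users. It is shorthand for:
    #
    #   handle /api/* {
    #       uri strip_prefix /api
    #       reverse_proxy 127.0.0.1:9000
    #   }
    handle_path /api/* {
        reverse_proxy 127.0.0.1:9000
    }

    # Backticks enclose a body that itself contains double quotes.
    respond /health `"ok"` 200

    # One-line named matcher: everything that is neither /api/* nor /health.
    @other not path /api/* /health
    respond @other "Not found" 404
}
```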

Thank you to all who contributed and filed actionable bug reports as well as patches! Please keep it up. :)

Changelog

1dc4ec2 admin: Disallow websockets
aef560c all: Recover from panics in goroutines
41a682d caddyauth: Add realm to basicauth Caddyfile directive (#3315)
9a7756c caddyauth: Cache basicauth results (fixes #3462) (#3465)
96d6d27 caddyconfig: Don't start comments in middle of tokens (#3267)
6c051cd caddyconfig: Minor internal and godoc tweaks
fdf2a77 caddyfile: Add args on imports (#3423)
d55c3b3 caddyhttp: Add client cert SAN placeholders
ffc125d caddyfile: Move NewTestDispenser into non-test file (#3439)
5230561 caddyfile: Support backticks as quotes (closes #2591) (#3242)
294910c caddyhttp: Add client.public_key(_sha256) placeholders
0cbf467 caddyhttp: Add time.now placeholder and update cel-go (closes #2594)
2d1f7b9 caddyhttp: Auto-redirects from all bind addresses (fix #3443)
21c00a3 caddyhttp: Better host matching for logger names (fix #3488) (#3522)
7b0962b caddyhttp: Default to error status if found in context
3af15c0 caddyhttp: Empty, not nil, query matcher matches empty query string
6db3615 caddyhttp: Enable matching empty query string
4c55d26 caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379)
d534162 caddyhttp: Match hostnames with wildcards to loggers (#3378)
7960b42 caddyhttp: Minor refactoring for preparing requests
e5bbed1 caddyhttp: Refactor header matching
a285fe4 caddypki: Add 'acme_server' Caddyfile directive
bde3823 caddytest: Refactor Caddyfile adapt tests to separate files (#3398)
e18c373 caddytls: Actually use configured test CA
11a132d caddytls: Configurable cache size limit
6d03fb4 caddytls: Don't decode HMAC
62c9f2c cmd: Add --envfile flag to run command (#3278)
4df56c7 cmd: Add pidfile support (closes #3235)
83551ed cmd: Only stop admin server on signal if it exists (fix #3470)
996af09 cmd: Support admin endpoint on unix socket (#3320)
aa20878 cmd: file-server: add --access-log flag (#3454)
bb67e19 cmd: hash-password: Fix broken terminal state on SIGINT (#3416)
5bde8d7 cmd: hash-password: Support reading from stdin (#3373)
44536a7 cmd: reverse-proxy: add --insecure flag (with warning) (#3389)
ef6e53b core: Add support for d duration unit (#3323)
28ab0bf core: Support loading modules from [][]json.RawMessage fields
b1480eb fastcgi: Fix php_fastcgi matcher regression (#3512)
fa4cdde fastcgi: Make sure splitPos handles empty SplitPath correctly (#3491)
7243454 fastcgi: php_fastcgi subdirectives to override shortcut behaviour (#3255)
1e8c976 file_server: Accept files args in one-liner of Caddyfile matcher (#3298)
c9049bd go.mod: Minor dependency updates
9dafa63 go.mod: Update dependencies
3fb2c39 go.mod: Update dependencies
d5d7fb5 go.mod: Update dependencies
cb0d983 go.mod: Update quic-go to 0.17.1 (draft 29) and certmagic 0.11.2 (eab)
fae0642 httpcaddyfile: Add auto_https global option (#3284)
1dfb114 httpcaddyfile: Add client_auth options to tls directive (#3335)
21de227 httpcaddyfile: Be stricter about log syntax (#3419)
32cafbb httpcaddyfile: Fix ordering of catch-all site blocks
cd9317e httpcaddyfile: Fix route ordering bug
cc8fb48 httpcaddyfile: Improve error on matcher declared outside site block (#3431)
a496308 httpcaddyfile: Let modules add listener wrappers (#3397)
dc9f4f1 httpcaddyfile: Make global options pluggable (#3265)
d84a5d8 httpcaddyfile: New acme_eab option (#3492)
8c5d00b httpcaddyfile: New handle_path directive (#3281)
2f59467 httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)
ea7e4b4 httpcaddyfile: Shorthands for parameterized placeholders (#3305)
97e61c1 httpcaddyfile: Sort site blocks with wildcards last (fix #3410)
26e5596 httpcaddyfile: Support single-line matchers (#3263)
41c7bd2 httpserver: Add experimental H2C support (#3289)
bf8c3c2 log: improve rounding logic for log rolling directives (#3367)
9415fec logging: Net writer redials if write fails (#3453)
c47ddbe pki: Add docs to some struct fields
184e8e9 pki: Embedded ACME server (#3198)
4b10ae5 reverseproxy: Add Caddyfile support for ClientCertificateAutomate
afecd90 reverseproxy: Add tls_server_name option to Caddyfile (#3322)
1c17e6c reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
90c7b4b reverseproxy: Apply response header ops before copying it (fix #3382) (#3401)
b3bff13 reverseproxy: Close websocket conn if req context cancels
2a8a198 reverseproxy: Don't overwrite existing X-Forwarded-Proto header
812278a reverseproxy: Emit debug log before checking error (#3425)
7a99835 reverseproxy: Enable changing only the status code (close #2920)
538ddb8 reverseproxy: Enable response interception (#1447, #2920)
22055c5 reverseproxy: Fix https active health checks #3450 (#3451)
c1e5c09 reverseproxy: Improve error message when using scheme+placeholder (#3393)
9ee01dc reverseproxy: Make debug log safe if error occurs
881b826 reverseproxy: Pool copy buffers (minor optimization)
003403e templates: Add support for dots to close yaml frontmatter (#3498)
483e31b templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387)
b814c0a tls/client auth: verify first certificates in client request (#3344)

2.1 beta 1

08 Jun 19:46
v2.1.0-beta.1
90dba17
Pre-release

Caddy 2.1 is now in beta! Featuring:

  • Embedded ACME server (powered by Smallstep). Enable it with the acme_server HTTP handler (or Caddyfile directive). Then by default, all requests under /acme/* will be handled by the ACME server using Caddy's default built-in CA.
  • Fully-managed client certificate renewals. Caddy can obtain and renew client certificates it uses when reverse-proxying, totally hands-free! Combined with the embedded ACME server, Caddy 2.1 offers fully-automated mTLS.
  • H2C (HTTP2 over Cleartext TCP) support, both server and client side. This means Caddy can proxy gRPC over plaintext HTTP/2 frames.
  • New handle_path Caddyfile directive which works the same as handle but it must take a path matcher, and the path prefix will be stripped implicitly before invoking the handlers in the block.
  • Many quality-of-life improvements in the Caddyfile.
  • Several bug fixes and other enhancements.

Please test and upgrade to this version, and report bugs while it's still in beta! Thank you for participating in our development cycle.

v2.0.0

04 May 17:06
v2.0.0
e051e11

🎉 It's here! Caddy 2 is ready for production. Check out the v2 landing page!

💚 Please consider sponsoring - I work on this full-time, and it would not be possible without continued company and individual sponsors, thank you!

We recommend all users begin to upgrade. Please spend time in the documentation. We've worked hard to make everything as clear and simple as possible. Once you have tested Caddy 2, deploy it into production. We think you'll be very pleased with the results.

Keep in mind that this is just the beginning: "2.0" does not mean the software is perfect, only that it is stable. Its readiness is guided by your feedback! We will continue to develop features, quality-of-life improvements, and bug fixes (2.1 is already slated to have 30+ improvements).

Thank you to everyone in the community who helpfully reported bugs and contributed over the past year!

See all commits since RC 3 here.

Changelog

9a57263 admin: Close admin endpoint when shutting down (fixes #3269)
f5ccb90 admin: Disable host checking if wildcard interface is specified
5ae1a56 caddyhttp: Add split_path to file matcher (used by php_fastcgi) (#3302)
f931c26 caddyhttp: Better duration logging
ebf07f8 caddyhttp: Fix auto redirects for catch-all HTTPS sites
bacf50a caddyhttp: Fix common_log format's user ID placeholder (#3300)
83c85c5 caddyhttp: Fix listener overlap detection on Linux
026937f caddyhttp: Fix trailers when recording responses (fixes #3236)
10db570 caddyhttp: General improvements to access logging (#3301)
a1796c2 caddytls: Adjust DNS challenge structure; clarify some docs
8e42661 caddytls: Finish upgrading to libdns DNS providers for ACME challenges
86a4f2c caddytls: Fix namespace tls.dns -> dns.providers
c11d0e4 cmd: Clean up, simplify reverse proxy command; fix some edge cases
100d19e dangit, of course I would bork my git commit
1fa8c18 go.mod: Remove DNSProviderMaker interface; update to lego 3.6
2609a72 go.mod: Update dependencies including CertMagic (fixes #3202)
97ed9e1 httpcaddyfile: Add nil check to prevent panic, fix validation logic
829e36d httpcaddyfile: Don't lowercase placeholder contents (fixes #3264)
bca610f httpcaddyfile: Minor fixes to parsing storage options
a77bd1d httpcaddyfile: Update tls parsing for DNS providers
295604d httpcaddyfile: Why was this code repeated??
0798459 readme: Fix broken links (#3283)
1b06181 reverseproxy: Don't forget to provision embedded headers handler
a507a5b reverseproxy: Remove circuitbreaker module (see #3331)
76bbb47 reverseproxy: Set X-Forwarded-Proto (closes #3275) (#3276)
da8686c reverseproxy: always set req.URL.Host with upstream (#3297)

2.0 release candidate 3

13 Apr 19:07
v2.0.0-rc.3
ec45681
Pre-release

🎉 Release Candidate 3! It is anticipated that this is the final pre-release. No new bug fixes or enhancements are planned. Only critical fixes that require a significant change will result in a fourth release candidate; otherwise, the next tag should be v2.0.0.

💚 Please consider sponsoring this project. I work on this full-time and appreciate your support!

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to this release candidate.

Thank you to everyone in the community who helpfully reported bugs and contributed to this release!

Some highlights:

  • Fixed occasional logging-related panic on some HTTP requests (introduced in rc2)
  • Enhanced default security of admin endpoint (thanks to @kalmi for the great feedback!)

See all commits since RC 2 here.

Changelog

a3bdc22 admin: Always enforce Host header checks
999ab22 caddyhttp: Add nil check (fixes #3248 and fixes #3250)
ec45681 core: Don't return error on RegisterModule() and RegisterAdapter()
3bee569 httpcaddyfile: Don't remove empty TLS conn policies (fix #3249)

2.0 release candidate 2

09 Apr 19:44
v2.0.0-rc.2
f29023b
Pre-release

🎉 Release Candidate 2! A release candidate means we think the software is good enough to release, but we want to allow another cycle for bug fixes based on issues raised from the community. Now is the time to upgrade!

💚 Please consider sponsoring this project. I work on this full-time and appreciate your support!

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to this release candidate.

Thank you to everyone in the community who helpfully reported bugs and contributed to this release!

Some highlights:

  • ⚠️ The reverse proxy's NTLM transport module was moved into its own repository
  • New key_type Caddyfile global option to customize certificate key type
  • The not matcher in the Caddyfile can now be a one-liner to negate a single matcher
  • Numerous bug fixes and other improvements
  • Known issue, already fixed: Panic when logging an error when no logs configured; upgrade to latest commit on master for fix.

See all commits since RC 1 here.

Changelog

fbd9515 basicauth: Re-prompt after invalid credentials (fix #3239) (#3240)
7be747f caddyhttp: Add missing LB policy Caddyfile unmarshalers (#3230)
e5dc76b caddyhttp: CEL matcher checks return type; slight refactor
0fe9803 caddyhttp: Fix logging name associations by adding a default
e30deed caddyhttp: Return port placeholders as ints
5b355cb caddyhttp: Strictly forbid unnecessary blocks on matchers (#3229)
a3cfe43 caddyhttp: Support single-line not matcher (#3228)
85f5f47 caddytls: Don't initialize default internal issuer unless necessary
d89ad2f caddytls: Fix for TLS conn policy being applied to HTTP-only servers (#3243)
6a32daa caddytls: Support custom bind host for challenges (#3232)
4d9b63d cel: Leverage DefaultAdapter to extend CEL's type system
346c33b cmd: Log warning if --resume and --config used together
8b2dbc5 core: Rename ParsedAddress -> NetworkAddress
1e8af27 fastcgi: Account for lack of split path configuration (fix #3221)
c5f9227 go.mod: Try smallstep again
c7ac7de go.mod: Update CertMagic (again) v0.10.10
b6482e5 go.mod: Update CertMagic to v0.10.8
d33926b go.mod: Update certmagic
b4a7d62 go.mod: Update dependencies
88d391c go.mod: Update smallstep/cli
05164c8 go.mod: Use latest Certmagic (v0.10.9)
28fdf64 httpcaddyfile, caddytls: Multiple edge case fixes; add tests
5110643 httpcaddyfile: Add key_type global option (#3231)
145aebb httpcaddyfile: Carry bind setting through to ACME issuer (fixes #3232)
3d6fc1e httpcaddyfile: Yield cleaner JSON when conn policy or log name is empty
6e4132e logging: Colorize output in all cases of stdout/stderr
6e4c688 logging: Only colorize console output
f29023b reverseproxy: Minor tweaks
2c1b663 reverseproxy: Remove NTLM transport; refactor and improve docs
b1ce9d4 templates: Add env function (closes #3237)
95f6bd7 templates: Update docs
437d509 templates: Use text/template; add experimental notice to docs

2.0 release candidate 1

02 Apr 23:29
v2.0.0-rc.1
Pre-release

🎉 Release Candidate 1! A release candidate means we think the software is good enough to release, but we want to allow another cycle for bug fixes based on issues raised from the community. Now is the time to upgrade!

💚 Please consider sponsoring this project. I work on this full-time and appreciate your support!

This release is production-ready and should be used in production (after testing locally and in staging environments) as much as possible. We recommend that all users test and upgrade to RC1.

Remember that release candidates are still pre-release, and there may be more than one release candidate depending on bug reports.

Thank you to everyone who participated in the improvements for this release, especially @mohammed90 for being our CI wizard! Also a huge thanks to @sarge for working on integration tests, which will get more attention in the coming months, and to @whitestrake and @francislavoie for helping in the community so much.

Some highlights:

  • ⚠️ A few lesser-known/used properties in the JSON were changed: not request matchers now take an array of objects rather than a single object; removed manage_sync from TLS automation policies; renamed tag to any_tags and all_tags and removed policy in TLS certificate selection policies.
  • The root directive now gets evaluated before redir and rewrite by default.
  • New caddy trust command for installing Caddy's default root certificate.
  • Supports ACME externalAccountBinding feature, for interop with commercial CAs.
  • The not HTTP request matcher can now consult one or more matcher sets.
  • Numerous bug fixes and other improvements.

See all commits since beta 20 here.

Changelog

397e04e caddyauth: Add Metadata field to caddyauth.User (#3174)
6fe04a3 caddyfile: Export NewTestDispenser() (close #2930)
7ee3ab7 caddyfile: Formatter enhancements
deba26d caddyfile: Minor fixes to the formatter
73643ea caddyhttp: 'not' matcher now accepts multiple matcher sets and OR's them (#3208)
581f1de caddyhttp: Print actual listener address in log message (closes #2992)
ac65f69 caddyhttp: Rename MatchNegate type to MatchNot type
0d2a351 caddyhttp: Update host matcher docs about wildcards
9fb0b1e caddytls: Add support for externalAccountBinding ACME extension
7ca1586 caddytls: Encode big.Int as string with JSON
c87f82f caddytls: Match automation policies by wildcard subjects too
6ca5828 caddytls: Refactor certificate selection policies (close #1575)
ea3688e caddytls: Remove ManageSync
5c55e5d caddytls: Support placeholders in key_type (#3176)
ce3ca54 caddytls: Update cipher suite names and curve names
673d3d0 file_server: Fix dumb error check I must have written at 1am
19b4554 go.mod: Update smallstep/truststore
d322de6 gzip: Use klauspost/gzip, an optimized gzip implementation
37aa516 headers: Trim any trailing colon from field names as a courtesy
904d9ca httpcaddyfile: Include non-standard ports when mapping logger names
178ba02 httpcaddyfile: Put root directive first, before redir and rewrite
1c190b0 httpcaddyfile: Refactor site key parsing; detect conflicting schemes
244b839 pki: Add trust subcommand to install root cert (closes #3204)
1456f15 readme: So much more ... what? Fixed cliffhanger
e207240 reverse_proxy: Upstream.String() method returns either LookupSRV or Dial
809e727 rewrite: Fix for rewrites with URI placeholders (#3209)

2.0 beta 20

24 Mar 19:56
v2.0.0-beta.20
2acb208
Pre-release

🏷 Caddy 2.0 beta 20 is the next and hopefully final pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production.

🎉 This should be the last beta version before the release candidates. Unless major bugs or changes are found soon, the next tag will probably be RC1. Most new features are now slated for 2.1.

💚 Please consider sponsoring this project. I work on this full-time and appreciate your support!

Some highlights:

  • ⚠️ Removed jsonc and json5 config adapters, brotli encoder module, and cache HTTP middleware. We wanted to slim up the code base a little by removing modules that we deemed non-essential for our initial release. They will be available in other repositories, and you can still plug them in if you need them.
  • Fix for ACME error that sometimes occurred in new/first-time deployments
  • reverse_proxy: Service discovery through DNS SRV records
  • Numerous other bug fixes and improvements

See all commits since beta 19 here.

Please remember that Caddy 2 is still pre-release so there may be breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

2.0 beta 19

23 Mar 17:31
v2.0.0-beta.19
348cb79
Pre-release

Caddy 2.0 beta 19 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

💚 Please consider sponsoring this project. I work on this full-time and appreciate your support!

Some highlights:

  • New handle_errors directive for powerful, flexible error handling logic
  • New CEL matcher
  • New --watch flag for caddy run|start commands to auto-reload config
  • Fix sporadic ACME HTTP challenge hangs
  • Fix matching wildcard TLS connection policies
  • Several fixes and improvements to auto-HTTPS logic
  • Numerous other little fixes and improvements!
  • Known bug: Some default configurations fail to create new Let's Encrypt accounts when needed with term agreement errors; as a workaround, specify "http_port": 80 or "https_port": 443 in your HTTP app config. Fixed in 4c43bf8.

See all commits since beta 18 here.

Please remember that Caddy 2 is still pre-release so there may be breaking changes between tags. We hope you will find ways to use Caddy 2 beta in production and report any issues you find!

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!

2.0 beta 18

19 Mar 22:09
v2.0.0-beta.18
6a4d638
Pre-release

Caddy 2.0 beta 18 is the next pre-release in the development cycle of Caddy 2 and is the best one yet! We recommend that everyone on the beta track upgrade, test in a dev or staging environment, and then use in production!

🎉 This tag marks feature-completeness for 2.0. While we may still add new features before v2, they are not blocking its release. Most work going forward will be cleanup, refinement, and bug fixing, for the release candidates.

💚 Please consider sponsoring this project. I work on this full-time!

⚠️ This release contains breaking changes. ⚠️

Some highlights:

  • On-demand TLS is now configurable in the Caddyfile. This enables getting certificates during TLS handshakes, convenient for SaaS deployments.
  • ⚠️ strip_prefix, strip_suffix, and uri_replace Caddyfile directives were replaced by the unified uri directive
  • New --templates flag for the file-server command
  • Support for listener wrapper modules
  • Default log format is now JSON for non-interactive shells
  • local_certs global option for the Caddyfile, to default to all locally-trusted certificates
  • New experimental expression matcher supports CEL, for complex request matching logic
  • Built on Go 1.14.1, which fixes the spinning CPU bug in the runtime on Mac
  • Numerous bug fixes and enhancements!

See all commits since beta 17 here.

This is a community effort, so please report bugs, join the discussion, and submit pull requests to be a part of the team!
