0.10.12

This release brings ACMEv2 and wildcard certificate support!

Read the release announcement blog post for details. There's some things in there you should know, including a description of how some really cool features work.

Thanks to everyone who contributed to this release!

Change list:

• Switch to Let's Encrypt ACMEv2 production endpoint
• Support for automated wildcard certificates
• Support distributed solving of HTTP-01 challenge
• New {labelN}, {tls_cipher}, and {tls_version} placeholders
• Curly braces can now be escaped when not used as placeholders
• New third-party plugin: geoip
• Updated QUIC
• fastcgi: Add SSL_CIPHER and SSL_PROTOCOL environment variables
• log: New 'except' subdirective to exempt paths from logging
• startup/shutdown: Removed in favor of 'on'
• tls: Default minimum version is TLS 1.2
• tls: Revert to fallback cert if no cert matches SNI
• tls: New 'wildcard' subdirective to force automated wildcard cert
• Several significant bug fixes and improvements!

0.10.11

This release improves automatic HTTPS in cluster configurations, internal TLS asset management, adds service discovery support to reverse proxying, reusable snippets for the Caddyfile, and more!

Read the details in the announcement blog post!

A few minor "breaking" changes include how signals are handled, conflicting TLS configurations are no longer allowed (an error is raised), and a TLS alert is raised if SNI is used but no certificate is available, rather than serving a default certificate.

Special thanks to Ed for helping us patch a minor path-based open redirect possibility!

Full change log:

• Built with Go 1.10
• Reusable snippets for the Caddyfile
• Updated QUIC
• Auto-HTTPS certificates may be shared by multiple instances
• Expand globbed values in -conf flag
• Swap behavior of SIGTERM and SIGQUIT; ignore SIGHUP
• 9 new DNS provider plugins for the ACME DNS challenge
• New placeholder for {<Response-Header} values
• basicauth: Username put in {user} placeholder
• fastcgi: GET requests can now send a body
• proxy: Service discovery with DNS SRV load balancing
• request_id: Allow reusing request ID from header field
• tls: Improved efficiency of many certificates and reloads
• tls: Raise error if conflicting TLS configurations collide
• tls: Raise TLS alert if SNI used and no cert matched
• tls: Reject OCSP responses that expire after the certificate
• tls: Clients can use SNI to request a specific certificate
• tls: Add option for backend to approve on-demand certificate
• tls: Synchronize maintenance of shared, managed certificates
• Numerous fabulous bug fixes

0.10.10

With this release, we also launch our updated pricing structure. Read the blog post for details!

Caddy 0.10.10 removes the Caddy-Sponsors header for all builds as well as featuring a number of incremental improvements and bug fixes. This version has one notable, possibly-breaking change, but it is for security reasons.

The new default of the CASE_SENSITIVE_PATH environment variable (if not set) is now false, meaning that matching a base path (using Path.Matches()) to a directive will be a case-insensitive comparison by default. This helps avoid common misconfigurations with security-related directives like basicauth (and similar auth-related third-party plugins) which protect resources by a base path. As far as static files go, this mainly affects Windows and macOS that have case-insensitive file systems. (Thanks to @magikstm for bringing this common misconfiguration caused by non-obvious documentation to our attention.)

Another notable change is that startup and shutdown have been deprecated in favor of on. You should use on soon as we will eventually remove startup and shutdown directives.

All changes:

• Built with Go 1.9.1
• Removed Caddy-Sponsors header
• New 'on' directive that deprecates 'startup' and 'shutdown'
• Changed CASE_SENSITIVE_PATH default to false
• fastcgi: Support for SRV upstreams
• redir: Rules with if statements are not checked for duplicates
• Several minor bug fixes

0.10.9

This release introduces our new EULA for binaries distributed through our website, as well as the Caddy-Sponsors header as a thank you to our sponsors for keeping Caddy free for personal use. We're very happy to have them on board, and invite others to sponsor the project to give the gift of privacy to site owners and Web users everywhere.

In this version we've also fixed a bug related to certificate renewals, where the renewed certificate wouldn't be loaded and used. The bug was introduced in v0.10.6, so everyone using v0.10.6, v0.10.7, or v0.10.8 should upgrade. This version also includes a fix for using templates + proxy together so that templates now sends the right status code in the response.

One new feature: Caddy can now act as a QUIC reverse proxy by using quic:// to specify a backend! This is experimental, but where you'd like, feel free to give it a try.

• EULA bundled with official binaries
• Caddy-Sponsors header to indicate personal-use license
• proxy: Support for QUIC backends
• templates: Write proper status code if proxied
• tls: Fix bug related to cert renewals

0.10.8

This is mainly a security release, with a couple other bug fixes (see commit history for details on those).

This release fixes issue #1859. Previously, Caddy would not compress/merge multiple consecutive forward slashes in the URL for comparisons, causing certain comparisons to fail falsely not because of technical correctness, but rather semantic correctness (i.e. it depends on what is using the path, but most often, file systems will annoyingly collapse multiple slashes). Now, Caddy's path matching behaves similar to NGINX's location block if merge_slashes is enabled. Caddy now merges slashes by default when comparing paths using Go's path.Clean(), which also evaluates .. in paths to ensure equivalence on a semantic level.

We recommend installing this update right away if you use middleware (including plugins) that rely on matching paths to protect resources. All the relevant, standard (built-in) directives should be remedied with this (including basicauth), but third-party plugins that do not use Path.Matches() will have to ensure that they are properly sanitizing the path before doing a comparison.

You can use getcaddy.com to automate updates, then send SIGUSR2 to gracefully upgrade the binary with no downtime.

0.10.7

This release introduces 3 new HTTP plugins: awses, jekyll, and forwardproxy, and supports SIGUSR2 for graceful binary upgrades. Read the release blog post for more information.

A huge thanks to our sponsors for making continued development possible, and for keeping this release of Caddy free for everyone to use: Minio, Uptime Robot, and Sourcegraph!

Change list:

• Built with Go 1.9
• New 3rd-party plugin HTTP directives: jekyll, awses, forwardproxy
• Different exit codes
• Plan 9 support
• Graceful binary upgrades with SIGUSR2
• internal: Support X-Accel-Redir without paths to protect
• templates: Can execute templates loaded by other middleware
• A few really good bug fixes

0.10.6

This is a hotfix for 0.10.5's fastcgi directive which invokes a runtime error on 32-bit and ARM architectures, due to a known, documented bug in Go. We don't run tests on 32-bit or ARM (yet) which would have been the only way to catch this error in an automated fashion. Sorry about that. Enjoy this release! It's the best one yet.

0.10.5

It's been kind of a crummy week for a lot of people, but here's some good news: Caddy 0.10.5 is out! This release fixes subtle issues that were present in proxying WebSockets or FastCGI connections. We've also improved MITM detection for iOS clients. There is a new header-based load balancing policy. On top of these changes, of note are these:

• The requestid directive has been renamed to request_id to be more consistent with other directives and subdirectives.

• There is a new default timeout in town: the idle timeout now has a default value of 5 minutes. Unlike the previous default timeouts, we don't expect this will negatively impact anyone. There is generally no good use for idle connections, and if you have a good use for them, you can disable this timeout in your Caddyfile. (We've tested this timeout on several kinds of sites for months and have had zero problems, only improvements in memory and FD usage.)

• This release is compatible with three new 3rd-party plugins! The http.cache plugin acts as a caching layer of middleware, which can drastically improve performance of serving your site. http.nobots attempts to dissuade bots from accessing your site. http.webdav was extracted from the filemanager plugin and enables webdav serving.

As usual, a HUGE thanks to contributors who made this possible! Most of these changes were implemented by contributors to the project, while the maintainers have been busy working on improved proxy middleware and other things (that hopefully we can reveal soon). Our community is fantastic, and we and all Caddy users appreciate you. Thank you!

Full change log:

• Renamed requestid directive to request_id
• Set default idle timeout of 5 minutes
• New 3rd-party plugin directives: cache, nobots, webdav
• New Unix timestamp placeholder {when_unix}
• Improved MITM detection on iOS clients
• errors, log: Fix log rolling parsing
• gzip: Convert any ETag header to weak etag
• fastcgi: Reverted persistent connections (issue #1736)
• proxy: Added header loaded balancing policy
• proxy: Fix hang on chunked WebSockets (e.g. with HomeAssistant)
• Several other bug fixes and minor internal improvements

0.10.4

This release is our first with vendored dependencies. Together with an updated build command, these builds should be fully reproducible, byte-for-byte (without plugins).

A huge thank-you to our sponsors for making this possible! We hope you enjoy this release!

Change list:

• Vendor all dependencies
• Improve MITM detection, add experimental Tor browser support
• New request_id directive to add request IDs to each request
• New HTTP plugins supported: authz, grpc, gopkg, reauth, restic
• browse: Refreshed default UI and added symlink indicators
• errors, log: Added rotate_compress directive to compress rolled logs
• markdown: Template files loaded at each request instead of just once
• proxy: Allow multiple Server header fields on downstream response
• proxy: Perform health checks by body substring
• rewrite,redir: Added 'not_starts_with' and 'not_ends_with' operators
• tls: New ca subdirective to specify CA endpoint per-site
• Several bug fixes

0.10.3

Caddy 0.10.3 includes support for new plugins (datadog and login) as well as a few minor fixes or changes, with one notable change: the maxrequestbody directive has been changed to the limits directive. You will need to change that in your Caddyfile.

Full change list:

• Replace 'maxrequestbody' directive with 'limits' directive
• proxy: Configurable port for health check
• proxy: New load balance policy: uri_hash
• templates: Renamed .Push context action to .AddLink
• tls: Allow narrower certificate renewal window at startup (#1680)
• tls: Prefer ChaCha20 if hardware does not have AES-NI
• A few other bug fixes