Releases: caddyserver/caddy

0.8.2

25 Feb 18:04

With 0.8.2, Caddy gets On-Demand TLS, which means it can obtain certificates during TLS handshakes; it does not need to know all the names when you start the server. Caddy is now built on Go 1.6, meaning faster crypto and highly-optimized garbage collection. Caddy no longer restarts on its own, only when signaled with USR1 (all certificate maintenance is now done in-process). We've also added support for SHA384 cipher suites and the ability to load certificates in bulk from a folder.

On-Demand TLS is currently under tight rate limits to mitigate abuse. When you enable it, you have to set a hard limit on how many certificates it is allowed to issue, using the max_certs property of the tls directive.

  • At most one certificate challenge happens at a time.
  • After 10 certificates are successfully obtained, new certificate challenges will not happen until 10 minutes after the last successful challenge.
  • A name that fails a challenge will not be allowed to be attempted again for 5 minutes.
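
The three limits above, as an added Go sketch that is not Caddy's code: the constants are the figures quoted in the notes, maxCerts stands in for the max_certs hard limit, and the clock is injectable so the pause and the lockout can be exercised without waiting.

```go
package main

import (
	"sync"
	"time"
)

const burstSize = 10                // successes before a pause is imposed
const burstPause = 10 * time.Minute // pause, counted from the 10th success
const failPenalty = 5 * time.Minute // lockout for a name whose challenge failed

// Throttle models the limits quoted in the notes (not Caddy's code); maxCerts is the max_certs hard limit.
type Throttle struct {
	mu            sync.Mutex
	now           func() time.Time // injectable clock, so tests need not sleep
	maxCerts      int
	issued, burst int // obtained in total; successes since the last pause
	pauseUntil    time.Time
	failedAt      map[string]time.Time
	inFlight      bool
}

func NewThrottle(maxCerts int, now func() time.Time) *Throttle {
	return &Throttle{now: now, maxCerts: maxCerts, failedAt: map[string]time.Time{}}
}

// Begin reports whether a challenge for name may start; on true it holds the single in-flight slot until Finish.
func (t *Throttle) Begin(name string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.inFlight || t.issued >= t.maxCerts || t.now().Before(t.pauseUntil) {
		return false // one at a time; max_certs reached; post-burst pause
	}
	if f, ok := t.failedAt[name]; ok && t.now().Sub(f) < failPenalty {
		return false // this name failed within the last 5 minutes
	}
	t.inFlight = true
	return true
}

// Finish records the outcome of the in-flight challenge for name.
func (t *Throttle) Finish(name string, ok bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.inFlight = false
	if !ok {
		t.failedAt[name] = t.now()
		return
	}
	t.issued++
	if t.burst++; t.burst == burstSize { // the 10th success starts the pause
		t.burst = 0
		t.pauseUntil = t.now().Add(burstPause)
	}
}
```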

This feature -- as well as all automatic HTTPS, even at startup -- is not guaranteed to be supported in the future if ACME CAs are not able to issue certificates in a reasonable timeframe (quicker than 10 minutes). Please speak with your CA if this is of interest to you.

See the relevant documentation and release announcement for more details.

All notable changes:

  • On-demand TLS can obtain certificates during handshakes
  • Built with Go 1.6
  • Process log (-log) is rotated when it gets large
  • Managed certificates get renewed 30 days early instead of just 14
  • fastcgi: Allow scheme prefix before address
  • markdown: Support for definition lists
  • proxy: Allow proxy to insecure HTTPS backends
  • proxy: Support proxy to unix socket
  • rewrite: Status code can be 2xx or 4xx
  • templates: New .Markdown action to interpret included file as Markdown
  • templates: .Truncate now truncates from end of string when length is negative
  • tls: Set hard limit for certificates obtained with on-demand TLS
  • tls: Load certificates from directory
  • tls: Add SHA384 cipher suites
  • Multiple bug fixes and internal changes

0.8.1

12 Jan 19:18

This is a patch release with few new features but with many significant internal improvements and bug fixes.

All known issues introduced by 0.8 are fixed in this patch. The browse middleware gets a shiny new template that looks better on all screens and is easier to use. The rewrite directive was upgraded to implement powerful rewrite rules with conditions, regex captures, and status code responses. The import directive can import multiple files at once with glob matching.

Detailed change log:

  • Improved OCSP stapling
  • Better graceful reload when new hosts need certificates from Let's Encrypt
  • Current pidfile is now deleted when Caddy exits
  • browse: New default template
  • gzip: Added min_length setting
  • import: Support for glob patterns (*) to import multiple files
  • rewrite: New complex rules with conditions, regex captures, and status code
  • tls: Removed DES ciphers from default cipher suite list
  • tls: All supported certificates are OCSP-stapled
  • tls: Allow custom configuration without specifying certificate and key
  • tls: No longer allow HTTPS over port 80
  • Dozens of bug fixes, improvements, and more tests across the board

0.8

04 Dec 17:08

Caddy 0.8 is the most progressive update we've ever released. We hope you'll enjoy this new version!

New Features

Automatic HTTPS via Let's Encrypt

All live sites are served over HTTPS automatically for free. Caddy works with any ACME-capable certificate authority but uses Let's Encrypt by default. A Caddyfile like this, for example:

mysite.com

root /www/mysite.com
gzip

will serve your site over HTTPS and redirect HTTP to HTTPS. Caddy will not automatically enable HTTPS for addresses that look like localhost or have tls off in their configuration.

Caddy stores the generated keys and certificates in the ~/.caddy folder on your system. If these assets are already available on the file system from a previous run, Caddy will use those when it starts.

With managed TLS, Caddy staples OCSP information and also keeps certificates renewed for you. This will cause Caddy to restart on occasion, so be aware of that if using a process manager.

The first time automatic HTTPS is triggered, Caddy will prompt for an email address and/or agreement to CA terms. This only happens once, and the email address is optional (but recommended for account recovery purposes). You can bypass the prompt by using the -email and -agree flags.

Known Issues
  1. Specifying an address like http://example.com disables automatic HTTPS (because of explicit HTTP scheme) but http://example.com:8080 does not (because the explicit port overwrites the scheme) even though it should.
  2. Gracefully reloading Caddy with a new host in the Caddyfile that qualifies for automatic HTTPS and needs a certificate fails (because the ports needed to issue the cert are already in use) but it should use existing listeners like renewals do.
  3. If even one certificate fails to be obtained, none of the certificates are saved to disk. This is most notable with LE rate limiting. If a certificate fails, it should save what certificates it obtained to disk.

These will be addressed in a patch release coming soon, unless another more serious bug is discovered.

Graceful Reload

On POSIX-compliant systems, SIGUSR1 will cause Caddy to gracefully reload the Caddyfile (with zero downtime). This restarts the process, spinning up a new process with a new process ID. Make sure to use the -pidfile flag if you're using Caddy with a process manager that needs to keep track of the pid. Caddy will reload on its own if managing SSL certificates. There are also other new signals and flags you can use.

Caddy as a Library

You can now use Caddy as a library in your own Go programs.

package main

import (
    "log"

    "github.com/mholt/caddy/caddy"
)

func main() {
    // Start and Restart take a caddy.Input; caddy.CaddyfileInput wraps
    // Caddyfile text held in memory (these are placeholder configurations).
    caddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2015\nroot /www\n")}
    newCaddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2016\nroot /www\n")}

    // You can start...
    err := caddy.Start(caddyfile)
    if err != nil {
        log.Fatal(err)
    }

    // restart...
    err = caddy.Restart(newCaddyfile)
    if err != nil {
        log.Fatal(err)
    }

    // and stop Caddy services...
    err = caddy.Stop()
    if err != nil {
        log.Fatal(err)
    }

    // or just wait for them to close.
    caddy.Wait()
}

See the godoc for more information.

Full Change List

  • HTTPS by default via Let's Encrypt (certs & keys are fully managed)
  • Graceful restarts (on POSIX-compliant systems)
  • Major internal refactoring to allow use of Caddy as library
  • New directive 'mime' to customize Content-Type based on file extension
  • New -accept flag to accept Let's Encrypt SA without prompt
  • New -email flag to customize default email used for ACME transactions
  • New -ca flag to customize ACME CA server URL
  • New -revoke flag to revoke a certificate
  • New -log flag to enable process log
  • New -pidfile flag to enable writing pidfile
  • New -grace flag to customize the graceful shutdown timeout
  • New support for SIGHUP, SIGTERM, and SIGQUIT signals
  • browse: Render filenames with multiple whitespace properly
  • core: Use environment variables in Caddyfile
  • markdown: Include Last-Modified header in response
  • markdown: Render tables, strikethrough, and fenced code blocks
  • proxy: Ability to exclude/ignore paths from proxying
  • startup, shutdown: Better Windows support
  • templates: Bug fix for .Host when port is absent
  • templates: Include Last-Modified header in response
  • templates: Support for custom delimiters
  • tls: For non-local hosts, default port is now 443 unless specified
  • tls: Force-disable HTTPS
  • tls: Specify Let's Encrypt email address
  • Many, many more tests and numerous bug fixes and improvements

Credits and More Information

Many thanks to the dozens of contributors and testers who made this possible!

Please see the announcement blog post for the rest of the story. For more instructions about how to use this new Caddy version, see the docs.

0.7.6

29 Sep 13:42

This release contains bug fixes, security patches via new Go versions, and a few new features:

  • Pass in simple Caddyfile as command line arguments
  • basicauth: Support for legacy htpasswd files
  • browse: JSON response with file listing
  • core: Caddyfile as command line argument
  • errors: Can write full stack trace to HTTP response for debugging
  • errors, log: Roll log files after certain size or age
  • proxy: Fix for 32-bit architectures
  • rewrite: Better compatibility with fastcgi and PHP apps
  • templates: Added .StripExt and .StripHTML methods
  • Internal improvements and minor bug fixes

Along with this release we're pleased to welcome three new, very useful add-ons to the Caddy middleware family: jsonp, search, and hugo.

Please see the announcement blog post for more information about the changes and new add-ons.

Given that we've been sprinting ahead with a lot of new features and functionality lately, we'll be focusing a lot on polish, bug fixes, tests, the deployment process, etc., to lay a more solid foundation going forward.

0.7.5

05 Aug 19:37

Several significant refinements are introduced in 0.7.5, as well as fixes for bugs that were exposed by changes made in 0.7.4.

  • core: All listeners bind to 0.0.0.0 unless 'bind' directive is used
  • fastcgi: Set HTTPS env variable if connection is secure
  • log: Output to system log (except Windows)
  • markdown: Added dev command to disable caching during development
  • markdown: Fixed error reporting during initial site generation
  • markdown: Fixed crash if path does not exist when server starts
  • markdown: Fixed site generation and link indexing when files change
  • templates: Added .NowDate for use in date-related functions
  • Several bug fixes related to startup and shutdown functions

Most notably, startup and shutdown functions now only execute once even if the server block is defined for more than one host. So where the following Caddyfile used to echo "Hello world" twice, it now echoes only once:

host1, host2 {
    startup "echo Hello world"
}

The fix in fastcgi should be good for any WordPress sites (or other PHP sites) served over HTTPS. Lots of effort went into improving Markdown features to make it easier to build sites with Markdown using only Caddy.

In earlier versions, every listener would bind to the IP address resolved by the hostname from the Caddyfile. This is no longer the case. Now, every listener always binds to the empty/wildcard host (0.0.0.0). This was done by request, but if it causes problems, please report them.

Finally, non-Windows users may output to the system log with the log and errors directives by specifying syslog as the log filename.

From here on out to version 1.0, most changes will be bug fixes, refinements, and enhancements to existing features with a focus on stability and usability.

We hope you enjoy this release, and thank you to all contributors who made it possible!

0.7.4

05 Aug 19:29

This release brings lots of improvements to the markdown, browse, and redir directives, but some of the changes are breaking in some situations.

Breaking changes:

  • If you used catch-all redirects (redir http://other-domain.com), it used to preserve the request URI. To give you more flexibility, this is no longer the case. Please use {uri} (redir http://other-domain.com{uri}) to preserve request URI.
  • Markdown is quite a bit different. The structure of front matter was flattened, so instead of creating [variables] and indenting variables, all variables are defined without indentation. Also, markdown template actions are different. All values related to the Markdown document, including front matter variables, are in {{.Doc}}, so {{.Doc.body}} shows the rendered content instead of {{.markdown}}, and the title is now {{.Doc.title}} instead of {{.title}}.
  • The template action .Date was renamed to .Now.

Full change list:

  • browse: Sorting preference persisted in cookie
  • browse: Added index.txt and default.txt to list of default files
  • browse: Template files may now use Caddy template actions
  • markdown: Template files may now use Caddy template actions
  • markdown: Several bug fixes, especially for large and empty Markdown files
  • markdown: Generate index pages to link to markdown pages (sitegen only)
  • markdown: Flatten structure of front matter, changed template variables
  • redir: Can use variables (placeholders) like log formats can
  • redir: Catch-all redirects no longer preserve path; use {uri} instead
  • redir: Syntax supports redirect tables by opening a block
  • templates: Renamed .Date to .Now and added .Truncate, .Replace actions
  • Other minor internal improvements and more tests

In addition, the build process was improved so that Linux and BSD downloads are in the .tar.gz file format. Windows and Mac downloads are still .zip.

The Caddy website also gets a blog with this release. We hope you like it, and we welcome guest contributions!

Note: This release introduced several bugs which are fixed in 0.7.5; it's highly recommended to use the newer version instead.

0.7.3

15 Jul 15:55

This patch release fixes bugs introduced in recent versions and refines some working features. Full change list:

  • errors: Error log now shows timestamp with each entry
  • gzip: Fixed; Default filtering is by extension; removed MIME type filter
  • import: Fixed; works inside and outside server blocks
  • redir: Query string preserved on catch-all redirects
  • templates: Proper 403 or 404 errors for restricted or missing files

Also, the build server was updated so that it produces only purely static binaries. This may break Caddy in subtle ways on some platforms, but in our testing we were not able to see any problems. Please let us know if you think the static compilation has broken Caddy in your environment.

0.7.2

01 Jul 18:33

Version 0.7.2 is mostly small changes and fixes, with one breaking change - the git directive was removed. (It is still available as an add-on; keep reading.)

This version also pilots the new Caddy build server which is used to generate custom builds of Caddy for you on-the-fly via the download page or from your automated environments. With it, Caddy becomes a platform on which web services can be produced and consumed. Caddy can continue to grow its feature set without the burden of a growing code base or binary size. If you experience trouble with the build server, please let us know; it needs lots more development in the long term.

The git directive is now available as an add-on feature, which you can select from the Caddy website. Here is the full change list:

  • Custom builds through caddyserver.com - extend Caddy by writing addons
  • browse: Sort by clicking column heading or using query string
  • core: Serving a hostname that doesn't resolve issues a warning, then listens on 0.0.0.0
  • errors: Missing error page during parse time is warning, not error
  • ext: Extension only appended if request path does not end in /
  • fastcgi: Fix for backend responding without status text
  • fastcgi: Fix PATH_TRANSLATED when PATH_INFO is empty (RFC 3875)
  • git: Removed from core (available as add-on)
  • gzip: Enable by file path and/or extension
  • gzip: Customize compression level
  • log: Fix for missing status in log entry when error unhandled
  • proxy: Strip prefix from path for proxy to path
  • redir: Meta tag redirects
  • templates: Support for nested includes
  • Internal improvements and more tests

This version also sports faster SSL on 64-bit architecture thanks to Cloudflare's crypto enhancements. AES and ECDSA should see speedups of over ~20x. The RSA speed is roughly doubled as well. These changes are not directly related to Caddy, since it depends on compiling with their fork of Go.

Note: There's a bug in this release that breaks gzip. The next patch release fixes this.

0.7.1

02 Jun 18:39

This patch release fixes a timing vulnerability in the basicauth middleware, so any users who rely on it should upgrade. Version 0.7.1 also introduces upgrades to the tls and proxy directives. Full change list:

  • basicauth: Patched timing vulnerability
  • proxy: Support for WebSocket backends
  • tls: Client authentication

We would like to thank Jonathan Hanks for reporting the vulnerability in basicauth.
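
The release notes do not describe the fix itself. As an added illustration that is not Caddy's basicauth code, here is the usual shape of a timing leak in a credential check in Go next to a constant-time comparison that closes it; the users map, the authorized helper and the handler are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
)

// Constructed credential store for this illustration only.
// A real store holds password hashes, never plaintext.
var users = map[string]string{"alice": "correct horse battery staple"}

// insecureCheck is the shape of the bug: == stops at the first differing
// byte, so the response time varies with how much of the guess matched.
func insecureCheck(user, pass string) bool {
	stored, ok := users[user]
	return ok && stored == pass
}

// constantTimeCheck hashes both sides to a fixed length (so length differences
// do not leak either) and compares with crypto/subtle, whose running time does
// not depend on where the inputs differ. The comparison also runs for an
// unknown user, so a failed lookup is not distinguishable by timing.
func constantTimeCheck(user, pass string) bool {
	stored, ok := users[user]
	want := sha256.Sum256([]byte(stored))
	got := sha256.Sum256([]byte(pass))
	equal := subtle.ConstantTimeCompare(want[:], got[:]) == 1
	return ok && equal
}

// authorized applies the hardened check to a request's Authorization: Basic header.
func authorized(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	return ok && constantTimeCheck(user, pass)
}

// handler shows how a middleware would use it, issuing the challenge on failure.
func handler(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	w.Write([]byte("ok\n"))
}
```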

0.7.0

25 May 22:46

The main improvements in this release involve HTTPS, Markdown, and usability. Websites running Caddy 0.7.0 will score an 'A' grade at Qualys SSL Labs, assuming the certificate chain is good. Static websites can be generated from Markdown files. Caddy will warn you if a non-localhost domain resolves to loopback or if your ulimit -n (file descriptor limit) is too low for a production (public-facing) site.

Full change list:

  • New directive 'internal' to protect resources with X-Accel-Redirect
  • New -version flag to show program name and version
  • core: Fixed escaped backslash characters inside quoted strings
  • core: Fixed parsing Caddyfile for IPv6 addresses missing ports
  • core: A notice is shown when non-local address resolves to loopback interface
  • core: Warns if file descriptor limit is too low for production site (Mac/Linux)
  • fastcgi: Support for Unix sockets
  • git: Fixed issue that prevented pulling at designated interval
  • header: Remove a header field by prefixing field name with "-"
  • markdown: Simple static site generation
  • markdown: Support for metadata ("front matter") at beginning of files
  • rewrite: Experimental support for regular expressions
  • tls: Customize cipher suites and protocols
  • tls: Removed RC4 ciphers
  • Other internal improvements that are not user-facing (more tests, etc.)

Good work team! 👍 Lots of exciting things are still on the way.