caddyserver/caddy v2.11.3

on GitHub

This release improves several aspects of Caddy with minor features, bug fixes, and security patches. Thank you to everyone and their bots who contributed to help make this release the best one yet!

Security patches:

• fastcgi: Carrying over a patch from FrankenPHP for a bug that could allow non-PHP files to be executed; collaborated on by @dunglas, @KC1zs4, and @chenjj.
• vars: A more thorough fix for GHSA-m2w3-8f23-hxxf, collaborated by @everping and @vnxme.
• admin: Array index normalization to prevent remote admin socket auth bypass, by @Amemoyoi and bot.
• admin: More rigorous path prefix matching to prevent remote admin socket auth bypass, by @Amemoyoi and bot.

We've also merged a couple PRs that fix upstream security bugs in other projects like quic-go and CertMagic. Thank you to @marten-seemann for maintaining quic-go so diligently!

What's Changed

• caddyhttp: Sync placeholder expansion in vars and vars_regexp by @vnxme in #7573
• caddytls: Avoid ACME fallback for implicit Tailscale *.ts.net policies by @steadytao in #7577
• chore: Resolve recent CI failures by @mholt in #7593
• caddytls: Consolidate empty APs more smartly by @mholt in #7567
• rewrite: skip query rename when source key is absent by @steadytao in #7599
• root: introduce down-propagating Helper.BlockState for other directives/plugins to use by @henderkes in #7594
• http: make zstd checksum configurable by @ottenhoff in #7586
• notify: Always send "READY=1" even after an error by @francislavoie in #7597
• reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy by @yubiuser in #7564
• caddytls: Expand placeholders in dns_challenge override_domain tls parameter by @pberkel in #7609
• tls: add system and combined CA pool modules by @HarshPatel5940 in #7406
• vars: Don't expand placeholders in values by @vnxme in #7629
• build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 by @dependabot[bot] in #7637
• build(deps): bump the all-updates group across 1 directory with 11 updates by @dependabot[bot] in #7641
• reverseproxy: make stream copy buffer size configurable by @steadytao in #7627
• vars: Add matcher placeholder handling tests by @steadytao in #7640
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #7621
• logging: Add journald encoder wrapper by @steadytao in #7623
• caddyfile: Improve import/global options UX for imports before global options by @steadytao in #7642
• chore: replace interface{} with any for modernization by @tsinglua in #7571
• chore: bump timberjack to v1.4.1 by @DeRuina in #7618
• logging: Preserve ts for journald-wrapped JSON logs by @steadytao in #7644
• fileserver: show symlink targets verbatim (#7476) by @maxtruxa in #7579
• fix(caddyfile): {block} in snippet by @prettysunflower in #7558
• caddyhttp: Document missing placeholders for escaped URI and prefixed query by @steffenbusch in #7659
• chore: add AGENTS.md by @mohammed90 in #7652
• build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.0 by @dependabot[bot] in #7655
• admin: Redact sensitive request headers in API logs by @steadytao in #7578
• reverseproxy: add lb_retry_match condition on response status by @seroperson in #7569
• caddyhttp: prefer port 443 in auto-HTTPS and add tests by @mholt in #7666
• fix: Propagate ECH keys to the QUIC listener by @steadytao in #7670
• chore: Use atomics where appropriate by @francislavoie in #7648
• metrics: Implement pushing via OLTP by @dunglas in #7664
• logging: Add regression coverage for rotated file mode by @steadytao in #7620
• httpcaddyfile: Inherit global ACME issuer settings in tls shortcuts by @steadytao in #7617
• build(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2 by @dependabot[bot] in #7668
• admin: require path segment boundary in remote access control by @Amemoyoi in #7673
• reverseproxy: Add ability to clear dynamic upstreams cache during retries by @mholt in #7662
• listeners: clean up stale Unix socket files on Windows by @mfrischknecht in #7676
• admin: reject non-canonical config array indices by @Amemoyoi in #7592
• caddytls: Expand ACME credentials by @tribut in #7554
• caddyauth: set user placeholders before auth rejection by @cyphercodes in #7685
• caddyauth: revert user placeholders on auth rejection by @steadytao in #7688
• chore: Fix golangci-lint 2.12.1 findings by @steadytao in #7690
• httpcaddyfile: accept duration strings for log sampling interval by @tomholford in #7694
• tls: Add alpn to managed HTTPS records by @steadytao in #7653
• caddytls: avoid duplicate automation for wildcard-covered hosts by @Rijul-A in #7697
• docs: add documentation for fileExists and fileStat template functions by @steffenbusch in #7700
• rewrite: escape file matcher paths before rewriting by @cyphercodes in #7683
• metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP by @Br1an67 in #7553

New Contributors

• @steadytao made their first contribution in #7577
• @henderkes made their first contribution in #7594
• @yubiuser made their first contribution in #7564
• @pberkel made their first contribution in #7609
• @HarshPatel5940 made their first contribution in #7406
• @tsinglua made their first contribution in #7571
• @maxtruxa made their first contribution in #7579
• @seroperson made their first contribution in #7569
• @Amemoyoi made their first contribution in #7673
• @mfrischknecht made their first contribution in #7676
• @tribut made their first contribution in #7554
• @cyphercodes made their first contribution in #7685
• @tomholford made their first contribution in #7694
• @Rijul-A made their first contribution in #7697
• @Br1an67 made their first contribution in #7553

Full Changelog: v2.11.2...v2.11.3