This is the first release candidate. We think 2.3 is ready to go, but we want to be extra sure! Please try it out in low-risk deployments and report any problems. Thank you!
Docs will be updated over the coming days and weeks. See the additional release notes from the beta release if you're coming from 2.2.
⚠️ The remote_ip matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable forwarded (in the Caddyfile, just put forwarded as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.
⚠️ The experimental_http3 global option in the Caddyfile has been replaced with global server options, one of which is the experimental_http3 protocol. Docs will be updated shortly. This is still an unstable feature until HTTP/3 is finalized and our upstream QUIC/H3 lib is stable and we've decided to keep HTTP/3 enabled in the core by default.
Changelog
4cff36d caddyauth: Use buffered channel passed to signal.Notify (#3895)
3d0e046 caddyauth: Use structured log
63bda6a caddyhttp: Clean up internal auto-HTTPS redirect code
b8a799d caddyhttp: Document that remote_ip reads X-Forwarded-For header
9157051 caddyhttp: Optimize large host matchers
deedf8a caddyhttp: Optionally use forwarded IP for remote_ip matcher
e7a5a38 cmd: add ability to read config from stdin (#3898)
6e9ac24 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739)
a748151 go.mod: Update CertMagic (fix #3911)
31fbcd7 go.mod: Upgrade some dependencies
5643dc3 go.mod: update quic-go to v0.19.3 (#3901)
7e71915 httpcaddyfile: Decrement counter when removing conn policy (fix #3906)
c898a37 httpcaddyfile: support matching headers that do not exist (#3909)