caddyserver/caddy v2.5.1

on GitHub

This is a minor patch release that fixes some bugs and also enhances reverse_proxy with capabilities that weren't ready in time for v2.5.0.

Highlights

• Fixed regression in Unix socket admin endpoints.
• Fixed regression in caddy trust commands.
• Hash-based load balancing policies (ip_hash, uri_hash, header, and cookie) use an improved highest-random-weight (HRW) algorithm for increased consistency. The new rendezvous hash will ensure a client or request is consistently mapped to a particular upstream even if the list of upstreams changes.
• The reverse proxy is now able to rewrite the method and URI on its internal copy of the request that goes to the upstream. Combined with new handle_response capabilities, this enables the reverse proxy to fire off "pre-check requests" (for lack of a better term) to make routing decisions based on the results of that call. This enables a commonly-emerging pattern called forward authentication wherein a backend is queried to assess a client's authorization to be proxied. The full, verbose config for this is very flexible but tedious, so we made a new wrapper directive called forward_auth that eliminates the boilerplate (very similar to the php_fastcgi directive):

forward_auth authelia:9091 {
	uri /api/verify?rd=https://auth.example.com
	copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}

This works with authentication providers like Authelia, and more.

What's Changed

• caddypki: Fix caddy trust command to use the correct API endpoint by @francislavoie in #4730
• reverseproxy: Improve hashing LB policies with HRW by @mholt in #4724
• Add missing backticks by @mahgoh in #4737
• caddyhttp: Improve listen addr error message for IPv6 by @francislavoie in #4740
• cmd: Fix unix socket addresses for admin API requests by @francislavoie in #4742
• logging: Use RedirectStdLog by @francislavoie in #4732
• logging: Implement rename filter, changes field key names by @francislavoie in #4745
• httpcaddyfile: Fix duplicate access log when debug is on by @francislavoie in #4746
• reverseproxy: Fix Caddyfile support for replace_status by @francislavoie in #4754
• templates: Add custom template function registration by @kroppt in #4757
• reverseproxy: Permit resolver addresses to not specify a port by @francislavoie in #4760
• caddyfile: Shortcut for remote_ip for private IP ranges by @francislavoie in #4753
• reverseproxy: Support performing pre-check requests by @francislavoie in #4739
• map: Prevent output destinations overlap with Caddyfile shorthands by @francislavoie in #4657

New Contributors

• @mahgoh made their first contribution in #4737

Changelog

• ec86a2f caddyfile: Shortcut for remote_ip for private IP ranges (#4753)
• dcc98da caddyhttp: Improve listen addr error message for IPv6 (#4740)
• d543ad1 caddypki: Fix caddy trust command to use the correct API endpoint (#4730)
• 2e4c091 cmd: Fix unix socket addresses for admin API requests (#4742)
• af73215 httpcaddyfile: Fix duplicate access log when debug is on (#4746)
• 0be3d99 logging: Implement rename filter, changes field key names (#4745)
• 3017b24 logging: Use RedirectStdLog to capture more stdlib logs (#4732)
• f7be0ee map: Prevent output destinations overlap with Caddyfile shorthands (#4657)
• 4a223f5 reverseproxy: Fix Caddyfile support for replace_status (#4754)
• 40b193f reverseproxy: Improve hashing LB policies with HRW (#4724)
• e7fbee8 reverseproxy: Permit resolver addresses to not specify a port (#4760)
• f6900fc reverseproxy: Support performing pre-check requests (#4739)
• e84e19a templates: Add custom template function registration (#4757)
• 3ab6483 templates: Add missing backticks in docs (#4737)

Full Changelog: v2.5.0...v2.5.1