v2.7.3

We're pleased to present Caddy 2.7, which makes significant strides in areas of scaling, performance, and niche features.

Special thank-you to @francislavoie, @mohammed90, and other core team members for the ongoing dedication of their time to help maintain the project and help in our forums.

And a big thank-you to everyone else who contributed! You're awesome, and we're glad this project has so many contributors and sponsors to make it possible.

Docs are being updated and will be pushed live shortly. Thank you for your patience and for using Caddy!

(Note: Versions 2.7.0-2.7.2 contain bugs that were hotfixed within minutes and hours and a day of the release. Thank you to everyone who helped with that! And sorry for the trouble, we have learned lessons to help mitigate that in the future.)

Highlights

• The in-memory TLS certificate cache is no longer purged and recreated during config reloads, making reloads extremely lightweight even when managing thousands of certificates.
• Significant HTTP/3 performance improvements (upstream in quic-go) including enabling 0-RTT. Caddy users should notice significantly better throughput for HTTP/3. Thanks for the fantastic work, @marten-seemann!
• New default template for the file server's "browse" listings - more modern, easier to use, grid view, filetype-specific icons, and better dark mode (see #5427 for more screenshots and info)
  
  
• The reverse proxy now supports the PROXY protocol. Using external modules is no longer required; specifically, the plugin by @mastercactapus is now built-in. (#5424)
• Caddyfile now supports Heredoc syntax for long embedded strings/documents. (#5385)
• @francislavoie implemented a suite of enhancements to bring you more reliable, trustworthy client IP information, even through proxies and CDNs (#5104)
• Certificate private keys will no longer be reused when renewing certificates.
• Caddyfile import arg placeholders support slice syntax, e.g. {args[2:]} (#5249)
• Customizable "fallback" policy for reverse proxy in case the primary policy isn't applicable. (#5488)
• Etags are generated more sensibly for NixOS environments which all have Modified time of 1; and if you set your own Etag, it will not be overwritten.
• EXPERIMENTAL: New short flags for the CLI. (#5379)
• EXPERIMENTAL: The reverse proxy may be configured to keep hijacked connections (streams, WebSockets, etc.) open through config reloads. (#5567)
• EXPERIMENTAL: Define "named routes" to reuse them without copying. Caddyfile snippets are useful for reusing config, but reusing the same HTTP routes involves lots of copied config and memory bloat. Named routes let you define a route once and reuse it throughout your HTTP server without copying. It is available for JSON and Caddyfile configs. (#5107)
• EXPERIMENTAL: You can specify permissions for unix sockets. (#4741)
• Many many bug fixes you may or may not notice 🙃

Deprecations and possible breaking changes for some:

• ⚠️ The ask endpoint is now required to enable On-Demand TLS (b97c76f) for catch-all or wildcard hosts. Our docs have always mentioned this is required in production environments, but now the code enforces it. The ask endpoint is not required for local-only or internal-only names (#5384 and a7af7c4).
• ⚠️ The on-demand config's throttle options are now deprecated because the 'ask' endpoint is required. Additionally, the 'ask' endpoint is checked and the throttle is applied before storage is queried for a certificate in order to limit load on the storage backend.
• ⚠️ The long-deprecated lookup_srv feature of the reverse proxy has been removed. It was replaced with the dynamic upstreams feature in 2.6. (#5396)
• ⚠️ The remote_ip forwarded matcher has been deprecated because it assumes trusting downstream proxies. Instead, the client_ip matcher should be used along with trusted_proxies configuration. (#5103 and #5104)
• ⚠️ Placeholder syntax {args.0} is now deprecated in favor of {args[0]}.
• ⚠️ Plugin authors will now need to use http.ResponseController to call Flush() or Hijack() on the response writer. (#5654)

Thank you to everyone who contributed! And thank you to our sponsors who truly make this project possible.

New Contributors

• @esell made their first contribution in #5417
• @krak3n made their first contribution in #5147
• @trea made their first contribution in #5435
• @heimoshuiyu made their first contribution in #5464
• @gucki made their first contribution in #5424
• @kidonng made their first contribution in #5475
• @taophp made their first contribution in #5497
• @eanavitarte made their first contribution in #5515
• @jonatan5524 made their first contribution in #5521
• @jjiang-stripe made their first contribution in #5531
• @TP-O made their first contribution in #5504
• @pistasjis made their first contribution in #5536
• @charles-dyfis-net made their first contribution in #5547
• @jpds made their first contribution in #5554
• @kassienull made their first contribution in #5553
• @Phrynobatrachus made their first contribution in #5532
• @365cent made their first contribution in #5564
• @oncilla made their first contribution in #5573
• @testwill made their first contribution in #5576
• @mmm444 made their first contribution in #5567
• @sabify made their first contribution in #5579
• @omerdemirok made their first contribution in #5586
• @bt90 made their first contribution in #5636
• @ydylla made their first contribution in #5646
• @kkroo made their first contribution in #5648

Full Changelog: v2.6.4...v2.7.3

Changelog

• 3f20a7c acmeserver: Configurable resolvers, fix smallstep deprecations (#5500)
• b1366c7 build(deps): bump actions/setup-go from 3 to 4 (#5474)
• dfe17c3 caddyconfig: Specify config adapter for HTTP loader (close #5607)
• f3379f6 caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
• 960150b caddyfile: Implement heredoc support (#5385)
• 8bc05e5 caddyfile: Implement variadics for import args placeholders (#5249)
• 53b6fab caddyfile: Stricter parsing, error for brace on new line (#5505)
• cee4441 caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
• 9cde715 caddyfile: Track import name instead of modifying filename (#5540)
• bbe1952 caddyfile: Fix comparing if two tokens are on the same line (#5626)
• 9f34383 caddyfile: check that matched key is not a substring of the replacement key (#5685)
• cfc85ae caddyhttp: Add a getter for Server.name (#5531)
• 05e9974 caddyhttp: Determine real client IP if trusted proxies configured (#5104)
• c05e389 caddyhttp: Enable 0-RTT QUIC (#5425)
• 8537586 caddyhttp: Fix vars_regexp matcher with placeholders (#5408)
• 1c9ea01 caddyhttp: Impl ResponseWriter.Unwrap(), prep for Go 1.20's ResponseController (#5509)
• cbf16f6 caddyhttp: Implement named routes, invoke directive (#5107)
• 2b3046d caddyhttp: Log request body bytes read (#5461)
• 96919ac caddyhttp: Refactor cert Managers (fix #5415) (#5533)
• d8d87a3 caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
• 808b05c caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
• 2945264 caddyhttp: Fix h3 shutdown (#5541)
• 6a41b62 caddyhttp: Support custom network for HTTP/3 (#5573)
• a7af7c4 caddytls: Allow on-demand w/o ask for internal-only
• cd486c2 caddyhttp: Make use of http.ResponseController (#5654)
• 18c309b caddyhttp: Preserve original error (fix #5652)
• 66114cb caddyhttp: Trim dot/space only on Windows (fix #5613)
• a02ecb0 caddytls: Check for nil ALPN; close #5470 (#5473)
• faf0399 caddytls: Configurable fallback SNI (#5527)
• e16a886 caddytls: Eval replacer on automation policy subjects (#5459)
• be53e43 caddytls: Relax the warning for on-demand (#5384)
• b97c76f caddytls: Require 'ask' endpoint for on-demand TLS
• 0cc49c0 caddytls: Zero out throttle window first (#5443)
• 4ba03c9 caddytls: Clarify some JSON config docs
• 0e2c7e1 caddytls: Reuse certificate cache through reloads (#5623)
• b301a3d celmatcher: Implement pkix.Name conversion to string (#5492)
• 096971e ci/cd: ship tarballs with vendored deps (#5403)
• 5ded580 cmd: Adjust documentation for commands (#5377)
• 508cf2a cmd: Create pidfile before config load (close #5477)
• 9e69195 cmd: Expand cobra support, add short flags (#5379)
• 5ebb7d4 cmd: Reduce spammy logs from --watch
• 79de6df cmd: Strict unmarshal for validate (#5383)
• 205b142 cmd: Support ' quotes in envfile parsing (#5437)
• bf54892 cmd: make caddy fmt hints more clear (#5378)
• 38cb587 cmd: Avoid spammy log messages (fix #5538)
• 078f130 cmd: Implement storage import/export (#5532)
• 8d304a4 cmd: Split unix sockets for admin endpoint addresses (#5696)
• f6bab8b context: Rename func to AppIfConfigured (#5397)
• 806341e core: Properly preserve unix sockets (fix #5568)
• 942fbb3 core: Use SO_REUSEPORT_LB on FreeBSD (#5554)
• 99d4705 core: Eliminate unnecessary shutdown delay on Unix (#5413)
• c6ac350 core: Return default logger if no modules loaded
• 22927e2 core: Add optional unix socket file permissions (#4741)
• f66493e core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)
• 710824c core: Embed net.UDPConn to gain optimizations (#5606)
• b51dc5d core: Refine mutex during reloads (fix #5628) (#5645)
• 119e879 core: Skip chmod for abstract unix sockets (#5596)
• b3f0cea encode: flush status code when hijacked. (#5419)
• 1913930 encode: Fix infinite recursion (#5672)
• c803286 fastcgi: Fix capture_stderr (#5515)
• 571fc03 feature: watch include directory (#5521)
• f9bd2d3 fileserver: Add color-scheme meta tag (#5475)
• 6cc3cbb fileserver: New file browse template (#5427)
• 94d41a9 fileserver: Remove trailing slash on fs filenames (#5417)
• 52d7335 fileserver: Use EscapedPath for browse (#5534)
• 5bd9c49 fileserver: Don't set Etag if mtime is 0 or 1 (close #5548) (#5550)
• 5336bc0 fileserver: Fix file browser breadcrumb font (#5543)
• 2d236ea fileserver: Fix file browser footer in grid mode (#5536)
• bd34cb6 fileserver: More filetypes for browse icons
• 2615c9c fileserver: Only set Etag if not already set (fix #5546) (#5547)
• 56af1ce fileserver: browse: Better grid layout (#5564)
• cdd3884 fileserver: browse: minor tweaks for grid view, dark mode (#5545)
• 4e36b4c fileserver: Tweak grid view of browse template
• 27bc16a fileserver: add export-template sub-command to file-server (#5630)
• e041962 fileserver: add lazy image loading (#5646)
• c049bab fileserver: browse: Render SVG images in grid
• 1af419e go.mod: Update some dependencies
• 774f228 go.mod: Upgrade CertMagic
• 0de6064 go.mod: Upgrade CertMagic again
• 9e94331 go.mod: Upgrade dependencies
• 8cb1bb4 go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
• 36546cd go.mod: Upgrade several dependencies
• 398c12a go.mod: Update quic-go to v0.36.0 (#5584)
• 0468508 go.mod: Upgrade CertMagic for hotfix
• 9c180a5 go.mod: Upgrade quic-go to 0.35.1
• 415d1e7 go.mod: Upgrade some dependencies
• f45a6de go.mod: Update quic-go to v0.37.0, bump to Go 1.20 minimum (#5644)
• e198c60 go.mod: Upgrade dependencies esp. smallstep/certificates
• 4df27a2 go.mod: Use latest CertMagic (v0.19.1)
• 94749e1 go.mod: Use quic-go 0.37.1
• f857b32 go.mod: update quic-go to v0.36.2 (#5636)
• 51b1bfb go.mod: Upgrade quic-go to v0.37.2 (fix #5680)
• a8cc5d1 go.mod: Upgrade to quic-go v0.37.3
• e8352ae headers: Add > Caddyfile shortcut for enabling defer (#5535)
• dd86171 headers: Support deleting all headers as first op (#5464)
• 3b19aa2 headers: Allow > to defer shortcut for replacements (#5574)
• 330be2d httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
• ca14b6e httpcaddyfile: Sort Caddyfile slice
• 5c51c1d httpcaddyfile: Allow hostnames & logger name overrides for log directive (#5643)
• 4aa4f3a httpcaddyfile: Fix string does not match ~[]E error (#5675)
• 1aef807 log: Make sink logs encodable (#5441)
• cdce452 logging: Actually honor the SoftStart parameter
• f0e3981 logging: Add traceID field to access logs when tracing is active (#5507)
• f3e8b9d logging: Soft start for net writer (close #5520)
• b6fe5d4 proxyprotocol: Add PROXY protocol support to reverse_proxy, add HTTP listener wrapper (#5424)
• f5a13a4 replacer: Add HTTP time format (#5458)
• 48598e1 reverseproxy: Add fallback for some policies, instead of always random (#5488)
• f8b59e7 reverseproxy: Add query and client_ip_hash lb policies (#5468)
• 66e571e reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
• 75b690d reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
• 335cd2e reverseproxy: Fix active health check header canonicalization, refactor (#5446)
• 2b04e09 reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
• 10b265d reverseproxy: Header up/down support for CLI command (#5460)
• b19946f reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
• 4636109 reverseproxy: Remove deprecated lookup_srv (#5396)
• 2182270 reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
• 941eae5 reverseproxy: allow specifying ip version for dynamic a upstream (#5401)
• e3909cc reverseproxy: refactor HTTP transport layer (#5369)
• 424ae0f reverseproxy: Experimental streaming timeouts (#5567)
• 2ddb717 reverseproxy: Fix parsing of source IP in case it's an ipv6 address (#5569)
• 361946e reverseproxy: weighted_round_robin load balancing policy (#5579)
• da23501 reverseproxy: Connection termination cleanup (#5663)
• d7d1636 reverseproxy: Export ipVersions type (#5648)
• 7a69ae7 reverseproxy: Honor tls_except_port for active health checks (#5591)
• 5dec11f reverseproxy: Pointer receiver
• 65e33fc reverseproxy: do not parse upstream address too early if it contains replaceble parts (#5695)
• 13a3768 rewrite: use escaped path, fix #5278 (#5504)
• 2943c41 templates: Add fileStat function (#5497)
• 31d75ac templates: Add readFile action that does not evaluate templates (#5553)
• b420561 tracing: Support autoprop from OTEL_PROPAGATORS (#5147)