Releases: caddyserver/caddy

v2.11.0-beta.1

04 Dec 20:48
v2.11.0-beta.1
df9386f

Pre-release

Welcome to the beta version of 2.11. This is the first release made by our new, automated release process developed by @mohammed90 that was carried out and approved entirely by our maintainer team (together with @francislavoie) without intervention from @mholt, the original Caddy author. This represents a significant step forward in project autonomy and growth, ensuring that the project's stability and longevity are not reliant upon a single person.

This first beta release was primarily to test our new workflow, so there are still a couple of things left to do before the stable release.

Featured here are numerous, mostly minor, bug fixes and enhancements, mostly affecting edge cases or niche corners of the software; for example, proxying H2C or HTTP/3, obscure Caddyfile scenarios, and named socket activation.

Some notable changes:

  • SIGUSR1 can be used to reload configuration only if it was loaded from a file using the CLI, and not changed by the API since then.
  • We replaced "lumberjack", our logging library, with a fork "timberjack" that supports the oft-requested time-rolling ability.
  • Caddy can now bind listeners with named socket activation.

Before the final release, we expect ECH key rotation to be enabled as well as a few other patches/features.

Thank you to our sponsors and contributors for all that you do!

Changelog

  • 5473eb9 encode: fix response corruption when handle_errors is used (#7235)
  • 13a4ec7 basicauth: Implement argon2id (#7186)
  • 6d90c77 build(deps): bump github.com/slackhq/nebula from 1.9.5 to 1.9.7 (#7315)
  • eead249 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#7355)
  • 2d0f3f8 build(deps): bump the actions-deps group with 5 updates (#7237)
  • afbdcec build(deps): bump the actions-deps group with 8 updates (#7284)
  • cd1c203 build(deps): bump the all-updates group across 1 directory with 2 updates (#7307)
  • 39357d3 build(deps): bump the all-updates group with 17 updates (#7236)
  • 786d537 build(deps): bump the all-updates group with 3 updates (#7376)
  • 07d2aaf build(deps): bump the all-updates group with 4 updates (#7333)
  • 0ba8786 caddyfile: Allow block to do nothing if nothing passed to import (#7206)
  • 92c8bc7 caddyfile: fix nested quotes formatted incorrectly by fmt (#7045)
  • 6d73d85 caddyfile: prevent adding trailing space on line before env variable (#7215)
  • d7185fd caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers (#7265)
  • de6b780 caddyhttp: Add server options keepalive_idle and keepalive_count (#7298)
  • e0a8f95 caddyhttp: Normalize (lowercase) {label.N} placeholders
  • 5e29536 caddyhttp: add replacer placeholders for escaped values (#7181)
  • 8285eba caddyhttp: allow customizing the Server header (#7338)
  • bc0e184 caddyhttp: omit unnecessary reassignment (#7276)
  • 3553cfb caddyhttp: remove redundant middleware next copy (#7217)
  • 1ce2a13 caddyhttp: wrap accepted connection to suppress tls.ConnectionState (#7247)
  • d9cc24f caddypki: Disable internal auto-CA when auto_https is disabled (fix #7211) (#7238)
  • 1e82f96 caddypki: check intermediate lifetime to actual root cert lifetime (#7272)
  • 38848f7 caddytls: Allow disabling distributed solving (except http-01)
  • ddec183 caddytls: correct documentation of LeafFolderLoader (#7327)
  • f5c3094 cmd: prevent commas in header values from being split (#7268)
  • 65e0ddc core: Reloading with SIGUSR1 if config never changed via admin (#7258)
  • b3f2db2 core: custom slog handlers for modules (log contextual data) (#7346)
  • b2ab419 core: use reflect.TypeFor to check for encoding/json.RawMessage (#7274)
  • 806fef8 encode: add graphql-response header to list (#7214)
  • 2cb4267 encode: modernize, replace HasSuffix+TrimSuffix with CutSuffix (#7357)
  • b462615 fileserver: set Content-Length for precompressed files (#7251)
  • 0c8798f go.mod: update quic-go to v0.54.1 (#7273)
  • 3c003de httpcaddyfile: Add missing DNS challenge check for acme_dns (#7270)
  • 2f1d270 httpcaddyfile: Map default_bind to BindHost in globalACMEDefaults (#7278)
  • a7885aa intercept: use already buffered response if possible when intercepting (#7028)
  • 156ce99 listeners: Add support for named socket activation (#7243)
  • 39ace45 logging: Adjustments to BufferedLog to keep logs in the correct order (#7257)
  • 012b4b3 logging: Buffer the logs before config is loaded (#7245)
  • 10ac7da logging: Switch from lumberjack to timberjack, add time-rolling options (#7244)
  • f5f25d8 logging: fix multiple regexp filters on same field (fixes #7049) (#7061)
  • 595aab8 metrics: resolve per-host infinite cardinality (#7306)
  • 57587ed refactor: use reflect.TypeFor (#7313)
  • 2ec28bc reverse_proxy: use http1 for outbound tls requests with placeholder that are likely websockets (#7296)
  • a6da1ac reverse_proxy: use interfaces to modify the behaviors of the transports (#7353)
  • 67a9e06 reverseproxy: Fix retries for requests with bodies (#7360)
  • 7fb39ec reverseproxy: Use http1.1 upgrade for websocket for extended connect of http2 and http3 (#7305)
  • 8aca108 reverseproxy: do not disable keepalive if proxy protocol is used (#7300)
  • abe0aca reverseproxy: set default values for keepalive if only some of them are set (#7318)
  • 1e21b66 reverseproxy: use http.Protocols to handle h2c requests (#6990)
  • b54e870 tracing: switch to autoexport for OpenTelemetry span exporter (#7317)

What's Changed

  • caddyhttp: add replacer placeholders for escaped values by @Qusic in #7181
  • AI assistance disclosure by @mholt in #7212
  • caddyfile: Prevent trailing space on line before env variable - Fixes #6881 by @arpansaha13 in #7215
  • add: encode header Content-Type graphql-response by @aro-lew in #7214
  • caddyhttp: Removing redundant middleware next copy by @maxcelant in #7217
  • build(deps): bump the all-updates group with 17 updates by @dependabot[bot] in #7236
  • build(deps): bump the actions-deps group with 5 updates by @dependabot[bot] in #7237
  • encode: fix response corruption when handle_errors is used by @Siomachkin in #7235
  • Fix PKI creation when auto_https is disabled (#7211) by @Siomachkin in #7238
  • logging: Buffer the logs before config is loaded by @francislavoie in #7245
  • fileserver: set Content-Length for precompressed files by @WeidiDeng in #7251
  • refactor: use WaitGroup.Go to simplify code by @mickychang9 in #7253
  • caddyfile: Allow block to do nothing if nothing passed to import by @BeeJay28 in #7206
  • logging: Adjustments to BufferedLog to keep logs in the correct order by @francislavoie in #7257
  • caddyhttp: Prevent commas in header values from being split in CLI commands by @gilbsgilbs in #7268
  • update quic-go to v0.54.1 by @marten-seemann in #7273
  • chore: ugh, lint fix... by @mohammed90 in #7275
  • caddypki: check intermediate lifetime to actual root cert lifetime by @u5surf in #7272
  • refactor: omit unnecessary reassignment by @asttool in #7276
  • core: use reflect.TypeFor to check for encoding/json.RawMessage by @WeidiDeng in #7274
  • core: Reloading with SIGUSR1 if config never changed via admin by @francislavoie in #7258
  • build(deps): bump the actions-deps group with 8 updates by @dependabot[bot] in #7284
  • httpcaddyfile: Add missing DNS challenge check for acme_dns b...

v2.10.2

23 Aug 03:10
v2.10.2
551f793

This is a hotfix release to fix a couple of critical issues from v2.10.1.

Changelog

  • 551f793 caddyfile: Fix importing nested tokens for {block} (#7189)
  • 16fe83c http: Make logger first, before TLS provisioning (#7198)
  • 4564261 httpcaddyfile: Fix acme_dns regression (#7199)

Full Changelog: v2.10.1...v2.10.2

v2.10.1

22 Aug 16:14
v2.10.1
3723e89

This is probably our biggest patch release ever -- not that lots of things were broken, but there's lots of refinement happening thanks to broader adoption and contributions from many more people. Just look at the New Contributors below!

Anyway, this release does contain some bug fixes and dependency upgrades which we hope will serve you well. Let us know if there are any issues! And thank you to all who contributed, especially our reliable maintainer team!

This version of Caddy requires Go v1.25.0 or newer.

Changelog

  • 44d078b acme_server: fix policy parsing in caddyfile (#7006)
  • 320c572 admin: Make sure that any admin routers are provisioned when local/re… (#6997)
  • 49dac61 bcrypt: add cost parameter to hash-password (#7149)
  • 4bfc3b9 bcrypt: wrong cost flag name (#7168)
  • 4b01d77 build(deps): bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 (#7058)
  • 45c9341 build(deps): bump golangci/golangci-lint-action from 6 to 8 (#7044)
  • 5bc2afb build(deps): bump the actions-deps group with 6 updates (#7142)
  • 007f406 build(deps): bump the all-updates group across 1 directory with 17 updates (#7155)
  • 8524386 caddyhttp: Compare paths w/o wildcard if prefixes differ (#7015)
  • 7590c9c caddyhttp: Free up quic listener when stopping (#7177)
  • b15ed9b caddyhttp: refactor to use reflect.TypeFor (#7187)
  • 14a63a2 caddyhttp: use the new http.Protocols to handle h1, h2 and h2c requests (#6961)
  • 731e6c2 caddytls: Improve ECH error logging (close #7152)
  • 105eee6 caddytls: Set local_ip, not remote_ip (#6952)
  • b898873 caddytls: fix regression in external certificate manager support (#7179)
  • 1481c04 caddytls: wire up client_auth leaf verifier Caddyfile (#6772)
  • 19ff47a cmd: Allow caddy adapt to read from stdin (#7163)
  • e633d01 cmd: fix Commands function not returning all registered commands (#7059)
  • 7099892...

v2.10.0

18 Apr 20:46
v2.10.0
fb22a26

Caddy 2.10 is here! Aside from bug fixes, this release features:

  • Encrypted ClientHello (ECH): This new technology encrypts the last plaintext portion of a TLS connection: the ClientHello, which includes the domain name being connected to. The draft spec for ECH is almost finalized, so we can now support this privacy feature for TLS. This is a powerful but nuanced capability; we highly recommend reading the ECH documentation on our website.
  • Post-quantum (PQC) key exchange: Caddy now supports the standardized x25519mlkem768 cryptographic group by default.
  • ACME profiles: ACME profiles are an experimental draft that allow you to choose properties of your certificates with more flexibility than traditional CSR methods. For example, Let's Encrypt will issue 6-day certificates under a certain profile. Caddy may eventually use that profile by default.
  • Via header: The reverse proxy now sets a Via header instead of a duplicate Server header.
  • Global DNS provider: You can now specify a default "global" DNS module to use instead of having to configure it locally in every part of your config that requires a DNS provider (for example, ACME DNS challenges, and ECH). This is the dns global option in the Caddyfile, or in JSON config, it's the dns parameter in the tls app configuration.
  • Wildcards used by default: Previously, Caddy would obtain individual certificates for every domain in your config literally; now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates. This change was motivated by the novel possibility for subdomain privacy afforded by ECH. It can be overridden with tls force_automate in the Caddyfile. The experimental auto_https prefer_wildcard option has been removed.
  • libdns 1.0 APIs: Many of you use DNS provider modules to solve ACME DNS challenges or to enable dynamic DNS. They implement interfaces defined by libdns to get, set, append, and delete DNS records. After 5 years of production experience, including lessons learned with ECH, libdns APIs have been updated and 1.0 beta has been tagged. DNS provider packages will need to update their code to be compatible, which will help ensure stability and well-defined semantics for the future. Several packages have already updated or are in the process of updating (cloudflare, rfc2136, and desec to name a few).
  • Global dns config: Now that several components of Caddy configuration may affect DNS records (ACME challenges, ECH publication, etc.), there is a new dns global option that can be used to specify your DNS provider config in a single place. This prevents repetition of credentials for servers where all the domains are managed by a single DNS provider.

Thank you to the many contributors who have helped to make this possible! 🎉 🥳 🍾

⚠️ While we have traditionally supported the last 2 minor Go versions to accommodate some distribution / package manager policies, we now only support the latest minor Go version. The privacy and security benefits added in new Go versions (such as post-quantum cryptography) are worth making available to everyone as soon as possible, rather than holding back the entire user base or maintaining multiple code compilation configurations.

Encrypted ClientHello (ECH) details

(This is a brief overview. We recommend reading the full documentation.)

Typically, server names (domain names, or "SNI") are sent in the plaintext ClientHello when establishing TLS connections. With ECH, the true server name is encrypted (and wrapped) by an "outer" ClientHello which has a generic SNI of your choosing. With many sites on the same server sharing the same outer SNI, both clients and the server have more privacy related to domain names.

Caddy implements fully automated ECH, meaning that it generates (and soon, rotates), publishes, and serves ECH configurations simply by specifying a DNS provider, and the outer/public domain name to use.

Fully automated ECH requires a DNS module built into your Caddy binary. In order for a client, such as a browser, to know it can use ECH, and what parameters to use, the server's ECH configuration must be published. This config includes the public name, cryptographic parameters, and a public key for encrypting the inner ClientHello. By convention, browsers read the standardized HTTPS-type DNS record containing an ech SvcParamKey. Caddy sets this DNS record for all domains being protected, but it needs that DNS provider module plugged in and configured in order to do this. If you are already using the DNS ACME challenge, you should already have a DNS provider plugged in. If you prefer to build Caddy from source with a DNS module, it's easy with xcaddy, for example:

$ xcaddy build --with github.com/caddy-dns/cloudflare

The minimum config needed to enable Encrypted ClientHello is also the recommended config, as it maximizes privacy benefits in most situations. You just need the ech global option and a DNS provider specified. Here's an example using Cloudflare as the nameserver:

Caddyfile:

{
	debug  # not required; recommended while testing
	dns cloudflare {env.CLOUDFLARE_API_KEY}
	ech ech.example.net
}

example.com {
	respond "Hello there!"
}

This protects all your sites (example.com in this case) behind the public name of ech.example.net. (As another example, Cloudflare uses cloudflare-ech.com for all the sites it serves. We recommend choosing a single public domain and using it to protect all your sites.)

The outer/public name you choose should point to your server. Caddy will obtain a certificate for this name in order to facilitate safe, reliable connections for clients when needed. Without a certificate, clients may be forced to connect insecurely, or fail to connect at all, in some cases, which not only leaves them vulnerable, but also risks exposing the names of your server's sites.

Caddy then uses the specified DNS provider to publish the ECH config(s) for your various site names. It creates (or augments) HTTPS-type records for the domains of your sites (not your ECH public name). Note that DNS provider modules are independently-maintained, and may not have been tested for compatibility with HTTPS-type records. Please contact your module's maintainers if you experience issues.
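To confirm what was actually published, the base64 value of the ech parameter in a site's HTTPS record can be decoded and its public name compared with the one in the Caddyfile. The following Go program is an added example, not code from Caddy: it parses the ECHConfigList layout from the ECH specification, and its function names and the sample list (placeholder key, public name ech.example.net) are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// ECHConfig holds the fields of one published config (version 0xfe0d).
type ECHConfig struct {
	ConfigID   uint8
	KEM        uint16 // HPKE KEM id; 0x0020 is DHKEM(X25519, HKDF-SHA256)
	PublicKey  []byte
	PublicName string // the outer name clients send as the visible SNI
}

// ParseECHConfigList decodes the base64 value of the ech SvcParamKey.
func ParseECHConfigList(b64 string) ([]ECHConfig, error) {
	b, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("ech: bad base64: %w", err)
	}
	short := false
	take := func(n int) []byte { // next n bytes; zero-filled once input runs short
		if short || n > len(b) {
			short = true
			return make([]byte, n)
		}
		out := b[:n]
		b = b[n:]
		return out
	}
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	if n := u16(); short || n != len(b) {
		return nil, errors.New("ech: list length does not match payload")
	}
	var out []ECHConfig
	for len(b) > 0 {
		version, n := u16(), u16()
		rest := len(b) - n // bytes that must remain once this config is consumed
		if version != 0xfe0d {
			take(n) // unknown version: skip it using its length prefix
		} else {
			c := ECHConfig{ConfigID: take(1)[0], KEM: uint16(u16())}
			c.PublicKey = take(u16())
			take(u16()) // cipher_suites: (kdf_id, aead_id) pairs, not inspected here
			take(1)     // maximum_name_length
			c.PublicName = string(take(int(take(1)[0])))
			take(u16()) // extensions
			out = append(out, c)
		}
		if short || len(b) != rest {
			return nil, errors.New("ech: truncated or malformed ECHConfig")
		}
	}
	return out, nil
}

// CheckPublicName fails unless every config names want as its public name.
func CheckPublicName(b64, want string) error {
	cfgs, err := ParseECHConfigList(b64)
	if err == nil && len(cfgs) == 0 {
		return errors.New("ech: no usable ECHConfig in list")
	}
	for _, c := range cfgs {
		if c.PublicName != want {
			return fmt.Errorf("ech: config %d names %q, want %q", c.ConfigID, c.PublicName, want)
		}
	}
	return err
}

// SampleECHParam returns a constructed list (placeholder key, not a real one).
func SampleECHParam() string {
	cfg := []byte{0, 66, 0xfe, 0x0d, 0, 62, 7, 0, 0x20, 0, 32} // lengths, version, id 7, KEM, key length
	cfg = append(cfg, make([]byte, 32)...)                     // all-zero placeholder public key
	cfg = append(cfg, 0, 4, 0, 1, 0, 1, 0, 15)                 // one suite, max name length 0, name length
	cfg = append(append(cfg, "ech.example.net"...), 0, 0)      // public_name, empty extensions
	return base64.StdEncoding.EncodeToString(cfg)
}

func main() { fmt.Println(CheckPublicName(SampleECHParam(), "ech.example.net")) }
```

A mismatch between the decoded public name and the name given to the ech global option means clients will present an outer SNI the server does not expect.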

If you have more advanced configuration needs, you can use the JSON configuration (more details coming soon; for now, see #6862 or look at the source code; or use caddy adapt to convert a Caddyfile to JSON).

Testing and verifying Encrypted ClientHello

First make sure Caddy runs successfully with ECH enabled (and a DNS module) in the config. You should see logs that it is generating an ECH config and publishing it to your domain name(s).

You will need to use a client that supports ECH. Some custom builds of curl do, and Firefox and modern Chrome-based browsers do as well, but you need to enable DNS-over-HTTPS or DNS-over-TLS first (since, obviously, querying DNS in plaintext for a protected domain name will expose the domain and defeat the purpose of ECH).

If reusing an existing domain name, clear your DNS cache. Firefox has a way of doing this for its cache at about:networking#dns.

Once you have a suitable client, use Wireshark to capture network packets as you load your site. You should see only the outer/public name as SNI (Server Name Indication) values in the packet capture. If at any time you see the true site name, ECH is not working properly -- it could be a client or server issue. Before filing a bug, please try to pinpoint it as a server issue first. But definitely report server bugs! Thank you!
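The packet-capture check above can also be automated. This added example (not part of the release notes or of Caddy) reads the SNI and the ECH extension from one captured TLS record and flags any visible name other than the public name. It assumes the record holds a complete ClientHello sent over TCP; the function names and the sample records are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// HelloInfo is what a passive observer can read from a ClientHello.
type HelloInfo struct {
	SNI    string // server_name extension (type 0), empty if absent
	HasECH bool   // encrypted_client_hello extension (type 0xfe0d) present
}

// InspectClientHello parses one TLS record holding a complete ClientHello.
func InspectClientHello(rec []byte) (HelloInfo, error) {
	var info HelloInfo
	p, ok := 0, true
	next := func(n int) []byte { // following n bytes; zero-filled after a short read
		if !ok || p+n > len(rec) {
			ok = false
			return make([]byte, n)
		}
		p += n
		return rec[p-n : p]
	}
	u16 := func() int { b := next(2); return int(b[0])<<8 | int(b[1]) }
	recType, hsType := next(5)[0], next(4)[0] // record header, handshake header
	next(2 + 32)                              // legacy_version, random
	next(int(next(1)[0]))                     // legacy_session_id
	next(u16())                               // cipher_suites
	next(int(next(1)[0]))                     // legacy_compression_methods
	extLen := u16()
	end := p + extLen
	for ok && p < end {
		typ, body := u16(), next(u16())
		switch typ {
		case 0xfe0d:
			info.HasECH = true
		case 0: // list length (2), name_type (1), host_name length (2), host_name
			if len(body) < 5 || body[2] != 0 {
				break
			}
			if n := int(body[3])<<8 | int(body[4]); 5+n <= len(body) {
				info.SNI = string(body[5 : 5+n])
			}
		}
	}
	if !ok || recType != 0x16 || hsType != 0x01 {
		return info, errors.New("not a complete ClientHello record")
	}
	return info, nil
}

// CheckOuterSNI fails when the visible name is not the ECH public name or ECH is absent.
func CheckOuterSNI(rec []byte, publicName string) error {
	info, err := InspectClientHello(rec)
	switch {
	case err != nil:
		return err
	case info.SNI != publicName:
		return fmt.Errorf("visible SNI %q is not the public name %q", info.SNI, publicName)
	case !info.HasECH:
		return errors.New("no encrypted_client_hello extension in ClientHello")
	}
	return nil
}

// SampleHello builds a constructed ClientHello record (zero random, dummy ECH body).
func SampleHello(sni string, withECH bool) []byte {
	be16 := func(n int) []byte { return []byte{byte(n >> 8), byte(n)} }
	exts := append(append([]byte{0, 0}, be16(len(sni)+5)...), be16(len(sni)+3)...) // type 0, lengths
	exts = append(append(append(exts, 0), be16(len(sni))...), sni...)              // name_type, host_name
	if withECH {
		exts = append(exts, 0xfe, 0x0d, 0, 1, 0) // placeholder body, not a real ECH payload
	}
	body := append([]byte{3, 3}, make([]byte, 32)...) // legacy_version, zero random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)    // no session id, one suite, null compression
	body = append(append(body, be16(len(exts))...), exts...)
	hs := append(append([]byte{1, 0}, be16(len(body))...), body...) // type 1, uint24 length
	return append(append([]byte{0x16, 3, 1}, be16(len(hs))...), hs...)
}

func main() { fmt.Println(CheckOuterSNI(SampleHello("ech.example.net", true), "ech.example.net")) }
```

The SNI comparison is the decisive check; the extension's presence alone is not, since clients may send a placeholder (GREASE) ECH extension when they hold no config for the site.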

(Note that ECH is not automatically published for CNAME'd domains, and the domain must already have a record in the zone.)

Commits

Beta 1:

  • 96c5c55 admin: fix index validation for PUT requests (#6824)
  • 3644ee3 build(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#6876)
  • eacd772 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#6871)
  • 9996d6a build(deps): bump github.com/golang/glog from 1.2.2 to 1.2.4 (#6814)
  • 1115158 caddyhttp: ResponseRecorder sets stream regardless of 1xx
  • 8861eae caddytest: Support configuration defaults override (#6850)
  • d7764df caddytls: Encrypted ClientHello (ECH) (#6862)
  • a807fe0 caddytls: Enhance ECH documentation
  • bc3d497 caddytls: Fix broken refactor
  • 7b8f350 caddytls: Fix sni_regexp matcher to obtain layer4 contexts (#6804)
  • 2c4295e caddytls: Initial support for ACME profiles
  • d7872c3 caddytls: Refactor sni matcher (#6812)
  • 172136a caddytls: Support post-quantum key exchange mechanism X25519MLKEM768
  • 066d770 cmd: automatically set GOMEMLIMIT (#6809)
  • 1f35a8a fastcgi: improve parsePHPFastCGI docs (#6779)
  • 22563a7 file_server: use the UTC timezone for modified time (#6830)
  • cfc3af6...

v2.10.0-beta.4

25 Mar 03:33
v2.10.0-beta.4
7672b78

Pre-release

This prerelease is outdated. Please see the latest release for notes. Thanks!

v2.10.0-beta.3

24 Mar 22:46
v2.10.0-beta.3
86c620f

Pre-release

This prerelease is outdated. Please see the latest release for notes and a hotfix for a regression. Thanks!

v2.10.0-beta.2

09 Mar 13:51
v2.10.0-beta.2

Pre-release

This prerelease is outdated. Please see the latest release for notes. Thanks!

v2.10.0-beta.1

06 Mar 18:23
v2.10.0-beta.1
1641e76

Pre-release

This prerelease is outdated. Please see the latest release for notes. Thanks!

v2.9.1

08 Jan 15:22
v2.9.1
0e570e0

This is a patch release fixing a few issues related to FastCGI, HTTP/3 and unix sockets, log file permissions, repeated TERM signals, and an ARI edge case. It also adds Caddyfile support for response matching in the header directive.

Thanks to everyone who reported bugs and helped with fixes!

Changelog

  • 34cff4a core: Only initiate exit once (should fix #6707)
  • 50778b5 fix: disable h3 for unix domain socket (#6769)
  • 0e570e0 go.mod: Upgrade CertMagic to 0.21.6 (fix ARI handshake maintenance)
  • e48b758 header: match subdirective for response matching (#6765)
  • 1f927d6 log: Only chmod if permission bits differ; make log dir (#6761)
  • 1bd567d reverseproxy: buffer requests for fastcgi by default (#6759)

What's Changed

  • reverse proxy: fastcgi buffer requests for fastcgi by default by @WeidiDeng in #6759
  • fix: disable h3 for unix domain socket by @Geun-Oh in #6769
  • log: Only chmod if permission bits differ by @mholt in #6761
  • header: match subdirective for response matching by @lilnasy in #6765

Full Changelog: v2.9.0...v2.9.1

v2.9.0

31 Dec 17:34
v2.9.0
3f3f8b3

Happy New Year! We're pleased to release Caddy 2.9. Aside from some minor new features, this release is mainly focused on refinements and bug fixes in many areas, including:

  • Config loading
  • Events
  • Logging
  • Placeholders
  • Reverse proxy and HTTP server performance
  • Matchers
  • HTTP (esp. HTTP/3)
  • Metrics (per-host metrics)
  • Security
  • TLS automation & ACME ARI

We realize there is extensive interest in Encrypted Client Hello (ECH) and post-quantum ciphers. These are slated to be supported in Go 1.24, which is scheduled for a stable release in approximately February. We did not want to force users to go through the inconvenience of installing pre-release, non-stock installations of Go, even though the RCs are quite stable and production-ready, in order to even compile Caddy, which is quite common given our plugin ecosystem. We anticipate a Caddy 2.10 release in the near future with these capabilities, built on Go 1.24.

We hope you will enjoy the 2.9 release. Thanks to all contributors, bug reporters, and helpers, and those organizations which deployed pre-release versions to production to help verify patches and features.

Changelog

  • ef4e022 caddyfile: Fix comma edgecase in address parsing (#6616)
  • b116dce caddyhttp: Add {?query} placeholder (#6714)
  • c216cf5 caddyhttp: Allow matching Transfer-Encoding, add to access logs (#6629)
  • 197c564 caddyhttp: Set default ReadHeaderTimeout (1 min)
  • 09b2cbc caddyhttp: Add MatchWithError to replace SetVar hack (#6596)
  • c6f2979 caddyhttp: Close http3 server gracefully (#6213)
  • 88fd5f3 caddyhttp: Use internal issuer for IPs when no APs configured
  • 5c8dc34 caddytls: Allow disabling storage cleaning, avoids writing two files (#6593)
  • d7564d6 caddytls: Drop rate_limit and burst, has been deprecated (#6611)
  • d398898 cmd: Allow add-package to select version of package (#6665)
  • 66c80ca cmd: Disable go1.23 tlskyber=1 experiment
  • fb72793 cmd: Reject multiple configs for fmt command (#6717)
  • b3ce260 cmd: ignore missing keys during storage export (#6697)
  • 0182fb8 core: addresses.go funcs renames (#6622)
  • e76405d core: Change ListenerFunc signature (#6651)
  • 315715e core: Implement FastAbs to avoid repeated os.Getwd calls (#6687)
  • d0e209e encode: good defaults (#6737)
  • 5ba1e06 encode: try to use sendfile when compression is not used (#6749)
  • bcaa8aa encode: write status immediate for success response for CONNECT requests (#6738)
  • 1d15652 events: Use WithLazy to prevent eager serialization of the event data (#6671)
  • 6790c0e fastcgi: check for CONTENT_LENGTH when sending requests (#6661)
  • eddbccd fastcgi: remove dir redirection when useless in php_fastcgi (#6698)
  • efd9251 fileserver: Add first_exist_fallback strategy for try_files (#6699)
  • d0123bd fileserver: Fix policy Validate() oversight (#6727)
  • 290cfea fileserver: add a test for precompressed defaults (#6743)
  • 5c2617e fileserver: good default for precompressed (#6736)
  • cc23ad6 fileserver: Add file_limit option for browse (to be experimental) (#6648)
  • 350ad38 fileserver: Fix Caddyfile parsing
  • 9753c44 fileserver: fix try_policy when instantiating file matcher from CEL (#6624)
  • 05cfb12 forwardauth: Skip copying missing response headers (#6608)
  • ed1c594 go.mod: Upgrade ACMEz to v3; and upgrade CertMagic
  • 3f3f8b3 go.mod: Upgrade CertMagic to v0.21.5
  • 91e3413 go.mod: upgrade only some otel deps (#6676)
  • 22b9d51 go.mod: Upgrade quic-go to 0.48.2
  • b129ed6 httpcaddyfile: Fixes for prefer_wildcard mode (#6636)
  • afa778a httpcaddyfile: Implement experimental force_automate option (#6712)
  • b183aec httpcaddyfile: Implement log sampling config (#6682)
  • 1d106fa metrics: add go and process collectors (#6704)
  • 388c7e8 metrics: move metrics up, outside servers (#6606)
  • 8c3dd3d requestbody: Type-based error handling for MaxBytesError (#6701)
  • 5e6024c reverseproxy: Fix log message
  • 48ce47f reverseproxy: Use correct cases for websocket related headers (#6621)
  • 825fe48 reverseproxy: Allow 0 as weights for weighted_round_robin (#6681)
  • 328fb61 reverseproxy: Only handle websocket protocol (#6740)
  • 238f110 reverseproxy: Revert #4952 - don't ignore context cancellation in stream mode
  • 9c0c71e reverseproxy: Rewrite requests and responses for websocket over http2 (#6567)
  • c864b82 reverseproxy: Set Content-Length when body is fully buffered (#6638)
  • fbf0f4c reverseproxy: Sync changes from stdlib for 1xx handling (#6656)
  • 5823ecc rewrite: Don't add / in Caddyfile, do it after replacer (#6662)
  • b443190 sigtrap: always ignore SIGPIPE (#6645)
  • f2c17d1 testing: sort force-automated hosts (#6756)
  • 669fc41 tracing: Add spanID field to access logs and http.vars.span_id placeholder (#6646)

What's Changed

  • Make it possible to configure the DisableStorageCheck setting for certmagic by @ankon in #6368
  • caddyhttp: Add test case to corpus by @mholt in #6374
  • cmd: remove zealous check of Caddyfile auto-detection by @mohammed90 in #6370
  • ci: upgrade to goreleaser v2 by @mohammed90 in #6376
  • logging: Allow setting log file permissions by @ririsoft in #6314
  • Split run into a public BuildContext and a private part by @ankon in #6378
  • Write the header if none had been written in WriteResponse by @ankon in #6380
  • fix file mode configuration parsing by @ririsoft in #6383
  • go.mod: update tscert package by @willnorris in #6384
  • logging: Customizable zapcore.Core by @kkroo in #6381
  • logging: set file mode when the file already exist. by @ririsoft in #6391
  • caddyfile: Pass blocks to import for snippets by @elee1766 in #6130
  • reverseproxy: add Max-Age option to sticky cookie by @JasonYuan869 in #6398
  • fileserver: Remove newline characters from precomputed etags by @armadi1809 in #6394
  • fix: http.intercept.header.* placeholders by @dunglas in #6429
  • reverseproxy: Only log host is up status on change by @klaxa in #6419
  • fix: don't compress already compressed fonts by @dunglas in #6432
  • caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying by @mholt in #6427
  • reverseproxy: Add placeholder for host in active health check headers by @francislavoie in #6440
  • browse: add Content-Security-Policy w/ nonce by @steffenbusch in #6425
  • browse: fix Content-Security-Policy warnings in Firefox by @steffenbusch in #6443
  • fileserver: Exclude symlink target size from total, show arrow on size by @francislavoie in #6412
  • reverseproxy: Fix dynamic upstreams ip version by @armadi1809 in #6448
  • reverseproxy: Add placeholder for networkAddr in active health check headers by @dylanschultzie in #6450
  • Add option to set which HTTP method to use for active health checks by @jbro in #6453
  • reverseproxy: Caddyfile support for health_method by @jbro in #6454
  • reverseproxy: add health_upstream subdirective by @dylanschultzie in #6451
  • ci: correct -tags nobadger on binary build by @girlbossceo in #6470
  • Caddyfile support for TLS handshake matchers by @vnxme in #6461
  • Caddyfile suppor...