Fardjad Davari
9798f6964d
caddyhttp: Avoid nil pointer dereference in proxyWrapper (#7521)
2026-02-25 04:08:41 -05:00
Francis Lavoie
9873752978
logging: Support zstd roll compression (#7515)
2026-02-23 16:04:45 -07:00
Dean Ruina
294dfff443
logging: add DirMode options and propagate FileMode to rotations (#7335)
...
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-02-23 07:27:27 +00:00
Paulo Henrique
76b198f586
http: Sort auto-HTTPS redirect routes by host specificity (fixes #7390) (#7502)
2026-02-21 21:42:40 -05:00
Paulo Henrique
7ffb640a4d
httpcaddyfile: Fix missing TLS connection policies when auto_https is default (#7325) (#7507)
2026-02-21 21:42:03 -05:00
Mohammed Al Sahaf
d7b21c6104
reverseproxy: fix tls dialing w/ proxy protocol (#7508)
2026-02-21 21:37:10 -05:00
Francis Lavoie
6610e2f1bd
chore: Disable windows/arm build target (Go 1.26 disabled) (#7503)
v2.11.1
2026-02-20 22:47:21 +00:00
Matthew Holt
03243e42fe
go.mod: Upgrade dependencies
v2.11.0
2026-02-20 12:28:11 -07:00
Matthew Holt
cb436f0a0e
fileserver: Fix tests on Windows
2026-02-20 11:46:45 -07:00
Matt Holt
a1081194bf
Merge commit from fork
...
Necessary as otherwise the early-bail in `until =
strings.IndexByte(remaining, nextCh) ... if until == -1` can cause a
case-insensitive mismatch
Co-authored-by: Asim Viladi Oglu Manizada <manizada@users.noreply.github.com>
2026-02-20 10:54:50 -07:00
Asim Viladi Oglu Manizada
eec32a0bb5
Merge commit from fork
...
Normalize exact hosts at provisioning and reqHost in the fast path so case-different Host variants can’t bypass host-gated routes.
Co-authored-by: Asim Viladi Oglu Manizada <manizada@users.noreply.github.com>
2026-02-20 10:19:42 -07:00
Matthew Holt
a2825c5dd9
fileserver: Replace \ with \\ in file matcher paths
2026-02-19 13:18:14 -07:00
dependabot[bot]
db256b53e5
build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#7497)
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 14:20:06 -05:00
Matthew Holt
6772ffb805
Revert "listeners: Add support for named socket activation (#7243)"
...
This reverts commit 156ce99d3a.
2026-02-19 11:32:26 -07:00
Matt Holt
95941a71e8
chore: Add nolints to work around haywire linters (#7493)
...
* chore: Add nolints to work around haywire linters
* More lint wrangling
2026-02-17 16:52:54 -07:00
Francis Lavoie
3adcafd4c1
admin: Fix tests locally, properly isolate storage (#7486)
...
* admin: Fix tests locally, properly isolate storage
* Fix flaky pki_test
* Drop testdata dir logic
* Safer temp dir
* Test handlers without a full server
2026-02-17 13:14:06 -07:00
Amirhf
091add5ae3
caddytest: make TestReverseProxyHealthCheck deterministic with poll instead of sleep (#7474)
...
Start lightweight backend servers before starting Caddy so active health checks
probe a ready backend instead of the same Caddy instance during provisioning.
This removes the startup race without fixed sleeps or polling.
2026-02-17 06:41:38 -05:00
Matthew Holt
bdcdaf77ba
encode: Implement Flush for legacy compatibility
...
(By sponsor request)
2026-02-16 15:59:10 -07:00
Francis Lavoie
9fe694c79c
caddytls: Enable debug logging for DNSManager (#7491)
2026-02-16 15:38:56 -07:00
wangjingcun
b8b00d9160
chore: fix some comments to improve readability (#7395)
...
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-02-16 19:41:21 +00:00
zjumathcode
68d50020ee
refactor: use strings.Builder to improve performance (#7364)
...
* refactor: use strings.Builder to improve performance
Signed-off-by: zjumathcode <pai314159@2980.com>
* refactor: small builder improvements per review (WriteByte / split writes)
also revert builder change in client_test.go
refactor(logging): build IP mask output via join of parts (more efficient)
---------
Signed-off-by: zjumathcode <pai314159@2980.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-02-16 19:30:44 +00:00
dependabot[bot]
8a18acc025
build(deps): bump the all-updates group across 1 directory with 12 updates (#7490)
...
Bumps the all-updates group with 9 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) | `2.21.1` | `2.23.1` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.2` | `1.6.3` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.2.4` | `5.2.5` |
| [github.com/klauspost/compress](https://github.com/klauspost/compress) | `1.18.2` | `1.18.4` |
| [github.com/yuin/goldmark](https://github.com/yuin/goldmark) | `1.7.15` | `1.7.16` |
| [go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.64.0` | `0.65.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.64.0` | `0.65.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.64.0` | `0.65.0` |
| [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) | `0.8.1` | `0.11.0` |
Updates `github.com/alecthomas/chroma/v2` from 2.21.1 to 2.23.1
- [Release notes](https://github.com/alecthomas/chroma/releases)
- [Commits](https://github.com/alecthomas/chroma/compare/v2.21.1...v2.23.1)
Updates `github.com/cloudflare/circl` from 1.6.2 to 1.6.3
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.6.2...v1.6.3)
Updates `github.com/go-chi/chi/v5` from 5.2.4 to 5.2.5
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.2.4...v5.2.5)
Updates `github.com/klauspost/compress` from 1.18.2 to 1.18.4
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](https://github.com/klauspost/compress/compare/v1.18.2...v1.18.4)
Updates `github.com/yuin/goldmark` from 1.7.15 to 1.7.16
- [Release notes](https://github.com/yuin/goldmark/releases)
- [Commits](https://github.com/yuin/goldmark/compare/v1.7.15...v1.7.16)
Updates `go.opentelemetry.io/contrib/exporters/autoexport` from 0.64.0 to 0.65.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.64.0...zpages/v0.65.0)
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.64.0 to 0.65.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.64.0...zpages/v0.65.0)
Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.64.0 to 0.65.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.64.0...zpages/v0.65.0)
Updates `go.opentelemetry.io/otel` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0)
Updates `go.opentelemetry.io/otel/sdk` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0)
Updates `github.com/pires/go-proxyproto` from 0.8.1 to 0.11.0
- [Release notes](https://github.com/pires/go-proxyproto/releases)
- [Commits](https://github.com/pires/go-proxyproto/compare/v0.8.1...v0.11.0)
Updates `go.opentelemetry.io/otel/trace` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-16 13:38:55 -05:00
Mohammed Al Sahaf
23d07ac89d
dep: upgrade cel-go (#7478)
...
* dep: upgrade cel-go
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Try handling `map[any]any`, fix error messages
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-02-16 18:25:49 +00:00
Francis Lavoie
d64c7e67a4
caddyhttp: Option to disable 0-RTT (#7485)
2026-02-16 10:20:47 -07:00
Francis Lavoie
ff4f79aebe
chore: Remove obsolete comment in ech.go (#7487)
2026-02-16 10:17:01 -07:00
Francis Lavoie
f2213e943e
chore: Bump zerossl dependency to 0.1.5 (#7489)
2026-02-16 10:08:29 -07:00
Amirhf
affbb99275
pki: add per-CA configurable maintenance_interval and renewal_window_ratio (#7479)
...
* pki: add per-CA configurable maintenance_interval and renewal_window_ratio
- Add MaintenanceInterval and RenewalWindowRatio to CA struct (JSON + Caddyfile).
- Run one maintenance goroutine per CA using its own interval.
- needsRenewal uses per-CA RenewalWindowRatio; invalid/zero ratio falls back to defaults.
- Caddyfile: maintenance_interval duration, renewal_window_ratio <0-1>.
- Tests: TestCA_needsRenewal, TestParsePKIApp for new options.
Fixes #7475
* fix codestyle
2026-02-15 09:10:12 -05:00
Aditya Bhargava
d6a6b486db
httpcaddyfile: Override global dns with acme_dns (fix #7294) (#7458)
...
This brings the behaviour in line with what the documentation implies.
2026-02-15 09:04:59 +00:00
mehrdadbn9
929d0e502a
caddyfile: Add renewal_window_ratio global option and tls subdirective (#7473)
...
* caddyfile: Add renewal_window_ratio global option
Adds support for configuring the TLS certificate renewal window ratio
directly in the Caddyfile global options block. This allows users to
customize when certificates should be renewed without needing to use
JSON configuration.
Example usage:
{
    renewal_window_ratio 0.1666
}
Fixes #7467
* caddyfile: Add renewal_window_ratio to tls directive and tests
Adds support for renewal_window_ratio in the tls directive (not just
global options) and adds caddyfile adapt tests for both the global
option and tls directive.
* fix: inherit global renewal_window_ratio in site policies
* fix: correct test expected output for policy consolidation
* fix: properly inherit global renewal_window_ratio without removing other code
2026-02-13 16:47:02 -05:00
Matthew Holt
6718bd470f
caddytls: Finish removing prefer_wildcard
...
Finish what should have been done a year ago in #6959)
2026-02-12 11:35:28 -07:00
Omer Cohen
80bf81839d
go.mod: update nebula v1.10.3 to resolve cve (#7471)
2026-02-12 08:54:48 -07:00
moscowchill
d42d39b4bc
caddytls: Return errors instead of nil in client auth provisioning (#7464)
...
Two error returns in ClientAuthentication.provision() were
returning nil instead of the actual error, silently swallowing
failures when converting PEM files to DER and when provisioning
the CA pool. This could cause mTLS client authentication to
silently fall back to the system trust store, accepting any
client certificate signed by a public CA instead of restricting
to the configured trust anchors.
2026-02-12 08:42:54 -07:00
Oleh Konko | trust infra security audit & contribution | deterministic ai-augmented pipeline · human-verified
0188ef2e62
acmeserver: warn when policy rules unset (#7469)
2026-02-11 11:54:51 -07:00
Francis Lavoie
c0af7b665f
chore: bump Go to v1.26 (#7466)
2026-02-11 11:21:10 -07:00
Matthew Holt
72ac479f5d
admin: Enforce origin implicitly based on request headers
2026-02-11 09:52:56 -07:00
WeidiDeng
47f3e8f8dc
use math/rand/v2 instead of math/rand (#7413)
2026-02-11 09:15:51 -07:00
XYenon
03e6e439dd
reverseproxy: fix X-Forwarded-* headers for Unix socket requests (#7463)
...
When a request arrives via a Unix domain socket (RemoteAddr == "@"),
net.SplitHostPort fails, causing addForwardedHeaders to strip all
X-Forwarded-* headers even when the connection is trusted via
trusted_proxies_unix.
Handle Unix socket connections before parsing RemoteAddr: if untrusted,
strip headers for security; if trusted, let clientIP remain empty (no
peer IP for a Unix socket hop) and fall through to the shared header
logic, preserving the existing XFF chain without appending a spurious
entry.
Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103
Co-authored-by: Amp <amp@ampcode.com>
2026-02-10 13:00:20 -07:00
Kévin Dunglas
7c28c0c07a
Merge commit from fork
...
* fix: FastCGI split SCRIPT_NAME/PATH_INFO confusion
* fix comment
2026-02-10 11:52:36 -07:00
Matt Holt
96f142c2a6
Update SECURITY.md
2026-02-10 11:44:40 -07:00
Matt Holt
5ff50779cc
Update LLM disclosure requirements in SECURITY.md
...
Clarified disclosure requirements for LLMs in security reports.
2026-02-09 14:40:41 -07:00
Matthew Holt
1f43e8566b
caddyhttp: Use case-insensitive comparison for large Host lists
2026-02-09 14:18:55 -07:00
Matthew Holt
bd374ca9d7
caddyhttp: Lowercase comparison when matching with escape sequence
2026-02-09 13:12:00 -07:00
Francis Lavoie
2ae0f7af69
reverseproxy: Set Host to {upstream_hostport} automatically if TLS (#7454)
2026-02-09 13:06:19 -07:00
Matthew Holt
58968b3fd3
Update detail in readme
2026-02-06 08:45:09 -07:00
Matthew Holt
42ca010e9d
admin: Reject requests with Sec-Fetch-Mode headers
...
And buggy Origin: null headers.
Resolves a low-risk security report by @1seal.
2026-02-05 09:39:11 -07:00
Matt Holt
40927d2f75
Require disclosure of LLM usage in security reports
...
Added requirement to disclose the use of LLMs in security reports.
2026-02-05 06:12:26 -07:00
Matthew Holt
e0f8d9b204
caddytls: Check type assertion
...
Fix https://github.com/mholt/caddy-l4/issues/378
2026-02-03 13:59:53 -07:00
Matthew Holt
3bb22672f9
reverseproxy: Customizable dial network for SRV upstreams
...
By request of a sponsor
2026-02-02 11:25:51 -07:00
Matthew Holt
935b09de83
caddytls: Skip .ts.net domains for ECH (#6971)
...
As it is also a special case in our automatic HTTPS.
2026-01-30 12:24:59 -07:00
Matthew Holt
7d24124430
caddyhttp: Reject invalid Host header (fix #7449)
2026-01-30 12:24:16 -07:00