Skip to content

fix(deps): update caddy to v2.10.0#44

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/caddy
Apr 30, 2025
Merged

fix(deps): update caddy to v2.10.0#44
renovate[bot] merged 1 commit intomainfrom
renovate/caddy

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 16, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change Age Adoption Passing Confidence
caddy final minor 2.8.4-alpine -> 2.10.0-alpine age adoption passing confidence
caddy stage minor 2.8.4-builder-alpine -> 2.10.0-builder-alpine age adoption passing confidence
github.com/caddyserver/caddy/v2 require minor v2.8.4 -> v2.10.0 age adoption passing confidence

Release Notes

caddyserver/caddy (github.com/caddyserver/caddy/v2)

v2.10.0

Compare Source

Caddy 2.10 is here! Aside from bug fixes, this release features:

  • Encrypted ClientHello (ECH): This new technology encrypts the last plaintext portion of a TLS connection: the ClientHello, which includes the domain name being connected to. The draft spec for ECH is almost finalized, so we can now support this privacy feature for TLS. This is a powerful but nuanced capability; we highly recommend reading the ECH documentation on our website.
  • Post-quantum (PQC) key exchange: Caddy now supports the standardized x25519mlkem768 cryptographic group by default.
  • ACME profiles: ACME profiles are an experimental draft that allow you to choose properties of your certificates with more flexibility than traditional CSR methods. For example, Let's Encrypt will issue 6-day certificates under a certain profile. Caddy may eventually use that profile by default.
  • Via header: The reverse proxy now sets a Via header instead of a duplicate Server header.
  • Global DNS provider: You can now specify a default "global" DNS module to use instead of having to configure it locally in every part of your config that requires a DNS provider (for example, ACME DNS challenges, and ECH). This is the dns global option in the Caddyfile, or in JSON config, it's the dns parameter in the tls app configuration.
  • Wildcards used by default: Previously, Caddy would obtain individual certificates for every domain in your config literally; now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates. This change was motivated by the novel possibility for subdomain privacy afforded by ECH. It can be overridden with tls force_automate in the Caddyfile. The experimental auto_https prefer_wildcard option has been removed.
  • libdns 1.0 APIs: Many of you use DNS provider modules to solve ACME DNS challenges or to enable dynamic DNS. They implement interfaces defined by libdns to get, set, append, and delete DNS records. After 5 years of production experience, including lessons learned with ECH, libdns APIs have been updated and 1.0 beta has been tagged. DNS provider packages will need to update their code to be compatible, which will help ensure stability and well-defined semantics for the future. Several packages have already updated or are in the process of updating (cloudflare, rfc2136, and desec to name a few).
  • Global dns config: Now that several components of Caddy configuration may affect DNS records (ACME challenges, ECH publication, etc.), there is a new dns global option that can be used to specify your DNS provider config in a single place. This prevents repetition of credentials for servers where all the domains are managed by a single DNS provider.

Thank you to the many contributors who have helped to make this possible! 🎉 🥳 🍾

⚠️ While have traditionally supported the last 2 minor Go versions to accommodate some distribution / package manager policies, we now only support the latest minor Go version. The privacy and security benefits added in new Go versions (such as post-quantum cryptography) are worth making available to everyone as soon as possible, rather than holding back the entire user base or maintaining multiple code compilation configurations.

Encrypted ClientHello (ECH) details

(This is a brief overview. We recommend reading the full documentation.)

Typically, server names (domain names, or "SNI") are sent in the plaintext ClientHello when establishing TLS connections. With ECH, the true server name is encrypted (and wrapped) by an "outer" ClientHello which has a generic SNI of your choosing. With many sites on the same server sharing the same outer SNI, both clients and the server have more privacy related to domain names.

Caddy implements fully automated ECH, meaning that it generates (and soon, rotates), publishes, and serves ECH configurations simply by specifying a DNS provider, and the outer/public domain name to use.

Fully automated ECH requires a DNS module built into your Caddy binary. In order for a client, such as a browser, to know it can use ECH, and what parameters to use, the server's ECH configuration must be published. This config includes the public name, cryptographic parameters, and a public key for encrypting the inner ClientHello. By convention, browsers read the standardized HTTPS-type DNS record containing a ech SvcParamKey. Caddy sets this DNS record for all domains being protected, but it needs that DNS provider module plugged in and configured in order to do this. If you are already using the DNS ACME challenge, you should already have a DNS provider plugged in. If you prefer to build Caddy from source with a DNS module, it's easy with xcaddy, for example: $ xcaddy build --with github.com/caddy-dns/cloudflare

The minimum config needed to enable ClientHello is also the recommended config, as it maximizes privacy benefits in most situations. You just need the ech global option and a DNS provider specified. Here's an example using Cloudflare as the nameserver:

Caddyfile:

{
	debug  # not required; recommended while testing
	dns cloudflare {env.CLOUDFLARE_API_KEY}
	ech ech.example.net
}

example.com {
	respond "Hello there!"
}

This protects all your sites (example.com in this case) behind the public name of ech.example.net. (As another example, Cloudflare uses cloudflare-ech.com for all the sites it serves. We recommend choosing a single public domain and use it to protect all your sites.)

The outer/public name you choose should point to your server. Caddy will obtain a certificate for this name in order to facilitate safe, reliable connections for clients when needed. Without a certificate, clients may be forced to connect insecurely, or fail to connect at all, in some cases, which not only leaves them vulnerable, but also risks exposing the names of your server's sites.

Caddy then uses the specified DNS provider to publish the ECH config(s) for your various site names. It creates (or augments) HTTPS-type records for the domains of your sites (not your ECH public name). Note that DNS provider modules are independently-maintained, and may not have been tested for compatibility with HTTPS-type records. Please contact your module's maintainers if you experience issues.

If you have more advanced configuration needs, you can use the JSON configuration (more details coming soon; for now, see #​6862 or look at the source code; or use caddy adapt to convert a Caddyfile to JSON).

Testing and verifying Encrypted ClientHello

First make sure Caddy runs successfully with ECH enabled (and a DNS module) in the config. You should see logs that it is generating an ECH config and publishing it to your domain name(s).

You will need to use a client that supports ECH. Some custom builds of curl do, and Firefox and modern Chrome-based browsers do as well, but you need to enable DNS-over-HTTPS or DNS-over-TLS first (since, obviously, querying DNS in plaintext for a protected domain name will expose the domain and defeat the purpose of ECH).

If reusing an existing domain name, clear your DNS cache. Firefox has a way of doing this for its cache at about:networking#dns.

Once you have a suitable client, use Wireshark to capture network packets as you load your site. You should see only the outer/public name as SNI (ServerName Indicator) values in the packet capture. If at any time you see the true site name, ECH is not working properly -- it could be a client or server issue. Before filing a bug, please try to pinpoint it as a server issue first. But definitely report server bugs! Thank you!

(Note that ECH is not automatically published for CNAME'd domains, and the domain must already have a record in the zone.)

Commits

Beta 1:
Beta 2:
Beta 3:
  • b3e692e caddyfile: Fix formatting for backquote wrapped braces (#​6903)
  • 55c89cc caddytls: Convert AP subjects to punycode
  • 1f8dab5 caddytls: Don't publish ECH configs if other records don't exist
  • 782a3c7 caddytls: Don't publish HTTPS record for CNAME'd domain (fix #​6922)
  • 49f9af9 caddytls: Fix TrustedCACerts backwards compatibility (#​6889)
  • e276994 caddytls: Initialize permission module earlier (fix #​6901)
  • 39262f8 caddytls: Minor fixes for ECH
  • 1735730 core: add modular network_proxy support (#​6399)
  • 86c620f go.mod: Minor dependency upgrades
  • af2d33a headers: Allow nil HeaderOps (fix #​6893)
  • dccf3d8 requestbody: Add set option to replace request body (#​5795)
  • 2ac09fd requestbody: Fix ContentLength calculation after body replacement (#​6896)
v2.10.0:
  • f297bc0 admin: Remove host checking for UDS (close #​6832)
  • 0b2802f build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#​6960)
  • 5be77d0 caddyauth: Set authentication provider error in placeholder (#​6932)
  • b06a949 caddyhttp: Document side effect of HTTP/3 early data (close #​6936)
  • 35c8c2d caddytls: Add remote_ip to HTTP cert manager (close #​6952)
  • fb22a26 caddytls: Allow missing ECH meta file
  • 1bfa111 caddytls: Prefer managed wildcard certs over individual subdomain certs (#​6959)
  • ea77a9a caddytls: Temporarily treat "" and "@​" as equivalent for DNS publication
  • 5a6b2f8 events: Refactor; move Event into core, so core can emit events (#​6930)
  • 137711a go.mod: Upgrade acmez and certmagic
  • 9becf61 go.mod: Upgrade to libdns 1.0 beta APIs (requires upgraded DNS providers)
  • 6c38ae7 reverseproxy: Add valid Upstream to DialInfo in active health checks (#​6949)

What's Changed

New Contributors

Full Changelog: caddyserver/caddy@v2.9.1...v2.10.0

v2.9.1

Compare Source

This is a patch release fixing a few issues related to FastCGI, HTTP/3 and unix sockets, log file permissions, repeated TERM signals, and an ARI edge case. It also adds Caddyfile support for response matching in the header directive.

Thanks to everyone who reported bugs and helped with fixes!

Changelog

  • 34cff4a core: Only initiate exit once (should fix #​6707)
  • 50778b5 fix: disable h3 for unix domain socket (#​6769)
  • 0e570e0 go.mod: Upgrade CertMagic to 0.21.6 (fix ARI handshake maintenance)
  • e48b758 header: match subdirective for response matching (#​6765)
  • 1f927d6 log: Only chmod if permission bits differ; make log dir (#​6761)
  • 1bd567d reverseproxy: buffer requests for fastcgi by default (#​6759)

What's Changed

New Contributors

Full Changelog: caddyserver/caddy@v2.9.0...v2.9.1

v2.9.0

Compare Source

Happy New Year! We're pleased to release Caddy 2.9. Aside from some minor new features, this release is mainly focused on refinements and bug fixes in many areas, including:

  • Config loading
  • Events
  • Logging
  • Placeholders
  • Reverse proxy and HTTP server performance
  • Matchers
  • HTTP (esp. HTTP/3)
  • Metrics (per-host metrics)
  • Security
  • TLS automation & ACME ARI

We realize there is extensive interest in Encrypted Client Hello (ECH) and post-quantum ciphers. These are slated to be supported in Go 1.24, which is scheduled for a stable release in approximately February. We did not want to force users to go through the inconvenience of installing pre-release, non-stock installations of Go, even though the RCs are quite stable and production-ready, in order to even compile Caddy, which is quite common given our plugin ecosystem. We anticipate a Caddy 2.10 release in the near future with these capabilities, built on Go 1.24.

We hope you will enjoy the 2.9 release. Thanks to all contributors, bug reporters, and helpers, and those organizations which deployed pre-release versions to production to help verify patches and features.

Changelog

What's Changed

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 16, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 35 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.21.0 -> 1.22.3
github.com/Masterminds/semver/v3 v3.2.1 -> v3.3.0
github.com/Masterminds/sprig/v3 v3.2.3 -> v3.3.0
github.com/caddyserver/certmagic v0.21.3 -> v0.21.6
github.com/cespare/xxhash/v2 v2.2.0 -> v2.3.0
github.com/cpuguy83/go-md2man/v2 v2.0.3 -> v2.0.4
github.com/golang/glog v1.2.0 -> v1.2.2
github.com/google/cel-go v0.20.1 -> v0.21.0
github.com/huandu/xstrings v1.4.0 -> v1.5.0
github.com/klauspost/compress v1.17.8 -> v1.17.11
github.com/klauspost/cpuid/v2 v2.2.7 -> v2.2.9
github.com/miekg/dns v1.1.59 -> v1.1.62
github.com/pires/go-proxyproto v0.7.0 -> v0.7.1-0.20240628150027-b718e7ce4964
github.com/quic-go/qpack v0.4.0 -> v0.5.1
github.com/quic-go/quic-go v0.44.0 -> v0.48.2
github.com/shopspring/decimal v1.3.1 -> v1.4.0
github.com/spf13/cast v1.5.1 -> v1.7.0
github.com/spf13/cobra v1.8.0 -> v1.8.1
github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933 -> v0.0.0-20240608151842-d3f834017e53
github.com/zeebo/blake3 v0.2.3 -> v0.2.4
go.uber.org/automaxprocs v1.5.3 -> v1.6.0
go.uber.org/zap/exp v0.2.0 -> v0.3.0
golang.org/x/crypto v0.23.0 -> v0.31.0
golang.org/x/crypto/x509roots/fallback v0.0.0-20240507223354-67b13616a595 -> v0.0.0-20241104001025-71ed71b4faf9
golang.org/x/mod v0.17.0 -> v0.18.0
golang.org/x/net v0.25.0 -> v0.33.0
golang.org/x/sync v0.7.0 -> v0.10.0
golang.org/x/sys v0.20.0 -> v0.28.0
golang.org/x/term v0.20.0 -> v0.27.0
golang.org/x/text v0.15.0 -> v0.21.0
golang.org/x/time v0.5.0 -> v0.7.0
golang.org/x/tools v0.21.0 -> v0.22.0
google.golang.org/genproto/googleapis/api v0.0.0-20240506185236-b8a5c65736ae -> v0.0.0-20241007155032-5fefd90f89a9
google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 -> v0.0.0-20241007155032-5fefd90f89a9
google.golang.org/grpc v1.63.2 -> v1.67.1
google.golang.org/protobuf v1.34.1 -> v1.35.1

@renovate renovate Bot force-pushed the renovate/caddy branch from af31804 to 99989b3 Compare April 19, 2025 08:06
@renovate renovate Bot changed the title fix(deps): update caddy to v2.9.1 fix(deps): update caddy Apr 19, 2025
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 19, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: module github.com/caddyserver/caddy/v2@v2.10.0 requires go >= 1.24; switching to go1.24.2
go: downloading go1.24.2 (linux/amd64)
go: download go1.24.2: golang.org/toolchain@v0.0.1-go1.24.2.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off

@renovate renovate Bot force-pushed the renovate/caddy branch from 99989b3 to d4167b5 Compare April 23, 2025 00:11
@renovate renovate Bot changed the title fix(deps): update caddy fix(deps): update caddy to v2.10.0 Apr 23, 2025
@renovate renovate Bot force-pushed the renovate/caddy branch from d4167b5 to f014814 Compare April 29, 2025 17:31
@renovate renovate Bot force-pushed the renovate/caddy branch from f014814 to ddd466f Compare April 29, 2025 17:38
@renovate renovate Bot force-pushed the renovate/caddy branch from ddd466f to 2fd44fe Compare April 30, 2025 03:12
@renovate renovate Bot force-pushed the renovate/caddy branch from 2fd44fe to d21b895 Compare April 30, 2025 03:30
@renovate renovate Bot force-pushed the renovate/caddy branch from d21b895 to ae13124 Compare April 30, 2025 03:33
@renovate renovate Bot force-pushed the renovate/caddy branch from ae13124 to cf175c4 Compare April 30, 2025 05:25
@renovate renovate Bot enabled auto-merge (squash) April 30, 2025 17:02
@renovate renovate Bot force-pushed the renovate/caddy branch from cf175c4 to 3913534 Compare April 30, 2025 17:02
@renovate renovate Bot force-pushed the renovate/caddy branch from 3913534 to 65f8f7b Compare April 30, 2025 17:51
@renovate renovate Bot force-pushed the renovate/caddy branch from 65f8f7b to ec64945 Compare April 30, 2025 18:07
@renovate renovate Bot merged commit 8eccdd8 into main Apr 30, 2025
3 of 4 checks passed
@renovate renovate Bot deleted the renovate/caddy branch April 30, 2025 18:17
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 1, 2025

🎉 This PR is included in version 1.0.5 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants