mehrdadbn9
929d0e502a
caddyfile: Add renewal_window_ratio global option and tls subdirective (#7473)
...
* caddyfile: Add renewal_window_ratio global option
Adds support for configuring the TLS certificate renewal window ratio
directly in the Caddyfile global options block. This allows users to
customize when certificates should be renewed without needing to use
JSON configuration.
Example usage:
{
renewal_window_ratio 0.1666
}
Fixes #7467
* caddyfile: Add renewal_window_ratio to tls directive and tests
Adds support for renewal_window_ratio in the tls directive (not just
global options) and adds caddyfile adapt tests for both the global
option and tls directive.
* fix: inherit global renewal_window_ratio in site policies
* fix: correct test expected output for policy consolidation
* fix: properly inherit global renewal_window_ratio without removing other code
2026-02-13 16:47:02 -05:00
Matthew Holt
6718bd470f
caddytls: Finish removing prefer_wildcard
...
Finish what should have been done a year ago in #6959
2026-02-12 11:35:28 -07:00
Omer Cohen
80bf81839d
go.mod: update nebula v1.10.3 to resolve CVE (#7471)
2026-02-12 08:54:48 -07:00
moscowchill
d42d39b4bc
caddytls: Return errors instead of nil in client auth provisioning (#7464)
...
Two error returns in ClientAuthentication.provision() were
returning nil instead of the actual error, silently swallowing
failures when converting PEM files to DER and when provisioning
the CA pool. This could cause mTLS client authentication to
silently fall back to the system trust store, accepting any
client certificate signed by a public CA instead of restricting
to the configured trust anchors.
2026-02-12 08:42:54 -07:00
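The failure mode the commit above describes is easy to reproduce in isolation. The following is an added illustration written for this page, not Caddy's own `ClientAuthentication.provision()` code: the names `buildClientCAs`, `clientAuthConfig`, `pemToDER` and `newTestCAPEM` are assumed, and the `swallowErrors` flag stands in for the two `return nil` sites the commit fixed. The point it shows is that crypto/tls verifies client certificates against `tls.Config.ClientCAs`, and a nil pool there means the system roots are used, so an error that never reaches the caller turns "only my CA" into "any public CA".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pemToDER extracts the DER bytes of the first CERTIFICATE block (assumed helper).
func pemToDER(pemBytes []byte) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return block.Bytes, nil
}

// buildClientCAs turns configured trust-anchor PEMs into the pool for ClientCAs.
// swallowErrors=true reproduces the bug pattern from the commit: a failure becomes
// `return nil, nil`, so the caller never learns that no anchors were loaded.
func buildClientCAs(pems [][]byte, swallowErrors bool) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for i, p := range pems {
		der, err := pemToDER(p)
		if err != nil {
			if swallowErrors {
				return nil, nil // BUG: error discarded, no pool built
			}
			return nil, fmt.Errorf("trust anchor %d: converting PEM to DER: %w", i, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			if swallowErrors {
				return nil, nil // BUG: same silent failure
			}
			return nil, fmt.Errorf("trust anchor %d: %w", i, err)
		}
		pool.AddCert(cert)
	}
	return pool, nil
}

// clientAuthConfig builds a server tls.Config that demands a verified client cert.
// crypto/tls checks the client chain against ClientCAs; a nil ClientCAs falls back
// to the system roots, which is the silent fallback the commit warns about.
func clientAuthConfig(pems [][]byte, swallowErrors bool) (*tls.Config, error) {
	pool, err := buildClientCAs(pems, swallowErrors)
	if err != nil {
		return nil, err
	}
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}, nil
}

// verifiesAgainstSystemRoots reports whether the config would accept any client
// cert chaining to a public CA rather than the configured anchors.
func verifiesAgainstSystemRoots(cfg *tls.Config) bool {
	return cfg.ClientCAs == nil
}

// newTestCAPEM generates a throwaway self-signed CA (constructed sample input).
func newTestCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example mTLS test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	garbage := [][]byte{[]byte("this is not a PEM file")} // constructed bad input
	cfg, err := clientAuthConfig(garbage, true)
	fmt.Printf("buggy: err=%v systemRoots=%v\n", err, verifiesAgainstSystemRoots(cfg))
	_, err = clientAuthConfig(garbage, false)
	fmt.Printf("fixed: err=%v\n", err)
	good, _ := newTestCAPEM()
	cfg, _ = clientAuthConfig([][]byte{good}, false)
	fmt.Printf("valid anchor: systemRoots=%v\n", verifiesAgainstSystemRoots(cfg))
}
```

The practical check after upgrading is the same one the example makes: with a deliberately broken CA file, provisioning must fail loudly rather than start a listener that accepts certificates from any public CA.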
Oleh Konko | trust infra security audit & contribution | deterministic ai-augmented pipeline · human-verified
0188ef2e62
acmeserver: warn when policy rules unset (#7469)
2026-02-11 11:54:51 -07:00
Francis Lavoie
c0af7b665f
chore: bump Go to v1.26 (#7466)
2026-02-11 11:21:10 -07:00
Matthew Holt
72ac479f5d
admin: Enforce origin implicitly based on request headers
2026-02-11 09:52:56 -07:00
WeidiDeng
47f3e8f8dc
use math/rand/v2 instead of math/rand (#7413)
2026-02-11 09:15:51 -07:00
XYenon
03e6e439dd
reverseproxy: fix X-Forwarded-* headers for Unix socket requests (#7463)
...
When a request arrives via a Unix domain socket (RemoteAddr == "@"),
net.SplitHostPort fails, causing addForwardedHeaders to strip all
X-Forwarded-* headers even when the connection is trusted via
trusted_proxies_unix.
Handle Unix socket connections before parsing RemoteAddr: if untrusted,
strip headers for security; if trusted, let clientIP remain empty (no
peer IP for a Unix socket hop) and fall through to the shared header
logic, preserving the existing XFF chain without appending a spurious
entry.
Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103
Co-authored-by: Amp <amp@ampcode.com>
2026-02-10 13:00:20 -07:00
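A cut-down model of the hop handling the commit above describes, added here as an illustration and not Caddy's reverseproxy code. The functions `forwardedHeadersBefore`, `forwardedHeadersAfter`, `stripForwarded` and `appendXFF` are assumed names, and the untrusted-peer rule is simplified to "strip everything, then record the peer IP". The "before" variant parses `RemoteAddr` first, so the `net.SplitHostPort` failure on `"@"` wipes the chain even for a trusted socket; the "after" variant checks for the socket peer before parsing and, when trusted, leaves `clientIP` empty so nothing spurious is appended.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// stripForwarded removes every X-Forwarded-* header from an untrusted hop.
func stripForwarded(h http.Header) {
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "x-forwarded-") {
			h.Del(name)
		}
	}
}

// appendXFF appends clientIP to the X-Forwarded-For chain; an empty clientIP
// (no peer IP on a Unix socket hop) leaves the existing chain untouched.
func appendXFF(h http.Header, clientIP string) {
	if clientIP == "" {
		return
	}
	if prior := h.Get("X-Forwarded-For"); prior != "" {
		h.Set("X-Forwarded-For", prior+", "+clientIP)
		return
	}
	h.Set("X-Forwarded-For", clientIP)
}

// forwardedHeadersBefore models the pre-fix ordering: parse first, and treat a
// parse failure like an untrusted peer. RemoteAddr "@" has no port, so
// net.SplitHostPort fails and the trusted chain is lost.
func forwardedHeadersBefore(h http.Header, remoteAddr string, trusted bool) {
	clientIP, _, err := net.SplitHostPort(remoteAddr)
	if err != nil || !trusted {
		stripForwarded(h)
	}
	if err != nil {
		return
	}
	appendXFF(h, clientIP)
}

// forwardedHeadersAfter models the fixed ordering: handle the Unix socket peer
// before parsing, then fall through to the shared header logic.
func forwardedHeadersAfter(h http.Header, remoteAddr string, trusted bool) {
	var clientIP string
	if remoteAddr == "@" {
		if !trusted {
			stripForwarded(h)
			return
		}
		// trusted socket hop: no peer IP, keep the existing chain as-is
	} else {
		host, _, err := net.SplitHostPort(remoteAddr)
		if err != nil {
			stripForwarded(h)
			return
		}
		if !trusted {
			stripForwarded(h)
		}
		clientIP = host
	}
	appendXFF(h, clientIP)
}

func main() {
	// constructed sample: a request that already carries a chain from an
	// upstream proxy, arriving over a trusted Unix socket
	for _, fn := range []struct {
		name string
		f    func(http.Header, string, bool)
	}{{"before", forwardedHeadersBefore}, {"after", forwardedHeadersAfter}} {
		h := http.Header{}
		h.Set("X-Forwarded-For", "203.0.113.7")
		h.Set("X-Forwarded-Proto", "https")
		fn.f(h, "@", true)
		fmt.Printf("%s: XFF=%q Proto=%q\n", fn.name, h.Get("X-Forwarded-For"), h.Get("X-Forwarded-Proto"))
	}
}
```

The case worth keeping in a regression suite is the third one in the test: an untrusted socket peer must still be stripped, since the fix only changes behaviour for connections admitted via trusted_proxies_unix.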
Kévin Dunglas
7c28c0c07a
Merge commit from fork
...
* fix: FastCGI split SCRIPT_NAME/PATH_INFO confusion
* fix comment
2026-02-10 11:52:36 -07:00
Matt Holt
96f142c2a6
Update SECURITY.md
2026-02-10 11:44:40 -07:00
Matt Holt
5ff50779cc
Update LLM disclosure requirements in SECURITY.md
...
Clarified disclosure requirements for LLMs in security reports.
2026-02-09 14:40:41 -07:00
Matthew Holt
1f43e8566b
caddyhttp: Use case-insensitive comparison for large Host lists
2026-02-09 14:18:55 -07:00
Matthew Holt
bd374ca9d7
caddyhttp: Lowercase comparison when matching with escape sequence
2026-02-09 13:12:00 -07:00
Francis Lavoie
2ae0f7af69
reverseproxy: Set Host to {upstream_hostport} automatically if TLS (#7454)
2026-02-09 13:06:19 -07:00
Matthew Holt
58968b3fd3
Update detail in readme
2026-02-06 08:45:09 -07:00
Matthew Holt
42ca010e9d
admin: Reject requests with Sec-Fetch-Mode headers
...
And buggy Origin: null headers.
Resolves a low-risk security report by @1seal.
2026-02-05 09:39:11 -07:00
Matt Holt
40927d2f75
Require disclosure of LLM usage in security reports
...
Added requirement to disclose the use of LLMs in security reports.
2026-02-05 06:12:26 -07:00
Matthew Holt
e0f8d9b204
caddytls: Check type assertion
...
Fix https://github.com/mholt/caddy-l4/issues/378
2026-02-03 13:59:53 -07:00
Matthew Holt
3bb22672f9
reverseproxy: Customizable dial network for SRV upstreams
...
By request of a sponsor
2026-02-02 11:25:51 -07:00
Matthew Holt
935b09de83
caddytls: Skip .ts.net domains for ECH (#6971)
...
As it is also a special case in our automatic HTTPS.
2026-01-30 12:24:59 -07:00
Matthew Holt
7d24124430
caddyhttp: Reject invalid Host header (fix #7449)
2026-01-30 12:24:16 -07:00
Paulo Henrique
565c1c3054
autohttps: deterministic logic and strict bind checking on Linux (#7435)
...
* http: fix non-deterministic auto-https and improve Linux bind matching
* docs: restore historical context about Linux bind behavior
2026-01-16 08:51:23 -07:00
Francis Lavoie
d269405eab
core: Show JSON error offsets where possible (#7437)
2026-01-14 22:54:19 -05:00
Mohammed Al Sahaf
e40bd019ff
caddyfile: add observe_catchall_hosts option (#7434)
...
* caddyfile: add `observe_catchall_hosts` option
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* correct JSON field name and doc comment
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2026-01-14 00:06:16 +00:00
Francis Lavoie
cbebc1292b
core: Embed time/tzdata (#7432)
2026-01-13 15:11:35 -07:00
Paulo Henrique
e9d290de2f
caddyconfig: Fix indentation of multiline strings in fmt (#7425) (#7433)
2026-01-13 15:22:23 -05:00
Paulo Henrique
62134d65af
reverseproxy: fix error when remote address is not an IP (#7429)
2026-01-13 19:52:56 +00:00
Marten Seemann
5168acfb9c
update quic-go to v0.59.0 (#7431)
2026-01-13 14:47:36 -05:00
Francis Lavoie
90972fbebc
chore: Dumb prealloc lint fix (#7430)
2026-01-13 14:13:43 -05:00
Matthew Holt
28103aafba
Revise top of readme to include Warp sponsorship section
2026-01-06 16:44:11 -07:00
Tom Paulus
6a57142896
headers: Make ApplyTo nil-safe (#7426)
2026-01-06 17:39:58 -05:00
WeidiDeng
80f2ae92cd
reverseproxy: make error chan bigger when reverse proxying websocket (#7419)
2026-01-06 04:55:47 -05:00
dependabot[bot]
7b031e1eb5
build(deps): bump the all-updates group across 1 directory with 12 updates (#7421)
...
Bumps the all-updates group with 9 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) | `1.5.0` | `1.6.0` |
| [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) | `2.20.0` | `2.21.1` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.1` | `1.6.2` |
| [github.com/spf13/cobra](https://github.com/spf13/cobra) | `1.10.1` | `1.10.2` |
| [github.com/yuin/goldmark](https://github.com/yuin/goldmark) | `1.7.13` | `1.7.15` |
| [go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` |
| [go.step.sm/crypto](https://github.com/smallstep/crypto) | `0.74.0` | `0.75.0` |
Updates `github.com/BurntSushi/toml` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/BurntSushi/toml/releases)
- [Commits](https://github.com/BurntSushi/toml/compare/v1.5.0...v1.6.0)
Updates `github.com/alecthomas/chroma/v2` from 2.20.0 to 2.21.1
- [Release notes](https://github.com/alecthomas/chroma/releases)
- [Commits](https://github.com/alecthomas/chroma/compare/v2.20.0...v2.21.1)
Updates `github.com/cloudflare/circl` from 1.6.1 to 1.6.2
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.2)
Updates `github.com/spf13/cobra` from 1.10.1 to 1.10.2
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.10.1...v1.10.2)
Updates `github.com/yuin/goldmark` from 1.7.13 to 1.7.15
- [Release notes](https://github.com/yuin/goldmark/releases)
- [Commits](https://github.com/yuin/goldmark/compare/v1.7.13...v1.7.15)
Updates `go.opentelemetry.io/contrib/exporters/autoexport` from 0.63.0 to 0.64.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0)
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.63.0 to 0.64.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0)
Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.63.0 to 0.64.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0)
Updates `go.opentelemetry.io/otel` from 1.38.0 to 1.39.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0)
Updates `go.opentelemetry.io/otel/sdk` from 1.38.0 to 1.39.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0)
Updates `go.step.sm/crypto` from 0.74.0 to 0.75.0
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](https://github.com/smallstep/crypto/compare/v0.74.0...v0.75.0)
Updates `go.opentelemetry.io/otel/trace` from 1.38.0 to 1.39.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0)
---
updated-dependencies:
- dependency-name: github.com/BurntSushi/toml
dependency-version: 1.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: github.com/alecthomas/chroma/v2
dependency-version: 2.21.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: github.com/cloudflare/circl
dependency-version: 1.6.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all-updates
- dependency-name: github.com/spf13/cobra
dependency-version: 1.10.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all-updates
- dependency-name: github.com/yuin/goldmark
dependency-version: 1.7.15
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/contrib/exporters/autoexport
dependency-version: 0.64.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
dependency-version: 0.64.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/contrib/propagators/autoprop
dependency-version: 0.64.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/otel
dependency-version: 1.39.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.39.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.step.sm/crypto
dependency-version: 0.75.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
- dependency-name: go.opentelemetry.io/otel/trace
dependency-version: 1.39.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all-updates
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
v2.11.0-beta.2
2026-01-05 22:50:46 +03:00
Matthew Holt
b2d21f650a
go.mod: Upgrade CertMagic and ZeroSSL deps
2026-01-05 12:28:52 -07:00
Mohammed Al Sahaf
99d84be6dd
readme: fix fence (#7416)
2026-01-02 10:51:36 -05:00
Felix Hildén
1f1be3f4fe
tracing: Add span attributes to tracing module (#7269)
...
* WIP tracing span attributes
* better test
* only write attributes after other middleware (and request)
* Fix test to use header response placeholders
2025-12-31 11:33:18 -07:00
Paulo Henrique
9eabd443cb
cmd: Add --json flag to list-modules command (#7409)
2025-12-26 12:32:03 -05:00
Marten Seemann
5640611dfc
chore: update quic-go to v0.58.0 (#7404)
2025-12-21 12:09:55 +03:00
Francis Lavoie
decc8a4d6f
logging: log_append Early option, Supports {http.response.body} (#7368)
...
* logging: `log_append` early option
* logging: `log_append` supports `{http.response.body}`
* Convenience auto-early for request body
2025-12-16 23:42:42 -05:00
Will Norris
34fd2dfcff
go.mod: update tscert package to latest (aea342f6) (#7397)
2025-12-16 10:38:32 -05:00
Francis Lavoie
4037d05760
caddyhttp: {http.request.body_base64} placeholder (#7367)
2025-12-13 21:01:12 -07:00
EINIER FREYRE CORONA
409a072135
notify: implement windows service status and error notifications (#7389)
...
* implement service status and error notifications
* adjust return of Error function
* configure accepts on status
* align windows with linux semantics
2025-12-12 07:56:30 -05:00
Paul B
6a4296b1a4
caddytls: panic when using tls.ca_pool.source.http -> tls.ca (#7393)
2025-12-11 19:27:15 +00:00
Matt Holt
3c9c67e804
caddytls: ECH key rotation (#7356)
...
* caddytls: ECH key rotation
* Stop rotation goroutine on config unload
* Publish ECH keys after rotating
2025-12-10 11:50:35 -07:00
Kévin Dunglas
598b08f9ae
test: mark Assert* functions as test helpers (#7380)
2025-12-08 22:32:00 +00:00
okrc
374b7a637f
caddytls: fix preferred chains options by appending values instead of replacing (#7387)
2025-12-07 16:19:01 +00:00
WeidiDeng
6e0cbd0fa0
caddyhttp: create a placeholder for and log ech status (#7328)
...
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2025-12-07 16:01:58 +00:00
Steffen Busch
bfdb04912d
docs: add maybe template function documentation (#7388)
2025-12-06 06:51:28 -05:00
vnxme
31960dc998
Introduce packet conn wrappers (#7180)
...
* packet_conn_wrappers: Initial changes
* packet_conn_wrappers: Unwrap a packet conn only if there are no wrappers
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2025-12-04 14:15:56 -07:00