Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⬆️ (dependencies): Update dependency caddyserver/caddy to v2.8.3 #139

Merged
merged 1 commit into from
Jun 2, 2024
Merged

⬆️ (dependencies): Update dependency caddyserver/caddy to v2.8.3 #139

merged 1 commit into from
Jun 2, 2024

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jun 2, 2024

Mend Renovate

This PR contains the following updates:

Package Update Change OpenSSF
caddyserver/caddy minor 2.7.6 -> 2.8.3 OpenSSF Scorecard

Release Notes

caddyserver/caddy (caddyserver/caddy)

v2.8.3

Compare Source

v2.8.2

Compare Source

A few more fixes of reported bugs related to ARI, try_files with the root path (/), and Caddyfile adapter detection on the CLI. See 2.8.0 release notes for details on 2.8.

Changelog

  • 01308b4 I'm so tired of typos
  • a63767d build(deps): bump golangci/golangci-lint-action from 5 to 6 (#​6361)
  • f8a2c60 caddyhttp: properly sanitize requests for root path (#​6360)
  • b7280e6 caddytls: Implement certmagic.RenewalInfoGetter
  • 15faeac cmd: fix auto-detetction of .caddyfile extension (#​6356)

Full Changelog: caddyserver/caddy@v2.8.1...v2.8.2

v2.8.1

Compare Source

Quick fixes for a few users related to directory permissions and matcher parsing.

Changelog

  • 40c582c caddyhttp: Fix merging consecutive client_ip or remote_ip matchers (#​6350)
  • a52917a core: MkdirAll appDataDir in InstanceID with 0o700 (#​6340)

v2.8.0

Compare Source

Caddy 2.8 is here! With hundreds of improvements, Caddy is more scalable and capable than ever before. Featuring ACME Renewal Information (ARI) support, HTTP/3 to proxy backends, and so much more than we can list in a sentence, we are pleased to bring you one of the biggest Caddy updates yet. Documentation on our website will be updated in the coming days.

We've implemented a ton of improvements, fixes, and awesome new features based on your feedback. While some of them aren't particularly visible changes, they allow Caddy to scale better and be more reliable in demanding deployments. Many of the changes are quality-of-life improvements we hope you'll appreciate. Then there's improvements to ACMEz, CertMagic, and other dependencies which make Caddy better that may not show up in this list.

There was a lot of code that had been documented as deprecated in place for a long time, so this version introduces a few more breaking changes than usual; please review the notes below.

Thank you to our sponsors and everyone in the community who contributed -- over 40 of you made your first contribution for this release. We couldn't have done it without your help. In particular, we'd like to recognize sponsors Stripe, Framer, and ZeroSSL for their positive influence which have greatly enhanced the project. Caddy 2.8 is already being used in our sponsors' large-scale, multi-region production deployments.

Want to join those ranks? Sponsor the Caddy project and benefit from development priority, dedicated private support, and much more.

As with any server upgrades, please be sure to test and validate your configurations in a staging or test environment before deploying to production. Thank you and have a great day!

⚠️ Breaking changes:

  • ZeroSSL (#​6229) (this is one overall change, but requires some explanation):
    • Up to now, Caddy used both Let's Encrypt and ZeroSSL by default to get certificates without any configuration. In 2.8, this is changing slightly. Due to upcoming changes to ZeroSSL accounting policies, ZeroSSL now requires your email address to be able to access their free ACME endpoint.
    • As such, Caddy will only implicitly add the ZeroSSL issuer to your config if you provide an email address in your Caddyfile using the email global option. (We have already recommended this for years.) If you already do this, you don't have to make any changes and you'll still get Let's Encrypt and ZeroSSL automatically as defaults.
    • If you use JSON to configure certificate automation policies, you will need to ensure you use the acme issuer with your email filled out, and the ca field set to ZeroSSL's ACME server URL.
    • The zerossl issuer module is no longer ACME-capable and is now exclusively for the ZeroSSL API. An API key from your ZeroSSL account is required. (The ZeroSSL ACME server can still be used with the acme module pointed to ZeroSSL's ACME server. You can provide your account email and/or EAB as well.) If you were using the ZeroSSL issuer with an API key, it will now start using ZeroSSL's API, which was probably the expected behavior anyways. The API has several advantages over the ACME endpoint, but may require payment:
      • Faster response times
      • IP certificates
      • Management tools in your ZeroSSL account dashboard
      • Technical support
    • To clarify, Let's Encrypt is still a default issuer even if you don't provide an email address (but we have always strongly recommended to do so).
    • You can still use ZeroSSL's ACME endpoint with your own External Account Binding (EAB) credentials.
    • See notes in #​6229 for some examples and further explanations.
  • Removed support for the lego_deprecated DNS provider module. It has been deprecated for 4 years. Use caddy-dns modules instead; there are over 50 to choose from already. They are more flexible, compile much leaner, and are easier to implement and support. If yours is not supported it can be easily implemented. Sponsors at or above the Business tier can request to have their provider implemented for free.
  • On-demand TLS: The ask option in the JSON has been deprecated in favor of a permission module (Caddyfile unchanged) (#​6055), and Caddyfile support for permission modules is added (6a02999)
  • Admin API: Etag (used for concurrency control) is now a header, not a trailer. This is less efficient, but still virtually no clients properly implement trailer support.
  • For consistency, the basicauth Caddyfile directive has been renamed to basic_auth (#​6092), and skip_log has been renamed to log_skip. The old names will continue to work for now, with a deprecation warning in the logs. (#​6066).
  • The basic_auth handler no longer supports scrypt (deprecated for nearly two years) (#​6091)
  • The forwarded option has been deprecated for a long time and has now been removed from the remote_ip matcher. Use the client_ip matcher instead. (#​6085)
  • Reverse proxy: The buffer_requests, buffer_responses, and max_buffer_size settings have been removed after being deprecated for 14 months. Use request_buffers and response_buffers instead if you need buffering.
  • Go API: If you called caddy.Context.AppIfConfigured(), it now returns an error, as part of a bug fix. (#​6292)

Notable changes:

  • acme_server: Configurable allow/deny policies (#​5796)
  • acme_server: Specify allowed challenge types (#​5794)
  • caddyfile: Plugin authors can now specify a default ordering for directives, making manual ordering by users less necessary (#​5865)
  • cmd: The --adapter flag is not needed for config files ending with .caddyfile (#​5919)
  • encode: More media types are now compressed by default (#​6081)
  • encode: Modify ETag when encoding to comply with RFC 9110 section 8.8.3 (#​5849)
  • encode: Configurable compression level for zstd (#​6140)
  • handle_errors: Handling can now be filtered by response status code more easily (#​5965)
  • http: New fs directive can declare a file system plugin to use (#​5057)
  • http: Sensitive headers in the logs are now replaced with ["REDACTED"] instead of empty array. (#​5669)
  • http: Several improvements to size logging, websockets, flushing, 1xx statuses, and QUIC. (#​6173, #​6175, #​6202, #​6150, #​6164, #​6168)
  • http: Can now write access logs for a hostname to more than one logger (#​6088)
  • http: The log_append handler can add fields to the access logs (#​6066)
  • http: Add uuid field to access logs when the {http.request.uuid} placeholder is used (#​5859)
  • http: Changed PROXY protocol libraries add TLV support (#​5915)
  • http: A new tracing mode writes each individual middleware handler to logs (#​6313)
  • http: Access logs use a different message ("unhandled") when an HTTP request is a no-op (#​5182)
  • file_server: The browse feature can now return a plaintext response (useful for terminals) (#​6093)
  • file_server: File listings can dereference symlinks if enabled (#​5973)
  • file_server: Directory listings now include total file size (#​6003)
  • file_server: Can use precomputed ETags from sidecar files (#​6222)
  • replacer: A new {file.*} global placeholder is available, where * is a path to a file on disk which contains a value (generally used for secrets) (#​5463)
  • reverse_proxy: HTTP/3 supported to backends (experimental) (#​6312)
  • reverse_proxy: Active health checks can now be configured with consecutive passes/fails to change status (#​6154)
  • reverse_proxy: A forward proxy can now be specified in config other than a single env var (#​6114)
  • reverse_proxy: Configurable trusted root CAs is now modular (#​6065)
  • reverse_proxy: SRV upstreams now support failovers/grace period with cache (#​5832)
  • reverse_proxy: TLS curves can now be configured (potential preparation for post-quantum) (#​5851)
  • root, rewrite: A * matcher token is no longer required in the Caddyfile (#​5844)
  • tls: Client authentication validation methods are now modular/pluggable (#​6050)
  • tls: Trusted CA providers are now modular (#​5784)
  • tls: New local_ip connection matcher (#​6074)
  • tls: Improvements and fixes when certificate managers are configured (#​6229)
  • tls: Refactor the On-Demand TLS ask endpoint into a permission module, making it pluggable (#​6055)
  • tls: Storage cleaning is now synced across instances that share the storage (#​5940)
  • tls: Supports ACME Renewal Information (ARI) draft spec, together with cert lifetime and OCSP/revocation status, to trigger certificate renewals
  • uri: Can now perform structured query rewrites with uri query (#​6120, #​6165)

Changelog

Full Changelog: caddyserver/caddy@v2.7.6...v2.8.0

New Contributors

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
⬆️ (dependencies): Update dependency caddyserver/caddy to v2.8.3
3429bc1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot enabled auto-merge June 2, 2024 11:56
@renovate renovate bot added this pull request to the merge queue Jun 2, 2024
Merged via the queue into main with commit d764b49 Jun 2, 2024
11 checks passed
@renovate renovate bot deleted the renovate/caddyserver-caddy-2.x branch June 2, 2024 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve renovate-approve approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants