chore(deps): update dependency caddyserver/caddy to v2.6.0 #88
This PR contains the following updates:
v2.5.2 -> v2.6.0
Release Notes
caddyserver/caddy
v2.6.0
Compare Source
Caddy 2.6
This is our biggest release since Caddy 2.
Caddy 2 changed the way the world serves the Web. By providing an online config API, automatic HTTPS, unlimited extensibility, certificate automation at scale, modern protocols, sane defaults, and an unrivaled developer experience, we boldly raised the bar for web servers.
Now with Caddy 2.6, we're doing it again. Caddy 2.6 is the first general-purpose web server to seamlessly enable the newly-standardized HTTP/3 protocol for all configurations by default. We've virtualized the file system so you can serve content from anywhere or anything. New event features let you observe and control Caddy's internals with custom actions. Caddy is more useful than ever for developers with its enhanced CLI tooling and features. And it's faster than ever with non-trivial performance improvements. We think you will love this release.
Watch the livestream
Special dedication
This release is dedicated to the late Peter Eckersley, who passed away September 2, 2022. Peter is one of the brilliant minds behind Let's Encrypt; his work has benefited billions of people. I met Peter at the Let's Encrypt launch party in a little bar in San Francisco in 2015 and have never forgotten that occasion. He later co-authored a published research paper called Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, which highly espoused Caddy's ACME integration: "We hope to see other popular server software follow Caddy’s lead."
We look forward to when other servers do that, and we hope to honor Peter's work and influence which will live on through his memory and the encrypted Web he made possible.
Sponsors
ZeroSSL remains Caddy's executive sponsor.
We were thrilled to welcome Stripe recently as an enterprise sponsor!
Other notable sponsors include AppCove, Dukaan, Suborbital, Tailscale, plus Bubble and GitHub which both made generous one-time donations.
We have many other vital sponsors and donors on which we also rely. Our sponsors come from all over the world and include independent professionals, startups, and small companies -- and they are the absolute best. Thank you for making a more secure Web possible!
Personal note from Matt: Recent life upgrades mean that your sponsorships now sustain a family of 5 so that I can continue to maintain Caddy. Two years ago, I don't think I would have taken this risk because I'd need to find other work to provide for a family. Thank you for coming together as a professional community to make the Caddy project possible!
We strongly recommend that companies who -- or companies whose customers -- use or benefit from Caddy become a sponsor to ensure ongoing maintenance, priority development, private support, and more. Sponsorship tiers can be tailored to your requirements!
Highlights
⚠️ Don't miss deprecations / breaking changes at the bottom. Notably, if you use metrics, you will now need to turn them on.
HTTP/3 is here (#4707)
Caddy now enables RFC 9114-compliant HTTP/3 by default. The experimental_http3 option has graduated and been removed. We've removed another experimental option, allow_h2c, and individual HTTP versions (h1 h2 h2c h3) can now be toggled with the new protocols setting.
Note that HTTP/3 utilizes the QUIC transport, which requires UDP. If your network or firewall configuration only allows TCP, HTTP/3 connections will fail and clients (should) fall back to HTTP/2. For servers with properly-configured UDP networks, HTTP/3 should "just work" for enabled clients.
HTTP/3 clients can connect by reading Caddy's Alt-Svc header to know how to connect to Caddy via UDP. This header is now emitted automatically and by default. Other than that, there are no other changes needed to existing servers, as Caddy opens a separate UDP socket for HTTP/3.
Our HTTP/3 server attempts to mitigate amplification and reflection attacks by requiring address validation when the server is under load. This adds one round-trip for clients, but is only done as a defensive measure when necessary.
Serious thanks to @marten-seeman who builds and maintains the quic-go library we depend on for this. (Go has not announced any plans to officially support or implement HTTP/3.) We expect numerous QUIC and HTTP/3 improvements to come as implementations and best practices mature with more production experience.
Virtual file systems (#4909)
Caddy's file_server module now supports virtual file systems. We've replaced all hard-coded os.Open(), os.Stat(), etc. calls with Go's relatively new io/fs package, and introduced a new Caddy module namespace caddy.fs for implementations of such file systems.
Some examples of what is possible:
caddy binary and serve it from memory.
.zip or .tar.gz)
Basically, instead of serving files from the local disk, you can have Caddy serve the "files" from somewhere or something else. The default is still the local file system.
Note that this feature isn't limited to just Caddy's file_server module. Potentially any module that reads the local disk may benefit from using caddy.fs modules instead.
I wrote a module that lets you embed your site within your caddy binary -- wherever your server goes, your site goes!
We encourage the community to implement and publish new file system modules for Caddy. (From an early tweet there seems to be quite high demand.)
Events
Not surprisingly, many people prefer Caddy to automate certificates used with other software/services. Until now, there hasn't been a great way to know when Caddy has obtained or renewed a certificate (deferred in part by our opinion that certificate management should be baked into the software using the certificate in the first place). Cron jobs generally work for reloading new certificates into services because certificate expiry is mostly predictable, but now there is a better way with one of our most requested features: events!
We thought about events in general for a long time and discussed questions like, "What makes an event different from a log?" "Are events synchronous?" "Do self-initiated events get emitted before or after their code (are they past-tense or future-tense) -- or both? or neither (asynchronous)?" "What do we like from existing event systems?" "What do we wish event systems did differently?"
While we think we have pretty good answers to these questions now, we won't be sure until we gather more production experience. For this reason, events are implemented as an experimental app module -- not as part of the core. (Remember, Caddy's core currently only loads config and sets up logging/storage.) This means that Caddy's core cannot emit events.[^1] So even though our event implementation may change, it is likely to be only slight and gradual changes; and we encourage anyone and everyone to start using events as soon as possible and to give us your feedback. We think we have the start of a great event system, but we need you to prove it!
Caddy modules can emit events when interesting things happen. For example, the reverse proxy emits healthy and unhealthy events when backends go up and down. The TLS app emits cert_obtaining, cert_obtained, and cert_failed before and after obtaining a certificate or after the operation failed, respectively; and cert_ocsp_revoked after a certificate is discovered to be revoked by OCSP. There are several more events already, with even more to be added later.
Events can have data associated with them. For example, healthy/unhealthy come with the address of the host; cert_obtained has the domain name, issuer, and storage path. You can access this from config in placeholders, e.g. {event.data.identifier}.
Caddy modules can subscribe to events by specifying the name(s) of events to bind to, and the Caddy module ID(s) or namespace(s) to watch. When an event is emitted, it propagates from the module that emitted it up the provisioning hierarchy. This means that an event emitted by http.handlers.reverse_proxy will fire for http.handlers and http as well, similar to the DOM in HTML/JavaScript.
Event handlers are invoked synchronously. We chose this for several reasons. First, despite how easy Go makes concurrency, there are many subtleties to concurrency in a server. Goroutines may be lightweight, but their operations might not be; and if event goroutines are starting more quickly than they are stopping, we either drop events arbitrarily or run out of memory/CPU. Also, we think one of the qualities that differentiates events from logs is the ability for an event to influence the emitting code's flow: a true "hook" in that sense. Instead of simply observing that something is happening (which is what a log tells you), you can influence its behavior. Maybe you want to run a command before a certificate is obtained to see if it should be obtained. Or maybe you want to change how a TLS handshake is completed on-the-fly. Asynchronous event handlers cannot do this. For simple behavioral changes, synchronous events can be a powerful and useful tool for customizing your server.
The new event app lets you easily configure subscriptions and event handlers. Event handling is modular, so you will need to plug in a module that does what you want: run a command, reload a service, make an HTTP request, or anything else!
Because this feature is experimental and new, we don't yet know how people will be using it, so currently, Caddy does not ship with any event handler plugins. However, we're pretty sure based on feedback over the years that many of you would like to run commands on certain events (one of our top feature requests is to trigger a daemon reload after certificate renewals). So I went ahead and implemented an exec event handler plugin that can run commands. We almost included it in Caddy's standard distribution, but out of an abundance of caution we decided to keep it a separate plugin for now until we learn more about real production use cases from experience.
Here's an example of handling events. In JSON, you configure the events app:
or the equivalent Caddyfile global option:
It's that simple! Just make sure you have your event handler modules plugged in.
We hope you will provide feedback, report bugs, and request features related to events.
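The HTTP/3 notes above say clients learn the UDP endpoint from the Alt-Svc header; parsing that header shows which UDP ports a server advertises and therefore which firewall rules the upgrade touches. The Go program below is an added example, not code from Caddy or the release notes; the names H3Alt and H3Alternatives and the sample header value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// H3Alt is one HTTP/3 alternative advertised in an Alt-Svc header (RFC 7838).
type H3Alt struct {
	Host   string // empty means the same host as the origin
	Port   int    // UDP port the client will try
	MaxAge int    // seconds the client may remember the alternative
}

// H3Alternatives returns the h3 entries of an Alt-Svc value; other protocols and "clear" yield none.
func H3Alternatives(value string) ([]H3Alt, error) {
	var out []H3Alt
	for _, alt := range strings.Split(value, ",") { // simplification: no "," or ";" inside quotes
		parts := strings.Split(alt, ";")
		proto, authority, _ := strings.Cut(strings.TrimSpace(parts[0]), "=")
		if !strings.HasPrefix(proto, "h3") { // h3 and draft IDs such as h3-29
			continue
		}
		host, portStr, err := net.SplitHostPort(strings.Trim(authority, `"`))
		if err != nil {
			return nil, fmt.Errorf("bad alternative %q: %w", alt, err)
		}
		port, err := strconv.ParseUint(portStr, 10, 16)
		if err != nil {
			return nil, fmt.Errorf("bad port in %q: %w", alt, err)
		}
		h3 := H3Alt{Host: host, Port: int(port), MaxAge: 86400} // RFC 7838 default ma is 24 hours
		for _, p := range parts[1:] {
			k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
			if n, err := strconv.Atoi(strings.Trim(v, `"`)); k == "ma" && err == nil {
				h3.MaxAge = n
			}
		}
		out = append(out, h3)
	}
	return out, nil
}

func main() { // the header value below is constructed, not captured from a real server
	alts, err := H3Alternatives(`h3=":443"; ma=2592000, h2="alt.example.com:8443"`)
	fmt.Println(alts, err)
}
```

MaxAge matters when HTTP/3 is later switched off: under RFC 7838 a client that cached the entry may keep trying that UDP port until the lifetime expires.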
Renovate Ignore Notification
As this PR has been closed unmerged, Renovate will now ignore this update (v2.6.0). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.