Sourced from github.com/caddyserver/caddy/v2's releases.

v2.5.0

Caddy 2.5 introduces new features you'll love as well as a huge number of bug fixes and enhancements. Thank you to everyone who contributed!

Feel free to ask on the forum if you have any questions or feedback.

Highlights

• Reverse proxy: :sparkles: Dynamic upstreams, which is the ability to get the list of upstreams at every request (more specifically, every iteration in the proxy loop of every request) rather than just once at config-load time. Dynamic upstream modules can be plugged in to provide Caddy with the latest list of backends in real-time. Two standard modules have been implemented which can get upstreams from SRV and A/AAAA record lookups.
  • :warning: This deprecates the lookup_srv JSON field for upstreams (and srv+ scheme prefix in the Caddyfile), which will be removed in the future.
• Automatic HTTPS: Caddy will automatically try to get relevant certificates from the local Tailscale instance (if running with permission to access the Tailscale socket). This makes services running on a Tailscale network automatically available over trusted HTTPS with Caddy.
• Tracing: New OpenTelemetry integration with the tracing handler module and associated tracing directive.
• Reverse proxy: When using the response handlers, a new handler copy_response is available to copy the proxy's response back to the client, and copy_response_headers may be used to selectively copy header values from the proxy's response.
• API: Added new endpoints /pki/ca/<id> and /pki/ca/<id>/certificates for getting information about Caddy's managed CAs, including the chain of root and intermediate certificates.

Notable

• Reverse proxy: The X-Forwarded-Host header will now be automatically set, along with X-Forwarded-For and X-Forwarded-Proto.
• :warning: Reverse proxy: Incoming X-Forwarded-* headers will no longer be automatically trusted, to prevent spoofing. Now, trusted_proxies must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's list of IP ranges.
• Automatic HTTPS: Revoked certificates will be automatically replaced more reliably.
• Automatic HTTPS: Can now get certificates from Managers. As opposed to Issuers (such as the default ACME issuers) which give Caddy certificates to manage from a CSR, Managers give Caddy certificates to serve (rather than manage) during TLS handshakes.
• Automatic HTTPS: A DNS challenge domain override can be configured to delegate the solving of the challenge to a different domain.
• Automatic HTTPS: The DNS challenge propagation checks can now be delayed or disabled by setting propagation_delay or propagation_timeout to -1, respectively.
• Reverse proxy: The default dial timeout for the HTTP transport has been adjusted down to 3s (was 10s), which should allow for more easily configuring load balancing retries.
• Logging: HTTP access logs will now render empty values for often-sensitive HTTP headers such as Cookie, Authorization, and Proxy-Authorization. Logging such credentials is now opt-in with the log_credentials global option in the Caddyfile, or the server's logs > should_log_credentials field in JSON.
• Logging: Logs can now be filtered by query string parameters, cookie values, and regular expressions; and log values can be hashed. These features are useful for redacting sensitive information.
• Logging: Errors during request handling will now be logged at DEBUG level if the error was handled via errors routes (handle_errors in Caddyfile).
• :warning: Logging: Removed the deprecated common_log field from HTTP access logs, and the single_field encoder. If you relied on this, you may use the transform encoder plugin to encode logs in Common Log format.
• :warning: Logging: The remote_addr field has been replaced by remote_ip and remote_port fields in HTTP access logs, which split up the two parts of the remote address. This improves ease of use for some tooling which only expect an IP address, without a port.
• HTTP server: The vars matcher can now match on multiple possible values.
• HTTP server: Requests can now be assigned a random and unique UUID from the new {http.request.uuid} placeholder.
• HTTP server: New http_redirect listener wrapper which can be used to redirect HTTP requests that come in on a server listening for HTTPS requests to be redirected to https://.
• :warning: Caddyfile: Deprecated paths in site addresses. Prefer using path matchers within your site block instead.
• Caddyfile: New default_bind global option lets you specify the default interface all sockets should bind to.
• Caddyfile: New pki global option lets you configure the properties of the internal CAs managed by Caddy.
• Caddyfile: New method directive allows rewriting the request method via Caddyfile.
• :warning: Caddyfile: The reverse_proxy directive's handle_response subdirective has had its status replacement functionality moved to a new replace_status subdirective. This makes sure that the functionality of handle_response is not overloaded, and usage is clearer.
• Caddyfile: The map directive now casts outputs to the appropriate scalar type if possible (int, float, bool). If you need to force a string, you may use double quotes or backticks caddyserver/caddy#4643.
• Caddyfile: New vars directive allows setting some variables during request handling for later use in another handler or matcher.
• Caddyfile: The Caddyfile adapter is now stricter about curly braces for block openers to try to prevent parsing ambiguities.
• Caddyfile: The caddy fmt CLI command now has a --diff option which lets you visually see the formatting differences.
• :warning: Admin: Renamed experimental property load_interval :arrow_right: load_delay for clarification, and improved dynamic config loading.

---

:shield: Thanks to David Leadbeater for reporting a security vulnerability related to HTTP methods and metrics cardinality, which was fixed in this release.

New Contributors

• @​adamburgess made their first contribution in caddyserver/caddy#4460
• @​12f23eddde made their first contribution in caddyserver/caddy#4444
• @​rayjlinden made their first contribution in caddyserver/caddy#4023

... (truncated)

• a8bb4a6 httpcaddyfile: Add {vars.*} placeholder shortcut, reverse vars sort order...
• 3a1e0db httpcaddyfile: Deprecate paths in site addresses; use zap logs (#4728)
• 77a77c0 caddytls: Add propagation_delay, support propagation_timeout -1 (#4723)
• db62942 Make file modes consistent
• dadd4b5 Update smallstep/certificates
• d230b33 ci: use latest Go version on macOS (#4708)
• 0d13173 ci: Fix typo
• c3a82f5 ci: Ensure we always check for latest version of Go (#4703)
• 30b6d1f cmd: Enhance .env (dotenv) file parsing
• bc15b4b caddypki: Load intermediate for signing on-the-fly (#4669)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.