1566 Commits

Author	SHA1	Message	Date
Lohit	176b043b01	rewrite: prevent placeholder re-expansion in injected query (#7761) ... When the rewrite URI template ends with a literal '?' and contains a placeholder that expands to client-controlled bytes (e.g. {http.request.header.X-Fwd}), those bytes flow into buildQueryString which runs a second Replacer pass. If the bytes contain placeholder syntax such as {env.SECRET}, that placeholder is evaluated, allowing disclosure of environment variables, files (via {file./path}), or internal request vars through the rewritten request URI. Escape '{' and '}' in the injected query before assigning it to the query variable, so the second pass cannot find any placeholder syntax to evaluate. Operator-written placeholders in the rewrite template are already expanded by the first pass on the path component, so the only '{' or '}' surviving into the injected query must have come from replacement values. Fixes GHSA-j8px-rmrx-76h9. Includes three regression tests mirroring the 'is not re-expanded' tests in modules/caddyhttp/vars_test.go. Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2026-05-26 16:51:18 -06:00
Vincent Yang	217a785824	caddyhttp: normalize Windows backslashes in path matcher (#7763)	2026-05-21 11:28:40 -06:00
Zen Dodd	9505c0baa0	caddytls: match IDN SNI in connection policies (#7742)	2026-05-20 13:52:28 -04:00
WeidiDeng	ad912569b5	reverseproxy: wraps request body to prevent closing if not read (#7719) ... Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2026-05-20 17:35:40 +00:00
Zen Dodd	408d20a0e5	caddyauth: add candidate placeholders for rejected identities (#7698)	2026-05-20 13:51:54 +00:00
Eyüp Can Akman	0b265eb845	reverseproxy: Add regression test for DialInfo network override (#7758)	2026-05-20 09:43:58 -04:00
Zen Dodd	88037f1666	chore: clean up wording and typo fixes (#7745) ... * chore: clean up wording and typo fixes * chore: ASCII -> alphanumeric in lexer for heredoc marker	2026-05-20 16:36:30 +10:00
cbro	325c244ea7	caddytls: fix TLS state races and ECH rotation retry (#7756) ... * caddytls: fix data race in session ticket key rotation stayUpdated copies the map header (configs := s.configs) under the lock, then iterates the original map after releasing it. Concurrent calls to register/unregister mutate the same map. Hold the lock for the entire iteration instead. * caddytls: fix data race in AllMatchingCertificates AllMatchingCertificates reads the package-level certCache without acquiring certCacheMu, while Cleanup sets certCache to nil under the write lock. The adjacent HasCertificateForSubject correctly acquires certCacheMu.RLock. Add the missing RLock/RUnlock to match. * caddytls: fix ECH key rotation stopping permanently on error When rotateECHKeys returns an error, the rotation goroutine returns immediately, stopping all future key rotation for the lifetime of the process. Change return to continue, matching the error handling for publishECHConfigs two lines below.	2026-05-20 16:35:40 +10:00
Brett Bethke	0125ae39cc	caddyhttp: omit Last-Modified for unusable mod times (#7740) ... See #5548 and #7730	2026-05-20 16:19:11 +10:00
Matt Holt	6c675e29f8	caddytls: Fix client auth (fix #7724) (#7727) ... The peer certificates should be loaded even if existingVerifyPeerCert is nil. Patched with the assistance of Copilot, as an experiment.	2026-05-14 10:05:57 -06:00
James Hartig	77e9ce7404	reverseproxy: further prevent body closes from dial errors (#7715)	2026-05-12 12:05:50 -06:00
Rayan Salhab	a4a38c3e88	rewrite: escape file matcher paths before rewriting (#7683) ... * fix: escape file matcher paths in rewrites Preserve matched file paths containing literal '?' or '%' when try_files rewrites to http.matchers.file.relative. * test: cover nested escaped try_files rewrite paths * test: cover encoded slash try_files rewrite paths * fix: assert file matcher placeholder as string --------- Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>	2026-05-11 17:16:33 -06:00
Matthew Holt	761347aa63	templates: Explicitly warn about misconfigurations	2026-05-11 16:45:49 -06:00
Steffen Busch	4ba16fe82c	docs: add documentation for fileExists and fileStat template functions (#7700)	2026-05-12 04:23:58 +10:00
Rijul	0fab9f0f7d	caddytls: avoid duplicate automation for wildcard-covered hosts (#7697) ... * caddytls: Fix wildcard race in auto-HTTPS launch When evaluating whether to skip managing an individual subdomain due to an existing wildcard configuration, we now explicitly consult the automate loader. Because Caddy apps can start in any order, relying strictly on the TLS app's internal management state was non-deterministic if the HTTP app started first. Checking the automate loader guarantees predictable behavior since it is fully populated during the Provision phase, well before any apps are started. * respond to review comments 1. update requested comment 2. remove personal domain from test 3. add regression test * remove unnecessary mutex lock * refactor: -integration test, +explicit cases * refactor: remove redundant test, add comment * rename file and add header * update copyright year	2026-05-11 00:08:40 +10:00
Zen Dodd	5e76b5ee43	tls: add alpn to managed HTTPS records (#7653) ... * tls: add alpn to managed HTTPS records * tls: centralise HTTPS RR ALPN defaults and registration Reuse shared protocol defaults instead of repeating the default HTTP protocol list, unify server name registration to carry ALPN in one experimental API and reuse the TLS default ALPN ordering for HTTPS RR publication * http: centralise effective protocol resolution for HTTPS RR ALPN	2026-05-10 13:10:29 +10:00
Matthew Holt	9c78b97f9e	fastcgi: Fix lint	2026-05-08 10:46:28 -06:00
Kévin Dunglas	fb324331f4	Merge commit from fork ... Both fallbacks in splitPos relied on golang.org/x/text/search with search.IgnoreCase, which performs Unicode equivalence matching far beyond ASCII case folding. Combined with the validated-ASCII guarantee on every SplitPath entry, that fallback turned non-PHP filenames into PHP scripts: - when the inner loop hit a non-ASCII byte and the IndexString fallback returned -1, the loop broke without resetting match=false, so a stale match=true caused a non-existent .php to be reported (PoC: "/name.<U+00A1>.txt"). - search.IgnoreCase folded fullwidth, mathematical and circled letters onto ASCII, so "/shell.<math sans-serif php>", "/shell.<fullwidth p>hp", "/shell.<circled php>" were all detected as ".php" files. Replace the fallback with strict byte-level ASCII case-insensitive matching: any byte >= utf8.RuneSelf in the path can never be part of a match, since SplitPath entries are validated ASCII-only and lower-cased in Provision(). This keeps the hot path branch-light and removes the x/text/search dependency from the main module. Reported against FrankenPHP as GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8. The vulnerable function in this module was adapted from the same FrankenPHP code.	2026-05-07 13:59:42 -06:00
Zen Dodd	d2172bea61	chore: Fix golangci-lint 2.12.1 findings (#7690)	2026-05-07 03:40:26 -04:00
Zen Dodd	c7c9f3108a	caddyauth: Revert "set user placeholders before auth rejection (#7685)" (#7688) ... This reverts commit 7e77eec0ae.	2026-05-05 09:12:46 -06:00
Rayan Salhab	7e77eec0ae	caddyauth: set user placeholders before auth rejection (#7685) ... * caddyauth: set user placeholders before auth rejection * docs: update auth placeholder comment	2026-05-03 13:40:11 +10:00
Felix Eckhofer	ef496e58ef	caddytls: Expand ACME credentials (#7554) ... * caddytls: Expand ACME credentials This allows using global placeholders such as {file./run/secrets/key_id} when setting up the tls configuration. * chore(formatting): gofmt on acmeissuer_test	2026-05-03 07:13:57 +10:00
Matt Holt	4d6945769d	reverseproxy: Add ability to clear dynamic upstreams cache during retries (#7662) ... * reverseproxy: Add ability to clear dynamic upstreams cache during retries This is an optional interface for dynamic upstream modules to implement if they cache results. TODO: More documentation; this is an experiment. * Add some godoc * Export interface; update godoc	2026-04-28 09:16:18 -06:00
Zen Dodd	fdbef2a6ef	logging: add regression coverage for rotated file mode (#7620)	2026-04-26 23:30:44 +10:00
Kévin Dunglas	2a3ed96f8c	metrics: Implement pushing via OLTP (#7664)	2026-04-25 06:52:08 -04:00
Francis Lavoie	355c178213	chore: Use atomics where appropriate (#7648) ... * chore: Use atomics where appropriate * Use atomic for shutdownAt	2026-04-25 03:47:54 -04:00
Matt Holt	441d5eb062	caddyhttp: prefer port 443 in auto-HTTPS and add tests (#7666)	2026-04-23 17:29:03 +10:00
Daniil Sivak	aed1af5976	reverseproxy: add lb_retry_match condition on response status (#7569)	2026-04-21 14:59:31 -04:00
Zen Dodd	4430756d5c	admin: Redact sensitive request headers in API logs (#7578) ... * admin: Redact sensitive request headers in API logs * Fix govulncheck and typed atomic lint failures * Sync Go module metadata after dependency downgrade	2026-04-17 14:56:42 -06:00
Steffen Busch	24bebd0a07	caddyhttp: Document missing placeholders for escaped URI and prefixed query (#7659)	2026-04-17 16:13:15 -04:00
Max Truxa	7586e68e27	fileserver: show symlink targets verbatim (#7579) ... `reveal_symlinks` was exposing symlink targets as fully resolved absolute paths, even if the target is a relative path. With this change the link target is shown as-is, without resolving anything.	2026-04-15 04:49:30 +10:00
Zen Dodd	0c7c91a447	logging: preserve ts for journald-wrapped JSON logs (#7644)	2026-04-13 17:33:02 -06:00
tsinglua	0722cf6fd8	chore: replace interface{} with any for modernization (#7571) ... Signed-off-by: tsinglua <tsinglua@outlook.com>	2026-04-11 19:53:12 +03:00
Zen Dodd	5f44ea0748	logging: add journald encoder wrapper (#7623)	2026-04-10 17:09:12 -06:00
Zen Dodd	7dcc041eec	vars: Add matcher placeholder handling tests (#7640) ... * vars: add matcher placeholder handling tests * vars: add query placeholder matcher coverage	2026-04-10 16:27:52 -06:00
Zen Dodd	ca0ca67fbd	reverseproxy: make stream copy buffer size configurable (#7627)	2026-04-10 14:49:32 -06:00
vnxme	5de1565ff6	vars: Don't expand placeholders in values (#7629)	2026-04-10 09:37:43 -06:00
Harsh Patel	d7834676aa	tls: add system and combined CA pool modules (#7406) ... * feat: add system and combined CA pool modules * fix: combining pools using `CertificateProvider` * fix: lint issue * chore: caddyfiletests * doing it for first time, so not sure if its right. * fix: use `x509` native addCert * chore: explicit err handling * Apply suggestion from @mohammed90 --------- Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>	2026-04-06 01:13:34 +03:00
Pieter Berkel	4f50458866	tls: expand placeholders in dns_challenge override_domain (#7609)	2026-03-31 05:46:32 +00:00
yubiuser	ea4ee3ae5d	reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy (#7564) ... * Fix check for header_up Signed-off-by: yubiuser <github@yubiuser.dev> * Onyl check in case commonScheme == "https" Signed-off-by: yubiuser <github@yubiuser.dev> * Move check after TLS transport is enabled Signed-off-by: yubiuser <github@yubiuser.dev> --------- Signed-off-by: yubiuser <github@yubiuser.dev>	2026-03-30 10:56:10 -06:00
Sam Ottenhoff	7a630f2910	encode: make zstd checksum configurable (#7586) ... * http: make zstd checksum configurable * disable_checksum	2026-03-28 13:07:21 -06:00
Marc	62e9c05264	root: introduce down-propagating Helper.BlockState for other directives/plugins to use (#7594) ... * add 'root' key to Helper.State for access in frankenphp's `php_server` directive * clone state before passing it to child directives, but keep sharing it among sibling directives * propagate named route state from children to parent * use BlockState to set "root" instead * gofmt -w . * go fmt ./... * here we go	2026-03-28 17:44:42 +00:00
Tao	6f6771aa1d	rewrite: skip query rename when source key is absent (#7599)	2026-03-28 13:10:34 -04:00
Matt Holt	e98ed6232d	chore: Resolve recent CI failures (#7593)	2026-03-25 23:21:27 -06:00
Tao	5d189aff40	caddytls: Avoid default issuers for implicit tailscale policies (#7577)	2026-03-20 09:36:03 -06:00
vnxme	df65455b1f	caddyhttp: Sync placeholder expansion in vars and vars_regexp (#7573) ... * vars: Expand placeholders in custom variables like in `vars_regexp` * vars: Reuse variables inside match loops	2026-03-17 13:08:47 -06:00
Matthew Holt	8499e34e10	caddytls: Ensure key list always gets set (fix #7555)	2026-03-16 16:21:47 -06:00
Matthew Holt	1fbb28720b	Fix lint errors ... Use VerifyConnection instead of VerifyPeerCertificate; the other 2 fixes are "meh" not really a big deal or an issue at all.	2026-03-11 13:33:59 -06:00
Francis Lavoie	6e5e08cf58	Wire up Cause for most context cancels (#7538)	2026-03-04 17:14:52 -07:00
Matthew Holt	fbfb8fc517	rewrite: Force recomputing path when escaped path matches rewrite target ... Thank you for the report by @MaherAzzouzi, and the suggested fix!	2026-03-04 16:18:33 -07:00