2451 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Amirhf	affbb99275	pki: add per-CA configurable maintenance_interval and renewal_window_ratio (#7479) ... * pki: add per-CA configurable maintenance_interval and renewal_window_ratio - Add MaintenanceInterval and RenewalWindowRatio to CA struct (JSON + Caddyfile). - Run one maintenance goroutine per CA using its own interval. - needsRenewal uses per-CA RenewalWindowRatio; invalid/zero ratio falls back to defaults. - Caddyfile: maintenance_interval duration, renewal_window_ratio <0-1>. - Tests: TestCA_needsRenewal, TestParsePKIApp for new options. Fixes #7475 * fix codestyle	2026-02-15 09:10:12 -05:00
Aditya Bhargava	d6a6b486db	httpcaddyfile: Override global dns with acme_dns (fix #7294) (#7458) ... This brings the behaviour in line with what the documentation implies.	2026-02-15 09:04:59 +00:00
mehrdadbn9	929d0e502a	caddyfile: Add renewal_window_ratio global option and tls subdirective (#7473) ... * caddyfile: Add renewal_window_ratio global option Adds support for configuring the TLS certificate renewal window ratio directly in the Caddyfile global options block. This allows users to customize when certificates should be renewed without needing to use JSON configuration. Example usage: { renewal_window_ratio 0.1666 } Fixes #7467 * caddyfile: Add renewal_window_ratio to tls directive and tests Adds support for renewal_window_ratio in the tls directive (not just global options) and adds caddyfile adapt tests for both the global option and tls directive. * fix: inherit global renewal_window_ratio in site policies * fix: correct test expected output for policy consolidation * fix: properly inherit global renewal_window_ratio without removing other code	2026-02-13 16:47:02 -05:00
Matthew Holt	6718bd470f	caddytls: Finish removing prefer_wildcard ... Finish what should have been done a year ago in #6959)	2026-02-12 11:35:28 -07:00
Omer Cohen	80bf81839d	go.mod: update nebula v1.10.3 to resolve cve (#7471)	2026-02-12 08:54:48 -07:00
moscowchill	d42d39b4bc	caddytls: Return errors instead of nil in client auth provisioning (#7464) ... Two error returns in ClientAuthentication.provision() were returning nil instead of the actual error, silently swallowing failures when converting PEM files to DER and when provisioning the CA pool. This could cause mTLS client authentication to silently fall back to the system trust store, accepting any client certificate signed by a public CA instead of restricting to the configured trust anchors.	2026-02-12 08:42:54 -07:00
Oleh Konko | trust infra security audit & contribution | deterministic ai-augmented pipeline · human-verified	0188ef2e62	acmeserver: warn when policy rules unset (#7469)	2026-02-11 11:54:51 -07:00
Francis Lavoie	c0af7b665f	chore: bump Go to v1.26 (#7466)	2026-02-11 11:21:10 -07:00
Matthew Holt	72ac479f5d	admin: Enforce origin implicitly based on request headers	2026-02-11 09:52:56 -07:00
WeidiDeng	47f3e8f8dc	use math/rand/v2 instead of math/rand (#7413)	2026-02-11 09:15:51 -07:00
XYenon	03e6e439dd	reverseproxy: fix X-Forwarded-* headers for Unix socket requests (#7463) ... When a request arrives via a Unix domain socket (RemoteAddr == "@"), net.SplitHostPort fails, causing addForwardedHeaders to strip all X-Forwarded-* headers even when the connection is trusted via trusted_proxies_unix. Handle Unix socket connections before parsing RemoteAddr: if untrusted, strip headers for security; if trusted, let clientIP remain empty (no peer IP for a Unix socket hop) and fall through to the shared header logic, preserving the existing XFF chain without appending a spurious entry. Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103 Co-authored-by: Amp <amp@ampcode.com>	2026-02-10 13:00:20 -07:00
Kévin Dunglas	7c28c0c07a	Merge commit from fork ... * fix: FastCGI split SCRIPT_NAME/PATH_INFO confusion * fix comment	2026-02-10 11:52:36 -07:00
Matt Holt	96f142c2a6	Update SECURITY.md	2026-02-10 11:44:40 -07:00
Matt Holt	5ff50779cc	Update LLM disclosure requirements in SECURITY.md ... Clarified disclosure requirements for LLMs in security reports.	2026-02-09 14:40:41 -07:00
Matthew Holt	1f43e8566b	caddyhttp: Use case-insensitive comparison for large Host lists	2026-02-09 14:18:55 -07:00
Matthew Holt	bd374ca9d7	caddyhttp: Lowercase comparison when matching with escape sequence	2026-02-09 13:12:00 -07:00
Francis Lavoie	2ae0f7af69	reverseproxy: Set Host to {upstream_hostport} automatically if TLS (#7454)	2026-02-09 13:06:19 -07:00
Matthew Holt	58968b3fd3	Update detail in readme	2026-02-06 08:45:09 -07:00
Matthew Holt	42ca010e9d	admin: Reject requests with Sec-Fetch-Mode headers ... And buggy Origin: null headers. Resolves a low-risk security report by @1seal.	2026-02-05 09:39:11 -07:00
Matt Holt	40927d2f75	Require disclosure of LLM usage in security reports ... Added requirement to disclose the use of LLMs in security reports.	2026-02-05 06:12:26 -07:00
Matthew Holt	e0f8d9b204	caddytls: Check type assertion ... Fix https://github.com/mholt/caddy-l4/issues/378	2026-02-03 13:59:53 -07:00
Matthew Holt	3bb22672f9	reverseproxy: Customizable dial network for SRV upstreams ... By request of a sponsor	2026-02-02 11:25:51 -07:00
Matthew Holt	935b09de83	caddtls: Skip .ts.net domains for ECH (#6971) ... As it is also a special case in our automatic HTTPS.	2026-01-30 12:24:59 -07:00
Matthew Holt	7d24124430	caddyhttp: Reject invalid Host header (fix #7449)	2026-01-30 12:24:16 -07:00
Paulo Henrique	565c1c3054	autohttps: deterministic logic and strict bind checking on Linux (#7435) ... * http: fix non-deterministic auto-https and improve Linux bind matching * docs: restore historical context about Linux bind behavior	2026-01-16 08:51:23 -07:00
Francis Lavoie	d269405eab	core: Show JSON error offsets where possible (#7437)	2026-01-14 22:54:19 -05:00
Mohammed Al Sahaf	e40bd019ff	caddyfile: add observe_catchall_hosts option (#7434) ... * caddyfile: add `observe_catchall_hosts` option Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * correct JSON field name and doc comment Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> --------- Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>	2026-01-14 00:06:16 +00:00
Francis Lavoie	cbebc1292b	core: Embed time/tzdata (#7432)	2026-01-13 15:11:35 -07:00
Paulo Henrique	e9d290de2f	caddyconfig: Fix indentation of multiline strings in fmt (#7425) (#7433)	2026-01-13 15:22:23 -05:00
Paulo Henrique	62134d65af	reverseproxy: fix error when remote address is not an IP (#7429)	2026-01-13 19:52:56 +00:00
Marten Seemann	5168acfb9c	update quic-go to v0.59.0 (#7431)	2026-01-13 14:47:36 -05:00
Francis Lavoie	90972fbebc	chore: Dumb prealloc lint fix (#7430)	2026-01-13 14:13:43 -05:00
Matthew Holt	28103aafba	Revise top of readme to include Warp sponsorship section	2026-01-06 16:44:11 -07:00
Tom Paulus	6a57142896	headers: Make ApplyTo nil-safe (#7426)	2026-01-06 17:39:58 -05:00
WeidiDeng	80f2ae92cd	reverseproxy: make error chan bigger when reverse proxying websocket (#7419)	2026-01-06 04:55:47 -05:00
dependabot[bot]	7b031e1eb5	build(deps): bump the all-updates group across 1 directory with 12 updates (#7421) ... Bumps the all-updates group with 9 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) | `1.5.0` | `1.6.0` | | [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) | `2.20.0` | `2.21.1` | | [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `1.6.1` | `1.6.2` | | [github.com/spf13/cobra](https://github.com/spf13/cobra) | `1.10.1` | `1.10.2` | | [github.com/yuin/goldmark](https://github.com/yuin/goldmark) | `1.7.13` | `1.7.15` | | [go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` | | [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` | | [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` | | [go.step.sm/crypto](https://github.com/smallstep/crypto) | `0.74.0` | `0.75.0` | Updates `github.com/BurntSushi/toml` from 1.5.0 to 1.6.0 - [Release notes](https://github.com/BurntSushi/toml/releases) - [Commits](https://github.com/BurntSushi/toml/compare/v1.5.0...v1.6.0) Updates `github.com/alecthomas/chroma/v2` from 2.20.0 to 2.21.1 - [Release notes](https://github.com/alecthomas/chroma/releases) - [Commits](https://github.com/alecthomas/chroma/compare/v2.20.0...v2.21.1) Updates `github.com/cloudflare/circl` from 1.6.1 to 1.6.2 - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.2) Updates `github.com/spf13/cobra` from 1.10.1 to 1.10.2 - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.10.1...v1.10.2) Updates `github.com/yuin/goldmark` from 1.7.13 to 1.7.15 - [Release notes](https://github.com/yuin/goldmark/releases) - [Commits](https://github.com/yuin/goldmark/compare/v1.7.13...v1.7.15) Updates `go.opentelemetry.io/contrib/exporters/autoexport` from 0.63.0 to 0.64.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0) Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.63.0 to 0.64.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0) Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.63.0 to 0.64.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0) Updates `go.opentelemetry.io/otel` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/sdk` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.step.sm/crypto` from 0.74.0 to 0.75.0 - [Release notes](https://github.com/smallstep/crypto/releases) - [Commits](https://github.com/smallstep/crypto/compare/v0.74.0...v0.75.0) Updates `go.opentelemetry.io/otel/trace` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) --- updated-dependencies: - dependency-name: github.com/BurntSushi/toml dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: github.com/alecthomas/chroma/v2 dependency-version: 2.21.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: github.com/cloudflare/circl dependency-version: 1.6.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-updates - dependency-name: github.com/spf13/cobra dependency-version: 1.10.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-updates - dependency-name: github.com/yuin/goldmark dependency-version: 1.7.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/exporters/autoexport dependency-version: 0.64.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.64.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/propagators/autoprop dependency-version: 0.64.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/otel dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.step.sm/crypto dependency-version: 0.75.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/otel/trace dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> v2.11.0-beta.2	2026-01-05 22:50:46 +03:00
Matthew Holt	b2d21f650a	go.mod: Upgrade CertMagic and ZeroSSL deps	2026-01-05 12:28:52 -07:00
Mohammed Al Sahaf	99d84be6dd	readme: fix fence (#7416)	2026-01-02 10:51:36 -05:00
Felix Hildén	1f1be3f4fe	tracing: Add span attributes to tracing module (#7269) ... * WIP tracing span attributes * better test * only write attributes after other middleware (and request) * Fix test to use header response placeholders	2025-12-31 11:33:18 -07:00
Paulo Henrique	9eabd443cb	cmd: Add --json flag to list-modules command (#7409)	2025-12-26 12:32:03 -05:00
Marten Seemann	5640611dfc	chore: update quic-go to v0.58.0 (#7404)	2025-12-21 12:09:55 +03:00
Francis Lavoie	decc8a4d6f	logging: log_append Early option, Supports {http.response.body} (#7368) ... * logging: `log_append` early option * logging: `log_append` supports `{http.response.body}` * Convenience auto-early for request body	2025-12-16 23:42:42 -05:00
Will Norris	34fd2dfcff	go.mod: update tscert package to latest (aea342f6) (#7397)	2025-12-16 10:38:32 -05:00
Francis Lavoie	4037d05760	caddyhttp: {http.request.body_base64} placeholder (#7367)	2025-12-13 21:01:12 -07:00
EINIER FREYRE CORONA	409a072135	notify: implement windows service status and error notifications (#7389) ... * implement service status and error notifications * adjust return of Error function * configure accepts on status * align windows with linux semantics	2025-12-12 07:56:30 -05:00
Paul B	6a4296b1a4	caddytls: panic when using tls.ca_pool.source.http -> tls.ca (#7393)	2025-12-11 19:27:15 +00:00
Matt Holt	3c9c67e804	caddytls: ECH key rotation (#7356) ... * caddytls: ECH key rotation * Stop rotation goroutine on config unload * Publish ECH keys after rotating	2025-12-10 11:50:35 -07:00
Kévin Dunglas	598b08f9ae	test: mark Assert* functions as test helpers (#7380)	2025-12-08 22:32:00 +00:00
okrc	374b7a637f	caddytls: fix preferred chains options by appending values instead of replacing (#7387)	2025-12-07 16:19:01 +00:00
WeidiDeng	6e0cbd0fa0	caddyhttp: create a placeholder for and log ech status (#7328) ... Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2025-12-07 16:01:58 +00:00