1549 Commits

Author	SHA1	Message	Date
Kévin Dunglas	fb324331f4	Merge commit from fork ... Both fallbacks in splitPos relied on golang.org/x/text/search with search.IgnoreCase, which performs Unicode equivalence matching far beyond ASCII case folding. Combined with the validated-ASCII guarantee on every SplitPath entry, that fallback turned non-PHP filenames into PHP scripts: - when the inner loop hit a non-ASCII byte and the IndexString fallback returned -1, the loop broke without resetting match=false, so a stale match=true caused a non-existent .php to be reported (PoC: "/name.<U+00A1>.txt"). - search.IgnoreCase folded fullwidth, mathematical and circled letters onto ASCII, so "/shell.<math sans-serif php>", "/shell.<fullwidth p>hp", "/shell.<circled php>" were all detected as ".php" files. Replace the fallback with strict byte-level ASCII case-insensitive matching: any byte >= utf8.RuneSelf in the path can never be part of a match, since SplitPath entries are validated ASCII-only and lower-cased in Provision(). This keeps the hot path branch-light and removes the x/text/search dependency from the main module. Reported against FrankenPHP as GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8. The vulnerable function in this module was adapted from the same FrankenPHP code.	2026-05-07 13:59:42 -06:00
Zen Dodd	d2172bea61	chore: Fix golangci-lint 2.12.1 findings (#7690)	2026-05-07 03:40:26 -04:00
Zen Dodd	c7c9f3108a	caddyauth: Revert "set user placeholders before auth rejection (#7685)" (#7688) ... This reverts commit 7e77eec0ae.	2026-05-05 09:12:46 -06:00
Rayan Salhab	7e77eec0ae	caddyauth: set user placeholders before auth rejection (#7685) ... * caddyauth: set user placeholders before auth rejection * docs: update auth placeholder comment	2026-05-03 13:40:11 +10:00
Felix Eckhofer	ef496e58ef	caddytls: Expand ACME credentials (#7554) ... * caddytls: Expand ACME credentials This allows using global placeholders such as {file./run/secrets/key_id} when setting up the tls configuration. * chore(formatting): gofmt on acmeissuer_test	2026-05-03 07:13:57 +10:00
Matt Holt	4d6945769d	reverseproxy: Add ability to clear dynamic upstreams cache during retries (#7662) ... * reverseproxy: Add ability to clear dynamic upstreams cache during retries This is an optional interface for dynamic upstream modules to implement if they cache results. TODO: More documentation; this is an experiment. * Add some godoc * Export interface; update godoc	2026-04-28 09:16:18 -06:00
Zen Dodd	fdbef2a6ef	logging: add regression coverage for rotated file mode (#7620)	2026-04-26 23:30:44 +10:00
Kévin Dunglas	2a3ed96f8c	metrics: Implement pushing via OLTP (#7664)	2026-04-25 06:52:08 -04:00
Francis Lavoie	355c178213	chore: Use atomics where appropriate (#7648) ... * chore: Use atomics where appropriate * Use atomic for shutdownAt	2026-04-25 03:47:54 -04:00
Matt Holt	441d5eb062	caddyhttp: prefer port 443 in auto-HTTPS and add tests (#7666)	2026-04-23 17:29:03 +10:00
Daniil Sivak	aed1af5976	reverseproxy: add lb_retry_match condition on response status (#7569)	2026-04-21 14:59:31 -04:00
Zen Dodd	4430756d5c	admin: Redact sensitive request headers in API logs (#7578) ... * admin: Redact sensitive request headers in API logs * Fix govulncheck and typed atomic lint failures * Sync Go module metadata after dependency downgrade	2026-04-17 14:56:42 -06:00
Steffen Busch	24bebd0a07	caddyhttp: Document missing placeholders for escaped URI and prefixed query (#7659)	2026-04-17 16:13:15 -04:00
Max Truxa	7586e68e27	fileserver: show symlink targets verbatim (#7579) ... `reveal_symlinks` was exposing symlink targets as fully resolved absolute paths, even if the target is a relative path. With this change the link target is shown as-is, without resolving anything.	2026-04-15 04:49:30 +10:00
Zen Dodd	0c7c91a447	logging: preserve ts for journald-wrapped JSON logs (#7644)	2026-04-13 17:33:02 -06:00
tsinglua	0722cf6fd8	chore: replace interface{} with any for modernization (#7571) ... Signed-off-by: tsinglua <tsinglua@outlook.com>	2026-04-11 19:53:12 +03:00
Zen Dodd	5f44ea0748	logging: add journald encoder wrapper (#7623)	2026-04-10 17:09:12 -06:00
Zen Dodd	7dcc041eec	vars: Add matcher placeholder handling tests (#7640) ... * vars: add matcher placeholder handling tests * vars: add query placeholder matcher coverage	2026-04-10 16:27:52 -06:00
Zen Dodd	ca0ca67fbd	reverseproxy: make stream copy buffer size configurable (#7627)	2026-04-10 14:49:32 -06:00
vnxme	5de1565ff6	vars: Don't expand placeholders in values (#7629)	2026-04-10 09:37:43 -06:00
Harsh Patel	d7834676aa	tls: add system and combined CA pool modules (#7406) ... * feat: add system and combined CA pool modules * fix: combining pools using `CertificateProvider` * fix: lint issue * chore: caddyfiletests * doing it for first time, so not sure if its right. * fix: use `x509` native addCert * chore: explicit err handling * Apply suggestion from @mohammed90 --------- Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>	2026-04-06 01:13:34 +03:00
Pieter Berkel	4f50458866	tls: expand placeholders in dns_challenge override_domain (#7609)	2026-03-31 05:46:32 +00:00
yubiuser	ea4ee3ae5d	reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy (#7564) ... * Fix check for header_up Signed-off-by: yubiuser <github@yubiuser.dev> * Onyl check in case commonScheme == "https" Signed-off-by: yubiuser <github@yubiuser.dev> * Move check after TLS transport is enabled Signed-off-by: yubiuser <github@yubiuser.dev> --------- Signed-off-by: yubiuser <github@yubiuser.dev>	2026-03-30 10:56:10 -06:00
Sam Ottenhoff	7a630f2910	encode: make zstd checksum configurable (#7586) ... * http: make zstd checksum configurable * disable_checksum	2026-03-28 13:07:21 -06:00
Marc	62e9c05264	root: introduce down-propagating Helper.BlockState for other directives/plugins to use (#7594) ... * add 'root' key to Helper.State for access in frankenphp's `php_server` directive * clone state before passing it to child directives, but keep sharing it among sibling directives * propagate named route state from children to parent * use BlockState to set "root" instead * gofmt -w . * go fmt ./... * here we go	2026-03-28 17:44:42 +00:00
Tao	6f6771aa1d	rewrite: skip query rename when source key is absent (#7599)	2026-03-28 13:10:34 -04:00
Matt Holt	e98ed6232d	chore: Resolve recent CI failures (#7593)	2026-03-25 23:21:27 -06:00
Tao	5d189aff40	caddytls: Avoid default issuers for implicit tailscale policies (#7577)	2026-03-20 09:36:03 -06:00
vnxme	df65455b1f	caddyhttp: Sync placeholder expansion in vars and vars_regexp (#7573) ... * vars: Expand placeholders in custom variables like in `vars_regexp` * vars: Reuse variables inside match loops	2026-03-17 13:08:47 -06:00
Matthew Holt	8499e34e10	caddytls: Ensure key list always gets set (fix #7555)	2026-03-16 16:21:47 -06:00
Matthew Holt	1fbb28720b	Fix lint errors ... Use VerifyConnection instead of VerifyPeerCertificate; the other 2 fixes are "meh" not really a big deal or an issue at all.	2026-03-11 13:33:59 -06:00
Francis Lavoie	6e5e08cf58	Wire up Cause for most context cancels (#7538)	2026-03-04 17:14:52 -07:00
Matthew Holt	fbfb8fc517	rewrite: Force recomputing path when escaped path matches rewrite target ... Thank you for the report by @MaherAzzouzi, and the suggested fix!	2026-03-04 16:18:33 -07:00
Oleh Konko | semantic verification for trust infra | LLM-augmented operations pipeline (precision-first, claim≤evidence, submit-human) | verify the payload, not the signer	566e710991	fileserver: document hide case-sensitivity (F-CADDY-FILESERVER-HIDE-CASE-001) (#7548)	2026-03-04 17:00:10 -05:00
Tom Paulus	a5e7c6e232	reverseproxy: prevent body close on dial-error retries (#7547)	2026-03-04 15:17:02 -05:00
Francis Lavoie	db2986028f	reverseproxy: Track dynamic upstreams, enable passive healthchecking (#7539) ... * reverseproxy: Track dynamic upstreams, enable passive healthchecking * Add tests for dynamic upstream tracking, admin endpoint, health checks	2026-03-04 15:05:26 -05:00
Sam.An	7e83775e3a	Merge commit from fork ... Only apply repl.ReplaceAll() on values from literal variable names (e.g. map outputs), not on values resolved from placeholder keys (e.g. {http.request.header.*}). The placeholder path already resolves the value via repl.Get(), so a second expansion allows user-controlled input containing {env.*} or {file.*} to be evaluated, leaking environment variables and file contents. Add regression test to verify placeholder-sourced values are not re-expanded.	2026-03-04 09:08:39 -07:00
newklei	2dbcdefbbe	forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) (#7545) ... When using copy_headers in a forward_auth block, client-supplied headers with the same names were not being removed before being forwarded to the backend. This happens because PR #6608 added a MatchNot guard that skips the Set operation when the auth service does not return a given header. That guard prevents setting headers to empty strings, which is the correct behavior, but it also means a client can send X-User-Id: admin in their request and if the auth service validates the token without returning X-User-Id, Caddy skips the Set and the client value passes through unchanged to the backend. The fix adds an unconditional delete route for each copy_headers entry, placed just before the existing conditional set route. The delete always runs regardless of what the auth service returns. The conditional set still only runs when the auth service provides that header. The end result is: - Client-supplied headers are always removed - When the auth service returns the header, the backend gets that value - When the auth service does not return the header, the backend sees nothing Existing behavior is unchanged for any deployment where the auth service returns all of the configured copy_headers entries. Fixes GHSA-7r4p-vjf4-gxv4	2026-03-03 23:30:49 -05:00
Varun Chawla	dc36082859	caddyhttp: Collect metrics once per route instead of per handler (#7492) ... * perf: collect metrics once per route instead of per handler (#4644) Move Prometheus metrics instrumentation from the per-handler level to the per-route level. Previously, every middleware handler in a route was individually wrapped with metricsInstrumentedHandler, causing metrics to be collected N times per request (once per handler in the chain). Since all handlers in a route see the same request, these per-handler metrics were redundant and added significant CPU overhead (73% of request handling time per the original profiling). The fix introduces metricsInstrumentedRoute which wraps the entire compiled handler chain once in wrapRoute, collecting metrics only when the route actually matches. The handler label uses the first handler's module name, which is the most meaningful identifier for the route. Benchmark results (5 handlers per route): Old (per-handler): ~4650 ns/op, 4400 B/op, 45 allocs/op New (per-route): ~940 ns/op, 816 B/op, 8 allocs/op Improvement: ~5x faster, ~5.4x less memory, ~5.6x fewer allocs Signed-off-by: Varun Chawla <varun_6april@hotmail.com> * Remove unused metricsInstrumentedHandler code Delete the metricsInstrumentedHandler type, its constructor, and ServeHTTP method since they are no longer used after switching to route-level metrics collection via metricsInstrumentedRoute. Also remove the unused metrics parameter from wrapMiddleware and the middlewareHandlerFunc test helper, and convert existing tests to use the new route-level API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Address review feedback: restore comments, move function to bottom - Move computeApproximateRequestSize back to bottom of file to minimize diff - Restore all useful comments that were accidentally dropped - Old metricsInstrumentedHandler already removed in previous commit --------- Signed-off-by: Varun Chawla <varun_6april@hotmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-03 15:15:55 -07:00
Paulo Henrique	88616e86e6	api: Add all in-flight requests /reverse_proxy/upstreams (Fixes #7277) (#7517) ... This refactors the initial approach in PR #7281, replacing the UsagePool with a dedicated package-level sync.Map and atomic.Int64 to track in-flight requests without global lock contention. It also introduces a lookup map in the admin API to fix a potential O(n^2) iteration over upstreams, ensuring that draining upstreams are correctly exposed across config reloads without leaking memory. Co-authored-by: Y.Horie <u5.horie@gmail.com> reverseproxy: optimize in-flight tracking and admin API - Replaced sync.RWMutex with sync.Map and atomic.Int64 to avoid lock contention under high RPS. - Introduced a lookup map in the admin API to fix a potential O(n^2) iteration over upstreams.	2026-03-03 15:14:55 -07:00
Francis Lavoie	d935a6956c	autohttps: Ensure CertMagic config is recreated after autohttps runs (#7510)	2026-03-03 14:44:06 -07:00
Akın Demirci	11b56c6cfc	reverseproxy: Fix health_port being ignored in health checks (#7533)	2026-03-03 13:10:54 -05:00
WeidiDeng	2ab043b890	reverseproxy: query escape request urls when proxy protocol is enabled (#7537)	2026-03-02 02:04:06 -05:00
Pavel Siomachkin	f145bce553	tls: Add tls_resolvers global option for DNS challenge configuration (#7297) ... Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2026-03-01 15:32:04 -05:00
Matt Holt	174fa2ddb9	caddyhttp: Evaluate tls.client placeholders more accurately (fix #7530) (#7534)	2026-02-28 22:03:18 -07:00
Matthew Holt	06a05e383c	Revert "encode: Implement Flush for legacy compatibility" ... This reverts commit bdcdaf77ba.	2026-02-27 14:14:19 -07:00
Matthew Holt	eac02ee98f	caddyhttp: Limit empty Host check to HTTP/1.1	2026-02-27 10:22:39 -07:00
Oleksandr Redko	72eaf2583a	chore: Enable modernize linter (#7519)	2026-02-26 14:01:35 -07:00
Fardjad Davari	9798f6964d	caddyhttp: Avoid nil pointer dereference in proxyWrapper (#7521)	2026-02-25 04:08:41 -05:00
Francis Lavoie	9873752978	logging: Support zstd roll compression (#7515)	2026-02-23 16:04:45 -07:00