Caddy 2.1 introduces a variety of new features, bug fixes, and other enhancements! Highlights:

• Fully automated mTLS certificates. Caddy 2.1 can fully manage all its TLS certificates -- including TLS client certificates -- using any ACME endpoint you configure. New in this version, the reverse proxy module can be configured to present an automated client certificate, just by providing its subject name in the config. We've tested it with Caddy's built-in ACME server, Let's Encrypt, Sectigo, and Smallstep ACME endpoints. Using this feature, Caddy will keep the client certificate renewed automatically.

• Embedded ACME server (powered by Smallstep). This allows other ACME clients to use Caddy as an ACME endpoint. The idea here is to replace one-off self-signed, generated certificates with proper, short-lived, auto-renewing certificates for local development and internal deployments. In other words, if you're running a command every so often to produce a self-signed certificate, use Caddy instead for proper, fully-managed internal PKI. Simply add the acme_server directive to your Caddyfile for its default configuration, or use its JSON interface.

• H2C support. Although discouraged in the general case, HTTP/2 over Cleartext HTTP (h2c) can be useful when serving or proxying gRPC locally/internally on trusted networks; and due to current poor TLS support in gRPC services currently, h2c might even be required in some cases. Caddy can now serve HTTP/2 without encryption, and it can communicate as a client with an HTTP/2 server that does not support TLS. To proxy h2c, set the versions property to include "h2c". To serve h2c, enable allow_h2c in your HTTP server config.

• New handle_path Caddyfile directive. This works the exact same as handle, but it only accepts a path prefix matcher and it strips the matched portion of the path before executing the directives contained in its block. It's a shortcut for using handle and uri strip_prefix together, which was a common-enough use case that we consolidated it into a new directive.

• Auto HTTPS can be configured in the Caddyfile. You can use the auto_https global option to disable it entirely, or disable only HTTP->HTTPS redirects. This is useful if you don't want to bind to any HTTP port at all.

• Various other Caddyfile improvements. Several quality-of-life improvements for the Caddyfile, including one-line named matchers such as @foo not path /foobar/*, and the ability to use backticks (`) to enclose strings where double quotes (") are inconvenient.

• Reverse proxy response interception. The reverse proxy can now intercept and handle the response from upstream based on the response status code and/or headers. This allows you to invoke custom, arbitrary HTTP logic based on the response from a backend.

• Many bug fixes and other enhancements. We always say this, I know, but just look at that changelog.

Thank you to all who contributed and filed actionable bug reports as well as patches! Please keep it up. :)

Changelog

1dc4ec2d admin: Disallow websockets aef560c7 all: Recover from panics in goroutines 41a682dd caddyauth: Add realm to basicauth Caddyfile directive (#3315) 9a7756c6 caddyauth: Cache basicauth results (fixes #3462) (#3465) 96d6d277 caddyconfig: Don't start comments in middle of tokens (#3267) 6c051cd2 caddyconfig: Minor internal and godoc tweaks fdf2a77f caddyfile: Add args on imports (#3423) d55c3b31 caddyhttp: Add client cert SAN placeholders ffc125d6 caddyfile: Move NewTestDispenser into non-test file (#3439) 52305618 caddyfile: Support backticks as quotes (closes #2591) (#3242) 294910c6 caddyhttp: Add client.public_key(_sha256) placeholders 0cbf467b caddyhttp: Add time.now placeholder and update cel-go (closes #2594) 2d1f7b9d caddyhttp: Auto-redirects from all bind addresses (fix #3443) 21c00a3c caddyhttp: Better host matching for logger names (fix #3488) (#3522) 7b0962ba caddyhttp: Default to error status if found in context 3af15c07 caddyhttp: Empty, not nil, query matcher matches empty query string 6db36155 caddyhttp: Enable matching empty query string 4c55d26f caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379) d5341625 caddyhttp: Match hostnames with wildcards to loggers (#3378) 7960b425 caddyhttp: Minor refactoring for preparing requests e5bbed10 caddyhttp: Refactor header matching a285fe41 caddypki: Add 'acme_server' Caddyfile directive bde3823b caddytest: Refactor Caddyfile adapt tests to separate files (#3398) e18c3730 caddytls: Actually use configured test CA 11a132d4 caddytls: Configurable cache size limit 6d03fb48 caddytls: Don't decode HMAC 62c9f2cf cmd: Add --envfile flag to run command (#3278) 4df56c77 cmd: Add pidfile support (closes #3235) 83551edf cmd: Only stop admin server on signal if it exists (fix #3470) 996af091 cmd: Support admin endpoint on unix socket (#3320) aa208788 cmd: file-server: add --access-log flag (#3454) bb67e19d cmd: hash-password: Fix broken terminal state on SIGINT (#3416) 5bde8d70 cmd: hash-password: Support reading from stdin (#3373) 44536a75 cmd: reverse-proxy: add --insecure flag (with warning) (#3389) ef6e53bb core: Add support for d duration unit (#3323) 28ab0bfb core: Support loading modules from [][]json.RawMessage fields b1480eb5 fastcgi: Fix php_fastcgi matcher regression (#3512) fa4cdde7 fastcgi: Make sure splitPos handles empty SplitPath correctly (#3491) 7243454a fastcgi: php_fastcgi subdirectives to override shortcut behaviour (#3255) 1e8c9764 file_server: Accept files args in one-liner of Caddyfile matcher (#3298) c9049bdc go.mod: Minor dependency updates 9dafa639 go.mod: Update dependencies 3fb2c394 go.mod: Update dependencies d5d7fb59 go.mod: Update dependencies cb0d9838 go.mod: Update quic-go to 0.17.1 (draft 29) and certmagic 0.11.2 (eab) fae06426 httpcaddyfile: Add auto_https global option (#3284) 1dfb1148 httpcaddyfile: Add client_auth options to tls directive (#3335) 21de227f httpcaddyfile: Be stricter about log syntax (#3419) 32cafbb6 httpcaddyfile: Fix ordering of catch-all site blocks cd9317e5 httpcaddyfile: Fix route ordering bug cc8fb488 httpcaddyfile: Improve error on matcher declared outside site block (#3431) a496308f httpcaddyfile: Let modules add listener wrappers (#3397) dc9f4f13 httpcaddyfile: Make global options pluggable (#3265) d84a5d84 httpcaddyfile: New acme_eab option (#3492) 8c5d00b2 httpcaddyfile: New handle_path directive (#3281) 2f59467a httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319) ea7e4b40 httpcaddyfile: Shorthands for parameterized placeholders (#3305) 97e61c16 httpcaddyfile: Sort site blocks with wildcards last (fix #3410) 26e55966 httpcaddyfile: Support single-line matchers (#3263) 41c7bd27 httpserver: Add experimental H2C support (#3289) bf8c3c25 log: improve rounding logic for log rolling directives (#3367) 9415feca logging: Net writer redials if write fails (#3453) c47ddbef pki: Add docs to some struct fields 184e8e9f pki: Embedded ACME server (#3198) 4b10ae5c reverseproxy: Add Caddyfile support for ClientCertificateAutomate afecd90a reverseproxy: Add tls_server_name option to Caddyfile (#3322) 1c17e6c6 reverseproxy: Allow using TLS for port 80 upstreams (see #3361) 90c7b4b0 reverseproxy: Apply response header ops before copying it (fix #3382) (#3401) b3bff13f reverseproxy: Close websocket conn if req context cancels 2a8a1985 reverseproxy: Don't overwrite existing X-Forwarded-Proto header 812278ac reverseproxy: Emit debug log before checking error (#3425) 7a99835d reverseproxy: Enable changing only the status code (close #2920) 538ddb85 reverseproxy: Enable response interception (#1447, #2920) 22055c5e reverseproxy: Fix https active health checks #3450 (#3451) c1e5c092 reverseproxy: Improve error message when using scheme+placeholder (#3393) 9ee01dce reverseproxy: Make debug log safe if error occurs 881b826f reverseproxy: Pool copy buffers (minor optimization) 003403ec templates: Add support for dots to close yaml frontmatter (#3498) 483e31b9 templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387) b814c0af tls/client auth: verify first certificates in client request (#3344)