Caddy 2.3 is the first web server to be able to get certificates from multiple issuers (for redundancy)! We've also optimized several things for large-scale deployments, as there are businesses using Caddy to serve tens of thousands of sites per instance.

The main highlights of this release include:

• Multi-issuer support. Caddy can now get certificates from multiple issuers for redundancy; if one fails, another will be tried. Caddy's new defaults are Let's Encrypt and ZeroSSL. You can customize these, including adding local/self-signed certificates as a last resort if desired. Caddy is the first web server to support multiple issuers, offering unrivaled reliability for your site's HTTPS. It is the first ACME client to support multiple CA fallbacks.

• Improved on-demand TLS. On-demand TLS is an operating mode by which certificate obtain/renew operations are triggered on a TLS handshake that requires them, rather than happening at config-load time. We've moved a lot of the processing to the background where possible (e.g. when an existing certificate is still usable) so more connections will finish their handshakes faster, and fewer handshakes will fail (however, you still need to watch the logs and fix the errors before it's too late). Several businesses we know of currently rely on this unique feature at a scale of tens of thousands of sites.

• Support for alternate certificate chains. You can now customize which certificate chains to download from ACME servers that offer more than one.

• New map handler is ready for production use. (Caddyfile docs) It's been in Caddy for a few versions now but it's finally ready for production, with enhanced efficiency and functionality. We have been using this handler with a customer in production for a while now, on an instance that is handling thousands of sites.

• Customize servers and listeners with the Caddyfile. The Caddyfile structure is oriented around sites for convenience, so customizing servers has not been possible until now. You can now use global options to configure servers and their listeners (for example, protocol options, socket read options, and more) without having to use JSON config.

Of course, there are also numerous bug fixes and other enhancements, including bringing more configuration options into the Caddyfile. Thank you to everyone who contributed code, code reviews, or participated in the pre-releases.

There are a couple of minor breaking changes, but one was not documented and the other has always been an experimental feature:

• :warning: The remote_ip matcher no longer reads the X-Forwarded-For header by default. This was undocumented behavior, and an unsafe default. If you happened to be relying on this, please enable forwarded (in the Caddyfile, just put forwarded as the first argument before the ranges) to maintain that behavior. Remember that headers are very easy to spoof.

• :warning: The experimental_http3 global option in the Caddyfile has been replaced with global server options, one of which is the experimental_http3 protocol. Docs will be updated shortly. This is still an unstable feature until HTTP/3 is finalized and our upstream QUIC/H3 lib is stable and we've decided to keep HTTP/3 enabled in the core by default.

• :warning: The "issuer" field in TLS automation policies is deprecated and will be removed in the future, please switch to "issuers".

Along with this release, we've taken the opportunity to consolidate our documentation regarding getting/installing Caddy. There is no more /docs/download page, instead it was combined with /docs/install which better organizes the various official and unofficial ways to get Caddy. (To be clear, our download page at /download is still available.) Also, we started using Cloudsmith for our Debian packaging -- they're donating this service to our open source project and their team has been a pleasure to work with.

This release is the work of at least 20 contributors. Thank you!

Changelog

c5197f5 acme_server: fix reload of acme database (#3874) 06ba006 acme_server: switch to bbolt storage (#3868) 7a3d9d8 basicauth: Minor internal improvements (#3861) 937ec34 caddyauth: Prevent user enumeration by timing 4cff36d7 caddyauth: Use buffered channel passed to signal.Notify (#3895) 3d0e0462 caddyauth: Use structured log c6dec30 caddyfile: Add support for env var defaults; add tests (#3682) 635f075 caddyfile: Fix minor bug in formatter 63bda6a0 caddyhttp: Clean up internal auto-HTTPS redirect code b8a799df caddyhttp: Document that remote_ip reads X-Forwarded-For header 4fc5707 caddyhttp: Fix header matcher when using nil 966d5e6 caddyhttp: Merge header matchers in Caddyfile (#3832) b4f49e2 caddyhttp: Merge query matchers in Caddyfile (#3839) 1438e4d caddyhttp: New idle_timeout default of 5m 9157051f caddyhttp: Optimize large host matchers deedf8ab caddyhttp: Optionally use forwarded IP for remote_ip matcher 349457c caddyhttp: Return error if error handling error b0f8fc7 caddytls: Configure trusted CAs from PEM files (#3882) e384f07 caddytls: Improve alt chain preference settings 95af426 caddytls: Support ACME alt cert chain preferences 13781e6 caddytls: Support multiple issuers (#3862) e7a5a385 cmd: add ability to read config from stdin (#3898) eda9a1b fastcgi: Add timeouts support to Caddyfile adapter (#3842) 6e9ac248 fastcgi: Set PATH_INFO to file matcher remainder as fallback (#3739) 7d7434c fileserver: Add debug logging d8bcf5b fileserver: Fix "go up" links in browse listings (closes #3942) 8d038ca fileserver: Improve and clarify file hiding logic (#3844) 0a7721d fileserver: Preserve transformed root (fix #3838) b6e96d6 go.mod: Update CertMagic a7481516 go.mod: Update CertMagic (fix #3911) 1e480b8 go.mod: update quic-go to v0.19.2 (#3880) 5643dc3f go.mod: update quic-go to v0.19.3 (#3901) 31fbcd74 go.mod: Upgrade some dependencies a26f70a headers: Fix Caddyfile parsing with request matcher (#3892) b0d5c2c headers: Support default header values in Caddyfile with '?' (#3807) 7c28ecb httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846) 3cfefeb httpcaddyfile: Configure servers via global options (#3836) 7e719157 httpcaddyfile: Decrement counter when removing conn policy (fix #3906) 03d853e httpcaddyfile: Fix test on Windows b6686a5 httpcaddyfile: Improve AP logic with OnDemand 63afffc httpcaddyfile: Proper log config with catch-all blocks (fix #3878) db4f1c0 httpcaddyfile: Revise automation policy generation (#3824) c898a37f httpcaddyfile: support matching headers that do not exist (#3909) dd26875 logging: Fix for IP filtering ebc278e metrics: allow disabling OpenMetrics negotiation (#3944) 670b723 requestbody: Add Caddyfile support (#3859) 99b8f44 reverse_proxy: Fix random_choose selection policy (#3811) 4a641f6 reverseproxy: Add Caddyfile scheme shorthand for h2c (#3629) b660993 reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829) 53aa60a reverseproxy: Handle "operation was canceled" errors (#3816) 6e0849d reverseproxy: Implement cookie hash selection policy (#3809) 9605853 reverseproxy: Logging for streaming and upgrades (#3689) 132525d reverseproxy: Minor lint fixes 860cc6a reverseproxy: Wire up some http transport options in Caddyfile (#3843) c9fdff9 reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819) 6ea6f3e reverseproxy: fix random hangs on http/2 requests with server push (#3875)