Skip to content

fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 #210

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 18, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/caddyserver/caddy/v2 v2.9.1 -> v2.10.0 age adoption passing confidence

Release Notes

caddyserver/caddy (github.com/caddyserver/caddy/v2)

v2.10.0

Compare Source

Caddy 2.10 is here! Aside from bug fixes, this release features:

  • Encrypted ClientHello (ECH): This new technology encrypts the last plaintext portion of a TLS connection: the ClientHello, which includes the domain name being connected to. The draft spec for ECH is almost finalized, so we can now support this privacy feature for TLS. This is a powerful but nuanced capability; we highly recommend reading the ECH documentation on our website.
  • Post-quantum (PQC) key exchange: Caddy now supports the standardized x25519mlkem768 cryptographic group by default.
  • ACME profiles: ACME profiles are an experimental draft that allow you to choose properties of your certificates with more flexibility than traditional CSR methods. For example, Let's Encrypt will issue 6-day certificates under a certain profile. Caddy may eventually use that profile by default.
  • Via header: The reverse proxy now sets a Via header instead of a duplicate Server header.
  • Global DNS provider: You can now specify a default "global" DNS module to use instead of having to configure it locally in every part of your config that requires a DNS provider (for example, ACME DNS challenges, and ECH). This is the dns global option in the Caddyfile, or in JSON config, it's the dns parameter in the tls app configuration.
  • Wildcards used by default: Previously, Caddy would obtain individual certificates for every domain in your config literally; now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates. This change was motivated by the novel possibility for subdomain privacy afforded by ECH. It can be overridden with tls force_automate in the Caddyfile. The experimental auto_https prefer_wildcard option has been removed.
  • libdns 1.0 APIs: Many of you use DNS provider modules to solve ACME DNS challenges or to enable dynamic DNS. They implement interfaces defined by libdns to get, set, append, and delete DNS records. After 5 years of production experience, including lessons learned with ECH, libdns APIs have been updated and 1.0 beta has been tagged. DNS provider packages will need to update their code to be compatible, which will help ensure stability and well-defined semantics for the future. Several packages have already updated or are in the process of updating (cloudflare, rfc2136, and desec to name a few).
  • Global dns config: Now that several components of Caddy configuration may affect DNS records (ACME challenges, ECH publication, etc.), there is a new dns global option that can be used to specify your DNS provider config in a single place. This prevents repetition of credentials for servers where all the domains are managed by a single DNS provider.

Thank you to the many contributors who have helped to make this possible! 🎉 🥳 🍾

⚠️ While have traditionally supported the last 2 minor Go versions to accommodate some distribution / package manager policies, we now only support the latest minor Go version. The privacy and security benefits added in new Go versions (such as post-quantum cryptography) are worth making available to everyone as soon as possible, rather than holding back the entire user base or maintaining multiple code compilation configurations.

Encrypted ClientHello (ECH) details

(This is a brief overview. We recommend reading the full documentation.)

Typically, server names (domain names, or "SNI") are sent in the plaintext ClientHello when establishing TLS connections. With ECH, the true server name is encrypted (and wrapped) by an "outer" ClientHello which has a generic SNI of your choosing. With many sites on the same server sharing the same outer SNI, both clients and the server have more privacy related to domain names.

Caddy implements fully automated ECH, meaning that it generates (and soon, rotates), publishes, and serves ECH configurations simply by specifying a DNS provider, and the outer/public domain name to use.

Fully automated ECH requires a DNS module built into your Caddy binary. In order for a client, such as a browser, to know it can use ECH, and what parameters to use, the server's ECH configuration must be published. This config includes the public name, cryptographic parameters, and a public key for encrypting the inner ClientHello. By convention, browsers read the standardized HTTPS-type DNS record containing a ech SvcParamKey. Caddy sets this DNS record for all domains being protected, but it needs that DNS provider module plugged in and configured in order to do this. If you are already using the DNS ACME challenge, you should already have a DNS provider plugged in. If you prefer to build Caddy from source with a DNS module, it's easy with xcaddy, for example: $ xcaddy build --with github.com/caddy-dns/cloudflare

The minimum config needed to enable ClientHello is also the recommended config, as it maximizes privacy benefits in most situations. You just need the ech global option and a DNS provider specified. Here's an example using Cloudflare as the nameserver:

Caddyfile:

{
	debug  # not required; recommended while testing
	dns cloudflare {env.CLOUDFLARE_API_KEY}
	ech ech.example.net
}

example.com {
	respond "Hello there!"
}

This protects all your sites (example.com in this case) behind the public name of ech.example.net. (As another example, Cloudflare uses cloudflare-ech.com for all the sites it serves. We recommend choosing a single public domain and use it to protect all your sites.)

The outer/public name you choose should point to your server. Caddy will obtain a certificate for this name in order to facilitate safe, reliable connections for clients when needed. Without a certificate, clients may be forced to connect insecurely, or fail to connect at all, in some cases, which not only leaves them vulnerable, but also risks exposing the names of your server's sites.

Caddy then uses the specified DNS provider to publish the ECH config(s) for your various site names. It creates (or augments) HTTPS-type records for the domains of your sites (not your ECH public name). Note that DNS provider modules are independently-maintained, and may not have been tested for compatibility with HTTPS-type records. Please contact your module's maintainers if you experience issues.

If you have more advanced configuration needs, you can use the JSON configuration (more details coming soon; for now, see #​6862 or look at the source code; or use caddy adapt to convert a Caddyfile to JSON).

Testing and verifying Encrypted ClientHello

First make sure Caddy runs successfully with ECH enabled (and a DNS module) in the config. You should see logs that it is generating an ECH config and publishing it to your domain name(s).

You will need to use a client that supports ECH. Some custom builds of curl do, and Firefox and modern Chrome-based browsers do as well, but you need to enable DNS-over-HTTPS or DNS-over-TLS first (since, obviously, querying DNS in plaintext for a protected domain name will expose the domain and defeat the purpose of ECH).

If reusing an existing domain name, clear your DNS cache. Firefox has a way of doing this for its cache at about:networking#dns.

Once you have a suitable client, use Wireshark to capture network packets as you load your site. You should see only the outer/public name as SNI (ServerName Indicator) values in the packet capture. If at any time you see the true site name, ECH is not working properly -- it could be a client or server issue. Before filing a bug, please try to pinpoint it as a server issue first. But definitely report server bugs! Thank you!

(Note that ECH is not automatically published for CNAME'd domains, and the domain must already have a record in the zone.)

Commits

Beta 1:
Beta 2:
Beta 3:
  • b3e692e caddyfile: Fix formatting for backquote wrapped braces (#​6903)
  • 55c89cc caddytls: Convert AP subjects to punycode
  • 1f8dab5 caddytls: Don't publish ECH configs if other records don't exist
  • 782a3c7 caddytls: Don't publish HTTPS record for CNAME'd domain (fix #​6922)
  • 49f9af9 caddytls: Fix TrustedCACerts backwards compatibility (#​6889)
  • e276994 caddytls: Initialize permission module earlier (fix #​6901)
  • 39262f8 caddytls: Minor fixes for ECH
  • 1735730 core: add modular network_proxy support (#​6399)
  • 86c620f go.mod: Minor dependency upgrades
  • af2d33a headers: Allow nil HeaderOps (fix #​6893)
  • dccf3d8 requestbody: Add set option to replace request body (#​5795)
  • 2ac09fd requestbody: Fix ContentLength calculation after body replacement (#​6896)
v2.10.0:
  • f297bc0 admin: Remove host checking for UDS (close #​6832)
  • 0b2802f build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#​6960)
  • 5be77d0 caddyauth: Set authentication provider error in placeholder (#​6932)
  • b06a949 caddyhttp: Document side effect of HTTP/3 early data (close #​6936)
  • 35c8c2d caddytls: Add remote_ip to HTTP cert manager (close #​6952)
  • fb22a26 caddytls: Allow missing ECH meta file
  • 1bfa111 caddytls: Prefer managed wildcard certs over individual subdomain certs (#​6959)
  • ea77a9a caddytls: Temporarily treat "" and "@​" as equivalent for DNS publication
  • 5a6b2f8 events: Refactor; move Event into core, so core can emit events (#​6930)
  • 137711a go.mod: Upgrade acmez and certmagic
  • 9becf61 go.mod: Upgrade to libdns 1.0 beta APIs (requires upgraded DNS providers)
  • 6c38ae7 reverseproxy: Add valid Upstream to DialInfo in active health checks (#​6949)

What's Changed

New Contributors

Full Changelog: caddyserver/caddy@v2.9.1...v2.10.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Apr 18, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: module github.com/caddyserver/caddy/[email protected] requires go >= 1.24; switching to go1.24.6
go: downloading go1.24.6 (linux/amd64)
go: download go1.24.6: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off

@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch 2 times, most recently from ec8903f to 8f6ee33 Compare May 1, 2025 08:59
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed May 20, 2025
@renovate renovate bot closed this May 20, 2025
@renovate renovate bot deleted the renovate/github.com-caddyserver-caddy-v2-2.x branch May 20, 2025 07:59
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 May 20, 2025
@renovate renovate bot reopened this May 20, 2025
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from eba4672 to 8f6ee33 Compare May 20, 2025 11:31
@M4tteoP M4tteoP mentioned this pull request May 21, 2025
Closed
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from 8f6ee33 to b59c173 Compare May 21, 2025 19:57
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed Jun 20, 2025
@renovate renovate bot closed this Jun 20, 2025
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 Jun 20, 2025
@renovate renovate bot reopened this Jun 20, 2025
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch 3 times, most recently from 25d8d2a to 1c8329e Compare June 23, 2025 15:23
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from 1c8329e to 56a8b8e Compare July 7, 2025 16:53
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from 56a8b8e to 0cf22db Compare July 7, 2025 16:54
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed Jul 8, 2025
@renovate renovate bot closed this Jul 8, 2025
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 Jul 8, 2025
@renovate renovate bot reopened this Jul 8, 2025
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from d1224d7 to 0cf22db Compare July 8, 2025 17:31
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed Jul 21, 2025
@renovate renovate bot closed this Jul 21, 2025
@renovate renovate bot changed the title fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 - autoclosed fix(deps): update module github.com/caddyserver/caddy/v2 to v2.10.0 Jul 21, 2025
@renovate renovate bot reopened this Jul 21, 2025
@renovate renovate bot force-pushed the renovate/github.com-caddyserver-caddy-v2-2.x branch from a7cf762 to 0cf22db Compare July 21, 2025 13:41
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants