KingDownloads

caddy version history

10 releases tracked, newest first.

v2.11.4

Jun 3, 2026
This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for. The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem! Security-related patches: - caddyhttp: Normalize Windows backslashes in path matcher (thanks @Vincent550102) - rewrite: Prevent placeholder re-expansion in injected query (thanks @WhiskerEnt) - templates: Improved `stripHTML` action to more reliably remove malformed HTML (thanks to @jmrcsnchz) - caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @Vincent550102 for the report and @dunglas for the patch) :warning: These security patches m

18 downloads

v2.11.3

May 12, 2026
This release improves several aspects of Caddy with minor features, bug fixes, and security patches. Thank you to everyone and their bots who contributed to help make this release the best one yet! **Security patches:** - fastcgi: Carrying over a patch from FrankenPHP for a bug that could allow non-PHP files to be executed; collaborated on by @dunglas, @KC1zs4, and @chenjj. - vars: A more thorough fix for https://github.com/advisories/GHSA-m2w3-8f23-hxxf, collaborated by @everping and @vnxme. - admin: Array index normalization to prevent remote admin socket auth bypass, by @Amemoyoi and bot. - admin: More rigorous path prefix matching to prevent remote admin socket auth bypass, by @Amemoyoi and bot. We've also merged a couple PRs that fix upstream security bugs in other projects like quic-go and CertMagic. Thank you to @marten-seemann for maintaining quic-go so diligently! ## What's Changed * caddyhttp: Sync placeholder expansion in `vars` and `vars_regexp` by @vnxme in https://github.com/caddyserver/caddy/pull/7573 * caddytls: Avoid ACME fallback for implicit Tailscale *.ts.net policies by @steadytao in https://github.com/caddyserver/caddy/pull/7577 * chore: Reso

18 downloads

v2.11.2

Mar 6, 2026
Caddy 2.11.2 contains numerous bug fixes and enhancements! I know that's a lame summary but it's really all over the place. ## Highlights - Reverse proxy got a lot of love with certain edge cases related to PROXY protocol, health check port, and closing body on retries. Dynamic upstreams are now tracked which enables passive health checking. - Performance improvements for metrics. - New `tls_resolvers` global option to control DNS resolvers for all sites when using the ACME DNS challenge. - Log rolling now supports `zstd` compression; deprecated `roll_gzip`, which will be removed in the future. Use `roll_compression` instead. - Refined logging and some error messages. - Fixed a bug in rewrite handler that could cause some URIs to not be rewritten when URI path is an escaped form of target path. Thanks to @MaherAzzouzi for the report. ## Security fixes This release fixes two CVEs. - @NucleiAv reported a bug in the `forward_auth` directive that could permit identity injection and potential privilege escalation. - @sammiee5311 reported that `vars_regexp` double-expanded placeholders, allowing some unusual configs to reveal secrets. In addition: - Built on Go

18 downloads

v2.11.1

Feb 23, 2026
Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements. There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1. ## Special Sponsor Shoutout Extra big thanks to our major sponsors: - [ZeroSSL](https://zerossl.com) - [Stripe](https://stripe.com) - [Railway](https://railway.com/?utm_medium=sponsor&utm_source=oss&utm_campaign=caddy) They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all! ## Notable changes - Encrypted ClientHello (ECH) keys are rotated automatically. - Time-rolling options for logs. - `SIGUSR1` can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API. - Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454) - `log_append` can now log request and response bodies, useful for debugging. - Our project

18 downloads

v2.11.0-beta.2

Pre-releaseJan 6, 2026
Welcome to the second beta version of 2.11. We are closer to a final release. This includes some minor new features and enhancements, and a fix for the ZeroSSL API issuer. Thank you to everyone who contributed! ## Changelog * 8a87bb3ffb8706bbfcaada1d52008a8eb07ad790 build(deps): bump github.com/smallstep/certificates (#7381) * 7b031e1eb5bc0bae9a8394d93f20399932ebd4d3 build(deps): bump the all-updates group across 1 directory with 12 updates (#7421) * be5f49fbeb046fb123583e5887ddf576a312a8e4 caddyhttp: Fix logging on wildcard sites when SkipUnmappedHosts is true (#7372) * 6e0cbd0fa0d3022b41fc2c17b80f15402e685643 caddyhttp: create a placeholder for and log ech status (#7328) * 4037d0576094c5f9f570825601615b62cb8d85b1 caddyhttp: {http.request.body_base64} placeholder (#7367) * 7ebe72bbfe342688a325325ea79e46970d017eb7 caddypki: Add support for multiple intermediates in signing chain (#7057) * 3c9c67e804eb3db9a3ac6532ddd2434246058cd5 caddytls: ECH key rotation (#7356) * 374b7a637f2b6f8d0f2723ad2e7908a41023e8d5 caddytls: fix preferred chains options by appending values instead of replacing (#7387) * 6a4296b1a45d81f52bf8ab01d0bcaa4423fee3ff caddytls: panic when using tls.ca

21 downloads

v2.11.0-beta.1

Pre-releaseDec 4, 2025
Welcome to the beta version of 2.11. This is the first release made by our [new, automated release process](https://github.com/caddyserver/caddy/pull/7383) developed by @Mohammed90 that was carried out and approved entirely by our maintainer team (together with @francislavoie) without intervention from @mholt, the original Caddy author. This represents a significant step forward in [project autonomy and growth](https://caddy.community/t/next-steps-for-the-caddy-project-maintainership/33076), ensuring that the project's stability and longevity is not reliant upon a single person. This first beta release was primarily to test our new workflow, so there's still a couple things left to do before the stable release. Featured here are numerous, mostly minor, bug fixes and enhancements, mostly affecting edge cases or niche corners of the software; for example, proxying H2C or HTTP/3, obscure Caddyfile scenarios, and named socket activation. Some notable changes: - SIGUSR1 can be used to reload configuration only if it was loaded from a file using the CLI, and not changed by the API since then. - We replaced "lumberjack", our logging library, with a fork "timberjack" that supp

21 downloads

v2.10.2

Aug 23, 2025
This is a hotfix release to fix a couple critical issues from v2.10.1 ## What's Changed * http: Make logger first, before TLS provisioning by @francislavoie in https://github.com/caddyserver/caddy/pull/7198 * httpcaddyfile: Fix `acme_dns` regression by @francislavoie in https://github.com/caddyserver/caddy/pull/7199 * caddyfile: Fix importing nested tokens for `{block}` by @BeeJay28 in https://github.com/caddyserver/caddy/pull/7189 ## Changelog * 551f793700fe1550845c824470b623fd1aa03d36 caddyfile: Fix importing nested tokens for `{block}` (#7189) * 16fe83c7afe2152b0bb53ae35078a28f87e6dcf2 http: Make logger first, before TLS provisioning (#7198) * 4564261d8350f8010b7e001e646e260e9bba5746 httpcaddyfile: Fix `acme_dns` regression (#7199) ## New Contributors * @BeeJay28 made their first contribution in https://github.com/caddyserver/caddy/pull/7189 **Full Changelog**: https://github.com/caddyserver/caddy/compare/v2.10.1...v2.10.2

21 downloads

v2.10.1

Aug 22, 2025
This is probably our biggest patch release ever -- not that lots of things were broken, but there's lots of refinement happening thanks to broader adoption and contributions from many more people. Just look at the New Contributors below! Anyway, this release does contain some bug fixes and dependency upgrades which we hope will serve you well. Let us know if there's any issues! And thank you to all who contributed, especially our reliable maintainer team! This version of Caddy requires [Go v1.25.0 or newer](https://golang.org/dl/). ## What's Changed * update quic-go to v0.51.0 by @marten-seemann in https://github.com/caddyserver/caddy/pull/6972 * forwardproxy: reference correct field name in LoadModule by @mohammed90 in https://github.com/caddyserver/caddy/pull/6978 * fix: Remove `nil` arg from `zapslog.NewHandler` call by @IndraGunawan in https://github.com/caddyserver/caddy/pull/6984 * fileserver: Add support for .avif image format by @steffenbusch in https://github.com/caddyserver/caddy/pull/6988 * reverseproxy: use DialTLSContext for TLS if servername has placeholder by @WeidiDeng in https://github.com/caddyserver/caddy/pull/6955 * admin: Make sure that any admin

21 downloads

v2.10.0

Apr 18, 2025
Caddy 2.10 is here! Aside from bug fixes, this release features: - **Encrypted ClientHello (ECH):** This new technology encrypts the last plaintext portion of a TLS connection: the ClientHello, which includes the domain name being connected to. The [draft spec](https://www.ietf.org/archive/id/draft-ietf-tls-esni-24.html) for ECH is almost finalized, so we can now support this privacy feature for TLS. This is a powerful but nuanced capability; we highly recommend reading [the ECH documentation](https://caddyserver.com/docs/automatic-https#encrypted-clienthello-ech) on our website. - **Post-quantum (PQC) key exchange:** Caddy now supports the standardized `x25519mlkem768` cryptographic group by default. - **ACME profiles:** ACME profiles are an experimental draft that allow you to choose properties of your certificates with more flexibility than traditional CSR methods. For example, [Let's Encrypt will issue 6-day certificates](https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/) under a certain profile. Caddy may eventually use that profile by default. - **Via header:** The reverse proxy now sets a Via header instead of a duplicate Server header. - **Global DNS provider:**

21 downloads

v2.10.0-beta.4

Pre-releaseMar 25, 2025
This prerelease is outdated. Please see the latest release for notes. Thanks!

21 downloads