Releases: caddyserver/caddy
0.8
Caddy 0.8 is the most progressive update we've ever released. We hope you'll enjoy this new version!
New Features
Automatic HTTPS via Let's Encrypt
All live sites are served over HTTPS automatically for free. Caddy works with any ACME-capable certificate authority but uses Let's Encrypt by default. A Caddyfile like this, for example:

```
mysite.com
root /www/mysite.com
gzip
```

will serve your site over HTTPS and redirect HTTP to HTTPS. Caddy will not automatically enable HTTPS for addresses that look like localhost or have `tls off` in their configuration.
Caddy stores the generated keys and certificates in the ~/.caddy folder on your system. If these assets are already available on the file system from a previous run, Caddy will use those when it starts.
With managed TLS, Caddy staples OCSP information and also keeps certificates renewed for you. This will cause Caddy to restart on occasion, so be aware of that if using a process manager.
The first time automatic HTTPS is triggered, Caddy will prompt for an email address and/or agreement to CA terms. This only happens once, and the email address is optional (but recommended for account recovery purposes). You can bypass the prompt by using the `-email` and `-agree` flags.
Known Issues
- Specifying an address like `http://example.com` disables automatic HTTPS (because of the explicit HTTP scheme) but `http://example.com:8080` does not (because the explicit port overwrites the scheme) even though it should.
- Gracefully reloading Caddy with a new host in the Caddyfile that qualifies for automatic HTTPS and needs a certificate fails (because the ports needed to issue the cert are already in use) but it should use existing listeners like renewals do.
- If even one certificate fails to be obtained, none of the certificates are saved to disk. This is most notable with LE rate limiting. If a certificate fails, it should save what certificates it obtained to disk.
These will be addressed in a patch release coming soon, unless another more serious bug is discovered.
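To make the qualification rules above concrete (no automatic HTTPS for localhost-like hosts, for `tls off`, or for an explicit `http://` scheme) and the first known issue about the explicit port, here is an added example that is not Caddy's own code: it parses a site label and decides whether it should get managed HTTPS, keeping the scheme even when a port is present, which is the behaviour the known issue says 0.8 should have. The exact heuristic for "looks like localhost" (the name `localhost`, a `*.localhost` name, or a loopback IP) is an assumption.

```go
package main

import (
	"net"
	"strings"
)

// SiteAddress is a parsed Caddyfile site label such as "mysite.com",
// "http://example.com" or "example.com:8080".
type SiteAddress struct {
	Scheme string // "http", "https", or "" when no scheme was written
	Host   string
	Port   string // "" when no port was written
}

// ParseAddress splits a label into scheme, host and port. An explicit port
// does not erase an explicit scheme, so "http://example.com:8080" keeps
// Scheme == "http", which is what the Known Issues say 0.8 should do.
func ParseAddress(label string) SiteAddress {
	var a SiteAddress
	rest := label
	if i := strings.Index(rest, "://"); i >= 0 {
		a.Scheme, rest = strings.ToLower(rest[:i]), rest[i+3:]
	}
	if host, port, err := net.SplitHostPort(rest); err == nil {
		a.Host, a.Port = host, port
	} else {
		a.Host = rest // no port written
	}
	return a
}

// isLocalhostLike is an assumed heuristic for "looks like localhost":
// the name localhost, a *.localhost name, or a loopback IP address.
func isLocalhostLike(host string) bool {
	h := strings.ToLower(host)
	if h == "localhost" || strings.HasSuffix(h, ".localhost") {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && ip.IsLoopback()
}

// AutoHTTPSQualifies applies the 0.8 rules: no managed HTTPS for an empty or
// localhost-like host, for a site with "tls off", or for an explicit http://
// scheme (with or without a port).
func AutoHTTPSQualifies(a SiteAddress, tlsOff bool) bool {
	return a.Host != "" && !tlsOff && a.Scheme != "http" && !isLocalhostLike(a.Host)
}
```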
Graceful Reload
On POSIX-compliant systems, SIGUSR1 will cause Caddy to gracefully reload the Caddyfile (with zero downtime). This restarts the process, spinning up a new process with a new process ID. Make sure to use the `-pidfile` flag if you're using Caddy with a process manager that needs to keep track of the pid. Caddy will reload on its own if managing SSL certificates. There are also other new signals and flags you can use.
Caddy as a Library
You can now use Caddy as a library in your own Go programs.

```go
package main

import (
	"log"

	"github.com/mholt/caddy/caddy"
)

func main() {
	// Start and Restart take a caddy.Input; CaddyfileInput is the package's
	// convenience type that implements it for in-memory Caddyfile contents.
	caddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2015\nroot /www/mysite.com\n")}
	newCaddyfile := caddy.CaddyfileInput{Contents: []byte("localhost:2016\nroot /www/mysite.com\n")}

	// You can start...
	err := caddy.Start(caddyfile)
	if err != nil {
		log.Fatal(err)
	}

	// restart...
	err = caddy.Restart(newCaddyfile)
	if err != nil {
		log.Fatal(err)
	}

	// and stop Caddy services...
	err = caddy.Stop()
	if err != nil {
		log.Fatal(err)
	}

	// or just wait for them to close.
	caddy.Wait()
}
```
See the godoc for more information.
Full Change List
- HTTPS by default via Let's Encrypt (certs & keys are fully managed)
- Graceful restarts (on POSIX-compliant systems)
- Major internal refactoring to allow use of Caddy as library
- New directive 'mime' to customize Content-Type based on file extension
- New -accept flag to accept Let's Encrypt SA without prompt
- New -email flag to customize default email used for ACME transactions
- New -ca flag to customize ACME CA server URL
- New -revoke flag to revoke a certificate
- New -log flag to enable process log
- New -pidfile flag to enable writing pidfile
- New -grace flag to customize the graceful shutdown timeout
- New support for SIGHUP, SIGTERM, and SIGQUIT signals
- browse: Render filenames with multiple whitespace properly
- core: Use environment variables in Caddyfile
- markdown: Include Last-Modified header in response
- markdown: Render tables, strikethrough, and fenced code blocks
- proxy: Ability to exclude/ignore paths from proxying
- startup, shutdown: Better Windows support
- templates: Bug fix for .Host when port is absent
- templates: Include Last-Modified header in response
- templates: Support for custom delimiters
- tls: For non-local hosts, default port is now 443 unless specified
- tls: Force-disable HTTPS
- tls: Specify Let's Encrypt email address
- Many, many more tests and numerous bug fixes and improvements
Credits and More Information
Many thanks to the dozens of contributors and testers who made this possible!
Please see the announcement blog post for the rest of the story. For more instructions about how to use this new Caddy version, see the docs.
0.7.6
This release contains bug fixes, security patches via new Go versions, and a few new features:
- Pass in simple Caddyfile as command line arguments
- basicauth: Support for legacy htpasswd files
- browse: JSON response with file listing
- core: Caddyfile as command line argument
- errors: Can write full stack trace to HTTP response for debugging
- errors, log: Roll log files after certain size or age
- proxy: Fix for 32-bit architectures
- rewrite: Better compatibility with fastcgi and PHP apps
- templates: Added .StripExt and .StripHTML methods
- Internal improvements and minor bug fixes
Along with this release we're pleased to welcome three new, very useful add-ons to the Caddy middleware family: jsonp, search, and hugo.
Please see the announcement blog post for more information about the changes and new add-ons.
Given that we've been sprinting ahead with a lot of new features and functionality lately, we'll be focusing a lot on polish, bug fixes, tests, the deployment process, etc., to lay a more solid foundation going forward.
0.7.5
Several significant refinements are introduced in 0.7.5, as well as fixes for bugs that were exposed from changes made in 0.7.4.
- core: All listeners bind to 0.0.0.0 unless 'bind' directive is used
- fastcgi: Set HTTPS env variable if connection is secure
- log: Output to system log (except Windows)
- markdown: Added dev command to disable caching during development
- markdown: Fixed error reporting during initial site generation
- markdown: Fixed crash if path does not exist when server starts
- markdown: Fixed site generation and link indexing when files change
- templates: Added .NowDate for use in date-related functions
- Several bug fixes related to startup and shutdown functions
Most notably, startup and shutdown functions now only execute once even if the server block is defined for more than one host. So where the following Caddyfile used to echo "Hello world" twice, it now echoes only once:

```
host1, host2 {
    startup "echo Hello world"
}
```
The fix in fastcgi should be good for any WordPress sites (or other PHP sites) served over HTTPS. Lots of effort went into improving Markdown features to make it easier to build sites with Markdown using only Caddy.
In earlier versions, every listener would bind to the IP address resolved by the hostname from the Caddyfile. This is no longer the case. Now, every listener always binds to the empty/wildcard host (0.0.0.0). This was done by request, but if it causes problems, please report them.
Finally, non-Windows users may output to the system log with the `log` and `errors` directives by specifying `syslog` as the log filename.
From here on out to version 1.0, most changes will be bug fixes, refinements, and enhancements to existing features with a focus on stability and usability.
We hope you enjoy this release, and thank you to all contributors who made it possible!
0.7.4
This release brings lots of improvements to markdown, browse, and redir directives, but some of the changes are breaking in some situations.
Breaking changes:
- If you used catch-all redirects (`redir http://other-domain.com`), it used to preserve the request URI. To give you more flexibility, this is no longer the case. Please use {uri} (`redir http://other-domain.com{uri}`) to preserve the request URI.
- Markdown is quite a bit different. The structure of front matter was flattened, so instead of creating `[variables]` and indenting variables, all variables are defined without indentation. Also, markdown template actions are different. All values related to the Markdown document, including front matter variables, are in {{.Doc}}, so {{.Doc.body}} shows the rendered content instead of {{.markdown}}, and the title is now {{.Doc.title}} instead of {{.title}}.
- The template action .Date was renamed to .Now.
Full change list:
- browse: Sorting preference persisted in cookie
- browse: Added index.txt and default.txt to list of default files
- browse: Template files may now use Caddy template actions
- markdown: Template files may now use Caddy template actions
- markdown: Several bug fixes, especially for large and empty Markdown files
- markdown: Generate index pages to link to markdown pages (sitegen only)
- markdown: Flatten structure of front matter, changed template variables
- redir: Can use variables (placeholders) like log formats can
- redir: Catch-all redirects no longer preserve path; use {uri} instead
- redir: Syntax supports redirect tables by opening a block
- templates: Renamed .Date to .Now and added .Truncate, .Replace actions
- Other minor internal improvements and more tests
In addition, the build process was improved so that Linux and BSD downloads are in the .tar.gz file format. Windows and Mac downloads are still .zip.
The Caddy website also gets a blog with this release. We hope you like it, and we welcome guest contributions!
Note: This release introduced several bugs which are fixed in 0.7.5; it's highly recommended to use the newer version instead.
0.7.3
This patch release fixes bugs introduced in recent versions and refines some working features. Full change list:
- errors: Error log now shows timestamp with each entry
- gzip: Fixed; Default filtering is by extension; removed MIME type filter
- import: Fixed; works inside and outside server blocks
- redir: Query string preserved on catch-all redirects
- templates: Proper 403 or 404 errors for restricted or missing files
Also, the build server was updated so that it produces only purely static binaries. This may break Caddy in subtle ways on some platforms, but in our testing we were not able to see any problems. Please let us know if you think the static compilation has broken Caddy in your environment.
0.7.2
Version 0.7.2 is mostly small changes and fixes, with one breaking change - the git directive was removed. (It is still available as an add-on; keep reading.)
This version also pilots the new Caddy build server which is used to generate custom builds of Caddy for you on-the-fly via the download page or from your automated environments. With it, Caddy becomes a platform on which web services can be produced and consumed. Caddy can continue to grow its feature set without the burden of a growing code base or binary size. If you experience trouble with the build server, please let us know; it needs lots more development in the long term.
The git directive is now available as an add-on feature, which you can select from the Caddy website. Here is the full change list:
- Custom builds through caddyserver.com - extend Caddy by writing addons
- browse: Sort by clicking column heading or using query string
- core: Serving hostname that doesn't resolve issues warning then listens on 0.0.0.0
- errors: Missing error page during parse time is warning, not error
- ext: Extension only appended if request path does not end in /
- fastcgi: Fix for backend responding without status text
- fastcgi: Fix PATH_TRANSLATED when PATH_INFO is empty (RFC 3875)
- git: Removed from core (available as add-on)
- gzip: Enable by file path and/or extension
- gzip: Customize compression level
- log: Fix for missing status in log entry when error unhandled
- proxy: Strip prefix from path for proxy to path
- redir: Meta tag redirects
- templates: Support for nested includes
- Internal improvements and more tests
This version also sports faster SSL on 64-bit architecture thanks to Cloudflare's crypto enhancements. AES and ECDSA should see speedups of over ~20x. The RSA speed is roughly doubled as well. These changes are not directly related to Caddy, since it depends on compiling with their fork of Go.
Note: There's a bug in this release that breaks gzip. The next patch release fixes this.
0.7.1
This patch release fixes a timing vulnerability in the basicauth middleware, so any users who rely on it should upgrade. Version 0.7.1 also introduces upgrades to the tls and proxy directives. Full change list:
- basicauth: Patched timing vulnerability
- proxy: Support for WebSocket backends
- tls: Client authentication
We would like to thank Jonathan Hanks for reporting the vulnerability in basicauth.
0.7.0
The main improvements in this release involve HTTPS, Markdown, and usability. Websites running Caddy 0.7.0 will score an 'A' grade at Qualys SSL Labs, assuming the certificate chain is good. Static websites can be generated from Markdown files. Caddy will warn you if a non-localhost domain resolves to loopback or if your `ulimit -n` (file descriptor limit) is too low for a production (public-facing) site.
Full change list:
- New directive 'internal' to protect resources with X-Accel-Redirect
- New -version flag to show program name and version
- core: Fixed escaped backslash characters inside quoted strings
- core: Fixed parsing Caddyfile for IPv6 addresses missing ports
- core: A notice is shown when non-local address resolves to loopback interface
- core: Warns if file descriptor limit is too low for production site (Mac/Linux)
- fastcgi: Support for Unix sockets
- git: Fixed issue that prevented pulling at designated interval
- header: Remove a header field by prefixing field name with "-"
- markdown: Simple static site generation
- markdown: Support for metadata ("front matter") at beginning of files
- rewrite: Experimental support for regular expressions
- tls: Customize cipher suites and protocols
- tls: Removed RC4 ciphers
- Other internal improvements that are not user-facing (more tests, etc.)
Good work team! 👍 Lots of exciting things are still on the way.
0.6.0
It's been a busy week! Thanks to many contributions and tight feedback loops, Caddy has made significant progress in the last seven days. Notable new features are `git push` to deploy your site; multiple-backend proxying with load balancing, health checks, and failovers; and quite a few bug fixes and improvements. Full change list:
- New git directive to automatically pull changes
- New bind directive to override host server binds to
- New -root flag to specify root path to default site
- Ability to receive config data piped through stdin
- core: Warning if root directory doesn't exist at startup
- core: Entire process dies if any server fails to start
- gzip: Fixed Content-Length value when proxying requests
- errors: Error log now includes file and line number of panics
- fastcgi: Pass custom environment variables
- fastcgi: Support for HEAD, OPTIONS, PUT, PATCH, and DELETE methods
- fastcgi: Fixed SERVER_SOFTWARE variables
- markdown: Support for index files when URL points to a directory
- proxy: Load balancing with multiple backends, health checks, failovers, and multiple policies
- proxy: Add custom headers
- startup/shutdown: Run command in background with '&' at end
- templates: Added .tpl and .tmpl as default extensions
- templates: Support for index files when URL points to a directory
- templates: Changed .RemoteAddr to .IP and stripped out remote port
- tls: TLS disabled (with warning) for servers that are explicitly http://
- websocket: Fixed SERVER_SOFTWARE and GATEWAY_INTERFACE variables
- Many internal improvements
0.5.1
This point release has several significant improvements. Changes are:
- Default host is now 0.0.0.0 (wildcard)
- New -host and -port flags to override default host and port
- core: Support for binding to 0.0.0.0
- core: Graceful error handling during heavy load; proper error responses
- errors: Fixed file path handling
- errors: Fixed panic due to nil Log file
- fastcgi: Support for index files
- fastcgi: Fix for handling errors that come from responder
Your feedback and contributions have been invaluable - keep 'em coming!