Software Update: Caddy 2.5.1

Caddy is an open source http/2 web server available for Android, BSD, Linux, macOS, Solaris, and Windows. It turns on https by default and uses the integration with Let’s Encrypt if own certificates are not available. The own feature stack is already quite complete, but can be further expanded via modules† For example, it is possible to enable experimental support of http/3 via these modules. The development team released version 2.5.1 a few days ago with the following changes:

Version 2.5.1

This is a minor patch release that fixes some bugs and also enhances reverse_proxy with capabilities that weren’t ready in time for v2.5.0.

Highlights

• Fixed regression in Unix socket admin endpoints.
• Fixed regression in caddy trust commands.
• Hash-based load balancing policies (ip_hash, uri_hash, header, and cookie) use an improved highest-random-weight (HRW) algorithm for increased consistency. The new rendezvous hash will ensure a client or request is consistently mapped to a particular upstream even if the list of upstreams changes.
• The reverse proxy is now able to rewrite the method and URI on its internal copy of the request that goes to the upstream. Combined with new handle_response capabilities, this enables the reverse proxy to fire off “pre-check requests” (for lack of a better term) to make routing decisions based on the results of that call. This enables a commonly-emerging pattern called forward authentication wherein a backend is queried to assess a client’s authorization to be proxied. The full, verbose config for this is very flexible but tedious, so we made a new wrapper directive called forward_auth that eliminates the boilerplate (very similar to the php_fastcgi directive). This works with authentication providers like Authelia, and more.

What’s Changed

• caddypki: Fix caddy trust command to use the correct API endpoint
• reverse proxy: Improve hashing LB policies with HRW
• Add missing backticks
• caddyhttp: Improve listen addr error message for IPv6
• cmd: Fix unix socket addresses for admin API requests
• logging: Use RedirectStdLog
• logging: Implement rename filter, changes field key names
• httpcaddyfile: Fix duplicate access log when debug is on
• reverseproxy: Fix Caddyfile support for replace_status
• templates: Add custom template function registration
• reverseproxy: Permit resolver addresses to not specify a port
• caddyfile: Shortcut for remote_ip for private IP ranges
• reverse proxy: Support performing pre-check requests
• map: Prevent output destinations overlap with Caddyfile shorthands