Age | Commit message | Author |
|
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
Custom certificate selection policies allow advanced control over which
cert is selected when multiple qualify to satisfy a TLS handshake.
|
|
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
TLS session ticket keys are sensitive, so they should be rotated on a
regular basis. Only Caddy does this by default. However, a cluster of
servers that rotate keys without synchronization will lose the benefits
of having sessions in the first place if the client is routed to a
different backend. This module coordinates STEK rotation in a fleet so
the same keys are used, and rotated, across the whole cluster. No other
server does this, but Twitter wrote about how they hacked together a
solution a few years ago:
https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html
|
|
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
The PEM loader allows you to embed PEM files (certificates and keys)
directly into your config, rather than requiring them to be stored on
potentially insecure storage, which adds attack vectors. This is useful
in automated settings where sensitive key material is stored only in
memory.
Note that if the config is persisted to disk, that added benefit may go
away, but there will still be the benefit of having lesser dependence on
external files.
|
|
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
The local circuit breaker is a simple metrics counter that can cause
the reverse proxy to consider a backend unhealthy before it actually
goes offline, by measuring recent latencies over a sliding window.
Credit to Danny Navarro
|
|
This migrates a feature that was previously reserved for enterprise
users, according to https://github.com/caddyserver/caddy/issues/2786.
The cache HTTP handler will be a high-performing, distributed cache
layer for HTTP requests. Right now, the implementation is a very basic
proof-of-concept, and further development is required.
|
|
See https://caddy.community/t/http-proxy-and-non-get-retries/6304
|
|
See https://caddy.community/t/health-check-user-agent/6309
|
|
Making them pointers makes for cleaner JSON when adapting configs; if
the struct is empty now it will be omitted entirely.
The x/time/rate package was updated to support changing the burst, so
we've incorporated that here and removed a TODO.
|
|
This enables use of ACME CAs that issue shorter-lived certs
|
|
Closes #2702
|
|
Adds header_up and header_down subdirectives to reverse_proxy
|
|
See https://caddy.community/t/v2-issues-with-multiple-server-blocks-in-caddyfile-style-config/6206/13?u=matt
Also print pid when using `caddy start`
|
|
* fastcgi: Implement / redirect for index.php with php_fastcgi directive
See #2752 and https://caddy.community/t/v2-redirect-path-to-path-index-php-with-assets/6196?u=matt
* caddyhttp: MatchNegate implements json.Marshaler
* fastcgi: Add /index.php element to try_files matcher
* fastcgi: Make /index.php redirect permanent
|
|
Also a few bug fixes
|
|
This will probably be useful so the proxy can rewrite header values.
|
|
for small responses.
See https://caddy.community/t/v2-permanent-redirect-prompt/6190?u=matt
|
|
CertMagic uses the same defaults for us
|
|
We're done testing this in staging
|
|
Before this change, only response headers could be manipulated with the
Caddyfile's 'header' directive.
Also handle the request Host header specially, since the Go standard
library treats it separately from the other header fields...
|
|
This is unless each route's matcher is dynamically executed after
previous handlers...
|
|
* Begin WIP integration of HTTP/3 support
* http3: Set actual Handler, make fakeClosePacketConn type for UDP sockets
Also use latest quic-go for ALPN fix
* Manually keep track of and close HTTP/3 listeners
* Update quic-go after working through some http3 bugs
* Fix go mod
* Make http3 optional for now
|
|
v2: Refactor reverse proxy and add FastCGI support
|
|