Update module github.com/caddyserver/caddy/v2 to v2.11.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/caddyserver/caddy/v2	v2.10.2 → v2.11.2

---

Release Notes

caddyserver/caddy (github.com/caddyserver/caddy/v2)

v2.11.2

Compare Source

Caddy 2.11.2 contains numerous bug fixes and enhancements! I know that's a lame summary but it's really all over the place.

Highlights

• Reverse proxy got a lot of love with certain edge cases related to PROXY protocol, health check port, and closing body on retries. Dynamic upstreams are now tracked which enables passive health checking.
• Performance improvements for metrics.
• New tls_resolvers global option to control DNS resolvers for all sites when using the ACME DNS challenge.
• Log rolling now supports zstd compression; deprecated roll_gzip, which will be removed in the future. Use roll_compression instead.
• Refined logging and some error messages.
• Fixed a bug in rewrite handler that could cause some URIs to not be rewritten when URI path is an escaped form of target path. Thanks to @​MaherAzzouzi for the report.

Security fixes

This release fixes two CVEs.

• @​NucleiAv reported a bug in the forward_auth directive that could permit identity injection and potential privilege escalation.
• @​sammiee5311 reported that vars_regexp double-expanded placeholders, allowing some unusual configs to reveal secrets.

In addition:

• Built on Go 1.26.1 (also released today) which patches several CVEs.
• Our documentation has been updated to note that file system case sensitivity may affect the behavior of the hide option of the file_server handler.

Thank you to everyone who contributed, and for our ongoing sponsorships that make this development possible!

Changelog

• 88616e8 api: Add all in-flight requests /reverse_proxy/upstreams (Fixes #​7277) (#​7517)
• d935a69 autohttps: Ensure CertMagic config is recreated after autohttps runs (#​7510)
• 5d20adc build(deps): bump github.com/smallstep/certificates (#​7535)
• 9371ee6 build(deps): bump the actions-deps group across 1 directory with 12 updates (#​7536)
• 9798f69 caddyhttp: Avoid nil pointer dereference in proxyWrapper (#​7521)
• dc36082 caddyhttp: Collect metrics once per route instead of per handler (#​7492)
• 174fa2d caddyhttp: Evaluate tls.client placeholders more accurately (fix #​7530) (#​7534)
• eac02ee caddyhttp: Limit empty Host check to HTTP/1.1
• f283062 cmd: Custom binary names through CustomBinaryName and CustomLongDescription (#​7513)
• cd9e166 cmd: Pass configFile, not configFlag, for reload command (#​7532)
• 7b34e31 core: Check whether @​id is unique (#​7002)
• 566e710 fileserver: document hide case-sensitivity (F-CADDY-FILESERVER-HIDE-CASE-001) (#​7548)
• 2dd3852 fix(caddyfile): Prevent parser to panic when no token were added by empty {block} (#​7543)
• 2dbcdef forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) (#​7545)
• ce203aa go.mod: Upgrade x/net
• 76b198f http: Sort auto-HTTPS redirect routes by host specificity (fixes #​7390) (#​7502)
• 7ffb640 httpcaddyfile: Fix missing TLS connection policies when auto_https is default (#​7325) (#​7507)
• 45cf61b logging: Ensure slog error level logs don't print stack traces (#​7512)
• 9873752 logging: Support zstd roll compression (#​7515)
• 294dfff logging: add DirMode options and propagate FileMode to rotations (#​7335)
• a6acb39 proxyproto: Generated test coverage (#​7540)
• 11b56c6 reverseproxy: Fix health_port being ignored in health checks (#​7533)
• db29860 reverseproxy: Track dynamic upstreams, enable passive healthchecking (#​7539)
• d7b21c6 reverseproxy: fix tls dialing w/ proxy protocol (#​7508)
• a5e7c6e reverseproxy: prevent body close on dial-error retries (#​7547)
• 2ab043b reverseproxy: query escape request urls when proxy protocol is enabled (#​7537)
• fbfb8fc rewrite: Force recomputing path when escaped path matches rewrite target
• f145bce tls: Add tls_resolvers global option for DNS challenge configuration (#​7297)

v2.11.1

Compare Source

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

• ZeroSSL
• Stripe
• Railway

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

• Encrypted ClientHello (ECH) keys are rotated automatically.
• Time-rolling options for logs.
• SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
• Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#​7454)
• log_append can now log request and response bodies, useful for debugging.
• Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
• Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches

• fastcgi: CVE-2026-27590 by @​dunglas and @​AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
• admin: CVE-2026-27589 by @​1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
• caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
• caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
• caddytls: CVE-2026-27586 by @​moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
• caddyhttp: CVE-2026-27585 by @​parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

🚨 Notice for Caddy plugin maintainers: Dependabot will probably alert you to the security fixes in Caddy and urge you to upgrade it in your go.mod file. Please ONLY upgrade the Caddy dependency if there's a change to an exported API your plugin uses. (Then, turn Dependabot off.)

What's Changed

• caddyhttp: add replacer placeholders for escaped values by @​Qusic in #​7181
• AI assistance disclosure by @​mholt in #​7212
• caddyfile: Prevent trailing space on line before env variable - Fixes #​6881 by @​arpansaha13 in #​7215
• add: encode header Content-Type graphql-response by @​aro-lew in #​7214
• caddyhttp: Removing redundant middleware next copy by @​maxcelant in #​7217
• build(deps): bump the all-updates group with 17 updates by @​dependabot[bot] in #​7236
• build(deps): bump the actions-deps group with 5 updates by @​dependabot[bot] in #​7237
• encode: fix response corruption when handle_errors is used by @​Siomachkin in #​7235
• Fix PKI creation when auto_https is disabled (#​7211) by @​Siomachkin in #​7238
• logging: Buffer the logs before config is loaded by @​francislavoie in #​7245
• fileserver: set Content-Length for precompressed files by @​WeidiDeng in #​7251
• refactor: use WaitGroup.Go to simplify code by @​mickychang9 in #​7253
• caddyfile: Allow block to do nothing if nothing passed to import by @​BeeJay28 in #​7206
• logging: Adjustments to BufferedLog to keep logs in the correct order by @​francislavoie in #​7257
• caddyhttp: Prevent commas in header values from being split in CLI commands by @​gilbsgilbs in #​7268
• update quic-go to v0.54.1 by @​marten-seemann in #​7273
• chore: ugh, lint fix... by @​mohammed90 in #​7275
• caddypki: check intermediate lifetime to actual root cert lifetime by @​u5surf in #​7272
• refactor: omit unnecessary reassignment by @​asttool in #​7276
• core: use reflect.TypeFor to check for encoding/json.RawMessage by @​WeidiDeng in #​7274
• core: Reloading with SIGUSR1 if config never changed via admin by @​francislavoie in #​7258
• build(deps): bump the actions-deps group with 8 updates by @​dependabot[bot] in #​7284
• httpcaddyfile: Add missing DNS challenge check for acme_dns by @​rightaditya in #​7270
• httpcaddyfile: Map default_bind to BindHost in globalACMEDefaults by @​Monviech in #​7278
• Argon2id Support for Basic Auth by @​GreyXor in #​7186
• update quic-go to v0.55.0 by @​marten-seemann in #​7288
• reverse_proxy: use http1 for outbound tls requests with placeholder t… by @​WeidiDeng in #​7296
• caddyhttp: Add server options keepalive_idle and keepalive_count by @​joshuamcbeth in #​7298
• chore: fix some comments by @​wyrapeseed in #​7303
• logging: Switch from lumberjack to timberjack, add time-rolling options by @​aeris in #​7244
• reverseproxy: Use http1.1 upgrade for websocket for extended connect of http2 and http3. by @​tonyb486 in #​7305
• caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers by @​cseufert in #​7265
• caddyhttp: wrap accepted connection to suppress tls.ConnectionState by @​WeidiDeng in #​7247
• logging: fix multiple regexp filters on same field (fixes #​7049) by @​s2010 in #​7061
• intercept: use already buffered response if possible when intercepting by @​WeidiDeng in #​7028
• listeners: Add support for named socket activation by @​Siomachkin in #​7243
• reverseproxy: do not disable keepalive if proxy protocol is used by @​WeidiDeng in #​7300
• metrics: resolve per-host inifinite cardinality by @​mohammed90 in #​7306
• reverseproxy: use http.Protocols to handle h2c requests by @​WeidiDeng in #​6990
• refactor: use reflect.TypeFor by @​wyrapeseed in #​7313
• build(deps): bump the all-updates group across 1 directory with 2 updates by @​dependabot[bot] in #​7307
• build(deps): bump github.com/slackhq/nebula from 1.9.5 to 1.9.7 by @​dependabot[bot] in #​7315
• feat: switch to autoexport for OpenTelemetry span exporter by @​PKeidel in #​7317
• reverse_proxy: set default values for keepalive if only some of them are set by @​WeidiDeng in #​7318
• fix quote within quotes formatted incorrectly by fmt by @​keystroke3 in #​7045
• caddytls: correct documentation of LeafFolderLoader by @​mohammed90 in #​7327
• fix golangci-lint error G602 in caddyhttp by @​cdenicola in #​7334
• feat: allow customizing the Server header by @​dunglas in #​7338
• update quic-go to v0.56.0, enable qlog for HTTP/3 by @​marten-seemann in #​7345
• build(deps): bump the all-updates group with 4 updates by @​dependabot[bot] in #​7333
• feat: custom slog handlers for modules (log contextual data) by @​dunglas in #​7346
• ci: implement new release flow by @​mohammed90 in #​7341
• reverse_proxy: use interfaces to modify the behaviors of the transports by @​WeidiDeng in #​7353
• build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @​dependabot[bot] in #​7355
• update quic-go to v0.57.0 by @​marten-seemann in #​7359
• refactor: replace HasSuffix+TrimSuffix with CutSuffix by @​ledigang in #​7357
• Fix retries for requests with bodies by @​chebyrash in #​7360
• build(deps): bump the all-updates group with 3 updates by @​dependabot[bot] in #​7376
• ci: escape backticks in changelogs embedded in JS by @​mohammed90 in #​7382
• build(deps): bump github.com/smallstep/certificates from 0.28.4 to 0.29.0 by @​dependabot[bot] in #​7381
• caddypki: Add support for multiple intermediates in signing chain by @​hslatman in #​7057
• caddyhttp: Fix logging on wildcard sites when SkipUnmappedHosts is true by @​francislavoie in #​7372
• multiplexing: Introduce packet conn wrappers by @​vnxme in #​7180
• docs: add maybe template function documentation by @​steffenbusch in #​7388
• caddyhttp: create a placeholder for and log ech status by @​WeidiDeng in #​7328
• caddytls: fix preferred chains options by appending values instead of replacing by @​okrc in #​7387
• feat: mark Assert* functions as test helpers by @​dunglas in #​7380
• caddytls: ECH key rotation by @​mholt in #​7356
• caddytls: panic when using tls.ca_pool.source.http -> tls.ca by @​Zenexer in #​7393
• notify: implement windows service status and error notifications by @​FreyreCorona in #​7389
• caddyhttp: {http.request.body_base64} placeholder by @​francislavoie in #​7367
• chore: update tscert package to latest (aea342f) by @​willnorris in #​7397
• logging: log_append Early option, Supports {http.response.body} by @​francislavoie in #​7368
• update quic-go to v0.58.0 by @​marten-seemann in #​7404
• cmd: add --json flag to list-modules by @​pauloappbr in #​7409
• Add span attributes to tracing module by @​felix-hilden in #​7269
• readme: fix fence by @​mohammed90 in #​7416
• build(deps): bump the all-updates group across 1 directory with 12 updates by @​dependabot[bot] in #​7421
• reverseproxy: make error chan bigger when reverse proxying websocket by @​WeidiDeng in #​7419
• headers: Make ApplyTo nil-safe by @​tpaulus in #​7426
• chore: Dumb prealloc lint fix by @​francislavoie in #​7430
• update quic-go to v0.59.0 by @​marten-seemann in #​7431
• reverseproxy: Avoid returning error if remote address is not an IP by @​pauloappbr in #​7429
• caddyfile: Fix indentation of multiline strings in fmt (#​7425) by @​pauloappbr in #​7433
• core: Embed time/tzdata by @​francislavoie in #​7432
• caddyfile: add observe_catchall_hosts option by @​mohammed90 in #​7434
• core: Show JSON error offsets where possible by @​francislavoie in #​7437
• autohttps: deterministic logic and strict bind checking on Linux by @​pauloappbr in #​7435
• reverseproxy: Set Host to {upstream_hostport} automatically if TLS by @​francislavoie in #​7454
• reverseproxy: fix X-Forwarded-* headers for Unix socket requests by @​XYenon in #​7463
• chore: use math/rand/v2 instead of math/rand by @​WeidiDeng in #​7413
• chore: bump Go to v1.26 by @​francislavoie in #​7466
• acmeserver: warn when policy rules unset by @​1seal in #​7469
• caddytls: Return errors instead of nil in client auth provisioning by @​moscowchill in #​7464
• fix(deps): update nebula v1.10.3 to resolve cve by @​omercnet in #​7471
• caddyfile: Add renewal_window_ratio global option by @​mehrdadbn9 in #​7473
• httpcaddyfile: Override global dns with acme_dns (fix #​7294) by @​rightaditya in #​7458
• pki: add per-CA configurable maintenance_interval and renewal_window_ratio by @​Amirhf1 in #​7479
• chore: Bump zerossl dependency to 0.1.5 by @​francislavoie in #​7489
• chore: Remove obsolete comment in ech.go by @​francislavoie in #​7487
• caddyhttp: Option to disable 0-RTT by @​francislavoie in #​7485
• dep: upgrade cel-go by @​mohammed90 in #​7478
• build(deps): bump the all-updates group across 1 directory with 12 updates by @​dependabot[bot] in #​7490
• refactor: use strings.Builder to improve performance by @​zjumathcode in #​7364
• chore: fix some comments to improve readability by @​wangjingcun in #​7395
• caddytls: Enable debug logging for DNSManager by @​francislavoie in #​7491
• caddytest: make TestReverseProxyHealthCheck deterministic with poll instead of sleep by @​Amirhf1 in #​7474
• admin: Fix tests locally, properly isolate storage by @​francislavoie in #​7486
• chore: Add nolints to work around haywire linters by @​mholt in #​7493
• build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 by @​dependabot[bot] in #​7497
• chore: Disable windows/arm build target (Go 1.26 disabled) by @​francislavoie in #​7503

New Contributors

• @​Qusic made their first contribution in #​7181
• @​arpansaha13 made their first contribution in #​7215
• @​aro-lew made their first contribution in #​7214
• @​maxcelant made their first contribution in #​7217
• @​Siomachkin made their first contribution in #​7235
• @​mickychang9 made their first contribution in #​7253
• @​asttool made their first contribution in #​7276
• @​rightaditya made their first contribution in #​7270
• @​Monviech made their first contribution in #​7278
• @​wyrapeseed made their first contribution in #​7303
• @​aeris made their first contribution in #​7244
• @​tonyb486 made their first contribution in #​7305
• @​cseufert made their first contribution in #​7265
• @​s2010 made their first contribution in #​7061
• @​PKeidel made their first contribution in #​7317
• @​cdenicola made their first contribution in #​7334
• @​ledigang made their first contribution in #​7357
• @​chebyrash made their first contribution in #​7360
• @​okrc made their first contribution in #​7387
• @​Zenexer made their first contribution in #​7393
• @​FreyreCorona made their first contribution in #​7389
• @​pauloappbr made their first contribution in #​7409
• @​felix-hilden made their first contribution in #​7269
• @​tpaulus made their first contribution in #​7426
• @​1seal made their first contribution in #​7469
• @​moscowchill made their first contribution in #​7464
• @​omercnet made their first contribution in #​7471
• @​mehrdadbn9 made their first contribution in #​7473
• @​Amirhf1 made their first contribution in #​7479
• @​zjumathcode made their first contribution in #​7364
• @​wangjingcun made their first contribution in #​7395

Full Changelog: caddyserver/caddy@v2.10.2...v2.11.1

v2.11.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 58 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25 -> 1.25.0
cel.dev/expr	v0.24.0 -> v0.25.1
cloud.google.com/go/auth	v0.16.2 -> v0.18.1
cloud.google.com/go/compute/metadata	v0.7.0 -> v0.9.0
dario.cat/mergo	v1.0.1 -> v1.0.2
filippo.io/edwards25519	v1.1.0 -> v1.2.0
github.com/KimMachineGun/automemlimit	v0.7.4 -> v0.7.5
github.com/Masterminds/semver/v3	v3.3.0 -> v3.4.0
github.com/antlr4-go/antlr/v4	v4.13.0 -> v4.13.1
github.com/caddyserver/certmagic	v0.24.0 -> v0.25.2
github.com/caddyserver/zerossl	v0.1.3 -> v0.1.5
github.com/cloudflare/circl	v1.6.1 -> v1.6.3
github.com/coreos/go-oidc/v3	v3.14.1 -> v3.17.0
github.com/go-jose/go-jose/v4	v4.0.5 -> v4.1.3
github.com/golang/glog	v1.2.4 -> v1.2.5
github.com/google/cel-go	v0.26.0 -> v0.27.0
github.com/googleapis/enterprise-certificate-proxy	v0.3.6 -> v0.3.11
github.com/googleapis/gax-go/v2	v2.14.2 -> v2.17.0
github.com/klauspost/compress	v1.18.0 -> v1.18.4
github.com/libdns/libdns	v1.1.0 -> v1.1.1
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/mholt/acmez/v3	v3.1.2 -> v3.1.6
github.com/miekg/dns	v1.1.63 -> v1.1.72
github.com/prometheus/client_golang	v1.23.0 -> v1.23.2
github.com/prometheus/common	v0.65.0 -> v0.67.5
github.com/prometheus/procfs	v0.16.1 -> v0.19.2
github.com/quic-go/qpack	v0.5.1 -> v0.6.0
github.com/quic-go/quic-go	v0.54.0 -> v0.59.0
github.com/slackhq/nebula	v1.9.5 -> v1.10.3
github.com/smallstep/certificates	v0.28.4 -> v0.30.0-rc3
github.com/smallstep/cli-utils	v0.12.1 -> v0.12.2
github.com/smallstep/linkedca	v0.23.0 -> v0.25.0
github.com/smallstep/scep	v0.0.0-20240926084937-8cf1ca453101 -> v0.0.0-20250318231241-a25cabb69492
github.com/spf13/cobra	v1.9.1 -> v1.10.2
github.com/spf13/pflag	v1.0.7 -> v1.0.10
github.com/tailscale/tscert	v0.0.0-20240608151842-d3f834017e53 -> v0.0.0-20251216020129-aea342f6d747
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.61.0 -> v0.65.0
go.opentelemetry.io/otel	v1.37.0 -> v1.40.0
go.opentelemetry.io/otel/metric	v1.37.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.37.0 -> v1.40.0
go.step.sm/crypto	v0.67.0 -> v0.76.2
go.uber.org/mock	v0.5.2 -> v0.6.0
go.uber.org/zap	v1.27.0 -> v1.27.1
golang.org/x/crypto	v0.40.0 -> v0.48.0
golang.org/x/crypto/x509roots/fallback	v0.0.0-20250305170421-49bf5b80c810 -> v0.0.0-20260213171211-a408498e5541
golang.org/x/exp	v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20251023183803-a4bb9ffd2546
golang.org/x/mod	v0.25.0 -> v0.33.0
golang.org/x/net	v0.42.0 -> v0.51.0
golang.org/x/oauth2	v0.30.0 -> v0.35.0
golang.org/x/sync	v0.16.0 -> v0.19.0
golang.org/x/sys	v0.34.0 -> v0.41.0
golang.org/x/term	v0.33.0 -> v0.40.0
golang.org/x/text	v0.27.0 -> v0.34.0
golang.org/x/time	v0.12.0 -> v0.14.0
golang.org/x/tools	v0.34.0 -> v0.42.0
google.golang.org/api	v0.240.0 -> v0.266.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250603155806-513f23925822 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/protobuf	v1.36.6 -> v1.36.11