Over three months after its previous 2.9 release, the team behind Caddy, a popular open-source web and reverse proxy server written in Go, has officially unveiled version 2.10, with a bundle of security‑oriented capabilities.
The main highlight: Caddy now offers fully automated support for Encrypted ClientHello (ECH). ECH encrypts the real server name (SNI) inside an outer, generic ClientHello, so passive observers who rely on SNI sniffing see only the public outer name rather than the host actually being requested.
In practice, administrators need only set a public “outer” domain and point Caddy at a compatible DNS provider; the server then generates, publishes, and, when necessary, rotates ECH configuration records behind the scenes. For organizations worried about name-based traffic analysis or multi-tenant privacy, that’s a pretty big deal.
In parallel, the server now defaults to the X25519MLKEM768 hybrid group. This pairing of classic elliptic‑curve Diffie–Hellman with ML‑KEM‑768—the new NIST FIPS 203 algorithm—gives every fresh session forward secrecy against both classical and quantum adversaries while ensuring compatibility with today’s clients.
Caddy 2.10 also debuts an experimental ACME “profile” mechanism, allowing administrators to request certificates with non‑standard lifetimes (e.g., Let’s Encrypt’s six‑day test certificates) or other bespoke properties. At the same time, wildcard certificates now take precedence over individual host certs by default.
Operational refinements complement the headline cryptography. The reverse proxy inserts a Via header instead of duplicating Server, reducing ambiguity for downstream diagnostics. Administrators may define a single global DNS provider to eliminate credential repetition across ACME challenges and ECH publication.
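To make the two configuration points above concrete (an outer ECH name plus a single global DNS provider), here is an added Caddyfile sketch; it is not taken from the Caddy project or the changelog. It assumes the `dns` and `ech` global options as documented for the 2.10 Caddyfile, that a Cloudflare DNS provider module is compiled into the binary, and that the domain names, the upstream addresses and the environment variable are constructed placeholders; check the exact option syntax against the Caddy documentation for your build.

```caddyfile
{
	# Constructed example: names, addresses and the token variable are placeholders.
	# One global DNS provider, reused for ACME DNS challenges and for publishing
	# the ECH configuration; assumes the cloudflare plugin is built in.
	dns cloudflare {env.CLOUDFLARE_API_TOKEN}

	# The public "outer" name that appears in cleartext on the wire.
	# Caddy generates the ECH keys and publishes the config in the DNS
	# HTTPS records of the real hosts below using the provider above.
	ech ech.example.com
}

tenant-a.example.com {
	reverse_proxy 10.0.1.10:8080
}

tenant-b.example.com {
	reverse_proxy 10.0.1.11:8080
}
```

After starting Caddy, a useful check is to query the HTTPS record for one of the tenant names (for example with `dig HTTPS tenant-a.example.com`) and confirm it carries an `ech=` parameter; until that record is visible to clients, browsers will fall back to a plaintext SNI even though the server is ready.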
Lastly, the Caddy project has revised its policy to track only the most recent minor release of Go. The maintainers argue that new Go versions increasingly embed security features—post‑quantum primitives among them—and broad adoption outweighs the cost of maintaining multiple code paths.
For more information, see the changelog.