Caddy, a widely used open-source web and reverse proxy server, has just released version 2.11.1 as the first official release in the 2.11 series. According to the developers, an external issue with release automation prevented a separate v2.11 release, so v2.11.1 is the first publicly available stable version and includes the same features that v2.11 would have had. Here are the most important changes.
This update addresses several vulnerabilities across core modules. Fixes include a FastCGI transport path handling issue affecting SCRIPT_NAME and PATH_INFO, multiple matcher bypass conditions in HTTP routing, and a TLS client authentication failure when CA files are missing or malformed.
Additionally, cross-origin administrative API requests in no-cors mode are now properly blocked. The update also brings various improvements and quality-of-life enhancements.
One of the main new features is that Encrypted ClientHello keys now rotate automatically, reducing operational overhead for ECH deployments. Logging has been enhanced with time-rolling options and support for logging request and response bodies for debugging.
Moreover, the server now supports signal-based configuration reloads using SIGUSR1, provided the configuration was loaded from a file and has not been modified through the admin API. Reverse proxy behavior has been improved to automatically rewrite the Host header to the upstream address when the backend uses HTTPS.
The release also contains many other changes, including updated QUIC dependencies, improved placeholder support, new trusted proxy options for Unix sockets, better handling of HTTP/3 connections, expanded tracing features, and various bug fixes and documentation updates.
Last but not least, the project adopted Assistance Disclosures for contributions involving AI and LLMs.
For more information, see the changelog.
