Seven months after its previous 2.8 release, the team behind Caddy, a popular open-source web and reverse proxy server written in Go, has officially unveiled version 2.9, bringing a variety of refinements and bug fixes to deliver a smooth and high-performing web server experience.
We start by saying that Caddy 2.9 refines core functionalities related to config loading, events, matchers, and placeholders. These improvements, by design, reduce friction for system administrators while also maintaining a higher level of stability.
Additionally, performance gains in the reverse proxy and HTTP server components now provide more efficient traffic handling, contributing to a noticeably smoother experience for large-scale deployments.
The updated security and metrics capabilities should pique the interest of operations teams and DevSecOps professionals alike. In particular, new per-host metrics will help users monitor their installations in greater detail, enabling more effective troubleshooting and resource management.
In addition, Caddy’s TLS automation and ACME ARI now benefit from tweaks that ensure safe and reliable certificate provisioning.
According to the devs, the community has also shown considerable enthusiasm for Encrypted Client Hello (ECH) and post-quantum ciphers. These additions are expected to accompany the scheduled release of Go 1.24 in February.
We realize there is extensive interest in Encrypted Client Hello (ECH) and post-quantum ciphers. These are slated to be supported in Go 1.24, which is scheduled for a stable release in approximately February. We did not want to force users to go through the inconvenience of installing pre-release, non-stock installations of Go, even though the RCs are quite stable and production-ready, in order to even compile Caddy, which is quite common given our plugin ecosystem. We anticipate a Caddy 2.10 release in the near future with these capabilities, built on Go 1.24.
Lastly, the “What’s Changed” list is extensive, offering a quick overview of key modifications, including the option to disable storage checks for certmagic, more customizable file permissions in logging, and the introduction of a placeholder for active health check headers in reverse proxies.
Additional updates range from finer control over 0-RTT early data in IP matchers to flexible configuration options for health checks and TLS handshake matches. To review them in detail, refer to the Caddy 2.9’s changelog.
