Per upstream:

>Reverse proxy got a lot of love with certain edge cases related to PROXY
>protocol, health check port, and closing body on retries. Dynamic upstreams
>are now tracked which enables passive health checking.
>Performance improvements for metrics.
>New tls_resolvers global option to control DNS resolvers for all sites when
>using the ACME DNS challenge.
>Log rolling now supports zstd compression; deprecated roll_gzip, which will be
>removed in the future. Use roll_compression instead.
>Refined logging and some error messages.
>Fixed a bug in rewrite handler that could cause some URIs to not be rewritten
>when URI path is an escaped form of target path. Thanks to @MaherAzzouzi for
>the report.
>Security fixes
>This release fixes two CVEs.
>@NucleiAv reported a bug in the forward_auth directive that could permit
>identity injection and potential privilege escalation.
>@sammiee5311 reported that vars_regexp double-expanded placeholders, allowing
>some unusual configs to reveal secrets.

Please find diff attached. OK?
caddy.diff
Description: Binary data
