Caddy 0.11.5 Released with TLS 1.3 Support

matt · March 4, 2019, 8:27pm

Caddy 0.11.5 is now available! Although this is technically a minor release, it is now built on Go 1.12 and enables TLS 1.3 by default for all TLS clients which are worthy of it. I believe Caddy is the first web server to enable TLS 1.3 by default, and still the first (and only?) web server to use HTTPS automatically and by default.

As you might expect, this forum and the Caddy website are now delivered over TLS 1.3 (if your browser supports it).

Download a custom build
GitHub release (includes change log and static binaries)

Thanks to all the contributors who made this possible.

Enjoy!

recklessnl · March 5, 2019, 4:30am

What’s the easiest way to upgrade to the newest version of Caddy if you have it already installed on a standard Debian server? Just run apt-get update & apt-get upgrade or is there more to it?

Whitestrake · March 5, 2019, 5:36am

The absolute easiest way is probably to run curl https://getcaddy.com | bash -s personal (or equivalent; browse to the site first and read the script for more details).

The Caddy developers don’t maintain any distro-specific packages, so when a new version is cut, we can’t really say how long the package maintainers might take to push the update for those distros that do opt to package Caddy.

matt · March 5, 2019, 5:58am

Even if we did maintain official distro repos, we can’t necessarily control how fast the distros will ship the updates. I think some distros are still shipping Go versions that are about 2-4 years old!

(That is the main reason we haven’t decided to ship official repos yet – and actually there is one other: plugins. Because most package managers suck, and can’t simply do a GET request to download the Caddy binary with chosen plugins. Sigh.)

recklessnl · March 5, 2019, 8:23am

Makes sense. I just did the bash command and redid the caddy command and everything works fine. Pretty easy indeed.

Is there a command to check what version of Caddy you’re using or is this something you have to manually check in the future?

eva2000 · March 5, 2019, 8:28am

just do

caddy -version

example

caddy -version
Caddy 0.11.5 (+fda7350 Tue Mar 05 06:04:26 UTC 2019) (unofficial)
1 file changed, 46 insertions(+), 1 deletion(-)
caddy/caddymain/run.go

to list compiled plugins

caddy -plugins
Server types:
  http

Caddyfile loaders:
  short
  flag
  default

Other plugins:
  http.authz
  http.awses
  http.awslambda
  http.basicauth
  http.bind
  http.browse
  http.cache
  http.cgi
  http.cors
  http.datadog
  http.errors
  http.expires
  http.expvar
  http.ext
  http.fastcgi
  http.filter
  http.forwardproxy
  http.geoip
  http.git
  http.gopkg
  http.grpc
  http.gzip
  http.header
  http.index
  http.internal
  http.ipfilter
  http.jwt
  http.limits
  http.locale
  http.log
  http.login
  http.mailout
  http.markdown
  http.mime
  http.minify
  http.nobots
  http.pprof
  http.prometheus
  http.proxy
  http.proxyprotocol
  http.push
  http.ratelimit
  http.realip
  http.reauth
  http.redir
  http.request_id
  http.restic
  http.rewrite
  http.root
  http.s3browser
  http.secrets
  http.status
  http.templates
  http.timeouts
  http.upload
  http.webdav
  http.websocket
  on
  tls
  tls.cluster.file
  tls.dns.azure
  tls.dns.cloudflare
  tls.dns.digitalocean
  tls.dns.dnsmadeeasy
  tls.dns.dyn
  tls.dns.godaddy
  tls.dns.googlecloud
  tls.dns.linode
  tls.dns.namecheap
  tls.dns.ns1
  tls.dns.ovh
  tls.dns.powerdns
  tls.dns.rackspace
  tls.dns.route53
  tls.dns.vultr

recklessnl · March 5, 2019, 8:31am

Very helpful, thanks!

eva2000 · March 5, 2019, 11:58am

TLS 1.3 seems to be working nicely

2 CPU Core - Intel Xeon Silver 4114 Skylake cpu KVM VPS
4GB ram
60GB NVMe SSD
CentOS 7.6 64bit

custom built binary

caddy -version
Caddy 0.11.5 (+fda7350 Tue Mar 05 06:04:26 UTC 2019) (unofficial)
1 file changed, 46 insertions(+), 1 deletion(-)
caddy/caddymain/run.go

h2load HTTP/2 HTTPS benchmark tool tests

h2load --version
h2load nghttp2/1.37.0-DEV

results

users=200
requests=25000
h2load -t1 -H 'Accept-Encoding: gzip' -c${users} -n${requests} https://test.com:444
starting benchmark...
spawning thread #0: 200 total client(s). 25000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_128_GCM_SHA256
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 12.83s, 1949.13 req/s, 3.96MB/s
requests: 25000 total, 25000 started, 25000 done, 25000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 25000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 50.81MB (53276786) total, 406.04KB (415786) headers (space savings 94.70%), 49.97MB (52400000) data
                     min         max         mean         sd        +/- sd
time for request:      995us    593.22ms     97.70ms     47.46ms    75.41%
time for connect:    47.90ms    652.23ms    322.09ms    164.51ms    60.00%
time to 1st byte:   401.57ms    810.19ms    659.48ms     84.67ms    64.00%
req/s           :       9.75       10.85        9.98        0.21    79.50%

test header

curl -Isk https://test.com:444/
HTTP/2 200
accept-ranges: bytes
content-type: text/html; charset=utf-8
etag: "pnvigx520"
last-modified: Tue, 05 Mar 2019 03:17:21 GMT
server: Caddy
x-content-type-options: nosniff
x-powered-by: Caddy via CentminMod
x-xss-protection: 1; mode=block
content-length: 6552
date: Tue, 05 Mar 2019 10:23:33 GMT