Caddy 2.11.1 Web Server Released With Automatic ECH Key Rotation

The open-source web server and reverse proxy Caddy has introduced version 2.11.1, marking the first public release in the 2.11 branch. Due to an issue in the release automation process, a standalone 2.11 build was skipped, making 2.11.1 the first stable version available — and it already includes the full feature set intended for the series.

This release focuses heavily on security and reliability improvements. Several vulnerabilities were resolved, including a FastCGI path-handling flaw related to SCRIPT_NAME and PATH_INFO, routing matcher bypass scenarios, and TLS client-authentication failures caused by missing or invalid CA files. Cross-origin administrative API calls made in no-cors mode are now correctly restricted as well.

Beyond security, the update introduces practical enhancements. Encrypted ClientHello (ECH) keys can now rotate automatically, simplifying maintenance for secure deployments. Logging capabilities have also expanded, offering time-based log rotation and optional recording of request and response bodies for troubleshooting.

Operational flexibility improves too: configurations loaded from files can now be reloaded using the SIGUSR1 signal, and reverse proxy handling automatically adjusts the Host header when forwarding to HTTPS backends.

Additional updates include refreshed QUIC libraries, better HTTP/3 stability, expanded tracing tools, improved placeholder handling, new trusted proxy options for Unix sockets, and various documentation and bug-fix updates. The project has also introduced a policy for disclosing contributions that involve AI or language models.

For full technical details, refer to the official changelog.