From 272ea1e767d808d66121d131e34fc1c109471736 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 15 Mar 2026 10:33:48 -0700 Subject: [PATCH] =?UTF-8?q?Upgrade=20Caddy=20v2.10.2=20=E2=86=92=20v2.11.2?= =?UTF-8?q?,=20fix=20forge=20mirrors=20(#294)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes across v2.11.1 and v2.11.2) - Create `mirrors/caddy-l4` forge mirror for Layer 4 plugin - Migrate all `~/code/3rd` clones on indri from `localhost:3001` to HTTPS `forge.ops.eblu.me/mirrors/` remotes - Remove stale clones (`apple-silicon-detector`, `whisper.cpp`) - Update caddy docs and service-versions tracking ## CVEs Fixed - CVE-2026-27585 through CVE-2026-27590 (path/host bypass, TLS fail-open, FastCGI issues) - Forward auth identity injection (privilege escalation) - `vars_regexp` placeholder secret exposure - Built on Go 1.26.1 (patches Go-level CVEs) ## What was done on indri (not in repo) - `xcaddy build` with Gandi DNS + Layer 4 plugins → `~/code/3rd/caddy/bin/caddy` now v2.11.2 - Remotes updated: caddy, forgejo-runner, zot → `https://forge.ops.eblu.me/mirrors/*.git` - Deleted: `~/code/3rd/apple-silicon-detector`, `~/code/3rd/whisper.cpp` ## Deployment and Testing - [x] Ansible dry-run passed (`--tags caddy --check --diff`) - [ ] Restart caddy LaunchAgent to pick up the new binary - [ ] Verify all proxied services respond via `*.ops.eblu.me` - [ ] Run `mise run services-check` Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/294 --- ansible/roles/caddy/defaults/main.yml | 2 +- .../feature-caddy-upgrade-v2.11.2.infra.md | 1 + docs/reference/services/caddy.md | 14 ++++++++++---- service-versions.yaml | 6 +++--- 4 files changed, 15 insertions(+), 8 deletions(-) create mode 100644 docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md diff --git a/ansible/roles/caddy/defaults/main.yml b/ansible/roles/caddy/defaults/main.yml index 931e2a0..a9576a1 100644 
--- a/ansible/roles/caddy/defaults/main.yml +++ b/ansible/roles/caddy/defaults/main.yml @@ -1,6 +1,6 @@ --- # Caddy reverse proxy configuration -# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin +# Caddy is built from ~/code/3rd/caddy with Gandi DNS and Layer 4 plugins caddy_repo_dir: /Users/erichblume/code/3rd/caddy caddy_binary: "{{ caddy_repo_dir }}/bin/caddy" diff --git a/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md new file mode 100644 index 0000000..f0f213f --- /dev/null +++ b/docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md @@ -0,0 +1 @@ +Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes), create caddy-l4 forge mirror, migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes. diff --git a/docs/reference/services/caddy.md b/docs/reference/services/caddy.md index c6e5e4f..8896a86 100644 --- a/docs/reference/services/caddy.md +++ b/docs/reference/services/caddy.md @@ -1,6 +1,6 @@ --- title: Caddy -modified: 2026-02-12 +modified: 2026-03-15 tags: - service - networking @@ -87,14 +87,20 @@ Caddy has no authentication layer — it is a plain reverse proxy. Access contro ## Custom Build -Caddy is built from source with the Gandi DNS plugin: +Caddy is built from source using `xcaddy` with two plugins: + +- `github.com/caddy-dns/gandi` — ACME DNS-01 challenges via Gandi API +- `github.com/mholt/caddy-l4` — Layer 4 (TCP/UDP) proxying ```bash -# Build location +# Source and build location (mirrored on forge) ~/code/3rd/caddy/bin/caddy + +# Build via mise task in the caddy clone +cd ~/code/3rd/caddy && mise run build ``` -The build includes the `github.com/caddy-dns/gandi` plugin for ACME DNS-01 challenges. +Forge mirrors: `mirrors/caddy`, `mirrors/caddy-gandi`, `mirrors/xcaddy`, `mirrors/caddy-l4`. ## Related diff --git a/service-versions.yaml b/service-versions.yaml index 7d03295..85705cc 100644 --- a/service-versions.yaml +++ b/service-versions.yaml 
@@ -276,10 +276,10 @@ services: - name: caddy type: ansible - last-reviewed: null - current-version: null + last-reviewed: 2026-03-15 + current-version: "v2.11.2" upstream-source: https://github.com/caddyserver/caddy/releases - notes: Built from source with Gandi DNS plugin + notes: Built from source with Gandi DNS and Layer 4 plugins - name: borgmatic type: ansible
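Review bot: the `ansible/roles/caddy/defaults/main.yml` hunk only updates a comment; nothing in the role pins or checks which Caddy the host is actually running. `caddy_binary` resolves to whatever `~/code/3rd/caddy/bin/caddy` was last produced by the out-of-band `xcaddy build`, so the role cannot distinguish v2.10.2 from v2.11.2 and an `ansible --check` pass says nothing about whether the CVE fixes are present. Consider adding a default such as `caddy_expected_version: "v2.11.2"` and a task that runs `{{ caddy_binary }} version` and fails on mismatch, so the upgrade is asserted on indri rather than assumed. Minor: the comment now says `~/code/3rd/caddy` while `caddy_repo_dir` stays hardcoded to `/Users/erichblume/code/3rd/caddy`; use `{{ ansible_user_dir }}` or keep the two in agreement.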
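Review bot: the changelog fragment `docs/changelog.d/feature-caddy-upgrade-v2.11.2.infra.md` says "7 CVE fixes" without naming them, and the count does not line up with the PR description, which enumerates CVE-2026-27585 through CVE-2026-27590 (six IDs) plus the forward-auth identity injection and `vars_regexp` exposure. List the actual CVE IDs in the fragment so the changelog is searchable by identifier, and reconcile the count with the list.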
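Review bot: in the `docs/reference/services/caddy.md` hunk, the `bash` block mixes a bare path (`~/code/3rd/caddy/bin/caddy`) with a real command (`cd ~/code/3rd/caddy && mise run build`); anyone pasting the block executes the proxy binary. Move the location line into prose or prefix it with `#`. The `mise run build` task also lives in the `~/code/3rd/caddy` clone rather than this repository, so say which mirror or file defines it (or move the `xcaddy` invocation and plugin list into the role), otherwise the build is not reproducible from what is checked in here. It would also help to record the built version next to the plugin list, since the page is the reference for the service.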
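Review bot: `current-version: "v2.11.2"` and `last-reviewed: 2026-03-15` in `service-versions.yaml` record the upgrade as done, but the PR's "Deployment and Testing" checklist still has "Restart caddy LaunchAgent to pick up the new binary" unchecked. Until that restart the running process is v2.10.2 and none of the listed CVE fixes are in effect, so the tracker overstates the host's state. Either land this line after the restart and a `caddy version` check against the live process, or note in `notes:` that the version reflects the built binary rather than the running one.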