Upgrade Caddy v2.10.2 → v2.11.2, fix forge mirrors (#294)

## Summary
- Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes across v2.11.1 and v2.11.2)
- Create `mirrors/caddy-l4` forge mirror for Layer 4 plugin
- Migrate all `~/code/3rd` clones on indri from `localhost:3001` to HTTPS `forge.ops.eblu.me/mirrors/` remotes
- Remove stale clones (`apple-silicon-detector`, `whisper.cpp`)
- Update caddy docs and service-versions tracking

## CVEs Fixed
- CVE-2026-27585 through CVE-2026-27590 (path/host bypass, TLS fail-open, FastCGI issues)
- Forward auth identity injection (privilege escalation)
- `vars_regexp` placeholder secret exposure
- Built on Go 1.26.1 (patches Go-level CVEs)

## What was done on indri (not in repo)
- `xcaddy build` with Gandi DNS + Layer 4 plugins → `~/code/3rd/caddy/bin/caddy` now v2.11.2
- Remotes updated: caddy, forgejo-runner, zot → `https://forge.ops.eblu.me/mirrors/*.git`
- Deleted: `~/code/3rd/apple-silicon-detector`, `~/code/3rd/whisper.cpp`

## Deployment and Testing
- [x] Ansible dry-run passed (`--tags caddy --check --diff`)
- [ ] Restart caddy LaunchAgent to pick up the new binary
- [ ] Verify all proxied services respond via `*.ops.eblu.me`
- [ ] Run `mise run services-check`

Reviewed-on: #294
Erich Blume 2026-03-15 10:33:48 -07:00
commit 272ea1e767
4 changed files with 15 additions and 8 deletions
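The deployment checklist in the commit message restarts the Caddy LaunchAgent and then verifies the proxied services, but the only evidence that the new binary is the right one is the manual `xcaddy build`. As an added example (not part of the commit or the ops repo), the script below is the pre-restart check a practitioner would run on indri: confirm that `~/code/3rd/caddy/bin/caddy` reports v2.11.2, confirm that the Gandi DNS and Layer 4 plugins are actually registered in that binary, and optionally probe the `*.ops.eblu.me` hosts. The binary path and expected version come from the commit message; the `check_version`, `check_modules` and `hosts_up` names, the module IDs `dns.providers.gandi` and `layer4` (the IDs those two plugins register with Caddy) and the constructed sample outputs are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the commit or the ops repo.
# Post-build checks for a hand-built Caddy binary before the LaunchAgent restart.
# Assumptions: binary path and version from the commit message; module IDs are the
# ones caddy-dns/gandi and mholt/caddy-l4 register; function names are this example's.
set -u

CADDY_BIN="${CADDY_BIN:-$HOME/code/3rd/caddy/bin/caddy}"
EXPECTED_VERSION="v2.11.2"
# Space-separated on purpose: expanded unquoted into positional args below.
REQUIRED_MODULES="dns.providers.gandi layer4"

# check_version VERSION_OUTPUT EXPECTED
# `caddy version` prints e.g. "v2.11.2 h1:..." on its first line; only the
# first field (the semver tag) is compared, so the build hash does not matter.
check_version() {
  local got
  got="$(printf '%s\n' "$1" | awk 'NR==1 {print $1}')"
  [ "$got" = "$2" ]
}

# check_modules MODULE_LIST REQUIRED...
# MODULE_LIST is the output of `caddy list-modules`: one module ID per line,
# followed by indented summary lines ("  Standard modules: N"). Each required
# ID must appear as a whole line. Reports every missing module, fails if any.
check_modules() {
  local list="$1"; shift
  local missing=0 m
  for m in "$@"; do
    if ! printf '%s\n' "$list" | grep -qx -- "$m"; then
      echo "missing module: $m" >&2
      missing=1
    fi
  done
  return "$missing"
}

# hosts_up URL...
# Probes each proxied hostname through Caddy; fails on the first response that
# is not 2xx/3xx (a connection failure is reported as 000). Network-dependent,
# so only used in a live run.
hosts_up() {
  local u code
  for u in "$@"; do
    code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$u")" || code=000
    case "$code" in
      2*|3*) ;;
      *) echo "$u -> HTTP $code" >&2; return 1 ;;
    esac
  done
}

# Live run on indri. Skipped when the binary is absent (e.g. when this file is
# sourced elsewhere to exercise the functions with constructed output).
if [ -x "$CADDY_BIN" ]; then
  check_version "$("$CADDY_BIN" version)" "$EXPECTED_VERSION" \
    && check_modules "$("$CADDY_BIN" list-modules)" $REQUIRED_MODULES \
    && echo "ok: $EXPECTED_VERSION with modules: $REQUIRED_MODULES" \
    || exit 1
  # Uncomment after the LaunchAgent restart, with the real hostnames:
  # hosts_up https://forge.ops.eblu.me/ || exit 1
fi
```

Run it before the LaunchAgent restart so a build that silently dropped a plugin (a `--with` that failed to resolve, or a stale `bin/caddy` from the previous tag) is caught while the old process is still serving; the `hosts_up` probe belongs after the restart, as the checklist's "verify all proxied services" step.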

@ -1,6 +1,6 @@
--- ---
# Caddy reverse proxy configuration # Caddy reverse proxy configuration
# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin # Caddy is built from ~/code/3rd/caddy with Gandi DNS and Layer 4 plugins
caddy_repo_dir: /Users/erichblume/code/3rd/caddy caddy_repo_dir: /Users/erichblume/code/3rd/caddy
caddy_binary: "{{ caddy_repo_dir }}/bin/caddy" caddy_binary: "{{ caddy_repo_dir }}/bin/caddy"
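Review bot: `caddy_repo_dir: /Users/erichblume/code/3rd/caddy` hardcodes one user's home, and nothing in this group_vars file records which Caddy version the role expects, so the `--tags caddy --check --diff` dry run from the commit message cannot distinguish a leftover v2.10.2 `bin/caddy` from the v2.11.2 one. Consider adding a `caddy_version: v2.11.2` variable (and `{{ ansible_env.HOME }}` for the path) and a task that runs `{{ caddy_binary }} version` and asserts on it before the LaunchAgent restart, so the upgrade is verified by the play rather than by the commit message.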

@ -0,0 +1 @@
Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes), create caddy-l4 forge mirror, migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes.
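Review bot: this one-line record says "7 CVE fixes" but names none of them, and the commit message itself lists six identifiers (CVE-2026-27585 through CVE-2026-27590) plus two described issues (forward auth identity injection, `vars_regexp` secret exposure), which does not obviously add up to seven. Listing the identifiers here, or linking the v2.11.1 and v2.11.2 release notes, would make the fix auditable later without re-reading the commit and would settle which of the two named issues carries which CVE.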

@ -1,6 +1,6 @@
--- ---
title: Caddy title: Caddy
modified: 2026-02-12 modified: 2026-03-15
tags: tags:
- service - service
- networking - networking
@ -87,14 +87,20 @@ Caddy has no authentication layer — it is a plain reverse proxy. Access contro
## Custom Build ## Custom Build
Caddy is built from source with the Gandi DNS plugin: Caddy is built from source using `xcaddy` with two plugins:
- `github.com/caddy-dns/gandi` — ACME DNS-01 challenges via Gandi API
- `github.com/mholt/caddy-l4` — Layer 4 (TCP/UDP) proxying
```bash ```bash
# Build location # Source and build location (mirrored on forge)
~/code/3rd/caddy/bin/caddy ~/code/3rd/caddy/bin/caddy
# Build via mise task in the caddy clone
cd ~/code/3rd/caddy && mise run build
``` ```
The build includes the `github.com/caddy-dns/gandi` plugin for ACME DNS-01 challenges. Forge mirrors: `mirrors/caddy`, `mirrors/caddy-gandi`, `mirrors/xcaddy`, `mirrors/caddy-l4`.
## Related ## Related
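Review bot: the new build instructions (`cd ~/code/3rd/caddy && mise run build`) do not say that the task wraps `xcaddy`, nor which versions of `github.com/caddy-dns/gandi` and `github.com/mholt/caddy-l4` it builds, while the commit message records a manual `xcaddy build`; without an `@version` on each `--with` module, xcaddy resolves it to the latest tag, so two builds of the same Caddy version can carry different plugin code. Document the pinned plugin versions (or where the mise task pins them) and add a verification step after the build, e.g. `caddy version` and `caddy list-modules | grep -E '^(dns.providers.gandi|layer4)$'`. Minor: the first line inside the bash fence (`~/code/3rd/caddy/bin/caddy`) is a path, not a command, so a reader pasting the block would execute the binary; move it into the comment or out of the fence.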

@ -276,10 +276,10 @@ services:
- name: caddy - name: caddy
type: ansible type: ansible
last-reviewed: null last-reviewed: 2026-03-15
current-version: null current-version: "v2.11.2"
upstream-source: https://github.com/caddyserver/caddy/releases upstream-source: https://github.com/caddyserver/caddy/releases
notes: Built from source with Gandi DNS plugin notes: Built from source with Gandi DNS and Layer 4 plugins
- name: borgmatic - name: borgmatic
type: ansible type: ansible
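Review bot: `current-version: "v2.11.2"` and `last-reviewed: 2026-03-15` are recorded while the commit message's deployment checklist still has the LaunchAgent restart and the service verification unchecked, so this tracker claims v2.11.2 while the running process may still be v2.10.2 until that restart happens. Either update this entry in the follow-up that completes the checklist, or add a field that separates the built version from the deployed one. Since the version string covers Caddy core only, the `notes` field ("Built from source with Gandi DNS and Layer 4 plugins") would also be the place to record the plugin versions, which `caddy list-modules --versions` prints.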