Upgrade Caddy v2.10.2 → v2.11.2, fix forge mirrors #294

Merged
eblume merged 1 commit from feature/caddy-upgrade-v2.11.2 into main 2026-03-15 10:33:49 -07:00
Owner

Summary

  • Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes across v2.11.1 and v2.11.2)
  • Create mirrors/caddy-l4 forge mirror for Layer 4 plugin
  • Migrate all ~/code/3rd clones on indri from localhost:3001 to HTTPS forge.ops.eblu.me/mirrors/ remotes
  • Remove stale clones (apple-silicon-detector, whisper.cpp)
  • Update caddy docs and service-versions tracking

CVEs Fixed

  • CVE-2026-27585 through CVE-2026-27590 (path/host bypass, TLS fail-open, FastCGI issues)
  • Forward auth identity injection (privilege escalation)
  • vars_regexp placeholder secret exposure
  • Built on Go 1.26.1 (patches Go-level CVEs)

What was done on indri (not in repo)

  • xcaddy build with Gandi DNS + Layer 4 plugins → ~/code/3rd/caddy/bin/caddy now v2.11.2
  • Remotes updated: caddy, forgejo-runner, zot → https://forge.ops.eblu.me/mirrors/*.git
  • Deleted: ~/code/3rd/apple-silicon-detector, ~/code/3rd/whisper.cpp

Deployment and Testing

  • Ansible dry-run passed (--tags caddy --check --diff)
  • Restart caddy LaunchAgent to pick up the new binary
  • Verify all proxied services respond via *.ops.eblu.me
  • Run mise run services-check
- Rebuild caddy binary with v2.11.2 (7 CVE fixes in v2.11.1/v2.11.2)
- Create mirrors/caddy-l4 on forge
- Migrate all ~/code/3rd clones on indri to HTTPS forge.ops.eblu.me remotes
- Remove stale clones (apple-silicon-detector, whisper.cpp)
- Update caddy docs and service-versions tracking

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit 272ea1e767 into main 2026-03-15 10:33:49 -07:00
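
A post-upgrade audit for the two host-side changes described above (binary at v2.11.2 or newer, clone remotes on the HTTPS forge mirror), as an added example that is not code from the blumeops repo. The function names and the sample listing are constructed for illustration; the version string and the two URL forms come from the PR text.

```shell
# Added example: post-upgrade audit helpers (hypothetical names, POSIX sh).
MIN_CADDY="v2.11.2"                                # target version named in the PR
MIRROR_PREFIX="https://forge.ops.eblu.me/mirrors/" # remote prefix named in the PR

# version_ge A B: succeed when dotted numeric version A >= B (leading "v" ignored).
version_ge() {
    a=${1#v}; b=${2#v}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# classify_remote URL: ok = HTTPS forge mirror, stale = old localhost:3001, else other.
# The prefix keeps its trailing slash so look-alike hostnames do not match.
classify_remote() {
    case $1 in
        "$MIRROR_PREFIX"*) echo ok ;;
        *localhost:3001*)  echo stale ;;
        *)                 echo other ;;
    esac
}

# audit_remotes: read "name url" lines on stdin, print those not ok, fail if any.
audit_remotes() {
    bad=0
    while read -r name url; do
        [ -n "$name" ] || continue
        state=$(classify_remote "$url")
        [ "$state" = ok ] && continue
        printf '%s\t%s\t%s\n' "$state" "$name" "$url"
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample listing. A real one could come from:
#   for d in ~/code/3rd/*/; do echo "$d $(git -C "$d" remote get-url origin)"; done
sample_listing() {
    cat <<'EOF'
caddy https://forge.ops.eblu.me/mirrors/caddy.git
zot http://localhost:3001/mirrors/zot.git
example-tool https://git.example.invalid/upstream/tool.git
EOF
}

sample_listing | audit_remotes || echo "remotes above still need migrating"
version_ge v2.10.2 "$MIN_CADDY" || echo "v2.10.2 is older than $MIN_CADDY: rebuild"
```

On the host, the first field printed by `caddy version` can be passed to `version_ge` in place of the literal, assuming the binary reports a plain `vX.Y.Z` there.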
Reference
eblume/blumeops!294