Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

WWW: https://caddyserver.com/
DOC: https://docs.opnsense.org/manual/how-tos/caddy.html

Plugin Changelog
================

2.0.4

Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
Fix: Prevent sudo on startup via skip_install_trust (opnsense/plugins/pull/5015)
Fix: Fix race condition that moved domain filter selectpicker into invisible tab (opnsense/plugins/pull/5076)

2.0.3

Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
Cleanup: Grid HTML and style
Fix: Tabulator 'Data Load Response Blocked' warning
Fix: setup.sh interaction with caddy storage and permissions (opnsense/plugins/pull/4911)
Fix: Emit subdomain http access logs when wildcard parent has logging enabled (opnsense/plugins/issues/4914)

2.0.2

Add: Global server timeout options (opnsense/plugins/pull/4778)
Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
Cleanup: Change em into px, fix key/value display in formatter (opnsense/plugins/pull/4807)
Cleanup: Remove obsolete model_relation_domain formatter (opnsense/plugins/pull/4813)

2.0.1

Add: Active health checks to handlers (contributed by zaben903) (opnsense/plugins/pull/4721)
Fix: Add handler command sometimes clearing domain selection in open dialogue (opnsense/plugins/pull/4748)

2.0.0

* Attention - Breaking Change: All DNS Providers except Cloudflare have been removed and will not come back (opnsense/plugins/pull/4691)
              Going forward, if DNS-01 challenge or Dynamic DNS is a requirement, you could use os-acme-client and os-ddclient.
              Another option is to migrate to Cloudflare, as this module will stay a core component.

* Add: Request Matcher option to Access List (contributed by spawntty) (opnsense/plugins/pull/4680)
* Add: ECH can configure encrypted client hello with Cloudflare (opnsense/plugins/pull/4673)
* Add: Client Auth (mTLS) to subdomains (opnsense/plugins/pull/4673)
* Build: Update to caddy-v2.10.0 (opnsense/tools/pull/469)
* Change: Render subdomains in a new pattern in the Caddyfile to adhere to caddy-v2.10.0 standard (opnsense/plugins/pull/4673)
* Change: Show only wildcard domains in subdomain selection (opnsense/plugins/pull/4646)
* Fix: Missing translation and toggle filter icon (opnsense/plugins/pull/4648)

1.8.5

* Add: basic_auth per handler (opnsense/plugins/issues/4619)
* Change: the ACL has been changed to "page-caddy" in "System: Access: Privileges". Privilege must be reassigned if used. (opnsense/plugins/issues/4623)
* Change: standalone certificate widget has been removed, use system default certificate widget instead. (opnsense/plugins/pull/4637)
* Cleanup: UI improvements (opnsense/plugins/pull/4634)
    * Cleanup of styles, formatters, and dialog layouts
    * Dialog element hiding logic was improved
    * "Filter by Domain" can filter subdomains
    * "Filter by Domain" will preselect domain and subdomain in handler add dialog
    * Grids are now responsive with automatic overflow on small screens
    * Grids now lazy load on tab switch for improved performance
    * Grids format domains and upstreams with protocol, domain, port and path in a single line
    * "Layer4 Proxy" and "Reverse Proxy" now use the same volt template
    * "Search Handler" and "Add Handler" buttons added to domain and subdomain grids
    * Step buttons (Add Domain, Add Handler) have been removed since they are redundant
    * Success messages on configuration apply have been removed, only errors will be shown
    * Tabs use URL hash to preserve selection on refresh

1.8.4

* Add: Client Auth (mTLS) to domains (opnsense/plugins/issues/4089)
* Fix: Some selectpickers had incorrect style (opnsense/plugins/pull/4616)

1.8.3

* Add: Update DNS Providers with new optional choices (opnsense/plugins/issues/4543)
* Add: propagation_timeout and propagation_delay (opnsense/plugins/issues/4544)

1.8.2

* Add: client_ip_headers (opnsense/plugins/issues/4517)
* Add: CloudDNS provider (opnsense/plugins/pull/4507)
* Change: Generalize forward_auth copy_headers directive. Existing configuration from (issues/4488) will be emptied. (opnsense/plugins/pull/4519)
* Fix: Shortcut buttons in reverse_proxy.volt (opnsense/plugins/pull/4525)

1.8.1

* Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
* Add: Persistent banner notification if custom imports are used (opnsense/plugins/issues/4244)
* Cleanup: Implement reusable grid template in views (opnsense/plugins/pull/4454)

1.8.0

* Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
* Build: Fix caddy-l4 timeout issue (opnsense/plugins/issues/4384)
* Build: Mark DNS Providers optional that are not included per default (opnsense/plugins/pull/4441)
         digitalocean, route53, googleclouddns, netlify, ddnss, njalla, tencentcloud
         dinahosting, civo, easydns, hosttech; must be added via https://caddyserver.com/docs/command-line#caddy-add-package
* Cleanup: Refactor caddy.inc and add syslog function, change name from Caddy Web Server to Caddy (opnsense/plugins/issues/4426)
* Cleanup: Some small UI tweaks (opnsense/plugins/pull/4442)
* Change: Disable HTTP/3 to mitigate status 400 issue when reverse proxying the OPNsense WebGUI (opnsense/plugins/issues/4471)

1.7.6

* Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins/pull/4403)
* Fix: Wildcard certificates displaying in Certificate Widget (opnsense/plugins/pull/4390)
* Fix: http being correctly prepended on redirects (opnsense/plugins/pull/4385)

1.7.5

* Add: Load Balancing options to Layer 4 Proxy and HTTP Handle
* Add: Layer4 TLS Termination
* Add: h2c protocol to HTTP Handler
* Cleanup: Caddy Certificate widget hides unused automatic certificates
* Cleanup: Widgets error handling improved
* Cleanup: Refactor caddy_certs.php to Trust model

1.7.4

* Add: Layer4 OpenVPN matcher with mode, digest and static key support
* Add: Layer4 Winbox matcher
* Add: Layer4 QUIC matcher
* Build: Update dependency to lang/go123
* Build: Update caddy-l4 and caddy-dynamicdns module
* Build: Fix that caddy-l4 does not stop when ssh is proxied
* Build: DNS Providers: Update porkbun, dnsmadeeasy
* Cleanup: Layer4 default route in listener_wrappers has been removed (obsolete)
* Fix: Error when same Access List is set to wildcard and subdomain

1.7.3

* Add: Clear All button to Filter by Domain selectpicker
* Change: Layer4 Proxy has own menu entry
* Change: Domains and Subdomains are in same tab, Subdomains are not initially hidden anymore
* Fix: WebGUI port conflict validation triggers too aggressively

1.7.2

* Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
* Add: Layer4 routes feature. Routing Type "global" or "listener_wrapper" can be chosen
* Add: Any Layer4 TCP/UDP traffic can be proxied without choosing a Layer 7 protocol matcher
* Change: Layer4 routes are not ordered automatically anymore
* Change: Layer4 "not tls sni" matcher has been replaced by generalized "Invert Matchers" checkbox
* Build: Update Caddy Layer4 module, fixes TLS matcher in chromium based browsers
* Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted

1.7.1

* Add: Frontend HTTP Version can be selected in General Settings, can be used to disable QUIC protocol
* Add: Access Lists can now be defined per HTTP Handler in advanced mode
* Change: Caddy Domains widget will now open links to managed websites in new browser tabs
* Change: To select tls_insecure_skip_verify in a HTTP Handler, the protocol https:// must be chosen
* Change: Abort from General Settings has been removed, it is now automatically added to all Access Lists
* Cleanup: Caddyfile template logic for Access Lists has been rewritten
* Cleanup: TLS checkboxes have been converted to dropdowns with http/https for clarity
* Cleanup: Layer4, Domain and Handle dialogues have been cleaned up, some options are now hidden in advanced mode
* Fix: Layer4 default ports did not render due to regression in previous version
* Fix: Invert in Access Lists did not render due to regression in previous version

1.7.0

* Add: Layer4 protocols: DNS
* Add: DNS Providers: Hetzner
* Change: DNS Providers: Route53 field "max_retries" has been renamed to "hosted_zone_id"
* Cleanup: Refactor "general.volt" from "layout_partials/base_form" to "layout_partials/base_tabs"
* Cleanup: Refactor "general.volt", "reverse_proxy.volt" and "diagnostics.volt" to imported ajaxGet() and ajaxCall()
* Cleanup: Adjust style of all views
* Cleanup: Restructure "general.xml" to include tabs, add new "Advanced Settings" Tab
* Cleanup: Remove old custom migrations
* Cleanup: Refactor Caddyfile template, extracting duplicate logic into macros
* Fix: Removed email validation from Caddy.php since it made the default migration fail

1.6.3

* Add: Disable Propagation Timeout in DNS Provider Tab. This can help if the DNS Challenge fails due to DNS Propagation being too slow.
* Add: Set custom resolver for the DNS Challenge in the DNS Provider tab.

1.6.2

* Add: Authentik as authentication provider (contributed by Tim-Sc)
* Add: Feature Preview - Layer4 routing to proxy traffic without TLS termination. Can be enabled in advanced mode of "General Settings"
* Add: Layer4 protocols: HTTP, Postgres, Proxy Protocol, RDP, SOCKS4, SOCKS5, SSH, TLS, XMPP
* Add: Layer4 Remote IP matcher to restrict access to proxied services

1.6.1

* Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings
* Add: Shortcuts to add new Domains and Handlers
* Change: Description Fields are optional now, reducing the steps needed to create new entries
* Change: Subdomain Tab only appears when a wildcard domain has been configured
* Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog

1.6.0

* Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status
* Add: forward_auth directive with Authelia as Authz Provider
* Add: Default HTTP and HTTPS ports can be changed in general settings
* Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen
* Add: HTTP Keepalive can be set in a handler
* Add: TLS can be deactivated in a domain
* Build: Update caddy-dns Cloudflare and Route53. Route53 field names changed due to upstream changes
* Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool"
* Cleanup: PHP files refactored for PSR-12, Python files refactored for PEP-8
* Cleanup: Templates Caddyfile and rc.conf.d/caddy refactored for maintainability
* Cleanup: Spurious keys removed from Caddy.xml model
* Cleanup: Unused code removed from Caddy.php
* Fix: Caddyfile template fixed when IPv6 addresses and ports are used in Upstream. IPv6 address wraps into brackets now

1.5.7

* Add: Error message when OPNsense WebGUI settings conflict with Auto HTTPS
* Add: Error message when Auto HTTPS is enabled, and ACME email field is empty, for caddy v2.8.
* Add: Dynamic DNS now supports "Update Only", only updating existing records without creating new ones
* Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vult
* Build: Update to Caddy v2.8.4 + caddy-dns plugins updated to latest upstream version
* Change: Dynamic DNS "TTL" and "Check Interval" have been changed to seconds. Existing values have been reset to use the defaults of the implementation
* Cleanup: Fix crash of searchAction when reverseUuids is null
* Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8
* Cleanup: Refactor dns provider configuration in Caddyfile template
* Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain
* Remove: DNS Providers: godaddy

1.5.6

* Add: DNS Providers: Netcup, RFC2136
* Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @

1.5.5

* Add: In Reverse Proxy, a new dropdown can select one or multiple domains, filtering the Bootgrids of Domains, Subdomains and Handlers for the selected Domain
* Add: Global Log Level can be set in Log Settings
* Add: Diagnostics view added where the current Caddyfile and JSON configuration can be displayed, validated and downloaded
* Add: HTTP-01 Challenge Redirection can also be configured for subdomains
* Change: ACME Email should be filled out since it's a requirement for ZeroSSL
* Cleanup: Javascript variables have been changed from var to let to reduce scope
* Cleanup: lang() and gettext() functions added for translations
* Cleanup: Rewritten most help texts in forms for consistency
* Fix: "Apply" could hang when websockets are in use by clients. A grace period of 10s has been added in General Settings that forces to close all connections on config changes
* Fix: "Apply" will always read all certificates from the filesystem, even if the Caddy configuration has remained unchanged. "reload" has been changed to "reloadssl"
* Fix: "Save" and "Apply" buttons in General Settings have been improved to reliably trigger validation of form
* Fix: Template has been fixed to allow any TLS option in Handlers to appear independant when filled out. This increases flexibility with the "tls_server_name" option
* Fix: The newly introduced "configctl caddy reload" action, which calls the "service caddy reloadssl" command, will now also trigger the setup.sh script

1.5.4

* Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers
* Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers
* Add: HTTP response code and HTTP response message can be set per access list in advanced mode
* Add: Header functionality added. Multiple header manipulations can be set per handler
* Change: All Description Fields are now required to be populated
* Change: Model Relation Fields now display two values instead of one to make most options appear unique
* Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability
* Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions
* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS
* Fix: Input validation so a base domain like "example.com" and a wildcard domain like "*.example.com" can now be created at the same time in domains

1.5.3

* Add: tls_insecure_skip_verify to handlers
* Add: Possibility to restart Caddy with the ACME Client by using "Automations - Run Command - System or Plugin Command"
* Add: Option to redirect the ACME HTTP-01 challenge to an upstream destination as advanced option in domains
* Change: From "Phalcon Messages" to "OPNsense Messages" in Caddy.php
* Change: Default storage location from /usr/local/etc/caddy to /var/db/caddy/data/caddy/
* Change: Description from "TextField" to "DescriptionField" in Caddy.xml model
* Cleanup: Dialogs and UI to present all options better
* Remove: Unmaintained DNS Providers: dnspod, hetzner, namesilo, vercel, alidns, metaname, openstack-designate

1.5.2

* Build: When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read
* Cleanup: Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds
* Cleanup: Caddy.xml model to satisfy make lint
* Fix: When pressing Apply, the form is saved automatically before the reconfigure action

1.5.1

* Add: More DNS Providers: netlify, namesilo, njalla, vercel, googleclouddns, alidns, powerdns, tencentcloud, dinahosting, metaname, hexonet, ddnss, linode, mailinabox, ovh, namecheap, azure, openstack-designate
* Add: More input fields and better documentation for the DNS Provider API Keys
* Change: rc.d script to standard freebsd poudriere one packaged with the caddy-custom binary, included setup.sh script to rc.conf.d/caddy
* Change: Updated dependancy to caddy-custom instead of caddy
* Change: Enable $internalModelUseSafeDelete in ReverseProxyController.php - Items can only be deleted when they are not referenced by other items, making deleting in the GUI safer since there can't be any orphaned configuration left behind
* Cleanup: Turned syslog-ng configuration from template to static file
* Cleanup: A few typos in the general.volt and reverse_proxy.volt corrected
* Cleanup: The RealInterfaceField custom Fieldtype was removed and replaced with an OPNsense integrated template function to read the interface name
* Cleanup: Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions
* Remove: +POST_DEINSTALL.post and +POST_INSTALL.post

1.5.0

* Add: ACME-DNS Provider for custom ACME Server support
* Add: When pressing save, a hint will appear that changes should be applied. Apply and Save now give feedback on success
* Add: Create ACL for Caddy
* Cleanup: General view cleanup by seperating options into different tabs
* Cleanup: Code consistency improved
* Remove: vultr from DNS-Providers since it can't be built without errors

1.4.5

* Add: New validate api action when pressing apply that validates the Caddyfile + Validation model fix
* Add: Configuration option to log HTTP access to plain JSON files (contributed by pmhausen)
* Add: Backend path prepend feature to handler configuration (contributed by pmhausen)

1.4.4

* Add: Route53 DNS Provider
* Cleanup: Dark Mode GUI

1.4.2

* Add: Basic Auth as additional access restriction, multiple users can be set per domain and subdomain
* Add: Porkbun DNS Provider for GUI configuration with additional DNS Secret Api Key input field
* Cleanup: Improve views with seperated General Settings and DNS Provider Settings, joined Access List and Basic Auth in new Access Tab
* Cleanup: Fixed some typos in forms.
* Fix: Template generation of Caddyfile for new DNS Provider deSEC

1.4.0

* Add: DynDNS (Dynamic DNS) Feature
* Add: HTTP Access Logs
* Add: More DNS Providers: Cloudflare, Duck DNS, DigitalOcean, DNSPod, Hetzner, GoDaddy, Gandi, Vultr, IONOS, deSEC
* Cleanup: Logging refactored to syslog-ng.

1.3.4

* Add: abort statement to close all connections that do not match any handle
* Add: tls_server_name to model
* Fix: DNS Challenge not adhering to the status of the DNS-01 Checkbox

1.3.3

* Change: Swapped processing order in template from wildcard domains -> subdomains to subdomains -> wildcard domains

1.3.2

* Add: Inline loop logic to template to always print empty handles last in the Caddyfile before specific handles

1.3.1

* Add: Access Lists
* Add: Reload for the ServiceControlUI after pressing Apply
* Fix: Small constraint to handle added. Handles have to start at least with / when they're not empty, or Caddy won't start

1.3.0 - Initial release

* Create easy Reverse Proxy entries, use the HTTP or DNS-01 Challenge to get quick and easy ACME Certificates with Let's Encrypt
* Control Caddy and view the Logfile in the OPNsense GUI
* Create more complicated nested handle structures with wildcard domains, subdomains, handles and catch all handles
* Use your own certificates where needed
* Use TLS, NTLM and CA certificates to communicate with your Backend Servers
* Use Caddy with two OPNsense Firewalls in HA - only fully supported with custom certificates from OPNsense trust store
