From cf46ff0a3b6e7e9f1faecd83144361db22fd21d1 Mon Sep 17 00:00:00 2001
From: Wikid82 <176516789+Wikid82@users.noreply.github.com>
Date: Mon, 9 Mar 2026 02:56:06 +0000
Subject: [PATCH 1/4] chore(docker): update GeoLite2-Country.mmdb checksum
Automated checksum update for GeoLite2-Country.mmdb database.
Old: d3031e02196523cbb5f74291122033f2be277b2130abedd4b5bee52ba79832be
New: b79afc28a0a52f89c15e8d92b05c173f314dd4f687719f96cf921012d900fcce
Auto-generated by: .github/workflows/update-geolite2.yml
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index f26ed1e9..bf59d53a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -413,7 +413,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=d3031e02196523cbb5f74291122033f2be277b2130abedd4b5bee52ba79832be
+ARG GEOLITE2_COUNTRY_SHA256=b79afc28a0a52f89c15e8d92b05c173f314dd4f687719f96cf921012d900fcce
 RUN mkdir -p /app/data/geoip && \
 if [ -n "$CI" ]; then \
 echo "⏱️ CI detected - quick download (10s timeout, no retries)"; \
From 85b0bb1f5e38d06ee20cd8087b3a2b4e1ef57290 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Mon, 9 Mar 2026 16:40:30 +0000
Subject: [PATCH 2/4] fix(docker): update CADDY_VERSION to 2.11.2 for improved stability
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b8b85b1f..2274cc2c 100644
--- a/Dockerfile
+++ b/Dockerfile
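Review bot: The `GEOLITE2_COUNTRY_SHA256` pin in the first Dockerfile hunk (`@@ -413,7 +413,7 @@`) is rewritten by the same automation that fetches the database (`.github/workflows/update-geolite2.yml`, per the commit message), so as far as this patch shows, the digest records whatever the workflow downloaded rather than a value checked against a second source. A pin maintained that way still catches a file that changes between the workflow run and the image build, but it would not catch an upstream file that was already altered when the workflow ran, so the provenance is worth stating next to the ARG, e.g. `# Digest refreshed by .github/workflows/update-geolite2.yml; compare with an independently obtained digest before merging`. The `RUN` block that consumes the ARG continues outside the hunk, so whether a mismatch aborts the build on the quick CI path cannot be confirmed from here.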
@@ -15,7 +15,7 @@ ARG BUILD_DEBUG=0
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
 ## If the requested tag isn't available, fall back to a known-good v2.11.1 build.
-ARG CADDY_VERSION=2.11.1
+ARG CADDY_VERSION=2.11.2
 ARG CADDY_CANDIDATE_VERSION=2.11.1
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
From cd35f6d8c75895f24ea84d0c1da7c790885eebad Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Mon, 9 Mar 2026 16:47:48 +0000
Subject: [PATCH 3/4] fix(docker): update CADDY_CANDIDATE_VERSION to 2.11.2 for consistency
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2274cc2c..9723f61f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,9 +14,9 @@ ARG BUILD_DEBUG=0
 # avoid accidentally pulling a v3 major release. Renovate can still update
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
-## If the requested tag isn't available, fall back to a known-good v2.11.1 build.
+## If the requested tag isn't available, fall back to a known-good v2.11.2 build.
 ARG CADDY_VERSION=2.11.2
-ARG CADDY_CANDIDATE_VERSION=2.11.1
+ARG CADDY_CANDIDATE_VERSION=2.11.2
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
 # renovate: datasource=go depName=github.com/greenpau/caddy-security
From aaf52475ee351266d06b9f9e0c248b74941c5de0 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Mon, 9 Mar 2026 16:51:01 +0000
Subject: [PATCH 4/4] fix(docker): update Caddy version to 2.11.2 for consistency across documentation and scripts
---
 .github/instructions/ARCHITECTURE.instructions.md | 2 +-
 .vscode/tasks.json | 2 +-
 ARCHITECTURE.md | 2 +-
 docs/reports/caddy-compatibility-matrix.md | 2 +-
 docs/reports/caddy-security-posture.md | 2 +-
 scripts/caddy-compat-matrix.sh | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)
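Review bot: In the `@@ -14,9 +14,9 @@` Dockerfile hunk the fallback named by the comment now equals the requested version: `CADDY_VERSION`, `CADDY_CANDIDATE_VERSION` and the "known-good" build are all 2.11.2 after this change. If the fallback really resolves to that value, a missing or broken 2.11.2 tag leaves nothing different to fall back to; if the fallback is set elsewhere in the Dockerfile, the comment is now inaccurate. The build logic is outside the hunk, so this is inferred from the comment alone. I would drop the hard-coded number from the comment, `## If the requested tag isn't available, fall back to the previously validated release.`, and keep the fallback itself on a release that has already been through the compatibility matrix.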
diff --git a/.github/instructions/ARCHITECTURE.instructions.md b/.github/instructions/ARCHITECTURE.instructions.md
index 82c2a95c..f5f908e2 100644
--- a/.github/instructions/ARCHITECTURE.instructions.md
+++ b/.github/instructions/ARCHITECTURE.instructions.md
@@ -126,7 +126,7 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.1 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 6a06bb9e..06b5cf43 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -727,7 +727,7 @@
 {
 "label": "Security: Caddy PR-1 Compatibility Matrix",
 "type": "shell",
- "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.1 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
+ "command": "cd /projects/Charon && bash scripts/caddy-compat-matrix.sh --candidate-version 2.11.2 --patch-scenarios A,B,C --platforms linux/amd64,linux/arm64 --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health --output-dir test-results/caddy-compat --docs-report docs/reports/caddy-compatibility-matrix.md",
 "group": "test",
 "problemMatcher": []
 },
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index 52387d26..4a5f57b8 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -126,7 +126,7 @@ graph TB
 | **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
 | **Database** | SQLite | 3.x | Embedded database |
 | **ORM** | GORM | Latest | Database abstraction layer |
-| **Reverse Proxy** | Caddy Server | 2.11.1 | Embedded HTTP/HTTPS proxy |
+| **Reverse Proxy** | Caddy Server | 2.11.2 | Embedded HTTP/HTTPS proxy |
 | **WebSocket** | gorilla/websocket | Latest | Real-time log streaming |
 | **Crypto** | golang.org/x/crypto | Latest | Password hashing, encryption |
 | **Metrics** | Prometheus Client | Latest | Application metrics |
diff --git a/docs/reports/caddy-compatibility-matrix.md b/docs/reports/caddy-compatibility-matrix.md
index 15f104a4..6a4a5671 100644
--- a/docs/reports/caddy-compatibility-matrix.md
+++ b/docs/reports/caddy-compatibility-matrix.md
@@ -1,7 +1,7 @@
 # PR-1 Caddy Compatibility Matrix Report
 - Generated at: 2026-02-23T13:52:26Z
-- Candidate Caddy version: 2.11.1
+- Candidate Caddy version: 2.11.2
 - Plugin set: caddy-security,coraza-caddy,caddy-crowdsec-bouncer,caddy-geoip2,caddy-ratelimit
 - Smoke set: boot_caddy,plugin_modules,config_validate,admin_api_health
 - Matrix dimensions: patch scenario × platform/arch × checked plugin modules
diff --git a/docs/reports/caddy-security-posture.md b/docs/reports/caddy-security-posture.md
index 893e6d55..d733f1dc 100644
--- a/docs/reports/caddy-security-posture.md
+++ b/docs/reports/caddy-security-posture.md
@@ -2,7 +2,7 @@
 - Date: 2026-02-23
 - Scope: PR-2 only (security patch posture + xcaddy patch retirement decision)
-- Upstream target: Caddy 2.11.x line (`2.11.1` candidate in this repository)
+- Upstream target: Caddy 2.11.x line (`2.11.2` candidate in this repository)
 - Inputs:
 - PR-1 compatibility matrix: `docs/reports/caddy-compatibility-matrix.md`
 - Plan authority: `docs/plans/current_spec.md`
diff --git a/scripts/caddy-compat-matrix.sh b/scripts/caddy-compat-matrix.sh
index bdc51524..4ec561de 100755
--- a/scripts/caddy-compat-matrix.sh
+++ b/scripts/caddy-compat-matrix.sh
@@ -2,7 +2,7 @@
 set -euo pipefail
-readonly DEFAULT_CANDIDATE_VERSION="2.11.1"
+readonly DEFAULT_CANDIDATE_VERSION="2.11.2"
 readonly DEFAULT_PATCH_SCENARIOS="A,B,C"
 readonly DEFAULT_PLATFORMS="linux/amd64,linux/arm64"
 readonly DEFAULT_PLUGIN_SET="caddy-security,coraza-caddy,caddy-crowdsec-bouncer,caddy-geoip2,caddy-ratelimit"
@@ -33,7 +33,7 @@ Usage: scripts/caddy-compat-matrix.sh [options]
 Options:
 --output-dir Output directory (default: test-results/caddy-compat)
 --docs-report Markdown report path (default: docs/reports/caddy-compatibility-matrix.md)
- --candidate-version Candidate Caddy version (default: 2.11.1)
+ --candidate-version Candidate Caddy version (default: 2.11.2)
 --patch-scenarios Patch scenarios CSV (default: A,B,C)
 --platforms Platforms CSV (default: linux/amd64,linux/arm64)
 --plugin-set Plugin set descriptor for report metadata