Charon/docs/plans/archive/caddy_upgrade_plan.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00

Caddy v2.11.0-beta.2 Upgrade Plan

Created: 2026-01-06
Risk Level: LOW
Estimated Duration: 30-45 minutes

Overview

Upgrade Caddy from v2.10.2 to v2.11.0-beta.2 to gain:

  • quic-go v0.58.0 required upstream (removes the manual quic-go bump we apply as the CVE patch)
  • smallstep/certificates v0.29.0 required upstream (removes the manual smallstep/certificates bump)
  • Various bug fixes and enhancements

Phase 1: Dockerfile Changes

File: /projects/Charon/Dockerfile

1.1 Update Caddy Version

Change line ~17:

# FROM:
ARG CADDY_VERSION=2.10.2

# TO:
ARG CADDY_VERSION=2.11.0-beta.2

1.2 Remove Obsolete Dependency Patches

In the Caddy builder stage (~lines 108-115), remove the two forced dependency bumps that upstream now satisfies. Before deleting them, confirm against the go.mod of the v2.11.0-beta.2 tag that github.com/quic-go/quic-go and github.com/smallstep/certificates are required at versions no older than the ones pinned here; if they are not, dropping the bump silently reverts to the older upstream requirement.

# REMOVE these lines:
# renovate: datasource=go depName=github.com/quic-go/quic-go
go get github.com/quic-go/quic-go@v0.57.1; \
# renovate: datasource=go depName=github.com/smallstep/certificates
go get github.com/smallstep/certificates@v0.29.0; \

KEEP this bump (still required; do not drop it without the same go.mod check):

# renovate: datasource=go depName=github.com/expr-lang/expr
go get github.com/expr-lang/expr@v1.17.7; \

1.3 Update Comments

Update the version comment block (~lines 9-17) to reflect the beta version.


Phase 2: Build Verification

2.1 Build Docker Image

docker build --no-cache -t charon:caddy-upgrade-test .

2.2 Verify the Caddy Binary Runs

docker run --rm charon:caddy-upgrade-test caddy version

The first field of the output should be v2.11.0-beta.2 (the second field is the module checksum).

2.3 Verify Plugins Load

docker run --rm charon:caddy-upgrade-test caddy list-modules | grep -E "security|coraza|crowdsec|maxmind|rate"

Expected module IDs (each must appear as a whole line of the list-modules output):

  • http.handlers.crowdsec
  • http.handlers.waf (coraza)
  • http.matchers.maxminddb
  • http.handlers.rate_limit
  • security (caddy-security)
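Steps 2.2 and 2.3 can be scripted so the build fails when the version or a module is missing, instead of relying on someone reading the grep output. This is an added example, not a script from the Charon repository; it assumes the image tag charon:caddy-upgrade-test from step 2.1 and that `caddy` is on PATH inside the image, and the sample `caddy version` / `caddy list-modules` output it embeds is constructed for the offline self-test rather than captured from a real build.

```shell
#!/usr/bin/env bash
# Added example (not part of Charon): fail when the built image does not carry
# the expected Caddy version or one of the required plugin modules.
# Assumptions: image tag charon:caddy-upgrade-test, `caddy` on PATH inside it.
set -eu

EXPECTED_VERSION="v2.11.0-beta.2"
# Module IDs from step 2.3 ("security" is the caddy-security app).
REQUIRED_MODULES="http.handlers.crowdsec http.handlers.waf http.matchers.maxminddb http.handlers.rate_limit security"

# check_version <caddy-version-output> <expected>
# `caddy version` prints "<version> <module checksum>"; only the first field matters.
check_version() {
  actual=$(printf '%s\n' "$1" | awk 'NR == 1 { print $1 }')
  [ "$actual" = "$2" ]
}

# missing_modules <list-modules-output> <module-id>...
# Prints each required ID that does not appear as a whole line of the listing.
missing_modules() {
  listing="$1"; shift
  for m in "$@"; do
    # -x: whole-line match, so "security" does not match a longer ID that merely
    # contains the word; -F: treat the dots in the IDs literally.
    if ! printf '%s\n' "$listing" | grep -qxF "$m"; then
      printf '%s\n' "$m"
    fi
  done
}

# verify_image [image]: run both checks against a built image (needs docker).
verify_image() {
  image="${1:-charon:caddy-upgrade-test}"
  ver=$(docker run --rm "$image" caddy version)
  if ! check_version "$ver" "$EXPECTED_VERSION"; then
    echo "FAIL: expected $EXPECTED_VERSION, got: $ver" >&2
    return 1
  fi
  mods=$(docker run --rm "$image" caddy list-modules)
  missing=$(missing_modules "$mods" $REQUIRED_MODULES)
  if [ -n "$missing" ]; then
    echo "FAIL: modules missing from $image:" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  echo "OK: $image is Caddy $EXPECTED_VERSION with all required modules"
}

# Constructed sample output (not captured from a real build) for an offline
# self-test of the parsers; rate_limit is deliberately absent from the listing.
SAMPLE_VERSION='v2.11.0-beta.2 h1:0000000000000000000000000000000000000000000='
SAMPLE_MODULES='http.handlers.crowdsec
http.handlers.waf
http.matchers.maxminddb
security

  Standard modules: 100

  Non-standard modules: 4'

# self_test: exercises the parsers on the constructed sample; no docker needed.
self_test() {
  check_version "$SAMPLE_VERSION" "$EXPECTED_VERSION" || return 1
  check_version 'v2.10.2 h1:x=' "$EXPECTED_VERSION" && return 1
  [ "$(missing_modules "$SAMPLE_MODULES" $REQUIRED_MODULES)" = "http.handlers.rate_limit" ]
}

case "${1:-}" in
  --run)  verify_image "${2:-}" ;;
  --self) self_test && echo "self-test OK" ;;
esac
```

Run it as `./verify-image.sh --run charon:caddy-upgrade-test` after the build in step 2.1; `--self` runs only the offline parser checks. The whole-line match matters: a substring grep would pass if a module with a longer, similarly named ID were present while the expected one was not.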

Phase 3: Testing

3.1 Backend Unit Tests

# Using existing task
# Task: "Test: Backend Unit Tests"
cd backend && go test ./... -v

3.2 Integration Tests

# Start the container
docker compose -f .docker/compose/docker-compose.local.yml up -d

# Run Coraza WAF tests
# Task: "Integration: Coraza WAF"

# Run CrowdSec tests
# Task: "Integration: CrowdSec"

3.3 Manual Verification Checklist

  • Admin API responds: curl http://localhost:2019/config/ (this is the configuration endpoint, not a public health check; port 2019 must only be reachable from loopback or from inside the container, because /load accepts an arbitrary replacement configuration and has no authentication by default)
  • Config reload works: curl -X POST http://localhost:2019/load -H "Content-Type: application/json" -d @test-config.json
  • HTTPS/certificate automation works (if applicable)
  • WAF rules trigger correctly (a request carrying a known-bad payload is denied; an ordinary request is not)
  • CrowdSec bouncer integration works (a decision against a test IP is actually enforced)
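The checklist above can be driven by a script that also verifies the admin port is published on loopback only, which is the check most likely to be forgotten when the compose file is touched during an upgrade. This is an added example, not a Charon test: the container name, site URL, admin URL, test-config path and the SQLi probe payload are assumptions to adjust for the deployment, and the `docker port` listings used by the self-test are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of Charon): post-upgrade smoke test for a running
# container. Assumed values, overridable via environment: container "charon",
# site at http://localhost:8080, admin API at http://localhost:2019, and a
# known-good config at ./test-config.json.
set -eu

CONTAINER="${CONTAINER:-charon}"
SITE_URL="${SITE_URL:-http://localhost:8080}"
ADMIN_URL="${ADMIN_URL:-http://localhost:2019}"
TEST_CONFIG="${TEST_CONFIG:-./test-config.json}"
# Classic SQLi probe; adjust to a payload your rule set is known to deny.
WAF_PROBE="/?id=1%27%20OR%20%271%27%3D%271"

# http_status <curl args...>: print only the status code; 000 when unreachable.
http_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$@") || true
  printf '%s' "${code:-000}"
}

# assert_eq <name> <expected> <actual>: report, return 1 on mismatch.
assert_eq() {
  if [ "$2" = "$3" ]; then
    printf 'PASS %s (%s)\n' "$1" "$3"
  else
    printf 'FAIL %s: expected %s, got %s\n' "$1" "$2" "$3" >&2
    return 1
  fi
}

# is_loopback_binding <docker port output>: true only if every published
# mapping of the admin port listens on 127.0.0.1 or [::1]. An empty listing
# (port not published at all) also passes: the API is then container-only.
is_loopback_binding() {
  printf '%s\n' "$1" | awk '
    NF == 0 { next }
    $1 !~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/ { bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

check_admin_binding() {
  mapping=$(docker port "$CONTAINER" 2019 2>/dev/null || true)
  if is_loopback_binding "$mapping"; then
    echo "PASS admin port binding: ${mapping:-not published}"
  else
    echo "FAIL admin API port 2019 is published beyond loopback: $mapping" >&2
    return 1
  fi
}

check_admin_responds() {
  assert_eq "admin /config/ responds" 200 "$(http_status "$ADMIN_URL/config/")"
}

check_reload() {
  assert_eq "config reload via /load" 200 \
    "$(http_status -X POST -H 'Content-Type: application/json' \
         --data-binary "@$TEST_CONFIG" "$ADMIN_URL/load")"
}

check_waf_blocks() {
  assert_eq "WAF denies SQLi probe" 403 "$(http_status "$SITE_URL$WAF_PROBE")"
  assert_eq "WAF passes ordinary request" 200 "$(http_status "$SITE_URL/")"
}

check_crowdsec_wired() {
  # The running config must still reference the crowdsec handler after reload.
  if curl -s --max-time 5 "$ADMIN_URL/config/" | grep -Eq '"handler": ?"crowdsec"'; then
    echo "PASS crowdsec handler present in running config"
  else
    echo "FAIL crowdsec handler not found in running config" >&2
    return 1
  fi
}

run_smoke() {
  failures=0
  for check in check_admin_binding check_admin_responds check_reload \
               check_waf_blocks check_crowdsec_wired; do
    "$check" || failures=$((failures + 1))
  done
  if [ "$failures" -ne 0 ]; then
    echo "$failures check(s) failed; do not promote this image, follow the rollback plan" >&2
    return 1
  fi
  echo "all smoke checks passed"
}

# Offline self-test on constructed `docker port` listings (not real output).
self_test() {
  is_loopback_binding '127.0.0.1:2019' || return 1
  is_loopback_binding '0.0.0.0:2019' && return 1
  is_loopback_binding '127.0.0.1:2019
[::]:2019' && return 1
  assert_eq "self" 403 403 >/dev/null
}

case "${1:-}" in
  --run)  run_smoke ;;
  --self) self_test && echo "self-test OK" ;;
esac
```

The binding check is deliberately strict: a listing that mixes a loopback IPv4 mapping with a wildcard IPv6 mapping (`[::]:2019`) fails, since that is exactly how an admin API ends up reachable from the network while `docker port` still shows a 127.0.0.1 line.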

Phase 4: Documentation

4.1 Update CHANGELOG.md

Add entry under next release:

### Changed
- Upgraded Caddy from v2.10.2 to v2.11.0-beta.2
- Removed manual quic-go and smallstep/certificates patches (now included upstream)

4.2 Update Version References

Search and update any version references outside the Dockerfile change from Phase 1 (use a fixed-string match so the dots are not treated as wildcards; older CHANGELOG entries legitimately keep the old version):

grep -rnF "2.10.2" docs/ Dockerfile

Rollback Plan

If issues are encountered:

  1. Revert ARG CADDY_VERSION to 2.10.2
  2. Restore the removed dependency bumps (quic-go v0.57.1 and smallstep/certificates v0.29.0)
  3. Rebuild the image, or redeploy the last known-good image tag if it is still available (tag it before upgrading so rollback does not depend on a rebuild)

Post-Upgrade Monitoring

After deployment:

  • Monitor Caddy logs for warnings and errors (assumes Caddy's default JSON log encoder): docker logs -f <container> 2>&1 | grep -E '"level":"(warn|error)"'
  • Check certificate renewal works, including internal CA issuance if the pki app is used, since the beta changes the bundled smallstep/certificates version
  • Verify no performance regressions