Web server Caddy 2.10 released with ECH, post-quantum key exchange, and more enhancements
Caddy, a fast and extensible multi-platform HTTP web server, has launched its latest version, 2.10, introducing several enhancements and bug fixes. A key feature in this release is Encrypted ClientHello (ECH), which encrypts the last plaintext portion of a TLS connection — the ClientHello — to enhance privacy by concealing the domain name being connected to.
Version 2.10 also integrates Post-quantum (PQC) key exchange, with support for the standardized x25519mlkem768 cryptographic group by default. Additionally, Caddy now supports ACME profiles, an experimental draft allowing more flexible certificate properties compared to traditional CSR methods.
The reverse proxy functionality has been updated to set a Via header instead of a duplicate Server header. Users can now specify a default global DNS module, eliminating the need to configure it locally across various parts of the configuration. Moreover, Caddy will now utilize wildcard certificates by default for subdomains, reducing the need for individual certificates for each domain.
Lastly, the libdns APIs have been updated to version 1.0 beta, and a new dns global option allows users to specify DNS provider configuration in a single location, streamlining credential management for servers with domains managed by a single DNS provider.
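
A Caddyfile sketch of the global `dns` option and wildcard reuse described above, added here as an illustration and not taken from the Caddy project or its release notes. The `cloudflare` provider (a separately built plugin), the environment variable name, the `example.com` hostnames, and the upstream address are assumptions. The argument-less `dns` inside `tls` is likewise assumed to fall back to the global provider.

```caddyfile
{
	# One place for DNS provider credentials (the new `dns` global option).
	# "cloudflare" is an assumed provider plugin; the token comes from the environment,
	# so it never has to be repeated in individual site blocks.
	dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}

# Wildcard site: its presence is what allows subdomains to reuse one certificate.
*.example.com {
	tls {
		# Wildcard certificates require the ACME DNS challenge.
		# Assumed behaviour: with no arguments, the global provider above is used.
		dns
	}
	respond "no such site" 404
}

# Served with the *.example.com certificate instead of an individual one.
app.example.com {
	reverse_proxy localhost:8080
}
```

Keeping the DNS API token in one global block also means there is a single credential to scope and rotate.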

Comments
It should be noted that in order for Caddy to use wildcard certificates for subdomains, you also need to have a wildcard site configured. Otherwise it will still issue individual certificates. From the changelog: "now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates."