CaddyUI v2.10.9 - Smart Caddyfile import: paste once, get Proxy Hosts
Paste a Caddyfile and CaddyUI now classifies each site block into a Proxy Host, Redirection, or Advanced route automatically, so no more "everything ends up as Advanced". Plus a re-classify button for older imports, ~70 new per-host options shipped across the v2.10 arc, path-based routing on proxy hosts, and baseline security headers on CaddyUI's own responses.
Smart Caddyfile import: paste once, get the right resource type (v2.10.7 → v2.10.9)
This is the headline of the release. Until v2.10.6, pasting a Caddyfile into /caddyfile-import turned every site block into an Advanced (raw JSON) route, even the trivial `example.com { reverse_proxy localhost:3000 }` ones. They worked fine, but you lost the form-driven editor: the per-host security headers, health checks, alias management, all the things the proxy-host UI exists for.
v2.10.7 fixes that. Each pasted block is now inspected after Caddy's /adapt runs and routed to the right table:
| Block looks like | Imported as |
|---|---|
| host(s) + a single `reverse_proxy` | Proxy Host: full edit form |
| host(s) + a single `redir` | Redirection |
| custom matchers, multiple handlers, layer-4, anything exotic | Advanced route: JSON preserved verbatim |
The classification runs after Caddy normalises the Caddyfile, so you don't get false negatives from quirky-but-equivalent syntax. The auto-classify checkbox is on by default; uncheck it if you want the old "everything as Advanced" behaviour for full control of the JSON.
v2.10.8: knowing what just happened
Importing 30 blocks in one paste produces 30 rows. v2.10.8 makes the result page tell you what each one became:
- "Imported as" column in the result table: coloured pill linking to the right list page (Proxy Host → /proxy-hosts, Redirection → /redirection-hosts, Advanced → /raw-routes).
- Per-kind tally banner: "Imported 12 routes: 8 proxy hosts · 2 redirections · 2 advanced" so you don't have to count rows to know the split.
- `SSLVerifyUpstream` import: `reverse_proxy` blocks with `transport http { tls_insecure_skip_verify }` now correctly land as proxy hosts with TLS-verify off, matching the Caddyfile's intent. Previously this fell through to Advanced because the importer didn't recognise the transport-TLS shape.
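An added example, not CaddyUI's own code: one way to classify routes in the JSON shape Caddy's adapter emits, and to list the imported proxy hosts whose upstream TLS verification is off so they can be reviewed after a bulk paste. `FORM_KEYS`, the function names and the sample routes are assumptions constructed for illustration.

```python
# Constructed sample: three routes in the shape Caddy's adapter emits.
ROUTES = [
    {"match": [{"host": ["app.example.com"]}],
     "handle": [{"handler": "subroute", "routes": [{"handle": [{
         "handler": "reverse_proxy", "upstreams": [{"dial": "10.0.0.5:8443"}],
         "transport": {"protocol": "http", "tls": {"insecure_skip_verify": True}}}]}]}]},
    {"match": [{"host": ["old.example.com"]}],
     "handle": [{"handler": "subroute", "routes": [{"handle": [{
         "handler": "static_response", "status_code": 302,
         "headers": {"Location": ["https://new.example.com/"]}}]}]}]},
    {"match": [{"host": ["api.example.com"], "path": ["/v1/*"]}],
     "handle": [{"handler": "reverse_proxy",
                 "upstreams": [{"dial": "127.0.0.1:9000"}]}]},
]
# Hypothetical: the reverse_proxy keys a form-driven editor could represent.
FORM_KEYS = {"handler", "upstreams", "transport"}

def unwrap(handlers):
    """Peel the matcher-less, single-route subroute wrapped around a site."""
    while len(handlers) == 1 and handlers[0].get("handler") == "subroute":
        inner = handlers[0].get("routes", [])
        if len(inner) != 1 or inner[0].get("match"):
            return None  # several inner routes or nested matchers
        handlers = inner[0].get("handle", [])
    return handlers

def classify(route):
    """Return (kind, details); anything not provably simple is 'advanced'."""
    match = route.get("match", [])
    handlers = unwrap(route.get("handle", []))
    host_only = len(match) == 1 and set(match[0]) == {"host"}
    if not host_only or not handlers or len(handlers) != 1:
        return "advanced", {}
    h, hosts = handlers[0], match[0]["host"]
    if h.get("handler") == "reverse_proxy" and set(h) <= FORM_KEYS:
        tls = h.get("transport", {}).get("tls") or {}
        # tls_insecure_skip_verify must import as "verify off", not be lost
        return "proxy_host", {"hosts": hosts,
            "upstreams": [u["dial"] for u in h.get("upstreams", [])],
            "verify_upstream_tls": not tls.get("insecure_skip_verify", False)}
    location = h.get("headers", {}).get("Location")
    if h.get("handler") == "static_response" and location:
        return "redirection", {"hosts": hosts, "to": location[0],
                               "status": h.get("status_code", 302)}
    return "advanced", {}

def insecure_upstreams(routes):
    """Host lists of proxy hosts imported with upstream TLS verify off."""
    return [d["hosts"] for k, d in map(classify, routes)
            if k == "proxy_host" and not d["verify_upstream_tls"]]
```
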
v2.10.9: rescuing older imports
If you imported your Caddyfile under v2.10.6 or earlier, your proxy-shaped blocks are sitting on /raw-routes as Advanced rows. v2.10.9 adds a "Re-classify" button at the top of /raw-routes that re-runs the v2.10.7 classifier across every visible Advanced row:
- Each row's JSON is fed through the same classifier as the import path. Rows that now qualify as proxy or redirection get converted into the proper table; the original Advanced row is deleted in the same transaction.
- Genuinely-Advanced rows (custom matchers, multiple handlers) are left alone, so re-clicking the button is idempotent.
- Per-row ownership is honoured: non-admins can only re-classify their own rows.
- A confirmation prompt fires before the bulk operation, and a flash banner reports the result count when it lands back on the page.
~70 per-host options + path-based routing (v2.10.0)
v2.10.0 was the GA cut of a long preview cycle (v2.9.0 → v2.9.267). Two structural features and around seventy individual per-host options landed:
Two structural features
- `proxy_redirect_rules`: path-based redirects on a proxy host, fired before the reverse_proxy. Lets you express `@root path / → redir /webmail 302` as a single proxy host with one redirect rule, instead of dropping into Advanced JSON.
- `additional_upstream_rules`: one proxy host can route different paths to different upstreams. The Nextcloud-style `handle_path /push/* { reverse_proxy push:7867 }` + `handle /exapps/* { reverse_proxy harp:8780 }` + `handle { reverse_proxy nc:80 }` pattern is now a single proxy host with two override rules plus the host's main forward target, with optional `strip_prefix` per rule.
~70 per-host options across four batches
Eight features per batch, four batches, plus ad-hoc additions. A non-exhaustive sample of the categories:
- Identity headers: X-Forwarded-Method, X-Request-Original-Host, canonical-host enforcement (301 to the canonical Host for SEO consolidation)
- Bot & admin-path blocking: built-in blocklist for AhrefsBot, SemrushBot, Bytespider, MJ12bot, etc. (legit crawlers untouched), plus 404-not-403 on /wp-admin, /.git, /.env, /phpmyadmin, /.aws, /.ssh, etc.
- Header strip / forward toggles: strip arbitrary request headers before forwarding (symmetric with strip_response_headers), Link: rel=dns-prefetch / rel=preconnect hints, X-Robots-Tag noindex one-click
- Health-check authentication: Basic auth or bearer token for active health probes against upstreams that require it
- Performance: SQLite tuning + `access_daily` rollup wiring shrank multi-second analytics scans to ~10ms
Migrations are additive (ALTER TABLE ADD COLUMN guarded by a column-existence check), so upgrading from any v2.7.x or v2.8.x doesn't require any manual steps.
Proxy-host form search / filter (v2.10.2)
With ~70 fields on the proxy-host edit form, finding the one you want became its own challenge. v2.10.2 adds a search box at the top of the form that filters fields live as you type, matching against the field label, hint text, or the underlying option name. Tab headers stay visible; matching fields glow, non-matches fade. Clearing the box restores the full form.
Looking for the X-Forwarded-Proto toggle? Type "forwarded". CSP override? Type "csp". Fastest way to navigate a dense form without imposing a new IA on it.
Baseline security headers on CaddyUI's own responses (v2.10.3 → v2.10.5)
CaddyUI itself is a web app, served by Caddy. v2.10.3 adds a baseline security-header bundle to CaddyUI's own response chain, separate from any per-host headers you toggle on for your downstream sites. Defaults that Mozilla Observatory rates A+ out of the box:
- `Strict-Transport-Security` with one-year max-age and includeSubDomains
- `X-Content-Type-Options: nosniff`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `X-Frame-Options: DENY` + `Content-Security-Policy: frame-ancestors 'none'` (defence in depth: older browsers honour XFO, modern ones honour CSP frame-ancestors)
- `Permissions-Policy` denying camera, microphone, geolocation, payment, USB
v2.10.4 fixed a bundle-dedup bug where the initial implementation could ship two copies of the same header when both the global bundle and a per-host toggle set the same name. v2.10.5 generalised the fix: per-header response setters now go through a delete + set pattern so the upstream's value is unconditionally replaced, instead of being appended next to a CaddyUI-set value (which some clients honour differently).
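An added example, not CaddyUI's own code: a check of a response's headers against the baseline above, which also shows why appending next to an upstream value leaves two copies on the wire while delete + set leaves one. The Permissions-Policy syntax, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

def _max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

DENIED = ("camera", "microphone", "geolocation", "payment", "usb")
# Baseline from the list above: header name -> check on its single value.
BASELINE = {
    "strict-transport-security":
        lambda v: _max_age(v) >= 31536000 and "includesubdomains" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "x-frame-options": lambda v: v.strip().upper() == "DENY",
    "content-security-policy": lambda v: "frame-ancestors 'none'" in v.lower(),
    # Assumed syntax: an empty allowlist, e.g. camera=(), denies the feature.
    "permissions-policy": lambda v: all(f"{f}=()" in v.lower() for f in DENIED),
}

def merge(upstream, ours, replace=True):
    """replace=True is delete + set; replace=False appends beside upstream."""
    names = {n.lower() for n, _ in ours}
    return [(n, v) for n, v in upstream
            if not (replace and n.lower() in names)] + list(ours)

def audit(headers):
    """Map each baseline header to 'missing', 'duplicate' or 'weak'."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    problems = {}
    for name, ok in BASELINE.items():
        values = seen.get(name, [])
        if len(values) != 1:
            problems[name] = "duplicate" if values else "missing"
        elif not ok(values[0]):
            problems[name] = "weak"
    return problems

# Constructed sample: an upstream that sets its own framing header.
UPSTREAM = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
OURS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Permissions-Policy",
     "camera=(), microphone=(), geolocation=(), payment=(), usb=()"),
]
```
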
Caddyfile to form-field mapping (v2.10.6)
Built-in docs at /docs got a new section: a side-by-side mapping of every Caddyfile directive to the proxy-host form field that produces it. Inline links from the Caddyfile-import page route you to the relevant doc anchor when a paste fails. Useful when you're hand-translating an old Caddyfile and want to know which form field corresponds to header_up, handle_errors, tls dns cloudflare, etc.
Upgrade
```bash
docker compose pull && docker compose up -d
```
Or in Portainer: Recreate → enable Re-pull image. Migrations run automatically on startup. No downtime beyond the container restart.
Multi-arch on Docker Hub (linux/amd64 + linux/arm64, SBOM + provenance attestations, scratch base, non-root UID 10001):
```bash
docker pull applegater/caddyui:v2.10.9
# or, for the rolling preview tag (single-arch amd64)
docker pull applegater/caddyui:preview
```
Note: :latest still points at v2.10.0. The :latest retag bundles roughly eight features at a time to keep the rolling tag stable. v2.10.7/8/9 are on :preview and the per-version tags. :latest will move forward once a few more features land.
On the whiteboard
- Export as Caddyfile: reverse direction of the import path; turn a proxy host (or a whole server) back into a paste-able Caddyfile snippet for backup or hand-off.
- Raw-route conflict guard: extend the v2.7.7 duplicate-domain check into raw routes (host matchers live inside JSON, so this needs a parser pass).
- More DNS providers: Route 53, Gandi, Njalla if there's demand.
- Per-host rate limiting: Caddy supports it natively; the UI doesn't expose it yet.
Want something specific? Open an issue on GitHub.