deps(go): bump github.com/caddyserver/caddy/v2 from 2.8.4 to 2.9.0

[dependabot]

Bumps github.com/caddyserver/caddy/v2 from 2.8.4 to 2.9.0.

Release notes

Sourced from github.com/caddyserver/caddy/v2's releases.

v2.9.0

Happy New Year! We're pleased to release Caddy 2.9. Aside from some minor new features, this release is mainly focused on refinements and bug fixes in many areas, including:

• Config loading
• Events
• Logging
• Placeholders
• Reverse proxy and HTTP server performance
• Matchers
• HTTP (esp. HTTP/3)
• Metrics (per-host metrics)
• Security
• TLS automation & ACME ARI

We realize there is extensive interest in Encrypted Client Hello (ECH) and post-quantum ciphers. These are slated to be supported in Go 1.24, which is scheduled for a stable release in approximately February. We did not want to force users to go through the inconvenience of installing pre-release, non-stock installations of Go, even though the RCs are quite stable and production-ready, in order to even compile Caddy, which is quite common given our plugin ecosystem. We anticipate a Caddy 2.10 release in the near future with these capabilities, built on Go 1.24.

We hope you will enjoy the 2.9 release. Thanks to all contributors, bug reporters, and helpers, and those organizations which deployed pre-release versions to production to help verify patches and features.

Changelog

• ef4e0224a8495fc29847d865087febdee8736e3b caddyfile: Fix comma edgecase in address parsing (#6616)
• b116dcea3d022cd2b060a978c499ac17e5d0a2e1 caddyhttp: Add {?query} placeholder (#6714)
• c216cf551dcbd2de1da1b9fe8a7e179b76827753 caddyhttp: Allow matching Transfer-Encoding, add to access logs (#6629)
• 197c564f2032becba14aeec0152fe5eeb639d6c1 caddyhttp: Set default ReadHeaderTimeout (1 min)
• 09b2cbcf4d839adec91b189fea549d64a69e0595 caddyhttp: Add MatchWithError to replace SetVar hack (#6596)
• c6f2979986d87d7236b132c687c8887c92248dd8 caddyhttp: Close http3 server gracefully (#6213)
• 88fd5f3491ab888f69f0be02cea68a49164298eb caddyhttp: Use internal issuer for IPs when no APs configured
• 5c8dc344181c49bc7feade4a293bb4eed882b838 caddytls: Allow disabling storage cleaning, avoids writing two files (#6593)
• d7564d632fbed209e81978c5c2c529a7bf1836f7 caddytls: Drop rate_limit and burst, has been deprecated (#6611)
• d398898b352a6a7e8ac5c24da01dd948fc334d77 cmd: Allow add-package to select version of package (#6665)
• 66c80caf236e2d98e61bf1bc8bb062d7b8c25430 cmd: Disable go1.23 tlskyber=1 experiment
• fb72793269d419b2b37b5f1db8141c63818be514 cmd: Reject multiple configs for fmt command (#6717)
• b3ce260389a88a35c9b0e0a19a93abfe92fb6e9f cmd: ignore missing keys during storage export (#6697)
• 0182fb87fa7276463086c2360431a1c0dc797edf core: addresses.go funcs renames (#6622)
• e76405d55058b0a3e5ba222b44b5ef00516116aa core: Change ListenerFunc signature (#6651)
• 315715e90ffa25c4ad0d8a96e828dbdf6f638583 core: Implement FastAbs to avoid repeated os.Getwd calls (#6687)
• d0e209e1da6cd6d7d61e83b851f2913ee31454f8 encode: good defaults (#6737)
• 5ba1e06fd661aac2cbaab6d4a2ef63a9eb877a46 encode: try to use sendfile when compression is not used (#6749)
• bcaa8aaf114629031d10dcef0ca7680ae8163e32 encode: write status immediate for success response for CONNECT requests (#6738)
• 1d156527ea8fef0a96faa54d7ff61244e4be4094 events: Use WithLazy to prevent eager serialization of the event data (#6671)
• 6790c0e38abcc534c4b3365b6e438148001fd6df fastcgi: check for CONTENT_LENGTH when sending requests (#6661)
• eddbccd298f637c4785c891f5f96dbf103580fa8 fastcgi: remove dir redirection when useless in php_fastcgi (#6698)
• efd9251ad38a4fd9f7d900445400ac3c8e564c28 fileserver: Add first_exist_fallback strategy for try_files (#6699)
• d0123bd760f6c140f3b935159a55ba64899c84f8 fileserver: Fix policy Validate() oversight (#6727)
• 290cfea08f2486fb86dbc11eec96d79751180eda fileserver: add a test for precompressed defaults (#6743)
• 5c2617ebf9303100fc8c6be2a80b966b2c7fb7f1 fileserver: good default for precompressed (#6736)
• cc23ad6402e6dace30b04f0d9113530a4d9541a9 fileserver: Add file_limit option for browse (to be experimental) (#6648)
• 350ad38f63f7a49ceb3821c58d689b85a27ec4e5 fileserver: Fix Caddyfile parsing
• 9753c4451077d4459ec10cb3df27ab9dc4456290 fileserver: fix try_policy when instantiating file matcher from CEL (#6624)
• 05cfb121ec3f214c0e45206c188f34bad4d4eb8c forwardauth: Skip copying missing response headers (#6608)
• ed1c594cdbddf89829eaf1174f414028577b432d go.mod: Upgrade ACMEz to v3; and upgrade CertMagic

... (truncated)

Commits

• 3f3f8b3 go.mod: Upgrade CertMagic to v0.21.5
• f2c17d1 testing: sort force-automated hosts (#6756)
• afa778a httpcaddyfile: Implement experimental force_automate option (#6712)
• 5ba1e06 encode: try to use sendfile when compression is not used (#6749)
• c216cf5 caddyhttp: Allow matching Transfer-Encoding, add to access logs (#6629)
• ed1c594 go.mod: Upgrade ACMEz to v3; and upgrade CertMagic
• 66c80ca cmd: Disable go1.23 tlskyber=1 experiment
• 47391e4 Update SECURITY.md
• 6790c0e fastcgi: check for CONTENT_LENGTH when sending requests (#6661)
• c864b82 reverseproxy: Set Content-Length when body is fully buffered (#6638)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)