Conversation

@geropl (Member) commented Jan 9, 2026

Description

Upgrade Caddy to 2.11.0-beta.2 across all proxy-related components to fix a critical security vulnerability (GHSA-h8cp-697h-8c8p).

Changes

ide-proxy & dashboard (commit 1):

  • Update caddy/caddy image from 2.9.1 to 2.11-alpine

proxy component (commit 2):

  • Update Dockerfile to use caddy:builder with xcaddy build v2.11.0-beta.2
  • Update runtime base to caddy/caddy:2.11-alpine
  • Update all 10 plugin go.mod files from Caddy v2.7.6 to v2.11.0-beta.2
  • Fix sshtunnel plugin: replace deprecated caddy.Listen() with NetworkAddress.Listen() API

Additional upgrade to beta.2 (commit 3):

  • Upgrade from 2.10.2 to 2.11.0-beta.2 to fix critical vulnerability

Vulnerabilities Fixed

CRITICAL severity:

  • GHSA-h8cp-697h-8c8p - smallstep/certificates authorization bypass in ACME/SCEP (fixed in v0.29.0, included in Caddy 2.11.0-beta.2)

HIGH severity:

MEDIUM severity:

Note on Beta Version

Using Caddy 2.11.0-beta.2 because:

  1. It's the only version with the fix for the critical GHSA-h8cp-697h-8c8p vulnerability
  2. The beta was released Jan 6, 2026 and specifically bumps smallstep/certificates to v0.29.0
  3. Gitpod doesn't use the affected ACME provisioner features (pre-configured TLS certs are used)
  4. All proxy functionality tested and verified working

Related Issue(s)

Fixes CLC-2189

How to test

Tested on preview environment gpl-clc-21b31317cbc2.preview.gitpod-dev.com:

  • Proxy health check returns 200
  • Dashboard loads without errors
  • Workspace starts successfully
  • Terminal works (WebSocket connection)
  • SSH tunnel connectivity
  • Workspace port forwarding
  • Workspace download
  • CORS preflight requests
  • ConfigCat endpoint responds
  • Analytics endpoint responds
  • Static binary downloads work

All tests verified on 2026-01-12.
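The proxy build described above (caddy:builder stage running xcaddy, plugins supplied as local replacements, caddy/caddy:2.11-alpine at runtime) looks roughly like the following. This is an added illustration, not the Gitpod proxy Dockerfile itself: the plugin module path and the Caddy version are taken from the PR, while the `plugins/` build-context directory and the `BUILDER_IMAGE`/`RUNTIME_IMAGE` build args are assumptions added here so that both image references can be pinned to a digest from CI without editing the file.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's own Dockerfile. Image refs default to the tags
# the PR uses; override them with digest-pinned refs in CI, e.g.
#   --build-arg BUILDER_IMAGE=caddy:builder@sha256:<digest>
ARG BUILDER_IMAGE=caddy:builder
ARG RUNTIME_IMAGE=caddy/caddy:2.11-alpine
ARG CADDY_VERSION=v2.11.0-beta.2

FROM ${BUILDER_IMAGE} AS builder
ARG CADDY_VERSION
# Assumed layout: each plugin lives under plugins/<name> in the build context
# with its own go.mod requiring github.com/caddyserver/caddy/v2 at CADDY_VERSION.
COPY plugins/ /plugins/
# xcaddy resolves the requested Caddy version and compiles the listed plugins in;
# "=path" makes it a local replace so the vendored plugin source is what gets built.
RUN xcaddy build "${CADDY_VERSION}" \
      --output /usr/bin/caddy \
      --with github.com/gitpod-io/gitpod/proxy/plugins/frontend_dev=/plugins/frontend_dev
# Fail the build if the binary is not the version we asked for, and print the
# compiled-in module list so a missing plugin shows up in the build log.
RUN /usr/bin/caddy version | grep -F "${CADDY_VERSION}" \
 && /usr/bin/caddy list-modules --versions

FROM ${RUNTIME_IMAGE}
# Only the freshly built binary crosses into the runtime image; the upstream
# caddy binary shipped in the base image is overwritten here.
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```

The `caddy version` check is the cheap guard against a silent downgrade: if a cached builder layer or a stale go.mod produces a binary of a different version, the grep fails and the image is never published.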

@socket-security bot commented Jan 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                                          Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  golang/github.com/caddyserver/caddy/v2@v2.7.6 ⏵ v2.11.0-beta.2  74 +1                  100            100      100          100
Updated  golang/go.uber.org/zap@v1.25.0 ⏵ v1.27.1                         98 +1                  100            100      100          100


@kylos101 (Contributor) left a comment

Added a couple observations, no blocking questions or concerns, adding ✅ to unblock.

Comment on lines -7 to -11
RUN go install golang.org/dl/go1.24.3@latest && \
go1.24.3 download && \
rm -rf /usr/local/go && \
mv /go /usr/local/go && \
mv /usr/local/go/bin/go1.24.3 /usr/local/go/bin/go
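Review bot: the removed block fetched the Go toolchain at build time through `go install golang.org/dl/go1.24.3@latest` and then swapped it into /usr/local/go by hand with `rm -rf` and `mv`; `@latest` on the dl wrapper is an unpinned network fetch, so the build was not reproducible and the toolchain was never integrity-checked against anything in the base image. Replacing it with the Go that ships in the caddy builder image is the right call, but the gain only holds if that builder image reference is itself pinned by digest rather than by a floating tag.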

Nice, I see caddy 2.10 has go built-in now as the base image

--with github.com/gitpod-io/gitpod/proxy/plugins/frontend_dev=/plugins/frontend_dev

FROM cgr.dev/chainguard/wolfi-base:latest@sha256:815b27b8a70713c70404e44a718eddd52ea6f4a2bfad5f56455b52cd2789a9b2
FROM caddy/caddy:2.10.2-alpine
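Review bot: the replaced base line pinned wolfi-base to a sha256 digest, whereas the new `FROM caddy/caddy:2.10.2-alpine` pins only a mutable tag, so this hunk trades away reproducibility and the guarantee that a re-pushed tag cannot change the runtime image underneath the build. Add an `@sha256:` digest to the new FROM line (and to the caddy:builder stage that produces the binary) and bump it deliberately when the tag moves, as it moves again to 2.11 in this same PR.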

The only bummer here is that we're switching from chainguard to caddy. But I get it, and I see dashboard and ide-proxy already use it.

geropl and others added 2 commits January 12, 2026 07:27
Co-authored-by: Ona <no-reply@ona.com>
- Update Dockerfile to use caddy:2.10.2-builder and caddy/caddy:2.10.2-alpine
- Update all 10 plugin go.mod files from Caddy v2.7.6 to v2.10.2
- Fix sshtunnel plugin: replace deprecated caddy.Listen() with NetworkAddress.Listen()
- Remove intermediate Go version upgrade stage (caddy:2.10.2-builder includes Go 1.24+)

Fixes several HIGH severity vulnerabilities:
- GHSA-7jwh-3vrq-q3m8 (pgproto3 SQL injection)
- GHSA-m7wr-2xf7-cm9p (pgx SQL injection)
- GHSA-mrww-27vc-gghv (pgx SQL injection)
- GHSA-c33x-xqrf-c478 (quic-go DoS)
- GHSA-vrw8-fxc6-2r93 (chi host header injection)

Co-authored-by: Ona <no-reply@ona.com>
@geropl force-pushed the gpl/clc-2189-proxy-caddy-upgrade branch from 0dd7f3c to 142b6c2 on January 12, 2026 07:27
@geropl (Member, Author) commented Jan 12, 2026

Test Protocol

Tested on preview environment gpl-clc-21b31317cbc2.preview.gitpod-dev.com

Test                    Command / Action                                          Result
Proxy health            curl https://<domain>/api/health                          ✅ 200 OK
Dashboard loads         Browser                                                   ✅ No errors
Start workspace         Dashboard                                                 ✅ Workspace starts
Terminal (WebSocket)    Workspace terminal                                        ✅ Commands execute
SSH tunnel              ssh <ws>@<domain>                                         ✅ Connection established
Workspace port access   Access workspace port URL                                 ✅ Content served
Workspace download      Dashboard download option                                 ✅ Download starts
CORS preflight          curl -X OPTIONS -H "Origin: ..." /api/gitpod              ✅ 204, headers present
ConfigCat endpoint      curl /configcat                                           ✅ 200 (empty body expected)
Analytics endpoint      curl -X POST /analytics -d '{...}'                        ✅ 200 (empty body expected)
Static binary download  curl -I /static/bin/gitpod-local-companion-linux-amd64   ✅ 200, 22MB binary served

All proxy functionality verified working after Caddy 2.10.2 upgrade.
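The curl-based rows of the protocol above can be turned into a repeatable post-upgrade smoke test so the same checks run after every Caddy bump rather than by hand. The script below is an added example, not Gitpod's own tooling: the endpoints and expected status codes come from the table, the domain is read from a `PROXY_DOMAIN` variable assumed here (for instance the preview domain named in the comment), and the `Access-Control-Request-Method` header on the preflight is an assumption added so the request is a well-formed CORS preflight. The browser-driven rows (dashboard, workspace start, terminal, SSH) are out of scope for a curl script and are left to manual testing.

```shell
#!/bin/sh
# Added post-upgrade smoke test (not the project's own). Run as:
#   PROXY_DOMAIN=<preview-domain> sh smoke.sh
# Each check compares the HTTP status curl observed against the value the
# PR's test protocol documents as expected.

# http_code URL [curl args...] -> prints the HTTP status ("000" on transport failure)
http_code() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url"
}

# check NAME EXPECTED ACTUAL -> prints a PASS/FAIL line; returns 0 on match, 1 otherwise
check() {
  name=$1; expected=$2; actual=$3
  if [ "$actual" = "$expected" ]; then
    printf 'PASS %-22s %s\n' "$name" "$actual"
    return 0
  fi
  printf 'FAIL %-22s got %s, expected %s\n' "$name" "$actual" "$expected"
  return 1
}

# cors_ok HEADER_TEXT -> 0 when the preflight response carries the CORS headers
# a browser needs to let the cross-origin call through ("headers present" in the table)
cors_ok() {
  printf '%s\n' "$1" | grep -qi '^access-control-allow-origin:' &&
  printf '%s\n' "$1" | grep -qi '^access-control-allow-methods:'
}

# run_smoke DOMAIN -> runs every curl-able row; returns the number of failures
run_smoke() {
  domain=$1; fails=0
  base="https://$domain"

  check "proxy health" 200 "$(http_code "$base/api/health")" || fails=$((fails+1))
  check "configcat" 200 "$(http_code "$base/configcat")" || fails=$((fails+1))
  check "analytics" 200 "$(http_code "$base/analytics" -X POST \
        -H 'Content-Type: application/json' -d '{}')" || fails=$((fails+1))
  # HEAD request: confirms the binary is served without downloading 22MB
  check "static binary (HEAD)" 200 \
        "$(http_code "$base/static/bin/gitpod-local-companion-linux-amd64" -I)" || fails=$((fails+1))

  # Preflight: capture response headers only, then check status and CORS headers separately
  preflight=$(curl -s -D - -o /dev/null --max-time 10 -X OPTIONS \
        -H "Origin: https://$domain" -H 'Access-Control-Request-Method: POST' \
        "$base/api/gitpod")
  check "cors preflight" 204 "$(printf '%s\n' "$preflight" | head -n1 | awk '{print $2}')" || fails=$((fails+1))
  if cors_ok "$preflight"; then
    echo "PASS cors headers"
  else
    echo "FAIL cors headers: allow-origin/allow-methods missing"
    fails=$((fails+1))
  fi
  return "$fails"
}

# Only touch the network when a domain is supplied, so the helpers can be
# sourced and unit-tested offline.
if [ -n "${PROXY_DOMAIN:-}" ]; then
  run_smoke "$PROXY_DOMAIN"
fi
```

The exit status of `run_smoke` is the failure count, so the script can gate a deployment pipeline directly; a transport failure shows up as status `000` and is reported like any other mismatch instead of being mistaken for a pass.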

@geropl geropl marked this pull request as ready for review January 12, 2026 09:43
@geropl geropl requested a review from a team as a code owner January 12, 2026 09:43
Co-authored-by: Ona <no-reply@ona.com>
Upgrade from Caddy 2.10.2 to 2.11.0-beta.2 to fix GHSA-h8cp-697h-8c8p
(Critical - authorization bypass in smallstep/certificates ACME/SCEP).

- proxy: Use caddy:builder with xcaddy build v2.11.0-beta.2
- ide-proxy, dashboard: Use caddy/caddy:2.11-alpine
- Update all plugin go.mod files to Caddy v2.11.0-beta.2

Co-authored-by: Ona <no-reply@ona.com>
@geropl changed the title from "Upgrade Caddy to 2.10.2 across proxy components" to "Upgrade Caddy to 2.11.0-beta.2 across proxy components" Jan 12, 2026
@geropl geropl merged commit 1bb0e32 into main Jan 12, 2026
27 checks passed
@geropl geropl deleted the gpl/clc-2189-proxy-caddy-upgrade branch January 12, 2026 12:29