chore(deps): bump github.com/caddyserver/caddy/v2 from 2.10.2 to 2.11.1 #130

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/caddyserver/caddy/v2-2.11.1

@dependabot dependabot Bot commented on behalf of github Feb 23, 2026

Bumps github.com/caddyserver/caddy/v2 from 2.10.2 to 2.11.1.

Release notes

Sourced from github.com/caddyserver/caddy/v2's releases.

v2.11.1

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454)
  • log_append can now log request and response bodies, useful for debugging.
  • Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches

  • fastcgi: CVE-2026-27590 by @​dunglas and @​AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
  • admin: CVE-2026-27589 by @​1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
  • caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
  • caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
  • caddytls: CVE-2026-27586 by @​moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
  • caddyhttp: CVE-2026-27585 by @​parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

What's Changed

... (truncated)

Commits
  • 6610e2f chore: Disable windows/arm build target (Go 1.26 disabled) (#7503)
  • 03243e4 go.mod: Upgrade dependencies
  • cb436f0 fileserver: Fix tests on Windows
  • a108119 Merge commit from fork
  • eec32a0 Merge commit from fork
  • a2825c5 fileserver: Replace \ with \ in file matcher paths
  • db256b5 build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#7497)
  • 6772ffb Revert "listeners: Add support for named socket activation (#7243)"
  • 95941a7 chore: Add nolints to work around haywire linters (#7493)
  • 3adcafd admin: Fix tests locally, properly isolate storage (#7486)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
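
The bug class behind CVE-2026-27590 in the release notes above, as an added Go example that is not Caddy's code or its patch: an offset found in a lowercased copy of a path is applied to the original, whose byte length can differ. The function names, the ASCII-only split string and the sample path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitUnsafe shows the bug class: the index is found in a lowercased copy,
// then applied to the original, whose byte length may differ.
func splitUnsafe(path, split string) (script, info string, ok bool) {
	i := strings.Index(strings.ToLower(path), strings.ToLower(split))
	if i < 0 {
		return path, "", false
	}
	end := i + len(split)
	if end > len(path) { // the lowered copy was longer than the original
		end = len(path)
	}
	return path[:end], path[end:], true
}

// asciiLower lowercases only A-Z, byte by byte, so every offset stays valid.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return string(b)
}

// splitSafe searches a length-preserving copy (assumes an ASCII split string).
func splitSafe(path, split string) (script, info string, ok bool) {
	i := strings.Index(asciiLower(path), asciiLower(split))
	if i < 0 {
		return path, "", false
	}
	end := i + len(split)
	return path[:end], path[end:], true
}

func main() {
	p := "/\u023a\u023a/app.PHP/info" // constructed: U+023A grows from 2 to 3 bytes when lowercased
	s, i, _ := splitUnsafe(p, ".php")
	fmt.Printf("unsafe: %q %q\n", s, i)
	s, i, _ = splitSafe(p, ".php")
	fmt.Printf("safe:   %q %q\n", s, i)
}
```
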

Bumps [github.com/caddyserver/caddy/v2](https://github.com/caddyserver/caddy) from 2.10.2 to 2.11.1.
- [Release notes](https://github.com/caddyserver/caddy/releases)
- [Commits](caddyserver/caddy@v2.10.2...v2.11.1)

---
updated-dependencies:
- dependency-name: github.com/caddyserver/caddy/v2
  dependency-version: 2.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Feb 23, 2026
dependabot Bot commented on behalf of github Mar 9, 2026

Superseded by #131.

dependabot Bot closed this Mar 9, 2026
dependabot Bot deleted the dependabot/go_modules/github.com/caddyserver/caddy/v2-2.11.1 branch March 9, 2026 18:30