Merge branch 'master' into tls-ech-ph

modules/caddyhttp/reverseproxy/fastcgi/writer.go

@@ -112,7 +112,7 @@ func encodeSize(b []byte, size uint32) int {
 		binary.BigEndian.PutUint32(b, size)
 		return 4
 	}
-	b[0] = byte(size)
+	b[0] = byte(size) //nolint:gosec // false positive; b is made 8 bytes long, then this function is always called with b being at least 4 or 1 byte long
 	return 1
 }
 

modules/caddyhttp/server.go

@@ -285,6 +285,11 @@ type Server struct {
 	onStopFuncs      []func(context.Context) error // TODO: Experimental (Nov. 2023)
 }
 
+var (
+	ServerHeader = "Caddy"
+	serverHeader = []string{ServerHeader}
+)
+
 // ServeHTTP is the entry point for all HTTP requests.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// If there are listener wrappers that process tls connections but don't return a *tls.Conn, this field will be nil.
@@ -294,16 +299,14 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	w.Header().Set("Server", "Caddy")
+	h := w.Header()
+	h["Server"] = serverHeader
 
 	// advertise HTTP/3, if enabled
-	if s.h3server != nil {
-		if r.ProtoMajor < 3 {
-			err := s.h3server.SetQUICHeaders(w.Header())
-			if err != nil {
-				if c := s.logger.Check(zapcore.ErrorLevel, "setting HTTP/3 Alt-Svc header"); c != nil {
-					c.Write(zap.Error(err))
-				}
+	if s.h3server != nil && r.ProtoMajor < 3 {
+		if err := s.h3server.SetQUICHeaders(h); err != nil {
+			if c := s.logger.Check(zapcore.ErrorLevel, "setting HTTP/3 Alt-Svc header"); c != nil {
+				c.Write(zap.Error(err))
 			}
 		}
 	}
@@ -328,9 +331,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// enable full-duplex for HTTP/1, ensuring the entire
 	// request body gets consumed before writing the response
 	if s.EnableFullDuplex && r.ProtoMajor == 1 {
-		//nolint:bodyclose
-		err := http.NewResponseController(w).EnableFullDuplex()
-		if err != nil {
+		if err := http.NewResponseController(w).EnableFullDuplex(); err != nil { //nolint:bodyclose
 			if c := s.logger.Check(zapcore.WarnLevel, "failed to enable full duplex"); c != nil {
 				c.Write(zap.Error(err))
 			}
@@ -417,8 +418,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var fields []zapcore.Field
 	if s.Errors != nil && len(s.Errors.Routes) > 0 {
 		// execute user-defined error handling route
-		err2 := s.errorHandlerChain.ServeHTTP(w, r)
-		if err2 == nil {
+		if err2 := s.errorHandlerChain.ServeHTTP(w, r); err2 == nil {
 			// user's error route handled the error response
 			// successfully, so now just log the error
 			for _, logger := range errLoggers {

modules/caddytls/leaffolderloader.go

@@ -29,9 +29,9 @@ func init() {
 	caddy.RegisterModule(LeafFolderLoader{})
 }
 
-// LeafFolderLoader loads certificates and their associated keys from disk
+// LeafFolderLoader loads certificates from disk
 // by recursively walking the specified directories, looking for PEM
-// files which contain both a certificate and a key.
+// files which contain a certificate.
 type LeafFolderLoader struct {
 	Folders []string `json:"folders,omitempty"`
 }

modules/logging/filters_test.go

@@ -404,12 +404,12 @@ func TestMultiRegexpFilterInputSizeLimit(t *testing.T) {
 	// Test with very large input (should be truncated)
 	largeInput := strings.Repeat("test", 300000) // Creates ~1.2MB string
 	out := f.Filter(zapcore.Field{String: largeInput})
-	
+
 	// The input should be truncated to 1MB and still processed
 	if len(out.String) > 1000000 {
 		t.Fatalf("output string not truncated: length %d", len(out.String))
 	}
-	
+
 	// Should still contain replacements within the truncated portion
 	if !strings.Contains(out.String, "REPLACED") {
 		t.Fatalf("replacements not applied to truncated input")