logging: fix multiple regexp filters on same field (fixes #7049) (#7061)

* logging: fix multiple regexp filters on same field (fixes #7049)

* fix: add proper error handling in MultiRegexpFilter tests

* fix: resolve linter and test issues - Fix GCI import formatting issues - Fix MultiRegexpFilter input size limit test by ensuring output doesn't exceed max length after each operation - All tests now pass and linter issues resolved

* fix: update integration test for proper JSON encoding - Fix expected JSON output to use Unicode escape sequence for ampersand character - Integration tests now pass

.github/ISSUE_TEMPLATE/ISSUE.yml

@@ -0,0 +1,31 @@
+name: Issue
+description: An actionable development item, like a bug report or feature request
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for opening an issue! This is for actionable development items like bug reports and feature requests.
+        If you have a question about using Caddy, please [post on our forums](https://caddy.community) instead.
+  - type: textarea
+    id: content
+    attributes:
+      label: Issue Details
+      placeholder: Describe the issue here. Be specific by providing complete logs and minimal instructions to reproduce, or a thoughtful proposal, etc.
+    validations:
+      required: true
+  - type: dropdown
+    id: assistance-disclosure
+    attributes:
+      label: Assistance Disclosure
+      description: "Our project allows assistance by AI/LLM tools as long as it is disclosed and described so we can better respond. Please certify whether you have used any such tooling related to this issue:"
+      options:
+        - 
+        - AI used
+        - AI not used
+    validations:
+      required: true
+  - type: input
+    id: assistance-description
+    attributes:
+      label: If AI was used, describe the extent to which it was used.
+      description: 'Examples: "ChatGPT translated from my native language" or "Claude proposed this change/feature"'

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Caddy forum
+    url: https://caddy.community
+    about: If you have questions (or answers!) about using Caddy, please use our forum

.github/SECURITY.md

@@ -48,9 +48,9 @@ We consider publicly-registered domain names to be public information. This nece
 
 It will speed things up if you suggest a working patch, such as a code diff, and explain why and how it works. Reports that are not actionable, do not contain enough information, are too pushy/demanding, or are not able to convince us that it is a viable and practical attack on the web server itself may be deferred to a later time or possibly ignored, depending on available resources. Priority will be given to credible, responsible reports that are constructive, specific, and actionable. (We get a lot of invalid reports.) Thank you for understanding.
 
-When you are ready, please email Matt Holt (the author) directly: matt at dyanim dot com.
+When you are ready, please submit a [new private vulnerability report](https://github.com/caddyserver/caddy/security/advisories/new).
 
-Please don't encrypt the email body. It only makes the process more complicated.
+Please don't encrypt the message. It only makes the process more complicated.
 
 Please also understand that due to our nature as an open source project, we do not have a budget to award security bounties. We can only thank you.
 

.github/dependabot.yml

@@ -3,5 +3,20 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
+    open-pull-requests-limit: 1
+    groups:
+      actions-deps:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"
+    
+  - package-ecosystem: "gomod"
+    directory: "/"
+    open-pull-requests-limit: 1
+    groups:
+      all-updates:
+        patterns:
+          - "*"
     schedule:
       interval: "monthly"

.github/pull_request_template.md

@@ -0,0 +1,29 @@
+
+
+
+## Assistance Disclosure
+<!--
+Thank you for contributing! Please note:
+
+The use of AI/LLM tools is allowed so long as it is disclosed, so
+that we can provide better code review and maintain project quality.
+
+If you used AI/LLM tooling in any way related to this PR, please
+let us know to what extent it was utilized.
+
+Examples:
+
+"No AI was used."
+"I wrote the code, but Claude generated the tests."
+"I consulted ChatGPT for a solution, but I authored/coded it myself."
+"Cody generated the code, and I verified it is correct."
+"Copilot provided tab completion for code and comments."
+
+We expect that you have vetted your contributions for correctness.
+Additionally, signing our CLA certifies that you have the rights to
+contribute this change.
+
+Replace the text below with your disclosure:
+-->
+
+_This PR is missing an assistance disclosure._

.github/workflows/ai.yml

@@ -0,0 +1,30 @@
+name: AI Moderator
+permissions: read-all
+on:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+jobs:
+  spam-detection:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      models: read
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: github/ai-moderator@6bcdb2a79c2e564db8d76d7d4439d91a044c4eb6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          spam-label: 'spam'
+          ai-label: 'ai-generated'
+          minimize-detected-comments: true
+          # Built-in prompt configuration (all enabled by default)
+          enable-spam-detection: true
+          enable-link-spam-detection: true
+          enable-ai-detection: true
+          # custom-prompt-path: '.github/prompts/my-custom.prompt.yml'  # Optional

.github/workflows/ci.yml

@@ -13,9 +13,13 @@ on:
       - 2.*
 
 env:
+  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -27,13 +31,13 @@ jobs:
           - mac
           - windows
         go:
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
+        - go: '1.25'
-          GO_SEMVER: '~1.24.1'
+          GO_SEMVER: '~1.25.0'
 
         # Set some variables per OS, usable via ${{ matrix.VAR }}
         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@@ -55,13 +59,21 @@ jobs:
           SUCCESS: 'True'
 
     runs-on: ${{ matrix.OS_LABEL }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write # to allow uploading artifacts and cache
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
@@ -99,7 +111,7 @@ jobs:
       env:
         CGO_ENABLED: 0
       run: |
-        go build -tags nobadger,nomysql,nopgx -trimpath -ldflags="-w -s" -v
+        go build -trimpath -ldflags="-w -s" -v
 
     - name: Smoke test Caddy
       working-directory: ./cmd/caddy
@@ -108,7 +120,7 @@ jobs:
         ./caddy stop
 
     - name: Publish Build Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
         path: ${{ matrix.CADDY_BIN_PATH }}
@@ -122,7 +134,7 @@ jobs:
       # continue-on-error: true
       run: |
         # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -tags nobadger,nomysql,nopgx -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -v -coverprofile="cover-profile.out" -short -race ./...
         # echo "status=$?" >> $GITHUB_OUTPUT
 
     # Relevant step if we reinvestigate publishing test/coverage reports
@@ -142,12 +154,21 @@ jobs:
 
   s390x-test:
     name: test (s390x on IBM Z)
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+          allowed-endpoints: ci-s390x.caddyserver.com:22
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run Tests
         run: |
           set +e
@@ -170,7 +191,7 @@ jobs:
           retries=3
           exit_code=0
           while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger,nomysql,nopgx -v ./...
+            CGO_ENABLED=0 go test -p 1 -v ./...
             exit_code=$?
             if ((exit_code == 0)); then
               break
@@ -194,25 +215,33 @@ jobs:
 
   goreleaser-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: latest
           args: check
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: "~1.24"
+          go-version: "~1.25"
           check-latest: true
       - name: Install xcaddy
         run: |
           go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
           xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: latest
           args: build --single-target --snapshot

.github/workflows/cross-build.yml

@@ -11,9 +11,14 @@ on:
       - 2.*
 
 env:
+  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
+  CGO_ENABLED: '0'
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -31,22 +36,30 @@ jobs:
           - 'darwin'
           - 'netbsd'
         go:
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
+        - go: '1.25'
-          GO_SEMVER: '~1.24.1'
+          GO_SEMVER: '~1.25.0'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     continue-on-error: true
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ matrix.GO_SEMVER }}
           check-latest: true
@@ -63,11 +76,9 @@ jobs:
 
       - name: Run Build
         env:
-          CGO_ENABLED: 0
           GOOS: ${{ matrix.goos }}
           GOARCH: ${{ matrix.goos == 'aix' && 'ppc64' || 'amd64' }}
         shell: bash
         continue-on-error: true
         working-directory: ./cmd/caddy
-        run: |
+        run: go build -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags=nobadger,nomysql,nopgx -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null

.github/workflows/lint.yml

@@ -44,14 +44,19 @@ jobs:
     runs-on: ${{ matrix.OS_LABEL }}
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
-      - uses: actions/setup-go@v5
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          go-version: '~1.24'
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: '~1.25'
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
 
@@ -62,10 +67,39 @@ jobs:
           # only-new-issues: true
 
   govulncheck:
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
-      - name: govulncheck
+      - name: Harden the runner (Audit all outbound calls)
-        uses: golang/govulncheck-action@v1
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          go-version-input: '~1.24.1'
+          egress-policy: audit
+
+      - name: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-version-input: '~1.25.0'
           check-latest: true
+  
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        with:
+          comment-summary-in-pr: on-failure
+          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
+          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
+          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

.github/workflows/release.yml

@@ -9,6 +9,9 @@ env:
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
@@ -17,13 +20,13 @@ jobs:
         os: 
           - ubuntu-latest
         go: 
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
+        - go: '1.25'
-          GO_SEMVER: '~1.24.1'
+          GO_SEMVER: '~1.25.0'
 
     runs-on: ${{ matrix.os }}
     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -35,19 +38,24 @@ jobs:
       contents: write
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
 
     # Force fetch upstream tags -- because 65 minutes
-    # tl;dr: actions/checkout@v4 runs this line:
+    # tl;dr: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2 runs this line:
     #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
     # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
     #   git fetch --prune --unshallow
@@ -101,11 +109,11 @@ jobs:
         git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@main
+      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
     - name: Cosign version
       run: cosign version
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@main
+      uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # main
     - name: Syft version
       run: syft version
     - name: Install xcaddy
@@ -114,7 +122,7 @@ jobs:
         xcaddy version
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       with:
         version: latest
         args: release --clean --timeout 60m

.github/workflows/release_published.yml

@@ -5,6 +5,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release Published
@@ -13,12 +16,20 @@ jobs:
         os: 
           - ubuntu-latest
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write
     steps:
 
     # See https://github.com/peter-evans/repository-dispatch
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/dist
@@ -26,7 +37,7 @@ jobs:
         client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
 
     - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/caddy-docker

.github/workflows/scorecard.yml

@@ -0,0 +1,86 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OpenSSF Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 2 * * 5'
+  push:
+    branches: [ "master", "2.*" ]
+  pull_request:
+    branches: [ "master", "2.*" ]
+
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+        with:
+          sarif_file: results.sarif

.golangci.yml

@@ -1,27 +1,19 @@
-linters-settings:
+version: "2"
-  errcheck:
+run:
-    exclude-functions:
+  issues-exit-code: 1
-      - fmt.*
+  tests: false
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
+  build-tags:
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+    - nobadger
-  gci:
+    - nomysql
-    sections:
+    - nopgx
-      - standard # Standard section: captures all standard packages.
+output:
-      - default # Default section: contains all imports that could not be matched to another section type.
+  formats:
-      - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
+    text:
-      - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
+      path: stdout
-    # Skip generated files.
+      print-linter-name: true
-    # Default: true
+      print-issued-lines: true
-    skip-generated: true
-    # Enable custom order of sections.
-    # If `true`, make the section order the same as the order of `sections`.
-    # Default: false
-    custom-order: true
-  exhaustive:
-    ignore-enum-types: reflect.Kind|svc.Cmd
-
 linters:
-  disable-all: true
+  default: none
   enable:
     - asasalint
     - asciicheck
@@ -35,148 +27,96 @@ linters:
     - errcheck
     - errname
     - exhaustive
-    - gci
-    - gofmt
-    - goimports
-    - gofumpt
     - gosec
-    - gosimple
     - govet
-    - ineffassign
     - importas
+    - ineffassign
     - misspell
     - prealloc
     - promlinter
     - sloglint
     - sqlclosecheck
     - staticcheck
-    - tenv
     - testableexamples
     - testifylint
     - tparallel
-    - typecheck
     - unconvert
     - unused
     - wastedassign
     - whitespace
     - zerologlint
-  # these are implicitly disabled:
+  settings:
-  # - containedctx
+    staticcheck:
-  # - contextcheck
+      checks: ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022",  "-QF1006", "-QF1008"] # default, and exclude 1 more undesired check
-  # - cyclop
+    errcheck:
-  # - depguard
+      exclude-functions:
-  # - errchkjson
+        - fmt.*
-  # - errorlint
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-  # - exhaustruct
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
-  # - execinquery
+    exhaustive:
-  # - exhaustruct
+      ignore-enum-types: reflect.Kind|svc.Cmd
-  # - forbidigo
+  exclusions:
-  # - forcetypeassert
+    generated: lax
-  # - funlen
+    presets:
-  # - ginkgolinter
+      - comments
-  # - gocheckcompilerdirectives
+      - common-false-positives
-  # - gochecknoglobals
+      - legacy
-  # - gochecknoinits
+      - std-error-handling
-  # - gochecksumtype
+    rules:
-  # - gocognit
+      - linters:
-  # - goconst
+          - gosec
-  # - gocritic
+        text: G115 # TODO: Either we should fix the issues or nuke the linter if it's bad
-  # - gocyclo
+      - linters:
-  # - godot
+          - gosec
-  # - godox
+        text: G107 # we aren't calling unknown URL
-  # - goerr113
+      - linters:
-  # - goheader
+          - gosec
-  # - gomnd
+        text: G203 # as a web server that's expected to handle any template, this is totally in the hands of the user.
-  # - gomoddirectives
+      - linters:
-  # - gomodguard
+          - gosec
-  # - goprintffuncname
+        text: G204 # we're shelling out to known commands, not relying on user-defined input.
-  # - gosmopolitan
+      - linters:
-  # - grouper
+          - gosec
-  # - inamedparam
+        # the choice of weakrand is deliberate, hence the named import "weakrand"
-  # - interfacebloat
+        path: modules/caddyhttp/reverseproxy/selectionpolicies.go
-  # - ireturn
+        text: G404
-  # - lll
+      - linters:
-  # - loggercheck
+          - gosec
-  # - maintidx
+        path: modules/caddyhttp/reverseproxy/streaming.go
-  # - makezero
+        text: G404
-  # - mirror
+      - linters:
-  # - musttag
+          - dupl
-  # - nakedret
+        path: modules/logging/filters.go
-  # - nestif
+      - linters:
-  # - nilerr
+          - dupl
-  # - nilnil
+        path: modules/caddyhttp/matchers.go
-  # - nlreturn
+      - linters:
-  # - noctx
+          - dupl
-  # - nolintlint
+        path: modules/caddyhttp/vars.go
-  # - nonamedreturns
+      - linters:
-  # - nosprintfhostport
+          - errcheck
-  # - paralleltest
+        path: _test\.go
-  # - perfsprint
+    paths:
-  # - predeclared
+      - third_party$
-  # - protogetter
+      - builtin$
-  # - reassign
+      - examples$
-  # - revive
+formatters:
-  # - rowserrcheck
+  enable:
-  # - stylecheck
+    - gci
-  # - tagalign
+    - gofmt
-  # - tagliatelle
+    - gofumpt
-  # - testpackage
+    - goimports
-  # - thelper
+  settings:
-  # - unparam
+    gci:
-  # - usestdlibvars
+      sections:
-  # - varnamelen
+        - standard # Standard section: captures all standard packages.
-  # - wrapcheck
+        - default # Default section: contains all imports that could not be matched to another section type.
-  # - wsl
+        - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
-
+        - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
-run:
+      custom-order: true
-  # default concurrency is a available CPU number.
+  exclusions:
-  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
+    generated: lax
-  timeout: 5m
+    paths:
-  issues-exit-code: 1
+      - third_party$
-  tests: false
+      - builtin$
-
+      - examples$
-# output configuration options
-output:
-  formats:
-    - format: 'colored-line-number'
-  print-issued-lines: true
-  print-linter-name: true
-
-issues:
-  exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
-        - gosec
-    # we aren't calling unknown URL
-    - text: 'G107' # G107: Url provided to HTTP request as taint input
-      linters:
-        - gosec
-    # as a web server that's expected to handle any template, this is totally in the hands of the user.
-    - text: 'G203' # G203: Use of unescaped data in HTML templates
-      linters:
-        - gosec
-    # we're shelling out to known commands, not relying on user-defined input.
-    - text: 'G204' # G204: Audit use of command execution
-      linters:
-        - gosec
-    # the choice of weakrand is deliberate, hence the named import "weakrand"
-    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
-      text: 'G404' # G404: Insecure random number source (rand)
-      linters:
-        - gosec
-    - path: modules/caddyhttp/reverseproxy/streaming.go
-      text: 'G404' # G404: Insecure random number source (rand)
-      linters:
-        - gosec
-    - path: modules/logging/filters.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/matchers.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/vars.go
-      linters:
-        - dupl
-    - path: _test\.go
-      linters:
-        - errcheck

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.52.2
+  hooks:
+  - id: golangci-lint-config-verify
+  - id: golangci-lint
+  - id: golangci-lint-fmt
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

README.md

@@ -14,6 +14,7 @@
 <p align="center">Caddy is an extensible server platform that uses TLS by default.</p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
+	<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	<br>
 	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
@@ -88,7 +89,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 
 Requirements:
 
-- [Go 1.24.0 or newer](https://golang.org/dl/)
+- [Go 1.25.0 or newer](https://golang.org/dl/)
 
 ### For development
 

admin.go

@@ -424,6 +424,13 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 
 	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
 		return err
@@ -545,6 +552,13 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 	// because we are using TLS authentication instead
 	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
 	clientCertPool := x509.NewCertPool()
@@ -932,7 +946,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {
 	return false
 }
 
-// etagHasher returns a the hasher we used on the config to both
+// etagHasher returns the hasher we used on the config to both
 // produce and verify ETags.
 func etagHasher() hash.Hash { return xxhash.New() }
 
@@ -1015,6 +1029,13 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 
+		// If this request changed the config, clear the last
+		// config info we have stored, if it is different from
+		// the original source.
+		ClearLastConfigIfDifferent(
+			r.Header.Get("Caddy-Config-Source-File"),
+			r.Header.Get("Caddy-Config-Source-Adapter"))
+
 	default:
 		return APIError{
 			HTTPStatus: http.StatusMethodNotAllowed,

admin_test.go

@@ -19,6 +19,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -148,11 +149,9 @@ func TestLoadConcurrent(t *testing.T) {
 	var wg sync.WaitGroup
 
 	for i := 0; i < 100; i++ {
-		wg.Add(1)
+		wg.Go(func() {
-		go func() {
 			_ = Load(testCfg, true)
-			wg.Done()
+		})
-		}()
 	}
 	wg.Wait()
 }
@@ -206,7 +205,7 @@ func TestETags(t *testing.T) {
 }
 
 func BenchmarkLoad(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for b.Loop() {
 		Load(testCfg, true)
 	}
 }
@@ -335,9 +334,7 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 
 func testGetMetricValue(labels map[string]string) float64 {
 	promLabels := prometheus.Labels{}
-	for k, v := range labels {
+	maps.Copy(promLabels, labels)
-		promLabels[k] = v
-	}
 
 	metric, err := adminMetrics.requestErrors.GetMetricWith(promLabels)
 	if err != nil {
@@ -377,9 +374,7 @@ func (m *mockModule) CaddyModule() ModuleInfo {
 
 func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
+	maps.Copy(originalModules, modules)
-		originalModules[k] = v
-	}
 	defer func() {
 		modules = originalModules
 	}()
@@ -479,9 +474,7 @@ func TestAdminRouterProvisioning(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			originalModules := make(map[string]ModuleInfo)
-			for k, v := range modules {
+			maps.Copy(originalModules, modules)
-				originalModules[k] = v
-			}
 			defer func() {
 				modules = originalModules
 			}()
@@ -774,9 +767,7 @@ func (m *mockIssuerModule) CaddyModule() ModuleInfo {
 
 func TestManageIdentity(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
+	maps.Copy(originalModules, modules)
-		originalModules[k] = v
-	}
 	defer func() {
 		modules = originalModules
 	}()

caddy.go

@@ -81,7 +81,10 @@ type Config struct {
 	// associated value.
 	AppsRaw ModuleMap `json:"apps,omitempty" caddy:"namespace="`
 
-	apps         map[string]App
+	apps map[string]App
+
+	// failedApps is a map of apps that failed to provision with their underlying error.
+	failedApps   map[string]error
 	storage      certmagic.Storage
 	eventEmitter eventEmitter
 
@@ -408,11 +411,23 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return ctx, nil
 	}
 
+	defer func() {
+		// if newCfg fails to start completely, clean up the already provisioned modules
+		// partially copied from provisionContext
+		if err != nil {
+			globalMetrics.configSuccess.Set(0)
+			ctx.cfg.cancelFunc()
+
+			if currentCtx.cfg != nil {
+				certmagic.Default.Storage = currentCtx.cfg.storage
+			}
+		}
+	}()
+
 	// Provision any admin routers which may need to access
 	// some of the other apps at runtime
 	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 
@@ -438,7 +453,6 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return nil
 	}()
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 	globalMetrics.configSuccess.Set(1)
@@ -449,7 +463,8 @@ func run(newCfg *Config, start bool) (Context, error) {
 
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
-	return ctx, finishSettingUp(ctx, ctx.cfg)
+	err = finishSettingUp(ctx, ctx.cfg)
+	return ctx, err
 }
 
 // provisionContext creates a new context from the given configuration and provisions
@@ -505,19 +520,12 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
-	// start the admin endpoint (and stop any prior one)
-	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
-		if err != nil {
-			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
-		}
-	}
-
 	// create the new filesystem map
 	newCfg.fileSystems = &filesystems.FileSystemMap{}
 
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
+	newCfg.failedApps = make(map[string]error)
 
 	// set up global storage and make it CertMagic's default storage, too
 	err = func() error {
@@ -544,6 +552,14 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
+	// start the admin endpoint (and stop any prior one)
+	if replaceAdminServer {
+		err = replaceLocalAdminServer(newCfg, ctx)
+		if err != nil {
+			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
+		}
+	}
+
 	// Load and Provision each app and their submodules
 	err = func() error {
 		for appName := range newCfg.AppsRaw {
@@ -959,11 +975,11 @@ func Version() (simple, full string) {
 		if CustomVersion != "" {
 			full = CustomVersion
 			simple = CustomVersion
-			return
+			return simple, full
 		}
 		full = "unknown"
 		simple = "unknown"
-		return
+		return simple, full
 	}
 	// find the Caddy module in the dependency list
 	for _, dep := range bi.Deps {
@@ -1043,7 +1059,7 @@ func Version() (simple, full string) {
 		}
 	}
 
-	return
+	return simple, full
 }
 
 // Event represents something that has happened or is happening.
@@ -1104,9 +1120,15 @@ func (e Event) Origin() Module       { return e.origin } // Returns the module t
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
+	var source string
+	if e.Origin() == nil {
+		source = "caddy"
+	} else {
+		source = string(e.Origin().CaddyModule().ID)
+	}
 	return CloudEvent{
 		ID:              e.id.String(),
-		Source:          e.origin.CaddyModule().String(),
+		Source:          source,
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,
@@ -1175,6 +1197,91 @@ var (
 	rawCfgMu sync.RWMutex
 )
 
+// lastConfigFile and lastConfigAdapter remember the source config
+// file and adapter used when Caddy was started via the CLI "run" command.
+// These are consulted by the SIGUSR1 handler to attempt reloading from
+// the same source. They are intentionally not set for other entrypoints
+// such as "caddy start" or subcommands like file-server.
+var (
+	lastConfigMu      sync.RWMutex
+	lastConfigFile    string
+	lastConfigAdapter string
+)
+
+// reloadFromSourceFunc is the type of stored callback
+// which is called when we receive a SIGUSR1 signal.
+type reloadFromSourceFunc func(file, adapter string) error
+
+// reloadFromSourceCallback is the stored callback
+// which is called when we receive a SIGUSR1 signal.
+var reloadFromSourceCallback reloadFromSourceFunc
+
+// errReloadFromSourceUnavailable is returned when no reload-from-source callback is set.
+var errReloadFromSourceUnavailable = errors.New("reload from source unavailable in this process") //nolint:unused
+
+// SetLastConfig records the given source file and adapter as the
+// last-known external configuration source. Intended to be called
+// only when starting via "caddy run --config <file> --adapter <adapter>".
+func SetLastConfig(file, adapter string, fn reloadFromSourceFunc) {
+	lastConfigMu.Lock()
+	lastConfigFile = file
+	lastConfigAdapter = adapter
+	reloadFromSourceCallback = fn
+	lastConfigMu.Unlock()
+}
+
+// ClearLastConfigIfDifferent clears the recorded last-config if the provided
+// source file/adapter do not match the recorded last-config. If both srcFile
+// and srcAdapter are empty, the last-config is cleared.
+func ClearLastConfigIfDifferent(srcFile, srcAdapter string) {
+	if (srcFile != "" || srcAdapter != "") && lastConfigMatches(srcFile, srcAdapter) {
+		return
+	}
+	SetLastConfig("", "", nil)
+}
+
+// getLastConfig returns the last-known config file and adapter.
+func getLastConfig() (file, adapter string, fn reloadFromSourceFunc) {
+	lastConfigMu.RLock()
+	f, a, cb := lastConfigFile, lastConfigAdapter, reloadFromSourceCallback
+	lastConfigMu.RUnlock()
+	return f, a, cb
+}
+
+// lastConfigMatches returns true if the provided source file and/or adapter
+// matches the recorded last-config. Matching rules (in priority order):
+//  1. If srcAdapter is provided and differs from the recorded adapter, no match.
+//  2. If srcFile exactly equals the recorded file, match.
+//  3. If both sides can be made absolute and equal, match.
+//  4. If basenames are equal, match.
+func lastConfigMatches(srcFile, srcAdapter string) bool {
+	lf, la, _ := getLastConfig()
+
+	// If adapter is provided, it must match.
+	if srcAdapter != "" && srcAdapter != la {
+		return false
+	}
+
+	// Quick equality check.
+	if srcFile == lf {
+		return true
+	}
+
+	// Try absolute path comparison.
+	sAbs, sErr := filepath.Abs(srcFile)
+	lAbs, lErr := filepath.Abs(lf)
+	if sErr == nil && lErr == nil && sAbs == lAbs {
+		return true
+	}
+
+	// Final fallback: basename equality.
+	if filepath.Base(srcFile) == filepath.Base(lf) {
+		return true
+	}
+
+	return false
+}
+
 // errSameConfig is returned if the new config is the same
 // as the old one. This isn't usually an actual, actionable
 // error; it's mostly a sentinel value.

caddy_test.go

@@ -15,6 +15,7 @@
 package caddy
 
 import (
+	"context"
 	"testing"
 	"time"
 )
@@ -72,3 +73,21 @@ func TestParseDuration(t *testing.T) {
 		}
 	}
 }
+
+func TestEvent_CloudEvent_NilOrigin(t *testing.T) {
+	ctx, _ := NewContext(Context{Context: context.Background()}) // module will be nil by default
+	event, err := NewEvent(ctx, "started", nil)
+	if err != nil {
+		t.Fatalf("NewEvent() error = %v", err)
+	}
+
+	// This should not panic
+	ce := event.CloudEvent()
+
+	if ce.Source != "caddy" {
+		t.Errorf("Expected CloudEvent Source to be 'caddy', got '%s'", ce.Source)
+	}
+	if ce.Type != "started" {
+		t.Errorf("Expected CloudEvent Type to be 'started', got '%s'", ce.Type)
+	}
+}

caddyconfig/caddyfile/adapter.go

@@ -68,7 +68,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 // TODO: also perform this check on imported files
 func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bool) {
 	// replace windows-style newlines to normalize comparison
-	normalizedBody := bytes.Replace(body, []byte("\r\n"), []byte("\n"), -1)
+	normalizedBody := bytes.ReplaceAll(body, []byte("\r\n"), []byte("\n"))
 
 	formatted := Format(normalizedBody)
 	if bytes.Equal(formatted, normalizedBody) {

caddyconfig/caddyfile/dispenser.go

@@ -308,9 +308,9 @@ func (d *Dispenser) CountRemainingArgs() int {
 }
 
 // RemainingArgs loads any more arguments (tokens on the same line)
-// into a slice and returns them. Open curly brace tokens also indicate
+// into a slice of strings and returns them. Open curly brace tokens
-// the end of arguments, and the curly brace is not included in
+// also indicate the end of arguments, and the curly brace is not
-// the return value nor is it loaded.
+// included in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgs() []string {
 	var args []string
 	for d.NextArg() {
@@ -320,9 +320,9 @@ func (d *Dispenser) RemainingArgs() []string {
 }
 
 // RemainingArgsRaw loads any more arguments (tokens on the same line,
-// retaining quotes) into a slice and returns them. Open curly brace
+// retaining quotes) into a slice of strings and returns them.
-// tokens also indicate the end of arguments, and the curly brace is
+// Open curly brace tokens also indicate the end of arguments,
-// not included in the return value nor is it loaded.
+// and the curly brace is not included in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgsRaw() []string {
 	var args []string
 	for d.NextArg() {
@@ -331,6 +331,18 @@ func (d *Dispenser) RemainingArgsRaw() []string {
 	return args
 }
 
+// RemainingArgsAsTokens loads any more arguments (tokens on the same line)
+// into a slice of Token-structs and returns them. Open curly brace tokens
+// also indicate the end of arguments, and the curly brace is not included
+// in the return value nor is it loaded.
+func (d *Dispenser) RemainingArgsAsTokens() []Token {
+	var args []Token
+	for d.NextArg() {
+		args = append(args, d.Token())
+	}
+	return args
+}
+
 // NewFromNextSegment returns a new dispenser with a copy of
 // the tokens from the current token until the end of the
 // "directive" whether that be to the end of the line or

caddyconfig/caddyfile/dispenser_test.go

@@ -274,6 +274,66 @@ func TestDispenser_RemainingArgs(t *testing.T) {
 	}
 }
 
+func TestDispenser_RemainingArgsAsTokens(t *testing.T) {
+	input := `dir1 arg1 arg2 arg3
+			  dir2 arg4 arg5
+			  dir3 arg6 { arg7
+			  dir4`
+	d := NewTestDispenser(input)
+
+	d.Next() // dir1
+
+	args := d.RemainingArgsAsTokens()
+
+	tokenTexts := make([]string, 0, len(args))
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg1", "arg2", "arg3"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // dir2
+
+	args = d.RemainingArgsAsTokens()
+
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg4", "arg5"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // dir3
+
+	args = d.RemainingArgsAsTokens()
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg6"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // {
+	d.Next() // arg7
+	d.Next() // dir4
+
+	args = d.RemainingArgsAsTokens()
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if len(args) != 0 {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", []string{}, tokenTexts)
+	}
+}
+
 func TestDispenser_ArgErr_Err(t *testing.T) {
 	input := `dir1 {
 			  }

caddyconfig/caddyfile/formatter.go

@@ -94,7 +94,7 @@ func Format(input []byte) []byte {
 		}
 
 		// detect whether we have the start of a heredoc
-		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
+		if !quoted && (heredoc == heredocClosed && !heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening
@@ -224,7 +224,7 @@ func Format(input []byte) []byte {
 			openBrace = false
 			if beginningOfLine {
 				indent()
-			} else if !openBraceSpace {
+			} else if !openBraceSpace || !unicode.IsSpace(last) {
 				write(' ')
 			}
 			write('{')
@@ -241,7 +241,7 @@ func Format(input []byte) []byte {
 		case ch == '{':
 			openBrace = true
 			openBraceSpace = spacePrior && !beginningOfLine
-			if openBraceSpace {
+			if openBraceSpace && newLines == 0 {
 				write(' ')
 			}
 			openBraceWritten = false

caddyconfig/caddyfile/formatter_test.go

@@ -444,6 +444,21 @@ block2 {
 			input:       "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 			expect:      "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 		},
+		{
+			description: "No trailing space on line before env variable",
+			input: `{
+	a
+
+	{$ENV_VAR}
+}
+`,
+			expect: `{
+	a
+
+	{$ENV_VAR}
+}
+`,
+		},
 	} {
 		// the formatter should output a trailing newline,
 		// even if the tests aren't written to expect that

caddyconfig/caddyfile/lexer.go

@@ -137,7 +137,7 @@ func (l *lexer) next() (bool, error) {
 		}
 
 		// detect whether we have the start of a heredoc
-		if !(quoted || btQuoted) && !(inHeredoc || heredocEscaped) &&
+		if (!quoted && !btQuoted) && (!inHeredoc && !heredocEscaped) &&
 			len(val) > 1 && string(val[:2]) == "<<" {
 			// a space means it's just a regular token and not a heredoc
 			if ch == ' ' {
@@ -323,7 +323,8 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 
 		// if the padding doesn't match exactly at the start then we can't safely strip
 		if index != 0 {
-			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, lineText, paddingToStrip)
+			cleanLineText := strings.TrimRight(lineText, "\r\n")
+			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, cleanLineText, paddingToStrip)
 		}
 
 		// strip, then append the line, with the newline, to the output.

caddyconfig/caddyfile/parse.go

@@ -379,28 +379,23 @@ func (p *parser) doImport(nesting int) error {
 	if len(blockTokens) > 0 {
 		// use such tokens to create a new dispenser, and then use it to parse each block
 		bd := NewDispenser(blockTokens)
+
+		// one iteration processes one sub-block inside the import
 		for bd.Next() {
-			// see if we can grab a key
+			currentMappingKey := bd.Val()
-			var currentMappingKey string
+
-			if bd.Val() == "{" {
+			if currentMappingKey == "{" {
 				return p.Err("anonymous blocks are not supported")
 			}
-			currentMappingKey = bd.Val()
+
-			currentMappingTokens := []Token{}
+			// load up all arguments (if there even are any)
-			// read all args until end of line / {
+			currentMappingTokens := bd.RemainingArgsAsTokens()
-			if bd.NextArg() {
+
+			// load up the entire block
+			for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
 				currentMappingTokens = append(currentMappingTokens, bd.Token())
-				for bd.NextArg() {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-				// TODO(elee1766): we don't enter another mapping here because it's annoying to extract the { and } properly.
-				// maybe someone can do that in the future
-			} else {
-				// attempt to enter a block and add tokens to the currentMappingTokens
-				for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
 			}
+
 			blockMapping[currentMappingKey] = currentMappingTokens
 		}
 	}
@@ -538,29 +533,24 @@ func (p *parser) doImport(nesting int) error {
 		}
 		// if it is {block}, we substitute with all tokens in the block
 		// if it is {blocks.*}, we substitute with the tokens in the mapping for the *
-		var skip bool
 		var tokensToAdd []Token
+		foundBlockDirective := false
 		switch {
 		case token.Text == "{block}":
+			foundBlockDirective = true
 			tokensToAdd = blockTokens
 		case strings.HasPrefix(token.Text, "{blocks.") && strings.HasSuffix(token.Text, "}"):
+			foundBlockDirective = true
 			// {blocks.foo.bar} will be extracted to key `foo.bar`
 			blockKey := strings.TrimPrefix(strings.TrimSuffix(token.Text, "}"), "{blocks.")
 			val, ok := blockMapping[blockKey]
 			if ok {
 				tokensToAdd = val
 			}
-		default:
-			skip = true
 		}
-		if !skip {
+
-			if len(tokensToAdd) == 0 {
+		if foundBlockDirective {
-				// if there is no content in the snippet block, don't do any replacement
+			tokensCopy = append(tokensCopy, tokensToAdd...)
-				// this allows snippets which contained {block}/{block.*} before this change to continue functioning as normal
-				tokensCopy = append(tokensCopy, token)
-			} else {
-				tokensCopy = append(tokensCopy, tokensToAdd...)
-			}
 			continue
 		}
 

caddyconfig/caddyfile/parse_test.go

@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
@@ -884,6 +885,51 @@ func TestRejectsGlobalMatcher(t *testing.T) {
 	}
 }
 
+func TestRejectAnonymousImportBlock(t *testing.T) {
+	p := testParser(`
+		(site) {
+			http://{args[0]} https://{args[0]} {
+				{block}
+			}
+		}
+
+		import site test.domain {
+			{ 
+				header_up Host {host}
+				header_up X-Real-IP {remote_host}
+			}
+		}
+	`)
+	_, err := p.parseAll()
+	if err == nil {
+		t.Fatal("Expected an error, but got nil")
+	}
+	expected := "anonymous blocks are not supported"
+	if !strings.HasPrefix(err.Error(), "anonymous blocks are not supported") {
+		t.Errorf("Expected error to start with '%s' but got '%v'", expected, err)
+	}
+}
+
+func TestAcceptSiteImportWithBraces(t *testing.T) {
+	p := testParser(`
+		(site) {
+			http://{args[0]} https://{args[0]} {
+				{block}
+			}
+		}
+
+		import site test.domain {
+			reverse_proxy http://192.168.1.1:8080 { 
+				header_up Host {host}
+			}
+		}
+	`)
+	_, err := p.parseAll()
+	if err != nil {
+		t.Errorf("Expected error to be nil but got '%v'", err)
+	}
+}
+
 func testParser(input string) parser {
 	return parser{Dispenser: NewTestDispenser(input)}
 }

caddyconfig/httpcaddyfile/builtins.go

@@ -15,6 +15,7 @@
 package httpcaddyfile
 
 import (
+	"encoding/json"
 	"fmt"
 	"html"
 	"net/http"
@@ -90,7 +91,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    curves    <curves...>
 //	    client_auth {
 //	        mode                   [request|require|verify_if_given|require_and_verify]
-//	        trust_pool			   <module_name> [...]
+//	        trust_pool             <module_name> [...]
 //	        trusted_leaf_cert      <base64_der>
 //	        trusted_leaf_cert_file <filename>
 //	    }
@@ -129,6 +130,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var reusePrivateKeys bool
 	var forceAutomate bool
 
+	// Track which DNS challenge options are set
+	var dnsOptionsSet []string
+
 	firstLine := h.RemainingArgs()
 	switch len(firstLine) {
 	case 0:
@@ -349,6 +353,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "resolvers")
 			acmeIssuer.Challenges.DNS.Resolvers = args
 
 		case "propagation_delay":
@@ -370,6 +375,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "propagation_delay")
 			acmeIssuer.Challenges.DNS.PropagationDelay = caddy.Duration(delay)
 
 		case "propagation_timeout":
@@ -397,6 +403,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "propagation_timeout")
 			acmeIssuer.Challenges.DNS.PropagationTimeout = caddy.Duration(timeout)
 
 		case "dns_ttl":
@@ -418,6 +425,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "dns_ttl")
 			acmeIssuer.Challenges.DNS.TTL = caddy.Duration(ttl)
 
 		case "dns_challenge_override_domain":
@@ -434,6 +442,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "dns_challenge_override_domain")
 			acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
 
 		case "ca_root":
@@ -469,6 +478,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		}
 	}
 
+	// Validate DNS challenge config: any DNS challenge option except "dns" requires a DNS provider
+	if acmeIssuer != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
+		dnsCfg := acmeIssuer.Challenges.DNS
+		providerSet := dnsCfg.ProviderRaw != nil || h.Option("dns") != nil || h.Option("acme_dns") != nil
+		if len(dnsOptionsSet) > 0 && !providerSet {
+			return nil, h.Errf(
+				"setting DNS challenge options [%s] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option)",
+				strings.Join(dnsOptionsSet, ", "),
+			)
+		}
+	}
+
 	// a naked tls directive is not allowed
 	if len(firstLine) == 0 && !hasBlock {
 		return nil, h.ArgErr()
@@ -843,13 +864,18 @@ func parseHandleErrors(h Helper) ([]ConfigValue, error) {
 		return nil, h.Errf("segment was not parsed as a subroute")
 	}
 
+	// wrap the subroutes
+	wrappingRoute := caddyhttp.Route{
+		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
+	}
+	subroute = &caddyhttp.Subroute{
+		Routes: []caddyhttp.Route{wrappingRoute},
+	}
 	if expression != "" {
 		statusMatcher := caddy.ModuleMap{
 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 		}
-		for i := range subroute.Routes {
+		subroute.Routes[0].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
-			subroute.Routes[i].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
-		}
 	}
 	return []ConfigValue{
 		{
@@ -1160,6 +1186,11 @@ func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	if h.NextArg() {
 		return nil, h.ArgErr()
 	}
+
+	if h.NextBlock(0) {
+		return nil, h.Err("log_skip directive does not accept blocks")
+	}
+
 	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
 }
 

caddyconfig/httpcaddyfile/directives.go

@@ -16,6 +16,7 @@ package httpcaddyfile
 
 import (
 	"encoding/json"
+	"maps"
 	"net"
 	"slices"
 	"sort"
@@ -173,10 +174,12 @@ func RegisterDirectiveOrder(dir string, position Positional, standardDir string)
 		if d != standardDir {
 			continue
 		}
-		if position == Before {
+		switch position {
+		case Before:
 			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		} else if position == After {
+		case After:
 			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
+		case First, Last:
 		}
 		break
 	}
@@ -365,9 +368,7 @@ func parseSegmentAsConfig(h Helper) ([]ConfigValue, error) {
 		// copy existing matcher definitions so we can augment
 		// new ones that are defined only in this scope
 		matcherDefs := make(map[string]caddy.ModuleMap, len(h.matcherDefs))
-		for key, val := range h.matcherDefs {
+		maps.Copy(matcherDefs, h.matcherDefs)
-			matcherDefs[key] = val
-		}
 
 		// find and extract any embedded matcher definitions in this scope
 		for i := 0; i < len(segments); i++ {
@@ -483,12 +484,29 @@ func sortRoutes(routes []ConfigValue) {
 			// we can only confidently compare path lengths if both
 			// directives have a single path to match (issue #5037)
 			if iPathLen > 0 && jPathLen > 0 {
+				// trim the trailing wildcard if there is one
+				iPathTrimmed := strings.TrimSuffix(iPM[0], "*")
+				jPathTrimmed := strings.TrimSuffix(jPM[0], "*")
+
 				// if both paths are the same except for a trailing wildcard,
 				// sort by the shorter path first (which is more specific)
-				if strings.TrimSuffix(iPM[0], "*") == strings.TrimSuffix(jPM[0], "*") {
+				if iPathTrimmed == jPathTrimmed {
 					return iPathLen < jPathLen
 				}
 
+				// we use the trimmed length to compare the paths
+				// https://github.com/caddyserver/caddy/issues/7012#issuecomment-2870142195
+				// credit to https://github.com/Hellio404
+				// for sorts with many items, mixing matchers w/ and w/o wildcards will confuse the sort and result in incorrect orders
+				iPathLen = len(iPathTrimmed)
+				jPathLen = len(jPathTrimmed)
+
+				// if both paths have the same length, sort lexically
+				// https://github.com/caddyserver/caddy/pull/7015#issuecomment-2871993588
+				if iPathLen == jPathLen {
+					return iPathTrimmed < jPathTrimmed
+				}
+
 				// sort most-specific (longest) path first
 				return iPathLen > jPathLen
 			}

caddyconfig/httpcaddyfile/options.go

@@ -458,8 +458,6 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
 		case "disable_certs":
 		case "ignore_loaded_certs":
 		case "prefer_wildcard":
-			break
-
 		default:
 			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
 		}
@@ -557,8 +555,14 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
 
 func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
+	optName := d.Val()
 
-	if !d.Next() { // get DNS module name
+	// get DNS module name
+	if !d.Next() {
+		// this is allowed if this is the "acme_dns" option since it may refer to the globally-configured "dns" option's value
+		if optName == "acme_dns" {
+			return nil, nil
+		}
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()

caddyconfig/httpcaddyfile/pkiapp.go

@@ -15,6 +15,8 @@
 package httpcaddyfile
 
 import (
+	"slices"
+
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -178,6 +180,15 @@ func (st ServerType) buildPKIApp(
 	if _, ok := options["skip_install_trust"]; ok {
 		skipInstallTrust = true
 	}
+
+	// check if auto_https is off - in that case we should not create
+	// any PKI infrastructure even with skip_install_trust directive
+	autoHTTPS := []string{}
+	if ah, ok := options["auto_https"].([]string); ok {
+		autoHTTPS = ah
+	}
+	autoHTTPSOff := slices.Contains(autoHTTPS, "off")
+
 	falseBool := false
 
 	// Load the PKI app configured via global options
@@ -218,7 +229,8 @@ func (st ServerType) buildPKIApp(
 	// if there was no CAs defined in any of the servers,
 	// and we were requested to not install trust, then
 	// add one for the default/local CA to do so
-	if len(pkiApp.CAs) == 0 && skipInstallTrust {
+	// only if auto_https is not completely disabled
+	if len(pkiApp.CAs) == 0 && skipInstallTrust && !autoHTTPSOff {
 		ca := new(caddypki.CA)
 		ca.ID = caddypki.DefaultCAID
 		ca.InstallTrust = &falseBool

caddyconfig/httpcaddyfile/serveroptions.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
+	"strconv"
 
 	"github.com/dustin/go-humanize"
 
@@ -42,12 +43,15 @@ type serverOptions struct {
 	WriteTimeout         caddy.Duration
 	IdleTimeout          caddy.Duration
 	KeepAliveInterval    caddy.Duration
+	KeepAliveIdle        caddy.Duration
+	KeepAliveCount       int
 	MaxHeaderBytes       int
 	EnableFullDuplex     bool
 	Protocols            []string
 	StrictSNIHost        *bool
 	TrustedProxiesRaw    json.RawMessage
 	TrustedProxiesStrict int
+	TrustedProxiesUnix   bool
 	ClientIPHeaders      []string
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
@@ -142,6 +146,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 					return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
 				}
 			}
+
 		case "keepalive_interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
@@ -152,6 +157,26 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.KeepAliveInterval = caddy.Duration(dur)
 
+		case "keepalive_idle":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			dur, err := caddy.ParseDuration(d.Val())
+			if err != nil {
+				return nil, d.Errf("parsing keepalive idle duration: %v", err)
+			}
+			serverOpts.KeepAliveIdle = caddy.Duration(dur)
+
+		case "keepalive_count":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			cnt, err := strconv.ParseInt(d.Val(), 10, 32)
+			if err != nil {
+				return nil, d.Errf("parsing keepalive count int: %v", err)
+			}
+			serverOpts.KeepAliveCount = int(cnt)
+
 		case "max_header_size":
 			var sizeStr string
 			if !d.AllArgs(&sizeStr) {
@@ -227,6 +252,12 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.TrustedProxiesStrict = 1
 
+		case "trusted_proxies_unix":
+			if d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			serverOpts.TrustedProxiesUnix = true
+
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
@@ -309,6 +340,8 @@ func applyServerOptions(
 		server.WriteTimeout = opts.WriteTimeout
 		server.IdleTimeout = opts.IdleTimeout
 		server.KeepAliveInterval = opts.KeepAliveInterval
+		server.KeepAliveIdle = opts.KeepAliveIdle
+		server.KeepAliveCount = opts.KeepAliveCount
 		server.MaxHeaderBytes = opts.MaxHeaderBytes
 		server.EnableFullDuplex = opts.EnableFullDuplex
 		server.Protocols = opts.Protocols
@@ -316,6 +349,7 @@ func applyServerOptions(
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
 		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
+		server.TrustedProxiesUnix = opts.TrustedProxiesUnix
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {

caddyconfig/httpcaddyfile/shorthands.go

@@ -64,10 +64,13 @@ func placeholderShorthands() []string {
 		"{orig_?query}", "{http.request.orig_uri.prefixed_query}",
 		"{method}", "{http.request.method}",
 		"{uri}", "{http.request.uri}",
+		"{%uri}", "{http.request.uri_escaped}",
 		"{path}", "{http.request.uri.path}",
+		"{%path}", "{http.request.uri.path_escaped}",
 		"{dir}", "{http.request.uri.path.dir}",
 		"{file}", "{http.request.uri.path.file}",
 		"{query}", "{http.request.uri.query}",
+		"{%query}", "{http.request.uri.query_escaped}",
 		"{?query}", "{http.request.uri.prefixed_query}",
 		"{remote}", "{http.request.remote}",
 		"{remote_host}", "{http.request.remote.host}",

caddyconfig/httpcaddyfile/tlsapp.go

@@ -464,10 +464,10 @@ func (st ServerType) buildTLSApp(
 		globalEmail := options["email"]
 		globalACMECA := options["acme_ca"]
 		globalACMECARoot := options["acme_ca_root"]
-		globalACMEDNS := options["acme_dns"]
+		_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 		globalACMEEAB := options["acme_eab"]
 		globalPreferredChains := options["preferred_chains"]
-		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
+		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
 		if hasGlobalACMEDefaults {
 			for i := range tlsApp.Automation.Policies {
 				ap := tlsApp.Automation.Policies[i]
@@ -549,11 +549,12 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalEmail := options["email"]
 	globalACMECA := options["acme_ca"]
 	globalACMECARoot := options["acme_ca_root"]
-	globalACMEDNS := options["acme_dns"]
+	globalACMEDNS, globalACMEDNSok := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
 	globalCertLifetime := options["cert_lifetime"]
 	globalHTTPPort, globalHTTPSPort := options["http_port"], options["https_port"]
+	globalDefaultBind := options["default_bind"]
 
 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@@ -564,11 +565,21 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
-	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
+	if globalACMEDNSok && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil || acmeIssuer.Challenges.DNS.ProviderRaw == nil) {
-		acmeIssuer.Challenges = &caddytls.ChallengesConfig{
+		globalDNS := options["dns"]
-			DNS: &caddytls.DNSChallengeConfig{
+		if globalDNS == nil && globalACMEDNS == nil {
-				ProviderRaw: caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil),
+			return fmt.Errorf("acme_dns specified without DNS provider config, but no provider specified with 'dns' global option")
-			},
+		}
+		if acmeIssuer.Challenges == nil {
+			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+		}
+		if acmeIssuer.Challenges.DNS == nil {
+			acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+		}
+		// If global `dns` is set, do NOT set provider in issuer, just set empty dns config
+		if globalDNS == nil && acmeIssuer.Challenges.DNS.ProviderRaw == nil {
+			// Set a global DNS provider if `acme_dns` is set and `dns` is NOT set
+			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
 		}
 	}
 	if globalACMEEAB != nil && acmeIssuer.ExternalAccount == nil {
@@ -596,6 +607,20 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		}
 		acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
 	}
+	// If BindHost is still unset, fall back to the first default_bind address if set
+	// This avoids binding the automation policy to the wildcard socket, which is unexpected behavior when a more selective socket is specified via default_bind
+	// In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
+	// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
+	if acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "") {
+		if defBinds, ok := globalDefaultBind.([]ConfigValue); ok && len(defBinds) > 0 {
+			if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
+				if acmeIssuer.Challenges == nil {
+					acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+				}
+				acmeIssuer.Challenges.BindHost = abp.addresses[0]
+			}
+		}
+	}
 	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
 		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 	}
@@ -616,12 +641,18 @@ func newBaseAutomationPolicy(
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
 	ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
-
 	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
 
+	globalACMECA := options["acme_ca"]
+	globalACMECARoot := options["acme_ca_root"]
+	_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
+	globalACMEEAB := options["acme_eab"]
+	globalPreferredChains := options["preferred_chains"]
+	hasGlobalACMEDefaults := globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
+
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
-	if !hasGlobalAutomationOpts {
+	if !hasGlobalAutomationOpts && !hasGlobalACMEDefaults {
 		if always {
 			return new(caddytls.AutomationPolicy), nil
 		}
@@ -643,6 +674,14 @@ func newBaseAutomationPolicy(
 		ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)}
 	}
 
+	if hasGlobalACMEDefaults {
+		for i := range ap.Issuers {
+			if err := fillInGlobalACMEDefaults(ap.Issuers[i], options); err != nil {
+				return nil, fmt.Errorf("filling in global issuer defaults for issuer %d: %v", i, err)
+			}
+		}
+	}
+
 	if hasOCSPStapling {
 		ocspConfig := ocspStapling.(certmagic.OCSPConfig)
 		ap.DisableOCSPStapling = ocspConfig.DisableStapling

caddyconfig/load.go

@@ -121,6 +121,13 @@ func (adminLoad) handleLoad(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	// If this request changed the config, clear the last
+	// config info we have stored, if it is different from
+	// the original source.
+	caddy.ClearLastConfigIfDifferent(
+		r.Header.Get("Caddy-Config-Source-File"),
+		r.Header.Get("Caddy-Config-Source-Adapter"))
+
 	caddy.Log().Named("admin.api").Info("load complete")
 
 	return nil

caddytest/caddytest.go

@@ -281,7 +281,7 @@ func validateTestPrerequisites(tc *Tester) error {
 		tc.t.Cleanup(func() {
 			os.Remove(f.Name())
 		})
-		if _, err := f.WriteString(fmt.Sprintf(initConfig, tc.config.AdminPort)); err != nil {
+		if _, err := fmt.Fprintf(f, initConfig, tc.config.AdminPort); err != nil {
 			return err
 		}
 

caddytest/integration/acme_test.go

@@ -12,13 +12,14 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 const acmeChallengePort = 9081

caddytest/integration/acmeserver_test.go

@@ -9,11 +9,12 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 func TestACMEServerDirectory(t *testing.T) {

caddytest/integration/caddyfile_adapt/acme_dns_configured.caddyfiletest

@@ -0,0 +1,69 @@
+{
+	acme_dns mock foo
+}
+
+example.com {
+	respond "Hello World"
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "Hello World",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "foo",
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_dns_naked_use_dns_defaults.caddyfiletest

@@ -0,0 +1,53 @@
+{
+	dns mock
+	acme_dns
+}
+
+example.com {
+
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			},
+			"dns": {
+				"name": "mock"
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_dns_naked_without_dns.caddyfiletest

@@ -0,0 +1,9 @@
+{
+	acme_dns
+}
+
+example.com {
+	respond "Hello World"
+}
+----------
+acme_dns specified without DNS provider config, but no provider specified with 'dns' global option

caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest

@@ -0,0 +1,72 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest

@@ -0,0 +1,80 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														},
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest

@@ -0,0 +1,71 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/ambiguous_site_definition.caddyfiletest

@@ -0,0 +1,12 @@
+example.com
+handle {
+	respond "one"
+}
+
+example.com
+handle {
+	respond "two"
+}
+----------
+Caddyfile:6: unrecognized directive: example.com
+Did you mean to define a second site? If so, you must use curly braces around each site to separate their configurations.

caddytest/integration/caddyfile_adapt/ambiguous_site_definition_duplicate_key.caddyfiletest

@@ -0,0 +1,9 @@
+:8080 {
+	respond "one"
+}
+
+:8080 {
+	respond "two"
+}
+----------
+ambiguous site definition: :8080

caddytest/integration/caddyfile_adapt/directive_as_site_address.caddyfiletest

@@ -0,0 +1,5 @@
+handle
+
+respond "should not work"
+----------
+Caddyfile:1: parsed 'handle' as a site address, but it is a known directive; directives must appear in a site block

caddytest/integration/caddyfile_adapt/duplicate_listener_address_global.caddyfiletest

@@ -0,0 +1,12 @@
+{
+	servers {
+		srv0 {
+			listen :8080
+		}
+		srv1 {
+			listen :8080
+		}
+	}
+}
+----------
+parsing caddyfile tokens for 'servers': unrecognized servers option 'srv0', at Caddyfile:3

caddytest/integration/caddyfile_adapt/error_example.caddyfiletest

@@ -106,20 +106,29 @@ example.com {
 										"handler": "subroute",
 										"routes": [
 											{
-												"group": "group0",
 												"handle": [
 													{
-														"handler": "rewrite",
+														"handler": "subroute",
-														"uri": "/{http.error.status_code}.html"
+														"routes": [
-													}
+															{
-												]
+																"group": "group0",
-											},
+																"handle": [
-											{
+																	{
-												"handle": [
+																		"handler": "rewrite",
-													{
+																		"uri": "/{http.error.status_code}.html"
-														"handler": "file_server",
+																	}
-														"hide": [
+																]
-															"./Caddyfile"
+															},
+															{
+																"handle": [
+																	{
+																		"handler": "file_server",
+																		"hide": [
+																			"./Caddyfile"
+																		]
+																	}
+																]
+															}
 														]
 													}
 												]

caddytest/integration/caddyfile_adapt/error_multi_site_blocks.caddyfiletest

@@ -165,8 +165,17 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"body": "404 or 410 error",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "404 or 410 error",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [
@@ -178,8 +187,17 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"body": "Error In range [500 .. 599]",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error In range [500 .. 599]",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [
@@ -208,8 +226,17 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"body": "404 or 410 error from second site",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "404 or 410 error from second site",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [
@@ -221,8 +248,17 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"body": "Error In range [500 .. 599] from second site",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error In range [500 .. 599] from second site",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [

caddytest/integration/caddyfile_adapt/error_range_codes.caddyfiletest

@@ -96,8 +96,17 @@ localhost:3010 {
 											{
 												"handle": [
 													{
-														"body": "Error in the [400 .. 499] range",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error in the [400 .. 499] range",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [

caddytest/integration/caddyfile_adapt/error_range_simple_codes.caddyfiletest

@@ -116,8 +116,17 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"body": "Error in the [400 .. 499] range",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error in the [400 .. 499] range",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [
@@ -129,8 +138,17 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"body": "Error code is equal to 500 or in the [300..399] range",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error code is equal to 500 or in the [300..399] range",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [

caddytest/integration/caddyfile_adapt/error_simple_codes.caddyfiletest

@@ -96,8 +96,17 @@ localhost:3010 {
 											{
 												"handle": [
 													{
-														"body": "404 or 410 error",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "404 or 410 error",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [

caddytest/integration/caddyfile_adapt/error_sort.caddyfiletest

@@ -116,8 +116,17 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"body": "Error in the [400 .. 499] range",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Error in the [400 .. 499] range",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												],
 												"match": [
@@ -129,8 +138,17 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"body": "Fallback route: code outside the [400..499] range",
+														"handler": "subroute",
-														"handler": "static_response"
+														"routes": [
+															{
+																"handle": [
+																	{
+																		"body": "Fallback route: code outside the [400..499] range",
+																		"handler": "static_response"
+																	}
+																]
+															}
+														]
 													}
 												]
 											}

caddytest/integration/caddyfile_adapt/error_subhandlers.caddyfiletest

@@ -0,0 +1,260 @@
+{
+	http_port 2099
+}
+localhost:2099 {
+	root * /var/www/
+	file_server
+
+	handle_errors 404 {
+		handle /en/* {
+			respond "not found" 404
+		}
+		handle /es/* {
+			respond "no encontrado"
+		}
+		handle {
+			respond "default not found"
+		}
+	}
+	handle_errors {
+		handle /en/* {
+			respond "English error"
+		}
+		handle /es/* {
+			respond "Spanish error"
+		}
+		handle {
+			respond "Default error"
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"http_port": 2099,
+			"servers": {
+				"srv0": {
+					"listen": [
+						":2099"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "vars",
+													"root": "/var/www/"
+												},
+												{
+													"handler": "file_server",
+													"hide": [
+														"./Caddyfile"
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"errors": {
+						"routes": [
+							{
+								"match": [
+									{
+										"host": [
+											"localhost"
+										]
+									}
+								],
+								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "not found",
+																						"handler": "static_response",
+																						"status_code": 404
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "no encontrado",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "default not found",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												],
+												"match": [
+													{
+														"expression": "{http.error.status_code} in [404]"
+													}
+												]
+											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "English error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Spanish error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Default error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												]
+											}
+										]
+									}
+								],
+								"terminal": true
+							}
+						]
+					}
+				}
+			}
+		}
+	}
+}
+

caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest

@@ -31,9 +31,6 @@ example.com
 			"automation": {
 				"policies": [
 					{
-						"subjects": [
-							"example.com"
-						],
 						"issuers": [
 							{
 								"module": "acme",

caddytest/integration/caddyfile_adapt/global_server_options_single.caddyfiletest

@@ -18,6 +18,9 @@
 		trusted_proxies static private_ranges
 		client_ip_headers Custom-Real-Client-IP X-Forwarded-For
 		client_ip_headers A-Third-One
+		keepalive_interval 20s
+		keepalive_idle 20s
+		keepalive_count 10
 	}
 }
 
@@ -45,6 +48,9 @@ foo.com {
 					"read_header_timeout": 30000000000,
 					"write_timeout": 30000000000,
 					"idle_timeout": 30000000000,
+					"keepalive_interval": 20000000000,
+					"keepalive_idle": 20000000000,
+					"keepalive_count": 10,
 					"max_header_bytes": 100000000,
 					"enable_full_duplex": true,
 					"routes": [
@@ -89,4 +95,4 @@ foo.com {
 			}
 		}
 	}
-}
+}

caddytest/integration/caddyfile_adapt/header_placeholder_search.caddyfiletest

@@ -0,0 +1,64 @@
+:80 {
+	header Test-Static ":443" "STATIC-WORKS"
+	header Test-Dynamic ":{http.request.local.port}" "DYNAMIC-WORKS"
+	header Test-Complex "port-{http.request.local.port}-end" "COMPLEX-{http.request.method}"
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"routes": [
+						{
+							"handle": [
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Static": [
+												{
+													"replace": "STATIC-WORKS",
+													"search_regexp": ":443"
+												}
+											]
+										}
+									}
+								},
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Dynamic": [
+												{
+													"replace": "DYNAMIC-WORKS",
+													"search_regexp": ":{http.request.local.port}"
+												}
+											]
+										}
+									}
+								},
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Complex": [
+												{
+													"replace": "COMPLEX-{http.request.method}",
+													"search_regexp": "port-{http.request.local.port}-end"
+												}
+											]
+										}
+									}
+								}
+							]
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/heredoc_extra_indentation.caddyfiletest

@@ -0,0 +1,41 @@
+:80
+
+handle {
+	respond <<END
+        line1
+        line2
+  END
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"routes": [
+						{
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "      line1\n      line2",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							]
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/heredoc_incomplete.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<EOF
+    Hello
+# missing EOF marker
+}
+----------
+mismatched leading whitespace in heredoc <<EOF on line #5 [    Hello], expected whitespace [# missing ] to match the closing marker

caddytest/integration/caddyfile_adapt/heredoc_invalid_marker.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<END!
+    Hello
+    END!
+}
+----------
+heredoc marker on line #4 must contain only alpha-numeric characters, dashes and underscores; got 'END!'

caddytest/integration/caddyfile_adapt/heredoc_mismatched_whitespace.caddyfiletest

@@ -0,0 +1,10 @@
+:80
+
+handle {
+	respond <<END
+	line1
+	line2
+  END
+}
+----------
+mismatched leading whitespace in heredoc <<END on line #5 [	line1], expected whitespace [  ] to match the closing marker

caddytest/integration/caddyfile_adapt/heredoc_missing_marker.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond << 
+    Hello
+    END
+}
+----------
+parsing caddyfile tokens for 'handle': unrecognized directive: Hello - are you sure your Caddyfile structure (nesting and braces) is correct?, at Caddyfile:7

caddytest/integration/caddyfile_adapt/heredoc_too_many_angle_brackets.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<<END
+    Hello
+    END
+}
+----------
+too many '<' for heredoc on line #4; only use two, for example <<END

caddytest/integration/caddyfile_adapt/import_block_anonymous.caddyfiletest

@@ -0,0 +1,13 @@
+(site) {
+    http://{args[0]} https://{args[0]} {
+        {block}
+    }
+}
+import site test.domain {
+    { 
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+    }
+}
+----------
+anonymous blocks are not supported

caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_block.caddyfiletest

@@ -0,0 +1,57 @@
+(snippet) {
+	header {
+		reverse_proxy localhost:3000
+		{block}
+	}
+}
+
+example.com {
+	import snippet
+}
+---------- 
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "headers",
+													"response": {
+														"set": {
+															"Reverse_proxy": [
+																"localhost:3000"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_key_block.caddyfiletest

@@ -0,0 +1,57 @@
+(snippet) {
+	header {
+		reverse_proxy localhost:3000
+		{blocks.content_type}
+	}
+}
+
+example.com {
+	import snippet
+}
+---------- 
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "headers",
+													"response": {
+														"set": {
+															"Reverse_proxy": [
+																"localhost:3000"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_block_with_site_block.caddyfiletest

@@ -0,0 +1,65 @@
+(site) {
+	https://{args[0]} {
+		{block}
+	}
+}
+
+import site test.domain {
+	reverse_proxy http://192.168.1.1:8080 {
+		header_up Host {host}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"test.domain"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "reverse_proxy",
+													"headers": {
+														"request": {
+															"set": {
+																"Host": [
+																	"{http.request.host}"
+																]
+															}
+														}
+													},
+													"upstreams": [
+														{
+															"dial": "192.168.1.1:8080"
+														}
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_cycle.caddyfiletest

@@ -0,0 +1,12 @@
+(import1) {
+	import import2
+}
+
+(import2) {
+	import import1
+}
+
+import import1
+
+----------
+a cycle of imports exists between Caddyfile:import2 and Caddyfile:import1

caddytest/integration/caddyfile_adapt/invoke_undefined_named_route.caddyfiletest

@@ -0,0 +1,5 @@
+example.com {
+	invoke foo
+}
+----------
+cannot invoke named route 'foo', which was not defined

caddytest/integration/caddyfile_adapt/log_multiple_regexp_filters.caddyfiletest

@@ -0,0 +1,95 @@
+:80
+
+log {
+	output stdout
+	format filter {
+		wrap console
+		
+		# Multiple regexp filters for the same field - this should work now!
+		request>headers>Authorization regexp "Bearer\s+([A-Za-z0-9_-]+)" "Bearer [REDACTED]"
+		request>headers>Authorization regexp "Basic\s+([A-Za-z0-9+/=]+)" "Basic [REDACTED]"
+		request>headers>Authorization regexp "token=([^&\s]+)" "token=[REDACTED]"
+		
+		# Single regexp filter - this should continue to work as before
+		request>headers>Cookie regexp "sessionid=[^;]+" "sessionid=[REDACTED]"
+		
+		# Mixed filters (non-regexp) - these should work normally
+		request>headers>Server delete
+		request>remote_ip ip_mask {
+			ipv4 24
+			ipv6 32
+		}
+	}
+}
+----------
+{
+	"logging": {
+		"logs": {
+			"default": {
+				"exclude": [
+					"http.log.access.log0"
+				]
+			},
+			"log0": {
+				"writer": {
+					"output": "stdout"
+				},
+				"encoder": {
+					"fields": {
+						"request\u003eheaders\u003eAuthorization": {
+							"filter": "multi_regexp",
+							"operations": [
+								{
+									"regexp": "Bearer\\s+([A-Za-z0-9_-]+)",
+									"value": "Bearer [REDACTED]"
+								},
+								{
+									"regexp": "Basic\\s+([A-Za-z0-9+/=]+)",
+									"value": "Basic [REDACTED]"
+								},
+								{
+									"regexp": "token=([^\u0026\\s]+)",
+									"value": "token=[REDACTED]"
+								}
+							]
+						},
+						"request\u003eheaders\u003eCookie": {
+							"filter": "regexp",
+							"regexp": "sessionid=[^;]+",
+							"value": "sessionid=[REDACTED]"
+						},
+						"request\u003eheaders\u003eServer": {
+							"filter": "delete"
+						},
+						"request\u003eremote_ip": {
+							"filter": "ip_mask",
+							"ipv4_cidr": 24,
+							"ipv6_cidr": 32
+						}
+					},
+					"format": "filter",
+					"wrap": {
+						"format": "console"
+					}
+				},
+				"include": [
+					"http.log.access.log0"
+				]
+			}
+		}
+	},
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"logs": {
+						"default_logger_name": "log0"
+					}
+				}
+			}
+		}
+	}
+} 

caddytest/integration/caddyfile_adapt/matcher_outside_site_block.caddyfiletest

@@ -0,0 +1,9 @@
+@foo {
+	path /foo
+}
+
+handle {
+	respond "should not work"
+}
+----------
+request matchers may not be defined globally, they must be in a site block; found @foo, at Caddyfile:1

caddytest/integration/caddyfile_adapt/reverse_proxy_trusted_proxies_unix.caddyfiletest

@@ -0,0 +1,59 @@
+{
+	servers {
+		trusted_proxies_unix
+	}
+}
+
+example.com {
+	reverse_proxy https://local:8080
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "reverse_proxy",
+													"transport": {
+														"protocol": "http",
+														"tls": {}
+													},
+													"upstreams": [
+														{
+															"dial": "local:8080"
+														}
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"trusted_proxies_unix": true
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/site_address_invalid_port.caddyfiletest

@@ -0,0 +1,7 @@
+:70000
+
+handle {
+	respond "should not work"
+}
+----------
+port 70000 is out of range

caddytest/integration/caddyfile_adapt/site_address_negative_port.caddyfiletest

@@ -0,0 +1,7 @@
+:-1
+
+handle {
+	respond "should not work"
+}
+----------
+port -1 is out of range

caddytest/integration/caddyfile_adapt/site_address_unsupported_scheme.caddyfiletest

@@ -0,0 +1,7 @@
+foo://example.com
+
+handle {
+	respond "hello"
+}
+----------
+unsupported URL scheme foo://

caddytest/integration/caddyfile_adapt/site_address_wss_invalid_port.caddyfiletest

@@ -0,0 +1,7 @@
+wss://example.com:70000
+
+handle {
+	respond "should not work"
+}
+----------
+port 70000 is out of range

caddytest/integration/caddyfile_adapt/site_address_wss_scheme.caddyfiletest

@@ -0,0 +1,7 @@
+wss://example.com
+
+handle {
+	respond "hello"
+}
+----------
+the scheme wss:// is only supported in browsers; use https:// instead

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf file ../caddy.ca.cer
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											},
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf folder ../
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											},
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_multiple_options_without_provider.caddyfiletest

@@ -0,0 +1,9 @@
+localhost
+
+tls {
+	propagation_delay 10s
+	dns_ttl 5m
+}
+
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_delay, dns_ttl] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:6

caddytest/integration/caddyfile_adapt/tls_dns_override_acme_dns.caddyfiletest

@@ -0,0 +1,79 @@
+{
+	acme_dns mock foo
+}
+
+localhost {
+	tls {
+		dns mock bar
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "bar",
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					},
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "foo",
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_override_global_dns.caddyfiletest

@@ -0,0 +1,68 @@
+{
+	dns mock foo
+}
+
+localhost {
+	tls {
+		dns mock bar
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "bar",
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			},
+			"dns": {
+				"argument": "foo",
+				"name": "mock"
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_propagation_timeout_without_provider.caddyfiletest

@@ -0,0 +1,7 @@
+:443 {
+	tls {
+		propagation_timeout 30s
+	}
+}
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_timeout] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:4

caddytest/integration/caddyfile_adapt/tls_dns_propagation_without_provider.caddyfiletest

@@ -0,0 +1,7 @@
+:443 {
+	tls {
+		propagation_delay 30s
+	}
+}
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_delay] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:4

caddytest/integration/caddyfile_adapt/tls_dns_resolvers_with_global_provider.caddyfiletest

@@ -0,0 +1,76 @@
+{
+	acme_dns mock
+}
+
+localhost {
+	tls {
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					},
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest

@@ -2,6 +2,7 @@ localhost
 
 respond "hello from localhost"
 tls {
+	dns mock
 	dns_ttl 5m10s
 }
 ----------
@@ -54,6 +55,9 @@ tls {
 							{
 								"challenges": {
 									"dns": {
+										"provider": {
+											"name": "mock"
+										},
 										"ttl": 310000000000
 									}
 								},

caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest

@@ -2,6 +2,7 @@ localhost
 
 respond "hello from localhost"
 tls {
+	dns mock
 	propagation_delay 5m10s
 	propagation_timeout 10m20s
 }
@@ -56,7 +57,10 @@ tls {
 								"challenges": {
 									"dns": {
 										"propagation_delay": 310000000000,
-										"propagation_timeout": 620000000000
+										"propagation_timeout": 620000000000,
+										"provider": {
+											"name": "mock"
+										}
 									}
 								},
 								"module": "acme"

caddytest/integration/caddyfile_adapt_test.go

@@ -9,8 +9,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddytest"
-
 	_ "github.com/caddyserver/caddy/v2/internal/testmocks"
 )
 
@@ -28,30 +28,48 @@ func TestCaddyfileAdaptToJSON(t *testing.T) {
 		if f.IsDir() {
 			continue
 		}
-
-		// read the test file
 		filename := f.Name()
-		data, err := os.ReadFile("./caddyfile_adapt/" + filename)
-		if err != nil {
-			t.Errorf("failed to read %s dir: %s", filename, err)
-		}
 
-		// split the Caddyfile (first) and JSON (second) parts
+		// run each file as a subtest, so that we can see which one fails more easily
-		// (append newline to Caddyfile to match formatter expectations)
+		t.Run(filename, func(t *testing.T) {
-		parts := strings.Split(string(data), "----------")
+			// read the test file
-		caddyfile, json := strings.TrimSpace(parts[0])+"\n", strings.TrimSpace(parts[1])
+			data, err := os.ReadFile("./caddyfile_adapt/" + filename)
+			if err != nil {
+				t.Errorf("failed to read %s dir: %s", filename, err)
+			}
 
-		// replace windows newlines in the json with unix newlines
+			// split the Caddyfile (first) and JSON (second) parts
-		json = winNewlines.ReplaceAllString(json, "\n")
+			// (append newline to Caddyfile to match formatter expectations)
+			parts := strings.Split(string(data), "----------")
+			caddyfile, expected := strings.TrimSpace(parts[0])+"\n", strings.TrimSpace(parts[1])
 
-		// replace os-specific default path for file_server's hide field
+			// replace windows newlines in the json with unix newlines
-		replacePath, _ := jsonMod.Marshal(fmt.Sprint(".", string(filepath.Separator), "Caddyfile"))
+			expected = winNewlines.ReplaceAllString(expected, "\n")
-		json = strings.ReplaceAll(json, `"./Caddyfile"`, string(replacePath))
 
-		// run the test
+			// replace os-specific default path for file_server's hide field
-		ok := caddytest.CompareAdapt(t, filename, caddyfile, "caddyfile", json)
+			replacePath, _ := jsonMod.Marshal(fmt.Sprint(".", string(filepath.Separator), "Caddyfile"))
-		if !ok {
+			expected = strings.ReplaceAll(expected, `"./Caddyfile"`, string(replacePath))
-			t.Errorf("failed to adapt %s", filename)
+
-		}
+			// if the expected output is JSON, compare it
+			if len(expected) > 0 && expected[0] == '{' {
+				ok := caddytest.CompareAdapt(t, filename, caddyfile, "caddyfile", expected)
+				if !ok {
+					t.Errorf("failed to adapt %s", filename)
+				}
+				return
+			}
+
+			// otherwise, adapt the Caddyfile and check for errors
+			cfgAdapter := caddyconfig.GetAdapter("caddyfile")
+			_, _, err = cfgAdapter.Adapt([]byte(caddyfile), nil)
+			if err == nil {
+				t.Errorf("expected error for %s but got none", filename)
+			} else {
+				normalizedErr := winNewlines.ReplaceAllString(err.Error(), "\n")
+				if !strings.Contains(normalizedErr, expected) {
+					t.Errorf("expected error for %s to contain:\n%s\nbut got:\n%s", filename, expected, normalizedErr)
+				}
+			}
+		})
 	}
 }

caddytest/integration/caddyfile_test.go

@@ -615,7 +615,6 @@ func TestReplaceWithReplacementPlaceholder(t *testing.T) {
 	respond "{query}"`, "caddyfile")
 
 	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
-
 }
 
 func TestReplaceWithKeyPlaceholder(t *testing.T) {
@@ -783,6 +782,46 @@ func TestHandleErrorRangeAndCodes(t *testing.T) {
 	tester.AssertGetResponse("http://localhost:9080/private", 410, "Error in the [400 .. 499] range")
 }
 
+func TestHandleErrorSubHandlers(t *testing.T) {
+	tester := caddytest.NewTester(t)
+	tester.InitServer(`{
+		admin localhost:2999
+		http_port     9080
+	}
+	localhost:9080 {
+		root * /srv
+		file_server
+		error /*/internalerr* "Internal Server Error" 500
+
+		handle_errors 404 {
+			handle /en/* {
+				respond "not found" 404
+			}
+			handle /es/* {
+				respond "no encontrado" 404
+			}
+			handle {
+				respond "default not found"
+			}
+		}
+		handle_errors {
+			handle {
+				respond "Default error"
+			}
+			handle /en/* {
+				respond "English error"
+			}
+		}
+	}
+	`, "caddyfile")
+	// act and assert
+	tester.AssertGetResponse("http://localhost:9080/en/notfound", 404, "not found")
+	tester.AssertGetResponse("http://localhost:9080/es/notfound", 404, "no encontrado")
+	tester.AssertGetResponse("http://localhost:9080/notfound", 404, "default not found")
+	tester.AssertGetResponse("http://localhost:9080/es/internalerr", 500, "Default error")
+	tester.AssertGetResponse("http://localhost:9080/en/internalerr", 500, "English error")
+}
+
 func TestInvalidSiteAddressesAsDirectives(t *testing.T) {
 	type testCase struct {
 		config, expectedError string

caddytest/integration/h2listener_test.go

@@ -0,0 +1,129 @@
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
+)
+
+func newH2ListenerWithVersionsWithTLSTester(t *testing.T, serverVersions []string, clientVersions []string) *caddytest.Tester {
+	const baseConfig = `
+	{
+		skip_install_trust
+		admin localhost:2999
+		http_port     9080
+		https_port    9443
+		servers :9443 {
+            protocols %s
+        }
+	}
+	localhost {
+		respond "{http.request.tls.proto} {http.request.proto}"
+	}
+	`
+	tester := caddytest.NewTester(t)
+	tester.InitServer(fmt.Sprintf(baseConfig, strings.Join(serverVersions, " ")), "caddyfile")
+
+	tr := tester.Client.Transport.(*http.Transport)
+	tr.TLSClientConfig.NextProtos = clientVersions
+	tr.Protocols = new(http.Protocols)
+	if slices.Contains(clientVersions, "h2") {
+		tr.ForceAttemptHTTP2 = true
+		tr.Protocols.SetHTTP2(true)
+	}
+	if !slices.Contains(clientVersions, "http/1.1") {
+		tr.Protocols.SetHTTP1(false)
+	}
+
+	return tester
+}
+
+func TestH2ListenerWithTLS(t *testing.T) {
+	tests := []struct {
+		serverVersions []string
+		clientVersions []string
+		expectedBody   string
+		failed         bool
+	}{
+		{[]string{"h2"}, []string{"h2"}, "h2 HTTP/2.0", false},
+		{[]string{"h2"}, []string{"http/1.1"}, "", true},
+		{[]string{"h1"}, []string{"http/1.1"}, "http/1.1 HTTP/1.1", false},
+		{[]string{"h1"}, []string{"h2"}, "", true},
+		{[]string{"h2", "h1"}, []string{"h2"}, "h2 HTTP/2.0", false},
+		{[]string{"h2", "h1"}, []string{"http/1.1"}, "http/1.1 HTTP/1.1", false},
+	}
+	for _, tc := range tests {
+		tester := newH2ListenerWithVersionsWithTLSTester(t, tc.serverVersions, tc.clientVersions)
+		t.Logf("running with server versions %v and client versions %v:", tc.serverVersions, tc.clientVersions)
+		if tc.failed {
+			resp, err := tester.Client.Get("https://localhost:9443")
+			if err == nil {
+				t.Errorf("unexpected response: %d", resp.StatusCode)
+			}
+		} else {
+			tester.AssertGetResponse("https://localhost:9443", 200, tc.expectedBody)
+		}
+	}
+}
+
+func newH2ListenerWithVersionsWithoutTLSTester(t *testing.T, serverVersions []string, clientVersions []string) *caddytest.Tester {
+	const baseConfig = `
+	{
+		skip_install_trust
+		admin localhost:2999
+		http_port     9080
+		servers :9080 {
+            protocols %s
+        }
+	}
+	http://localhost {
+		respond "{http.request.proto}"
+	}
+	`
+	tester := caddytest.NewTester(t)
+	tester.InitServer(fmt.Sprintf(baseConfig, strings.Join(serverVersions, " ")), "caddyfile")
+
+	tr := tester.Client.Transport.(*http.Transport)
+	tr.Protocols = new(http.Protocols)
+	if slices.Contains(clientVersions, "h2c") {
+		tr.Protocols.SetHTTP1(false)
+		tr.Protocols.SetUnencryptedHTTP2(true)
+	} else if slices.Contains(clientVersions, "http/1.1") {
+		tr.Protocols.SetHTTP1(true)
+		tr.Protocols.SetUnencryptedHTTP2(false)
+	}
+
+	return tester
+}
+
+func TestH2ListenerWithoutTLS(t *testing.T) {
+	tests := []struct {
+		serverVersions []string
+		clientVersions []string
+		expectedBody   string
+		failed         bool
+	}{
+		{[]string{"h2c"}, []string{"h2c"}, "HTTP/2.0", false},
+		{[]string{"h2c"}, []string{"http/1.1"}, "", true},
+		{[]string{"h1"}, []string{"http/1.1"}, "HTTP/1.1", false},
+		{[]string{"h1"}, []string{"h2c"}, "", true},
+		{[]string{"h2c", "h1"}, []string{"h2c"}, "HTTP/2.0", false},
+		{[]string{"h2c", "h1"}, []string{"http/1.1"}, "HTTP/1.1", false},
+	}
+	for _, tc := range tests {
+		tester := newH2ListenerWithVersionsWithoutTLSTester(t, tc.serverVersions, tc.clientVersions)
+		t.Logf("running with server versions %v and client versions %v:", tc.serverVersions, tc.clientVersions)
+		if tc.failed {
+			resp, err := tester.Client.Get("http://localhost:9080")
+			if err == nil {
+				t.Errorf("unexpected response: %d", resp.StatusCode)
+			}
+		} else {
+			tester.AssertGetResponse("http://localhost:9080", 200, tc.expectedBody)
+		}
+	}
+}

caddytest/integration/mockdns_test.go

@@ -3,10 +3,11 @@ package integration
 import (
 	"context"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -14,7 +15,9 @@ func init() {
 }
 
 // MockDNSProvider is a mock DNS provider, for testing config with DNS modules.
-type MockDNSProvider struct{}
+type MockDNSProvider struct {
+	Argument string `json:"argument,omitempty"` // optional argument useful for testing
+}
 
 // CaddyModule returns the Caddy module information.
 func (MockDNSProvider) CaddyModule() caddy.ModuleInfo {
@@ -30,7 +33,15 @@ func (MockDNSProvider) Provision(ctx caddy.Context) error {
 }
 
 // UnmarshalCaddyfile sets up the module from Caddyfile tokens.
-func (MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+func (p *MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume directive name
+
+	if d.NextArg() {
+		p.Argument = d.Val()
+	}
+	if d.NextArg() {
+		return d.Errf("unexpected argument '%s'", d.Val())
+	}
 	return nil
 }
 
@@ -55,7 +66,9 @@ func (MockDNSProvider) SetRecords(ctx context.Context, zone string, recs []libdn
 }
 
 // Interface guard
-var _ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
+var (
-var _ certmagic.DNSProvider = (*MockDNSProvider)(nil)
+	_ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
-var _ caddy.Provisioner = (*MockDNSProvider)(nil)
+	_ certmagic.DNSProvider = (*MockDNSProvider)(nil)
-var _ caddy.Module = (*MockDNSProvider)(nil)
+	_ caddy.Provisioner     = (*MockDNSProvider)(nil)
+	_ caddy.Module          = (*MockDNSProvider)(nil)
+)

caddytest/integration/stream_test.go

@@ -13,9 +13,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 // (see https://github.com/caddyserver/caddy/issues/3556 for use case)

cmd/commandfuncs.go

@@ -24,6 +24,7 @@ import (
 	"io"
 	"io/fs"
 	"log"
+	"maps"
 	"net"
 	"net/http"
 	"os"
@@ -171,9 +172,19 @@ func cmdStart(fl Flags) (int, error) {
 func cmdRun(fl Flags) (int, error) {
 	caddy.TrapSignals()
 
-	logger := caddy.Log()
+	// set up buffered logging for early startup
+	// so that we can hold onto logs until after
+	// the config is loaded (or fails to load)
+	// so that we can write the logs to the user's
+	// configured output. we must be sure to flush
+	// on any error before the config is loaded.
+	logger, defaultLogger, logBuffer := caddy.BufferedLog()
+
 	undoMaxProcs := setResourceLimits(logger)
 	defer undoMaxProcs()
+	// release the local reference to the undo function so it can be GC'd;
+	// the deferred call above has already captured the actual function value.
+	undoMaxProcs = nil //nolint:ineffassign,wastedassign
 
 	configFlag := fl.String("config")
 	configAdapterFlag := fl.String("adapter")
@@ -186,6 +197,7 @@ func cmdRun(fl Flags) (int, error) {
 	// load all additional envs as soon as possible
 	err := handleEnvFileFlag(fl)
 	if err != nil {
+		logBuffer.FlushTo(defaultLogger)
 		return caddy.ExitCodeFailedStartup, err
 	}
 
@@ -203,6 +215,7 @@ func cmdRun(fl Flags) (int, error) {
 			logger.Info("no autosave file exists", zap.String("autosave_file", caddy.ConfigAutosavePath))
 			resumeFlag = false
 		} else if err != nil {
+			logBuffer.FlushTo(defaultLogger)
 			return caddy.ExitCodeFailedStartup, err
 		} else {
 			if configFlag == "" {
@@ -218,9 +231,11 @@ func cmdRun(fl Flags) (int, error) {
 	}
 	// we don't use 'else' here since this value might have been changed in 'if' block; i.e. not mutually exclusive
 	var configFile string
+	var adapterUsed string
 	if !resumeFlag {
-		config, configFile, err = LoadConfig(configFlag, configAdapterFlag)
+		config, configFile, adapterUsed, err = LoadConfig(configFlag, configAdapterFlag)
 		if err != nil {
+			logBuffer.FlushTo(defaultLogger)
 			return caddy.ExitCodeFailedStartup, err
 		}
 	}
@@ -235,11 +250,35 @@ func cmdRun(fl Flags) (int, error) {
 		}
 	}
 
+	// If we have a source config file (we're running via 'caddy run --config ...'),
+	// record it so SIGUSR1 can reload from the same file. Also provide a callback
+	// that knows how to load/adapt that source when requested by the main process.
+	if configFile != "" {
+		caddy.SetLastConfig(configFile, adapterUsed, func(file, adapter string) error {
+			cfg, _, _, err := LoadConfig(file, adapter)
+			if err != nil {
+				return err
+			}
+			return caddy.Load(cfg, true)
+		})
+	}
+
 	// run the initial config
 	err = caddy.Load(config, true)
 	if err != nil {
+		logBuffer.FlushTo(defaultLogger)
 		return caddy.ExitCodeFailedStartup, fmt.Errorf("loading initial config: %v", err)
 	}
+	// release the reference to the config so it can be GC'd
+	config = nil //nolint:ineffassign,wastedassign
+
+	// at this stage the config will have replaced the
+	// default logger to the configured one, so we can
+	// log normally, now that the config is running.
+	// also clear our ref to the buffer so it can get GC'd
+	logger = caddy.Log()
+	defaultLogger = nil //nolint:ineffassign,wastedassign
+	logBuffer = nil     //nolint:wastedassign,ineffassign
 	logger.Info("serving initial configuration")
 
 	// if we are to report to another process the successful start
@@ -255,18 +294,22 @@ func cmdRun(fl Flags) (int, error) {
 			return caddy.ExitCodeFailedStartup,
 				fmt.Errorf("dialing confirmation address: %v", err)
 		}
-		defer conn.Close()
 		_, err = conn.Write(confirmationBytes)
 		if err != nil {
 			return caddy.ExitCodeFailedStartup,
 				fmt.Errorf("writing confirmation bytes to %s: %v", pingbackFlag, err)
 		}
+		// close (non-defer because we `select {}` below)
+		// and release references so they can be GC'd
+		conn.Close()
+		confirmationBytes = nil //nolint:ineffassign,wastedassign
+		conn = nil              //nolint:wastedassign,ineffassign
 	}
 
 	// if enabled, reload config file automatically on changes
 	// (this better only be used in dev!)
 	if watchFlag {
-		go watchConfigFile(configFile, configAdapterFlag)
+		go watchConfigFile(configFile, adapterUsed)
 	}
 
 	// warn if the environment does not provide enough information about the disk
@@ -288,6 +331,9 @@ func cmdRun(fl Flags) (int, error) {
 		}
 	}
 
+	// release the last local logger reference
+	logger = nil //nolint:wastedassign,ineffassign
+
 	select {}
 }
 
@@ -318,7 +364,7 @@ func cmdReload(fl Flags) (int, error) {
 	forceFlag := fl.Bool("force")
 
 	// get the config in caddy's native format
-	config, configFile, err := LoadConfig(configFlag, configAdapterFlag)
+	config, configFile, adapterUsed, err := LoadConfig(configFlag, configAdapterFlag)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
 	}
@@ -336,6 +382,10 @@ func cmdReload(fl Flags) (int, error) {
 	if forceFlag {
 		headers.Set("Cache-Control", "must-revalidate")
 	}
+	// Provide the source file/adapter to the running process so it can
+	// preserve its last-config knowledge if this reload came from the same source.
+	headers.Set("Caddy-Config-Source-File", configFile)
+	headers.Set("Caddy-Config-Source-Adapter", adapterUsed)
 
 	resp, err := AdminAPIRequest(adminAddr, http.MethodPost, "/load", headers, bytes.NewReader(config))
 	if err != nil {
@@ -440,16 +490,20 @@ func cmdEnviron(fl Flags) (int, error) {
 }
 
 func cmdAdaptConfig(fl Flags) (int, error) {
-	inputFlag := fl.String("config")
+	configFlag := fl.String("config")
 	adapterFlag := fl.String("adapter")
 	prettyFlag := fl.Bool("pretty")
 	validateFlag := fl.Bool("validate")
 
 	var err error
-	inputFlag, err = configFileWithRespectToDefault(caddy.Log(), inputFlag)
+	configFlag, err = configFileWithRespectToDefault(caddy.Log(), configFlag)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
 	}
+	if configFlag == "" {
+		return caddy.ExitCodeFailedStartup,
+			fmt.Errorf("input file required when there is no Caddyfile in current directory (use --config flag)")
+	}
 
 	// load all additional envs as soon as possible
 	err = handleEnvFileFlag(fl)
@@ -468,13 +522,19 @@ func cmdAdaptConfig(fl Flags) (int, error) {
 			fmt.Errorf("unrecognized config adapter: %s", adapterFlag)
 	}
 
-	input, err := os.ReadFile(inputFlag)
+	var input []byte
+	// read from stdin if the file name is "-"
+	if configFlag == "-" {
+		input, err = io.ReadAll(os.Stdin)
+	} else {
+		input, err = os.ReadFile(configFlag)
+	}
 	if err != nil {
 		return caddy.ExitCodeFailedStartup,
 			fmt.Errorf("reading input file: %v", err)
 	}
 
-	opts := map[string]any{"filename": inputFlag}
+	opts := map[string]any{"filename": configFlag}
 
 	adaptedConfig, warnings, err := cfgAdapter.Adapt(input, opts)
 	if err != nil {
@@ -540,7 +600,7 @@ func cmdValidateConfig(fl Flags) (int, error) {
 			fmt.Errorf("input file required when there is no Caddyfile in current directory (use --config flag)")
 	}
 
-	input, _, err := LoadConfig(configFlag, adapterFlag)
+	input, _, _, err := LoadConfig(configFlag, adapterFlag)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
 	}
@@ -703,9 +763,7 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
 	if body != nil {
 		req.Header.Set("Content-Type", "application/json")
 	}
-	for k, v := range headers {
+	maps.Copy(req.Header, headers)
-		req.Header[k] = v
-	}
 
 	// make an HTTP client that dials our network type, since admin
 	// endpoints aren't always TCP, which is what the default transport
@@ -757,7 +815,7 @@ func DetermineAdminAPIAddress(address string, config []byte, configFile, configA
 		loadedConfig := config
 		if len(loadedConfig) == 0 {
 			// get the config in caddy's native format
-			loadedConfig, loadedConfigFile, err = LoadConfig(configFile, configAdapter)
+			loadedConfig, loadedConfigFile, _, err = LoadConfig(configFile, configAdapter)
 			if err != nil {
 				return "", err
 			}

cmd/commands.go

@@ -20,6 +20,7 @@ import (
 	"os"
 	"regexp"
 	"strings"
+	"sync"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
@@ -80,10 +81,16 @@ type CommandFunc func(Flags) (int, error)
 // Commands returns a list of commands initialised by
 // RegisterCommand
 func Commands() map[string]Command {
+	commandsMu.RLock()
+	defer commandsMu.RUnlock()
+
 	return commands
 }
 
-var commands = make(map[string]Command)
+var (
+	commandsMu sync.RWMutex
+	commands   = make(map[string]Command)
+)
 
 func init() {
 	RegisterCommand(Command{
@@ -286,6 +293,8 @@ zero exit status will be returned.
 
 If --envfile is specified, an environment file with environment variables
 in the KEY=VALUE format will be loaded into the Caddy process.
+
+If you wish to use stdin instead of a regular file, use - as the path.
 `,
 		CobraFunc: func(cmd *cobra.Command) {
 			cmd.Flags().StringP("config", "c", "", "Configuration file to adapt (required)")
@@ -383,7 +392,7 @@ lines will be prefixed with '-' and '+' where they differ. Note that
 unchanged lines are prefixed with two spaces for alignment, and that this
 is not a valid patch format.
 
-If you wish you use stdin instead of a regular file, use - as the path.
+If you wish to use stdin instead of a regular file, use - as the path.
 When reading from stdin, the --overwrite flag has no effect: the result
 is always printed to stdout.
 `,
@@ -441,7 +450,7 @@ EXPERIMENTAL: May be changed or removed.
 	})
 
 	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.AddCommand(caddyCmdToCobra(Command{
+		manpageCommand := Command{
 			Name:  "manpage",
 			Usage: "--directory <path>",
 			Short: "Generates the manual pages for Caddy commands",
@@ -471,11 +480,12 @@ argument of --directory. If the directory does not exist, it will be created.
 					return caddy.ExitCodeSuccess, nil
 				})
 			},
-		}))
+		}
 
-		// source: https://github.com/spf13/cobra/blob/main/shell_completions.md
+		// source: https://github.com/spf13/cobra/blob/6dec1ae26659a130bdb4c985768d1853b0e1bc06/site/content/completions/_index.md
-		rootCmd.AddCommand(&cobra.Command{
+		completionCommand := Command{
-			Use:   "completion [bash|zsh|fish|powershell]",
+			Name:  "completion",
+			Usage: "[bash|zsh|fish|powershell]",
 			Short: "Generate completion script",
 			Long: fmt.Sprintf(`To load completions:
 
@@ -516,24 +526,37 @@ argument of --directory. If the directory does not exist, it will be created.
 	  PS> %[1]s completion powershell > %[1]s.ps1
 	  # and source this file from your PowerShell profile.
 	`, rootCmd.Root().Name()),
-			DisableFlagsInUseLine: true,
+			CobraFunc: func(cmd *cobra.Command) {
-			ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
+				cmd.DisableFlagsInUseLine = true
-			Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+				cmd.ValidArgs = []string{"bash", "zsh", "fish", "powershell"}
-			RunE: func(cmd *cobra.Command, args []string) error {
+				cmd.Args = cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs)
-				switch args[0] {
+				cmd.RunE = func(cmd *cobra.Command, args []string) error {
-				case "bash":
+					switch args[0] {
-					return cmd.Root().GenBashCompletion(os.Stdout)
+					case "bash":
-				case "zsh":
+						return cmd.Root().GenBashCompletion(os.Stdout)
-					return cmd.Root().GenZshCompletion(os.Stdout)
+					case "zsh":
-				case "fish":
+						return cmd.Root().GenZshCompletion(os.Stdout)
-					return cmd.Root().GenFishCompletion(os.Stdout, true)
+					case "fish":
-				case "powershell":
+						return cmd.Root().GenFishCompletion(os.Stdout, true)
-					return cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+					case "powershell":
-				default:
+						return cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
-					return fmt.Errorf("unrecognized shell: %s", args[0])
+					default:
+						return fmt.Errorf("unrecognized shell: %s", args[0])
+					}
 				}
 			},
-		})
+		}
+
+		rootCmd.AddCommand(caddyCmdToCobra(manpageCommand))
+		rootCmd.AddCommand(caddyCmdToCobra(completionCommand))
+
+		// add manpage and completion commands to the map of
+		// available commands, because they're not registered
+		// through RegisterCommand.
+		commandsMu.Lock()
+		commands[manpageCommand.Name] = manpageCommand
+		commands[completionCommand.Name] = completionCommand
+		commandsMu.Unlock()
 	})
 }
 
@@ -552,6 +575,9 @@ argument of --directory. If the directory does not exist, it will be created.
 //
 // This function should be used in init().
 func RegisterCommand(cmd Command) {
+	commandsMu.Lock()
+	defer commandsMu.Unlock()
+
 	if cmd.Name == "" {
 		panic("command name is required")
 	}
@@ -570,6 +596,7 @@ func RegisterCommand(cmd Command) {
 	defaultFactory.Use(func(rootCmd *cobra.Command) {
 		rootCmd.AddCommand(caddyCmdToCobra(cmd))
 	})
+	commands[cmd.Name] = cmd
 }
 
 var commandNameRegex = regexp.MustCompile(`^[a-z0-9]$|^([a-z0-9]+-?[a-z0-9]*)+[a-z0-9]$`)

cmd/commands_test.go

@@ -0,0 +1,39 @@
+package caddycmd
+
+import (
+	"maps"
+	"reflect"
+	"slices"
+	"testing"
+)
+
+func TestCommandsAreAvailable(t *testing.T) {
+	// trigger init, and build the default factory, so that
+	// all commands from this package are available
+	cmd := defaultFactory.Build()
+	if cmd == nil {
+		t.Fatal("default factory failed to build")
+	}
+
+	// check that the default factory has 17 commands; it doesn't
+	// include the commands registered through calls to init in
+	// other packages
+	cmds := Commands()
+	if len(cmds) != 17 {
+		t.Errorf("expected 17 commands, got %d", len(cmds))
+	}
+
+	commandNames := slices.Collect(maps.Keys(cmds))
+	slices.Sort(commandNames)
+
+	expectedCommandNames := []string{
+		"adapt", "add-package", "build-info", "completion",
+		"environ", "fmt", "list-modules", "manpage",
+		"reload", "remove-package", "run", "start",
+		"stop", "storage", "upgrade", "validate", "version",
+	}
+
+	if !reflect.DeepEqual(expectedCommandNames, commandNames) {
+		t.Errorf("expected %v, got %v", expectedCommandNames, commandNames)
+	}
+}