Merge branch 'master' into leaf-verifier-caddyfile

2025-05-24 02:02:26 -04:00 · 2025-04-16 01:03:32 +03:00 · 2025-04-16 01:03:32 +03:00 · 01fa65ad56
commit 01fa65ad56
parent 5a9471f884 137711ae3e
69 changed files with 3380 additions and 609 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -12,28 +12,28 @@ on:
      - master
      - 2.*
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 jobs:
  test:
    strategy:
      # Default is true, cancels jobs for other platforms in the matrix if one fails
      fail-fast: false
      matrix:
-        os: 
+        os:
          - linux
          - mac
          - windows
-        go: 
+        go:
-          - '1.22'
+          - '1.24'
          - '1.23'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
+        - go: '1.24'
-          GO_SEMVER: '~1.22.3'
+          GO_SEMVER: '~1.24.1'
        - go: '1.23'
          GO_SEMVER: '~1.23.0'
        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@ -99,7 +99,7 @@ jobs:
      env:
        CGO_ENABLED: 0
      run: |
-        go build -tags nobadger -trimpath -ldflags="-w -s" -v
+        go build -tags nobadger,nomysql,nopgx -trimpath -ldflags="-w -s" -v
    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
@ -122,7 +122,7 @@ jobs:
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -tags nobadger,nomysql,nopgx -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT
    # Relevant step if we reinvestigate publishing test/coverage reports
@ -170,7 +170,7 @@ jobs:
          retries=3
          exit_code=0
          while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
+            CGO_ENABLED=0 go test -p 1 -tags nobadger,nomysql,nopgx -v ./...
            exit_code=$?
            if ((exit_code == 0)); then
              break
@ -206,7 +206,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "~1.23"
+          go-version: "~1.24"
          check-latest: true
      - name: Install xcaddy
        run: |
--- a/.github/workflows/cross-build.yml
+++ b/.github/workflows/cross-build.yml
@ -10,12 +10,16 @@ on:
      - master
      - 2.*
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
-        goos: 
+        goos:
          - 'aix'
          - 'linux'
          - 'solaris'
@ -26,18 +30,14 @@ jobs:
          - 'windows'
          - 'darwin'
          - 'netbsd'
-        go: 
+        go:
-          - '1.22'
+          - '1.24'
          - '1.23'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
+        - go: '1.24'
-          GO_SEMVER: '~1.22.3'
+          GO_SEMVER: '~1.24.1'
        - go: '1.23'
          GO_SEMVER: '~1.23.0'
    runs-on: ubuntu-latest
    continue-on-error: true
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -13,6 +13,10 @@ on:
 permissions:
  contents: read
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
@ -43,7 +47,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
-          go-version: '~1.23'
+          go-version: '~1.24'
          check-latest: true
      - name: golangci-lint
@ -63,5 +67,5 @@ jobs:
      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
-          go-version-input: '~1.23.0'
+          go-version-input: '~1.24.1'
          check-latest: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -5,6 +5,10 @@ on:
    tags:
      - 'v*.*.*'
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 jobs:
  release:
    name: Release
@ -13,13 +17,13 @@ jobs:
        os: 
          - ubuntu-latest
        go: 
-          - '1.23'
+          - '1.24'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.23'
+        - go: '1.24'
-          GO_SEMVER: '~1.23.0'
+          GO_SEMVER: '~1.24.1'
    runs-on: ${{ matrix.os }}
    # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -111,7 +111,7 @@ archives:
  - id: default
    format_overrides:
      - goos: windows
-        format: zip
+        formats: zip
    name_template: >-
      {{ .ProjectName }}_
      {{- .Version }}_
--- a/README.md
+++ b/README.md
@ -16,7 +16,7 @@
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	<br>
-	<a href="https://twitter.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/badge/twitter-@caddyserver-55acee.svg" alt="@caddyserver on Twitter"></a>
+	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
 	<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
 	<br>
 	<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
@ -67,6 +67,7 @@
 	- Fully-managed local CA for internal names & IPs
 	- Can coordinate with other Caddy instances in a cluster
 	- Multi-issuer fallback
 	- Encrypted ClientHello (ECH) support
 - **Stays up when other servers go down** due to TLS/OCSP/certificate-related issues
 - **Production-ready** after serving trillions of requests and managing millions of TLS certificates
 - **Scales to hundreds of thousands of sites** as proven in production
@ -87,7 +88,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 Requirements:
- [Go 1.22.3 or newer](https://golang.org/dl/)
+- [Go 1.24.0 or newer](https://golang.org/dl/)
 ### For development
@ -176,7 +177,7 @@ The docs are also open source. You can contribute to them here: https://github.c
 ## Getting help
- We advise companies using Caddy to secure a support contract through [Ardan Labs](https://www.ardanlabs.com/my/contact-us?dd=caddy) before help is needed.
+- We advise companies using Caddy to secure a support contract through [Ardan Labs](https://www.ardanlabs.com) before help is needed.
 - A [sponsorship](https://github.com/sponsors/mholt) goes a long way! We can offer private help to sponsors. If Caddy is benefitting your company, please consider a sponsorship. This not only helps fund full-time work to ensure the longevity of the project, it provides your company the resources, support, and discounts you need; along with being a great look for your company to your customers and potential customers!
@ -192,8 +193,8 @@ Matthew Holt began developing Caddy in 2014 while studying computer science at B
 **The name "Caddy" is trademarked.** The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". Caddy is a registered trademark of Stack Holdings GmbH.
- _Project on Twitter: [@caddyserver](https://twitter.com/caddyserver)_
+- _Project on X: [@caddyserver](https://x.com/caddyserver)_
- _Author on Twitter: [@mholt6](https://twitter.com/mholt6)_
+- _Author on X: [@mholt6](https://x.com/mholt6)_
 Caddy is a project of [ZeroSSL](https://zerossl.com), a Stack Holdings company.
--- a/admin.go
+++ b/admin.go
@ -221,7 +221,8 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Co
 	if remote {
 		muxWrap.remoteControl = admin.Remote
 	} else {
-		muxWrap.enforceHost = !addr.isWildcardInterface()
+		// see comment in allowedOrigins() as to why we disable the host check for unix/fd networks
 		muxWrap.enforceHost = !addr.isWildcardInterface() && !addr.IsUnixNetwork() && !addr.IsFdNetwork()
 		muxWrap.allowedOrigins = admin.allowedOrigins(addr)
 		muxWrap.enforceOrigin = admin.EnforceOrigin
 	}
@ -310,47 +311,43 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 	for _, o := range admin.Origins {
 		uniqueOrigins[o] = struct{}{}
 	}
-	if admin.Origins == nil {
+	// RFC 2616, Section 14.26:
 	// "A client MUST include a Host header field in all HTTP/1.1 request
 	// messages. If the requested URI does not include an Internet host
 	// name for the service being requested, then the Host header field MUST
 	// be given with an empty value."
 	//
 	// UPDATE July 2023: Go broke this by patching a minor security bug in 1.20.6.
 	// Understandable, but frustrating. See:
 	// https://github.com/golang/go/issues/60374
 	// See also the discussion here:
 	// https://github.com/golang/go/issues/61431
 	//
 	// We can no longer conform to RFC 2616 Section 14.26 from either Go or curl
 	// in purity. (Curl allowed no host between 7.40 and 7.50, but now requires a
 	// bogus host; see https://superuser.com/a/925610.) If we disable Host/Origin
 	// security checks, the infosec community assures me that it is secure to do
 	// so, because:
 	//
 	// 1) Browsers do not allow access to unix sockets
 	// 2) DNS is irrelevant to unix sockets
 	//
 	// If either of those two statements ever fail to hold true, it is not the
 	// fault of Caddy.
 	//
 	// Thus, we do not fill out allowed origins and do not enforce Host
 	// requirements for unix sockets. Enforcing it leads to confusion and
 	// frustration, when UDS have their own permissions from the OS.
 	// Enforcing host requirements here is effectively security theater,
 	// and a false sense of security.
 	//
 	// See also the discussion in #6832.
 	if admin.Origins == nil && !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
 		if addr.isLoopback() {
-			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
+			uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
-				// RFC 2616, Section 14.26:
+			uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
-				// "A client MUST include a Host header field in all HTTP/1.1 request
+			uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
-				// messages. If the requested URI does not include an Internet host
+		} else {
 				// name for the service being requested, then the Host header field MUST
 				// be given with an empty value."
 				//
 				// UPDATE July 2023: Go broke this by patching a minor security bug in 1.20.6.
 				// Understandable, but frustrating. See:
 				// https://github.com/golang/go/issues/60374
 				// See also the discussion here:
 				// https://github.com/golang/go/issues/61431
 				//
 				// We can no longer conform to RFC 2616 Section 14.26 from either Go or curl
 				// in purity. (Curl allowed no host between 7.40 and 7.50, but now requires a
 				// bogus host; see https://superuser.com/a/925610.) If we disable Host/Origin
 				// security checks, the infosec community assures me that it is secure to do
 				// so, because:
 				// 1) Browsers do not allow access to unix sockets
 				// 2) DNS is irrelevant to unix sockets
 				//
 				// I am not quite ready to trust either of those external factors, so instead
 				// of disabling Host/Origin checks, we now allow specific Host values when
 				// accessing the admin endpoint over unix sockets. I definitely don't trust
 				// DNS (e.g. I don't trust 'localhost' to always resolve to the local host),
 				// and IP shouldn't even be used, but if it is for some reason, I think we can
 				// at least be reasonably assured that 127.0.0.1 and ::1 route to the local
 				// machine, meaning that a hypothetical browser origin would have to be on the
 				// local machine as well.
 				uniqueOrigins[""] = struct{}{}
 				uniqueOrigins["127.0.0.1"] = struct{}{}
 				uniqueOrigins["::1"] = struct{}{}
 			} else {
 				uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
 				uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
 				uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
 			}
 		}
 		if !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
 			uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
 		}
 	}
@ -1139,7 +1136,7 @@ traverseLoop:
 						return fmt.Errorf("[%s] invalid array index '%s': %v",
 							path, idxStr, err)
 					}
-					if idx < 0 || idx >= len(arr) {
+					if idx < 0 || (method != http.MethodPut && idx >= len(arr)) || idx > len(arr) {
 						return fmt.Errorf("[%s] array index out of bounds: %s", path, idxStr)
 					}
 				}
--- a/admin_test.go
+++ b/admin_test.go
@ -15,12 +15,19 @@
 package caddy
 import (
 	"context"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"sync"
 	"testing"
 	"github.com/caddyserver/certmagic"
 	"github.com/prometheus/client_golang/prometheus"
 	dto "github.com/prometheus/client_model/go"
 )
 var testCfg = []byte(`{
@ -203,3 +210,727 @@ func BenchmarkLoad(b *testing.B) {
 		Load(testCfg, true)
 	}
 }
 func TestAdminHandlerErrorHandling(t *testing.T) {
 	initAdminMetrics()
 	handler := adminHandler{
 		mux: http.NewServeMux(),
 	}
 	handler.mux.Handle("/error", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		err := fmt.Errorf("test error")
 		handler.handleError(w, r, err)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/error", nil)
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	if rr.Code == http.StatusOK {
 		t.Error("expected error response, got success")
 	}
 	var apiErr APIError
 	if err := json.NewDecoder(rr.Body).Decode(&apiErr); err != nil {
 		t.Fatalf("decoding response: %v", err)
 	}
 	if apiErr.Message != "test error" {
 		t.Errorf("expected error message 'test error', got '%s'", apiErr.Message)
 	}
 }
 func initAdminMetrics() {
 	if adminMetrics.requestErrors != nil {
 		prometheus.Unregister(adminMetrics.requestErrors)
 	}
 	if adminMetrics.requestCount != nil {
 		prometheus.Unregister(adminMetrics.requestCount)
 	}
 	adminMetrics.requestErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "caddy",
 		Subsystem: "admin_http",
 		Name:      "request_errors_total",
 		Help:      "Number of errors that occurred handling admin endpoint requests",
 	}, []string{"handler", "path", "method"})
 	adminMetrics.requestCount = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "caddy",
 		Subsystem: "admin_http",
 		Name:      "requests_total",
 		Help:      "Count of requests to the admin endpoint",
 	}, []string{"handler", "path", "code", "method"}) // Added code and method labels
 	prometheus.MustRegister(adminMetrics.requestErrors)
 	prometheus.MustRegister(adminMetrics.requestCount)
 }
 func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 	initAdminMetrics()
 	cfg := &Config{
 		Admin: &AdminConfig{
 			Listen: "localhost:2019",
 		},
 	}
 	err := replaceLocalAdminServer(cfg, Context{})
 	if err != nil {
 		t.Fatalf("setting up admin server: %v", err)
 	}
 	defer func() {
 		stopAdminServer(localAdminServer)
 	}()
 	tests := []struct {
 		name           string
 		path           string
 		method         string
 		expectedStatus int
 	}{
 		{
 			name:           "stop endpoint wrong method",
 			path:           "/stop",
 			method:         http.MethodGet,
 			expectedStatus: http.StatusMethodNotAllowed,
 		},
 		{
 			name:           "config endpoint wrong content-type",
 			path:           "/config/",
 			method:         http.MethodPost,
 			expectedStatus: http.StatusBadRequest,
 		},
 		{
 			name:           "config ID missing ID",
 			path:           "/id/",
 			method:         http.MethodGet,
 			expectedStatus: http.StatusBadRequest,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			req := httptest.NewRequest(test.method, fmt.Sprintf("http://localhost:2019%s", test.path), nil)
 			rr := httptest.NewRecorder()
 			localAdminServer.Handler.ServeHTTP(rr, req)
 			if rr.Code != test.expectedStatus {
 				t.Errorf("expected status %d but got %d", test.expectedStatus, rr.Code)
 			}
 			metricValue := testGetMetricValue(map[string]string{
 				"path":    test.path,
 				"handler": "admin",
 				"method":  test.method,
 			})
 			if metricValue != 1 {
 				t.Errorf("expected error metric to be incremented once, got %v", metricValue)
 			}
 		})
 	}
 }
 func testGetMetricValue(labels map[string]string) float64 {
 	promLabels := prometheus.Labels{}
 	for k, v := range labels {
 		promLabels[k] = v
 	}
 	metric, err := adminMetrics.requestErrors.GetMetricWith(promLabels)
 	if err != nil {
 		return 0
 	}
 	pb := &dto.Metric{}
 	metric.Write(pb)
 	return pb.GetCounter().GetValue()
 }
 type mockRouter struct {
 	routes []AdminRoute
 }
 func (m mockRouter) Routes() []AdminRoute {
 	return m.routes
 }
 type mockModule struct {
 	mockRouter
 }
 func (m *mockModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "admin.api.mock",
 		New: func() Module {
 			mm := &mockModule{
 				mockRouter: mockRouter{
 					routes: m.routes,
 				},
 			}
 			return mm
 		},
 	}
 }
 func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
 	for k, v := range modules {
 		originalModules[k] = v
 	}
 	defer func() {
 		modules = originalModules
 	}()
 	mockRoute := AdminRoute{
 		Pattern: "/mock",
 		Handler: AdminHandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 			w.WriteHeader(http.StatusOK)
 			return nil
 		}),
 	}
 	mock := &mockModule{
 		mockRouter: mockRouter{
 			routes: []AdminRoute{mockRoute},
 		},
 	}
 	RegisterModule(mock)
 	addr, err := ParseNetworkAddress("localhost:2019")
 	if err != nil {
 		t.Fatalf("Failed to parse address: %v", err)
 	}
 	admin := &AdminConfig{
 		EnforceOrigin: false,
 	}
 	handler := admin.newAdminHandler(addr, false, Context{})
 	req := httptest.NewRequest("GET", "/mock", nil)
 	req.Host = "localhost:2019"
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	if rr.Code != http.StatusOK {
 		t.Errorf("Expected status code %d but got %d", http.StatusOK, rr.Code)
 		t.Logf("Response body: %s", rr.Body.String())
 	}
 	if len(admin.routers) != 1 {
 		t.Errorf("Expected 1 router to be stored, got %d", len(admin.routers))
 	}
 }
 type mockProvisionableRouter struct {
 	mockRouter
 	provisionErr error
 	provisioned  bool
 }
 func (m *mockProvisionableRouter) Provision(Context) error {
 	m.provisioned = true
 	return m.provisionErr
 }
 type mockProvisionableModule struct {
 	*mockProvisionableRouter
 }
 func (m *mockProvisionableModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "admin.api.mock_provision",
 		New: func() Module {
 			mm := &mockProvisionableModule{
 				mockProvisionableRouter: &mockProvisionableRouter{
 					mockRouter:   m.mockRouter,
 					provisionErr: m.provisionErr,
 				},
 			}
 			return mm
 		},
 	}
 }
 func TestAdminRouterProvisioning(t *testing.T) {
 	tests := []struct {
 		name         string
 		provisionErr error
 		wantErr      bool
 		routersAfter int // expected number of routers after provisioning
 	}{
 		{
 			name:         "successful provisioning",
 			provisionErr: nil,
 			wantErr:      false,
 			routersAfter: 0,
 		},
 		{
 			name:         "provisioning error",
 			provisionErr: fmt.Errorf("provision failed"),
 			wantErr:      true,
 			routersAfter: 1,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			originalModules := make(map[string]ModuleInfo)
 			for k, v := range modules {
 				originalModules[k] = v
 			}
 			defer func() {
 				modules = originalModules
 			}()
 			mockRoute := AdminRoute{
 				Pattern: "/mock",
 				Handler: AdminHandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 					return nil
 				}),
 			}
 			// Create provisionable module
 			mock := &mockProvisionableModule{
 				mockProvisionableRouter: &mockProvisionableRouter{
 					mockRouter: mockRouter{
 						routes: []AdminRoute{mockRoute},
 					},
 					provisionErr: test.provisionErr,
 				},
 			}
 			RegisterModule(mock)
 			admin := &AdminConfig{}
 			addr, err := ParseNetworkAddress("localhost:2019")
 			if err != nil {
 				t.Fatalf("Failed to parse address: %v", err)
 			}
 			_ = admin.newAdminHandler(addr, false, Context{})
 			err = admin.provisionAdminRouters(Context{})
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 			} else {
 				if err != nil {
 					t.Errorf("Expected no error but got: %v", err)
 				}
 			}
 			if len(admin.routers) != test.routersAfter {
 				t.Errorf("Expected %d routers after provisioning, got %d", test.routersAfter, len(admin.routers))
 			}
 		})
 	}
 }
 func TestAllowedOriginsUnixSocket(t *testing.T) {
 	// see comment in allowedOrigins() as to why we do not fill out allowed origins for UDS
 	tests := []struct {
 		name          string
 		addr          NetworkAddress
 		origins       []string
 		expectOrigins []string
 	}{
 		{
 			name: "unix socket with default origins",
 			addr: NetworkAddress{
 				Network: "unix",
 				Host:    "/tmp/caddy.sock",
 			},
 			origins:       nil, // default origins
 			expectOrigins: []string{},
 		},
 		{
 			name: "unix socket with custom origins",
 			addr: NetworkAddress{
 				Network: "unix",
 				Host:    "/tmp/caddy.sock",
 			},
 			origins: []string{"example.com"},
 			expectOrigins: []string{
 				"example.com",
 			},
 		},
 		{
 			name: "tcp socket on localhost gets all loopback addresses",
 			addr: NetworkAddress{
 				Network:   "tcp",
 				Host:      "localhost",
 				StartPort: 2019,
 				EndPort:   2019,
 			},
 			origins: nil,
 			expectOrigins: []string{
 				"localhost:2019",
 				"[::1]:2019",
 				"127.0.0.1:2019",
 			},
 		},
 	}
 	for i, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			admin := AdminConfig{
 				Origins: test.origins,
 			}
 			got := admin.allowedOrigins(test.addr)
 			var gotOrigins []string
 			for _, u := range got {
 				gotOrigins = append(gotOrigins, u.Host)
 			}
 			if len(gotOrigins) != len(test.expectOrigins) {
 				t.Errorf("%d: Expected %d origins but got %d", i, len(test.expectOrigins), len(gotOrigins))
 				return
 			}
 			expectMap := make(map[string]struct{})
 			for _, origin := range test.expectOrigins {
 				expectMap[origin] = struct{}{}
 			}
 			gotMap := make(map[string]struct{})
 			for _, origin := range gotOrigins {
 				gotMap[origin] = struct{}{}
 			}
 			if !reflect.DeepEqual(expectMap, gotMap) {
 				t.Errorf("%d: Origins mismatch.\nExpected: %v\nGot: %v", i, test.expectOrigins, gotOrigins)
 			}
 		})
 	}
 }
 func TestReplaceRemoteAdminServer(t *testing.T) {
 	const testCert = `MIIDCTCCAfGgAwIBAgIUXsqJ1mY8pKlHQtI3HJ23x2eZPqwwDQYJKoZIhvcNAQEL
 BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDEwMTAwMDAwMFoXDTI0MDEw
 MTAwMDAwMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEA4O4S6BSoYcoxvRqI+h7yPOjF6KjntjzVVm9M+uHK4lzX
 F1L3pSxJ2nDD4wZEV3FJ5yFOHVFqkG2vXG3BIczOlYG7UeNmKbQnKc5kZj3HGUrS
 VGEktA4OJbeZhhWP15gcXN5eDM2eH3g9BFXVX6AURxLiUXzhNBUEZuj/OEyH9yEF
 /qPCE+EjzVvWxvBXwgz/io4r4yok/Vq/bxJ6FlV6R7DX5oJSXyO0VEHZPi9DIyNU
 kK3F/r4U1sWiJGWOs8i3YQWZ2ejh1C0aLFZpPcCGGgMNpoF31gyYP6ZuPDUyCXsE
 g36UUw1JHNtIXYcLhnXuqj4A8TybTDpgXLqvwA9DBQIDAQABo1MwUTAdBgNVHQ4E
 FgQUc13z30pFC63rr/HGKOE7E82vjXwwHwYDVR0jBBgwFoAUc13z30pFC63rr/HG
 KOE7E82vjXwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHO3j
 oeiUXXJ7xD4P8Wj5t9d+E8lE1Xv1Dk3Z+EdG5+dan+RcToE42JJp9zB7FIh5Qz8g
 W77LAjqh5oyqz3A2VJcyVgfE3uJP1R1mJM7JfGHf84QH4TZF2Q1RZY4SZs0VQ6+q
 5wSlIZ4NXDy4Q4XkIJBGS61wT8IzYFXYBpx4PCP1Qj0PIE4sevEGwjsBIgxK307o
 BxF8AWe6N6e4YZmQLGjQ+SeH0iwZb6vpkHyAY8Kj2hvK+cq2P7vU3VGi0t3r1F8L
 IvrXHCvO2BMNJ/1UK1M4YNX8LYJqQhg9hEsIROe1OE/m3VhxIYMJI+qZXk9yHfgJ
 vq+SH04xKhtFudVBAQ==`
 	tests := []struct {
 		name    string
 		cfg     *Config
 		wantErr bool
 	}{
 		{
 			name:    "nil config",
 			cfg:     nil,
 			wantErr: false,
 		},
 		{
 			name: "nil admin config",
 			cfg: &Config{
 				Admin: nil,
 			},
 			wantErr: false,
 		},
 		{
 			name: "nil remote config",
 			cfg: &Config{
 				Admin: &AdminConfig{},
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid listen address",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Remote: &RemoteAdmin{
 						Listen: "invalid:address",
 					},
 				},
 			},
 			wantErr: true,
 		},
 		{
 			name: "valid config",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{},
 					Remote: &RemoteAdmin{
 						Listen: "localhost:2021",
 						AccessControl: []*AdminAccess{
 							{
 								PublicKeys:  []string{testCert},
 								Permissions: []AdminPermissions{{Methods: []string{"GET"}, Paths: []string{"/test"}}},
 							},
 						},
 					},
 				},
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid certificate",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{},
 					Remote: &RemoteAdmin{
 						Listen: "localhost:2021",
 						AccessControl: []*AdminAccess{
 							{
 								PublicKeys:  []string{"invalid-cert-data"},
 								Permissions: []AdminPermissions{{Methods: []string{"GET"}, Paths: []string{"/test"}}},
 							},
 						},
 					},
 				},
 			},
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			ctx := Context{
 				Context: context.Background(),
 				cfg:     test.cfg,
 			}
 			if test.cfg != nil {
 				test.cfg.storage = &certmagic.FileStorage{Path: t.TempDir()}
 			}
 			if test.cfg != nil && test.cfg.Admin != nil && test.cfg.Admin.Identity != nil {
 				identityCertCache = certmagic.NewCache(certmagic.CacheOptions{
 					GetConfigForCert: func(certmagic.Certificate) (*certmagic.Config, error) {
 						return &certmagic.Config{}, nil
 					},
 				})
 			}
 			err := replaceRemoteAdminServer(ctx, test.cfg)
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 			} else {
 				if err != nil {
 					t.Errorf("Expected no error but got: %v", err)
 				}
 			}
 			// Clean up
 			if remoteAdminServer != nil {
 				_ = stopAdminServer(remoteAdminServer)
 			}
 		})
 	}
 }
 type mockIssuer struct {
 	configSet *certmagic.Config
 }
 func (m *mockIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
 	return &certmagic.IssuedCertificate{
 		Certificate: []byte(csr.Raw),
 	}, nil
 }
 func (m *mockIssuer) SetConfig(cfg *certmagic.Config) {
 	m.configSet = cfg
 }
 func (m *mockIssuer) IssuerKey() string {
 	return "mock"
 }
 type mockIssuerModule struct {
 	*mockIssuer
 }
 func (m *mockIssuerModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "tls.issuance.acme",
 		New: func() Module {
 			return &mockIssuerModule{mockIssuer: new(mockIssuer)}
 		},
 	}
 }
 func TestManageIdentity(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
 	for k, v := range modules {
 		originalModules[k] = v
 	}
 	defer func() {
 		modules = originalModules
 	}()
 	RegisterModule(&mockIssuerModule{})
 	certPEM := []byte(`-----BEGIN CERTIFICATE-----
 MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
 BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
 cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
 WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
 TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
 bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3lcub2pUwkjC
 5GJQA2ZZfJJi6d1QHhEmkX9VxKYGp6gagZuRqJWy9TXP6++1ZzQQxqZLD0TkuxZ9
 8i9Nz00000CCBjCCAQQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGgG
 CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
 L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
 b20vb2NzcDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/
 BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHREEEDAO
 ggxtYWlsLmdvb2dsZTANBgkqhkiG9w0BAQUFAAOCAQEAMP6IWgNGZE8wP9TjFjSZ
 3mmW3A1eIr0CuPwNZ2LJ5ZD1i70ojzcj4I9IdP5yPg9CAEV4hNASbM1LzfC7GmJE
 tPzW5tRmpKVWZGRgTgZI8Hp/xZXMwLh9ZmXV4kESFAGj5G5FNvJyUV7R5Eh+7OZX
 7G4jJ4ZGJh+5jzN9HdJJHQHGYNIYOzC7+HH9UMwCjX9vhQ4RjwFZJThS2Yb+y7pb
 9yxTJZoXC6J0H5JpnZb7kZEJ+Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END CERTIFICATE-----`)
 	keyPEM := []byte(`-----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
 ...
 -----END PRIVATE KEY-----`)
 	testStorage := certmagic.FileStorage{Path: t.TempDir()}
 	err := testStorage.Store(context.Background(), "localhost/localhost.crt", certPEM)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = testStorage.Store(context.Background(), "localhost/localhost.key", keyPEM)
 	if err != nil {
 		t.Fatal(err)
 	}
 	tests := []struct {
 		name       string
 		cfg        *Config
 		wantErr    bool
 		checkState func(*testing.T, *Config)
 	}{
 		{
 			name: "nil config",
 			cfg:  nil,
 		},
 		{
 			name: "nil admin config",
 			cfg: &Config{
 				Admin: nil,
 			},
 		},
 		{
 			name: "nil identity config",
 			cfg: &Config{
 				Admin: &AdminConfig{},
 			},
 		},
 		{
 			name: "default issuer when none specified",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 					},
 				},
 				storage: &testStorage,
 			},
 			checkState: func(t *testing.T, cfg *Config) {
 				if len(cfg.Admin.Identity.issuers) == 0 {
 					t.Error("Expected at least 1 issuer to be configured")
 					return
 				}
 				if _, ok := cfg.Admin.Identity.issuers[0].(*mockIssuerModule); !ok {
 					t.Error("Expected mock issuer to be configured")
 				}
 			},
 		},
 		{
 			name: "custom issuer",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 						IssuersRaw: []json.RawMessage{
 							json.RawMessage(`{"module": "acme"}`),
 						},
 					},
 				},
 				storage: &certmagic.FileStorage{Path: "testdata"},
 			},
 			checkState: func(t *testing.T, cfg *Config) {
 				if len(cfg.Admin.Identity.issuers) != 1 {
 					t.Fatalf("Expected 1 issuer, got %d", len(cfg.Admin.Identity.issuers))
 				}
 				mockIss, ok := cfg.Admin.Identity.issuers[0].(*mockIssuerModule)
 				if !ok {
 					t.Fatal("Expected mock issuer")
 				}
 				if mockIss.configSet == nil {
 					t.Error("Issuer config was not set")
 				}
 			},
 		},
 		{
 			name: "invalid issuer module",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 						IssuersRaw: []json.RawMessage{
 							json.RawMessage(`{"module": "doesnt_exist"}`),
 						},
 					},
 				},
 			},
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			if identityCertCache != nil {
 				// Reset the cert cache before each test
 				identityCertCache.Stop()
 				identityCertCache = nil
 			}
 			ctx := Context{
 				Context:         context.Background(),
 				cfg:             test.cfg,
 				moduleInstances: make(map[string][]Module),
 			}
 			err := manageIdentity(ctx, test.cfg)
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 				return
 			}
 			if err != nil {
 				t.Fatalf("Expected no error but got: %v", err)
 			}
 			if test.checkState != nil {
 				test.checkState(t, test.cfg)
 			}
 		})
 	}
 }
--- a/caddy.go
+++ b/caddy.go
@ -81,13 +81,14 @@ type Config struct {
 	// associated value.
 	AppsRaw ModuleMap `json:"apps,omitempty" caddy:"namespace="`
-	apps    map[string]App
+	apps         map[string]App
-	storage certmagic.Storage
+	storage      certmagic.Storage
 	eventEmitter eventEmitter
 	cancelFunc context.CancelFunc
-	// filesystems is a dict of filesystems that will later be loaded from and added to.
+	// fileSystems is a dict of fileSystems that will later be loaded from and added to.
-	filesystems FileSystems
+	fileSystems FileSystems
 }
 // App is a thing that Caddy runs.
@ -442,6 +443,10 @@ func run(newCfg *Config, start bool) (Context, error) {
 	}
 	globalMetrics.configSuccess.Set(1)
 	globalMetrics.configSuccessTime.SetToCurrentTime()
 	// TODO: This event is experimental and subject to change.
 	ctx.emitEvent("started", nil)
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
 	return ctx, finishSettingUp(ctx, ctx.cfg)
@ -509,7 +514,7 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	}
 	// create the new filesystem map
-	newCfg.filesystems = &filesystems.FilesystemMap{}
+	newCfg.fileSystems = &filesystems.FileSystemMap{}
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
@ -696,6 +701,9 @@ func unsyncedStop(ctx Context) {
 		return
 	}
 	// TODO: This event is experimental and subject to change.
 	ctx.emitEvent("stopping", nil)
 	// stop each app
 	for name, a := range ctx.cfg.apps {
 		err := a.Stop()
@ -1038,6 +1046,92 @@ func Version() (simple, full string) {
 	return
 }
 // Event represents something that has happened or is happening.
 // An Event value is not synchronized, so it should be copied if
 // being used in goroutines.
 //
 // EXPERIMENTAL: Events are subject to change.
 type Event struct {
 	// If non-nil, the event has been aborted, meaning
 	// propagation has stopped to other handlers and
 	// the code should stop what it was doing. Emitters
 	// may choose to use this as a signal to adjust their
 	// code path appropriately.
 	Aborted error
 	// The data associated with the event. Usually the
 	// original emitter will be the only one to set or
 	// change these values, but the field is exported
 	// so handlers can have full access if needed.
 	// However, this map is not synchronized, so
 	// handlers must not use this map directly in new
 	// goroutines; instead, copy the map to use it in a
 	// goroutine. Data may be nil.
 	Data map[string]any
 	id     uuid.UUID
 	ts     time.Time
 	name   string
 	origin Module
 }
 // NewEvent creates a new event, but does not emit the event. To emit an
 // event, call Emit() on the current instance of the caddyevents app insteaad.
 //
 // EXPERIMENTAL: Subject to change.
 func NewEvent(ctx Context, name string, data map[string]any) (Event, error) {
 	id, err := uuid.NewRandom()
 	if err != nil {
 		return Event{}, fmt.Errorf("generating new event ID: %v", err)
 	}
 	name = strings.ToLower(name)
 	return Event{
 		Data:   data,
 		id:     id,
 		ts:     time.Now(),
 		name:   name,
 		origin: ctx.Module(),
 	}, nil
 }
 func (e Event) ID() uuid.UUID        { return e.id }
 func (e Event) Timestamp() time.Time { return e.ts }
 func (e Event) Name() string         { return e.name }
 func (e Event) Origin() Module       { return e.origin } // Returns the module that originated the event. May be nil, usually if caddy core emits the event.
 // CloudEvent exports event e as a structure that, when
 // serialized as JSON, is compatible with the
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
 	return CloudEvent{
 		ID:              e.id.String(),
 		Source:          e.origin.CaddyModule().String(),
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,
 		DataContentType: "application/json",
 		Data:            dataJSON,
 	}
 }
 // CloudEvent is a JSON-serializable structure that
 // is compatible with the CloudEvents specification.
 // See https://cloudevents.io.
 // EXPERIMENTAL: Subject to change.
 type CloudEvent struct {
 	ID              string          `json:"id"`
 	Source          string          `json:"source"`
 	SpecVersion     string          `json:"specversion"`
 	Type            string          `json:"type"`
 	Time            time.Time       `json:"time"`
 	DataContentType string          `json:"datacontenttype,omitempty"`
 	Data            json.RawMessage `json:"data,omitempty"`
 }
 // ErrEventAborted cancels an event.
 var ErrEventAborted = errors.New("event aborted")
 // ActiveContext returns the currently-active context.
 // This function is experimental and might be changed
 // or removed in the future.
--- a/caddyconfig/caddyfile/formatter.go
+++ b/caddyconfig/caddyfile/formatter.go
@ -61,7 +61,8 @@ func Format(input []byte) []byte {
 		heredocMarker        []rune
 		heredocClosingMarker []rune
-		nesting int // indentation level
+		nesting         int // indentation level
 		withinBackquote bool
 	)
 	write := func(ch rune) {
@ -88,6 +89,9 @@ func Format(input []byte) []byte {
 			}
 			panic(err)
 		}
 		if ch == '`' {
 			withinBackquote = !withinBackquote
 		}
 		// detect whether we have the start of a heredoc
 		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
@ -236,14 +240,23 @@ func Format(input []byte) []byte {
 		switch {
 		case ch == '{':
 			openBrace = true
 			openBraceWritten = false
 			openBraceSpace = spacePrior && !beginningOfLine
 			if openBraceSpace {
 				write(' ')
 			}
 			openBraceWritten = false
 			if withinBackquote {
 				write('{')
 				openBraceWritten = true
 				continue
 			}
 			continue
 		case ch == '}' && (spacePrior || !openBrace):
 			if withinBackquote {
 				write('}')
 				continue
 			}
 			if last != '\n' {
 				nextLine()
 			}
--- a/caddyconfig/caddyfile/formatter_test.go
+++ b/caddyconfig/caddyfile/formatter_test.go
@ -434,6 +434,16 @@ block2 {
 }
 `,
 		},
 		{
 			description: "Preserve braces wrapped by backquotes",
 			input:       "block {respond `All braces should remain: {{now | date \"2006\"}}`}",
 			expect:      "block {respond `All braces should remain: {{now | date \"2006\"}}`}",
 		},
 		{
 			description: "Preserve braces wrapped by quotes",
 			input:       "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 			expect:      "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 		},
 	} {
 		// the formatter should output a trailing newline,
 		// even if the tests aren't written to expect that
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@ -99,7 +99,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    ca                            <acme_ca_endpoint>
 //	    ca_root                       <pem_file>
 //	    key_type                      [ed25519|p256|p384|rsa2048|rsa4096]
-//	    dns                           <provider_name> [...]
+//	    dns                           [<provider_name> [...]]    (required, though, if DNS is not configured as global option)
 //	    propagation_delay             <duration>
 //	    propagation_timeout           <duration>
 //	    resolvers                     <dns_servers...>
@ -312,10 +312,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			certManagers = append(certManagers, certManager)
 		case "dns":
 			if !h.NextArg() {
 				return nil, h.ArgErr()
 			}
 			provName := h.Val()
 			if acmeIssuer == nil {
 				acmeIssuer = new(caddytls.ACMEIssuer)
 			}
@ -325,12 +321,19 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
-			modID := "dns.providers." + provName
+			// DNS provider configuration optional, since it may be configured globally via the TLS app with global options
-			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
+			if h.NextArg() {
-			if err != nil {
+				provName := h.Val()
-				return nil, err
+				modID := "dns.providers." + provName
 				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 				if err != nil {
 					return nil, err
 				}
 				acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings)
 			} else if h.Option("dns") == nil {
 				// if DNS is omitted locally, it needs to be configured globally
 				return nil, h.ArgErr()
 			}
 			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings)
 		case "resolvers":
 			args := h.RemainingArgs()
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@ -191,7 +191,7 @@ func (st ServerType) Setup(
 	metrics, _ := options["metrics"].(*caddyhttp.Metrics)
 	for _, s := range servers {
 		if s.Metrics != nil {
-			metrics = cmp.Or[*caddyhttp.Metrics](metrics, &caddyhttp.Metrics{})
+			metrics = cmp.Or(metrics, &caddyhttp.Metrics{})
 			metrics = &caddyhttp.Metrics{
 				PerHost: metrics.PerHost || s.Metrics.PerHost,
 			}
@ -350,7 +350,7 @@ func (st ServerType) Setup(
 				// avoid duplicates by sorting + compacting
 				sort.Strings(defaultLog.Exclude)
-				defaultLog.Exclude = slices.Compact[[]string, string](defaultLog.Exclude)
+				defaultLog.Exclude = slices.Compact(defaultLog.Exclude)
 			}
 		}
 		// we may have not actually added anything, so remove if empty
@ -1121,6 +1121,12 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 					return nil, fmt.Errorf("two policies with same match criteria have conflicting default SNI: %s vs. %s",
 						cps[i].DefaultSNI, cps[j].DefaultSNI)
 				}
 				if cps[i].FallbackSNI != "" &&
 					cps[j].FallbackSNI != "" &&
 					cps[i].FallbackSNI != cps[j].FallbackSNI {
 					return nil, fmt.Errorf("two policies with same match criteria have conflicting fallback SNI: %s vs. %s",
 						cps[i].FallbackSNI, cps[j].FallbackSNI)
 				}
 				if cps[i].ProtocolMin != "" &&
 					cps[j].ProtocolMin != "" &&
 					cps[i].ProtocolMin != cps[j].ProtocolMin {
@ -1161,6 +1167,9 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 				if cps[i].DefaultSNI == "" && cps[j].DefaultSNI != "" {
 					cps[i].DefaultSNI = cps[j].DefaultSNI
 				}
 				if cps[i].FallbackSNI == "" && cps[j].FallbackSNI != "" {
 					cps[i].FallbackSNI = cps[j].FallbackSNI
 				}
 				if cps[i].ProtocolMin == "" && cps[j].ProtocolMin != "" {
 					cps[i].ProtocolMin = cps[j].ProtocolMin
 				}
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@ -19,6 +19,7 @@ import (
 	"strconv"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
 	"github.com/mholt/acmez/v3/acme"
 	"github.com/caddyserver/caddy/v2"
@ -45,7 +46,7 @@ func init() {
 	RegisterGlobalOption("ocsp_interval", parseOptDuration)
 	RegisterGlobalOption("acme_ca", parseOptSingleString)
 	RegisterGlobalOption("acme_ca_root", parseOptSingleString)
-	RegisterGlobalOption("acme_dns", parseOptACMEDNS)
+	RegisterGlobalOption("acme_dns", parseOptDNS)
 	RegisterGlobalOption("acme_eab", parseOptACMEEAB)
 	RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
 	RegisterGlobalOption("skip_install_trust", parseOptTrue)
@ -62,6 +63,8 @@ func init() {
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
 	RegisterGlobalOption("dns", parseOptDNS)
 	RegisterGlobalOption("ech", parseOptECH)
 }
 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
@ -238,25 +241,6 @@ func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
 	return caddy.Duration(dur), nil
 }
 func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	if !d.Next() { // consume option name
 		return nil, d.ArgErr()
 	}
 	if !d.Next() { // get DNS module name
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()
 	unm, err := caddyfile.UnmarshalModule(d, modID)
 	if err != nil {
 		return nil, err
 	}
 	prov, ok := unm.(certmagic.DNSProvider)
 	if !ok {
 		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
 	}
 	return prov, nil
 }
 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
 	d.Next() // consume option name
@ -570,3 +554,68 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next()
 	return caddytls.ParseCaddyfilePreferredChainsOptions(d)
 }
 func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	if !d.Next() { // get DNS module name
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()
 	unm, err := caddyfile.UnmarshalModule(d, modID)
 	if err != nil {
 		return nil, err
 	}
 	switch unm.(type) {
 	case libdns.RecordGetter,
 		libdns.RecordSetter,
 		libdns.RecordAppender,
 		libdns.RecordDeleter:
 	default:
 		return nil, d.Errf("module %s (%T) is not a libdns provider", modID, unm)
 	}
 	return unm, nil
 }
 func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	ech := new(caddytls.ECH)
 	publicNames := d.RemainingArgs()
 	for _, publicName := range publicNames {
 		ech.Configs = append(ech.Configs, caddytls.ECHConfiguration{
 			PublicName: publicName,
 		})
 	}
 	if len(ech.Configs) == 0 {
 		return nil, d.ArgErr()
 	}
 	for nesting := d.Nesting(); d.NextBlock(nesting); {
 		switch d.Val() {
 		case "dns":
 			if !d.Next() {
 				return nil, d.ArgErr()
 			}
 			providerName := d.Val()
 			modID := "dns.providers." + providerName
 			unm, err := caddyfile.UnmarshalModule(d, modID)
 			if err != nil {
 				return nil, err
 			}
 			ech.Publication = append(ech.Publication, &caddytls.ECHPublication{
 				Configs: publicNames,
 				PublishersRaw: caddy.ModuleMap{
 					"dns": caddyconfig.JSON(caddytls.ECHDNSPublisher{
 						ProviderRaw: caddyconfig.JSONModuleObject(unm, "name", providerName, nil),
 					}, nil),
 				},
 			})
 		default:
 			return nil, d.Errf("ech: unrecognized subdirective '%s'", d.Val())
 		}
 	}
 	return ech, nil
 }
--- a/caddyconfig/httpcaddyfile/serveroptions.go
+++ b/caddyconfig/httpcaddyfile/serveroptions.go
@ -246,6 +246,8 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				switch d.Val() {
 				case "per_host":
 					serverOpts.Metrics.PerHost = true
 				default:
 					return nil, d.Errf("unrecognized metrics option '%s'", d.Val())
 				}
 			}
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -340,7 +340,7 @@ func (st ServerType) buildTLSApp(
 					combined = reflect.New(reflect.TypeOf(cl)).Elem()
 				}
 				clVal := reflect.ValueOf(cl)
-				for i := 0; i < clVal.Len(); i++ {
+				for i := range clVal.Len() {
 					combined = reflect.Append(combined, clVal.Index(i))
 				}
 				loadersByName[name] = combined.Interface().(caddytls.CertificateLoader)
@ -359,6 +359,30 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.OnDemand = onDemand
 	}
 	// set up "global" (to the TLS app) DNS provider config
 	if globalDNS, ok := options["dns"]; ok && globalDNS != nil {
 		tlsApp.DNSRaw = caddyconfig.JSONModuleObject(globalDNS, "name", globalDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
 	}
 	// set up ECH from Caddyfile options
 	if ech, ok := options["ech"].(*caddytls.ECH); ok {
 		tlsApp.EncryptedClientHello = ech
 		// outer server names will need certificates, so make sure they're included
 		// in an automation policy for them that applies any global options
 		ap, err := newBaseAutomationPolicy(options, warnings, true)
 		if err != nil {
 			return nil, warnings, err
 		}
 		for _, cfg := range ech.Configs {
 			ap.SubjectsRaw = append(ap.SubjectsRaw, cfg.PublicName)
 		}
 		if tlsApp.Automation == nil {
 			tlsApp.Automation = new(caddytls.AutomationConfig)
 		}
 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, ap)
 	}
 	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
 	if sc, ok := options["storage_check"].(string); ok && sc == "off" {
 		tlsApp.DisableStorageCheck = true
@ -445,7 +469,7 @@ func (st ServerType) buildTLSApp(
 		globalPreferredChains := options["preferred_chains"]
 		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
 		if hasGlobalACMEDefaults {
-			for i := 0; i < len(tlsApp.Automation.Policies); i++ {
+			for i := range tlsApp.Automation.Policies {
 				ap := tlsApp.Automation.Policies[i]
 				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
 					// for public names, create default issuers which will later be filled in with configured global defaults
@ -553,7 +577,8 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
 	}
-	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
+	// only configure alt HTTP and TLS-ALPN ports if the DNS challenge is not enabled (wouldn't hurt, but isn't necessary since the DNS challenge is exclusive of others)
 	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 		}
@ -562,7 +587,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		}
 		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int)
 	}
-	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
+	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 		}
--- a/caddytest/caddytest.go
+++ b/caddytest/caddytest.go
@ -31,8 +31,8 @@ import (
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
 )
-// Defaults store any configuration required to make the tests run
+// Config store any configuration required to make the tests run
-type Defaults struct {
+type Config struct {
 	// Port we expect caddy to listening on
 	AdminPort int
 	// Certificates we expect to be loaded before attempting to run the tests
@ -44,7 +44,7 @@ type Defaults struct {
 }
 // Default testing values
-var Default = Defaults{
+var Default = Config{
 	AdminPort:          2999, // different from what a real server also running on a developer's machine might be
 	Certificates:       []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
 	TestRequestTimeout: 5 * time.Second,
@ -61,6 +61,7 @@ type Tester struct {
 	Client       *http.Client
 	configLoaded bool
 	t            testing.TB
 	config       Config
 }
 // NewTester will create a new testing client with an attached cookie jar
@ -78,9 +79,29 @@ func NewTester(t testing.TB) *Tester {
 		},
 		configLoaded: false,
 		t:            t,
 		config:       Default,
 	}
 }
 // WithDefaultOverrides this will override the default test configuration with the provided values.
 func (tc *Tester) WithDefaultOverrides(overrides Config) *Tester {
 	if overrides.AdminPort != 0 {
 		tc.config.AdminPort = overrides.AdminPort
 	}
 	if len(overrides.Certificates) > 0 {
 		tc.config.Certificates = overrides.Certificates
 	}
 	if overrides.TestRequestTimeout != 0 {
 		tc.config.TestRequestTimeout = overrides.TestRequestTimeout
 		tc.Client.Timeout = overrides.TestRequestTimeout
 	}
 	if overrides.LoadRequestTimeout != 0 {
 		tc.config.LoadRequestTimeout = overrides.LoadRequestTimeout
 	}
 	return tc
 }
 type configLoadError struct {
 	Response string
 }
@ -113,7 +134,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 		return nil
 	}
-	err := validateTestPrerequisites(tc.t)
+	err := validateTestPrerequisites(tc)
 	if err != nil {
 		tc.t.Skipf("skipping tests as failed integration prerequisites. %s", err)
 		return nil
@ -121,7 +142,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	tc.t.Cleanup(func() {
 		if tc.t.Failed() && tc.configLoaded {
-			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
+			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
 			if err != nil {
 				tc.t.Log("unable to read the current config")
 				return
@ -151,10 +172,10 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 		tc.t.Logf("After: %s", rawConfig)
 	}
 	client := &http.Client{
-		Timeout: Default.LoadRequestTimeout,
+		Timeout: tc.config.LoadRequestTimeout,
 	}
 	start := time.Now()
-	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", Default.AdminPort), strings.NewReader(rawConfig))
+	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", tc.config.AdminPort), strings.NewReader(rawConfig))
 	if err != nil {
 		tc.t.Errorf("failed to create request. %s", err)
 		return err
@ -205,11 +226,11 @@ func (tc *Tester) ensureConfigRunning(rawConfig string, configType string) error
 	}
 	client := &http.Client{
-		Timeout: Default.LoadRequestTimeout,
+		Timeout: tc.config.LoadRequestTimeout,
 	}
 	fetchConfig := func(client *http.Client) any {
-		resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
+		resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
 		if err != nil {
 			return nil
 		}
@ -237,30 +258,30 @@ func (tc *Tester) ensureConfigRunning(rawConfig string, configType string) error
 }
 const initConfig = `{
-	admin localhost:2999
+	admin localhost:%d
 }
 `
 // validateTestPrerequisites ensures the certificates are available in the
 // designated path and Caddy sub-process is running.
-func validateTestPrerequisites(t testing.TB) error {
+func validateTestPrerequisites(tc *Tester) error {
 	// check certificates are found
-	for _, certName := range Default.Certificates {
+	for _, certName := range tc.config.Certificates {
 		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}
 	}
-	if isCaddyAdminRunning() != nil {
+	if isCaddyAdminRunning(tc) != nil {
 		// setup the init config file, and set the cleanup afterwards
 		f, err := os.CreateTemp("", "")
 		if err != nil {
 			return err
 		}
-		t.Cleanup(func() {
+		tc.t.Cleanup(func() {
 			os.Remove(f.Name())
 		})
-		if _, err := f.WriteString(initConfig); err != nil {
+		if _, err := f.WriteString(fmt.Sprintf(initConfig, tc.config.AdminPort)); err != nil {
 			return err
 		}
@ -271,23 +292,23 @@ func validateTestPrerequisites(t testing.TB) error {
 		}()
 		// wait for caddy to start serving the initial config
-		for retries := 10; retries > 0 && isCaddyAdminRunning() != nil; retries-- {
+		for retries := 10; retries > 0 && isCaddyAdminRunning(tc) != nil; retries-- {
 			time.Sleep(1 * time.Second)
 		}
 	}
 	// one more time to return the error
-	return isCaddyAdminRunning()
+	return isCaddyAdminRunning(tc)
 }
-func isCaddyAdminRunning() error {
+func isCaddyAdminRunning(tc *Tester) error {
 	// assert that caddy is running
 	client := &http.Client{
-		Timeout: Default.LoadRequestTimeout,
+		Timeout: tc.config.LoadRequestTimeout,
 	}
-	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
+	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
 	if err != nil {
-		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", Default.AdminPort)
+		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", tc.config.AdminPort)
 	}
 	resp.Body.Close()
--- a/caddytest/integration/caddyfile_adapt/header.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/header.caddyfiletest
@ -12,10 +12,14 @@
 	@images path /images/*
 	header @images {
 		Cache-Control "public, max-age=3600, stale-while-revalidate=86400"
 		match {
 			status 200
 		}
 	}
 	header {
 		+Link "Foo"
 		+Link "Bar"
 		match status 200
 	}
 	header >Set Defer
 	header >Replace Deferred Replacement
@ -42,6 +46,11 @@
 								{
 									"handler": "headers",
 									"response": {
 										"require": {
 											"status_code": [
 												200
 											]
 										},
 										"set": {
 											"Cache-Control": [
 												"public, max-age=3600, stale-while-revalidate=86400"
@ -136,6 +145,11 @@
 												"Foo",
 												"Bar"
 											]
 										},
 										"require": {
 											"status_code": [
 												200
 											]
 										}
 									}
 								},
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_forward_proxy_url.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_forward_proxy_url.txt
@ -0,0 +1,41 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		forward_proxy_url http://localhost:8080
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "url",
 											"url": "http://localhost:8080"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_none_proxy.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_none_proxy.txt
@ -0,0 +1,40 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		network_proxy none
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "none"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_url_proxy.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_url_proxy.txt
@ -0,0 +1,41 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		network_proxy url http://localhost:8080
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "url",
 											"url": "http://localhost:8080"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/cmd/commandfuncs.go
+++ b/cmd/commandfuncs.go
@ -171,6 +171,10 @@ func cmdStart(fl Flags) (int, error) {
 func cmdRun(fl Flags) (int, error) {
 	caddy.TrapSignals()
 	logger := caddy.Log()
 	undoMaxProcs := setResourceLimits(logger)
 	defer undoMaxProcs()
 	configFlag := fl.String("config")
 	configAdapterFlag := fl.String("adapter")
 	resumeFlag := fl.Bool("resume")
@ -196,18 +200,18 @@ func cmdRun(fl Flags) (int, error) {
 		config, err = os.ReadFile(caddy.ConfigAutosavePath)
 		if errors.Is(err, fs.ErrNotExist) {
 			// not a bad error; just can't resume if autosave file doesn't exist
-			caddy.Log().Info("no autosave file exists", zap.String("autosave_file", caddy.ConfigAutosavePath))
+			logger.Info("no autosave file exists", zap.String("autosave_file", caddy.ConfigAutosavePath))
 			resumeFlag = false
 		} else if err != nil {
 			return caddy.ExitCodeFailedStartup, err
 		} else {
 			if configFlag == "" {
-				caddy.Log().Info("resuming from last configuration",
+				logger.Info("resuming from last configuration",
 					zap.String("autosave_file", caddy.ConfigAutosavePath))
 			} else {
 				// if they also specified a config file, user should be aware that we're not
 				// using it (doing so could lead to data/config loss by overwriting!)
-				caddy.Log().Warn("--config and --resume flags were used together; ignoring --config and resuming from last configuration",
+				logger.Warn("--config and --resume flags were used together; ignoring --config and resuming from last configuration",
 					zap.String("autosave_file", caddy.ConfigAutosavePath))
 			}
 		}
@ -225,7 +229,7 @@ func cmdRun(fl Flags) (int, error) {
 	if pidfileFlag != "" {
 		err := caddy.PIDFile(pidfileFlag)
 		if err != nil {
-			caddy.Log().Error("unable to write PID file",
+			logger.Error("unable to write PID file",
 				zap.String("pidfile", pidfileFlag),
 				zap.Error(err))
 		}
@ -236,7 +240,7 @@ func cmdRun(fl Flags) (int, error) {
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, fmt.Errorf("loading initial config: %v", err)
 	}
-	caddy.Log().Info("serving initial configuration")
+	logger.Info("serving initial configuration")
 	// if we are to report to another process the successful start
 	// of the server, do so now by echoing back contents of stdin
@ -272,15 +276,15 @@ func cmdRun(fl Flags) (int, error) {
 	switch runtime.GOOS {
 	case "windows":
 		if os.Getenv("HOME") == "" && os.Getenv("USERPROFILE") == "" && !hasXDG {
-			caddy.Log().Warn("neither HOME nor USERPROFILE environment variables are set - please fix; some assets might be stored in ./caddy")
+			logger.Warn("neither HOME nor USERPROFILE environment variables are set - please fix; some assets might be stored in ./caddy")
 		}
 	case "plan9":
 		if os.Getenv("home") == "" && !hasXDG {
-			caddy.Log().Warn("$home environment variable is empty - please fix; some assets might be stored in ./caddy")
+			logger.Warn("$home environment variable is empty - please fix; some assets might be stored in ./caddy")
 		}
 	default:
 		if os.Getenv("HOME") == "" && !hasXDG {
-			caddy.Log().Warn("$HOME environment variable is empty - please fix; some assets might be stored in ./caddy")
+			logger.Warn("$HOME environment variable is empty - please fix; some assets might be stored in ./caddy")
 		}
 	}
--- a/cmd/main.go
+++ b/cmd/main.go
@ -24,6 +24,7 @@ import (
 	"io"
 	"io/fs"
 	"log"
 	"log/slog"
 	"net"
 	"os"
 	"path/filepath"
@ -33,10 +34,12 @@ import (
 	"strings"
 	"time"
 	"github.com/KimMachineGun/automemlimit/memlimit"
 	"github.com/caddyserver/certmagic"
 	"github.com/spf13/pflag"
 	"go.uber.org/automaxprocs/maxprocs"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@ -66,12 +69,6 @@ func Main() {
 		os.Exit(caddy.ExitCodeFailedStartup)
 	}
 	undo, err := maxprocs.Set()
 	defer undo()
 	if err != nil {
 		caddy.Log().Warn("failed to set GOMAXPROCS", zap.Error(err))
 	}
 	if err := defaultFactory.Build().Execute(); err != nil {
 		var exitError *exitError
 		if errors.As(err, &exitError) {
@ -467,6 +464,31 @@ func printEnvironment() {
 	}
 }
 func setResourceLimits(logger *zap.Logger) func() {
 	// Configure the maximum number of CPUs to use to match the Linux container quota (if any)
 	// See https://pkg.go.dev/runtime#GOMAXPROCS
 	undo, err := maxprocs.Set(maxprocs.Logger(logger.Sugar().Infof))
 	if err != nil {
 		logger.Warn("failed to set GOMAXPROCS", zap.Error(err))
 	}
 	// Configure the maximum memory to use to match the Linux container quota (if any) or system memory
 	// See https://pkg.go.dev/runtime/debug#SetMemoryLimit
 	_, _ = memlimit.SetGoMemLimitWithOpts(
 		memlimit.WithLogger(
 			slog.New(zapslog.NewHandler(logger.Core())),
 		),
 		memlimit.WithProvider(
 			memlimit.ApplyFallback(
 				memlimit.FromCgroup,
 				memlimit.FromSystem,
 			),
 		),
 	)
 	return undo
 }
 // StringSlice is a flag.Value that enables repeated use of a string flag.
 type StringSlice []string
--- a/context.go
+++ b/context.go
@ -91,14 +91,14 @@ func (ctx *Context) OnCancel(f func()) {
 	ctx.cleanupFuncs = append(ctx.cleanupFuncs, f)
 }
-// Filesystems returns a ref to the FilesystemMap.
+// FileSystems returns a ref to the FilesystemMap.
 // EXPERIMENTAL: This API is subject to change.
-func (ctx *Context) Filesystems() FileSystems {
+func (ctx *Context) FileSystems() FileSystems {
 	// if no config is loaded, we use a default filesystemmap, which includes the osfs
 	if ctx.cfg == nil {
-		return &filesystems.FilesystemMap{}
+		return &filesystems.FileSystemMap{}
 	}
-	return ctx.cfg.filesystems
+	return ctx.cfg.fileSystems
 }
 // Returns the active metrics registry for the context
@ -277,6 +277,14 @@ func (ctx Context) LoadModule(structPointer any, fieldName string) (any, error)
 	return result, nil
 }
 // emitEvent is a small convenience method so the caddy core can emit events, if the event app is configured.
 func (ctx Context) emitEvent(name string, data map[string]any) Event {
 	if ctx.cfg == nil || ctx.cfg.eventEmitter == nil {
 		return Event{}
 	}
 	return ctx.cfg.eventEmitter.Emit(ctx, name, data)
 }
 // loadModulesFromSomeMap loads modules from val, which must be a type of map[string]any.
 // Depending on inlineModuleKey, it will be interpreted as either a ModuleMap (key is the module
 // name) or as a regular map (key is not the module name, and module name is defined inline).
@ -385,6 +393,17 @@ func (ctx Context) LoadModuleByID(id string, rawMsg json.RawMessage) (any, error
 		return nil, fmt.Errorf("module value cannot be null")
 	}
 	// if this is an app module, keep a reference to it,
 	// since submodules may need to reference it during
 	// provisioning (even though the parent app module
 	// may not be fully provisioned yet; this is the case
 	// with the tls app's automation policies, which may
 	// refer to the tls app to check if a global DNS
 	// module has been configured for DNS challenges)
 	if appModule, ok := val.(App); ok {
 		ctx.cfg.apps[id] = appModule
 	}
 	ctx.ancestry = append(ctx.ancestry, val)
 	if prov, ok := val.(Provisioner); ok {
@ -418,6 +437,14 @@ func (ctx Context) LoadModuleByID(id string, rawMsg json.RawMessage) (any, error
 	ctx.moduleInstances[id] = append(ctx.moduleInstances[id], val)
 	// if the loaded module happens to be an app that can emit events, store it so the
 	// core can have access to emit events without an import cycle
 	if ee, ok := val.(eventEmitter); ok {
 		if _, ok := ee.(App); ok {
 			ctx.cfg.eventEmitter = ee
 		}
 	}
 	return val, nil
 }
@ -471,7 +498,6 @@ func (ctx Context) App(name string) (any, error) {
 	if appRaw != nil {
 		ctx.cfg.AppsRaw[name] = nil // allow GC to deallocate
 	}
 	ctx.cfg.apps[name] = modVal.(App)
 	return modVal, nil
 }
@ -590,3 +616,11 @@ func (ctx *Context) WithValue(key, value any) Context {
 		exitFuncs:       ctx.exitFuncs,
 	}
 }
 // eventEmitter is a small interface that inverts dependencies for
 // the caddyevents package, so the core can emit events without an
 // import cycle (i.e. the caddy package doesn't have to import
 // the caddyevents package, which imports the caddy package).
 type eventEmitter interface {
 	Emit(ctx Context, eventName string, data map[string]any) Event
 }
--- a/go.mod
+++ b/go.mod
@ -1,31 +1,31 @@
 module github.com/caddyserver/caddy/v2
-go 1.22.3
+go 1.24
 toolchain go1.23.0
 require (
 	github.com/BurntSushi/toml v1.4.0
 	github.com/KimMachineGun/automemlimit v0.7.1
 	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/alecthomas/chroma/v2 v2.14.0
+	github.com/alecthomas/chroma/v2 v2.15.0
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
-	github.com/caddyserver/certmagic v0.21.5
+	github.com/caddyserver/certmagic v0.23.0
 	github.com/caddyserver/zerossl v0.1.3
 	github.com/cloudflare/circl v1.6.0
 	github.com/dustin/go-humanize v1.0.1
-	github.com/go-chi/chi/v5 v5.0.12
+	github.com/go-chi/chi/v5 v5.2.1
-	github.com/google/cel-go v0.21.0
+	github.com/google/cel-go v0.24.1
 	github.com/google/uuid v1.6.0
-	github.com/klauspost/compress v1.17.11
+	github.com/klauspost/compress v1.18.0
-	github.com/klauspost/cpuid/v2 v2.2.9
+	github.com/klauspost/cpuid/v2 v2.2.10
-	github.com/mholt/acmez/v3 v3.0.0
+	github.com/mholt/acmez/v3 v3.1.2
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.48.2
+	github.com/quic-go/quic-go v0.50.1
 	github.com/smallstep/certificates v0.26.1
 	github.com/smallstep/nosql v0.6.1
 	github.com/smallstep/truststore v0.13.0
-	github.com/spf13/cobra v1.8.1
+	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53
 	github.com/yuin/goldmark v1.7.8
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
@ -37,32 +37,33 @@ require (
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/zap v1.27.0
 	go.uber.org/zap/exp v0.3.0
-	golang.org/x/crypto v0.31.0
+	golang.org/x/crypto v0.36.0
-	golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9
+	golang.org/x/crypto/x509roots/fallback v0.0.0-20250305170421-49bf5b80c810
-	golang.org/x/net v0.33.0
+	golang.org/x/net v0.37.0
-	golang.org/x/sync v0.10.0
+	golang.org/x/sync v0.12.0
-	golang.org/x/term v0.27.0
+	golang.org/x/term v0.30.0
-	golang.org/x/time v0.7.0
+	golang.org/x/time v0.11.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 )
 require (
 	cel.dev/expr v0.19.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/golang/glog v1.2.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 // indirect
@ -74,7 +75,7 @@ require (
 	go.opentelemetry.io/contrib/propagators/b3 v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/ot v1.17.0 // indirect
-	go.uber.org/mock v0.4.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
@ -90,12 +91,12 @@ require (
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/dgraph-io/badger v1.6.2 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
-	github.com/dgraph-io/ristretto v0.1.0 // indirect
+	github.com/dgraph-io/ristretto v0.2.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
-	github.com/dlclark/regexp2 v1.11.0 // indirect
+	github.com/dlclark/regexp2 v1.11.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-kit/kit v0.13.0 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
@ -115,18 +116,18 @@ require (
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/pgtype v1.14.0 // indirect
 	github.com/jackc/pgx/v4 v4.18.3 // indirect
-	github.com/libdns/libdns v0.2.2
+	github.com/libdns/libdns v1.0.0-beta.1
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/miekg/dns v1.1.63 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/client_model v0.5.0
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
@ -147,10 +148,10 @@ require (
 	go.step.sm/crypto v0.45.0
 	go.step.sm/linkedca v0.20.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sys v0.28.0
+	golang.org/x/sys v0.31.0
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	howett.net/plist v1.0.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -1,3 +1,5 @@
 cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
 cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.31.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@ -31,6 +33,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/KimMachineGun/automemlimit v0.7.1 h1:QcG/0iCOLChjfUweIMC3YL5Xy9C3VBeNmCZHrZfJMBw=
 github.com/KimMachineGun/automemlimit v0.7.1/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
@ -42,11 +46,11 @@ github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2y
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/alecthomas/assert/v2 v2.7.0 h1:QtqSACNS3tF7oasA8CU6A6sXZSBDqnm7RfpLl9bZqbE=
+github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
-github.com/alecthomas/assert/v2 v2.7.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
+github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.14.0 h1:R3+wzpnUArGcQz7fCETQBzO5n9IMNi13iIs46aU4V9E=
+github.com/alecthomas/chroma/v2 v2.15.0 h1:LxXTQHFoYrstG2nnV9y2X5O94sOBzf0CIUpSTbpxvMc=
-github.com/alecthomas/chroma/v2 v2.14.0/go.mod h1:QolEbTfmUHIMVpBqxeDnNBj2uoeI4EbYP4i6n68SG4I=
+github.com/alecthomas/chroma/v2 v2.15.0/go.mod h1:gUhVLrPDXPtp/f+L1jo9xepo9gL4eLwRuGAunSZMkio=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
 github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
@ -89,15 +93,14 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.21.5 h1:iIga4nZRgd27EIEbX7RZmoRMul+EVBn/h7bAGL83dnY=
+github.com/caddyserver/certmagic v0.23.0 h1:CfpZ/50jMfG4+1J/u2LV6piJq4HOfO6ppOnOf7DkFEU=
-github.com/caddyserver/certmagic v0.21.5/go.mod h1:n1sCo7zV1Ez2j+89wrzDxo4N/T1Ws/Vx8u5NvuBFabw=
+github.com/caddyserver/certmagic v0.23.0/go.mod h1:9mEZIWqqWoI+Gf+4Trh04MOVPD0tGSxtqsxg87hAIH4=
 github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@ -110,6 +113,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
 github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@ -120,8 +125,8 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -132,15 +137,15 @@ github.com/dgraph-io/badger/v2 v2.2007.4 h1:TRWBQg8UrlUhaFdco01nO2uXwzKS7zd+HVdw
 github.com/dgraph-io/badger/v2 v2.2007.4/go.mod h1:vSw/ax2qojzbN6eXHIx6KPKtCSHJN/Uz0X0VPruTIhk=
 github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
 github.com/dgraph-io/ristretto v0.0.3-0.20200630154024-f66de99634de/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
-github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI=
+github.com/dgraph-io/ristretto v0.2.0 h1:XAfl+7cmoUDWW/2Lx8TGZQjjxIQ2Ley9DSf52dru4WE=
-github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
+github.com/dgraph-io/ristretto v0.2.0/go.mod h1:8uBHCU/PBV4Ag0CJrP47b9Ofby5dqWNh4FicAdoqFNU=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
-github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@ -156,11 +161,11 @@ github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1t
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
-github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-kit/kit v0.4.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.13.0 h1:OoneCcHKHQ03LfBpoQCUfCluwd2Vt3ohz+kvbJneZAU=
 github.com/go-kit/kit v0.13.0/go.mod h1:phqEHMMUbyrCFCTgH48JueqrM3md2HcAZ8N3XE4FKDg=
@ -186,8 +191,6 @@ github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPh
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
 github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
@ -203,8 +206,8 @@ github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI=
+github.com/google/cel-go v0.24.1 h1:jsBCtxG8mM5wiUJDSGUqU0K7Mtr3w7Eyv00rw4DiZxI=
-github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc=
+github.com/google/cel-go v0.24.1/go.mod h1:Hdf9TqOaTNSFQA1ybQaRqATVoK7m/zcf7IMhGXP5zI8=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 h1:heyoXNxkRT155x4jTAiSv5BVSVkueifPUm+Q8LUXMRo=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745/go.mod h1:zN0wUQgV9LjwLZeFHnrAbQi8hzMVvEWePyk+MhPOk7k=
@ -302,10 +305,10 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -324,8 +327,8 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
+github.com/libdns/libdns v1.0.0-beta.1 h1:KIf4wLfsrEpXpZ3vmc/poM8zCATXT2klbdPe6hyOBjQ=
-github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
+github.com/libdns/libdns v1.0.0-beta.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@ -344,11 +347,11 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/mholt/acmez/v3 v3.0.0 h1:r1NcjuWR0VaKP2BTjDK9LRFBw/WvURx3jlaEUl9Ht8E=
+github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
-github.com/mholt/acmez/v3 v3.0.0/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@ -366,6 +369,8 @@ github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 h1:onHthvaw9LFnH4t2DcNVpwGmV9E1BkGknEliJkfwQj0=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhMYhSNPKjeNKa5WY9YCIEBRbNzFFPJbWO6Y=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
@ -392,8 +397,8 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE=
+github.com/quic-go/quic-go v0.50.1 h1:unsgjFIUqW8a2oopkY7YNONpV1gYND6Nt9hnt1PN94Q=
-github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
+github.com/quic-go/quic-go v0.50.1/go.mod h1:Vim6OmUvlYdwBhXP9ZVrtGmCMWa3wEqhq3NgYrI8b4E=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
@ -468,12 +473,12 @@ github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
@ -491,8 +496,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53 h1:uxMgm0C+EjytfAqyfBG55ZONKQ7mvd7x4YYCWsf8QHQ=
 github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
@ -564,8 +569,8 @@ go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
@ -595,10 +600,10 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 h1:4cEcP5+OjGppY79LCQ5Go2B1Boix2x0v6pvA01P3FoA=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20250305170421-49bf5b80c810 h1:V5+zy0jmgNYmK1uW/sPpBw8ioFvalrhaUrYWmu1Fpe4=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20250305170421-49bf5b80c810/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
@ -610,8 +615,8 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -628,8 +633,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -644,8 +649,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -663,7 +668,6 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@ -675,16 +679,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@ -695,12 +699,12 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -716,8 +720,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/filesystems/map.go
+++ b/internal/filesystems/map.go
@ -7,10 +7,10 @@ import (
 )
 const (
-	DefaultFilesystemKey = "default"
+	DefaultFileSystemKey = "default"
 )
-var DefaultFilesystem = &wrapperFs{key: DefaultFilesystemKey, FS: OsFS{}}
+var DefaultFileSystem = &wrapperFs{key: DefaultFileSystemKey, FS: OsFS{}}
 // wrapperFs exists so can easily add to wrapperFs down the line
 type wrapperFs struct {
@ -18,24 +18,24 @@ type wrapperFs struct {
 	fs.FS
 }
-// FilesystemMap stores a map of filesystems
+// FileSystemMap stores a map of filesystems
 // the empty key will be overwritten to be the default key
 // it includes a default filesystem, based off the os fs
-type FilesystemMap struct {
+type FileSystemMap struct {
 	m sync.Map
 }
 // note that the first invocation of key cannot be called in a racy context.
-func (f *FilesystemMap) key(k string) string {
+func (f *FileSystemMap) key(k string) string {
 	if k == "" {
-		k = DefaultFilesystemKey
+		k = DefaultFileSystemKey
 	}
 	return k
 }
 // Register will add the filesystem with key to later be retrieved
 // A call with a nil fs will call unregister, ensuring that a call to Default() will never be nil
-func (f *FilesystemMap) Register(k string, v fs.FS) {
+func (f *FileSystemMap) Register(k string, v fs.FS) {
 	k = f.key(k)
 	if v == nil {
 		f.Unregister(k)
@ -47,23 +47,23 @@ func (f *FilesystemMap) Register(k string, v fs.FS) {
 // Unregister will remove the filesystem with key from the filesystem map
 // if the key is the default key, it will set the default to the osFS instead of deleting it
 // modules should call this on cleanup to be safe
-func (f *FilesystemMap) Unregister(k string) {
+func (f *FileSystemMap) Unregister(k string) {
 	k = f.key(k)
-	if k == DefaultFilesystemKey {
+	if k == DefaultFileSystemKey {
-		f.m.Store(k, DefaultFilesystem)
+		f.m.Store(k, DefaultFileSystem)
 	} else {
 		f.m.Delete(k)
 	}
 }
 // Get will get a filesystem with a given key
-func (f *FilesystemMap) Get(k string) (v fs.FS, ok bool) {
+func (f *FileSystemMap) Get(k string) (v fs.FS, ok bool) {
 	k = f.key(k)
 	c, ok := f.m.Load(strings.TrimSpace(k))
 	if !ok {
-		if k == DefaultFilesystemKey {
+		if k == DefaultFileSystemKey {
-			f.m.Store(k, DefaultFilesystem)
+			f.m.Store(k, DefaultFileSystem)
-			return DefaultFilesystem, true
+			return DefaultFileSystem, true
 		}
 		return nil, ok
 	}
@ -71,7 +71,7 @@ func (f *FilesystemMap) Get(k string) (v fs.FS, ok bool) {
 }
 // Default will get the default filesystem in the filesystem map
-func (f *FilesystemMap) Default() fs.FS {
+func (f *FileSystemMap) Default() fs.FS {
-	val, _ := f.Get(DefaultFilesystemKey)
+	val, _ := f.Get(DefaultFileSystemKey)
 	return val
 }
--- a/listeners.go
+++ b/listeners.go
@ -210,7 +210,7 @@ func (na NetworkAddress) IsUnixNetwork() bool {
 	return IsUnixNetwork(na.Network)
 }
-// IsUnixNetwork returns true if na.Network is
+// IsFdNetwork returns true if na.Network is
 // fd or fdgram.
 func (na NetworkAddress) IsFdNetwork() bool {
 	return IsFdNetwork(na.Network)
@ -641,7 +641,7 @@ func RegisterNetwork(network string, getListener ListenerFunc) {
 	if network == "tcp" || network == "tcp4" || network == "tcp6" ||
 		network == "udp" || network == "udp4" || network == "udp6" ||
 		network == "unix" || network == "unixpacket" || network == "unixgram" ||
-		strings.HasPrefix("ip:", network) || strings.HasPrefix("ip4:", network) || strings.HasPrefix("ip6:", network) ||
+		strings.HasPrefix(network, "ip:") || strings.HasPrefix(network, "ip4:") || strings.HasPrefix(network, "ip6:") ||
 		network == "fd" || network == "fdgram" {
 		panic("network type " + network + " is reserved")
 	}
--- a/modules.go
+++ b/modules.go
@ -18,6 +18,8 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
 	"reflect"
 	"sort"
 	"strings"
@ -360,6 +362,14 @@ func isModuleMapType(typ reflect.Type) bool {
 		isJSONRawMessage(typ.Elem())
 }
 // ProxyFuncProducer is implemented by modules which produce a
 // function that returns a URL to use as network proxy. Modules
 // in the namespace `caddy.network_proxy` must implement this
 // interface.
 type ProxyFuncProducer interface {
 	ProxyFunc() func(*http.Request) (*url.URL, error)
 }
 var (
 	modules   = make(map[string]ModuleInfo)
 	modulesMu sync.RWMutex
--- a/modules/caddyevents/app.go
+++ b/modules/caddyevents/app.go
@ -20,9 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2"
@ -206,27 +204,26 @@ func (app *App) On(eventName string, handler Handler) error {
 //
 // Note that the data map is not copied, for efficiency. After Emit() is called, the
 // data passed in should not be changed in other goroutines.
-func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) Event {
+func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) caddy.Event {
 	logger := app.logger.With(zap.String("name", eventName))
-	id, err := uuid.NewRandom()
+	e, err := caddy.NewEvent(ctx, eventName, data)
 	if err != nil {
-		logger.Error("failed generating new event ID", zap.Error(err))
+		logger.Error("failed to create event", zap.Error(err))
 	}
-	eventName = strings.ToLower(eventName)
+	var originModule caddy.ModuleInfo
-
+	var originModuleID caddy.ModuleID
-	e := Event{
+	var originModuleName string
-		Data:   data,
+	if origin := e.Origin(); origin != nil {
-		id:     id,
+		originModule = origin.CaddyModule()
-		ts:     time.Now(),
+		originModuleID = originModule.ID
-		name:   eventName,
+		originModuleName = originModule.String()
 		origin: ctx.Module(),
 	}
 	logger = logger.With(
-		zap.String("id", e.id.String()),
+		zap.String("id", e.ID().String()),
-		zap.String("origin", e.origin.CaddyModule().String()))
+		zap.String("origin", originModuleName))
 	// add event info to replacer, make sure it's in the context
 	repl, ok := ctx.Context.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
@ -239,15 +236,15 @@ func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) E
 		case "event":
 			return e, true
 		case "event.id":
-			return e.id, true
+			return e.ID(), true
 		case "event.name":
-			return e.name, true
+			return e.Name(), true
 		case "event.time":
-			return e.ts, true
+			return e.Timestamp(), true
 		case "event.time_unix":
-			return e.ts.UnixMilli(), true
+			return e.Timestamp().UnixMilli(), true
 		case "event.module":
-			return e.origin.CaddyModule().ID, true
+			return originModuleID, true
 		case "event.data":
 			return e.Data, true
 		}
@ -269,7 +266,7 @@ func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) E
 	// invoke handlers bound to the event by name and also all events; this for loop
 	// iterates twice at most: once for the event name, once for "" (all events)
 	for {
-		moduleID := e.origin.CaddyModule().ID
+		moduleID := originModuleID
 		// implement propagation up the module tree (i.e. start with "a.b.c" then "a.b" then "a" then "")
 		for {
@ -292,7 +289,7 @@ func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) E
 					zap.Any("handler", handler))
 				if err := handler.Handle(ctx, e); err != nil {
-					aborted := errors.Is(err, ErrAborted)
+					aborted := errors.Is(err, caddy.ErrEventAborted)
 					logger.Error("handler error",
 						zap.Error(err),
@ -326,76 +323,9 @@ func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) E
 	return e
 }
 // Event represents something that has happened or is happening.
 // An Event value is not synchronized, so it should be copied if
 // being used in goroutines.
 //
 // EXPERIMENTAL: As with the rest of this package, events are
 // subject to change.
 type Event struct {
 	// If non-nil, the event has been aborted, meaning
 	// propagation has stopped to other handlers and
 	// the code should stop what it was doing. Emitters
 	// may choose to use this as a signal to adjust their
 	// code path appropriately.
 	Aborted error
 	// The data associated with the event. Usually the
 	// original emitter will be the only one to set or
 	// change these values, but the field is exported
 	// so handlers can have full access if needed.
 	// However, this map is not synchronized, so
 	// handlers must not use this map directly in new
 	// goroutines; instead, copy the map to use it in a
 	// goroutine.
 	Data map[string]any
 	id     uuid.UUID
 	ts     time.Time
 	name   string
 	origin caddy.Module
 }
 func (e Event) ID() uuid.UUID        { return e.id }
 func (e Event) Timestamp() time.Time { return e.ts }
 func (e Event) Name() string         { return e.name }
 func (e Event) Origin() caddy.Module { return e.origin }
 // CloudEvent exports event e as a structure that, when
 // serialized as JSON, is compatible with the
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
 	return CloudEvent{
 		ID:              e.id.String(),
 		Source:          e.origin.CaddyModule().String(),
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,
 		DataContentType: "application/json",
 		Data:            dataJSON,
 	}
 }
 // CloudEvent is a JSON-serializable structure that
 // is compatible with the CloudEvents specification.
 // See https://cloudevents.io.
 type CloudEvent struct {
 	ID              string          `json:"id"`
 	Source          string          `json:"source"`
 	SpecVersion     string          `json:"specversion"`
 	Type            string          `json:"type"`
 	Time            time.Time       `json:"time"`
 	DataContentType string          `json:"datacontenttype,omitempty"`
 	Data            json.RawMessage `json:"data,omitempty"`
 }
 // ErrAborted cancels an event.
 var ErrAborted = errors.New("event aborted")
 // Handler is a type that can handle events.
 type Handler interface {
-	Handle(context.Context, Event) error
+	Handle(context.Context, caddy.Event) error
 }
 // Interface guards
--- a/modules/caddyfs/filesystem.go
+++ b/modules/caddyfs/filesystem.go
@ -69,11 +69,11 @@ func (xs *Filesystems) Provision(ctx caddy.Context) error {
 		}
 		// register that module
 		ctx.Logger().Debug("registering fs", zap.String("fs", f.Key))
-		ctx.Filesystems().Register(f.Key, f.fileSystem)
+		ctx.FileSystems().Register(f.Key, f.fileSystem)
 		// remember to unregister the module when we are done
 		xs.defers = append(xs.defers, func() {
 			ctx.Logger().Debug("unregistering fs", zap.String("fs", f.Key))
-			ctx.Filesystems().Unregister(f.Key)
+			ctx.FileSystems().Unregister(f.Key)
 		})
 	}
 	return nil
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@ -73,7 +73,7 @@ func init() {
 // `{http.request.local.host}` | The host (IP) part of the local address the connection arrived on
 // `{http.request.local.port}` | The port part of the local address the connection arrived on
 // `{http.request.local}` | The local address the connection arrived on
-// `{http.request.remote.host}` | The host (IP) part of the remote client's address
+// `{http.request.remote.host}` | The host (IP) part of the remote client's address, if available (not known with HTTP/3 early data)
 // `{http.request.remote.port}` | The port part of the remote client's address
 // `{http.request.remote}` | The address of the remote client
 // `{http.request.scheme}` | The request scheme, typically `http` or `https`
@ -207,7 +207,7 @@ func (app *App) Provision(ctx caddy.Context) error {
 		if srv.Metrics != nil {
 			srv.logger.Warn("per-server 'metrics' is deprecated; use 'metrics' in the root 'http' app instead")
-			app.Metrics = cmp.Or[*Metrics](app.Metrics, &Metrics{
+			app.Metrics = cmp.Or(app.Metrics, &Metrics{
 				init:        sync.Once{},
 				httpMetrics: &httpMetrics{},
 			})
@ -529,21 +529,6 @@ func (app *App) Start() error {
 				// enable TLS if there is a policy and if this is not the HTTP port
 				useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
 				// enable HTTP/3 if configured
 				if h3ok && useTLS {
 					app.logger.Info("enabling HTTP/3 listener", zap.String("addr", hostport))
 					if err := srv.serveHTTP3(listenAddr.At(portOffset), tlsCfg); err != nil {
 						return err
 					}
 				}
 				if h3ok && !useTLS {
 					// Can only serve h3 with TLS enabled
 					app.logger.Warn("HTTP/3 skipped because it requires TLS",
 						zap.String("network", listenAddr.Network),
 						zap.String("addr", hostport))
 				}
 				if h1ok || h2ok && useTLS || h2cok {
 					// create the listener for this socket
 					lnAny, err := listenAddr.Listen(app.ctx, portOffset, net.ListenConfig{KeepAlive: time.Duration(srv.KeepAliveInterval)})
@ -614,6 +599,33 @@ func (app *App) Start() error {
 						zap.String("network", listenAddr.Network),
 						zap.String("addr", hostport))
 				}
 				if h3ok {
 					// Can't serve HTTP/3 on the same socket as HTTP/1 and 2 because it uses
 					// a different transport mechanism... which is fine, but the OS doesn't
 					// differentiate between a SOCK_STREAM file and a SOCK_DGRAM file; they
 					// are still one file on the system. So even though "unixpacket" and
 					// "unixgram" are different network types just as "tcp" and "udp" are,
 					// the OS will not let us use the same file as both STREAM and DGRAM.
 					if listenAddr.IsUnixNetwork() {
 						app.logger.Warn("HTTP/3 disabled because Unix can't multiplex STREAM and DGRAM on same socket",
 							zap.String("file", hostport))
 						continue
 					}
 					if useTLS {
 						// enable HTTP/3 if configured
 						app.logger.Info("enabling HTTP/3 listener", zap.String("addr", hostport))
 						if err := srv.serveHTTP3(listenAddr.At(portOffset), tlsCfg); err != nil {
 							return err
 						}
 					} else {
 						// Can only serve h3 with TLS enabled
 						app.logger.Warn("HTTP/3 skipped because it requires TLS",
 							zap.String("network", listenAddr.Network),
 							zap.String("addr", hostport))
 					}
 				}
 			}
 		}
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@ -163,6 +163,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 			}
 		}
 		// trim the list of domains covered by wildcards, if configured
 		if srv.AutoHTTPS.PreferWildcard {
 			wildcards := make(map[string]struct{})
 			for d := range serverDomainSet {
@ -184,6 +185,17 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 			}
 		}
 		// build the list of domains that could be used with ECH (if enabled)
 		// so the TLS app can know to publish ECH configs for them; we do this
 		// after trimming domains covered by wildcards because, presumably,
 		// if the user wants to use wildcard certs, they also want to use the
 		// wildcard for ECH, rather than individual subdomains
 		echDomains := make([]string, 0, len(serverDomainSet))
 		for d := range serverDomainSet {
 			echDomains = append(echDomains, d)
 		}
 		app.tlsApp.RegisterServerNames(echDomains)
 		// nothing more to do here if there are no domains that qualify for
 		// automatic HTTPS and there are no explicit TLS connection policies:
 		// if there is at least one domain but no TLS conn policy (F&&T), we'll
--- a/modules/caddyhttp/fileserver/browse.go
+++ b/modules/caddyhttp/fileserver/browse.go
@ -130,9 +130,9 @@ func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w ht
 	// speed up browser/client experience and caching by supporting If-Modified-Since
 	if ifModSinceStr := r.Header.Get("If-Modified-Since"); ifModSinceStr != "" {
-		ifModSince, err := time.ParseInLocation(http.TimeFormat, ifModSinceStr, time.Local)
+		// basically a copy of stdlib file server's handling of If-Modified-Since
-		lastModTrunc := listing.lastModified.Truncate(time.Second)
+		ifModSince, err := http.ParseTime(ifModSinceStr)
-		if err == nil && (lastModTrunc.Equal(ifModSince) || lastModTrunc.Before(ifModSince)) {
+		if err == nil && listing.lastModified.Truncate(time.Second).Compare(ifModSince) <= 0 {
 			w.WriteHeader(http.StatusNotModified)
 			return nil
 		}
@ -213,6 +213,11 @@ func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w ht
 }
 func (fsrv *FileServer) loadDirectoryContents(ctx context.Context, fileSystem fs.FS, dir fs.ReadDirFile, root, urlPath string, repl *caddy.Replacer) (*browseTemplateContext, error) {
 	// modTime for the directory itself
 	stat, err := dir.Stat()
 	if err != nil {
 		return nil, err
 	}
 	dirLimit := defaultDirEntryLimit
 	if fsrv.Browse.FileLimit != 0 {
 		dirLimit = fsrv.Browse.FileLimit
@ -225,7 +230,7 @@ func (fsrv *FileServer) loadDirectoryContents(ctx context.Context, fileSystem fs
 	// user can presumably browse "up" to parent folder if path is longer than "/"
 	canGoUp := len(urlPath) > 1
-	return fsrv.directoryListing(ctx, fileSystem, files, canGoUp, root, urlPath, repl), nil
+	return fsrv.directoryListing(ctx, fileSystem, stat.ModTime(), files, canGoUp, root, urlPath, repl), nil
 }
 // browseApplyQueryParams applies query parameters to the listing.
--- a/modules/caddyhttp/fileserver/browsetplcontext.go
+++ b/modules/caddyhttp/fileserver/browsetplcontext.go
@ -35,15 +35,16 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
-func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS, entries []fs.DirEntry, canGoUp bool, root, urlPath string, repl *caddy.Replacer) *browseTemplateContext {
+func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS, parentModTime time.Time, entries []fs.DirEntry, canGoUp bool, root, urlPath string, repl *caddy.Replacer) *browseTemplateContext {
 	filesToHide := fsrv.transformHidePaths(repl)
 	name, _ := url.PathUnescape(urlPath)
 	tplCtx := &browseTemplateContext{
-		Name:    path.Base(name),
+		Name:         path.Base(name),
-		Path:    urlPath,
+		Path:         urlPath,
-		CanGoUp: canGoUp,
+		CanGoUp:      canGoUp,
 		lastModified: parentModTime,
 	}
 	for _, entry := range entries {
@ -131,6 +132,10 @@ func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS,
 		})
 	}
 	// this time is used for the Last-Modified header and comparing If-Modified-Since from client
 	// both are expected to be in UTC, so we convert to UTC here
 	// see: https://github.com/caddyserver/caddy/issues/6828
 	tplCtx.lastModified = tplCtx.lastModified.UTC()
 	return tplCtx
 }
--- a/modules/caddyhttp/fileserver/matcher.go
+++ b/modules/caddyhttp/fileserver/matcher.go
@ -274,7 +274,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 func (m *MatchFile) Provision(ctx caddy.Context) error {
 	m.logger = ctx.Logger()
-	m.fsmap = ctx.Filesystems()
+	m.fsmap = ctx.FileSystems()
 	if m.Root == "" {
 		m.Root = "{http.vars.root}"
--- a/modules/caddyhttp/fileserver/matcher_test.go
+++ b/modules/caddyhttp/fileserver/matcher_test.go
@ -117,7 +117,7 @@ func TestFileMatcher(t *testing.T) {
 		},
 	} {
 		m := &MatchFile{
-			fsmap:    &filesystems.FilesystemMap{},
+			fsmap:    &filesystems.FileSystemMap{},
 			Root:     "./testdata",
 			TryFiles: []string{"{http.request.uri.path}", "{http.request.uri.path}/"},
 		}
@ -229,7 +229,7 @@ func TestPHPFileMatcher(t *testing.T) {
 		},
 	} {
 		m := &MatchFile{
-			fsmap:     &filesystems.FilesystemMap{},
+			fsmap:     &filesystems.FileSystemMap{},
 			Root:      "./testdata",
 			TryFiles:  []string{"{http.request.uri.path}", "{http.request.uri.path}/index.php"},
 			SplitPath: []string{".php"},
@ -273,7 +273,7 @@ func TestPHPFileMatcher(t *testing.T) {
 func TestFirstSplit(t *testing.T) {
 	m := MatchFile{
 		SplitPath: []string{".php"},
-		fsmap:     &filesystems.FilesystemMap{},
+		fsmap:     &filesystems.FileSystemMap{},
 	}
 	actual, remainder := m.firstSplit("index.PHP/somewhere")
 	expected := "index.PHP"
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@ -186,7 +186,7 @@ func (FileServer) CaddyModule() caddy.ModuleInfo {
 func (fsrv *FileServer) Provision(ctx caddy.Context) error {
 	fsrv.logger = ctx.Logger()
-	fsrv.fsmap = ctx.Filesystems()
+	fsrv.fsmap = ctx.FileSystems()
 	if fsrv.FileSystem == "" {
 		fsrv.FileSystem = "{http.vars.fs}"
--- a/modules/caddyhttp/headers/caddyfile.go
+++ b/modules/caddyhttp/headers/caddyfile.go
@ -99,6 +99,16 @@ func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error)
 			handler.Response.Deferred = true
 			continue
 		}
 		if field == "match" {
 			responseMatchers := make(map[string]caddyhttp.ResponseMatcher)
 			err := caddyhttp.ParseNamedResponseMatcher(h.NewFromNextSegment(), responseMatchers)
 			if err != nil {
 				return nil, err
 			}
 			matcher := responseMatchers["match"]
 			handler.Response.Require = &matcher
 			continue
 		}
 		if hasArgs {
 			return nil, h.Err("cannot specify headers in both arguments and block") // because it would be weird
 		}
--- a/modules/caddyhttp/headers/headers.go
+++ b/modules/caddyhttp/headers/headers.go
@ -78,7 +78,7 @@ func (h Handler) Validate() error {
 			return err
 		}
 	}
-	if h.Response != nil {
+	if h.Response != nil && h.Response.HeaderOps != nil {
 		err := h.Response.validate()
 		if err != nil {
 			return err
@ -133,6 +133,9 @@ type HeaderOps struct {
 // Provision sets up the header operations.
 func (ops *HeaderOps) Provision(_ caddy.Context) error {
 	if ops == nil {
 		return nil // it's possible no ops are configured; fix #6893
 	}
 	for fieldName, replacements := range ops.Replace {
 		for i, r := range replacements {
 			if r.SearchRegexp == "" {
--- a/modules/caddyhttp/headers/headers_test.go
+++ b/modules/caddyhttp/headers/headers_test.go
@ -143,6 +143,28 @@ func TestHandler(t *testing.T) {
 				"Cache-Control": []string{"no-cache"},
 			},
 		},
 		{ // same as above, but checks that response headers are left alone when "Require" conditions are unmet
 			handler: Handler{
 				Response: &RespHeaderOps{
 					Require: &caddyhttp.ResponseMatcher{
 						Headers: http.Header{
 							"Cache-Control": nil,
 						},
 					},
 					HeaderOps: &HeaderOps{
 						Add: http.Header{
 							"Cache-Control": []string{"no-cache"},
 						},
 					},
 				},
 			},
 			respHeader: http.Header{
 				"Cache-Control": []string{"something"},
 			},
 			expectedRespHeader: http.Header{
 				"Cache-Control": []string{"something"},
 			},
 		},
 		{
 			handler: Handler{
 				Response: &RespHeaderOps{
--- a/modules/caddyhttp/logging.go
+++ b/modules/caddyhttp/logging.go
@ -211,6 +211,11 @@ func errLogValues(err error) (status int, msg string, fields func() []zapcore.Fi
 		}
 		return
 	}
 	fields = func() []zapcore.Field {
 		return []zapcore.Field{
 			zap.Error(err),
 		}
 	}
 	status = http.StatusInternalServerError
 	msg = err.Error()
 	return
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@ -1342,6 +1342,8 @@ func (m *MatchTLS) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			case "early_data":
 				var false bool
 				m.HandshakeComplete = &false
 			default:
 				return d.Errf("unrecognized option '%s'", d.Val())
 			}
 		}
 		if d.NextArg() {
--- a/modules/caddyhttp/requestbody/caddyfile.go
+++ b/modules/caddyhttp/requestbody/caddyfile.go
@ -68,6 +68,12 @@ func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error)
 			}
 			rb.WriteTimeout = timeout
 		case "set":
 			var setStr string
 			if !h.AllArgs(&setStr) {
 				return nil, h.ArgErr()
 			}
 			rb.Set = setStr
 		default:
 			return nil, h.Errf("unrecognized request_body subdirective '%s'", h.Val())
 		}
--- a/modules/caddyhttp/requestbody/requestbody.go
+++ b/modules/caddyhttp/requestbody/requestbody.go
@ -18,6 +18,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
 	"strings"
 	"time"
 	"go.uber.org/zap"
@ -43,6 +44,10 @@ type RequestBody struct {
 	// EXPERIMENTAL. Subject to change/removal.
 	WriteTimeout time.Duration `json:"write_timeout,omitempty"`
 	// This field permit to replace body on the fly
 	// EXPERIMENTAL. Subject to change/removal.
 	Set string `json:"set,omitempty"`
 	logger *zap.Logger
 }
@ -60,6 +65,18 @@ func (rb *RequestBody) Provision(ctx caddy.Context) error {
 }
 func (rb RequestBody) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	if rb.Set != "" {
 		if r.Body != nil {
 			err := r.Body.Close()
 			if err != nil {
 				return err
 			}
 		}
 		repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 		replacedBody := repl.ReplaceAll(rb.Set, "")
 		r.Body = io.NopCloser(strings.NewReader(replacedBody))
 		r.ContentLength = int64(len(replacedBody))
 	}
 	if r.Body == nil {
 		return next.ServeHTTP(w, r)
 	}
--- a/modules/caddyhttp/responsewriter.go
+++ b/modules/caddyhttp/responsewriter.go
@ -154,16 +154,16 @@ func (rr *responseRecorder) WriteHeader(statusCode int) {
 	// connections by manually setting headers and writing status 101
 	rr.statusCode = statusCode
 	// decide whether we should buffer the response
 	if rr.shouldBuffer == nil {
 		rr.stream = true
 	} else {
 		rr.stream = !rr.shouldBuffer(rr.statusCode, rr.ResponseWriterWrapper.Header())
 	}
 	// 1xx responses aren't final; just informational
 	if statusCode < 100 || statusCode > 199 {
 		rr.wroteHeader = true
 		// decide whether we should buffer the response
 		if rr.shouldBuffer == nil {
 			rr.stream = true
 		} else {
 			rr.stream = !rr.shouldBuffer(rr.statusCode, rr.ResponseWriterWrapper.Header())
 		}
 	}
 	// if informational or not buffered, immediately write header
--- a/modules/caddyhttp/reverseproxy/buffering_test.go
+++ b/modules/caddyhttp/reverseproxy/buffering_test.go
@ -0,0 +1,84 @@
 package reverseproxy
 import (
 	"io"
 	"testing"
 )
 type zeroReader struct{}
 func (zeroReader) Read(p []byte) (int, error) {
 	for i := range p {
 		p[i] = 0
 	}
 	return len(p), nil
 }
 func TestBuffering(t *testing.T) {
 	var (
 		h  Handler
 		zr zeroReader
 	)
 	type args struct {
 		body  io.ReadCloser
 		limit int64
 	}
 	tests := []struct {
 		name        string
 		args        args
 		resultCheck func(io.ReadCloser, int64, args) bool
 	}{
 		{
 			name: "0 limit, body is returned as is",
 			args: args{
 				body:  io.NopCloser(&zr),
 				limit: 0,
 			},
 			resultCheck: func(res io.ReadCloser, read int64, args args) bool {
 				return res == args.body && read == args.limit && read == 0
 			},
 		},
 		{
 			name: "negative limit, body is read completely",
 			args: args{
 				body:  io.NopCloser(io.LimitReader(&zr, 100)),
 				limit: -1,
 			},
 			resultCheck: func(res io.ReadCloser, read int64, args args) bool {
 				brc, ok := res.(bodyReadCloser)
 				return ok && brc.body == nil && brc.buf.Len() == 100 && read == 100
 			},
 		},
 		{
 			name: "positive limit, body is read partially",
 			args: args{
 				body:  io.NopCloser(io.LimitReader(&zr, 100)),
 				limit: 50,
 			},
 			resultCheck: func(res io.ReadCloser, read int64, args args) bool {
 				brc, ok := res.(bodyReadCloser)
 				return ok && brc.body != nil && brc.buf.Len() == 50 && read == 50
 			},
 		},
 		{
 			name: "positive limit, body is read completely",
 			args: args{
 				body:  io.NopCloser(io.LimitReader(&zr, 100)),
 				limit: 101,
 			},
 			resultCheck: func(res io.ReadCloser, read int64, args args) bool {
 				brc, ok := res.(bodyReadCloser)
 				return ok && brc.body == nil && brc.buf.Len() == 100 && read == 100
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			res, read := h.bufferedBody(tt.args.body, tt.args.limit)
 			if !tt.resultCheck(res, read, tt.args) {
 				t.Error("Handler.bufferedBody() test failed")
 				return
 			}
 		})
 	}
 }
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@ -33,6 +33,7 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/headers"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/rewrite"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 	"github.com/caddyserver/caddy/v2/modules/internal/network"
 )
 func init() {
@ -979,7 +980,9 @@ func (h *Handler) FinalizeUnmarshalCaddyfile(helper httpcaddyfile.Helper) error
 //	    read_buffer             <size>
 //	    write_buffer            <size>
 //	    max_response_header     <size>
-//	    forward_proxy_url       <url>
+//	    network_proxy           <module> {
 //	        ...
 //	    }
 //	    dial_timeout            <duration>
 //	    dial_fallback_delay     <duration>
 //	    response_header_timeout <duration>
@ -990,6 +993,9 @@ func (h *Handler) FinalizeUnmarshalCaddyfile(helper httpcaddyfile.Helper) error
 //	    tls_insecure_skip_verify
 //	    tls_timeout <duration>
 //	    tls_trusted_ca_certs <cert_files...>
 //	    tls_trust_pool <module> {
 //	        ...
 //	    }
 //	    tls_server_name <sni>
 //	    tls_renegotiation <level>
 //	    tls_except_ports <ports...>
@ -1068,10 +1074,24 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			}
 		case "forward_proxy_url":
 			caddy.Log().Warn("The 'forward_proxy_url' field is deprecated. Use 'network_proxy <url>' instead.")
 			if !d.NextArg() {
 				return d.ArgErr()
 			}
-			h.ForwardProxyURL = d.Val()
+			u := network.ProxyFromURL{URL: d.Val()}
 			h.NetworkProxyRaw = caddyconfig.JSONModuleObject(u, "from", "url", nil)
 		case "network_proxy":
 			if !d.NextArg() {
 				return d.ArgErr()
 			}
 			modStem := d.Val()
 			modID := "caddy.network_proxy." + modStem
 			unm, err := caddyfile.UnmarshalModule(d, modID)
 			if err != nil {
 				return err
 			}
 			h.NetworkProxyRaw = caddyconfig.JSONModuleObject(unm, "from", modStem, nil)
 		case "dial_timeout":
 			if !d.NextArg() {
--- a/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go
@ -131,15 +131,18 @@ func (t *Transport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 // is equivalent to a route consisting of:
 //
 //	# Add trailing slash for directory requests
 //	# This redirection is automatically disabled if "{http.request.uri.path}/index.php"
 //	# doesn't appear in the try_files list
 //	@canonicalPath {
 //	    file {path}/index.php
 //	    not path */
 //	}
 //	redir @canonicalPath {path}/ 308
 //
-//	# If the requested file does not exist, try index files
+//	# If the requested file does not exist, try index files and assume index.php always exists
 //	@indexFiles file {
 //	    try_files {path} {path}/index.php index.php
 //	    try_policy first_exist_fallback
 //	    split_path .php
 //	}
 //	rewrite @indexFiles {http.matchers.file.relative}
--- a/modules/caddyhttp/reverseproxy/healthchecks.go
+++ b/modules/caddyhttp/reverseproxy/healthchecks.go
@ -309,7 +309,9 @@ func (h *Handler) doActiveHealthCheckForAllHosts() {
 				}
 			}()
-			networkAddr, err := caddy.NewReplacer().ReplaceOrErr(upstream.Dial, true, true)
+			repl := caddy.NewReplacer()
 			networkAddr, err := repl.ReplaceOrErr(upstream.Dial, true, true)
 			if err != nil {
 				if c := h.HealthChecks.Active.logger.Check(zapcore.ErrorLevel, "invalid use of placeholders in dial address for active health checks"); c != nil {
 					c.Write(
@ -344,14 +346,24 @@ func (h *Handler) doActiveHealthCheckForAllHosts() {
 				return
 			}
 			hostAddr := addr.JoinHostPort(0)
 			dialAddr := hostAddr
 			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
 				// this will be used as the Host portion of a http.Request URL, and
 				// paths to socket files would produce an error when creating URL,
 				// so use a fake Host value instead; unix sockets are usually local
 				hostAddr = "localhost"
 			}
-			err = h.doActiveHealthCheck(DialInfo{Network: addr.Network, Address: dialAddr}, hostAddr, networkAddr, upstream)
+
 			// Fill in the dial info for the upstream
 			// If the upstream is set, use that instead
 			dialInfoUpstream := upstream
 			if h.HealthChecks.Active.Upstream != "" {
 				dialInfoUpstream = &Upstream{
 					Dial: h.HealthChecks.Active.Upstream,
 				}
 			}
 			dialInfo, _ := dialInfoUpstream.fillDialInfo(repl)
 			err = h.doActiveHealthCheck(dialInfo, hostAddr, networkAddr, upstream)
 			if err != nil {
 				if c := h.HealthChecks.Active.logger.Check(zapcore.ErrorLevel, "active health check failed"); c != nil {
 					c.Write(
--- a/modules/caddyhttp/reverseproxy/hosts.go
+++ b/modules/caddyhttp/reverseproxy/hosts.go
@ -17,7 +17,6 @@ package reverseproxy
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"sync/atomic"
@ -100,8 +99,7 @@ func (u *Upstream) Full() bool {
 // fillDialInfo returns a filled DialInfo for upstream u, using the request
 // context. Note that the returned value is not a pointer.
-func (u *Upstream) fillDialInfo(r *http.Request) (DialInfo, error) {
+func (u *Upstream) fillDialInfo(repl *caddy.Replacer) (DialInfo, error) {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 	var addr caddy.NetworkAddress
 	// use provided dial address
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@ -24,7 +24,6 @@ import (
 	weakrand "math/rand"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"reflect"
 	"slices"
@ -38,8 +37,10 @@ import (
 	"golang.org/x/net/http2"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 	"github.com/caddyserver/caddy/v2/modules/internal/network"
 )
 func init() {
@ -90,6 +91,7 @@ type HTTPTransport struct {
 	//  forward_proxy_url -> upstream
 	//
 	// Default: http.ProxyFromEnvironment
 	// DEPRECATED: Use NetworkProxyRaw|`network_proxy` instead. Subject to removal.
 	ForwardProxyURL string `json:"forward_proxy_url,omitempty"`
 	// How long to wait before timing out trying to connect to
@ -141,6 +143,22 @@ type HTTPTransport struct {
 	// The pre-configured underlying HTTP transport.
 	Transport *http.Transport `json:"-"`
 	// The module that provides the network (forward) proxy
 	// URL that the HTTP transport will use to proxy
 	// requests to the upstream. See [http.Transport.Proxy](https://pkg.go.dev/net/http#Transport.Proxy)
 	// for information regarding supported protocols.
 	//
 	// Providing a value to this parameter results in requests
 	// flowing through the reverse_proxy in the following way:
 	//
 	// User Agent ->
 	//  reverse_proxy ->
 	//  [proxy provided by the module] -> upstream
 	//
 	// If nil, defaults to reading the `HTTP_PROXY`,
 	// `HTTPS_PROXY`, and `NO_PROXY` environment variables.
 	NetworkProxyRaw json.RawMessage `json:"network_proxy,omitempty" caddy:"namespace=caddy.network_proxy inline_key=from"`
 	h2cTransport *http2.Transport
 	h3Transport  *http3.Transport // TODO: EXPERIMENTAL (May 2024)
 }
@ -328,16 +346,22 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 	}
 	// negotiate any HTTP/SOCKS proxy for the HTTP transport
-	var proxy func(*http.Request) (*url.URL, error)
+	proxy := http.ProxyFromEnvironment
 	if h.ForwardProxyURL != "" {
-		pUrl, err := url.Parse(h.ForwardProxyURL)
+		caddyCtx.Logger().Warn("forward_proxy_url is deprecated; use network_proxy instead")
 		u := network.ProxyFromURL{URL: h.ForwardProxyURL}
 		h.NetworkProxyRaw = caddyconfig.JSONModuleObject(u, "from", "url", nil)
 	}
 	if len(h.NetworkProxyRaw) != 0 {
 		proxyMod, err := caddyCtx.LoadModule(h, "ForwardProxyRaw")
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse transport proxy url: %v", err)
+			return nil, fmt.Errorf("failed to load network_proxy module: %v", err)
 		}
 		if m, ok := proxyMod.(caddy.ProxyFuncProducer); ok {
 			proxy = m.ProxyFunc()
 		} else {
 			return nil, fmt.Errorf("network_proxy module is not `(func(*http.Request) (*url.URL, error))``")
 		}
 		caddyCtx.Logger().Info("setting transport proxy url", zap.String("url", h.ForwardProxyURL))
 		proxy = http.ProxyURL(pUrl)
 	} else {
 		proxy = http.ProxyFromEnvironment
 	}
 	rt := &http.Transport{
--- a/modules/caddyhttp/reverseproxy/metrics.go
+++ b/modules/caddyhttp/reverseproxy/metrics.go
@ -1,32 +1,47 @@
 package reverseproxy
 import (
 	"errors"
 	"runtime/debug"
 	"sync"
 	"time"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"github.com/caddyserver/caddy/v2"
 )
 var reverseProxyMetrics = struct {
-	init             sync.Once
+	once             sync.Once
 	upstreamsHealthy *prometheus.GaugeVec
 	logger           *zap.Logger
 }{}
-func initReverseProxyMetrics(handler *Handler) {
+func initReverseProxyMetrics(handler *Handler, registry *prometheus.Registry) {
 	const ns, sub = "caddy", "reverse_proxy"
 	upstreamsLabels := []string{"upstream"}
-	reverseProxyMetrics.upstreamsHealthy = promauto.NewGaugeVec(prometheus.GaugeOpts{
+	reverseProxyMetrics.once.Do(func() {
-		Namespace: ns,
+		reverseProxyMetrics.upstreamsHealthy = prometheus.NewGaugeVec(prometheus.GaugeOpts{
-		Subsystem: sub,
+			Namespace: ns,
-		Name:      "upstreams_healthy",
+			Subsystem: sub,
-		Help:      "Health status of reverse proxy upstreams.",
+			Name:      "upstreams_healthy",
-	}, upstreamsLabels)
+			Help:      "Health status of reverse proxy upstreams.",
 		}, upstreamsLabels)
 	})
 	// duplicate registration could happen if multiple sites with reverse proxy are configured; so ignore the error because
 	// there's no good way to capture having multiple sites with reverse proxy. If this happens, the metrics will be
 	// registered twice, but the second registration will be ignored.
 	if err := registry.Register(reverseProxyMetrics.upstreamsHealthy); err != nil &&
 		!errors.Is(err, prometheus.AlreadyRegisteredError{
 			ExistingCollector: reverseProxyMetrics.upstreamsHealthy,
 			NewCollector:      reverseProxyMetrics.upstreamsHealthy,
 		}) {
 		panic(err)
 	}
 	reverseProxyMetrics.logger = handler.logger.Named("reverse_proxy.metrics")
 }
@ -35,17 +50,14 @@ type metricsUpstreamsHealthyUpdater struct {
 	handler *Handler
 }
-func newMetricsUpstreamsHealthyUpdater(handler *Handler) *metricsUpstreamsHealthyUpdater {
+func newMetricsUpstreamsHealthyUpdater(handler *Handler, ctx caddy.Context) *metricsUpstreamsHealthyUpdater {
-	reverseProxyMetrics.init.Do(func() {
+	initReverseProxyMetrics(handler, ctx.GetMetricsRegistry())
 		initReverseProxyMetrics(handler)
 	})
 	reverseProxyMetrics.upstreamsHealthy.Reset()
 	return &metricsUpstreamsHealthyUpdater{handler}
 }
-func (m *metricsUpstreamsHealthyUpdater) Init() {
+func (m *metricsUpstreamsHealthyUpdater) init() {
 	go func() {
 		defer func() {
 			if err := recover(); err != nil {
--- a/modules/caddyhttp/reverseproxy/reverseproxy.go
+++ b/modules/caddyhttp/reverseproxy/reverseproxy.go
@ -382,8 +382,8 @@ func (h *Handler) Provision(ctx caddy.Context) error {
 		}
 	}
-	upstreamHealthyUpdater := newMetricsUpstreamsHealthyUpdater(h)
+	upstreamHealthyUpdater := newMetricsUpstreamsHealthyUpdater(h, ctx)
-	upstreamHealthyUpdater.Init()
+	upstreamHealthyUpdater.init()
 	return nil
 }
@ -532,7 +532,7 @@ func (h *Handler) proxyLoopIteration(r *http.Request, origReq *http.Request, w h
 	// the dial address may vary per-request if placeholders are
 	// used, so perform those replacements here; the resulting
 	// DialInfo struct should have valid network address syntax
-	dialInfo, err := upstream.fillDialInfo(r)
+	dialInfo, err := upstream.fillDialInfo(repl)
 	if err != nil {
 		return true, fmt.Errorf("making dial info: %v", err)
 	}
@ -683,7 +683,7 @@ func (h Handler) prepareRequest(req *http.Request, repl *caddy.Replacer) (*http.
 		req.Header.Set("Early-Data", "1")
 	}
-	reqUpType := upgradeType(req.Header)
+	reqUpgradeType := upgradeType(req.Header)
 	removeConnectionHeaders(req.Header)
 	// Remove hop-by-hop headers to the backend. Especially
@ -704,9 +704,9 @@ func (h Handler) prepareRequest(req *http.Request, repl *caddy.Replacer) (*http.
 	// After stripping all the hop-by-hop connection headers above, add back any
 	// necessary for protocol upgrades, such as for websockets.
-	if reqUpType != "" {
+	if reqUpgradeType != "" {
 		req.Header.Set("Connection", "Upgrade")
-		req.Header.Set("Upgrade", reqUpType)
+		req.Header.Set("Upgrade", reqUpgradeType)
 		normalizeWebsocketHeaders(req.Header)
 	}
@ -732,6 +732,9 @@ func (h Handler) prepareRequest(req *http.Request, repl *caddy.Replacer) (*http.
 		return nil, err
 	}
 	// Via header(s)
 	req.Header.Add("Via", fmt.Sprintf("%d.%d Caddy", req.ProtoMajor, req.ProtoMinor))
 	return req, nil
 }
@ -882,13 +885,15 @@ func (h *Handler) reverseProxy(rw http.ResponseWriter, req *http.Request, origRe
 		}),
 	)
 	const logMessage = "upstream roundtrip"
 	if err != nil {
-		if c := logger.Check(zapcore.DebugLevel, "upstream roundtrip"); c != nil {
+		if c := logger.Check(zapcore.DebugLevel, logMessage); c != nil {
 			c.Write(zap.Error(err))
 		}
 		return err
 	}
-	if c := logger.Check(zapcore.DebugLevel, "upstream roundtrip"); c != nil {
+	if c := logger.Check(zapcore.DebugLevel, logMessage); c != nil {
 		c.Write(
 			zap.Object("headers", caddyhttp.LoggableHTTPHeader{
 				Header:               res.Header,
@ -1024,6 +1029,14 @@ func (h *Handler) finalizeResponse(
 		res.Header.Del(h)
 	}
 	// delete our Server header and use Via instead (see #6275)
 	rw.Header().Del("Server")
 	var protoPrefix string
 	if !strings.HasPrefix(strings.ToUpper(res.Proto), "HTTP/") {
 		protoPrefix = res.Proto[:strings.Index(res.Proto, "/")+1]
 	}
 	rw.Header().Add("Via", fmt.Sprintf("%s%d.%d Caddy", protoPrefix, res.ProtoMajor, res.ProtoMinor))
 	// apply any response header operations
 	if h.Headers != nil && h.Headers.Response != nil {
 		if h.Headers.Response.Require == nil ||
@ -1221,6 +1234,10 @@ func (h Handler) provisionUpstream(upstream *Upstream) {
 // then returns a reader for the buffer along with how many bytes were buffered. Always close
 // the return value when done with it, just like if it was the original body! If limit is 0
 // (which it shouldn't be), this function returns its input; i.e. is a no-op, for safety.
 // Otherwise, it returns bodyReadCloser, the original body will be closed and body will be nil
 // if it's explicitly configured to buffer all or EOF is reached when reading.
 // TODO: the error during reading is discarded if the limit is negative, should the error be propagated
 // to upstream/downstream?
 func (h Handler) bufferedBody(originalBody io.ReadCloser, limit int64) (io.ReadCloser, int64) {
 	if limit == 0 {
 		return originalBody, 0
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@ -408,7 +408,6 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 					if fields == nil {
 						fields = errFields()
 					}
 					c.Write(fields...)
 				}
 			}
--- a/modules/caddypki/acmeserver/caddyfile.go
+++ b/modules/caddypki/acmeserver/caddyfile.go
@ -15,8 +15,6 @@
 package acmeserver
 import (
 	"time"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddypki"
@ -74,14 +72,10 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			if !h.NextArg() {
 				return nil, h.ArgErr()
 			}
 			dur, err := caddy.ParseDuration(h.Val())
 			if err != nil {
 				return nil, err
 			}
 			if d := time.Duration(ca.IntermediateLifetime); d > 0 && dur > d {
 				return nil, h.Errf("certificate lifetime (%s) exceeds intermediate certificate lifetime (%s)", dur, d)
 			}
 			acmeServer.Lifetime = caddy.Duration(dur)
 		case "resolvers":
 			acmeServer.Resolvers = h.RemainingArgs()
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@ -60,6 +60,14 @@ type ACMEIssuer struct {
 	// other than ACME transactions.
 	Email string `json:"email,omitempty"`
 	// Optionally select an ACME profile to use for certificate
 	// orders. Must be a profile name offered by the ACME server,
 	// which are listed at its directory endpoint.
 	//
 	// EXPERIMENTAL: Subject to change.
 	// See https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
 	Profile string `json:"profile,omitempty"`
 	// If you have an existing account with the ACME server, put
 	// the private key here in PEM format. The ACME client will
 	// look up your account information with this key first before
@ -98,6 +106,9 @@ type ACMEIssuer struct {
 	// be used. EXPERIMENTAL: Subject to change.
 	CertificateLifetime caddy.Duration `json:"certificate_lifetime,omitempty"`
 	// Forward proxy module
 	NetworkProxyRaw json.RawMessage `json:"network_proxy,omitempty" caddy:"namespace=caddy.network_proxy inline_key=from"`
 	rootPool *x509.CertPool
 	logger   *zap.Logger
@ -138,15 +149,30 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 		iss.AccountKey = accountKey
 	}
-	// DNS providers
+	// DNS challenge provider, if not already established
-	if iss.Challenges != nil && iss.Challenges.DNS != nil && iss.Challenges.DNS.ProviderRaw != nil {
+	if iss.Challenges != nil && iss.Challenges.DNS != nil && iss.Challenges.DNS.solver == nil {
-		val, err := ctx.LoadModule(iss.Challenges.DNS, "ProviderRaw")
+		var prov certmagic.DNSProvider
-		if err != nil {
+		if iss.Challenges.DNS.ProviderRaw != nil {
-			return fmt.Errorf("loading DNS provider module: %v", err)
+			// a challenge provider has been locally configured - use it
 			val, err := ctx.LoadModule(iss.Challenges.DNS, "ProviderRaw")
 			if err != nil {
 				return fmt.Errorf("loading DNS provider module: %v", err)
 			}
 			prov = val.(certmagic.DNSProvider)
 		} else if tlsAppIface, err := ctx.AppIfConfigured("tls"); err == nil {
 			// no locally configured DNS challenge provider, but if there is
 			// a global DNS module configured with the TLS app, use that
 			tlsApp := tlsAppIface.(*TLS)
 			if tlsApp.dns != nil {
 				prov = tlsApp.dns.(certmagic.DNSProvider)
 			}
 		}
 		if prov == nil {
 			return fmt.Errorf("DNS challenge enabled, but no DNS provider configured")
 		}
 		iss.Challenges.DNS.solver = &certmagic.DNS01Solver{
 			DNSManager: certmagic.DNSManager{
-				DNSProvider:        val.(certmagic.DNSProvider),
+				DNSProvider:        prov,
 				TTL:                time.Duration(iss.Challenges.DNS.TTL),
 				PropagationDelay:   time.Duration(iss.Challenges.DNS.PropagationDelay),
 				PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
@ -171,7 +197,7 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 	}
 	var err error
-	iss.template, err = iss.makeIssuerTemplate()
+	iss.template, err = iss.makeIssuerTemplate(ctx)
 	if err != nil {
 		return err
 	}
@ -179,11 +205,12 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 	return nil
 }
-func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
+func (iss *ACMEIssuer) makeIssuerTemplate(ctx caddy.Context) (certmagic.ACMEIssuer, error) {
 	template := certmagic.ACMEIssuer{
 		CA:                iss.CA,
 		TestCA:            iss.TestCA,
 		Email:             iss.Email,
 		Profile:           iss.Profile,
 		AccountKeyPEM:     iss.AccountKey,
 		CertObtainTimeout: time.Duration(iss.ACMETimeout),
 		TrustedRoots:      iss.rootPool,
@ -192,6 +219,18 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEIssuer, error) {
 		Logger:            iss.logger,
 	}
 	if len(iss.NetworkProxyRaw) != 0 {
 		proxyMod, err := ctx.LoadModule(iss, "ForwardProxyRaw")
 		if err != nil {
 			return template, fmt.Errorf("failed to load network_proxy module: %v", err)
 		}
 		if m, ok := proxyMod.(caddy.ProxyFuncProducer); ok {
 			template.HTTPProxy = m.ProxyFunc()
 		} else {
 			return template, fmt.Errorf("network_proxy module is not `(func(*http.Request) (*url.URL, error))``")
 		}
 	}
 	if iss.Challenges != nil {
 		if iss.Challenges.HTTP != nil {
 			template.DisableHTTPChallenge = iss.Challenges.HTTP.Disabled
@ -338,6 +377,7 @@ func (iss *ACMEIssuer) generateZeroSSLEABCredentials(ctx context.Context, acct a
 //	    dir <directory_url>
 //	    test_dir <test_directory_url>
 //	    email <email>
 //	    profile <profile_name>
 //	    timeout <duration>
 //	    disable_http_challenge
 //	    disable_tlsalpn_challenge
@ -400,6 +440,11 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				return d.ArgErr()
 			}
 		case "profile":
 			if !d.AllArgs(&iss.Profile) {
 				return d.ArgErr()
 			}
 		case "timeout":
 			var timeoutStr string
 			if !d.AllArgs(&timeoutStr) {
@ -477,21 +522,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			iss.TrustedRootsPEMFiles = d.RemainingArgs()
 		case "dns":
 			if !d.NextArg() {
 				return d.ArgErr()
 			}
 			provName := d.Val()
 			if iss.Challenges == nil {
 				iss.Challenges = new(ChallengesConfig)
 			}
 			if iss.Challenges.DNS == nil {
 				iss.Challenges.DNS = new(DNSChallengeConfig)
 			}
-			unm, err := caddyfile.UnmarshalModule(d, "dns.providers."+provName)
+			if d.NextArg() {
-			if err != nil {
+				provName := d.Val()
-				return err
+				unm, err := caddyfile.UnmarshalModule(d, "dns.providers."+provName)
 				if err != nil {
 					return err
 				}
 				iss.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, nil)
 			}
 			iss.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, nil)
 		case "propagation_delay":
 			if !d.NextArg() {
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@ -28,6 +28,7 @@ import (
 	"github.com/mholt/acmez/v3"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"golang.org/x/net/idna"
 	"github.com/caddyserver/caddy/v2"
 )
@ -172,9 +173,6 @@ type AutomationPolicy struct {
 	subjects []string
 	magic    *certmagic.Config
 	storage  certmagic.Storage
 	// Whether this policy had explicit managers configured directly on it.
 	hadExplicitManagers bool
 }
 // Provision sets up ap and builds its underlying CertMagic config.
@ -183,7 +181,12 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 	repl := caddy.NewReplacer()
 	subjects := make([]string, len(ap.SubjectsRaw))
 	for i, sub := range ap.SubjectsRaw {
-		subjects[i] = repl.ReplaceAll(sub, "")
+		sub = repl.ReplaceAll(sub, "")
 		subASCII, err := idna.ToASCII(sub)
 		if err != nil {
 			return fmt.Errorf("could not convert automation policy subject '%s' to punycode: %v", sub, err)
 		}
 		subjects[i] = subASCII
 	}
 	ap.subjects = subjects
@ -206,8 +209,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 	// store them on the policy before putting it on the config
 	// load and provision any cert manager modules
 	var hadExplicitManagers bool
 	if ap.ManagersRaw != nil {
-		ap.hadExplicitManagers = true
+		hadExplicitManagers = true
 		vals, err := tlsApp.ctx.LoadModule(ap, "ManagersRaw")
 		if err != nil {
 			return fmt.Errorf("loading external certificate manager modules: %v", err)
@ -267,9 +271,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		// prevent issuance from Issuers (when Managers don't provide a certificate) if there's no
 		// permission module configured
 		noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil)
-		failClosed := noProtections && !ap.hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured
+		failClosed := noProtections && !hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured
 		if noProtections {
-			if !ap.hadExplicitManagers {
+			if !hadExplicitManagers {
 				// no managers, no explicitly-configured permission module, this is a config error
 				return fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details")
 			}
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@ -93,7 +93,7 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error {
 // TLSConfig returns a standard-lib-compatible TLS configuration which
 // selects the first matching policy based on the ClientHello.
-func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config {
+func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 	// using ServerName to match policies is extremely common, especially in configs
 	// with lots and lots of different policies; we can fast-track those by indexing
 	// them by SNI, so we don't have to iterate potentially thousands of policies
@ -104,6 +104,7 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config {
 			for _, m := range p.matchers {
 				if sni, ok := m.(MatchServerName); ok {
 					for _, sniName := range sni {
 						// index for fast lookups during handshakes
 						indexedBySNI[sniName] = append(indexedBySNI[sniName], p)
 					}
 				}
@ -111,32 +112,79 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config {
 		}
 	}
-	return &tls.Config{
+	getConfigForClient := func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
-		MinVersion: tls.VersionTLS12,
+		// filter policies by SNI first, if possible, to speed things up
-		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+		// when there may be lots of policies
-			// filter policies by SNI first, if possible, to speed things up
+		possiblePolicies := cp
-			// when there may be lots of policies
+		if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok {
-			possiblePolicies := cp
+			possiblePolicies = indexedPolicies
-			if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok {
+		}
 				possiblePolicies = indexedPolicies
 			}
-		policyLoop:
+	policyLoop:
-			for _, pol := range possiblePolicies {
+		for _, pol := range possiblePolicies {
-				for _, matcher := range pol.matchers {
+			for _, matcher := range pol.matchers {
-					if !matcher.Match(hello) {
+				if !matcher.Match(hello) {
-						continue policyLoop
+					continue policyLoop
 				}
 			}
 			if pol.Drop {
 				return nil, fmt.Errorf("dropping connection")
 			}
 			return pol.TLSConfig, nil
 		}
 		return nil, fmt.Errorf("no server TLS configuration available for ClientHello: %+v", hello)
 	}
 	tlsCfg := &tls.Config{
 		MinVersion:         tls.VersionTLS12,
 		GetConfigForClient: getConfigForClient,
 	}
 	// enable ECH, if configured
 	if tlsAppIface, err := ctx.AppIfConfigured("tls"); err == nil {
 		tlsApp := tlsAppIface.(*TLS)
 		if tlsApp.EncryptedClientHello != nil && len(tlsApp.EncryptedClientHello.configs) > 0 {
 			// if no publication was configured, we apply ECH to all server names by default,
 			// but the TLS app needs to know what they are in this case, since they don't appear
 			// in its config (remember, TLS connection policies are used by *other* apps to
 			// run TLS servers) -- we skip names with placeholders
 			if tlsApp.EncryptedClientHello.Publication == nil {
 				var echNames []string
 				repl := caddy.NewReplacer()
 				for _, p := range cp {
 					for _, m := range p.matchers {
 						if sni, ok := m.(MatchServerName); ok {
 							for _, name := range sni {
 								finalName := strings.ToLower(repl.ReplaceAll(name, ""))
 								echNames = append(echNames, finalName)
 							}
 						}
 					}
 				}
-				if pol.Drop {
+				tlsApp.RegisterServerNames(echNames)
 					return nil, fmt.Errorf("dropping connection")
 				}
 				return pol.TLSConfig, nil
 			}
-			return nil, fmt.Errorf("no server TLS configuration available for ClientHello: %+v", hello)
+			// TODO: Ideally, ECH keys should be rotated. However, as of Go 1.24, the std lib implementation
-		},
+			// does not support safely modifying the tls.Config's EncryptedClientHelloKeys field.
 			// So, we implement static ECH keys temporarily. See https://github.com/golang/go/issues/71920.
 			// Revisit this after Go 1.25 is released and implement key rotation.
 			var stdECHKeys []tls.EncryptedClientHelloKey
 			for _, echConfigs := range tlsApp.EncryptedClientHello.configs {
 				for _, c := range echConfigs {
 					stdECHKeys = append(stdECHKeys, tls.EncryptedClientHelloKey{
 						Config:      c.configBin,
 						PrivateKey:  c.privKeyBin,
 						SendAsRetry: c.sendAsRetry,
 					})
 				}
 			}
 			tlsCfg.EncryptedClientHelloKeys = stdECHKeys
 		}
 	}
 	return tlsCfg
 }
 // ConnectionPolicy specifies the logic for handling a TLS handshake.
@ -409,6 +457,7 @@ func (p ConnectionPolicy) SettingsEmpty() bool {
 		p.ProtocolMax == "" &&
 		p.ClientAuthentication == nil &&
 		p.DefaultSNI == "" &&
 		p.FallbackSNI == "" &&
 		p.InsecureSecretsLog == ""
 }
@ -749,10 +798,14 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
 	// if we have TrustedCACerts explicitly set, create an 'inline' CA and return
 	if len(clientauth.TrustedCACerts) > 0 {
-		clientauth.ca = InlineCAPool{
+		caPool := InlineCAPool{
 			TrustedCACerts: clientauth.TrustedCACerts,
 		}
-		return nil
+		err := caPool.Provision(ctx)
 		if err != nil {
 			return nil
 		}
 		clientauth.ca = caPool
 	}
 	// if we don't have any CARaw set, there's not much work to do
@ -884,22 +937,13 @@ func setDefaultTLSParams(cfg *tls.Config) {
 	cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
 	if len(cfg.CurvePreferences) == 0 {
-		// We would want to write
+		cfg.CurvePreferences = defaultCurves
 		//
 		//	cfg.CurvePreferences = defaultCurves
 		//
 		// but that would disable the post-quantum key agreement X25519Kyber768
 		// supported in Go 1.23, for which the CurveID is not exported.
 		// Instead, we'll set CurvePreferences to nil, which will enable PQC.
 		// See https://github.com/caddyserver/caddy/issues/6540
 		cfg.CurvePreferences = nil
 	}
-	if cfg.MinVersion == 0 {
+	// crypto/tls docs:
-		cfg.MinVersion = tls.VersionTLS12
+	// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
-	}
+	if cfg.EncryptedClientHelloKeys != nil && cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS13 {
-	if cfg.MaxVersion == 0 {
+		cfg.MinVersion = tls.VersionTLS13
 		cfg.MaxVersion = tls.VersionTLS13
 	}
 }
--- a/modules/caddytls/connpolicy_test.go
+++ b/modules/caddytls/connpolicy_test.go
@ -20,6 +20,7 @@ import (
 	"reflect"
 	"testing"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
@ -278,3 +279,49 @@ func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
 		})
 	}
 }
 func TestClientAuthenticationProvision(t *testing.T) {
 	tests := []struct {
 		name    string
 		ca      ClientAuthentication
 		wantErr bool
 	}{
 		{
 			name: "specifying both 'CARaw' and 'TrustedCACerts' produces an error",
 			ca: ClientAuthentication{
 				CARaw:          json.RawMessage(`{"provider":"inline","trusted_ca_certs":["foo"]}`),
 				TrustedCACerts: []string{"foo"},
 			},
 			wantErr: true,
 		},
 		{
 			name: "specifying both 'CARaw' and 'TrustedCACertPEMFiles' produces an error",
 			ca: ClientAuthentication{
 				CARaw:                 json.RawMessage(`{"provider":"inline","trusted_ca_certs":["foo"]}`),
 				TrustedCACertPEMFiles: []string{"foo"},
 			},
 			wantErr: true,
 		},
 		{
 			name: "setting 'TrustedCACerts' provisions the cert pool",
 			ca: ClientAuthentication{
 				TrustedCACerts: []string{test_der_1},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := tt.ca.provision(caddy.Context{})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ClientAuthentication.provision() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !tt.wantErr {
 				if tt.ca.ca.CertPool() == nil {
 					t.Error("CertPool is nil, expected non-nil value")
 				}
 			}
 		})
 	}
 }
--- a/modules/caddytls/ech.go
+++ b/modules/caddytls/ech.go
@ -0,0 +1,978 @@
 package caddytls
 import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/fs"
 	weakrand "math/rand/v2"
 	"path"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/caddyserver/certmagic"
 	"github.com/cloudflare/circl/hpke"
 	"github.com/cloudflare/circl/kem"
 	"github.com/libdns/libdns"
 	"go.uber.org/zap"
 	"golang.org/x/crypto/cryptobyte"
 	"github.com/caddyserver/caddy/v2"
 )
 func init() {
 	caddy.RegisterModule(ECHDNSPublisher{})
 }
 // ECH enables Encrypted ClientHello (ECH) and configures its management.
 //
 // ECH helps protect site names (also called "server names" or "domain names"
 // or "SNI"), which are normally sent over plaintext when establishing a TLS
 // connection. With ECH, the true ClientHello is encrypted and wrapped by an
 // "outer" ClientHello that uses a more generic, shared server name that is
 // publicly known.
 //
 // Clients need to know which public name (and other parameters) to use when
 // connecting to a site with ECH, and the methods for this vary; however,
 // major browsers support reading ECH configurations from DNS records (which
 // is typically only secure when DNS-over-HTTPS or DNS-over-TLS is enabled in
 // the client). Caddy has the ability to automatically publish ECH configs to
 // DNS records if a DNS provider is configured either in the TLS app or with
 // each individual publication config object. (Requires a custom build with a
 // DNS provider module.)
 //
 // ECH requires at least TLS 1.3, so any TLS connection policies with ECH
 // applied will automatically upgrade the minimum TLS version to 1.3, even if
 // configured to a lower version.
 //
 // Note that, as of Caddy 2.10.0 (~March 2025), ECH keys are not automatically
 // rotated due to a limitation in the Go standard library (see
 // https://github.com/golang/go/issues/71920). This should be resolved when
 // Go 1.25 is released (~Aug. 2025), and Caddy will be updated to automatically
 // rotate ECH keys/configs at that point.
 //
 // EXPERIMENTAL: Subject to change.
 type ECH struct {
 	// The list of ECH configurations for which to automatically generate
 	// and rotate keys. At least one is required to enable ECH.
 	//
 	// It is strongly recommended to use as few ECH configs as possible
 	// to maximize the size of your anonymity set (see the ECH specification
 	// for a definition). Typically, each server should have only one public
 	// name, i.e. one config in this list.
 	Configs []ECHConfiguration `json:"configs,omitempty"`
 	// Publication describes ways to publish ECH configs for clients to
 	// discover and use. Without publication, most clients will not use
 	// ECH at all, and those that do will suffer degraded performance.
 	//
 	// Most major browsers support ECH by way of publication to HTTPS
 	// DNS RRs. (This also typically requires that they use DoH or DoT.)
 	Publication []*ECHPublication `json:"publication,omitempty"`
 	// map of public_name to list of configs
 	configs map[string][]echConfig
 }
 // Provision loads or creates ECH configs and returns outer names (for certificate
 // management), but does not publish any ECH configs. The DNS module is used as
 // a default for later publishing if needed.
 func (ech *ECH) Provision(ctx caddy.Context) ([]string, error) {
 	logger := ctx.Logger().Named("ech")
 	// set up publication modules before we need to obtain a lock in storage,
 	// since this is strictly internal and doesn't require synchronization
 	for i, pub := range ech.Publication {
 		mods, err := ctx.LoadModule(pub, "PublishersRaw")
 		if err != nil {
 			return nil, fmt.Errorf("loading ECH publication modules: %v", err)
 		}
 		for _, modIface := range mods.(map[string]any) {
 			ech.Publication[i].publishers = append(ech.Publication[i].publishers, modIface.(ECHPublisher))
 		}
 	}
 	// the rest of provisioning needs an exclusive lock so that instances aren't
 	// stepping on each other when setting up ECH configs
 	storage := ctx.Storage()
 	const echLockName = "ech_provision"
 	if err := storage.Lock(ctx, echLockName); err != nil {
 		return nil, err
 	}
 	defer func() {
 		if err := storage.Unlock(ctx, echLockName); err != nil {
 			logger.Error("unable to unlock ECH provisioning in storage", zap.Error(err))
 		}
 	}()
 	var outerNames []string //nolint:prealloc // (FALSE POSITIVE - see https://github.com/alexkohler/prealloc/issues/30)
 	// start by loading all the existing configs (even the older ones on the way out,
 	// since some clients may still be using them if they haven't yet picked up on the
 	// new configs)
 	cfgKeys, err := storage.List(ctx, echConfigsKey, false)
 	if err != nil && !errors.Is(err, fs.ErrNotExist) { // OK if dir doesn't exist; it will be created
 		return nil, err
 	}
 	for _, cfgKey := range cfgKeys {
 		cfg, err := loadECHConfig(ctx, path.Base(cfgKey))
 		if err != nil {
 			return nil, err
 		}
 		// if any part of the config's folder was corrupted, the load function will
 		// clean it up and not return an error, since configs are immutable and
 		// fairly ephemeral... so just check that we actually got a populated config
 		if cfg.configBin == nil || cfg.privKeyBin == nil {
 			continue
 		}
 		logger.Debug("loaded ECH config",
 			zap.String("public_name", cfg.RawPublicName),
 			zap.Uint8("id", cfg.ConfigID))
 		ech.configs[cfg.RawPublicName] = append(ech.configs[cfg.RawPublicName], cfg)
 		outerNames = append(outerNames, cfg.RawPublicName)
 	}
 	// all existing configs are now loaded; see if we need to make any new ones
 	// based on the input configuration, and also mark the most recent one(s) as
 	// current/active, so they can be used for ECH retries
 	for _, cfg := range ech.Configs {
 		publicName := strings.ToLower(strings.TrimSpace(cfg.PublicName))
 		if list, ok := ech.configs[publicName]; ok && len(list) > 0 {
 			// at least one config with this public name was loaded, so find the
 			// most recent one and mark it as active to be used with retries
 			var mostRecentDate time.Time
 			var mostRecentIdx int
 			for i, c := range list {
 				if mostRecentDate.IsZero() || c.meta.Created.After(mostRecentDate) {
 					mostRecentDate = c.meta.Created
 					mostRecentIdx = i
 				}
 			}
 			list[mostRecentIdx].sendAsRetry = true
 		} else {
 			// no config with this public name was loaded, so create one
 			echCfg, err := generateAndStoreECHConfig(ctx, publicName)
 			if err != nil {
 				return nil, err
 			}
 			logger.Debug("generated new ECH config",
 				zap.String("public_name", echCfg.RawPublicName),
 				zap.Uint8("id", echCfg.ConfigID))
 			ech.configs[publicName] = append(ech.configs[publicName], echCfg)
 			outerNames = append(outerNames, publicName)
 		}
 	}
 	return outerNames, nil
 }
 func (t *TLS) publishECHConfigs() error {
 	logger := t.logger.Named("ech")
 	// make publication exclusive, since we don't need to repeat this unnecessarily
 	storage := t.ctx.Storage()
 	const echLockName = "ech_publish"
 	if err := storage.Lock(t.ctx, echLockName); err != nil {
 		return err
 	}
 	defer func() {
 		if err := storage.Unlock(t.ctx, echLockName); err != nil {
 			logger.Error("unable to unlock ECH provisioning in storage", zap.Error(err))
 		}
 	}()
 	// get the publication config, or use a default if not specified
 	// (the default publication config should be to publish all ECH
 	// configs to the app-global DNS provider; if no DNS provider is
 	// configured, then this whole function is basically a no-op)
 	publicationList := t.EncryptedClientHello.Publication
 	if publicationList == nil {
 		if dnsProv, ok := t.dns.(ECHDNSProvider); ok {
 			publicationList = []*ECHPublication{
 				{
 					publishers: []ECHPublisher{
 						&ECHDNSPublisher{
 							provider: dnsProv,
 							logger:   t.logger,
 						},
 					},
 				},
 			}
 		}
 	}
 	// for each publication config, build the list of ECH configs to
 	// publish with it, and figure out which inner names to publish
 	// to/for, then publish
 	for _, publication := range publicationList {
 		// this publication is either configured for specific ECH configs,
 		// or we just use an implied default of all ECH configs
 		var echCfgList echConfigList
 		var configIDs []uint8 // TODO: use IDs or the outer names?
 		if publication.Configs == nil {
 			// by default, publish all configs
 			for _, configs := range t.EncryptedClientHello.configs {
 				echCfgList = append(echCfgList, configs...)
 				for _, c := range configs {
 					configIDs = append(configIDs, c.ConfigID)
 				}
 			}
 		} else {
 			for _, cfgOuterName := range publication.Configs {
 				if cfgList, ok := t.EncryptedClientHello.configs[cfgOuterName]; ok {
 					echCfgList = append(echCfgList, cfgList...)
 					for _, c := range cfgList {
 						configIDs = append(configIDs, c.ConfigID)
 					}
 				}
 			}
 		}
 		// marshal the ECH config list as binary for publication
 		echCfgListBin, err := echCfgList.MarshalBinary()
 		if err != nil {
 			return fmt.Errorf("marshaling ECH config list: %v", err)
 		}
 		// now we have our list of ECH configs to publish and the inner names
 		// to publish for (i.e. the names being protected); iterate each publisher
 		// and do the publish for any config+name that needs a publish
 		for _, publisher := range publication.publishers {
 			publisherKey := publisher.PublisherKey()
 			// by default, publish for all (non-outer) server names, unless
 			// a specific list of names is configured
 			var serverNamesSet map[string]struct{}
 			if publication.Domains == nil {
 				serverNamesSet = make(map[string]struct{}, len(t.serverNames))
 				for name := range t.serverNames {
 					serverNamesSet[name] = struct{}{}
 				}
 			} else {
 				serverNamesSet = make(map[string]struct{}, len(publication.Domains))
 				for _, name := range publication.Domains {
 					serverNamesSet[name] = struct{}{}
 				}
 			}
 			// remove any domains from the set which have already had all configs in the
 			// list published by this publisher, to avoid always re-publishing unnecessarily
 			for configuredInnerName := range serverNamesSet {
 				allConfigsPublished := true
 				for _, cfg := range echCfgList {
 					// TODO: Potentially utilize the timestamp (map value) for recent-enough publication, instead of just checking for existence
 					if _, ok := cfg.meta.Publications[publisherKey][configuredInnerName]; !ok {
 						allConfigsPublished = false
 						break
 					}
 				}
 				if allConfigsPublished {
 					delete(serverNamesSet, configuredInnerName)
 				}
 			}
 			// if all the (inner) domains have had this ECH config list published
 			// by this publisher, then try the next publication config
 			if len(serverNamesSet) == 0 {
 				logger.Debug("ECH config list already published by publisher for associated domains",
 					zap.Uint8s("config_ids", configIDs),
 					zap.String("publisher", publisherKey))
 				continue
 			}
 			// convert the set of names to a slice
 			dnsNamesToPublish := make([]string, 0, len(serverNamesSet))
 			for name := range serverNamesSet {
 				dnsNamesToPublish = append(dnsNamesToPublish, name)
 			}
 			logger.Debug("publishing ECH config list",
 				zap.Strings("domains", dnsNamesToPublish),
 				zap.Uint8s("config_ids", configIDs))
 			// publish this ECH config list with this publisher
 			pubTime := time.Now()
 			err := publisher.PublishECHConfigList(t.ctx, dnsNamesToPublish, echCfgListBin)
 			if err == nil {
 				t.logger.Info("published ECH configuration list",
 					zap.Strings("domains", publication.Domains),
 					zap.Uint8s("config_ids", configIDs),
 					zap.Error(err))
 				// update publication history, so that we don't unnecessarily republish every time
 				for _, cfg := range echCfgList {
 					if cfg.meta.Publications == nil {
 						cfg.meta.Publications = make(publicationHistory)
 					}
 					if _, ok := cfg.meta.Publications[publisherKey]; !ok {
 						cfg.meta.Publications[publisherKey] = make(map[string]time.Time)
 					}
 					for _, name := range dnsNamesToPublish {
 						cfg.meta.Publications[publisherKey][name] = pubTime
 					}
 					metaBytes, err := json.Marshal(cfg.meta)
 					if err != nil {
 						return fmt.Errorf("marshaling ECH config metadata: %v", err)
 					}
 					metaKey := path.Join(echConfigsKey, strconv.Itoa(int(cfg.ConfigID)), "meta.json")
 					if err := t.ctx.Storage().Store(t.ctx, metaKey, metaBytes); err != nil {
 						return fmt.Errorf("storing updated ECH config metadata: %v", err)
 					}
 				}
 			} else {
 				t.logger.Error("publishing ECH configuration list",
 					zap.Strings("domains", publication.Domains),
 					zap.Uint8s("config_ids", configIDs),
 					zap.Error(err))
 			}
 		}
 	}
 	return nil
 }
 // loadECHConfig loads the config from storage with the given configID.
 // An error is not actually returned in some cases the config fails to
 // load because in some cases it just means the config ID folder has
 // been cleaned up in storage, maybe due to an incomplete set of keys
 // or corrupted contents; in any case, the only rectification is to
 // delete it and make new keys (an error IS returned if deleting the
 // corrupted keys fails, for example). Check the returned echConfig for
 // non-nil privKeyBin and configBin values before using.
 func loadECHConfig(ctx caddy.Context, configID string) (echConfig, error) {
 	storage := ctx.Storage()
 	logger := ctx.Logger()
 	cfgIDKey := path.Join(echConfigsKey, configID)
 	keyKey := path.Join(cfgIDKey, "key.bin")
 	configKey := path.Join(cfgIDKey, "config.bin")
 	metaKey := path.Join(cfgIDKey, "meta.json")
 	// if loading anything fails, might as well delete this folder and free up
 	// the config ID; spec is designed to rotate configs frequently anyway
 	// (I consider it a more serious error if we can't clean up the folder,
 	// since leaving stray storage keys is confusing)
 	privKeyBytes, err := storage.Load(ctx, keyKey)
 	if err != nil {
 		delErr := storage.Delete(ctx, cfgIDKey)
 		if delErr != nil {
 			return echConfig{}, fmt.Errorf("error loading private key (%v) and cleaning up parent storage key %s: %v", err, cfgIDKey, delErr)
 		}
 		logger.Warn("could not load ECH private key; deleting its config folder",
 			zap.String("config_id", configID),
 			zap.Error(err))
 		return echConfig{}, nil
 	}
 	echConfigBytes, err := storage.Load(ctx, configKey)
 	if err != nil {
 		delErr := storage.Delete(ctx, cfgIDKey)
 		if delErr != nil {
 			return echConfig{}, fmt.Errorf("error loading ECH config (%v) and cleaning up parent storage key %s: %v", err, cfgIDKey, delErr)
 		}
 		logger.Warn("could not load ECH config; deleting its config folder",
 			zap.String("config_id", configID),
 			zap.Error(err))
 		return echConfig{}, nil
 	}
 	var cfg echConfig
 	if err := cfg.UnmarshalBinary(echConfigBytes); err != nil {
 		delErr := storage.Delete(ctx, cfgIDKey)
 		if delErr != nil {
 			return echConfig{}, fmt.Errorf("error loading ECH config (%v) and cleaning up parent storage key %s: %v", err, cfgIDKey, delErr)
 		}
 		logger.Warn("could not load ECH config; deleted its config folder",
 			zap.String("config_id", configID),
 			zap.Error(err))
 		return echConfig{}, nil
 	}
 	metaBytes, err := storage.Load(ctx, metaKey)
 	if err != nil {
 		delErr := storage.Delete(ctx, cfgIDKey)
 		if delErr != nil {
 			return echConfig{}, fmt.Errorf("error loading ECH metadata (%v) and cleaning up parent storage key %s: %v", err, cfgIDKey, delErr)
 		}
 		logger.Warn("could not load ECH metadata; deleted its config folder",
 			zap.String("config_id", configID),
 			zap.Error(err))
 		return echConfig{}, nil
 	}
 	var meta echConfigMeta
 	if err := json.Unmarshal(metaBytes, &meta); err != nil {
 		// even though it's just metadata, reset the whole config since we can't reliably maintain it
 		delErr := storage.Delete(ctx, cfgIDKey)
 		if delErr != nil {
 			return echConfig{}, fmt.Errorf("error decoding ECH metadata (%v) and cleaning up parent storage key %s: %v", err, cfgIDKey, delErr)
 		}
 		logger.Warn("could not JSON-decode ECH metadata; deleted its config folder",
 			zap.String("config_id", configID),
 			zap.Error(err))
 		return echConfig{}, nil
 	}
 	cfg.privKeyBin = privKeyBytes
 	cfg.configBin = echConfigBytes
 	cfg.meta = meta
 	return cfg, nil
 }
 func generateAndStoreECHConfig(ctx caddy.Context, publicName string) (echConfig, error) {
 	// Go currently has very strict requirements for server-side ECH configs,
 	// to quote the Go 1.24 godoc (with typos of AEAD IDs corrected):
 	//
 	// "Config should be a marshalled ECHConfig associated with PrivateKey. This
 	// must match the config provided to clients byte-for-byte. The config
 	// should only specify the DHKEM(X25519, HKDF-SHA256) KEM ID (0x0020), the
 	// HKDF-SHA256 KDF ID (0x0001), and a subset of the following AEAD IDs:
 	// AES-128-GCM (0x0001), AES-256-GCM (0x0002), ChaCha20Poly1305 (0x0003)."
 	//
 	// So we need to be sure we generate a config within these parameters
 	// so the Go TLS server can use it.
 	// generate a key pair
 	const kemChoice = hpke.KEM_X25519_HKDF_SHA256
 	publicKey, privateKey, err := kemChoice.Scheme().GenerateKeyPair()
 	if err != nil {
 		return echConfig{}, err
 	}
 	// find an available config ID
 	configID, err := newECHConfigID(ctx)
 	if err != nil {
 		return echConfig{}, fmt.Errorf("generating unique config ID: %v", err)
 	}
 	echCfg := echConfig{
 		PublicKey:     publicKey,
 		Version:       draftTLSESNI22,
 		ConfigID:      configID,
 		RawPublicName: publicName,
 		KEMID:         kemChoice,
 		CipherSuites: []hpkeSymmetricCipherSuite{
 			{
 				KDFID:  hpke.KDF_HKDF_SHA256,
 				AEADID: hpke.AEAD_AES128GCM,
 			},
 			{
 				KDFID:  hpke.KDF_HKDF_SHA256,
 				AEADID: hpke.AEAD_AES256GCM,
 			},
 			{
 				KDFID:  hpke.KDF_HKDF_SHA256,
 				AEADID: hpke.AEAD_ChaCha20Poly1305,
 			},
 		},
 		sendAsRetry: true,
 	}
 	meta := echConfigMeta{
 		Created: time.Now(),
 	}
 	privKeyBytes, err := privateKey.MarshalBinary()
 	if err != nil {
 		return echConfig{}, fmt.Errorf("marshaling ECH private key: %v", err)
 	}
 	echConfigBytes, err := echCfg.MarshalBinary()
 	if err != nil {
 		return echConfig{}, fmt.Errorf("marshaling ECH config: %v", err)
 	}
 	metaBytes, err := json.Marshal(meta)
 	if err != nil {
 		return echConfig{}, fmt.Errorf("marshaling ECH config metadata: %v", err)
 	}
 	parentKey := path.Join(echConfigsKey, strconv.Itoa(int(configID)))
 	keyKey := path.Join(parentKey, "key.bin")
 	configKey := path.Join(parentKey, "config.bin")
 	metaKey := path.Join(parentKey, "meta.json")
 	if err := ctx.Storage().Store(ctx, keyKey, privKeyBytes); err != nil {
 		return echConfig{}, fmt.Errorf("storing ECH private key: %v", err)
 	}
 	if err := ctx.Storage().Store(ctx, configKey, echConfigBytes); err != nil {
 		return echConfig{}, fmt.Errorf("storing ECH config: %v", err)
 	}
 	if err := ctx.Storage().Store(ctx, metaKey, metaBytes); err != nil {
 		return echConfig{}, fmt.Errorf("storing ECH config metadata: %v", err)
 	}
 	echCfg.privKeyBin = privKeyBytes
 	echCfg.configBin = echConfigBytes // this contains the public key
 	echCfg.meta = meta
 	return echCfg, nil
 }
 // ECH represents an Encrypted ClientHello configuration.
 //
 // EXPERIMENTAL: Subject to change.
 type ECHConfiguration struct {
 	// The public server name (SNI) that will be used in the outer ClientHello.
 	// This should be a domain name for which this server is authoritative,
 	// because Caddy will try to provision a certificate for this name. As an
 	// outer SNI, it is never used for application data (HTTPS, etc.), but it
 	// is necessary for enabling clients to connect securely in some cases.
 	// If this field is empty or missing, or if Caddy cannot get a certificate
 	// for this domain (e.g. the domain's DNS records do not point to this server),
 	// client reliability becomes brittle, and you risk coercing clients to expose
 	// true server names in plaintext, which compromises both the privacy of the
 	// server and makes clients more vulnerable.
 	PublicName string `json:"public_name"`
 }
 // ECHPublication configures publication of ECH config(s). It pairs a list
 // of ECH configs with the list of domains they are assigned to protect, and
 // describes how to publish those configs for those domains.
 //
 // Most servers will have only a single publication config, unless their
 // domains are spread across multiple DNS providers or require different
 // methods of publication.
 //
 // EXPERIMENTAL: Subject to change.
 type ECHPublication struct {
 	// The list of ECH configurations to publish, identified by public name.
 	// If not set, all configs will be included for publication by default.
 	//
 	// It is generally advised to maximize the size of your anonymity set,
 	// which implies using as few public names as possible for your sites.
 	// Usually, only a single public name is used to protect all the sites
 	// for a server
 	//
 	// EXPERIMENTAL: This field may be renamed or have its structure changed.
 	Configs []string `json:"configs,omitempty"`
 	// The list of ("inner") domain names which are protected with the associated
 	// ECH configurations.
 	//
 	// If not set, all server names registered with the TLS module will be
 	// added to this list implicitly. (This registration is done automatically
 	// by other Caddy apps that use the TLS module. They should register their
 	// configured server names for this purpose. For example, the HTTP server
 	// registers the hostnames for which it applies automatic HTTPS. This is
 	// not something you, the user, have to do.) Most servers
 	//
 	// Names in this list should not appear in any other publication config
 	// object with the same publishers, since the publications will likely
 	// overwrite each other.
 	//
 	// NOTE: In order to publish ECH configs for domains configured for
 	// On-Demand TLS that are not explicitly enumerated elsewhere in the
 	// config, those domain names will have to be listed here. The only
 	// time Caddy knows which domains it is serving with On-Demand TLS is
 	// handshake-time, which is too late for publishing ECH configs; it
 	// means the first connections would not protect the server names,
 	// revealing that information to observers, and thus defeating the
 	// purpose of ECH. Hence the need to list them here so Caddy can
 	// proactively publish ECH configs before clients connect with those
 	// server names in plaintext.
 	Domains []string `json:"domains,omitempty"`
 	// How to publish the ECH configurations so clients can know to use
 	// ECH to connect more securely to the server.
 	PublishersRaw caddy.ModuleMap `json:"publishers,omitempty" caddy:"namespace=tls.ech.publishers"`
 	publishers    []ECHPublisher
 }
 // ECHDNSProvider can service DNS entries for ECH purposes.
 type ECHDNSProvider interface {
 	libdns.RecordGetter
 	libdns.RecordSetter
 }
 // ECHDNSPublisher configures how to publish an ECH configuration to
 // DNS records for the specified domains.
 //
 // EXPERIMENTAL: Subject to change.
 type ECHDNSPublisher struct {
 	// The DNS provider module which will establish the HTTPS record(s).
 	ProviderRaw json.RawMessage `json:"provider,omitempty" caddy:"namespace=dns.providers inline_key=name"`
 	provider    ECHDNSProvider
 	logger *zap.Logger
 }
 // CaddyModule returns the Caddy module information.
 func (ECHDNSPublisher) CaddyModule() caddy.ModuleInfo {
 	return caddy.ModuleInfo{
 		ID:  "tls.ech.publishers.dns",
 		New: func() caddy.Module { return new(ECHDNSPublisher) },
 	}
 }
 func (dnsPub *ECHDNSPublisher) Provision(ctx caddy.Context) error {
 	dnsProvMod, err := ctx.LoadModule(dnsPub, "ProviderRaw")
 	if err != nil {
 		return fmt.Errorf("loading ECH DNS provider module: %v", err)
 	}
 	prov, ok := dnsProvMod.(ECHDNSProvider)
 	if !ok {
 		return fmt.Errorf("ECH DNS provider module is not an ECH DNS Provider: %v", err)
 	}
 	dnsPub.provider = prov
 	dnsPub.logger = ctx.Logger()
 	return nil
 }
 // PublisherKey returns the name of the DNS provider module.
 // We intentionally omit specific provider configuration (or a hash thereof,
 // since the config is likely sensitive, potentially containing an API key)
 // because it is unlikely that specific configuration, such as an API key,
 // is relevant to unique key use as an ECH config publisher.
 func (dnsPub ECHDNSPublisher) PublisherKey() string {
 	return string(dnsPub.provider.(caddy.Module).CaddyModule().ID)
 }
 // PublishECHConfigList publishes the given ECH config list to the given DNS names.
 func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNames []string, configListBin []byte) error {
 	nameservers := certmagic.RecursiveNameservers(nil) // TODO: we could make resolvers configurable
 nextName:
 	for _, domain := range innerNames {
 		zone, err := certmagic.FindZoneByFQDN(ctx, dnsPub.logger, domain, nameservers)
 		if err != nil {
 			dnsPub.logger.Error("could not determine zone for domain",
 				zap.String("domain", domain),
 				zap.Error(err))
 			continue
 		}
 		relName := libdns.RelativeName(domain+".", zone)
 		// get existing records for this domain; we need to make sure another
 		// record exists for it so we don't accidentally trample a wildcard; we
 		// also want to get any HTTPS record that may already exist for it so
 		// we can augment the ech SvcParamKey with any other existing SvcParams
 		recs, err := dnsPub.provider.GetRecords(ctx, zone)
 		if err != nil {
 			dnsPub.logger.Error("unable to get existing DNS records to publish ECH data to HTTPS DNS record",
 				zap.String("domain", domain),
 				zap.Error(err))
 			continue
 		}
 		var httpsRec libdns.ServiceBinding
 		var nameHasExistingRecord bool
 		for _, rec := range recs {
 			rr := rec.RR()
 			if rr.Name == relName {
 				// CNAME records are exclusive of all other records, so we cannot publish an HTTPS
 				// record for a domain that is CNAME'd. See #6922.
 				if rr.Type == "CNAME" {
 					dnsPub.logger.Warn("domain has CNAME record, so unable to publish ECH data to HTTPS record",
 						zap.String("domain", domain),
 						zap.String("cname_value", rr.Data))
 					continue nextName
 				}
 				nameHasExistingRecord = true
 				if svcb, ok := rec.(libdns.ServiceBinding); ok && svcb.Scheme == "https" {
 					if svcb.Target == "" || svcb.Target == "." {
 						httpsRec = svcb
 						break
 					}
 				}
 			}
 		}
 		if !nameHasExistingRecord {
 			// Turns out if you publish a DNS record for a name that doesn't have any DNS record yet,
 			// any wildcard records won't apply for the name anymore, meaning if a wildcard A/AAAA record
 			// is used to resolve the domain to a server, publishing an HTTPS record could break resolution!
 			// In theory, this should be a non-issue, at least for A/AAAA records, if the HTTPS record
 			// includes ipv[4|6]hint SvcParamKeys,
 			dnsPub.logger.Warn("domain does not have any existing records, so skipping publication of HTTPS record",
 				zap.String("domain", domain),
 				zap.String("relative_name", relName),
 				zap.String("zone", zone))
 			continue
 		}
 		params := httpsRec.Params
 		if params == nil {
 			params = make(libdns.SvcParams)
 		}
 		// overwrite only the "ech" SvcParamKey
 		params["ech"] = []string{base64.StdEncoding.EncodeToString(configListBin)}
 		// publish record
 		_, err = dnsPub.provider.SetRecords(ctx, zone, []libdns.Record{
 			libdns.ServiceBinding{
 				// HTTPS and SVCB RRs: RFC 9460 (https://www.rfc-editor.org/rfc/rfc9460)
 				Scheme:   "https",
 				Name:     relName,
 				TTL:      1 * time.Minute, // TODO: for testing only
 				Priority: 2,               // allows a manual override with priority 1
 				Target:   ".",
 				Params:   params,
 			},
 		})
 		if err != nil {
 			// TODO: Maybe this should just stop and return the error...
 			dnsPub.logger.Error("unable to publish ECH data to HTTPS DNS record",
 				zap.String("domain", domain),
 				zap.String("zone", zone),
 				zap.String("dns_record_name", relName),
 				zap.Error(err))
 			continue
 		}
 	}
 	return nil
 }
 // echConfig represents an ECHConfig from the specification,
 // [draft-ietf-tls-esni-22](https://www.ietf.org/archive/id/draft-ietf-tls-esni-22.html).
 type echConfig struct {
 	// "The version of ECH for which this configuration is used.
 	// The version is the same as the code point for the
 	// encrypted_client_hello extension. Clients MUST ignore any
 	// ECHConfig structure with a version they do not support."
 	Version uint16
 	// The "length" and "contents" fields defined next in the
 	// structure are implicitly taken care of by cryptobyte
 	// when encoding the following fields:
 	// HpkeKeyConfig fields:
 	ConfigID     uint8
 	KEMID        hpke.KEM
 	PublicKey    kem.PublicKey
 	CipherSuites []hpkeSymmetricCipherSuite
 	// ECHConfigContents fields:
 	MaxNameLength uint8
 	RawPublicName string
 	RawExtensions []byte
 	// these fields are not part of the spec, but are here for
 	// our use when setting up TLS servers or maintenance
 	configBin   []byte
 	privKeyBin  []byte
 	meta        echConfigMeta
 	sendAsRetry bool
 }
 func (echCfg echConfig) MarshalBinary() ([]byte, error) {
 	var b cryptobyte.Builder
 	if err := echCfg.marshalBinary(&b); err != nil {
 		return nil, err
 	}
 	return b.Bytes()
 }
 // UnmarshalBinary decodes the data back into an ECH config.
 //
 // Borrowed from github.com/OmarTariq612/goech with modifications.
 // Original code: Copyright (c) 2023 Omar Tariq AbdEl-Raziq
 func (echCfg *echConfig) UnmarshalBinary(data []byte) error {
 	var content cryptobyte.String
 	b := cryptobyte.String(data)
 	if !b.ReadUint16(&echCfg.Version) {
 		return errInvalidLen
 	}
 	if echCfg.Version != draftTLSESNI22 {
 		return fmt.Errorf("supported version must be %d: got %d", draftTLSESNI22, echCfg.Version)
 	}
 	if !b.ReadUint16LengthPrefixed(&content) || !b.Empty() {
 		return errInvalidLen
 	}
 	var t cryptobyte.String
 	var pk []byte
 	if !content.ReadUint8(&echCfg.ConfigID) ||
 		!content.ReadUint16((*uint16)(&echCfg.KEMID)) ||
 		!content.ReadUint16LengthPrefixed(&t) ||
 		!t.ReadBytes(&pk, len(t)) ||
 		!content.ReadUint16LengthPrefixed(&t) ||
 		len(t)%4 != 0 /* the length of (KDFs and AEADs) must be divisible by 4 */ {
 		return errInvalidLen
 	}
 	if !echCfg.KEMID.IsValid() {
 		return fmt.Errorf("invalid KEM ID: %d", echCfg.KEMID)
 	}
 	var err error
 	if echCfg.PublicKey, err = echCfg.KEMID.Scheme().UnmarshalBinaryPublicKey(pk); err != nil {
 		return fmt.Errorf("parsing public_key: %w", err)
 	}
 	echCfg.CipherSuites = echCfg.CipherSuites[:0]
 	for !t.Empty() {
 		var hpkeKDF, hpkeAEAD uint16
 		if !t.ReadUint16(&hpkeKDF) || !t.ReadUint16(&hpkeAEAD) {
 			// we have already checked that the length is divisible by 4
 			panic("this must not happen")
 		}
 		if !hpke.KDF(hpkeKDF).IsValid() {
 			return fmt.Errorf("invalid KDF ID: %d", hpkeKDF)
 		}
 		if !hpke.AEAD(hpkeAEAD).IsValid() {
 			return fmt.Errorf("invalid AEAD ID: %d", hpkeAEAD)
 		}
 		echCfg.CipherSuites = append(echCfg.CipherSuites, hpkeSymmetricCipherSuite{
 			KDFID:  hpke.KDF(hpkeKDF),
 			AEADID: hpke.AEAD(hpkeAEAD),
 		})
 	}
 	var rawPublicName []byte
 	if !content.ReadUint8(&echCfg.MaxNameLength) ||
 		!content.ReadUint8LengthPrefixed(&t) ||
 		!t.ReadBytes(&rawPublicName, len(t)) ||
 		!content.ReadUint16LengthPrefixed(&t) ||
 		!t.ReadBytes(&echCfg.RawExtensions, len(t)) ||
 		!content.Empty() {
 		return errInvalidLen
 	}
 	echCfg.RawPublicName = string(rawPublicName)
 	return nil
 }
 var errInvalidLen = errors.New("invalid length")
 // marshalBinary writes this config to the cryptobyte builder. If there is an error,
 // it will occur before any writes have happened.
 func (echCfg echConfig) marshalBinary(b *cryptobyte.Builder) error {
 	pk, err := echCfg.PublicKey.MarshalBinary()
 	if err != nil {
 		return err
 	}
 	if l := len(echCfg.RawPublicName); l == 0 || l > 255 {
 		return fmt.Errorf("public name length (%d) must be in the range 1-255", l)
 	}
 	b.AddUint16(echCfg.Version)
 	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { // "length" field
 		b.AddUint8(echCfg.ConfigID)
 		b.AddUint16(uint16(echCfg.KEMID))
 		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
 			b.AddBytes(pk)
 		})
 		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
 			for _, cs := range echCfg.CipherSuites {
 				b.AddUint16(uint16(cs.KDFID))
 				b.AddUint16(uint16(cs.AEADID))
 			}
 		})
 		b.AddUint8(uint8(min(len(echCfg.RawPublicName)+16, 255)))
 		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
 			b.AddBytes([]byte(echCfg.RawPublicName))
 		})
 		b.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) {
 			child.AddBytes(echCfg.RawExtensions)
 		})
 	})
 	return nil
 }
 type hpkeSymmetricCipherSuite struct {
 	KDFID  hpke.KDF
 	AEADID hpke.AEAD
 }
 type echConfigList []echConfig
 func (cl echConfigList) MarshalBinary() ([]byte, error) {
 	var b cryptobyte.Builder
 	var err error
 	// the list's length prefixes the list, as with most opaque values
 	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
 		for _, cfg := range cl {
 			if err = cfg.marshalBinary(b); err != nil {
 				break
 			}
 		}
 	})
 	if err != nil {
 		return nil, err
 	}
 	return b.Bytes()
 }
 func newECHConfigID(ctx caddy.Context) (uint8, error) {
 	// uint8 can be 0-255 inclusive
 	const uint8Range = 256
 	// avoid repeating storage checks
 	tried := make([]bool, uint8Range)
 	// Try to find an available number with random rejection sampling;
 	// i.e. choose a random number and see if it's already taken.
 	// The hard limit on how many times we try to find an available
 	// number is flexible... in theory, assuming uniform distribution,
 	// 256 attempts should make each possible value show up exactly
 	// once, but obviously that won't be the case. We can try more
 	// times to try to ensure that every number gets a chance, which
 	// is especially useful if few are available, or we can lower it
 	// if we assume we should have found an available value by then
 	// and want to limit runtime; for now I choose the middle ground
 	// and just try as many times as there are possible values.
 	for i := 0; i < uint8Range && ctx.Err() == nil; i++ {
 		num := uint8(weakrand.N(uint8Range)) //nolint:gosec
 		// don't try the same number a second time
 		if tried[num] {
 			continue
 		}
 		tried[num] = true
 		// check to see if any of the subkeys use this config ID
 		numStr := strconv.Itoa(int(num))
 		trialPath := path.Join(echConfigsKey, numStr)
 		if ctx.Storage().Exists(ctx, trialPath) {
 			continue
 		}
 		return num, nil
 	}
 	if err := ctx.Err(); err != nil {
 		return 0, err
 	}
 	return 0, fmt.Errorf("depleted attempts to find an available config_id")
 }
 // ECHPublisher is an interface for publishing ECHConfigList values
 // so that they can be used by clients.
 type ECHPublisher interface {
 	// Returns a key that is unique to this publisher and its configuration.
 	// A publisher's ID combined with its config is a valid key.
 	// It is used to prevent duplicating publications.
 	PublisherKey() string
 	// Publishes the ECH config list for the given innerNames. Some publishers
 	// may not need a list of inner/protected names, and can ignore the argument;
 	// most, however, will want to use it to know which inner names are to be
 	// associated with the given ECH config list.
 	PublishECHConfigList(ctx context.Context, innerNames []string, echConfigList []byte) error
 }
 type echConfigMeta struct {
 	Created      time.Time          `json:"created"`
 	Publications publicationHistory `json:"publications"`
 }
 // publicationHistory is a map of publisher key to
 // map of inner name to timestamp
 type publicationHistory map[string]map[string]time.Time
 // The key prefix when putting ECH configs in storage. After this
 // comes the config ID.
 const echConfigsKey = "ech/configs"
 // https://www.ietf.org/archive/id/draft-ietf-tls-esni-22.html
 const draftTLSESNI22 = 0xfe0d
 // Interface guard
 var _ ECHPublisher = (*ECHDNSPublisher)(nil)
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@ -178,6 +178,9 @@ func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				return d.ArgErr()
 			}
 			iss.SignWithRoot = true
 		default:
 			return d.Errf("unrecognized subdirective '%s'", d.Val())
 		}
 	}
 	return nil
--- a/modules/caddytls/matchers.go
+++ b/modules/caddytls/matchers.go
@ -15,6 +15,7 @@
 package caddytls
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"net"
@ -55,7 +56,7 @@ func (MatchServerName) CaddyModule() caddy.ModuleInfo {
 // Match matches hello based on SNI.
 func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
-	repl := caddy.NewReplacer()
+	var repl *caddy.Replacer
 	// caddytls.TestServerNameMatcher calls this function without any context
 	if ctx := hello.Context(); ctx != nil {
 		// In some situations the existing context may have no replacer
@ -64,6 +65,10 @@ func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
 		}
 	}
 	if repl == nil {
 		repl = caddy.NewReplacer()
 	}
 	for _, name := range m {
 		rs := repl.ReplaceAll(name, "")
 		if certmagic.MatchWildcard(hello.ServerName, rs) {
@ -224,15 +229,28 @@ func (MatchServerNameRE) CaddyModule() caddy.ModuleInfo {
 // Match matches hello based on SNI using a regular expression.
 func (m MatchServerNameRE) Match(hello *tls.ClientHelloInfo) bool {
-	repl := caddy.NewReplacer()
+	// Note: caddytls.TestServerNameMatcher calls this function without any context
-	// caddytls.TestServerNameMatcher calls this function without any context
+	ctx := hello.Context()
-	if ctx := hello.Context(); ctx != nil {
+	if ctx == nil {
 		// layer4.Connection implements GetContext() to pass its context here,
 		// since hello.Context() returns nil
 		if mayHaveContext, ok := hello.Conn.(interface{ GetContext() context.Context }); ok {
 			ctx = mayHaveContext.GetContext()
 		}
 	}
 	var repl *caddy.Replacer
 	if ctx != nil {
 		// In some situations the existing context may have no replacer
 		if replAny := ctx.Value(caddy.ReplacerCtxKey); replAny != nil {
 			repl = replAny.(*caddy.Replacer)
 		}
 	}
 	if repl == nil {
 		repl = caddy.NewReplacer()
 	}
 	return m.MatchRegexp.Match(hello.ServerName, repl)
 }
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@ -20,12 +20,15 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"runtime/debug"
 	"strings"
 	"sync"
 	"time"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@ -79,6 +82,7 @@ type TLS struct {
 	// Disabling OCSP stapling puts clients at greater risk, reduces their
 	// privacy, and usually lowers client performance. It is NOT recommended
 	// to disable this unless you are able to justify the costs.
 	//
 	// EXPERIMENTAL. Subject to change.
 	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
@ -89,6 +93,7 @@ type TLS struct {
 	//
 	// Disabling these checks should only be done when the storage
 	// can be trusted to have enough capacity and no other problems.
 	//
 	// EXPERIMENTAL. Subject to change.
 	DisableStorageCheck bool `json:"disable_storage_check,omitempty"`
@ -100,9 +105,23 @@ type TLS struct {
 	// The instance.uuid file is used to identify the instance of Caddy
 	// in a cluster. The last_clean.json file is used to store the last
 	// time the storage was cleaned.
 	//
 	// EXPERIMENTAL. Subject to change.
 	DisableStorageClean bool `json:"disable_storage_clean,omitempty"`
 	// Enable Encrypted ClientHello (ECH). ECH protects the server name
 	// (SNI) and other sensitive parameters of a normally-plaintext TLS
 	// ClientHello during a handshake.
 	//
 	// EXPERIMENTAL: Subject to change.
 	EncryptedClientHello *ECH `json:"encrypted_client_hello,omitempty"`
 	// The default DNS provider module to use when a DNS module is needed.
 	//
 	// EXPERIMENTAL: Subject to change.
 	DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=dns.providers inline_key=name"`
 	dns    any             // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.)
 	certificateLoaders []CertificateLoader
 	automateNames      []string
 	ctx                caddy.Context
@ -111,6 +130,9 @@ type TLS struct {
 	logger             *zap.Logger
 	events             *caddyevents.App
 	serverNames   map[string]struct{}
 	serverNamesMu *sync.Mutex
 	// set of subjects with managed certificates,
 	// and hashes of manually-loaded certificates
 	// (managing's value is an optional issuer key, for distinction)
@ -136,6 +158,29 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	t.logger = ctx.Logger()
 	repl := caddy.NewReplacer()
 	t.managing, t.loaded = make(map[string]string), make(map[string]string)
 	t.serverNames = make(map[string]struct{})
 	t.serverNamesMu = new(sync.Mutex)
 	// set up default DNS module, if any, and make sure it implements all the
 	// common libdns interfaces, since it could be used for a variety of things
 	// (do this before provisioning other modules, since they may rely on this)
 	if len(t.DNSRaw) > 0 {
 		dnsMod, err := ctx.LoadModule(t, "DNSRaw")
 		if err != nil {
 			return fmt.Errorf("loading overall DNS provider module: %v", err)
 		}
 		switch dnsMod.(type) {
 		case interface {
 			libdns.RecordAppender
 			libdns.RecordDeleter
 			libdns.RecordGetter
 			libdns.RecordSetter
 		}:
 		default:
 			return fmt.Errorf("DNS module does not implement the most common libdns interfaces: %T", dnsMod)
 		}
 		t.dns = dnsMod
 	}
 	// set up a new certificate cache; this (re)loads all certificates
 	cacheOpts := certmagic.CacheOptions{
@ -178,7 +223,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 				for i, sub := range *automateNames {
 					subjects[i] = repl.ReplaceAll(sub, "")
 				}
-				t.automateNames = subjects
+				t.automateNames = append(t.automateNames, subjects...)
 			} else {
 				return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface)
 			}
@ -187,6 +232,36 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
 	}
 	// using the certificate loaders we just initialized, load
 	// manual/static (unmanaged) certificates - we do this in
 	// provision so that other apps (such as http) can know which
 	// certificates have been manually loaded, and also so that
 	// commands like validate can be a better test
 	certCacheMu.RLock()
 	magic := certmagic.New(certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger:  t.logger,
 		OnEvent: t.onEvent,
 		OCSP: certmagic.OCSPConfig{
 			DisableStapling: t.DisableOCSPStapling,
 		},
 		DisableStorageCheck: t.DisableStorageCheck,
 	})
 	certCacheMu.RUnlock()
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
 		for _, cert := range certs {
 			hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
 			if err != nil {
 				return fmt.Errorf("caching unmanaged certificate: %v", err)
 			}
 			t.loaded[hash] = ""
 		}
 	}
 	// on-demand permission module
 	if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
 		if t.Automation.OnDemand.Ask != "" {
@ -199,21 +274,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		t.Automation.OnDemand.permission = val.(OnDemandPermission)
 	}
 	// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
 	if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
 		t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
 		if err != nil {
 			return fmt.Errorf("preparing 'ask' endpoint: %v", err)
 		}
 		perm := PermissionByHTTP{
 			Endpoint: t.Automation.OnDemand.Ask,
 		}
 		if err := perm.Provision(ctx); err != nil {
 			return fmt.Errorf("provisioning 'ask' module: %v", err)
 		}
 		t.Automation.OnDemand.permission = perm
 	}
 	// automation/management policies
 	if t.Automation == nil {
 		t.Automation = new(AutomationConfig)
@ -246,6 +306,21 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		}
 	}
 	// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
 	if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
 		t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
 		if err != nil {
 			return fmt.Errorf("preparing 'ask' endpoint: %v", err)
 		}
 		perm := PermissionByHTTP{
 			Endpoint: t.Automation.OnDemand.Ask,
 		}
 		if err := perm.Provision(ctx); err != nil {
 			return fmt.Errorf("provisioning 'ask' module: %v", err)
 		}
 		t.Automation.OnDemand.permission = perm
 	}
 	// session ticket ephemeral keys (STEK) service and provider
 	if t.SessionTickets != nil {
 		err := t.SessionTickets.provision(ctx)
@ -254,32 +329,19 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		}
 	}
-	// load manual/static (unmanaged) certificates - we do this in
+	// ECH (Encrypted ClientHello) initialization
-	// provision so that other apps (such as http) can know which
+	if t.EncryptedClientHello != nil {
-	// certificates have been manually loaded, and also so that
+		t.EncryptedClientHello.configs = make(map[string][]echConfig)
-	// commands like validate can be a better test
+		outerNames, err := t.EncryptedClientHello.Provision(ctx)
 	certCacheMu.RLock()
 	magic := certmagic.New(certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger:  t.logger,
 		OnEvent: t.onEvent,
 		OCSP: certmagic.OCSPConfig{
 			DisableStapling: t.DisableOCSPStapling,
 		},
 		DisableStorageCheck: t.DisableStorageCheck,
 	})
 	certCacheMu.RUnlock()
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
-			return fmt.Errorf("loading certificates: %v", err)
+			return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
 		}
-		for _, cert := range certs {
+
-			hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
+		// outer names should have certificates to reduce client brittleness
-			if err != nil {
+		for _, outerName := range outerNames {
-				return fmt.Errorf("caching unmanaged certificate: %v", err)
+			if !t.HasCertificateForSubject(outerName) {
 				t.automateNames = append(t.automateNames, outerNames...)
 			}
 			t.loaded[hash] = ""
 		}
 	}
@ -339,6 +401,16 @@ func (t *TLS) Start() error {
 		return fmt.Errorf("automate: managing %v: %v", t.automateNames, err)
 	}
 	// publish ECH configs in the background; does not need to block
 	// server startup, as it could take a while
 	if t.EncryptedClientHello != nil {
 		go func() {
 			if err := t.publishECHConfigs(); err != nil {
 				t.logger.Named("ech").Error("publication(s) failed", zap.Error(err))
 			}
 		}()
 	}
 	if !t.DisableStorageClean {
 		// start the storage cleaner goroutine and ticker,
 		// which cleans out expired certificates and more
@ -422,11 +494,16 @@ func (t *TLS) Cleanup() error {
 			}
 		}
 	} else {
-		// no more TLS app running, so delete in-memory cert cache
+		// no more TLS app running, so delete in-memory cert cache, if it was created yet
-		certCache.Stop()
+		certCacheMu.RLock()
-		certCacheMu.Lock()
+		hasCache := certCache != nil
-		certCache = nil
+		certCacheMu.RUnlock()
-		certCacheMu.Unlock()
+		if hasCache {
 			certCache.Stop()
 			certCacheMu.Lock()
 			certCache = nil
 			certCacheMu.Unlock()
 		}
 	}
 	return nil
@ -478,6 +555,29 @@ func (t *TLS) Manage(names []string) error {
 	return nil
 }
 // RegisterServerNames registers the provided DNS names with the TLS app.
 // This is currently used to auto-publish Encrypted ClientHello (ECH)
 // configurations, if enabled. Use of this function by apps using the TLS
 // app removes the need for the user to redundantly specify domain names
 // in their configuration. This function separates hostname and port
 // (keeping only the hotsname) and filters IP addresses, which can't be
 // used with ECH.
 //
 // EXPERIMENTAL: This function and its semantics/behavior are subject to change.
 func (t *TLS) RegisterServerNames(dnsNames []string) {
 	t.serverNamesMu.Lock()
 	for _, name := range dnsNames {
 		host, _, err := net.SplitHostPort(name)
 		if err != nil {
 			host = name
 		}
 		if strings.TrimSpace(host) != "" && !certmagic.SubjectIsIP(host) {
 			t.serverNames[strings.ToLower(host)] = struct{}{}
 		}
 	}
 	t.serverNamesMu.Unlock()
 }
 // HandleHTTPChallenge ensures that the ACME HTTP challenge or ZeroSSL HTTP
 // validation request is handled for the certificate named by r.Host, if it
 // is an HTTP challenge request. It requires that the automation policy for
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@ -81,13 +81,15 @@ func getOptimalDefaultCipherSuites() []uint16 {
 	return defaultCipherSuitesWithoutAESNI
 }
-// SupportedCurves is the unordered map of supported curves.
+// SupportedCurves is the unordered map of supported curves
 // or key exchange mechanisms ("curves" traditionally).
 // https://golang.org/pkg/crypto/tls/#CurveID
 var SupportedCurves = map[string]tls.CurveID{
-	"x25519":    tls.X25519,
+	"x25519mlkem768": tls.X25519MLKEM768,
-	"secp256r1": tls.CurveP256,
+	"x25519":         tls.X25519,
-	"secp384r1": tls.CurveP384,
+	"secp256r1":      tls.CurveP256,
-	"secp521r1": tls.CurveP521,
+	"secp384r1":      tls.CurveP384,
 	"secp521r1":      tls.CurveP521,
 }
 // supportedCertKeyTypes is all the key types that are supported
@ -100,20 +102,16 @@ var supportedCertKeyTypes = map[string]certmagic.KeyType{
 	"ed25519": certmagic.ED25519,
 }
-// defaultCurves is the list of only the curves we want to use
+// defaultCurves is the list of only the curves or key exchange
-// by default, in descending order of preference.
+// mechanisms we want to use by default. The order is irrelevant.
 //
-// This list should only include curves which are fast by design
+// This list should only include mechanisms which are fast by
-// (e.g. X25519) and those for which an optimized assembly
+// design (e.g. X25519) and those for which an optimized assembly
 // implementation exists (e.g. P256). The latter ones can be
 // found here:
 // https://github.com/golang/go/tree/master/src/crypto/elliptic
 //
 // Temporily we ignore these default, to take advantage of X25519Kyber768
 // in Go's defaults (X25519Kyber768, X25519, P-256, P-384, P-521), which
 // isn't exported. See https://github.com/caddyserver/caddy/issues/6540
 // nolint:unused
 var defaultCurves = []tls.CurveID{
 	tls.X25519MLKEM768,
 	tls.X25519,
 	tls.CurveP256,
 }
--- a/modules/internal/network/networkproxy.go
+++ b/modules/internal/network/networkproxy.go
@ -0,0 +1,144 @@
 package network
 import (
 	"errors"
 	"net/http"
 	"net/url"
 	"strings"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 func init() {
 	caddy.RegisterModule(ProxyFromURL{})
 	caddy.RegisterModule(ProxyFromNone{})
 }
 // The "url" proxy source uses the defined URL as the proxy
 type ProxyFromURL struct {
 	URL string `json:"url"`
 	ctx    caddy.Context
 	logger *zap.Logger
 }
 // CaddyModule implements Module.
 func (p ProxyFromURL) CaddyModule() caddy.ModuleInfo {
 	return caddy.ModuleInfo{
 		ID: "caddy.network_proxy.url",
 		New: func() caddy.Module {
 			return &ProxyFromURL{}
 		},
 	}
 }
 func (p *ProxyFromURL) Provision(ctx caddy.Context) error {
 	p.ctx = ctx
 	p.logger = ctx.Logger()
 	return nil
 }
 // Validate implements Validator.
 func (p ProxyFromURL) Validate() error {
 	if _, err := url.Parse(p.URL); err != nil {
 		return err
 	}
 	return nil
 }
 // ProxyFunc implements ProxyFuncProducer.
 func (p ProxyFromURL) ProxyFunc() func(*http.Request) (*url.URL, error) {
 	if strings.Contains(p.URL, "{") && strings.Contains(p.URL, "}") {
 		// courtesy of @ImpostorKeanu: https://github.com/caddyserver/caddy/pull/6397
 		return func(r *http.Request) (*url.URL, error) {
 			// retrieve the replacer from context.
 			repl, ok := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 			if !ok {
 				err := errors.New("failed to obtain replacer from request")
 				p.logger.Error(err.Error())
 				return nil, err
 			}
 			// apply placeholders to the value
 			// note: h.ForwardProxyURL should never be empty at this point
 			s := repl.ReplaceAll(p.URL, "")
 			if s == "" {
 				p.logger.Error("network_proxy URL was empty after applying placeholders",
 					zap.String("initial_value", p.URL),
 					zap.String("final_value", s),
 					zap.String("hint", "check for invalid placeholders"))
 				return nil, errors.New("empty value for network_proxy URL")
 			}
 			// parse the url
 			pUrl, err := url.Parse(s)
 			if err != nil {
 				p.logger.Warn("failed to derive transport proxy from network_proxy URL")
 				pUrl = nil
 			} else if pUrl.Host == "" || strings.Split("", pUrl.Host)[0] == ":" {
 				// url.Parse does not return an error on these values:
 				//
 				// - http://:80
 				//   - pUrl.Host == ":80"
 				// - /some/path
 				//   - pUrl.Host == ""
 				//
 				// Super edge cases, but humans are human.
 				err = errors.New("supplied network_proxy URL is missing a host value")
 				pUrl = nil
 			} else {
 				p.logger.Debug("setting transport proxy url", zap.String("url", s))
 			}
 			return pUrl, err
 		}
 	}
 	return func(r *http.Request) (*url.URL, error) {
 		return url.Parse(p.URL)
 	}
 }
 // UnmarshalCaddyfile implements caddyfile.Unmarshaler.
 func (p *ProxyFromURL) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	d.Next()
 	d.Next()
 	p.URL = d.Val()
 	return nil
 }
 // The "none" proxy source module disables the use of network proxy.
 type ProxyFromNone struct{}
 func (p ProxyFromNone) CaddyModule() caddy.ModuleInfo {
 	return caddy.ModuleInfo{
 		ID: "caddy.network_proxy.none",
 		New: func() caddy.Module {
 			return &ProxyFromNone{}
 		},
 	}
 }
 // UnmarshalCaddyfile implements caddyfile.Unmarshaler.
 func (p ProxyFromNone) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	return nil
 }
 // ProxyFunc implements ProxyFuncProducer.
 func (p ProxyFromNone) ProxyFunc() func(*http.Request) (*url.URL, error) {
 	return nil
 }
 var (
 	_ caddy.Module            = ProxyFromURL{}
 	_ caddy.Provisioner       = (*ProxyFromURL)(nil)
 	_ caddy.Validator         = ProxyFromURL{}
 	_ caddy.ProxyFuncProducer = ProxyFromURL{}
 	_ caddyfile.Unmarshaler   = (*ProxyFromURL)(nil)
 	_ caddy.Module            = ProxyFromNone{}
 	_ caddy.ProxyFuncProducer = ProxyFromNone{}
 	_ caddyfile.Unmarshaler   = ProxyFromNone{}
 )
--- a/modules/logging/filewriter.go
+++ b/modules/logging/filewriter.go
@ -20,6 +20,7 @@ import (
 	"io"
 	"math"
 	"os"
 	"path/filepath"
 	"strconv"
 	"github.com/dustin/go-humanize"
@ -146,51 +147,68 @@ func (fw FileWriter) WriterKey() string {
 // OpenWriter opens a new file writer.
 func (fw FileWriter) OpenWriter() (io.WriteCloser, error) {
-	if fw.Mode == 0 {
+	modeIfCreating := os.FileMode(fw.Mode)
-		fw.Mode = 0o600
+	if modeIfCreating == 0 {
 		modeIfCreating = 0o600
 	}
-	// roll log files by default
+	// roll log files as a sensible default to avoid disk space exhaustion
-	if fw.Roll == nil || *fw.Roll {
+	roll := fw.Roll == nil || *fw.Roll
 		if fw.RollSizeMB == 0 {
 			fw.RollSizeMB = 100
 		}
 		if fw.RollCompress == nil {
 			compress := true
 			fw.RollCompress = &compress
 		}
 		if fw.RollKeep == 0 {
 			fw.RollKeep = 10
 		}
 		if fw.RollKeepDays == 0 {
 			fw.RollKeepDays = 90
 		}
-		// create the file if it does not exist with the right mode.
+	// create the file if it does not exist; create with the configured mode, or default
-		// lumberjack will reuse the file mode across log rotation.
+	// to restrictive if not set. (lumberjack will reuse the file mode across log rotation)
-		f_tmp, err := os.OpenFile(fw.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, os.FileMode(fw.Mode))
+	if err := os.MkdirAll(filepath.Dir(fw.Filename), 0o700); err != nil {
 		return nil, err
 	}
 	file, err := os.OpenFile(fw.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, modeIfCreating)
 	if err != nil {
 		return nil, err
 	}
 	info, err := file.Stat()
 	if roll {
 		file.Close() // lumberjack will reopen it on its own
 	}
 	// Ensure already existing files have the right mode, since OpenFile will not set the mode in such case.
 	if configuredMode := os.FileMode(fw.Mode); configuredMode != 0 {
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to stat log file to see if we need to set permissions: %v", err)
 		}
-		f_tmp.Close()
+		// only chmod if the configured mode is different
-		// ensure already existing files have the right mode,
+		if info.Mode()&os.ModePerm != configuredMode&os.ModePerm {
-		// since OpenFile will not set the mode in such case.
+			if err = os.Chmod(fw.Filename, configuredMode); err != nil {
-		if err = os.Chmod(fw.Filename, os.FileMode(fw.Mode)); err != nil {
+				return nil, err
-			return nil, err
+			}
 		}
 		return &lumberjack.Logger{
 			Filename:   fw.Filename,
 			MaxSize:    fw.RollSizeMB,
 			MaxAge:     fw.RollKeepDays,
 			MaxBackups: fw.RollKeep,
 			LocalTime:  fw.RollLocalTime,
 			Compress:   *fw.RollCompress,
 		}, nil
 	}
-	// otherwise just open a regular file
+	// if not rolling, then the plain file handle is all we need
-	return os.OpenFile(fw.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, os.FileMode(fw.Mode))
+	if !roll {
 		return file, nil
 	}
 	// otherwise, return a rolling log
 	if fw.RollSizeMB == 0 {
 		fw.RollSizeMB = 100
 	}
 	if fw.RollCompress == nil {
 		compress := true
 		fw.RollCompress = &compress
 	}
 	if fw.RollKeep == 0 {
 		fw.RollKeep = 10
 	}
 	if fw.RollKeepDays == 0 {
 		fw.RollKeepDays = 90
 	}
 	return &lumberjack.Logger{
 		Filename:   fw.Filename,
 		MaxSize:    fw.RollSizeMB,
 		MaxAge:     fw.RollKeepDays,
 		MaxBackups: fw.RollKeep,
 		LocalTime:  fw.RollLocalTime,
 		Compress:   *fw.RollCompress,
 	}, nil
 }
 // UnmarshalCaddyfile sets up the module from Caddyfile tokens. Syntax:
@ -295,6 +313,9 @@ func (fw *FileWriter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				return d.Errf("negative roll_keep_for duration: %v", keepFor)
 			}
 			fw.RollKeepDays = int(math.Ceil(keepFor.Hours() / 24))
 		default:
 			return d.Errf("unrecognized subdirective '%s'", d.Val())
 		}
 	}
 	return nil
--- a/modules/logging/filewriter_test.go
+++ b/modules/logging/filewriter_test.go
@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"os"
 	"path"
 	"path/filepath"
 	"syscall"
 	"testing"
@ -77,7 +78,7 @@ func TestFileCreationMode(t *testing.T) {
 				t.Fatalf("failed to create tempdir: %v", err)
 			}
 			defer os.RemoveAll(dir)
-			fpath := path.Join(dir, "test.log")
+			fpath := filepath.Join(dir, "test.log")
 			tt.fw.Filename = fpath
 			logger, err := tt.fw.OpenWriter()
@ -92,7 +93,7 @@ func TestFileCreationMode(t *testing.T) {
 			}
 			if st.Mode() != tt.wantMode {
-				t.Errorf("file mode is %v, want %v", st.Mode(), tt.wantMode)
+				t.Errorf("%s: file mode is %v, want %v", tt.name, st.Mode(), tt.wantMode)
 			}
 		})
 	}
--- a/modules/logging/netwriter.go
+++ b/modules/logging/netwriter.go
@ -145,6 +145,9 @@ func (nw *NetWriter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				return d.ArgErr()
 			}
 			nw.SoftStart = true
 		default:
 			return d.Errf("unrecognized subdirective '%s'", d.Val())
 		}
 	}
 	return nil