2026-02-13 23:14:08 -05:00
245 changed files with 3012 additions and 14048 deletions
--- a/.github/ISSUE_TEMPLATE/ISSUE.yml
+++ b/.github/ISSUE_TEMPLATE/ISSUE.yml
@ -1,31 +0,0 @@
 name: Issue
 description: An actionable development item, like a bug report or feature request
 body:
  - type: markdown
    attributes:
      value: |
        Thank you for opening an issue! This is for actionable development items like bug reports and feature requests.
        If you have a question about using Caddy, please [post on our forums](https://caddy.community) instead.
  - type: textarea
    id: content
    attributes:
      label: Issue Details
      placeholder: Describe the issue here. Be specific by providing complete logs and minimal instructions to reproduce, or a thoughtful proposal, etc.
    validations:
      required: true
  - type: dropdown
    id: assistance-disclosure
    attributes:
      label: Assistance Disclosure
      description: "Our project allows assistance by AI/LLM tools as long as it is disclosed and described so we can better respond. Please certify whether you have used any such tooling related to this issue:"
      options:
        - 
        - AI used
        - AI not used
    validations:
      required: true
  - type: input
    id: assistance-description
    attributes:
      label: If AI was used, describe the extent to which it was used.
      description: 'Examples: "ChatGPT translated from my native language" or "Claude proposed this change/feature"'
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,5 +0,0 @@
 blank_issues_enabled: false
 contact_links:
  - name: Caddy forum
    url: https://caddy.community
    about: If you have questions (or answers!) about using Caddy, please use our forum
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@ -18,7 +18,7 @@ A security report must demonstrate a security bug in the source code from this r
 Some security problems are the result of interplay between different components of the Web, rather than a vulnerability in the web server itself. Please only report vulnerabilities in the web server itself, as we cannot coerce the rest of the Web to be fixed (for example, we do not consider IP spoofing, BGP hijacks, or missing/misconfigured HTTP headers a vulnerability in the Caddy web server).
-Vulnerabilities caused by misconfigurations are out of scope. Yes, it is entirely possible to craft and use a configuration that is unsafe, just like with every other web server; we recommend against doing that. Similarly, external misconfigurations are out of scope. For example, an open or forwarded port from a public network to a Caddy instance intended to serve only internal clients is not a vulnerability in Caddy.
+Vulnerabilities caused by misconfigurations are out of scope. Yes, it is entirely possible to craft and use a configuration that is unsafe, just like with every other web server; we recommend against doing that.
 We do not accept reports if the steps imply or require a compromised system or third-party software, as we cannot control those. We expect that users secure their own systems and keep all their software patched. For example, if untrusted users are able to upload/write/host arbitrary files in the web root directory, it is NOT a security bug in Caddy if those files get served to clients; however, it _would_ be a valid report if a bug in Caddy's source code unintentionally gave unauthorized users the ability to upload unsafe files or delete files without relying on an unpatched system or piece of software.
@ -33,8 +33,6 @@ We get a lot of difficult reports that turn out to be invalid. Clear, obvious re
 First please ensure your report falls within the accepted scope of security bugs (above).
 **YOU MUST DISCLOSE THE USE OF LLMs ("AI") INVOLVED IN ANY WAY.** Whether you are using AI for discovery, as part of writing the report or its replies, and/or testing or validating proofs and changes, we require you to mention the extent of it. **FAILURE TO INCLUDE A DISCLOSURE MAY LEAD TO IMMEDIATE DISMISSAL OF YOUR REPORT AND POTENTIAL BLOCKLISTING.**
 We'll need enough information to verify the bug and make a patch. To speed things up, please include:
 - Most minimal possible config (without redactions!)
@ -50,9 +48,9 @@ We consider publicly-registered domain names to be public information. This nece
 It will speed things up if you suggest a working patch, such as a code diff, and explain why and how it works. Reports that are not actionable, do not contain enough information, are too pushy/demanding, or are not able to convince us that it is a viable and practical attack on the web server itself may be deferred to a later time or possibly ignored, depending on available resources. Priority will be given to credible, responsible reports that are constructive, specific, and actionable. (We get a lot of invalid reports.) Thank you for understanding.
-When you are ready, please submit a [new private vulnerability report](https://github.com/caddyserver/caddy/security/advisories/new).
+When you are ready, please email Matt Holt (the author) directly: matt at dyanim dot com.
-Please don't encrypt the message. It only makes the process more complicated.
+Please don't encrypt the email body. It only makes the process more complicated.
 Please also understand that due to our nature as an open source project, we do not have a budget to award security bounties. We can only thank you.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -3,20 +3,5 @@ version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    open-pull-requests-limit: 1
    groups:
      actions-deps:
        patterns:
          - "*"
    schedule:
      interval: "monthly"
  - package-ecosystem: "gomod"
    directory: "/"
    open-pull-requests-limit: 1
    groups:
      all-updates:
        patterns:
          - "*"
    schedule:
      interval: "monthly"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,29 +0,0 @@
 ## Assistance Disclosure
 <!--
 Thank you for contributing! Please note:
 The use of AI/LLM tools is allowed so long as it is disclosed, so
 that we can provide better code review and maintain project quality.
 If you used AI/LLM tooling in any way related to this PR, please
 let us know to what extent it was utilized.
 Examples:
 "No AI was used."
 "I wrote the code, but Claude generated the tests."
 "I consulted ChatGPT for a solution, but I authored/coded it myself."
 "Cody generated the code, and I verified it is correct."
 "Copilot provided tab completion for code and comments."
 We expect that you have vetted your contributions for correctness.
 Additionally, signing our CLA certifies that you have the rights to
 contribute this change.
 Replace the text below with your disclosure:
 -->
 _This PR is missing an assistance disclosure._
--- a/.github/workflows/ai.yml
+++ b/.github/workflows/ai.yml
@ -1,30 +0,0 @@
 name: AI Moderator
 permissions: read-all
 on:
  issues:
    types: [opened]
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
 jobs:
  spam-detection:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
      models: read
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - uses: github/ai-moderator@6bcdb2a79c2e564db8d76d7d4439d91a044c4eb6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          spam-label: 'spam'
          ai-label: 'ai-generated'
          minimize-detected-comments: true
          # Built-in prompt configuration (all enabled by default)
          enable-spam-detection: true
          enable-link-spam-detection: true
          enable-ai-detection: true
          # custom-prompt-path: '.github/prompts/my-custom.prompt.yml'  # Optional
--- a/.github/workflows/auto-release-pr.yml
+++ b/.github/workflows/auto-release-pr.yml
@ -1,221 +0,0 @@
 name: Release Proposal Approval Tracker
 on:
  pull_request_review:
    types: [submitted, dismissed]
  pull_request:
    types: [labeled, unlabeled, synchronize, closed]
 permissions:
  contents: read
  pull-requests: write
  issues: write
 jobs:
  check-approvals:
    name: Track Maintainer Approvals
    runs-on: ubuntu-latest
    # Only run on PRs with release-proposal label
    if: contains(github.event.pull_request.labels.*.name, 'release-proposal') && github.event.pull_request.state == 'open'
    steps:
      - name: Check approvals and update PR
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          MAINTAINER_LOGINS: ${{ secrets.MAINTAINER_LOGINS }}
        with:
          script: |
            const pr = context.payload.pull_request;
            // Extract version from PR title (e.g., "Release Proposal: v1.2.3")
            const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
            const commitMatch = pr.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
            if (!versionMatch || !commitMatch) {
              console.log('Could not extract version from title or commit from body');
              return;
            }
            const version = versionMatch[1];
            const targetCommit = commitMatch[1];
            console.log(`Version: ${version}, Target Commit: ${targetCommit}`);
            // Get all reviews
            const reviews = await github.rest.pulls.listReviews({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: pr.number
            });
            // Get list of maintainers
            const maintainerLoginsRaw = process.env.MAINTAINER_LOGINS || '';
            const maintainerLogins = maintainerLoginsRaw
              .split(/[,;]/)
              .map(login => login.trim())
              .filter(login => login.length > 0);
            console.log(`Maintainer logins: ${maintainerLogins.join(', ')}`);
            // Get the latest review from each user
            const latestReviewsByUser = {};
            reviews.data.forEach(review => {
              const username = review.user.login;
              if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
                latestReviewsByUser[username] = review;
              }
            });
            // Count approvals from maintainers
            const maintainerApprovals = Object.entries(latestReviewsByUser)
              .filter(([username, review]) => 
                maintainerLogins.includes(username) && 
                review.state === 'APPROVED'
              )
              .map(([username, review]) => username);
            const approvalCount = maintainerApprovals.length;
            console.log(`Found ${approvalCount} maintainer approvals from: ${maintainerApprovals.join(', ')}`);
            // Get current labels
            const currentLabels = pr.labels.map(label => label.name);
            const hasApprovedLabel = currentLabels.includes('approved');
            const hasAwaitingApprovalLabel = currentLabels.includes('awaiting-approval');
            if (approvalCount >= 2 && !hasApprovedLabel) {
              console.log('✅ Quorum reached! Updating PR...');
              // Remove awaiting-approval label if present
              if (hasAwaitingApprovalLabel) {
                await github.rest.issues.removeLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: pr.number,
                  name: 'awaiting-approval'
                }).catch(e => console.log('Label not found:', e.message));
              }
              // Add approved label
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                labels: ['approved']
              });
              // Add comment with tagging instructions
              const approversList = maintainerApprovals.map(u => `@${u}`).join(', ');
              const commentBody = [
                '## ✅ Approval Quorum Reached',
                '',
                `This release proposal has been approved by ${approvalCount} maintainers: ${approversList}`,
                '',
                '### Tagging Instructions',
                '',
                'A maintainer should now create and push the signed tag:',
                '',
                '```bash',
                `git checkout ${targetCommit}`,
                `git tag -s ${version} -m "Release ${version}"`,
                `git push origin ${version}`,
                `git checkout -`,
                '```',
                '',
                'The release workflow will automatically start when the tag is pushed.'
              ].join('\n');
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                body: commentBody
              });
              console.log('Posted tagging instructions');
            } else if (approvalCount < 2 && hasApprovedLabel) {
              console.log('⚠️  Approval count dropped below quorum, removing approved label');
              // Remove approved label
              await github.rest.issues.removeLabel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                name: 'approved'
              }).catch(e => console.log('Label not found:', e.message));
              // Add awaiting-approval label
              if (!hasAwaitingApprovalLabel) {
                await github.rest.issues.addLabels({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: pr.number,
                  labels: ['awaiting-approval']
                });
              }
            } else {
              console.log(`⏳ Waiting for more approvals (${approvalCount}/2 required)`);
            }
  handle-pr-closed:
    name: Handle PR Closed Without Tag
    runs-on: ubuntu-latest
    if: |
      contains(github.event.pull_request.labels.*.name, 'release-proposal') &&
      github.event.action == 'closed' && !contains(github.event.pull_request.labels.*.name, 'released')
    steps:
      - name: Add cancelled label and comment
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const pr = context.payload.pull_request;
            // Check if the release-in-progress label is present
            const hasReleaseInProgress = pr.labels.some(label => label.name === 'release-in-progress');
            if (hasReleaseInProgress) {
              // PR was closed while release was in progress - this is unusual
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                body: '⚠️ **Warning:** This PR was closed while a release was in progress. This may indicate an error. Please verify the release status.'
              });
            } else {
              // PR was closed before tag was created - this is normal cancellation
              const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
              const version = versionMatch ? versionMatch[1] : 'unknown';
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: pr.number,
                body: `## 🚫 Release Proposal Cancelled\n\nThis release proposal for ${version} was closed without creating the tag.\n\nIf you want to proceed with this release later, you can create a new release proposal.`
              });
            }
            // Add cancelled label
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              labels: ['cancelled']
            });
            // Remove other workflow labels if present
            const labelsToRemove = ['awaiting-approval', 'approved', 'release-in-progress'];
            for (const label of labelsToRemove) {
              try {
                await github.rest.issues.removeLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: pr.number,
                  name: label
                });
              } catch (e) {
                console.log(`Label ${label} not found or already removed`);
              }
            }
            console.log('Added cancelled label and cleaned up workflow labels');
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -12,32 +12,28 @@ on:
      - master
      - 2.*
 env:
  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 permissions:
  contents: read
 jobs:
  test:
    strategy:
      # Default is true, cancels jobs for other platforms in the matrix if one fails
      fail-fast: false
      matrix:
-        os:
+        os: 
          - linux
          - mac
          - windows
-        go:
+        go: 
-          - '1.26'
+          - '1.22'
          - '1.23'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.26'
+        - go: '1.22'
-          GO_SEMVER: '~1.26.0'
+          GO_SEMVER: '~1.22.3'
        - go: '1.23'
          GO_SEMVER: '~1.23.0'
        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@ -59,21 +55,13 @@ jobs:
          SUCCESS: 'True'
    runs-on: ${{ matrix.OS_LABEL }}
    permissions:
      contents: read
      pull-requests: read
      actions: write # to allow uploading artifacts and cache
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
      with:
        egress-policy: audit
    steps:
    - name: Checkout code
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
    - name: Install Go
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@ -111,7 +99,7 @@ jobs:
      env:
        CGO_ENABLED: 0
      run: |
-        go build -trimpath -ldflags="-w -s" -v
+        go build -tags nobadger -trimpath -ldflags="-w -s" -v
    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
@ -120,7 +108,7 @@ jobs:
        ./caddy stop
    - name: Publish Build Artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@v4
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
@ -134,7 +122,7 @@ jobs:
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT
    # Relevant step if we reinvestigate publishing test/coverage reports
@ -154,21 +142,12 @@ jobs:
  s390x-test:
    name: test (s390x on IBM Z)
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
          allowed-endpoints: ci-s390x.caddyserver.com:22
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
      - name: Run Tests
        run: |
          set +e
@ -191,7 +170,7 @@ jobs:
          retries=3
          exit_code=0
          while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -v ./...
+            CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
            exit_code=$?
            if ((exit_code == 0)); then
              break
@ -215,33 +194,25 @@ jobs:
  goreleaser-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
-      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+      - uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: check
      - name: Install Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@v5
        with:
-          go-version: "~1.26"
+          go-version: "~1.23"
          check-latest: true
      - name: Install xcaddy
        run: |
          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
          xcaddy version
-      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+      - uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: build --single-target --snapshot
--- a/.github/workflows/cross-build.yml
+++ b/.github/workflows/cross-build.yml
@ -10,21 +10,12 @@ on:
      - master
      - 2.*
 env:
  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
  CGO_ENABLED: '0'
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 permissions:
  contents: read
 jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
-        goos:
+        goos: 
          - 'aix'
          - 'linux'
          - 'solaris'
@ -35,31 +26,27 @@ jobs:
          - 'windows'
          - 'darwin'
          - 'netbsd'
-        go:
+        go: 
-          - '1.26'
+          - '1.22'
          - '1.23'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.26'
+        - go: '1.22'
-          GO_SEMVER: '~1.26.0'
+          GO_SEMVER: '~1.22.3'
        - go: '1.23'
          GO_SEMVER: '~1.23.0'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    continue-on-error: true
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.GO_SEMVER }}
          check-latest: true
@ -76,9 +63,11 @@ jobs:
      - name: Run Build
        env:
          CGO_ENABLED: 0
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goos == 'aix' && 'ppc64' || 'amd64' }}
        shell: bash
        continue-on-error: true
        working-directory: ./cmd/caddy
-        run: go build -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+        run: |
          GOOS=$GOOS GOARCH=$GOARCH go build -tags=nobadger,nomysql,nopgx -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -13,10 +13,6 @@ on:
 permissions:
  contents: read
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
@ -44,19 +40,14 @@ jobs:
    runs-on: ${{ matrix.OS_LABEL }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - uses: actions/checkout@v4
-        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: actions/setup-go@v5
        with:
-          egress-policy: audit
+          go-version: '~1.23'
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: '~1.26'
          check-latest: true
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
@ -67,39 +58,10 @@ jobs:
          # only-new-issues: true
  govulncheck:
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: govulncheck
-        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        uses: golang/govulncheck-action@v1
        with:
-          go-version-input: '~1.26.0'
+          go-version-input: '~1.23.0'
          check-latest: true
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: 'Checkout Repository'
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
        with:
          comment-summary-in-pr: on-failure
          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
--- a/.github/workflows/release-proposal.yml
+++ b/.github/workflows/release-proposal.yml
@ -1,249 +0,0 @@
 name: Release Proposal
 # This workflow creates a release proposal as a PR that requires approval from maintainers
 # Triggered manually by maintainers when ready to prepare a release
 on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release (e.g., v2.8.0)'
        required: true
        type: string
      commit_hash:
        description: 'Commit hash to release from'
        required: true
        type: string
 permissions:
  contents: read
 jobs:
  create-proposal:
    name: Create Release Proposal
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Trim and validate inputs
        id: inputs
        run: |
          # Trim whitespace from inputs
          VERSION=$(echo "${{ inputs.version }}" | xargs)
          COMMIT_HASH=$(echo "${{ inputs.commit_hash }}" | xargs)
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
          # Validate version format
          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
            echo "Error: Version must follow semver format (e.g., v2.8.0 or v2.8.0-beta.1)"
            exit 1
          fi
          # Validate commit hash format
          if [[ ! "$COMMIT_HASH" =~ ^[a-f0-9]{7,40}$ ]]; then
            echo "Error: Commit hash must be a valid SHA (7-40 characters)"
            exit 1
          fi
          # Check if commit exists
          if ! git cat-file -e "$COMMIT_HASH"; then
            echo "Error: Commit $COMMIT_HASH does not exist"
            exit 1
          fi
      - name: Check if tag already exists
        run: |
          if git rev-parse "${{ steps.inputs.outputs.version }}" >/dev/null 2>&1; then
            echo "Error: Tag ${{ steps.inputs.outputs.version }} already exists"
            exit 1
          fi
      - name: Check for existing proposal PR
        id: check_existing
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const version = '${{ steps.inputs.outputs.version }}';
            // Search for existing open PRs with release-proposal label that match this version
            const openPRs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              sort: 'updated',
              direction: 'desc'
            });
            const existingOpenPR = openPRs.data.find(pr => 
              pr.title.includes(version) && 
              pr.labels.some(label => label.name === 'release-proposal')
            );
            if (existingOpenPR) {
              const hasReleased = existingOpenPR.labels.some(label => label.name === 'released');
              const hasReleaseInProgress = existingOpenPR.labels.some(label => label.name === 'release-in-progress');
              if (hasReleased || hasReleaseInProgress) {
                core.setFailed(`A release for ${version} is already in progress or completed: ${existingOpenPR.html_url}`);
              } else {
                core.setFailed(`An open release proposal already exists for ${version}: ${existingOpenPR.html_url}\n\nPlease use the existing PR or close it first.`);
              }
              return;
            }
            // Check for closed PRs with this version that were cancelled
            const closedPRs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'closed',
              sort: 'updated',
              direction: 'desc'
            });
            const cancelledPR = closedPRs.data.find(pr => 
              pr.title.includes(version) && 
              pr.labels.some(label => label.name === 'release-proposal') &&
              pr.labels.some(label => label.name === 'cancelled')
            );
            if (cancelledPR) {
              console.log(`Found previously cancelled proposal for ${version}: ${cancelledPR.html_url}`);
              console.log('Creating new proposal to replace cancelled one...');
            } else {
              console.log(`No existing proposal found for ${version}, proceeding...`);
            }
      - name: Generate changelog and create branch
        id: setup
        run: |
          VERSION="${{ steps.inputs.outputs.version }}"
          COMMIT_HASH="${{ steps.inputs.outputs.commit_hash }}"
          # Create a new branch for the release proposal
          BRANCH_NAME="release_proposal-$VERSION"
          git checkout -b "$BRANCH_NAME"
          # Calculate how many commits behind HEAD
          COMMITS_BEHIND=$(git rev-list --count ${COMMIT_HASH}..HEAD)
          if [ "$COMMITS_BEHIND" -eq 0 ]; then
            BEHIND_INFO="This is the latest commit (HEAD)"
          else
            BEHIND_INFO="This commit is **${COMMITS_BEHIND} commits behind HEAD**"
          fi
          echo "commits_behind=$COMMITS_BEHIND" >> $GITHUB_OUTPUT
          echo "behind_info=$BEHIND_INFO" >> $GITHUB_OUTPUT
          # Get the last tag
          LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
          if [ -z "$LAST_TAG" ]; then
            echo "No previous tag found, generating full changelog"
            COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "$COMMIT_HASH")
          else
            echo "Generating changelog since $LAST_TAG"
            COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "${LAST_TAG}..$COMMIT_HASH")
          fi
          # Store changelog for PR body
          CLEANSED_COMMITS=$(echo "$COMMITS" | sed 's/`/\\`/g')
          echo "changelog<<EOF" >> $GITHUB_OUTPUT
          echo "$CLEANSED_COMMITS" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT
          # Create empty commit for the PR
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit --allow-empty -m "Release proposal for $VERSION"
          # Push the branch
          git push origin "$BRANCH_NAME"
          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
      - name: Create release proposal PR
        id: create_pr
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const changelog = `${{ steps.setup.outputs.changelog }}`;
            const pr = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Release Proposal: ${{ steps.inputs.outputs.version }}`,
              head: '${{ steps.setup.outputs.branch_name }}',
              base: 'master',
              body: `## Release Proposal: ${{ steps.inputs.outputs.version }}
            **Target Commit:** \`${{ steps.inputs.outputs.commit_hash }}\`
            **Requested by:** @${{ github.actor }}
            **Commit Status:** ${{ steps.setup.outputs.behind_info }}
            This PR proposes creating release tag \`${{ steps.inputs.outputs.version }}\` at commit \`${{ steps.inputs.outputs.commit_hash }}\`.
            ### Approval Process
            This PR requires **approval from 2+ maintainers** before the tag can be created.
            ### What happens next?
            1. Maintainers review this proposal
            2. When 2+ maintainer approvals are received, an automated workflow will post tagging instructions
            3. A maintainer manually creates and pushes the signed tag
            4. The release workflow is triggered automatically by the tag push
            5. Upon release completion, this PR is closed and the branch is deleted
            ### Changes Since Last Release
            ${changelog}
            ### Release Checklist
            - [ ] All tests pass
            - [ ] Security review completed
            - [ ] Documentation updated
            - [ ] Breaking changes documented
            ---
            **Note:** Tag creation is manual and requires a signed tag from a maintainer.`,
              draft: true
            });
            // Add labels
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.data.number,
              labels: ['release-proposal', 'awaiting-approval']
            });
            console.log(`Created PR: ${pr.data.html_url}`);
            return { number: pr.data.number, url: pr.data.html_url };
          result-encoding: json
      - name: Post summary
        run: |
          echo "## Release Proposal PR Created! 🚀" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Version: **${{ steps.inputs.outputs.version }}**" >> $GITHUB_STEP_SUMMARY
          echo "Commit: **${{ steps.inputs.outputs.commit_hash }}**" >> $GITHUB_STEP_SUMMARY
          echo "Status: ${{ steps.setup.outputs.behind_info }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "PR: ${{ fromJson(steps.create_pr.outputs.result).url }}" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -5,342 +5,21 @@ on:
    tags:
      - 'v*.*.*'
 env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local
 permissions:
  contents: read
 jobs:
  verify-tag:
    name: Verify Tag Signature and Approvals
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
    outputs:
      verification_passed: ${{ steps.verify.outputs.passed }}
      tag_version: ${{ steps.info.outputs.version }}
      proposal_issue_number: ${{ steps.find_proposal.outputs.result && fromJson(steps.find_proposal.outputs.result).number || '' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      # Force fetch upstream tags -- because 65 minutes
      # tl;dr: actions/checkout@v3 runs this line:
      #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
      # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
      #   git fetch --prune --unshallow
      # which doesn't overwrite that tag because that would be destructive.
      # Credit to @francislavoie for the investigation.
      # https://github.com/actions/checkout/issues/290#issuecomment-680260080
      - name: Force fetch upstream tags
        run: git fetch --tags --force
      - name: Get tag info
        id: info
        run: |
          echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       # https://github.community/t5/GitHub-Actions/How-to-get-just-the-tag-name/m-p/32167/highlight/true#M1027
      - name: Print Go version and environment
        id: vars
        run: |
          printf "Using go at: $(which go)\n"
          printf "Go version: $(go version)\n"
          printf "\n\nGo environment:\n\n"
          go env
          printf "\n\nSystem environment:\n\n"
          env
          echo "version_tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
          echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
          # Add "pip install" CLI tools to PATH
          echo ~/.local/bin >> $GITHUB_PATH
          # Parse semver
          TAG=${GITHUB_REF/refs\/tags\//}
          SEMVER_RE='[^0-9]*\([0-9]*\)[.]\([0-9]*\)[.]\([0-9]*\)\([0-9A-Za-z\.-]*\)'
          TAG_MAJOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\1#"`
          TAG_MINOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\2#"`
          TAG_PATCH=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\3#"`
          TAG_SPECIAL=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\4#"`
          echo "tag_major=${TAG_MAJOR}" >> $GITHUB_OUTPUT
          echo "tag_minor=${TAG_MINOR}" >> $GITHUB_OUTPUT
          echo "tag_patch=${TAG_PATCH}" >> $GITHUB_OUTPUT
          echo "tag_special=${TAG_SPECIAL}" >> $GITHUB_OUTPUT
      - name: Validate commits and tag signatures
        id: verify
        env:
          signing_keys: ${{ secrets.SIGNING_KEYS }}
        run: |
          # Read the string into an array, splitting by IFS
          IFS=";" read -ra keys_collection <<< "$signing_keys"
          # ref: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#example-usage-of-the-runner-context
          touch "${{ runner.temp }}/allowed_signers"
          # Iterate and print the split elements
          for item in "${keys_collection[@]}"; do
            # trim leading whitespaces
            item="${item##*( )}"
            # trim trailing whitespaces
            item="${item%%*( )}"
            IFS=" " read -ra key_components <<< "$item"
            # git wants it in format: email address, type, public key
            # ssh has it in format: type, public key, email address
            echo "${key_components[2]} namespaces=\"git\" ${key_components[0]} ${key_components[1]}" >> "${{ runner.temp }}/allowed_signers"
          done
          git config set --global gpg.ssh.allowedSignersFile "${{ runner.temp }}/allowed_signers"
          echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
          # Verify the tag is signed
          if ! git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1; then
            echo "❌ Tag verification failed!"
            echo "passed=false" >> $GITHUB_OUTPUT
            git push --delete origin "${{ steps.vars.outputs.version_tag }}"
            exit 1
          fi
          # Run it again to capture the output
          git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1 | tee /tmp/verify-output.txt;
          # SSH verification output typically includes the key fingerprint
          # Use GNU grep with Perl regex for cleaner extraction (Linux environment)
          KEY_SHA256=$(grep -oP "SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
          if [ -z "$KEY_SHA256" ]; then
            # Try alternative pattern with "key" prefix
            KEY_SHA256=$(grep -oP "key SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
          fi
          if [ -z "$KEY_SHA256" ]; then
            # Fallback: extract any base64-like string (40+ chars)
            KEY_SHA256=$(grep -oP '[A-Za-z0-9+/]{40,}=?' /tmp/verify-output.txt | head -1 || echo "")
          fi
          if [ -z "$KEY_SHA256" ]; then
            echo "Somehow could not extract SSH key fingerprint from git verify-tag output"
            echo "Cancelling flow and deleting tag"
            echo "passed=false" >> $GITHUB_OUTPUT
            git push --delete origin "${{ steps.vars.outputs.version_tag }}"
            exit 1
          fi
          echo "✅ Tag verification succeeded!"
          echo "passed=true" >> $GITHUB_OUTPUT
          echo "key_id=$KEY_SHA256" >> $GITHUB_OUTPUT
      - name: Find related release proposal
        id: find_proposal
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const version = '${{ steps.vars.outputs.version_tag }}';
            // Search for PRs with release-proposal label that match this version
            const prs = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open', // Changed to 'all' to find both open and closed PRs
              sort: 'updated',
              direction: 'desc'
            });
            // Find the most recent PR for this version
            const proposal = prs.data.find(pr => 
              pr.title.includes(version) && 
              pr.labels.some(label => label.name === 'release-proposal')
            );
            if (!proposal) {
              console.log(`⚠️  No release proposal PR found for ${version}`);
              console.log('This might be a hotfix or emergency release');
              return { number: null, approved: true, approvals: 0, proposedCommit: null };
            }
            console.log(`Found proposal PR #${proposal.number} for version ${version}`);
            // Extract commit hash from PR body
            const commitMatch = proposal.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
            const proposedCommit = commitMatch ? commitMatch[1] : null;
            if (proposedCommit) {
              console.log(`Proposal was for commit: ${proposedCommit}`);
            } else {
              console.log('⚠️  No target commit hash found in PR body');
            }
            // Get PR reviews to extract approvers
            let approvers = 'Validated by automation';
            let approvalCount = 2; // Minimum required
            try {
              const reviews = await github.rest.pulls.listReviews({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: proposal.number
              });
              // Get latest review per user and filter for approvals
              const latestReviewsByUser = {};
              reviews.data.forEach(review => {
                const username = review.user.login;
                if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
                  latestReviewsByUser[username] = review;
                }
              });
              const approvalReviews = Object.values(latestReviewsByUser).filter(review => 
                review.state === 'APPROVED'
              );
              if (approvalReviews.length > 0) {
                approvers = approvalReviews.map(r => '@' + r.user.login).join(', ');
                approvalCount = approvalReviews.length;
                console.log(`Found ${approvalCount} approvals from: ${approvers}`);
              }
            } catch (error) {
              console.log(`Could not fetch reviews: ${error.message}`);
            }
            return {
              number: proposal.number,
              approved: true,
              approvals: approvalCount,
              approvers: approvers,
              proposedCommit: proposedCommit
            };
          result-encoding: json
      - name: Verify proposal commit
        run: |
          APPROVALS='${{ steps.find_proposal.outputs.result }}'
          # Parse JSON
          PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit')
          CURRENT_COMMIT="${{ steps.info.outputs.sha }}"
          echo "Proposed commit: $PROPOSED_COMMIT"
          echo "Current commit: $CURRENT_COMMIT"
          # Check if commits match (if proposal had a target commit)
          if [ "$PROPOSED_COMMIT" != "null" ] && [ -n "$PROPOSED_COMMIT" ]; then
            # Normalize both commits to full SHA for comparison
            PROPOSED_FULL=$(git rev-parse "$PROPOSED_COMMIT" 2>/dev/null || echo "")
            CURRENT_FULL=$(git rev-parse "$CURRENT_COMMIT" 2>/dev/null || echo "")
            if [ -z "$PROPOSED_FULL" ]; then
              echo "⚠️  Could not resolve proposed commit: $PROPOSED_COMMIT"
            elif [ "$PROPOSED_FULL" != "$CURRENT_FULL" ]; then
              echo "❌ Commit mismatch!"
              echo "The tag points to commit $CURRENT_FULL but the proposal was for $PROPOSED_FULL"
              echo "This indicates an error in tag creation."
              # Delete the tag remotely
              git push --delete origin "${{ steps.vars.outputs.version_tag }}"
              echo "Tag ${{steps.vars.outputs.version_tag}} has been deleted"
              exit 1
            else
              echo "✅ Commit hash matches proposal"
            fi
          else
            echo "⚠️  No target commit found in proposal (might be legacy release)"
          fi
          echo "✅ Tag verification completed"
      - name: Update release proposal PR
        if: fromJson(steps.find_proposal.outputs.result).number != null
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const result = ${{ steps.find_proposal.outputs.result }};
            if (result.number) {
              // Add in-progress label
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: result.number,
                labels: ['release-in-progress']
              });
              // Remove approved label if present
              try {
                await github.rest.issues.removeLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: result.number,
                  name: 'approved'
                });
              } catch (e) {
                console.log('Approved label not found:', e.message);
              }
              const commentBody = [
                '## 🚀 Release Workflow Started',
                '',
                '- **Tag:** ${{ steps.info.outputs.version }}',
                '- **Signed by key:** ${{ steps.verify.outputs.key_id }}',
                '- **Commit:** ${{ steps.info.outputs.sha }}',
                '- **Approved by:** ' + result.approvers,
                '',
                'Release workflow is now running. This PR will be updated when the release is published.'
              ].join('\n');
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: result.number,
                body: commentBody
              });
            }
      - name: Summary
        run: |
          APPROVALS='${{ steps.find_proposal.outputs.result }}'
          PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit // "N/A"')
          APPROVERS=$(echo "$APPROVALS" | jq -r '.approvers // "N/A"')
          echo "## Tag Verification Summary 🔐" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "- **Tag:** ${{ steps.info.outputs.version }}" >> $GITHUB_STEP_SUMMARY
          echo "- **Commit:** ${{ steps.info.outputs.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- **Proposed Commit:** $PROPOSED_COMMIT" >> $GITHUB_STEP_SUMMARY
          echo "- **Signature:** ✅ Verified" >> $GITHUB_STEP_SUMMARY
          echo "- **Signed by:** ${{ steps.verify.outputs.key_id }}" >> $GITHUB_STEP_SUMMARY
          echo "- **Approvals:** ✅ Sufficient" >> $GITHUB_STEP_SUMMARY
          echo "- **Approved by:** $APPROVERS" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Proceeding with release build..." >> $GITHUB_STEP_SUMMARY
  release:
    name: Release
    needs: verify-tag
    if: ${{ needs.verify-tag.outputs.verification_passed == 'true' }}
    strategy:
      matrix:
        os: 
          - ubuntu-latest
        go: 
-          - '1.26'
+          - '1.23'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.26'
+        - go: '1.23'
-          GO_SEMVER: '~1.26.0'
+          GO_SEMVER: '~1.23.0'
    runs-on: ${{ matrix.os }}
    # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@ -350,28 +29,21 @@ jobs:
      # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
      # "Releases" is part of `contents`, so it needs the `write`
      contents: write
      issues: write
      pull-requests: write
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
      with:
        egress-policy: audit
    - name: Checkout code
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Install Go
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
    # Force fetch upstream tags -- because 65 minutes
-    # tl;dr: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2 runs this line:
+    # tl;dr: actions/checkout@v4 runs this line:
    #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
    # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
    #   git fetch --prune --unshallow
@ -414,12 +86,22 @@ jobs:
    - name: Install Cloudsmith CLI
      run: pip install --upgrade cloudsmith-cli
    - name: Validate commits and tag signatures
      run: |
        # Import Matt Holt's key
        curl 'https://github.com/mholt.gpg' | gpg --import
        echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
        # tags are only accepted if signed by Matt's key
        git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
    - name: Install Cosign
-      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
+      uses: sigstore/cosign-installer@main
    - name: Cosign version
      run: cosign version
    - name: Install Syft
-      uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # main
+      uses: anchore/sbom-action/download-syft@main
    - name: Syft version
      run: syft version
    - name: Install xcaddy
@ -428,7 +110,7 @@ jobs:
        xcaddy version
    # GoReleaser will take care of publishing those artifacts into the release
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+      uses: goreleaser/goreleaser-action@v6
      with:
        version: latest
        args: release --clean --timeout 60m
@ -494,72 +176,3 @@ jobs:
          echo "Pushing $filename to 'testing'"
          cloudsmith push deb caddy/testing/any-distro/any-version $filename
        done
    - name: Update release proposal PR
      if: needs.verify-tag.outputs.proposal_issue_number != ''
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      with:
        script: |
          const prNumber = parseInt('${{ needs.verify-tag.outputs.proposal_issue_number }}');
          if (prNumber) {
            // Get PR details to find the branch
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber
            });
            const branchName = pr.data.head.ref;
            // Remove in-progress label
            try {
              await github.rest.issues.removeLabel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: prNumber,
                name: 'release-in-progress'
              });
            } catch (e) {
              console.log('Label not found:', e.message);
            }
            // Add released label
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              labels: ['released']
            });
            // Add final comment
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              body: '## ✅ Release Published\n\nThe release has been successfully published and is now available.'
            });
            // Close the PR if it's still open
            if (pr.data.state === 'open') {
              await github.rest.pulls.update({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: prNumber,
                state: 'closed'
              });
              console.log(`Closed PR #${prNumber}`);
            }
            // Delete the branch
            try {
              await github.rest.git.deleteRef({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: `heads/${branchName}`
              });
              console.log(`Deleted branch: ${branchName}`);
            } catch (e) {
              console.log(`Could not delete branch ${branchName}: ${e.message}`);
            }
          }
--- a/.github/workflows/release_published.yml
+++ b/.github/workflows/release_published.yml
@ -5,9 +5,6 @@ on:
  release:
    types: [published]
 permissions:
  contents: read
 jobs:
  release:
    name: Release Published
@ -16,20 +13,12 @@ jobs:
        os: 
          - ubuntu-latest
    runs-on: ${{ matrix.os }}
-    permissions:
+
      contents: read
      pull-requests: read
      actions: write
    steps:
    # See https://github.com/peter-evans/repository-dispatch
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
      with:
        egress-policy: audit
    - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/dist
@ -37,7 +26,7 @@ jobs:
        client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
    - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
+      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/caddy-docker
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -1,86 +0,0 @@
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 name: OpenSSF Scorecard supply-chain security
 on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '20 2 * * 5'
  push:
    branches: [ "master", "2.*" ]
  pull_request:
    branches: [ "master", "2.*" ]
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: "Checkout code"
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true
          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
          # file_mode: git
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
        with:
          sarif_file: results.sarif
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,19 +1,27 @@
-version: "2"
+linters-settings:
-run:
+  errcheck:
-  issues-exit-code: 1
+    exclude-functions:
-  tests: false
+      - fmt.*
-  build-tags:
+      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-    - nobadger
+      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
-    - nomysql
+  gci:
-    - nopgx
+    sections:
-output:
+      - standard # Standard section: captures all standard packages.
-  formats:
+      - default # Default section: contains all imports that could not be matched to another section type.
-    text:
+      - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
-      path: stdout
+      - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
-      print-linter-name: true
+    # Skip generated files.
-      print-issued-lines: true
+    # Default: true
    skip-generated: true
    # Enable custom order of sections.
    # If `true`, make the section order the same as the order of `sections`.
    # Default: false
    custom-order: true
  exhaustive:
    ignore-enum-types: reflect.Kind|svc.Cmd
 linters:
-  default: none
+  disable-all: true
  enable:
    - asasalint
    - asciicheck
@ -27,96 +35,148 @@ linters:
    - errcheck
    - errname
    - exhaustive
    - gci
    - gofmt
    - goimports
    - gofumpt
    - gosec
    - gosimple
    - govet
    - importas
    - ineffassign
    - importas
    - misspell
    - prealloc
    - promlinter
    - sloglint
    - sqlclosecheck
    - staticcheck
    - tenv
    - testableexamples
    - testifylint
    - tparallel
    - typecheck
    - unconvert
    - unused
    - wastedassign
    - whitespace
    - zerologlint
-  settings:
+  # these are implicitly disabled:
-    staticcheck:
+  # - containedctx
-      checks: ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022",  "-QF1006", "-QF1008"] # default, and exclude 1 more undesired check
+  # - contextcheck
-    errcheck:
+  # - cyclop
-      exclude-functions:
+  # - depguard
-        - fmt.*
+  # - errchkjson
-        - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
+  # - errorlint
-        - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+  # - exhaustruct
-    exhaustive:
+  # - execinquery
-      ignore-enum-types: reflect.Kind|svc.Cmd
+  # - exhaustruct
-  exclusions:
+  # - forbidigo
-    generated: lax
+  # - forcetypeassert
-    presets:
+  # - funlen
-      - comments
+  # - ginkgolinter
-      - common-false-positives
+  # - gocheckcompilerdirectives
-      - legacy
+  # - gochecknoglobals
-      - std-error-handling
+  # - gochecknoinits
-    rules:
+  # - gochecksumtype
-      - linters:
+  # - gocognit
-          - gosec
+  # - goconst
-        text: G115 # TODO: Either we should fix the issues or nuke the linter if it's bad
+  # - gocritic
-      - linters:
+  # - gocyclo
-          - gosec
+  # - godot
-        text: G107 # we aren't calling unknown URL
+  # - godox
-      - linters:
+  # - goerr113
-          - gosec
+  # - goheader
-        text: G203 # as a web server that's expected to handle any template, this is totally in the hands of the user.
+  # - gomnd
-      - linters:
+  # - gomoddirectives
-          - gosec
+  # - gomodguard
-        text: G204 # we're shelling out to known commands, not relying on user-defined input.
+  # - goprintffuncname
-      - linters:
+  # - gosmopolitan
-          - gosec
+  # - grouper
-        # the choice of weakrand is deliberate, hence the named import "weakrand"
+  # - inamedparam
-        path: modules/caddyhttp/reverseproxy/selectionpolicies.go
+  # - interfacebloat
-        text: G404
+  # - ireturn
-      - linters:
+  # - lll
-          - gosec
+  # - loggercheck
-        path: modules/caddyhttp/reverseproxy/streaming.go
+  # - maintidx
-        text: G404
+  # - makezero
-      - linters:
+  # - mirror
-          - dupl
+  # - musttag
-        path: modules/logging/filters.go
+  # - nakedret
-      - linters:
+  # - nestif
-          - dupl
+  # - nilerr
-        path: modules/caddyhttp/matchers.go
+  # - nilnil
-      - linters:
+  # - nlreturn
-          - dupl
+  # - noctx
-        path: modules/caddyhttp/vars.go
+  # - nolintlint
-      - linters:
+  # - nonamedreturns
-          - errcheck
+  # - nosprintfhostport
-        path: _test\.go
+  # - paralleltest
-    paths:
+  # - perfsprint
-      - third_party$
+  # - predeclared
-      - builtin$
+  # - protogetter
-      - examples$
+  # - reassign
-formatters:
+  # - revive
-  enable:
+  # - rowserrcheck
-    - gci
+  # - stylecheck
-    - gofmt
+  # - tagalign
-    - gofumpt
+  # - tagliatelle
-    - goimports
+  # - testpackage
-  settings:
+  # - thelper
-    gci:
+  # - unparam
-      sections:
+  # - usestdlibvars
-        - standard # Standard section: captures all standard packages.
+  # - varnamelen
-        - default # Default section: contains all imports that could not be matched to another section type.
+  # - wrapcheck
-        - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
+  # - wsl
-        - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
+
-      custom-order: true
+run:
-  exclusions:
+  # default concurrency is a available CPU number.
-    generated: lax
+  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-    paths:
+  timeout: 5m
-      - third_party$
+  issues-exit-code: 1
-      - builtin$
+  tests: false
-      - examples$
+
 # output configuration options
 output:
  formats:
    - format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true
 issues:
  exclude-rules:
    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
      linters:
        - gosec
    # we aren't calling unknown URL
    - text: 'G107' # G107: Url provided to HTTP request as taint input
      linters:
        - gosec
    # as a web server that's expected to handle any template, this is totally in the hands of the user.
    - text: 'G203' # G203: Use of unescaped data in HTML templates
      linters:
        - gosec
    # we're shelling out to known commands, not relying on user-defined input.
    - text: 'G204' # G204: Audit use of command execution
      linters:
        - gosec
    # the choice of weakrand is deliberate, hence the named import "weakrand"
    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
    - path: modules/caddyhttp/reverseproxy/streaming.go
      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
    - path: modules/logging/filters.go
      linters:
        - dupl
    - path: modules/caddyhttp/matchers.go
      linters:
        - dupl
    - path: modules/caddyhttp/vars.go
      linters:
        - dupl
    - path: _test\.go
      linters:
        - errcheck
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -111,7 +111,7 @@ archives:
  - id: default
    format_overrides:
      - goos: windows
-        formats: zip
+        format: zip
    name_template: >-
      {{ .ProjectName }}_
      {{- .Version }}_
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,20 +0,0 @@
 repos:
 - repo: https://github.com/gitleaks/gitleaks
  rev: v8.16.3
  hooks:
  - id: gitleaks
 - repo: https://github.com/golangci/golangci-lint
  rev: v1.52.2
  hooks:
  - id: golangci-lint-config-verify
  - id: golangci-lint
  - id: golangci-lint-fmt
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
  rev: 3.0.0
  hooks:
  - id: shellcheck
 - repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.4.0
  hooks:
  - id: end-of-file-fixer
  - id: trailing-whitespace
--- a/README.md
+++ b/README.md
@ -12,52 +12,23 @@
 <hr>
 <h3 align="center">Every site on HTTPS</h3>
 <p align="center">Caddy is an extensible server platform that uses TLS by default.</p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	<br>
 	<a href="https://twitter.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/badge/twitter-@caddyserver-55acee.svg" alt="@caddyserver on Twitter"></a>
 	<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
 	<br>
 	<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
 	<a href="https://cloudsmith.io/~caddy/repos/"><img src="https://img.shields.io/badge/OSS%20hosting%20by-cloudsmith-blue?logo=cloudsmith" alt="Cloudsmith"></a>
 </p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/releases">Releases</a> ·
 	<a href="https://caddyserver.com/docs/">Documentation</a> ·
 	<a href="https://caddy.community">Get Help</a>
 </p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
 	&nbsp;
 	<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
 	&nbsp;
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	&nbsp;
 	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
 	&nbsp;
 	<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
 	<br>
 	<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
 	&nbsp;
 	<a href="https://cloudsmith.io/~caddy/repos/"><img src="https://img.shields.io/badge/OSS%20hosting%20by-cloudsmith-blue?logo=cloudsmith" alt="Cloudsmith"></a>
 </p>
 <p align="center">
 	<b>Powered by</b>
 	<br>
 	<a href="https://github.com/caddyserver/certmagic">
 		<picture>
 			<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/55066419/206946718-740b6371-3df3-4d72-a822-47e4c48af999.png">
 			<source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png">
 			<img src="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png" alt="CertMagic" width="250">
 		</picture>
 	</a>
 </p>
 <!-- Warp sponsorship requests this section -->
 <div align="center" markdown="1">
 	<hr>
 	<sup>Special thanks to:</sup>
 	<br>
 	<a href="https://go.warp.dev/caddy">
 		<img alt="Warp sponsorship" width="400" src="https://github.com/user-attachments/assets/c8efffde-18c7-4af4-83ed-b1aba2dda394">
 	</a>
 ### [Warp, built for coding with multiple AI agents](https://go.warp.dev/caddy)
 [Available for MacOS, Linux, & Windows](https://go.warp.dev/caddy)<br>
 </div>
 <hr>
 ### Menu
@ -72,6 +43,18 @@
 - [Getting help](#getting-help)
 - [About](#about)
 <p align="center">
 	<b>Powered by</b>
 	<br>
 	<a href="https://github.com/caddyserver/certmagic">
 		<picture>
 			<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/55066419/206946718-740b6371-3df3-4d72-a822-47e4c48af999.png">
 			<source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png">
 			<img src="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png" alt="CertMagic" width="250">
 		</picture>
 	</a>
 </p>
 ## [Features](https://caddyserver.com/features)
@ -84,7 +67,6 @@
 	- Fully-managed local CA for internal names & IPs
 	- Can coordinate with other Caddy instances in a cluster
 	- Multi-issuer fallback
 	- Encrypted ClientHello (ECH) support
 - **Stays up when other servers go down** due to TLS/OCSP/certificate-related issues
 - **Production-ready** after serving trillions of requests and managing millions of TLS certificates
 - **Scales to hundreds of thousands of sites** as proven in production
@ -105,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 Requirements:
- [Go 1.25.0 or newer](https://golang.org/dl/)
+- [Go 1.22.3 or newer](https://golang.org/dl/)
 ### For development
@ -133,18 +115,11 @@ username ALL=(ALL:ALL) NOPASSWD: /usr/sbin/setcap
 replacing `username` with your actual username. Please be careful and only do this if you know what you are doing! We are only qualified to document how to use Caddy, not Go tooling or your computer, and we are providing these instructions for convenience only; please learn how to use your own computer at your own risk and make any needful adjustments.
 Then you can run the tests in all modules or a specific one:
 ```bash
 $ go test ./...
 $ go test ./modules/caddyhttp/tracing/
 ```
 ### With version information and/or plugins
 Using [our builder tool, `xcaddy`](https://github.com/caddyserver/xcaddy)...
-```bash
+```
 $ xcaddy build
 ```
@ -201,7 +176,7 @@ The docs are also open source. You can contribute to them here: https://github.c
 ## Getting help
- We advise companies using Caddy to secure a support contract through [Ardan Labs](https://www.ardanlabs.com) before help is needed.
+- We advise companies using Caddy to secure a support contract through [Ardan Labs](https://www.ardanlabs.com/my/contact-us?dd=caddy) before help is needed.
 - A [sponsorship](https://github.com/sponsors/mholt) goes a long way! We can offer private help to sponsors. If Caddy is benefitting your company, please consider a sponsorship. This not only helps fund full-time work to ensure the longevity of the project, it provides your company the resources, support, and discounts you need; along with being a great look for your company to your customers and potential customers!
@ -217,9 +192,9 @@ Matthew Holt began developing Caddy in 2014 while studying computer science at B
 **The name "Caddy" is trademarked.** The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". Caddy is a registered trademark of Stack Holdings GmbH.
- _Project on X: [@caddyserver](https://x.com/caddyserver)_
+- _Project on Twitter: [@caddyserver](https://twitter.com/caddyserver)_
- _Author on X: [@mholt6](https://x.com/mholt6)_
+- _Author on Twitter: [@mholt6](https://twitter.com/mholt6)_
-Caddy is a project of [ZeroSSL](https://zerossl.com), an HID Global company.
+Caddy is a project of [ZeroSSL](https://zerossl.com), a Stack Holdings company.
 Debian package repository hosting is graciously provided by [Cloudsmith](https://cloudsmith.com). Cloudsmith is the only fully hosted, cloud-native, universal package management solution, that enables your organization to create, store and share packages in any format, to any place, with total confidence.
--- a/admin.go
+++ b/admin.go
@ -221,8 +221,7 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Co
 	if remote {
 		muxWrap.remoteControl = admin.Remote
 	} else {
-		// see comment in allowedOrigins() as to why we disable the host check for unix/fd networks
+		muxWrap.enforceHost = !addr.isWildcardInterface()
 		muxWrap.enforceHost = !addr.isWildcardInterface() && !addr.IsUnixNetwork() && !addr.IsFdNetwork()
 		muxWrap.allowedOrigins = admin.allowedOrigins(addr)
 		muxWrap.enforceOrigin = admin.EnforceOrigin
 	}
@ -311,43 +310,47 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 	for _, o := range admin.Origins {
 		uniqueOrigins[o] = struct{}{}
 	}
-	// RFC 2616, Section 14.26:
+	if admin.Origins == nil {
 	// "A client MUST include a Host header field in all HTTP/1.1 request
 	// messages. If the requested URI does not include an Internet host
 	// name for the service being requested, then the Host header field MUST
 	// be given with an empty value."
 	//
 	// UPDATE July 2023: Go broke this by patching a minor security bug in 1.20.6.
 	// Understandable, but frustrating. See:
 	// https://github.com/golang/go/issues/60374
 	// See also the discussion here:
 	// https://github.com/golang/go/issues/61431
 	//
 	// We can no longer conform to RFC 2616 Section 14.26 from either Go or curl
 	// in purity. (Curl allowed no host between 7.40 and 7.50, but now requires a
 	// bogus host; see https://superuser.com/a/925610.) If we disable Host/Origin
 	// security checks, the infosec community assures me that it is secure to do
 	// so, because:
 	//
 	// 1) Browsers do not allow access to unix sockets
 	// 2) DNS is irrelevant to unix sockets
 	//
 	// If either of those two statements ever fail to hold true, it is not the
 	// fault of Caddy.
 	//
 	// Thus, we do not fill out allowed origins and do not enforce Host
 	// requirements for unix sockets. Enforcing it leads to confusion and
 	// frustration, when UDS have their own permissions from the OS.
 	// Enforcing host requirements here is effectively security theater,
 	// and a false sense of security.
 	//
 	// See also the discussion in #6832.
 	if admin.Origins == nil && !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
 		if addr.isLoopback() {
-			uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
+			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
-			uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
+				// RFC 2616, Section 14.26:
-			uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
+				// "A client MUST include a Host header field in all HTTP/1.1 request
-		} else {
+				// messages. If the requested URI does not include an Internet host
 				// name for the service being requested, then the Host header field MUST
 				// be given with an empty value."
 				//
 				// UPDATE July 2023: Go broke this by patching a minor security bug in 1.20.6.
 				// Understandable, but frustrating. See:
 				// https://github.com/golang/go/issues/60374
 				// See also the discussion here:
 				// https://github.com/golang/go/issues/61431
 				//
 				// We can no longer conform to RFC 2616 Section 14.26 from either Go or curl
 				// in purity. (Curl allowed no host between 7.40 and 7.50, but now requires a
 				// bogus host; see https://superuser.com/a/925610.) If we disable Host/Origin
 				// security checks, the infosec community assures me that it is secure to do
 				// so, because:
 				// 1) Browsers do not allow access to unix sockets
 				// 2) DNS is irrelevant to unix sockets
 				//
 				// I am not quite ready to trust either of those external factors, so instead
 				// of disabling Host/Origin checks, we now allow specific Host values when
 				// accessing the admin endpoint over unix sockets. I definitely don't trust
 				// DNS (e.g. I don't trust 'localhost' to always resolve to the local host),
 				// and IP shouldn't even be used, but if it is for some reason, I think we can
 				// at least be reasonably assured that 127.0.0.1 and ::1 route to the local
 				// machine, meaning that a hypothetical browser origin would have to be on the
 				// local machine as well.
 				uniqueOrigins[""] = struct{}{}
 				uniqueOrigins["127.0.0.1"] = struct{}{}
 				uniqueOrigins["::1"] = struct{}{}
 			} else {
 				uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
 				uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
 				uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
 			}
 		}
 		if !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
 			uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
 		}
 	}
@ -424,13 +427,6 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
 	// run the provisioners for loaded modules to make sure local
 	// state is properly re-initialized in the new admin server
 	err = cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
 		return err
 	}
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
 		return err
@ -552,13 +548,6 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 	// because we are using TLS authentication instead
 	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
 	// run the provisioners for loaded modules to make sure local
 	// state is properly re-initialized in the new admin server
 	err = cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
 		return err
 	}
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
 	clientCertPool := x509.NewCertPool()
@ -807,38 +796,13 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 	// common mitigations in browser contexts
 	if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
 		// I've never been able demonstrate a vulnerability myself, but apparently
 		// WebSocket connections originating from browsers aren't subject to CORS
 		// restrictions, so we'll just be on the safe side
-		h.handleError(w, r, APIError{
+		h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
 			HTTPStatus: http.StatusBadRequest,
 			Err:        errors.New("websocket connections aren't allowed"),
 			Message:    "WebSocket connections aren't allowed.",
 		})
 		return
 	}
 	if strings.Contains(r.Header.Get("Sec-Fetch-Mode"), "no-cors") {
 		// turns out web pages can just disable the same-origin policy (!???!?)
 		// but at least browsers let us know that's the case, holy heck
 		h.handleError(w, r, APIError{
 			HTTPStatus: http.StatusBadRequest,
 			Err:        errors.New("client attempted to make request by disabling same-origin policy using no-cors mode"),
 			Message:    "Disabling same-origin restrictions is not allowed.",
 		})
 		return
 	}
 	if r.Header.Get("Origin") == "null" {
 		// bug in Firefox in certain cross-origin situations (yikes?)
 		// (not strictly a security vuln on its own, but it's red flaggy,
 		// since it seems to manifest in cross-origin contexts)
 		h.handleError(w, r, APIError{
 			HTTPStatus: http.StatusBadRequest,
 			Err:        errors.New("invalid origin 'null'"),
 			Message:    "Buggy browser is sending null Origin header.",
 		})
 	}
 	if h.enforceHost {
 		// DNS rebinding mitigation
@ -849,9 +813,7 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	_, hasOriginHeader := r.Header["Origin"]
+	if h.enforceOrigin {
 	_, hasSecHeader := r.Header["Sec-Fetch-Mode"]
 	if h.enforceOrigin || hasOriginHeader || hasSecHeader {
 		// cross-site mitigation
 		origin, err := h.checkOrigin(r)
 		if err != nil {
@ -973,7 +935,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {
 	return false
 }
-// etagHasher returns the hasher we used on the config to both
+// etagHasher returns a the hasher we used on the config to both
 // produce and verify ETags.
 func etagHasher() hash.Hash { return xxhash.New() }
@ -1056,13 +1018,6 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 		// If this request changed the config, clear the last
 		// config info we have stored, if it is different from
 		// the original source.
 		ClearLastConfigIfDifferent(
 			r.Header.Get("Caddy-Config-Source-File"),
 			r.Header.Get("Caddy-Config-Source-Adapter"))
 	default:
 		return APIError{
 			HTTPStatus: http.StatusMethodNotAllowed,
@ -1137,10 +1092,7 @@ func unsyncedConfigAccess(method, path string, body []byte, out io.Writer) error
 	if len(body) > 0 {
 		err = json.Unmarshal(body, &val)
 		if err != nil {
-			if jsonErr, ok := err.(*json.SyntaxError); ok {
+			return fmt.Errorf("decoding request body: %v", err)
 				return fmt.Errorf("decoding request body: %w, at offset %d", jsonErr, jsonErr.Offset)
 			}
 			return fmt.Errorf("decoding request body: %w", err)
 		}
 	}
@ -1187,7 +1139,7 @@ traverseLoop:
 						return fmt.Errorf("[%s] invalid array index '%s': %v",
 							path, idxStr, err)
 					}
-					if idx < 0 || (method != http.MethodPut && idx >= len(arr)) || idx > len(arr) {
+					if idx < 0 || idx >= len(arr) {
 						return fmt.Errorf("[%s] array index out of bounds: %s", path, idxStr)
 					}
 				}
--- a/admin_test.go
+++ b/admin_test.go
@ -15,20 +15,12 @@
 package caddy
 import (
 	"context"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"maps"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"sync"
 	"testing"
 	"github.com/caddyserver/certmagic"
 	"github.com/prometheus/client_golang/prometheus"
 	dto "github.com/prometheus/client_model/go"
 )
 var testCfg = []byte(`{
@ -149,9 +141,11 @@ func TestLoadConcurrent(t *testing.T) {
 	var wg sync.WaitGroup
 	for i := 0; i < 100; i++ {
-		wg.Go(func() {
+		wg.Add(1)
 		go func() {
 			_ = Load(testCfg, true)
-		})
+			wg.Done()
 		}()
 	}
 	wg.Wait()
 }
@ -205,723 +199,7 @@ func TestETags(t *testing.T) {
 }
 func BenchmarkLoad(b *testing.B) {
-	for b.Loop() {
+	for i := 0; i < b.N; i++ {
 		Load(testCfg, true)
 	}
 }
 func TestAdminHandlerErrorHandling(t *testing.T) {
 	initAdminMetrics()
 	handler := adminHandler{
 		mux: http.NewServeMux(),
 	}
 	handler.mux.Handle("/error", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		err := fmt.Errorf("test error")
 		handler.handleError(w, r, err)
 	}))
 	req := httptest.NewRequest(http.MethodGet, "/error", nil)
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	if rr.Code == http.StatusOK {
 		t.Error("expected error response, got success")
 	}
 	var apiErr APIError
 	if err := json.NewDecoder(rr.Body).Decode(&apiErr); err != nil {
 		t.Fatalf("decoding response: %v", err)
 	}
 	if apiErr.Message != "test error" {
 		t.Errorf("expected error message 'test error', got '%s'", apiErr.Message)
 	}
 }
 func initAdminMetrics() {
 	if adminMetrics.requestErrors != nil {
 		prometheus.Unregister(adminMetrics.requestErrors)
 	}
 	if adminMetrics.requestCount != nil {
 		prometheus.Unregister(adminMetrics.requestCount)
 	}
 	adminMetrics.requestErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "caddy",
 		Subsystem: "admin_http",
 		Name:      "request_errors_total",
 		Help:      "Number of errors that occurred handling admin endpoint requests",
 	}, []string{"handler", "path", "method"})
 	adminMetrics.requestCount = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Namespace: "caddy",
 		Subsystem: "admin_http",
 		Name:      "requests_total",
 		Help:      "Count of requests to the admin endpoint",
 	}, []string{"handler", "path", "code", "method"}) // Added code and method labels
 	prometheus.MustRegister(adminMetrics.requestErrors)
 	prometheus.MustRegister(adminMetrics.requestCount)
 }
 func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 	initAdminMetrics()
 	cfg := &Config{
 		Admin: &AdminConfig{
 			Listen: "localhost:2019",
 		},
 	}
 	err := replaceLocalAdminServer(cfg, Context{})
 	if err != nil {
 		t.Fatalf("setting up admin server: %v", err)
 	}
 	defer func() {
 		stopAdminServer(localAdminServer)
 	}()
 	tests := []struct {
 		name           string
 		path           string
 		method         string
 		expectedStatus int
 	}{
 		{
 			name:           "stop endpoint wrong method",
 			path:           "/stop",
 			method:         http.MethodGet,
 			expectedStatus: http.StatusMethodNotAllowed,
 		},
 		{
 			name:           "config endpoint wrong content-type",
 			path:           "/config/",
 			method:         http.MethodPost,
 			expectedStatus: http.StatusBadRequest,
 		},
 		{
 			name:           "config ID missing ID",
 			path:           "/id/",
 			method:         http.MethodGet,
 			expectedStatus: http.StatusBadRequest,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			req := httptest.NewRequest(test.method, fmt.Sprintf("http://localhost:2019%s", test.path), nil)
 			rr := httptest.NewRecorder()
 			localAdminServer.Handler.ServeHTTP(rr, req)
 			if rr.Code != test.expectedStatus {
 				t.Errorf("expected status %d but got %d", test.expectedStatus, rr.Code)
 			}
 			metricValue := testGetMetricValue(map[string]string{
 				"path":    test.path,
 				"handler": "admin",
 				"method":  test.method,
 			})
 			if metricValue != 1 {
 				t.Errorf("expected error metric to be incremented once, got %v", metricValue)
 			}
 		})
 	}
 }
 func testGetMetricValue(labels map[string]string) float64 {
 	promLabels := prometheus.Labels{}
 	maps.Copy(promLabels, labels)
 	metric, err := adminMetrics.requestErrors.GetMetricWith(promLabels)
 	if err != nil {
 		return 0
 	}
 	pb := &dto.Metric{}
 	metric.Write(pb)
 	return pb.GetCounter().GetValue()
 }
 type mockRouter struct {
 	routes []AdminRoute
 }
 func (m mockRouter) Routes() []AdminRoute {
 	return m.routes
 }
 type mockModule struct {
 	mockRouter
 }
 func (m *mockModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "admin.api.mock",
 		New: func() Module {
 			mm := &mockModule{
 				mockRouter: mockRouter{
 					routes: m.routes,
 				},
 			}
 			return mm
 		},
 	}
 }
 func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
 	maps.Copy(originalModules, modules)
 	defer func() {
 		modules = originalModules
 	}()
 	mockRoute := AdminRoute{
 		Pattern: "/mock",
 		Handler: AdminHandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 			w.WriteHeader(http.StatusOK)
 			return nil
 		}),
 	}
 	mock := &mockModule{
 		mockRouter: mockRouter{
 			routes: []AdminRoute{mockRoute},
 		},
 	}
 	RegisterModule(mock)
 	addr, err := ParseNetworkAddress("localhost:2019")
 	if err != nil {
 		t.Fatalf("Failed to parse address: %v", err)
 	}
 	admin := &AdminConfig{
 		EnforceOrigin: false,
 	}
 	handler := admin.newAdminHandler(addr, false, Context{})
 	req := httptest.NewRequest("GET", "/mock", nil)
 	req.Host = "localhost:2019"
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	if rr.Code != http.StatusOK {
 		t.Errorf("Expected status code %d but got %d", http.StatusOK, rr.Code)
 		t.Logf("Response body: %s", rr.Body.String())
 	}
 	if len(admin.routers) != 1 {
 		t.Errorf("Expected 1 router to be stored, got %d", len(admin.routers))
 	}
 }
 type mockProvisionableRouter struct {
 	mockRouter
 	provisionErr error
 	provisioned  bool
 }
 func (m *mockProvisionableRouter) Provision(Context) error {
 	m.provisioned = true
 	return m.provisionErr
 }
 type mockProvisionableModule struct {
 	*mockProvisionableRouter
 }
 func (m *mockProvisionableModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "admin.api.mock_provision",
 		New: func() Module {
 			mm := &mockProvisionableModule{
 				mockProvisionableRouter: &mockProvisionableRouter{
 					mockRouter:   m.mockRouter,
 					provisionErr: m.provisionErr,
 				},
 			}
 			return mm
 		},
 	}
 }
 func TestAdminRouterProvisioning(t *testing.T) {
 	tests := []struct {
 		name         string
 		provisionErr error
 		wantErr      bool
 		routersAfter int // expected number of routers after provisioning
 	}{
 		{
 			name:         "successful provisioning",
 			provisionErr: nil,
 			wantErr:      false,
 			routersAfter: 0,
 		},
 		{
 			name:         "provisioning error",
 			provisionErr: fmt.Errorf("provision failed"),
 			wantErr:      true,
 			routersAfter: 1,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			originalModules := make(map[string]ModuleInfo)
 			maps.Copy(originalModules, modules)
 			defer func() {
 				modules = originalModules
 			}()
 			mockRoute := AdminRoute{
 				Pattern: "/mock",
 				Handler: AdminHandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 					return nil
 				}),
 			}
 			// Create provisionable module
 			mock := &mockProvisionableModule{
 				mockProvisionableRouter: &mockProvisionableRouter{
 					mockRouter: mockRouter{
 						routes: []AdminRoute{mockRoute},
 					},
 					provisionErr: test.provisionErr,
 				},
 			}
 			RegisterModule(mock)
 			admin := &AdminConfig{}
 			addr, err := ParseNetworkAddress("localhost:2019")
 			if err != nil {
 				t.Fatalf("Failed to parse address: %v", err)
 			}
 			_ = admin.newAdminHandler(addr, false, Context{})
 			err = admin.provisionAdminRouters(Context{})
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 			} else {
 				if err != nil {
 					t.Errorf("Expected no error but got: %v", err)
 				}
 			}
 			if len(admin.routers) != test.routersAfter {
 				t.Errorf("Expected %d routers after provisioning, got %d", test.routersAfter, len(admin.routers))
 			}
 		})
 	}
 }
 func TestAllowedOriginsUnixSocket(t *testing.T) {
 	// see comment in allowedOrigins() as to why we do not fill out allowed origins for UDS
 	tests := []struct {
 		name          string
 		addr          NetworkAddress
 		origins       []string
 		expectOrigins []string
 	}{
 		{
 			name: "unix socket with default origins",
 			addr: NetworkAddress{
 				Network: "unix",
 				Host:    "/tmp/caddy.sock",
 			},
 			origins:       nil, // default origins
 			expectOrigins: []string{},
 		},
 		{
 			name: "unix socket with custom origins",
 			addr: NetworkAddress{
 				Network: "unix",
 				Host:    "/tmp/caddy.sock",
 			},
 			origins: []string{"example.com"},
 			expectOrigins: []string{
 				"example.com",
 			},
 		},
 		{
 			name: "tcp socket on localhost gets all loopback addresses",
 			addr: NetworkAddress{
 				Network:   "tcp",
 				Host:      "localhost",
 				StartPort: 2019,
 				EndPort:   2019,
 			},
 			origins: nil,
 			expectOrigins: []string{
 				"localhost:2019",
 				"[::1]:2019",
 				"127.0.0.1:2019",
 			},
 		},
 	}
 	for i, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			admin := AdminConfig{
 				Origins: test.origins,
 			}
 			got := admin.allowedOrigins(test.addr)
 			var gotOrigins []string
 			for _, u := range got {
 				gotOrigins = append(gotOrigins, u.Host)
 			}
 			if len(gotOrigins) != len(test.expectOrigins) {
 				t.Errorf("%d: Expected %d origins but got %d", i, len(test.expectOrigins), len(gotOrigins))
 				return
 			}
 			expectMap := make(map[string]struct{})
 			for _, origin := range test.expectOrigins {
 				expectMap[origin] = struct{}{}
 			}
 			gotMap := make(map[string]struct{})
 			for _, origin := range gotOrigins {
 				gotMap[origin] = struct{}{}
 			}
 			if !reflect.DeepEqual(expectMap, gotMap) {
 				t.Errorf("%d: Origins mismatch.\nExpected: %v\nGot: %v", i, test.expectOrigins, gotOrigins)
 			}
 		})
 	}
 }
 func TestReplaceRemoteAdminServer(t *testing.T) {
 	const testCert = `MIIDCTCCAfGgAwIBAgIUXsqJ1mY8pKlHQtI3HJ23x2eZPqwwDQYJKoZIhvcNAQEL
 BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDEwMTAwMDAwMFoXDTI0MDEw
 MTAwMDAwMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
 AAOCAQ8AMIIBCgKCAQEA4O4S6BSoYcoxvRqI+h7yPOjF6KjntjzVVm9M+uHK4lzX
 F1L3pSxJ2nDD4wZEV3FJ5yFOHVFqkG2vXG3BIczOlYG7UeNmKbQnKc5kZj3HGUrS
 VGEktA4OJbeZhhWP15gcXN5eDM2eH3g9BFXVX6AURxLiUXzhNBUEZuj/OEyH9yEF
 /qPCE+EjzVvWxvBXwgz/io4r4yok/Vq/bxJ6FlV6R7DX5oJSXyO0VEHZPi9DIyNU
 kK3F/r4U1sWiJGWOs8i3YQWZ2ejh1C0aLFZpPcCGGgMNpoF31gyYP6ZuPDUyCXsE
 g36UUw1JHNtIXYcLhnXuqj4A8TybTDpgXLqvwA9DBQIDAQABo1MwUTAdBgNVHQ4E
 FgQUc13z30pFC63rr/HGKOE7E82vjXwwHwYDVR0jBBgwFoAUc13z30pFC63rr/HG
 KOE7E82vjXwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHO3j
 oeiUXXJ7xD4P8Wj5t9d+E8lE1Xv1Dk3Z+EdG5+dan+RcToE42JJp9zB7FIh5Qz8g
 W77LAjqh5oyqz3A2VJcyVgfE3uJP1R1mJM7JfGHf84QH4TZF2Q1RZY4SZs0VQ6+q
 5wSlIZ4NXDy4Q4XkIJBGS61wT8IzYFXYBpx4PCP1Qj0PIE4sevEGwjsBIgxK307o
 BxF8AWe6N6e4YZmQLGjQ+SeH0iwZb6vpkHyAY8Kj2hvK+cq2P7vU3VGi0t3r1F8L
 IvrXHCvO2BMNJ/1UK1M4YNX8LYJqQhg9hEsIROe1OE/m3VhxIYMJI+qZXk9yHfgJ
 vq+SH04xKhtFudVBAQ==`
 	tests := []struct {
 		name    string
 		cfg     *Config
 		wantErr bool
 	}{
 		{
 			name:    "nil config",
 			cfg:     nil,
 			wantErr: false,
 		},
 		{
 			name: "nil admin config",
 			cfg: &Config{
 				Admin: nil,
 			},
 			wantErr: false,
 		},
 		{
 			name: "nil remote config",
 			cfg: &Config{
 				Admin: &AdminConfig{},
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid listen address",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Remote: &RemoteAdmin{
 						Listen: "invalid:address",
 					},
 				},
 			},
 			wantErr: true,
 		},
 		{
 			name: "valid config",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{},
 					Remote: &RemoteAdmin{
 						Listen: "localhost:2021",
 						AccessControl: []*AdminAccess{
 							{
 								PublicKeys:  []string{testCert},
 								Permissions: []AdminPermissions{{Methods: []string{"GET"}, Paths: []string{"/test"}}},
 							},
 						},
 					},
 				},
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid certificate",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{},
 					Remote: &RemoteAdmin{
 						Listen: "localhost:2021",
 						AccessControl: []*AdminAccess{
 							{
 								PublicKeys:  []string{"invalid-cert-data"},
 								Permissions: []AdminPermissions{{Methods: []string{"GET"}, Paths: []string{"/test"}}},
 							},
 						},
 					},
 				},
 			},
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			ctx := Context{
 				Context: context.Background(),
 				cfg:     test.cfg,
 			}
 			if test.cfg != nil {
 				test.cfg.storage = &certmagic.FileStorage{Path: t.TempDir()}
 			}
 			if test.cfg != nil && test.cfg.Admin != nil && test.cfg.Admin.Identity != nil {
 				identityCertCache = certmagic.NewCache(certmagic.CacheOptions{
 					GetConfigForCert: func(certmagic.Certificate) (*certmagic.Config, error) {
 						return &certmagic.Config{}, nil
 					},
 				})
 			}
 			err := replaceRemoteAdminServer(ctx, test.cfg)
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 			} else {
 				if err != nil {
 					t.Errorf("Expected no error but got: %v", err)
 				}
 			}
 			// Clean up
 			if remoteAdminServer != nil {
 				_ = stopAdminServer(remoteAdminServer)
 			}
 		})
 	}
 }
 type mockIssuer struct {
 	configSet *certmagic.Config
 }
 func (m *mockIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) {
 	return &certmagic.IssuedCertificate{
 		Certificate: []byte(csr.Raw),
 	}, nil
 }
 func (m *mockIssuer) SetConfig(cfg *certmagic.Config) {
 	m.configSet = cfg
 }
 func (m *mockIssuer) IssuerKey() string {
 	return "mock"
 }
 type mockIssuerModule struct {
 	*mockIssuer
 }
 func (m *mockIssuerModule) CaddyModule() ModuleInfo {
 	return ModuleInfo{
 		ID: "tls.issuance.acme",
 		New: func() Module {
 			return &mockIssuerModule{mockIssuer: new(mockIssuer)}
 		},
 	}
 }
 func TestManageIdentity(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
 	maps.Copy(originalModules, modules)
 	defer func() {
 		modules = originalModules
 	}()
 	RegisterModule(&mockIssuerModule{})
 	certPEM := []byte(`-----BEGIN CERTIFICATE-----
 MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
 BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
 cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
 WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
 TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
 bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3lcub2pUwkjC
 5GJQA2ZZfJJi6d1QHhEmkX9VxKYGp6gagZuRqJWy9TXP6++1ZzQQxqZLD0TkuxZ9
 8i9Nz00000CCBjCCAQQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGgG
 CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
 L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
 b20vb2NzcDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/
 BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHREEEDAO
 ggxtYWlsLmdvb2dsZTANBgkqhkiG9w0BAQUFAAOCAQEAMP6IWgNGZE8wP9TjFjSZ
 3mmW3A1eIr0CuPwNZ2LJ5ZD1i70ojzcj4I9IdP5yPg9CAEV4hNASbM1LzfC7GmJE
 tPzW5tRmpKVWZGRgTgZI8Hp/xZXMwLh9ZmXV4kESFAGj5G5FNvJyUV7R5Eh+7OZX
 7G4jJ4ZGJh+5jzN9HdJJHQHGYNIYOzC7+HH9UMwCjX9vhQ4RjwFZJThS2Yb+y7pb
 9yxTJZoXC6J0H5JpnZb7kZEJ+Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 -----END CERTIFICATE-----`)
 	keyPEM := []byte(`-----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
 ...
 -----END PRIVATE KEY-----`)
 	testStorage := certmagic.FileStorage{Path: t.TempDir()}
 	err := testStorage.Store(context.Background(), "localhost/localhost.crt", certPEM)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = testStorage.Store(context.Background(), "localhost/localhost.key", keyPEM)
 	if err != nil {
 		t.Fatal(err)
 	}
 	tests := []struct {
 		name       string
 		cfg        *Config
 		wantErr    bool
 		checkState func(*testing.T, *Config)
 	}{
 		{
 			name: "nil config",
 			cfg:  nil,
 		},
 		{
 			name: "nil admin config",
 			cfg: &Config{
 				Admin: nil,
 			},
 		},
 		{
 			name: "nil identity config",
 			cfg: &Config{
 				Admin: &AdminConfig{},
 			},
 		},
 		{
 			name: "default issuer when none specified",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 					},
 				},
 				storage: &testStorage,
 			},
 			checkState: func(t *testing.T, cfg *Config) {
 				if len(cfg.Admin.Identity.issuers) == 0 {
 					t.Error("Expected at least 1 issuer to be configured")
 					return
 				}
 				if _, ok := cfg.Admin.Identity.issuers[0].(*mockIssuerModule); !ok {
 					t.Error("Expected mock issuer to be configured")
 				}
 			},
 		},
 		{
 			name: "custom issuer",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 						IssuersRaw: []json.RawMessage{
 							json.RawMessage(`{"module": "acme"}`),
 						},
 					},
 				},
 				storage: &certmagic.FileStorage{Path: "testdata"},
 			},
 			checkState: func(t *testing.T, cfg *Config) {
 				if len(cfg.Admin.Identity.issuers) != 1 {
 					t.Fatalf("Expected 1 issuer, got %d", len(cfg.Admin.Identity.issuers))
 				}
 				mockIss, ok := cfg.Admin.Identity.issuers[0].(*mockIssuerModule)
 				if !ok {
 					t.Fatal("Expected mock issuer")
 				}
 				if mockIss.configSet == nil {
 					t.Error("Issuer config was not set")
 				}
 			},
 		},
 		{
 			name: "invalid issuer module",
 			cfg: &Config{
 				Admin: &AdminConfig{
 					Identity: &IdentityConfig{
 						Identifiers: []string{"localhost"},
 						IssuersRaw: []json.RawMessage{
 							json.RawMessage(`{"module": "doesnt_exist"}`),
 						},
 					},
 				},
 			},
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			if identityCertCache != nil {
 				// Reset the cert cache before each test
 				identityCertCache.Stop()
 				identityCertCache = nil
 			}
 			ctx := Context{
 				Context:         context.Background(),
 				cfg:             test.cfg,
 				moduleInstances: make(map[string][]Module),
 			}
 			err := manageIdentity(ctx, test.cfg)
 			if test.wantErr {
 				if err == nil {
 					t.Error("Expected error but got nil")
 				}
 				return
 			}
 			if err != nil {
 				t.Fatalf("Expected no error but got: %v", err)
 			}
 			if test.checkState != nil {
 				test.checkState(t, test.cfg)
 			}
 		})
 	}
 }
--- a/caddy.go
+++ b/caddy.go
@ -81,17 +81,13 @@ type Config struct {
 	// associated value.
 	AppsRaw ModuleMap `json:"apps,omitempty" caddy:"namespace="`
-	apps map[string]App
+	apps    map[string]App
-
+	storage certmagic.Storage
 	// failedApps is a map of apps that failed to provision with their underlying error.
 	failedApps   map[string]error
 	storage      certmagic.Storage
 	eventEmitter eventEmitter
 	cancelFunc context.CancelFunc
-	// fileSystems is a dict of fileSystems that will later be loaded from and added to.
+	// filesystems is a dict of filesystems that will later be loaded from and added to.
-	fileSystems FileSystems
+	filesystems FileSystems
 }
 // App is a thing that Caddy runs.
@ -411,23 +407,11 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return ctx, nil
 	}
 	defer func() {
 		// if newCfg fails to start completely, clean up the already provisioned modules
 		// partially copied from provisionContext
 		if err != nil {
 			globalMetrics.configSuccess.Set(0)
 			ctx.cfg.cancelFunc()
 			if currentCtx.cfg != nil {
 				certmagic.Default.Storage = currentCtx.cfg.storage
 			}
 		}
 	}()
 	// Provision any admin routers which may need to access
 	// some of the other apps at runtime
 	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
 		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
@ -453,18 +437,14 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return nil
 	}()
 	if err != nil {
 		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 	globalMetrics.configSuccess.Set(1)
 	globalMetrics.configSuccessTime.SetToCurrentTime()
 	// TODO: This event is experimental and subject to change.
 	ctx.emitEvent("started", nil)
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
-	err = finishSettingUp(ctx, ctx.cfg)
+	return ctx, finishSettingUp(ctx, ctx.cfg)
 	return ctx, err
 }
 // provisionContext creates a new context from the given configuration and provisions
@ -520,12 +500,19 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 	// start the admin endpoint (and stop any prior one)
 	if replaceAdminServer {
 		err = replaceLocalAdminServer(newCfg, ctx)
 		if err != nil {
 			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
 		}
 	}
 	// create the new filesystem map
-	newCfg.fileSystems = &filesystems.FileSystemMap{}
+	newCfg.filesystems = &filesystems.FilesystemMap{}
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
 	newCfg.failedApps = make(map[string]error)
 	// set up global storage and make it CertMagic's default storage, too
 	err = func() error {
@ -552,14 +539,6 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 	// start the admin endpoint (and stop any prior one)
 	if replaceAdminServer {
 		err = replaceLocalAdminServer(newCfg, ctx)
 		if err != nil {
 			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
 		}
 	}
 	// Load and Provision each app and their submodules
 	err = func() error {
 		for appName := range newCfg.AppsRaw {
@ -717,9 +696,6 @@ func unsyncedStop(ctx Context) {
 		return
 	}
 	// TODO: This event is experimental and subject to change.
 	ctx.emitEvent("stopping", nil)
 	// stop each app
 	for name, a := range ctx.cfg.apps {
 		err := a.Stop()
@ -749,10 +725,8 @@ func Validate(cfg *Config) error {
 // Errors are logged along the way, and an appropriate exit
 // code is emitted.
 func exitProcess(ctx context.Context, logger *zap.Logger) {
-	// let the rest of the program know we're quitting; only do it once
+	// let the rest of the program know we're quitting
-	if !atomic.CompareAndSwapInt32(exiting, 0, 1) {
+	atomic.StoreInt32(exiting, 1)
 		return
 	}
 	// give the OS or service/process manager our 2 weeks' notice: we quit
 	if err := notify.Stopping(); err != nil {
@ -975,11 +949,11 @@ func Version() (simple, full string) {
 		if CustomVersion != "" {
 			full = CustomVersion
 			simple = CustomVersion
-			return simple, full
+			return
 		}
 		full = "unknown"
 		simple = "unknown"
-		return simple, full
+		return
 	}
 	// find the Caddy module in the dependency list
 	for _, dep := range bi.Deps {
@ -1059,101 +1033,9 @@ func Version() (simple, full string) {
 		}
 	}
-	return simple, full
+	return
 }
 // Event represents something that has happened or is happening.
 // An Event value is not synchronized, so it should be copied if
 // being used in goroutines.
 //
 // EXPERIMENTAL: Events are subject to change.
 type Event struct {
 	// If non-nil, the event has been aborted, meaning
 	// propagation has stopped to other handlers and
 	// the code should stop what it was doing. Emitters
 	// may choose to use this as a signal to adjust their
 	// code path appropriately.
 	Aborted error
 	// The data associated with the event. Usually the
 	// original emitter will be the only one to set or
 	// change these values, but the field is exported
 	// so handlers can have full access if needed.
 	// However, this map is not synchronized, so
 	// handlers must not use this map directly in new
 	// goroutines; instead, copy the map to use it in a
 	// goroutine. Data may be nil.
 	Data map[string]any
 	id     uuid.UUID
 	ts     time.Time
 	name   string
 	origin Module
 }
 // NewEvent creates a new event, but does not emit the event. To emit an
 // event, call Emit() on the current instance of the caddyevents app insteaad.
 //
 // EXPERIMENTAL: Subject to change.
 func NewEvent(ctx Context, name string, data map[string]any) (Event, error) {
 	id, err := uuid.NewRandom()
 	if err != nil {
 		return Event{}, fmt.Errorf("generating new event ID: %v", err)
 	}
 	name = strings.ToLower(name)
 	return Event{
 		Data:   data,
 		id:     id,
 		ts:     time.Now(),
 		name:   name,
 		origin: ctx.Module(),
 	}, nil
 }
 func (e Event) ID() uuid.UUID        { return e.id }
 func (e Event) Timestamp() time.Time { return e.ts }
 func (e Event) Name() string         { return e.name }
 func (e Event) Origin() Module       { return e.origin } // Returns the module that originated the event. May be nil, usually if caddy core emits the event.
 // CloudEvent exports event e as a structure that, when
 // serialized as JSON, is compatible with the
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
 	var source string
 	if e.Origin() == nil {
 		source = "caddy"
 	} else {
 		source = string(e.Origin().CaddyModule().ID)
 	}
 	return CloudEvent{
 		ID:              e.id.String(),
 		Source:          source,
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,
 		DataContentType: "application/json",
 		Data:            dataJSON,
 	}
 }
 // CloudEvent is a JSON-serializable structure that
 // is compatible with the CloudEvents specification.
 // See https://cloudevents.io.
 // EXPERIMENTAL: Subject to change.
 type CloudEvent struct {
 	ID              string          `json:"id"`
 	Source          string          `json:"source"`
 	SpecVersion     string          `json:"specversion"`
 	Type            string          `json:"type"`
 	Time            time.Time       `json:"time"`
 	DataContentType string          `json:"datacontenttype,omitempty"`
 	Data            json.RawMessage `json:"data,omitempty"`
 }
 // ErrEventAborted cancels an event.
 var ErrEventAborted = errors.New("event aborted")
 // ActiveContext returns the currently-active context.
 // This function is experimental and might be changed
 // or removed in the future.
@ -1197,91 +1079,6 @@ var (
 	rawCfgMu sync.RWMutex
 )
 // lastConfigFile and lastConfigAdapter remember the source config
 // file and adapter used when Caddy was started via the CLI "run" command.
 // These are consulted by the SIGUSR1 handler to attempt reloading from
 // the same source. They are intentionally not set for other entrypoints
 // such as "caddy start" or subcommands like file-server.
 var (
 	lastConfigMu      sync.RWMutex
 	lastConfigFile    string
 	lastConfigAdapter string
 )
 // reloadFromSourceFunc is the type of stored callback
 // which is called when we receive a SIGUSR1 signal.
 type reloadFromSourceFunc func(file, adapter string) error
 // reloadFromSourceCallback is the stored callback
 // which is called when we receive a SIGUSR1 signal.
 var reloadFromSourceCallback reloadFromSourceFunc
 // errReloadFromSourceUnavailable is returned when no reload-from-source callback is set.
 var errReloadFromSourceUnavailable = errors.New("reload from source unavailable in this process") //nolint:unused
 // SetLastConfig records the given source file and adapter as the
 // last-known external configuration source. Intended to be called
 // only when starting via "caddy run --config <file> --adapter <adapter>".
 func SetLastConfig(file, adapter string, fn reloadFromSourceFunc) {
 	lastConfigMu.Lock()
 	lastConfigFile = file
 	lastConfigAdapter = adapter
 	reloadFromSourceCallback = fn
 	lastConfigMu.Unlock()
 }
 // ClearLastConfigIfDifferent clears the recorded last-config if the provided
 // source file/adapter do not match the recorded last-config. If both srcFile
 // and srcAdapter are empty, the last-config is cleared.
 func ClearLastConfigIfDifferent(srcFile, srcAdapter string) {
 	if (srcFile != "" || srcAdapter != "") && lastConfigMatches(srcFile, srcAdapter) {
 		return
 	}
 	SetLastConfig("", "", nil)
 }
 // getLastConfig returns the last-known config file and adapter.
 func getLastConfig() (file, adapter string, fn reloadFromSourceFunc) {
 	lastConfigMu.RLock()
 	f, a, cb := lastConfigFile, lastConfigAdapter, reloadFromSourceCallback
 	lastConfigMu.RUnlock()
 	return f, a, cb
 }
 // lastConfigMatches returns true if the provided source file and/or adapter
 // matches the recorded last-config. Matching rules (in priority order):
 //  1. If srcAdapter is provided and differs from the recorded adapter, no match.
 //  2. If srcFile exactly equals the recorded file, match.
 //  3. If both sides can be made absolute and equal, match.
 //  4. If basenames are equal, match.
 func lastConfigMatches(srcFile, srcAdapter string) bool {
 	lf, la, _ := getLastConfig()
 	// If adapter is provided, it must match.
 	if srcAdapter != "" && srcAdapter != la {
 		return false
 	}
 	// Quick equality check.
 	if srcFile == lf {
 		return true
 	}
 	// Try absolute path comparison.
 	sAbs, sErr := filepath.Abs(srcFile)
 	lAbs, lErr := filepath.Abs(lf)
 	if sErr == nil && lErr == nil && sAbs == lAbs {
 		return true
 	}
 	// Final fallback: basename equality.
 	if filepath.Base(srcFile) == filepath.Base(lf) {
 		return true
 	}
 	return false
 }
 // errSameConfig is returned if the new config is the same
 // as the old one. This isn't usually an actual, actionable
 // error; it's mostly a sentinel value.
--- a/caddy_test.go
+++ b/caddy_test.go
@ -15,7 +15,6 @@
 package caddy
 import (
 	"context"
 	"testing"
 	"time"
 )
@ -73,21 +72,3 @@ func TestParseDuration(t *testing.T) {
 		}
 	}
 }
 func TestEvent_CloudEvent_NilOrigin(t *testing.T) {
 	ctx, _ := NewContext(Context{Context: context.Background()}) // module will be nil by default
 	event, err := NewEvent(ctx, "started", nil)
 	if err != nil {
 		t.Fatalf("NewEvent() error = %v", err)
 	}
 	// This should not panic
 	ce := event.CloudEvent()
 	if ce.Source != "caddy" {
 		t.Errorf("Expected CloudEvent Source to be 'caddy', got '%s'", ce.Source)
 	}
 	if ce.Type != "started" {
 		t.Errorf("Expected CloudEvent Type to be 'started', got '%s'", ce.Type)
 	}
 }
--- a/caddyconfig/caddyfile/adapter.go
+++ b/caddyconfig/caddyfile/adapter.go
@ -68,7 +68,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 // TODO: also perform this check on imported files
 func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bool) {
 	// replace windows-style newlines to normalize comparison
-	normalizedBody := bytes.ReplaceAll(body, []byte("\r\n"), []byte("\n"))
+	normalizedBody := bytes.Replace(body, []byte("\r\n"), []byte("\n"), -1)
 	formatted := Format(normalizedBody)
 	if bytes.Equal(formatted, normalizedBody) {
--- a/caddyconfig/caddyfile/dispenser.go
+++ b/caddyconfig/caddyfile/dispenser.go
@ -308,9 +308,9 @@ func (d *Dispenser) CountRemainingArgs() int {
 }
 // RemainingArgs loads any more arguments (tokens on the same line)
-// into a slice of strings and returns them. Open curly brace tokens
+// into a slice and returns them. Open curly brace tokens also indicate
-// also indicate the end of arguments, and the curly brace is not
+// the end of arguments, and the curly brace is not included in
-// included in the return value nor is it loaded.
+// the return value nor is it loaded.
 func (d *Dispenser) RemainingArgs() []string {
 	var args []string
 	for d.NextArg() {
@ -320,9 +320,9 @@ func (d *Dispenser) RemainingArgs() []string {
 }
 // RemainingArgsRaw loads any more arguments (tokens on the same line,
-// retaining quotes) into a slice of strings and returns them.
+// retaining quotes) into a slice and returns them. Open curly brace
-// Open curly brace tokens also indicate the end of arguments,
+// tokens also indicate the end of arguments, and the curly brace is
-// and the curly brace is not included in the return value nor is it loaded.
+// not included in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgsRaw() []string {
 	var args []string
 	for d.NextArg() {
@ -331,18 +331,6 @@ func (d *Dispenser) RemainingArgsRaw() []string {
 	return args
 }
 // RemainingArgsAsTokens loads any more arguments (tokens on the same line)
 // into a slice of Token-structs and returns them. Open curly brace tokens
 // also indicate the end of arguments, and the curly brace is not included
 // in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgsAsTokens() []Token {
 	var args []Token
 	for d.NextArg() {
 		args = append(args, d.Token())
 	}
 	return args
 }
 // NewFromNextSegment returns a new dispenser with a copy of
 // the tokens from the current token until the end of the
 // "directive" whether that be to the end of the line or
--- a/caddyconfig/caddyfile/dispenser_test.go
+++ b/caddyconfig/caddyfile/dispenser_test.go
@ -274,66 +274,6 @@ func TestDispenser_RemainingArgs(t *testing.T) {
 	}
 }
 func TestDispenser_RemainingArgsAsTokens(t *testing.T) {
 	input := `dir1 arg1 arg2 arg3
 			  dir2 arg4 arg5
 			  dir3 arg6 { arg7
 			  dir4`
 	d := NewTestDispenser(input)
 	d.Next() // dir1
 	args := d.RemainingArgsAsTokens()
 	tokenTexts := make([]string, 0, len(args))
 	for _, arg := range args {
 		tokenTexts = append(tokenTexts, arg.Text)
 	}
 	if expected := []string{"arg1", "arg2", "arg3"}; !reflect.DeepEqual(tokenTexts, expected) {
 		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
 	}
 	d.Next() // dir2
 	args = d.RemainingArgsAsTokens()
 	tokenTexts = tokenTexts[:0]
 	for _, arg := range args {
 		tokenTexts = append(tokenTexts, arg.Text)
 	}
 	if expected := []string{"arg4", "arg5"}; !reflect.DeepEqual(tokenTexts, expected) {
 		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
 	}
 	d.Next() // dir3
 	args = d.RemainingArgsAsTokens()
 	tokenTexts = tokenTexts[:0]
 	for _, arg := range args {
 		tokenTexts = append(tokenTexts, arg.Text)
 	}
 	if expected := []string{"arg6"}; !reflect.DeepEqual(tokenTexts, expected) {
 		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
 	}
 	d.Next() // {
 	d.Next() // arg7
 	d.Next() // dir4
 	args = d.RemainingArgsAsTokens()
 	tokenTexts = tokenTexts[:0]
 	for _, arg := range args {
 		tokenTexts = append(tokenTexts, arg.Text)
 	}
 	if len(args) != 0 {
 		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", []string{}, tokenTexts)
 	}
 }
 func TestDispenser_ArgErr_Err(t *testing.T) {
 	input := `dir1 {
 			  }
--- a/caddyconfig/caddyfile/formatter.go
+++ b/caddyconfig/caddyfile/formatter.go
@ -18,7 +18,6 @@ import (
 	"bytes"
 	"io"
 	"slices"
 	"strings"
 	"unicode"
 )
@ -53,9 +52,9 @@ func Format(input []byte) []byte {
 		newLines int // count of newlines consumed
-		comment bool   // whether we're in a comment
+		comment bool // whether we're in a comment
-		quotes  string // encountered quotes ('', '`', '"', '"`', '`"')
+		quoted  bool // whether we're in a quoted segment
-		escaped bool   // whether current char is escaped
+		escaped bool // whether current char is escaped
 		heredoc              heredocState // whether we're in a heredoc
 		heredocEscaped       bool         // whether heredoc is escaped
@ -89,8 +88,9 @@ func Format(input []byte) []byte {
 			}
 			panic(err)
 		}
 		// detect whether we have the start of a heredoc
-		if quotes == "" && (heredoc == heredocClosed && !heredocEscaped) &&
+		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening
@ -176,47 +176,16 @@ func Format(input []byte) []byte {
 			continue
 		}
-		if ch == '`' {
+		if quoted {
 			switch quotes {
 			case "\"`":
 				quotes = "\""
 			case "`":
 				quotes = ""
 			case "\"":
 				quotes = "\"`"
 			default:
 				quotes = "`"
 			}
 		}
 		if quotes == "\"" {
 			if ch == '"' {
-				quotes = ""
+				quoted = false
 			}
 			write(ch)
 			continue
 		}
-		if ch == '"' {
+		if space && ch == '"' {
-			switch quotes {
+			quoted = true
 			case "":
 				if space {
 					quotes = "\""
 				}
 			case "`\"":
 				quotes = "`"
 			case "\"`":
 				quotes = ""
 			}
 		}
 		if strings.Contains(quotes, "`") {
 			if ch == '`' && space && !beginningOfLine {
 				write(' ')
 			}
 			write(ch)
 			space = false
 			continue
 		}
 		if unicode.IsSpace(ch) {
@ -251,7 +220,7 @@ func Format(input []byte) []byte {
 			openBrace = false
 			if beginningOfLine {
 				indent()
-			} else if !openBraceSpace || !unicode.IsSpace(last) {
+			} else if !openBraceSpace {
 				write(' ')
 			}
 			write('{')
@ -267,23 +236,14 @@ func Format(input []byte) []byte {
 		switch {
 		case ch == '{':
 			openBrace = true
 			openBraceSpace = spacePrior && !beginningOfLine
 			if openBraceSpace && newLines == 0 {
 				write(' ')
 			}
 			openBraceWritten = false
-			if quotes == "`" {
+			openBraceSpace = spacePrior && !beginningOfLine
-				write('{')
+			if openBraceSpace {
-				openBraceWritten = true
+				write(' ')
 				continue
 			}
 			continue
 		case ch == '}' && (spacePrior || !openBrace):
 			if quotes == "`" {
 				write('}')
 				continue
 			}
 			if last != '\n' {
 				nextLine()
 			}
--- a/caddyconfig/caddyfile/formatter_test.go
+++ b/caddyconfig/caddyfile/formatter_test.go
@ -434,47 +434,6 @@ block2 {
 }
 `,
 		},
 		{
 			description: "Preserve braces wrapped by backquotes",
 			input:       "block {respond `All braces should remain: {{now | date \"2006\"}}`}",
 			expect:      "block {respond `All braces should remain: {{now | date \"2006\"}}`}",
 		},
 		{
 			description: "Preserve braces wrapped by quotes",
 			input:       "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 			expect:      "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 		},
 		{
 			description: "Preserve quoted backticks and backticked quotes",
 			input:       "block { respond \"`\" } block { respond `\"`}",
 			expect:      "block {\n\trespond \"`\"\n}\n\nblock {\n\trespond `\"`\n}",
 		},
 		{
 			description: "No trailing space on line before env variable",
 			input: `{
 	a
 	{$ENV_VAR}
 }
 `,
 			expect: `{
 	a
 	{$ENV_VAR}
 }
 `,
 		},
 		{
 			description: "issue #7425: multiline backticked string indentation",
 			input: `https://localhost:8953 {
    respond ` + "`" + `Here are some random numbers:
 {{randNumeric 16}}
 Hope this helps.` + "`" + `
 }`,
 			expect: "https://localhost:8953 {\n\trespond `Here are some random numbers:\n\n{{randNumeric 16}}\n\nHope this helps.`\n}",
 		},
 	} {
 		// the formatter should output a trailing newline,
 		// even if the tests aren't written to expect that
--- a/caddyconfig/caddyfile/lexer.go
+++ b/caddyconfig/caddyfile/lexer.go
@ -137,7 +137,7 @@ func (l *lexer) next() (bool, error) {
 		}
 		// detect whether we have the start of a heredoc
-		if (!quoted && !btQuoted) && (!inHeredoc && !heredocEscaped) &&
+		if !(quoted || btQuoted) && !(inHeredoc || heredocEscaped) &&
 			len(val) > 1 && string(val[:2]) == "<<" {
 			// a space means it's just a regular token and not a heredoc
 			if ch == ' ' {
@ -323,8 +323,7 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 		// if the padding doesn't match exactly at the start then we can't safely strip
 		if index != 0 {
-			cleanLineText := strings.TrimRight(lineText, "\r\n")
+			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, lineText, paddingToStrip)
 			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, cleanLineText, paddingToStrip)
 		}
 		// strip, then append the line, with the newline, to the output.
--- a/caddyconfig/caddyfile/parse.go
+++ b/caddyconfig/caddyfile/parse.go
@ -379,23 +379,28 @@ func (p *parser) doImport(nesting int) error {
 	if len(blockTokens) > 0 {
 		// use such tokens to create a new dispenser, and then use it to parse each block
 		bd := NewDispenser(blockTokens)
 		// one iteration processes one sub-block inside the import
 		for bd.Next() {
-			currentMappingKey := bd.Val()
+			// see if we can grab a key
-
+			var currentMappingKey string
-			if currentMappingKey == "{" {
+			if bd.Val() == "{" {
 				return p.Err("anonymous blocks are not supported")
 			}
-
+			currentMappingKey = bd.Val()
-			// load up all arguments (if there even are any)
+			currentMappingTokens := []Token{}
-			currentMappingTokens := bd.RemainingArgsAsTokens()
+			// read all args until end of line / {
-
+			if bd.NextArg() {
 			// load up the entire block
 			for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
 				currentMappingTokens = append(currentMappingTokens, bd.Token())
 				for bd.NextArg() {
 					currentMappingTokens = append(currentMappingTokens, bd.Token())
 				}
 				// TODO(elee1766): we don't enter another mapping here because it's annoying to extract the { and } properly.
 				// maybe someone can do that in the future
 			} else {
 				// attempt to enter a block and add tokens to the currentMappingTokens
 				for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
 					currentMappingTokens = append(currentMappingTokens, bd.Token())
 				}
 			}
 			blockMapping[currentMappingKey] = currentMappingTokens
 		}
 	}
@ -533,24 +538,29 @@ func (p *parser) doImport(nesting int) error {
 		}
 		// if it is {block}, we substitute with all tokens in the block
 		// if it is {blocks.*}, we substitute with the tokens in the mapping for the *
 		var skip bool
 		var tokensToAdd []Token
 		foundBlockDirective := false
 		switch {
 		case token.Text == "{block}":
 			foundBlockDirective = true
 			tokensToAdd = blockTokens
 		case strings.HasPrefix(token.Text, "{blocks.") && strings.HasSuffix(token.Text, "}"):
 			foundBlockDirective = true
 			// {blocks.foo.bar} will be extracted to key `foo.bar`
 			blockKey := strings.TrimPrefix(strings.TrimSuffix(token.Text, "}"), "{blocks.")
 			val, ok := blockMapping[blockKey]
 			if ok {
 				tokensToAdd = val
 			}
 		default:
 			skip = true
 		}
-
+		if !skip {
-		if foundBlockDirective {
+			if len(tokensToAdd) == 0 {
-			tokensCopy = append(tokensCopy, tokensToAdd...)
+				// if there is no content in the snippet block, don't do any replacement
 				// this allows snippets which contained {block}/{block.*} before this change to continue functioning as normal
 				tokensCopy = append(tokensCopy, token)
 			} else {
 				tokensCopy = append(tokensCopy, tokensToAdd...)
 			}
 			continue
 		}
@ -761,7 +771,7 @@ type ServerBlock struct {
 }
 func (sb ServerBlock) GetKeysText() []string {
-	res := make([]string, 0, len(sb.Keys))
+	res := []string{}
 	for _, k := range sb.Keys {
 		res = append(res, k.Text)
 	}
--- a/caddyconfig/caddyfile/parse_test.go
+++ b/caddyconfig/caddyfile/parse_test.go
@ -18,7 +18,6 @@ import (
 	"bytes"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 )
@ -885,51 +884,6 @@ func TestRejectsGlobalMatcher(t *testing.T) {
 	}
 }
 func TestRejectAnonymousImportBlock(t *testing.T) {
 	p := testParser(`
 		(site) {
 			http://{args[0]} https://{args[0]} {
 				{block}
 			}
 		}
 		import site test.domain {
 			{ 
 				header_up Host {host}
 				header_up X-Real-IP {remote_host}
 			}
 		}
 	`)
 	_, err := p.parseAll()
 	if err == nil {
 		t.Fatal("Expected an error, but got nil")
 	}
 	expected := "anonymous blocks are not supported"
 	if !strings.HasPrefix(err.Error(), "anonymous blocks are not supported") {
 		t.Errorf("Expected error to start with '%s' but got '%v'", expected, err)
 	}
 }
 func TestAcceptSiteImportWithBraces(t *testing.T) {
 	p := testParser(`
 		(site) {
 			http://{args[0]} https://{args[0]} {
 				{block}
 			}
 		}
 		import site test.domain {
 			reverse_proxy http://192.168.1.1:8080 { 
 				header_up Host {host}
 			}
 		}
 	`)
 	_, err := p.parseAll()
 	if err != nil {
 		t.Errorf("Expected error to be nil but got '%v'", err)
 	}
 }
 func testParser(input string) parser {
 	return parser{Dispenser: NewTestDispenser(input)}
 }
--- a/caddyconfig/configadapters.go
+++ b/caddyconfig/configadapters.go
@ -81,11 +81,7 @@ func JSONModuleObject(val any, fieldName, fieldVal string, warnings *[]Warning)
 	err = json.Unmarshal(enc, &tmp)
 	if err != nil {
 		if warnings != nil {
-			message := err.Error()
+			*warnings = append(*warnings, Warning{Message: err.Error()})
 			if jsonErr, ok := err.(*json.SyntaxError); ok {
 				message = fmt.Sprintf("%v, at offset %d", jsonErr.Error(), jsonErr.Offset)
 			}
 			*warnings = append(*warnings, Warning{Message: message})
 		}
 		return nil
 	}
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@ -15,7 +15,6 @@
 package httpcaddyfile
 import (
 	"encoding/json"
 	"fmt"
 	"html"
 	"net/http"
@ -91,7 +90,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    curves    <curves...>
 //	    client_auth {
 //	        mode                   [request|require|verify_if_given|require_and_verify]
-//	        trust_pool             <module_name> [...]
+//	        trust_pool			   <module_name> [...]
 //	        trusted_leaf_cert      <base64_der>
 //	        trusted_leaf_cert_file <filename>
 //	    }
@ -100,7 +99,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    ca                            <acme_ca_endpoint>
 //	    ca_root                       <pem_file>
 //	    key_type                      [ed25519|p256|p384|rsa2048|rsa4096]
-//	    dns                           [<provider_name> [...]]    (required, though, if DNS is not configured as global option)
+//	    dns                           <provider_name> [...]
 //	    propagation_delay             <duration>
 //	    propagation_timeout           <duration>
 //	    resolvers                     <dns_servers...>
@ -113,7 +112,6 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    issuer                        <module_name> [...]
 //	    get_certificate               <module_name> [...]
 //	    insecure_secrets_log          <log_file>
 //	    renewal_window_ratio          <ratio>
 //	}
 func parseTLS(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
@ -130,10 +128,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var onDemand bool
 	var reusePrivateKeys bool
 	var forceAutomate bool
 	var renewalWindowRatio float64
 	// Track which DNS challenge options are set
 	var dnsOptionsSet []string
 	firstLine := h.RemainingArgs()
 	switch len(firstLine) {
@ -318,6 +312,10 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			certManagers = append(certManagers, certManager)
 		case "dns":
 			if !h.NextArg() {
 				return nil, h.ArgErr()
 			}
 			provName := h.Val()
 			if acmeIssuer == nil {
 				acmeIssuer = new(caddytls.ACMEIssuer)
 			}
@ -327,19 +325,12 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
-			// DNS provider configuration optional, since it may be configured globally via the TLS app with global options
+			modID := "dns.providers." + provName
-			if h.NextArg() {
+			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
-				provName := h.Val()
+			if err != nil {
-				modID := "dns.providers." + provName
+				return nil, err
 				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 				if err != nil {
 					return nil, err
 				}
 				acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings)
 			} else if h.Option("dns") == nil {
 				// if DNS is omitted locally, it needs to be configured globally
 				return nil, h.ArgErr()
 			}
 			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings)
 		case "resolvers":
 			args := h.RemainingArgs()
@ -355,7 +346,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
 			dnsOptionsSet = append(dnsOptionsSet, "resolvers")
 			acmeIssuer.Challenges.DNS.Resolvers = args
 		case "propagation_delay":
@ -377,7 +367,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
 			dnsOptionsSet = append(dnsOptionsSet, "propagation_delay")
 			acmeIssuer.Challenges.DNS.PropagationDelay = caddy.Duration(delay)
 		case "propagation_timeout":
@ -405,7 +394,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
 			dnsOptionsSet = append(dnsOptionsSet, "propagation_timeout")
 			acmeIssuer.Challenges.DNS.PropagationTimeout = caddy.Duration(timeout)
 		case "dns_ttl":
@ -427,7 +415,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
 			dnsOptionsSet = append(dnsOptionsSet, "dns_ttl")
 			acmeIssuer.Challenges.DNS.TTL = caddy.Duration(ttl)
 		case "dns_challenge_override_domain":
@ -444,7 +431,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
 			dnsOptionsSet = append(dnsOptionsSet, "dns_challenge_override_domain")
 			acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
 		case "ca_root":
@ -475,37 +461,11 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			}
 			cp.InsecureSecretsLog = h.Val()
 		case "renewal_window_ratio":
 			arg := h.RemainingArgs()
 			if len(arg) != 1 {
 				return nil, h.ArgErr()
 			}
 			ratio, err := strconv.ParseFloat(arg[0], 64)
 			if err != nil {
 				return nil, h.Errf("parsing renewal_window_ratio: %v", err)
 			}
 			if ratio <= 0 || ratio >= 1 {
 				return nil, h.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
 			}
 			renewalWindowRatio = ratio
 		default:
 			return nil, h.Errf("unknown subdirective: %s", h.Val())
 		}
 	}
 	// Validate DNS challenge config: any DNS challenge option except "dns" requires a DNS provider
 	if acmeIssuer != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
 		dnsCfg := acmeIssuer.Challenges.DNS
 		providerSet := dnsCfg.ProviderRaw != nil || h.Option("dns") != nil || h.Option("acme_dns") != nil
 		if len(dnsOptionsSet) > 0 && !providerSet {
 			return nil, h.Errf(
 				"setting DNS challenge options [%s] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option)",
 				strings.Join(dnsOptionsSet, ", "),
 			)
 		}
 	}
 	// a naked tls directive is not allowed
 	if len(firstLine) == 0 && !hasBlock {
 		return nil, h.ArgErr()
@ -613,14 +573,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		})
 	}
 	// renewal window ratio
 	if renewalWindowRatio > 0 {
 		configVals = append(configVals, ConfigValue{
 			Class: "tls.renewal_window_ratio",
 			Value: renewalWindowRatio,
 		})
 	}
 	// if enabled, the names in the site addresses will be
 	// added to the automation policies
 	if forceAutomate {
@ -888,18 +840,13 @@ func parseHandleErrors(h Helper) ([]ConfigValue, error) {
 		return nil, h.Errf("segment was not parsed as a subroute")
 	}
 	// wrap the subroutes
 	wrappingRoute := caddyhttp.Route{
 		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
 	}
 	subroute = &caddyhttp.Subroute{
 		Routes: []caddyhttp.Route{wrappingRoute},
 	}
 	if expression != "" {
 		statusMatcher := caddy.ModuleMap{
 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 		}
-		subroute.Routes[0].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
+		for i := range subroute.Routes {
 			subroute.Routes[i].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
 		}
 	}
 	return []ConfigValue{
 		{
@ -954,7 +901,6 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 	// modifications to the parsing behavior.
 	parseAsGlobalOption := globalLogNames != nil
 	// nolint:prealloc
 	var configValues []ConfigValue
 	// Logic below expects that a name is always present when a
@ -1211,11 +1157,6 @@ func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	if h.NextArg() {
 		return nil, h.ArgErr()
 	}
 	if h.NextBlock(0) {
 		return nil, h.Err("log_skip directive does not accept blocks")
 	}
 	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
 }
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@ -16,7 +16,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"maps"
 	"net"
 	"slices"
 	"sort"
@ -174,12 +173,10 @@ func RegisterDirectiveOrder(dir string, position Positional, standardDir string)
 		if d != standardDir {
 			continue
 		}
-		switch position {
+		if position == Before {
 		case Before:
 			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		case After:
+		} else if position == After {
 			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
 		case First, Last:
 		}
 		break
 	}
@ -368,7 +365,9 @@ func parseSegmentAsConfig(h Helper) ([]ConfigValue, error) {
 		// copy existing matcher definitions so we can augment
 		// new ones that are defined only in this scope
 		matcherDefs := make(map[string]caddy.ModuleMap, len(h.matcherDefs))
-		maps.Copy(matcherDefs, h.matcherDefs)
+		for key, val := range h.matcherDefs {
 			matcherDefs[key] = val
 		}
 		// find and extract any embedded matcher definitions in this scope
 		for i := 0; i < len(segments); i++ {
@ -484,29 +483,12 @@ func sortRoutes(routes []ConfigValue) {
 			// we can only confidently compare path lengths if both
 			// directives have a single path to match (issue #5037)
 			if iPathLen > 0 && jPathLen > 0 {
 				// trim the trailing wildcard if there is one
 				iPathTrimmed := strings.TrimSuffix(iPM[0], "*")
 				jPathTrimmed := strings.TrimSuffix(jPM[0], "*")
 				// if both paths are the same except for a trailing wildcard,
 				// sort by the shorter path first (which is more specific)
-				if iPathTrimmed == jPathTrimmed {
+				if strings.TrimSuffix(iPM[0], "*") == strings.TrimSuffix(jPM[0], "*") {
 					return iPathLen < jPathLen
 				}
 				// we use the trimmed length to compare the paths
 				// https://github.com/caddyserver/caddy/issues/7012#issuecomment-2870142195
 				// credit to https://github.com/Hellio404
 				// for sorts with many items, mixing matchers w/ and w/o wildcards will confuse the sort and result in incorrect orders
 				iPathLen = len(iPathTrimmed)
 				jPathLen = len(jPathTrimmed)
 				// if both paths have the same length, sort lexically
 				// https://github.com/caddyserver/caddy/pull/7015#issuecomment-2871993588
 				if iPathLen == jPathLen {
 					return iPathTrimmed < jPathTrimmed
 				}
 				// sort most-specific (longest) path first
 				return iPathLen > jPathLen
 			}
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@ -191,7 +191,7 @@ func (st ServerType) Setup(
 	metrics, _ := options["metrics"].(*caddyhttp.Metrics)
 	for _, s := range servers {
 		if s.Metrics != nil {
-			metrics = cmp.Or(metrics, &caddyhttp.Metrics{})
+			metrics = cmp.Or[*caddyhttp.Metrics](metrics, &caddyhttp.Metrics{})
 			metrics = &caddyhttp.Metrics{
 				PerHost: metrics.PerHost || s.Metrics.PerHost,
 			}
@ -350,7 +350,7 @@ func (st ServerType) Setup(
 				// avoid duplicates by sorting + compacting
 				sort.Strings(defaultLog.Exclude)
-				defaultLog.Exclude = slices.Compact(defaultLog.Exclude)
+				defaultLog.Exclude = slices.Compact[[]string, string](defaultLog.Exclude)
 			}
 		}
 		// we may have not actually added anything, so remove if empty
@ -633,6 +633,12 @@ func (st *ServerType) serversFromPairings(
 					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 				}
 				srv.AutoHTTPS.IgnoreLoadedCerts = true
 			case "prefer_wildcard":
 				if srv.AutoHTTPS == nil {
 					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 				}
 				srv.AutoHTTPS.PreferWildcard = true
 			}
 		}
@ -700,6 +706,16 @@ func (st *ServerType) serversFromPairings(
 			return specificity(iLongestHost) > specificity(jLongestHost)
 		})
 		// collect all hosts that have a wildcard in them
 		wildcardHosts := []string{}
 		for _, sblock := range p.serverBlocks {
 			for _, addr := range sblock.parsedKeys {
 				if strings.HasPrefix(addr.Host, "*.") {
 					wildcardHosts = append(wildcardHosts, addr.Host[2:])
 				}
 			}
 		}
 		var hasCatchAllTLSConnPolicy, addressQualifiesForTLS bool
 		autoHTTPSWillAddConnPolicy := srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled
@ -785,13 +801,7 @@ func (st *ServerType) serversFromPairings(
 						cp.FallbackSNI = fallbackSNI
 					}
-					// only append this policy if it actually changes something,
+					// only append this policy if it actually changes something
 					// or if the configuration explicitly automates certs for
 					// these names (this is necessary to hoist a connection policy
 					// above one that may manually load a wildcard cert that would
 					// otherwise clobber the automated one; the code that appends
 					// policies that manually load certs comes later, so they're
 					// lower in the list)
 					if !cp.SettingsEmpty() || mapContains(forceAutomatedNames, hosts) {
 						srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
 						hasCatchAllTLSConnPolicy = len(hosts) == 0
@ -831,6 +841,18 @@ func (st *ServerType) serversFromPairings(
 					addressQualifiesForTLS = true
 				}
 				// If prefer wildcard is enabled, then we add hosts that are
 				// already covered by the wildcard to the skip list
 				if addressQualifiesForTLS && srv.AutoHTTPS != nil && srv.AutoHTTPS.PreferWildcard {
 					baseDomain := addr.Host
 					if idx := strings.Index(baseDomain, "."); idx != -1 {
 						baseDomain = baseDomain[idx+1:]
 					}
 					if !strings.HasPrefix(addr.Host, "*.") && slices.Contains(wildcardHosts, baseDomain) {
 						srv.AutoHTTPS.SkipCerts = append(srv.AutoHTTPS.SkipCerts, addr.Host)
 					}
 				}
 				// predict whether auto-HTTPS will add the conn policy for us; if so, we
 				// may not need to add one for this server
 				autoHTTPSWillAddConnPolicy = autoHTTPSWillAddConnPolicy &&
@ -851,20 +873,6 @@ func (st *ServerType) serversFromPairings(
 				srv.ListenerWrappersRaw = append(srv.ListenerWrappersRaw, jsonListenerWrapper)
 			}
 			// Look for any config values that provide packet conn wrappers on the server block
 			for _, listenerConfig := range sblock.pile["packet_conn_wrapper"] {
 				packetConnWrapper, ok := listenerConfig.Value.(caddy.PacketConnWrapper)
 				if !ok {
 					return nil, fmt.Errorf("config for a packet conn wrapper did not provide a value that implements caddy.PacketConnWrapper")
 				}
 				jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
 					packetConnWrapper,
 					"wrapper",
 					packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
 					warnings)
 				srv.PacketConnWrappersRaw = append(srv.PacketConnWrappersRaw, jsonPacketConnWrapper)
 			}
 			// set up each handler directive, making sure to honor directive order
 			dirRoutes := sblock.pile["route"]
 			siteSubroute, err := buildSubroute(dirRoutes, groupCounter, true)
@ -1075,40 +1083,11 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 			// if they're exactly equal in every way, just keep one of them
 			if reflect.DeepEqual(cps[i], cps[j]) {
-				cps = slices.Delete(cps, j, j+1)
+				cps = append(cps[:j], cps[j+1:]...)
 				i--
 				break
 			}
 			// as a special case, if there are adjacent TLS conn policies that are identical except
 			// by their matchers, and the matchers are specifically just ServerName ("sni") matchers
 			// (by far the most common), we can combine them into a single policy
 			if i == j-1 && len(cps[i].MatchersRaw) == 1 && len(cps[j].MatchersRaw) == 1 {
 				if iSNIMatcherJSON, ok := cps[i].MatchersRaw["sni"]; ok {
 					if jSNIMatcherJSON, ok := cps[j].MatchersRaw["sni"]; ok {
 						// position of policies and the matcher criteria check out; if settings are
 						// the same, then we can combine the policies; we have to unmarshal and
 						// remarshal the matchers though
 						if cps[i].SettingsEqual(*cps[j]) {
 							var iSNIMatcher caddytls.MatchServerName
 							if err := json.Unmarshal(iSNIMatcherJSON, &iSNIMatcher); err == nil {
 								var jSNIMatcher caddytls.MatchServerName
 								if err := json.Unmarshal(jSNIMatcherJSON, &jSNIMatcher); err == nil {
 									iSNIMatcher = append(iSNIMatcher, jSNIMatcher...)
 									cps[i].MatchersRaw["sni"], err = json.Marshal(iSNIMatcher)
 									if err != nil {
 										return nil, fmt.Errorf("recombining SNI matchers: %v", err)
 									}
 									cps = slices.Delete(cps, j, j+1)
 									i--
 									break
 								}
 							}
 						}
 					}
 				}
 			}
 			// if they have the same matcher, try to reconcile each field: either they must
 			// be identical, or we have to be able to combine them safely
 			if reflect.DeepEqual(cps[i].MatchersRaw, cps[j].MatchersRaw) {
@ -1142,12 +1121,6 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 					return nil, fmt.Errorf("two policies with same match criteria have conflicting default SNI: %s vs. %s",
 						cps[i].DefaultSNI, cps[j].DefaultSNI)
 				}
 				if cps[i].FallbackSNI != "" &&
 					cps[j].FallbackSNI != "" &&
 					cps[i].FallbackSNI != cps[j].FallbackSNI {
 					return nil, fmt.Errorf("two policies with same match criteria have conflicting fallback SNI: %s vs. %s",
 						cps[i].FallbackSNI, cps[j].FallbackSNI)
 				}
 				if cps[i].ProtocolMin != "" &&
 					cps[j].ProtocolMin != "" &&
 					cps[i].ProtocolMin != cps[j].ProtocolMin {
@ -1188,9 +1161,6 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 				if cps[i].DefaultSNI == "" && cps[j].DefaultSNI != "" {
 					cps[i].DefaultSNI = cps[j].DefaultSNI
 				}
 				if cps[i].FallbackSNI == "" && cps[j].FallbackSNI != "" {
 					cps[i].FallbackSNI = cps[j].FallbackSNI
 				}
 				if cps[i].ProtocolMin == "" && cps[j].ProtocolMin != "" {
 					cps[i].ProtocolMin = cps[j].ProtocolMin
 				}
@ -1210,13 +1180,12 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 					}
 				}
-				cps = slices.Delete(cps, j, j+1)
+				cps = append(cps[:j], cps[j+1:]...)
 				i--
 				break
 			}
 		}
 	}
 	return cps, nil
 }
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@ -19,7 +19,6 @@ import (
 	"strconv"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
 	"github.com/mholt/acmez/v3/acme"
 	"github.com/caddyserver/caddy/v2"
@ -46,7 +45,7 @@ func init() {
 	RegisterGlobalOption("ocsp_interval", parseOptDuration)
 	RegisterGlobalOption("acme_ca", parseOptSingleString)
 	RegisterGlobalOption("acme_ca_root", parseOptSingleString)
-	RegisterGlobalOption("acme_dns", parseOptDNS)
+	RegisterGlobalOption("acme_dns", parseOptACMEDNS)
 	RegisterGlobalOption("acme_eab", parseOptACMEEAB)
 	RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
 	RegisterGlobalOption("skip_install_trust", parseOptTrue)
@ -63,9 +62,6 @@ func init() {
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
 	RegisterGlobalOption("dns", parseOptDNS)
 	RegisterGlobalOption("ech", parseOptECH)
 	RegisterGlobalOption("renewal_window_ratio", parseOptRenewalWindowRatio)
 }
 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
@ -242,6 +238,25 @@ func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
 	return caddy.Duration(dur), nil
 }
 func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	if !d.Next() { // consume option name
 		return nil, d.ArgErr()
 	}
 	if !d.Next() { // get DNS module name
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()
 	unm, err := caddyfile.UnmarshalModule(d, modID)
 	if err != nil {
 		return nil, err
 	}
 	prov, ok := unm.(certmagic.DNSProvider)
 	if !ok {
 		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
 	}
 	return prov, nil
 }
 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
 	d.Next() // consume option name
@ -458,8 +473,11 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
 		case "disable_redirects":
 		case "disable_certs":
 		case "ignore_loaded_certs":
 		case "prefer_wildcard":
 			break
 		default:
-			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
+			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
 		}
 	}
 	return val, nil
@ -472,8 +490,6 @@ func unmarshalCaddyfileMetricsOptions(d *caddyfile.Dispenser) (any, error) {
 		switch d.Val() {
 		case "per_host":
 			metrics.PerHost = true
 		case "observe_catchall_hosts":
 			metrics.ObserveCatchallHosts = true
 		default:
 			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 		}
@ -554,93 +570,3 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next()
 	return caddytls.ParseCaddyfilePreferredChainsOptions(d)
 }
 func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	optName := d.Val()
 	// get DNS module name
 	if !d.Next() {
 		// this is allowed if this is the "acme_dns" option since it may refer to the globally-configured "dns" option's value
 		if optName == "acme_dns" {
 			return nil, nil
 		}
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()
 	unm, err := caddyfile.UnmarshalModule(d, modID)
 	if err != nil {
 		return nil, err
 	}
 	switch unm.(type) {
 	case libdns.RecordGetter,
 		libdns.RecordSetter,
 		libdns.RecordAppender,
 		libdns.RecordDeleter:
 	default:
 		return nil, d.Errf("module %s (%T) is not a libdns provider", modID, unm)
 	}
 	return unm, nil
 }
 func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	ech := new(caddytls.ECH)
 	publicNames := d.RemainingArgs()
 	for _, publicName := range publicNames {
 		ech.Configs = append(ech.Configs, caddytls.ECHConfiguration{
 			PublicName: publicName,
 		})
 	}
 	if len(ech.Configs) == 0 {
 		return nil, d.ArgErr()
 	}
 	for nesting := d.Nesting(); d.NextBlock(nesting); {
 		switch d.Val() {
 		case "dns":
 			if !d.Next() {
 				return nil, d.ArgErr()
 			}
 			providerName := d.Val()
 			modID := "dns.providers." + providerName
 			unm, err := caddyfile.UnmarshalModule(d, modID)
 			if err != nil {
 				return nil, err
 			}
 			ech.Publication = append(ech.Publication, &caddytls.ECHPublication{
 				Configs: publicNames,
 				PublishersRaw: caddy.ModuleMap{
 					"dns": caddyconfig.JSON(caddytls.ECHDNSPublisher{
 						ProviderRaw: caddyconfig.JSONModuleObject(unm, "name", providerName, nil),
 					}, nil),
 				},
 			})
 		default:
 			return nil, d.Errf("ech: unrecognized subdirective '%s'", d.Val())
 		}
 	}
 	return ech, nil
 }
 func parseOptRenewalWindowRatio(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	if !d.Next() {
 		return 0, d.ArgErr()
 	}
 	val := d.Val()
 	ratio, err := strconv.ParseFloat(val, 64)
 	if err != nil {
 		return 0, d.Errf("parsing renewal_window_ratio: %v", err)
 	}
 	if ratio <= 0 || ratio >= 1 {
 		return 0, d.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
 	}
 	if d.Next() {
 		return 0, d.ArgErr()
 	}
 	return ratio, nil
 }
--- a/caddyconfig/httpcaddyfile/pkiapp.go
+++ b/caddyconfig/httpcaddyfile/pkiapp.go
@ -15,8 +15,6 @@
 package httpcaddyfile
 import (
 	"slices"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@ -180,15 +178,6 @@ func (st ServerType) buildPKIApp(
 	if _, ok := options["skip_install_trust"]; ok {
 		skipInstallTrust = true
 	}
 	// check if auto_https is off - in that case we should not create
 	// any PKI infrastructure even with skip_install_trust directive
 	autoHTTPS := []string{}
 	if ah, ok := options["auto_https"].([]string); ok {
 		autoHTTPS = ah
 	}
 	autoHTTPSOff := slices.Contains(autoHTTPS, "off")
 	falseBool := false
 	// Load the PKI app configured via global options
@ -229,8 +218,7 @@ func (st ServerType) buildPKIApp(
 	// if there was no CAs defined in any of the servers,
 	// and we were requested to not install trust, then
 	// add one for the default/local CA to do so
-	// only if auto_https is not completely disabled
+	if len(pkiApp.CAs) == 0 && skipInstallTrust {
 	if len(pkiApp.CAs) == 0 && skipInstallTrust && !autoHTTPSOff {
 		ca := new(caddypki.CA)
 		ca.ID = caddypki.DefaultCAID
 		ca.InstallTrust = &falseBool
--- a/caddyconfig/httpcaddyfile/serveroptions.go
+++ b/caddyconfig/httpcaddyfile/serveroptions.go
@ -18,7 +18,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
 	"strconv"
 	"github.com/dustin/go-humanize"
@ -36,27 +35,23 @@ type serverOptions struct {
 	ListenerAddress string
 	// These will all map 1:1 to the caddyhttp.Server struct
-	Name                  string
+	Name                 string
-	ListenerWrappersRaw   []json.RawMessage
+	ListenerWrappersRaw  []json.RawMessage
-	PacketConnWrappersRaw []json.RawMessage
+	ReadTimeout          caddy.Duration
-	ReadTimeout           caddy.Duration
+	ReadHeaderTimeout    caddy.Duration
-	ReadHeaderTimeout     caddy.Duration
+	WriteTimeout         caddy.Duration
-	WriteTimeout          caddy.Duration
+	IdleTimeout          caddy.Duration
-	IdleTimeout           caddy.Duration
+	KeepAliveInterval    caddy.Duration
-	KeepAliveInterval     caddy.Duration
+	MaxHeaderBytes       int
-	KeepAliveIdle         caddy.Duration
+	EnableFullDuplex     bool
-	KeepAliveCount        int
+	Protocols            []string
-	MaxHeaderBytes        int
+	StrictSNIHost        *bool
-	EnableFullDuplex      bool
+	TrustedProxiesRaw    json.RawMessage
-	Protocols             []string
+	TrustedProxiesStrict int
-	StrictSNIHost         *bool
+	ClientIPHeaders      []string
-	TrustedProxiesRaw     json.RawMessage
+	ShouldLogCredentials bool
-	TrustedProxiesStrict  int
+	Metrics              *caddyhttp.Metrics
-	TrustedProxiesUnix    bool
+	Trace                bool // TODO: EXPERIMENTAL
 	ClientIPHeaders       []string
 	ShouldLogCredentials  bool
 	Metrics               *caddyhttp.Metrics
 	Trace                 bool // TODO: EXPERIMENTAL
 }
 func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
@ -100,26 +95,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
 			}
 		case "packet_conn_wrappers":
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				modID := "caddy.packetconns." + d.Val()
 				unm, err := caddyfile.UnmarshalModule(d, modID)
 				if err != nil {
 					return nil, err
 				}
 				packetConnWrapper, ok := unm.(caddy.PacketConnWrapper)
 				if !ok {
 					return nil, fmt.Errorf("module %s (%T) is not a packet conn wrapper", modID, unm)
 				}
 				jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
 					packetConnWrapper,
 					"wrapper",
 					packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
 					nil,
 				)
 				serverOpts.PacketConnWrappersRaw = append(serverOpts.PacketConnWrappersRaw, jsonPacketConnWrapper)
 			}
 		case "timeouts":
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				switch d.Val() {
@ -167,7 +142,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 					return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
 				}
 			}
 		case "keepalive_interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
@ -178,26 +152,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.KeepAliveInterval = caddy.Duration(dur)
 		case "keepalive_idle":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			dur, err := caddy.ParseDuration(d.Val())
 			if err != nil {
 				return nil, d.Errf("parsing keepalive idle duration: %v", err)
 			}
 			serverOpts.KeepAliveIdle = caddy.Duration(dur)
 		case "keepalive_count":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			cnt, err := strconv.ParseInt(d.Val(), 10, 32)
 			if err != nil {
 				return nil, d.Errf("parsing keepalive count int: %v", err)
 			}
 			serverOpts.KeepAliveCount = int(cnt)
 		case "max_header_size":
 			var sizeStr string
 			if !d.AllArgs(&sizeStr) {
@ -273,12 +227,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.TrustedProxiesStrict = 1
 		case "trusted_proxies_unix":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			serverOpts.TrustedProxiesUnix = true
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
@ -298,8 +246,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				switch d.Val() {
 				case "per_host":
 					serverOpts.Metrics.PerHost = true
 				default:
 					return nil, d.Errf("unrecognized metrics option '%s'", d.Val())
 				}
 			}
@ -356,14 +302,11 @@ func applyServerOptions(
 		// set all the options
 		server.ListenerWrappersRaw = opts.ListenerWrappersRaw
 		server.PacketConnWrappersRaw = opts.PacketConnWrappersRaw
 		server.ReadTimeout = opts.ReadTimeout
 		server.ReadHeaderTimeout = opts.ReadHeaderTimeout
 		server.WriteTimeout = opts.WriteTimeout
 		server.IdleTimeout = opts.IdleTimeout
 		server.KeepAliveInterval = opts.KeepAliveInterval
 		server.KeepAliveIdle = opts.KeepAliveIdle
 		server.KeepAliveCount = opts.KeepAliveCount
 		server.MaxHeaderBytes = opts.MaxHeaderBytes
 		server.EnableFullDuplex = opts.EnableFullDuplex
 		server.Protocols = opts.Protocols
@ -371,7 +314,6 @@ func applyServerOptions(
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
 		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
 		server.TrustedProxiesUnix = opts.TrustedProxiesUnix
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
--- a/caddyconfig/httpcaddyfile/shorthands.go
+++ b/caddyconfig/httpcaddyfile/shorthands.go
@ -64,13 +64,10 @@ func placeholderShorthands() []string {
 		"{orig_?query}", "{http.request.orig_uri.prefixed_query}",
 		"{method}", "{http.request.method}",
 		"{uri}", "{http.request.uri}",
 		"{%uri}", "{http.request.uri_escaped}",
 		"{path}", "{http.request.uri.path}",
 		"{%path}", "{http.request.uri.path_escaped}",
 		"{dir}", "{http.request.uri.path.dir}",
 		"{file}", "{http.request.uri.path.file}",
 		"{query}", "{http.request.uri.query}",
 		"{%query}", "{http.request.uri.query_escaped}",
 		"{?query}", "{http.request.uri.prefixed_query}",
 		"{remote}", "{http.request.remote}",
 		"{remote_host}", "{http.request.remote.host}",
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -92,7 +92,27 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP)
 	}
-	forcedAutomatedNames := make(map[string]struct{}) // explicitly configured to be automated, even if covered by a wildcard
+	// collect all hosts that have a wildcard in them, and arent HTTP
 	wildcardHosts := []string{}
 	// hosts that have been explicitly marked to be automated,
 	// even if covered by another wildcard
 	forcedAutomatedNames := make(map[string]struct{})
 	for _, p := range pairings {
 		var addresses []string
 		for _, addressWithProtocols := range p.addressesWithProtocols {
 			addresses = append(addresses, addressWithProtocols.address)
 		}
 		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
 			continue
 		}
 		for _, sblock := range p.serverBlocks {
 			for _, addr := range sblock.parsedKeys {
 				if strings.HasPrefix(addr.Host, "*.") {
 					wildcardHosts = append(wildcardHosts, addr.Host[2:])
 				}
 			}
 		}
 	}
 	for _, p := range pairings {
 		// avoid setting up TLS automation policies for a server that is HTTP-only
@ -117,6 +137,12 @@ func (st ServerType) buildTLSApp(
 				return nil, warnings, err
 			}
 			// make a plain copy so we can compare whether we made any changes
 			apCopy, err := newBaseAutomationPolicy(options, warnings, true)
 			if err != nil {
 				return nil, warnings, err
 			}
 			sblockHosts := sblock.hostsFromKeys(false)
 			if len(sblockHosts) == 0 && catchAllAP != nil {
 				ap = catchAllAP
@ -127,7 +153,7 @@ func (st ServerType) buildTLSApp(
 				ap.OnDemand = true
 			}
-			// collect hosts that are forced to have certs automated for their specific name
+			// collect hosts that are forced to be automated
 			if _, ok := sblock.pile["tls.force_automate"]; ok {
 				for _, host := range sblockHosts {
 					forcedAutomatedNames[host] = struct{}{}
@ -143,12 +169,6 @@ func (st ServerType) buildTLSApp(
 				ap.KeyType = keyTypeVals[0].Value.(string)
 			}
 			if renewalWindowRatioVals, ok := sblock.pile["tls.renewal_window_ratio"]; ok {
 				ap.RenewalWindowRatio = renewalWindowRatioVals[0].Value.(float64)
 			} else if globalRenewalWindowRatio, ok := options["renewal_window_ratio"]; ok {
 				ap.RenewalWindowRatio = globalRenewalWindowRatio.(float64)
 			}
 			// certificate issuers
 			if issuerVals, ok := sblock.pile["tls.cert_issuer"]; ok {
 				var issuers []certmagic.Issuer
@ -235,6 +255,16 @@ func (st ServerType) buildTLSApp(
 			hostsNotHTTP := sblock.hostsFromKeysNotHTTP(httpPort)
 			sort.Strings(hostsNotHTTP) // solely for deterministic test results
 			// if the we prefer wildcards and the AP is unchanged,
 			// then we can skip this AP because it should be covered
 			// by an AP with a wildcard
 			if slices.Contains(autoHTTPS, "prefer_wildcard") {
 				if hostsCoveredByWildcard(hostsNotHTTP, wildcardHosts) &&
 					reflect.DeepEqual(ap, apCopy) {
 					continue
 				}
 			}
 			// associate our new automation policy with this server block's hosts
 			ap.SubjectsRaw = hostsNotHTTP
@ -310,7 +340,7 @@ func (st ServerType) buildTLSApp(
 					combined = reflect.New(reflect.TypeOf(cl)).Elem()
 				}
 				clVal := reflect.ValueOf(cl)
-				for i := range clVal.Len() {
+				for i := 0; i < clVal.Len(); i++ {
 					combined = reflect.Append(combined, clVal.Index(i))
 				}
 				loadersByName[name] = combined.Interface().(caddytls.CertificateLoader)
@ -329,32 +359,6 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.OnDemand = onDemand
 	}
 	// set up "global" (to the TLS app) DNS provider config
 	if globalDNS, ok := options["dns"]; ok && globalDNS != nil {
 		tlsApp.DNSRaw = caddyconfig.JSONModuleObject(globalDNS, "name", globalDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
 	}
 	// set up ECH from Caddyfile options
 	if ech, ok := options["ech"].(*caddytls.ECH); ok {
 		tlsApp.EncryptedClientHello = ech
 		// outer server names will need certificates, so make sure they're included
 		// in an automation policy for them that applies any global options
 		ap, err := newBaseAutomationPolicy(options, warnings, true)
 		if err != nil {
 			return nil, warnings, err
 		}
 		for _, cfg := range ech.Configs {
 			if cfg.PublicName != "" {
 				ap.SubjectsRaw = append(ap.SubjectsRaw, cfg.PublicName)
 			}
 		}
 		if tlsApp.Automation == nil {
 			tlsApp.Automation = new(caddytls.AutomationConfig)
 		}
 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, ap)
 	}
 	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
 	if sc, ok := options["storage_check"].(string); ok && sc == "off" {
 		tlsApp.DisableStorageCheck = true
@ -436,12 +440,12 @@ func (st ServerType) buildTLSApp(
 		globalEmail := options["email"]
 		globalACMECA := options["acme_ca"]
 		globalACMECARoot := options["acme_ca_root"]
-		_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
+		globalACMEDNS := options["acme_dns"]
 		globalACMEEAB := options["acme_eab"]
 		globalPreferredChains := options["preferred_chains"]
-		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
+		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
 		if hasGlobalACMEDefaults {
-			for i := range tlsApp.Automation.Policies {
+			for i := 0; i < len(tlsApp.Automation.Policies); i++ {
 				ap := tlsApp.Automation.Policies[i]
 				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
 					// for public names, create default issuers which will later be filled in with configured global defaults
@ -521,12 +525,11 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalEmail := options["email"]
 	globalACMECA := options["acme_ca"]
 	globalACMECARoot := options["acme_ca_root"]
-	globalACMEDNS, globalACMEDNSok := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
+	globalACMEDNS := options["acme_dns"]
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
 	globalCertLifetime := options["cert_lifetime"]
 	globalHTTPPort, globalHTTPSPort := options["http_port"], options["https_port"]
 	globalDefaultBind := options["default_bind"]
 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@ -537,21 +540,11 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
-	if globalACMEDNSok && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil || acmeIssuer.Challenges.DNS.ProviderRaw == nil) {
+	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
-		globalDNS := options["dns"]
+		acmeIssuer.Challenges = &caddytls.ChallengesConfig{
-		if globalDNS == nil && globalACMEDNS == nil {
+			DNS: &caddytls.DNSChallengeConfig{
-			return fmt.Errorf("acme_dns specified without DNS provider config, but no provider specified with 'dns' global option")
+				ProviderRaw: caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil),
-		}
+			},
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 		}
 		if acmeIssuer.Challenges.DNS == nil {
 			acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 		}
 		// If global `dns` is set, do NOT set provider in issuer, just set empty dns config
 		if globalDNS == nil && acmeIssuer.Challenges.DNS.ProviderRaw == nil {
 			// Set a global DNS provider if `acme_dns` is set and `dns` is NOT set
 			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
 		}
 	}
 	if globalACMEEAB != nil && acmeIssuer.ExternalAccount == nil {
@ -560,8 +553,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
 	}
-	// only configure alt HTTP and TLS-ALPN ports if the DNS challenge is not enabled (wouldn't hurt, but isn't necessary since the DNS challenge is exclusive of others)
+	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
 	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 		}
@ -570,7 +562,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		}
 		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int)
 	}
-	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
+	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
 		if acmeIssuer.Challenges == nil {
 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 		}
@ -579,20 +571,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		}
 		acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
 	}
 	// If BindHost is still unset, fall back to the first default_bind address if set
 	// This avoids binding the automation policy to the wildcard socket, which is unexpected behavior when a more selective socket is specified via default_bind
 	// In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
 	// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
 	if acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "") {
 		if defBinds, ok := globalDefaultBind.([]ConfigValue); ok && len(defBinds) > 0 {
 			if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
 				if acmeIssuer.Challenges == nil {
 					acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 				}
 				acmeIssuer.Challenges.BindHost = abp.addresses[0]
 			}
 		}
 	}
 	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
 		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 	}
@ -613,19 +591,12 @@ func newBaseAutomationPolicy(
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
 	ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
 	renewalWindowRatio, hasRenewalWindowRatio := options["renewal_window_ratio"]
 	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling || hasRenewalWindowRatio
-	globalACMECA := options["acme_ca"]
+	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
 	globalACMECARoot := options["acme_ca_root"]
 	_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
 	hasGlobalACMEDefaults := globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
-	if !hasGlobalAutomationOpts && !hasGlobalACMEDefaults {
+	if !hasGlobalAutomationOpts {
 		if always {
 			return new(caddytls.AutomationPolicy), nil
 		}
@ -647,24 +618,12 @@ func newBaseAutomationPolicy(
 		ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)}
 	}
 	if hasGlobalACMEDefaults {
 		for i := range ap.Issuers {
 			if err := fillInGlobalACMEDefaults(ap.Issuers[i], options); err != nil {
 				return nil, fmt.Errorf("filling in global issuer defaults for issuer %d: %v", i, err)
 			}
 		}
 	}
 	if hasOCSPStapling {
 		ocspConfig := ocspStapling.(certmagic.OCSPConfig)
 		ap.DisableOCSPStapling = ocspConfig.DisableStapling
 		ap.OCSPOverrides = ocspConfig.ResponderOverrides
 	}
 	if hasRenewalWindowRatio {
 		ap.RenewalWindowRatio = renewalWindowRatio.(float64)
 	}
 	return ap, nil
 }
@ -826,3 +785,20 @@ func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
 func isTailscaleDomain(name string) bool {
 	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
 }
 func hostsCoveredByWildcard(hosts []string, wildcards []string) bool {
 	if len(hosts) == 0 || len(wildcards) == 0 {
 		return false
 	}
 	for _, host := range hosts {
 		for _, wildcard := range wildcards {
 			if strings.HasPrefix(host, "*.") {
 				continue
 			}
 			if certmagic.MatchWildcard(host, "*."+wildcard) {
 				return true
 			}
 		}
 	}
 	return false
 }
--- a/caddyconfig/load.go
+++ b/caddyconfig/load.go
@ -121,13 +121,6 @@ func (adminLoad) handleLoad(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 	// If this request changed the config, clear the last
 	// config info we have stored, if it is different from
 	// the original source.
 	caddy.ClearLastConfigIfDifferent(
 		r.Header.Get("Caddy-Config-Source-File"),
 		r.Header.Get("Caddy-Config-Source-Adapter"))
 	caddy.Log().Named("admin.api").Info("load complete")
 	return nil
--- a/caddytest/caddytest.go
+++ b/caddytest/caddytest.go
@ -31,8 +31,8 @@ import (
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
 )
-// Config store any configuration required to make the tests run
+// Defaults store any configuration required to make the tests run
-type Config struct {
+type Defaults struct {
 	// Port we expect caddy to listening on
 	AdminPort int
 	// Certificates we expect to be loaded before attempting to run the tests
@ -44,7 +44,7 @@ type Config struct {
 }
 // Default testing values
-var Default = Config{
+var Default = Defaults{
 	AdminPort:          2999, // different from what a real server also running on a developer's machine might be
 	Certificates:       []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
 	TestRequestTimeout: 5 * time.Second,
@ -61,7 +61,6 @@ type Tester struct {
 	Client       *http.Client
 	configLoaded bool
 	t            testing.TB
 	config       Config
 }
 // NewTester will create a new testing client with an attached cookie jar
@ -79,29 +78,9 @@ func NewTester(t testing.TB) *Tester {
 		},
 		configLoaded: false,
 		t:            t,
 		config:       Default,
 	}
 }
 // WithDefaultOverrides this will override the default test configuration with the provided values.
 func (tc *Tester) WithDefaultOverrides(overrides Config) *Tester {
 	if overrides.AdminPort != 0 {
 		tc.config.AdminPort = overrides.AdminPort
 	}
 	if len(overrides.Certificates) > 0 {
 		tc.config.Certificates = overrides.Certificates
 	}
 	if overrides.TestRequestTimeout != 0 {
 		tc.config.TestRequestTimeout = overrides.TestRequestTimeout
 		tc.Client.Timeout = overrides.TestRequestTimeout
 	}
 	if overrides.LoadRequestTimeout != 0 {
 		tc.config.LoadRequestTimeout = overrides.LoadRequestTimeout
 	}
 	return tc
 }
 type configLoadError struct {
 	Response string
 }
@ -134,7 +113,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 		return nil
 	}
-	err := validateTestPrerequisites(tc)
+	err := validateTestPrerequisites(tc.t)
 	if err != nil {
 		tc.t.Skipf("skipping tests as failed integration prerequisites. %s", err)
 		return nil
@ -142,7 +121,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	tc.t.Cleanup(func() {
 		if tc.t.Failed() && tc.configLoaded {
-			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
+			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 			if err != nil {
 				tc.t.Log("unable to read the current config")
 				return
@ -172,10 +151,10 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 		tc.t.Logf("After: %s", rawConfig)
 	}
 	client := &http.Client{
-		Timeout: tc.config.LoadRequestTimeout,
+		Timeout: Default.LoadRequestTimeout,
 	}
 	start := time.Now()
-	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", tc.config.AdminPort), strings.NewReader(rawConfig))
+	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", Default.AdminPort), strings.NewReader(rawConfig))
 	if err != nil {
 		tc.t.Errorf("failed to create request. %s", err)
 		return err
@ -226,11 +205,11 @@ func (tc *Tester) ensureConfigRunning(rawConfig string, configType string) error
 	}
 	client := &http.Client{
-		Timeout: tc.config.LoadRequestTimeout,
+		Timeout: Default.LoadRequestTimeout,
 	}
 	fetchConfig := func(client *http.Client) any {
-		resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
+		resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 		if err != nil {
 			return nil
 		}
@ -258,30 +237,30 @@ func (tc *Tester) ensureConfigRunning(rawConfig string, configType string) error
 }
 const initConfig = `{
-	admin localhost:%d
+	admin localhost:2999
 }
 `
 // validateTestPrerequisites ensures the certificates are available in the
 // designated path and Caddy sub-process is running.
-func validateTestPrerequisites(tc *Tester) error {
+func validateTestPrerequisites(t testing.TB) error {
 	// check certificates are found
-	for _, certName := range tc.config.Certificates {
+	for _, certName := range Default.Certificates {
 		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}
 	}
-	if isCaddyAdminRunning(tc) != nil {
+	if isCaddyAdminRunning() != nil {
 		// setup the init config file, and set the cleanup afterwards
 		f, err := os.CreateTemp("", "")
 		if err != nil {
 			return err
 		}
-		tc.t.Cleanup(func() {
+		t.Cleanup(func() {
 			os.Remove(f.Name())
 		})
-		if _, err := fmt.Fprintf(f, initConfig, tc.config.AdminPort); err != nil {
+		if _, err := f.WriteString(initConfig); err != nil {
 			return err
 		}
@ -292,23 +271,23 @@ func validateTestPrerequisites(tc *Tester) error {
 		}()
 		// wait for caddy to start serving the initial config
-		for retries := 10; retries > 0 && isCaddyAdminRunning(tc) != nil; retries-- {
+		for retries := 10; retries > 0 && isCaddyAdminRunning() != nil; retries-- {
 			time.Sleep(1 * time.Second)
 		}
 	}
 	// one more time to return the error
-	return isCaddyAdminRunning(tc)
+	return isCaddyAdminRunning()
 }
-func isCaddyAdminRunning(tc *Tester) error {
+func isCaddyAdminRunning() error {
 	// assert that caddy is running
 	client := &http.Client{
-		Timeout: tc.config.LoadRequestTimeout,
+		Timeout: Default.LoadRequestTimeout,
 	}
-	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.config.AdminPort))
+	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 	if err != nil {
-		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", tc.config.AdminPort)
+		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", Default.AdminPort)
 	}
 	resp.Body.Close()
@ -362,8 +341,6 @@ func CreateTestingTransport() *http.Transport {
 // AssertLoadError will load a config and expect an error
 func AssertLoadError(t *testing.T, rawConfig string, configType string, expectedError string) {
 	t.Helper()
 	tc := NewTester(t)
 	err := tc.initServer(rawConfig, configType)
@ -374,8 +351,6 @@ func AssertLoadError(t *testing.T, rawConfig string, configType string, expected
 // AssertRedirect makes a request and asserts the redirection happens
 func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, expectedStatusCode int) *http.Response {
 	tc.t.Helper()
 	redirectPolicyFunc := func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
@ -413,8 +388,6 @@ func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, e
 // CompareAdapt adapts a config and then compares it against an expected result
 func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
 	t.Helper()
 	cfgAdapter := caddyconfig.GetAdapter(adapterName)
 	if cfgAdapter == nil {
 		t.Logf("unrecognized config adapter '%s'", adapterName)
@ -474,8 +447,6 @@ func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string,
 // AssertAdapt adapts a config and then tests it against an expected result
 func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
 	t.Helper()
 	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
 	if !ok {
 		t.Fail()
@ -504,8 +475,6 @@ func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
 // AssertResponseCode will execute the request and verify the status code, returns a response for additional assertions
 func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int) *http.Response {
 	tc.t.Helper()
 	resp, err := tc.Client.Do(req)
 	if err != nil {
 		tc.t.Fatalf("failed to call server %s", err)
@ -520,8 +489,6 @@ func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int)
 // AssertResponse request a URI and assert the status code and the body contains a string
 func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	resp := tc.AssertResponseCode(req, expectedStatusCode)
 	defer resp.Body.Close()
@ -543,8 +510,6 @@ func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expe
 // AssertGetResponse GET a URI and expect a statusCode and body text
 func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	req, err := http.NewRequest("GET", requestURI, nil)
 	if err != nil {
 		tc.t.Fatalf("unable to create request %s", err)
@ -555,8 +520,6 @@ func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, e
 // AssertDeleteResponse request a URI and expect a statusCode and body text
 func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	req, err := http.NewRequest("DELETE", requestURI, nil)
 	if err != nil {
 		tc.t.Fatalf("unable to create request %s", err)
@ -567,8 +530,6 @@ func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int
 // AssertPostResponseBody POST to a URI and assert the response code and body
 func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	req, err := http.NewRequest("POST", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
@ -582,8 +543,6 @@ func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []str
 // AssertPutResponseBody PUT to a URI and assert the response code and body
 func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	req, err := http.NewRequest("PUT", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
@ -597,8 +556,6 @@ func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []stri
 // AssertPatchResponseBody PATCH to a URI and assert the response code and body
 func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()
 	req, err := http.NewRequest("PATCH", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
--- a/caddytest/integration/acme_test.go
+++ b/caddytest/integration/acme_test.go
@ -12,14 +12,13 @@ import (
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
 )
 const acmeChallengePort = 9081
--- a/caddytest/integration/acmeserver_test.go
+++ b/caddytest/integration/acmeserver_test.go
@ -9,12 +9,11 @@ import (
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
 	"github.com/caddyserver/caddy/v2/caddytest"
 )
 func TestACMEServerDirectory(t *testing.T) {
--- a/caddytest/integration/caddyfile_adapt/acme_dns_configured.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_dns_configured.caddyfiletest
@ -1,69 +0,0 @@
 {
 	acme_dns mock foo
 }
 example.com {
 	respond "Hello World"
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "Hello World",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {
 										"provider": {
 											"argument": "foo",
 											"name": "mock"
 										}
 									}
 								},
 								"module": "acme"
 							}
 						]
 					}
 				]
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/acme_dns_naked_use_dns_defaults.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_dns_naked_use_dns_defaults.caddyfiletest
@ -1,53 +0,0 @@
 {
 	dns mock
 	acme_dns
 }
 example.com {
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {}
 								},
 								"module": "acme"
 							}
 						]
 					}
 				]
 			},
 			"dns": {
 				"name": "mock"
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/acme_dns_naked_without_dns.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_dns_naked_without_dns.caddyfiletest
@ -1,9 +0,0 @@
 {
 	acme_dns
 }
 example.com {
 	respond "Hello World"
 }
 ----------
 acme_dns specified without DNS provider config, but no provider specified with 'dns' global option
--- a/caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest
@ -1,72 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		allow {
 			domains host-1.internal.example.com host-2.internal.example.com
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"handler": "acme_server",
 													"policy": {
 														"allow": {
 															"domains": [
 																"host-1.internal.example.com",
 																"host-2.internal.example.com"
 															]
 														}
 													}
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest
@ -1,80 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		allow {
 			domains host-1.internal.example.com host-2.internal.example.com
 		}
 		deny {
 			domains dc.internal.example.com
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"handler": "acme_server",
 													"policy": {
 														"allow": {
 															"domains": [
 																"host-1.internal.example.com",
 																"host-2.internal.example.com"
 															]
 														},
 														"deny": {
 															"domains": [
 																"dc.internal.example.com"
 															]
 														}
 													}
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest
@ -1,71 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		deny {
 			domains dc.internal.example.com
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"handler": "acme_server",
 													"policy": {
 														"deny": {
 															"domains": [
 																"dc.internal.example.com"
 															]
 														}
 													}
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/ambiguous_site_definition.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/ambiguous_site_definition.caddyfiletest
@ -1,12 +0,0 @@
 example.com
 handle {
 	respond "one"
 }
 example.com
 handle {
 	respond "two"
 }
 ----------
 Caddyfile:6: unrecognized directive: example.com
 Did you mean to define a second site? If so, you must use curly braces around each site to separate their configurations.
--- a/caddytest/integration/caddyfile_adapt/ambiguous_site_definition_duplicate_key.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/ambiguous_site_definition_duplicate_key.caddyfiletest
@ -1,9 +0,0 @@
 :8080 {
 	respond "one"
 }
 :8080 {
 	respond "two"
 }
 ----------
 ambiguous site definition: :8080
--- a/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest
@ -0,0 +1,109 @@
 {
 	auto_https prefer_wildcard
 }
 *.example.com {
 	tls {
 		dns mock
 	}
 	respond "fallback"
 }
 foo.example.com {
 	respond "foo"
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"foo.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "foo",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"*.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "fallback",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"automatic_https": {
 						"skip_certificates": [
 							"foo.example.com"
 						],
 						"prefer_wildcard": true
 					}
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"subjects": [
 							"*.example.com"
 						],
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {
 										"provider": {
 											"name": "mock"
 										}
 									}
 								},
 								"module": "acme"
 							}
 						]
 					}
 				]
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest
@ -0,0 +1,268 @@
 {
 	auto_https prefer_wildcard
 }
 # Covers two domains
 *.one.example.com {
 	tls {
 		dns mock
 	}
 	respond "one fallback"
 }
 # Is covered, should not get its own AP
 foo.one.example.com {
 	respond "foo one"
 }
 # This one has its own tls config so it doesn't get covered (escape hatch)
 bar.one.example.com {
 	respond "bar one"
 	tls bar@bar.com
 }
 # Covers nothing but AP gets consolidated with the first
 *.two.example.com {
 	tls {
 		dns mock
 	}
 	respond "two fallback"
 }
 # Is HTTP so it should not cover
 http://*.three.example.com {
 	respond "three fallback"
 }
 # Has no wildcard coverage so it gets an AP
 foo.three.example.com {
 	respond "foo three"
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"foo.three.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "foo three",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"foo.one.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "foo one",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"bar.one.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "bar one",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"*.one.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "one fallback",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"*.two.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "two fallback",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"automatic_https": {
 						"skip_certificates": [
 							"foo.one.example.com",
 							"bar.one.example.com"
 						],
 						"prefer_wildcard": true
 					}
 				},
 				"srv1": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"*.three.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "three fallback",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"automatic_https": {
 						"prefer_wildcard": true
 					}
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"subjects": [
 							"foo.three.example.com"
 						]
 					},
 					{
 						"subjects": [
 							"bar.one.example.com"
 						],
 						"issuers": [
 							{
 								"email": "bar@bar.com",
 								"module": "acme"
 							},
 							{
 								"ca": "https://acme.zerossl.com/v2/DV90",
 								"email": "bar@bar.com",
 								"module": "acme"
 							}
 						]
 					},
 					{
 						"subjects": [
 							"*.one.example.com",
 							"*.two.example.com"
 						],
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {
 										"provider": {
 											"name": "mock"
 										}
 									}
 								},
 								"module": "acme"
 							}
 						]
 					}
 				]
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/directive_as_site_address.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/directive_as_site_address.caddyfiletest
@ -1,5 +0,0 @@
 handle
 respond "should not work"
 ----------
 Caddyfile:1: parsed 'handle' as a site address, but it is a known directive; directives must appear in a site block
--- a/caddytest/integration/caddyfile_adapt/duplicate_listener_address_global.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/duplicate_listener_address_global.caddyfiletest
@ -1,12 +0,0 @@
 {
 	servers {
 		srv0 {
 			listen :8080
 		}
 		srv1 {
 			listen :8080
 		}
 	}
 }
 ----------
 parsing caddyfile tokens for 'servers': unrecognized servers option 'srv0', at Caddyfile:3
--- a/caddytest/integration/caddyfile_adapt/error_example.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_example.caddyfiletest
@ -106,29 +106,20 @@ example.com {
 										"handler": "subroute",
 										"routes": [
 											{
 												"group": "group0",
 												"handle": [
 													{
-														"handler": "subroute",
+														"handler": "rewrite",
-														"routes": [
+														"uri": "/{http.error.status_code}.html"
-															{
+													}
-																"group": "group0",
+												]
-																"handle": [
+											},
-																	{
+											{
-																		"handler": "rewrite",
+												"handle": [
-																		"uri": "/{http.error.status_code}.html"
+													{
-																	}
+														"handler": "file_server",
-																]
+														"hide": [
-															},
+															"./Caddyfile"
 															{
 																"handle": [
 																	{
 																		"handler": "file_server",
 																		"hide": [
 																			"./Caddyfile"
 																		]
 																	}
 																]
 															}
 														]
 													}
 												]
--- a/caddytest/integration/caddyfile_adapt/error_multi_site_blocks.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_multi_site_blocks.caddyfiletest
@ -165,17 +165,8 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "404 or 410 error",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
@ -187,17 +178,8 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error In range [500 .. 599]",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599]",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
@ -226,17 +208,8 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "404 or 410 error from second site",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "404 or 410 error from second site",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
@ -248,17 +221,8 @@ bar.localhost {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error In range [500 .. 599] from second site",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599] from second site",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
--- a/caddytest/integration/caddyfile_adapt/error_range_codes.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_range_codes.caddyfiletest
@ -96,17 +96,8 @@ localhost:3010 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error in the [400 .. 499] range",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
--- a/caddytest/integration/caddyfile_adapt/error_range_simple_codes.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_range_simple_codes.caddyfiletest
@ -116,17 +116,8 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error in the [400 .. 499] range",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
@ -138,17 +129,8 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error code is equal to 500 or in the [300..399] range",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error code is equal to 500 or in the [300..399] range",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
--- a/caddytest/integration/caddyfile_adapt/error_simple_codes.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_simple_codes.caddyfiletest
@ -96,17 +96,8 @@ localhost:3010 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "404 or 410 error",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
--- a/caddytest/integration/caddyfile_adapt/error_sort.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_sort.caddyfiletest
@ -116,17 +116,8 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Error in the [400 .. 499] range",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
@ -138,17 +129,8 @@ localhost:2099 {
 											{
 												"handle": [
 													{
-														"handler": "subroute",
+														"body": "Fallback route: code outside the [400..499] range",
-														"routes": [
+														"handler": "static_response"
 															{
 																"handle": [
 																	{
 																		"body": "Fallback route: code outside the [400..499] range",
 																		"handler": "static_response"
 																	}
 																]
 															}
 														]
 													}
 												]
 											}
--- a/caddytest/integration/caddyfile_adapt/error_subhandlers.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/error_subhandlers.caddyfiletest
@ -1,260 +0,0 @@
 {
 	http_port 2099
 }
 localhost:2099 {
 	root * /var/www/
 	file_server
 	handle_errors 404 {
 		handle /en/* {
 			respond "not found" 404
 		}
 		handle /es/* {
 			respond "no encontrado"
 		}
 		handle {
 			respond "default not found"
 		}
 	}
 	handle_errors {
 		handle /en/* {
 			respond "English error"
 		}
 		handle /es/* {
 			respond "Spanish error"
 		}
 		handle {
 			respond "Default error"
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 2099,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":2099"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/var/www/"
 												},
 												{
 													"handler": "file_server",
 													"hide": [
 														"./Caddyfile"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
 															{
 																"group": "group3",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "not found",
 																						"handler": "static_response",
 																						"status_code": 404
 																					}
 																				]
 																			}
 																		]
 																	}
 																],
 																"match": [
 																	{
 																		"path": [
 																			"/en/*"
 																		]
 																	}
 																]
 															},
 															{
 																"group": "group3",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "no encontrado",
 																						"handler": "static_response"
 																					}
 																				]
 																			}
 																		]
 																	}
 																],
 																"match": [
 																	{
 																		"path": [
 																			"/es/*"
 																		]
 																	}
 																]
 															},
 															{
 																"group": "group3",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "default not found",
 																						"handler": "static_response"
 																					}
 																				]
 																			}
 																		]
 																	}
 																]
 															}
 														]
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [404]"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
 															{
 																"group": "group8",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "English error",
 																						"handler": "static_response"
 																					}
 																				]
 																			}
 																		]
 																	}
 																],
 																"match": [
 																	{
 																		"path": [
 																			"/en/*"
 																		]
 																	}
 																]
 															},
 															{
 																"group": "group8",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "Spanish error",
 																						"handler": "static_response"
 																					}
 																				]
 																			}
 																		]
 																	}
 																],
 																"match": [
 																	{
 																		"path": [
 																			"/es/*"
 																		]
 																	}
 																]
 															},
 															{
 																"group": "group8",
 																"handle": [
 																	{
 																		"handler": "subroute",
 																		"routes": [
 																			{
 																				"handle": [
 																					{
 																						"body": "Default error",
 																						"handler": "static_response"
 																					}
 																				]
 																			}
 																		]
 																	}
 																]
 															}
 														]
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest
@ -31,6 +31,9 @@ example.com
 			"automation": {
 				"policies": [
 					{
 						"subjects": [
 							"example.com"
 						],
 						"issuers": [
 							{
 								"module": "acme",
--- a/caddytest/integration/caddyfile_adapt/global_server_options_single.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_server_options_single.caddyfiletest
@ -18,9 +18,6 @@
 		trusted_proxies static private_ranges
 		client_ip_headers Custom-Real-Client-IP X-Forwarded-For
 		client_ip_headers A-Third-One
 		keepalive_interval 20s
 		keepalive_idle 20s
 		keepalive_count 10
 	}
 }
@ -48,9 +45,6 @@ foo.com {
 					"read_header_timeout": 30000000000,
 					"write_timeout": 30000000000,
 					"idle_timeout": 30000000000,
 					"keepalive_interval": 20000000000,
 					"keepalive_idle": 20000000000,
 					"keepalive_count": 10,
 					"max_header_bytes": 100000000,
 					"enable_full_duplex": true,
 					"routes": [
@ -95,4 +89,4 @@ foo.com {
 			}
 		}
 	}
-}
+}
--- a/caddytest/integration/caddyfile_adapt/header.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/header.caddyfiletest
@ -12,14 +12,10 @@
 	@images path /images/*
 	header @images {
 		Cache-Control "public, max-age=3600, stale-while-revalidate=86400"
 		match {
 			status 200
 		}
 	}
 	header {
 		+Link "Foo"
 		+Link "Bar"
 		match status 200
 	}
 	header >Set Defer
 	header >Replace Deferred Replacement
@ -46,11 +42,6 @@
 								{
 									"handler": "headers",
 									"response": {
 										"require": {
 											"status_code": [
 												200
 											]
 										},
 										"set": {
 											"Cache-Control": [
 												"public, max-age=3600, stale-while-revalidate=86400"
@ -145,11 +136,6 @@
 												"Foo",
 												"Bar"
 											]
 										},
 										"require": {
 											"status_code": [
 												200
 											]
 										}
 									}
 								},
--- a/caddytest/integration/caddyfile_adapt/header_placeholder_search.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/header_placeholder_search.caddyfiletest
@ -1,64 +0,0 @@
 :80 {
 	header Test-Static ":443" "STATIC-WORKS"
 	header Test-Dynamic ":{http.request.local.port}" "DYNAMIC-WORKS"
 	header Test-Complex "port-{http.request.local.port}-end" "COMPLEX-{http.request.method}"
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "headers",
 									"response": {
 										"replace": {
 											"Test-Static": [
 												{
 													"replace": "STATIC-WORKS",
 													"search_regexp": ":443"
 												}
 											]
 										}
 									}
 								},
 								{
 									"handler": "headers",
 									"response": {
 										"replace": {
 											"Test-Dynamic": [
 												{
 													"replace": "DYNAMIC-WORKS",
 													"search_regexp": ":{http.request.local.port}"
 												}
 											]
 										}
 									}
 								},
 								{
 									"handler": "headers",
 									"response": {
 										"replace": {
 											"Test-Complex": [
 												{
 													"replace": "COMPLEX-{http.request.method}",
 													"search_regexp": "port-{http.request.local.port}-end"
 												}
 											]
 										}
 									}
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/heredoc_extra_indentation.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_extra_indentation.caddyfiletest
@ -1,41 +0,0 @@
 :80
 handle {
 	respond <<END
        line1
        line2
  END
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "      line1\n      line2",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/heredoc_incomplete.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_incomplete.caddyfiletest
@ -1,9 +0,0 @@
 :80
 handle {
    respond <<EOF
    Hello
 # missing EOF marker
 }
 ----------
 mismatched leading whitespace in heredoc <<EOF on line #5 [    Hello], expected whitespace [# missing ] to match the closing marker
--- a/caddytest/integration/caddyfile_adapt/heredoc_invalid_marker.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_invalid_marker.caddyfiletest
@ -1,9 +0,0 @@
 :80
 handle {
    respond <<END!
    Hello
    END!
 }
 ----------
 heredoc marker on line #4 must contain only alpha-numeric characters, dashes and underscores; got 'END!'
--- a/caddytest/integration/caddyfile_adapt/heredoc_mismatched_whitespace.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_mismatched_whitespace.caddyfiletest
@ -1,10 +0,0 @@
 :80
 handle {
 	respond <<END
 	line1
 	line2
  END
 }
 ----------
 mismatched leading whitespace in heredoc <<END on line #5 [	line1], expected whitespace [  ] to match the closing marker
--- a/caddytest/integration/caddyfile_adapt/heredoc_missing_marker.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_missing_marker.caddyfiletest
@ -1,9 +0,0 @@
 :80
 handle {
    respond << 
    Hello
    END
 }
 ----------
 parsing caddyfile tokens for 'handle': unrecognized directive: Hello - are you sure your Caddyfile structure (nesting and braces) is correct?, at Caddyfile:7
--- a/caddytest/integration/caddyfile_adapt/heredoc_too_many_angle_brackets.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/heredoc_too_many_angle_brackets.caddyfiletest
@ -1,9 +0,0 @@
 :80
 handle {
    respond <<<END
    Hello
    END
 }
 ----------
 too many '<' for heredoc on line #4; only use two, for example <<END
--- a/caddytest/integration/caddyfile_adapt/import_block_anonymous.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/import_block_anonymous.caddyfiletest
@ -1,13 +0,0 @@
 (site) {
    http://{args[0]} https://{args[0]} {
        {block}
    }
 }
 import site test.domain {
    { 
        header_up Host {host}
        header_up X-Real-IP {remote_host}
    }
 }
 ----------
 anonymous blocks are not supported
--- a/caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_block.caddyfiletest
@ -1,57 +0,0 @@
 (snippet) {
 	header {
 		reverse_proxy localhost:3000
 		{block}
 	}
 }
 example.com {
 	import snippet
 }
 ---------- 
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "headers",
 													"response": {
 														"set": {
 															"Reverse_proxy": [
 																"localhost:3000"
 															]
 														}
 													}
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_key_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_key_block.caddyfiletest
@ -1,57 +0,0 @@
 (snippet) {
 	header {
 		reverse_proxy localhost:3000
 		{blocks.content_type}
 	}
 }
 example.com {
 	import snippet
 }
 ---------- 
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "headers",
 													"response": {
 														"set": {
 															"Reverse_proxy": [
 																"localhost:3000"
 															]
 														}
 													}
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/import_block_with_site_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/import_block_with_site_block.caddyfiletest
@ -1,65 +0,0 @@
 (site) {
 	https://{args[0]} {
 		{block}
 	}
 }
 import site test.domain {
 	reverse_proxy http://192.168.1.1:8080 {
 		header_up Host {host}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"test.domain"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "reverse_proxy",
 													"headers": {
 														"request": {
 															"set": {
 																"Host": [
 																	"{http.request.host}"
 																]
 															}
 														}
 													},
 													"upstreams": [
 														{
 															"dial": "192.168.1.1:8080"
 														}
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/import_cycle.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/import_cycle.caddyfiletest
@ -1,12 +0,0 @@
 (import1) {
 	import import2
 }
 (import2) {
 	import import1
 }
 import import1
 ----------
 a cycle of imports exists between Caddyfile:import2 and Caddyfile:import1
--- a/caddytest/integration/caddyfile_adapt/invoke_undefined_named_route.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/invoke_undefined_named_route.caddyfiletest
@ -1,5 +0,0 @@
 example.com {
 	invoke foo
 }
 ----------
 cannot invoke named route 'foo', which was not defined
--- a/caddytest/integration/caddyfile_adapt/log_multiple_regexp_filters.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/log_multiple_regexp_filters.caddyfiletest
@ -1,95 +0,0 @@
 :80
 log {
 	output stdout
 	format filter {
 		wrap console
 		# Multiple regexp filters for the same field - this should work now!
 		request>headers>Authorization regexp "Bearer\s+([A-Za-z0-9_-]+)" "Bearer [REDACTED]"
 		request>headers>Authorization regexp "Basic\s+([A-Za-z0-9+/=]+)" "Basic [REDACTED]"
 		request>headers>Authorization regexp "token=([^&\s]+)" "token=[REDACTED]"
 		# Single regexp filter - this should continue to work as before
 		request>headers>Cookie regexp "sessionid=[^;]+" "sessionid=[REDACTED]"
 		# Mixed filters (non-regexp) - these should work normally
 		request>headers>Server delete
 		request>remote_ip ip_mask {
 			ipv4 24
 			ipv6 32
 		}
 	}
 }
 ----------
 {
 	"logging": {
 		"logs": {
 			"default": {
 				"exclude": [
 					"http.log.access.log0"
 				]
 			},
 			"log0": {
 				"writer": {
 					"output": "stdout"
 				},
 				"encoder": {
 					"fields": {
 						"request\u003eheaders\u003eAuthorization": {
 							"filter": "multi_regexp",
 							"operations": [
 								{
 									"regexp": "Bearer\\s+([A-Za-z0-9_-]+)",
 									"value": "Bearer [REDACTED]"
 								},
 								{
 									"regexp": "Basic\\s+([A-Za-z0-9+/=]+)",
 									"value": "Basic [REDACTED]"
 								},
 								{
 									"regexp": "token=([^\u0026\\s]+)",
 									"value": "token=[REDACTED]"
 								}
 							]
 						},
 						"request\u003eheaders\u003eCookie": {
 							"filter": "regexp",
 							"regexp": "sessionid=[^;]+",
 							"value": "sessionid=[REDACTED]"
 						},
 						"request\u003eheaders\u003eServer": {
 							"filter": "delete"
 						},
 						"request\u003eremote_ip": {
 							"filter": "ip_mask",
 							"ipv4_cidr": 24,
 							"ipv6_cidr": 32
 						}
 					},
 					"format": "filter",
 					"wrap": {
 						"format": "console"
 					}
 				},
 				"include": [
 					"http.log.access.log0"
 				]
 			}
 		}
 	},
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"logs": {
 						"default_logger_name": "log0"
 					}
 				}
 			}
 		}
 	}
 } 
--- a/caddytest/integration/caddyfile_adapt/matcher_outside_site_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/matcher_outside_site_block.caddyfiletest
@ -1,9 +0,0 @@
@foo {
 	path /foo
 }
 handle {
 	respond "should not work"
 }
 ----------
 request matchers may not be defined globally, they must be in a site block; found @foo, at Caddyfile:1
--- a/caddytest/integration/caddyfile_adapt/renewal_window_ratio_global.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/renewal_window_ratio_global.caddyfiletest
@ -1,41 +0,0 @@
 {
 	renewal_window_ratio 0.1666
 }
 example.com {
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"renewal_window_ratio": 0.1666
 					}
 				]
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/renewal_window_ratio_tls_directive.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/renewal_window_ratio_tls_directive.caddyfiletest
@ -1,63 +0,0 @@
 {
 	renewal_window_ratio 0.1666
 }
 a.example.com {
 	tls {
 		renewal_window_ratio 0.25
 	}
 }
 b.example.com {
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"a.example.com"
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"b.example.com"
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"subjects": [
 							"a.example.com"
 						],
 						"renewal_window_ratio": 0.25
 					},
 					{
 						"renewal_window_ratio": 0.1666
 					}
 				]
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_forward_proxy_url.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_forward_proxy_url.txt
@ -1,41 +0,0 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		forward_proxy_url http://localhost:8080
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "url",
 											"url": "http://localhost:8080"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_none_proxy.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_none_proxy.txt
@ -1,40 +0,0 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		network_proxy none
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "none"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_url_proxy.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_url_proxy.txt
@ -1,41 +0,0 @@
 :8884
 reverse_proxy 127.0.0.1:65535 {
 	transport http {
 		network_proxy url http://localhost:8080
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8884"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "reverse_proxy",
 									"transport": {
 										"network_proxy": {
 											"from": "url",
 											"url": "http://localhost:8080"
 										},
 										"protocol": "http"
 									},
 									"upstreams": [
 										{
 											"dial": "127.0.0.1:65535"
 										}
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_trusted_proxies_unix.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_trusted_proxies_unix.caddyfiletest
@ -1,59 +0,0 @@
 {
 	servers {
 		trusted_proxies_unix
 	}
 }
 example.com {
 	reverse_proxy https://local:8080
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "reverse_proxy",
 													"transport": {
 														"protocol": "http",
 														"tls": {}
 													},
 													"upstreams": [
 														{
 															"dial": "local:8080"
 														}
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"trusted_proxies_unix": true
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/site_address_invalid_port.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/site_address_invalid_port.caddyfiletest
@ -1,7 +0,0 @@
 :70000
 handle {
 	respond "should not work"
 }
 ----------
 port 70000 is out of range
--- a/caddytest/integration/caddyfile_adapt/site_address_negative_port.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/site_address_negative_port.caddyfiletest
@ -1,7 +0,0 @@
 :-1
 handle {
 	respond "should not work"
 }
 ----------
 port -1 is out of range
--- a/caddytest/integration/caddyfile_adapt/site_address_unsupported_scheme.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/site_address_unsupported_scheme.caddyfiletest
@ -1,7 +0,0 @@
 foo://example.com
 handle {
 	respond "hello"
 }
 ----------
 unsupported URL scheme foo://
--- a/caddytest/integration/caddyfile_adapt/site_address_wss_invalid_port.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/site_address_wss_invalid_port.caddyfiletest
@ -1,7 +0,0 @@
 wss://example.com:70000
 handle {
 	respond "should not work"
 }
 ----------
 port 70000 is out of range
--- a/caddytest/integration/caddyfile_adapt/site_address_wss_scheme.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/site_address_wss_scheme.caddyfiletest
@ -1,7 +0,0 @@
 wss://example.com
 handle {
 	respond "hello"
 }
 ----------
 the scheme wss:// is only supported in browsers; use https:// instead
--- a/caddytest/integration/caddyfile_adapt/tls_automation_wildcard_force_automate.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_wildcard_force_automate.caddyfiletest
@ -131,7 +131,13 @@ shadowed.example.com {
 						{
 							"match": {
 								"sni": [
-									"automated1.example.com",
+									"automated1.example.com"
 								]
 							}
 						},
 						{
 							"match": {
 								"sni": [
 									"automated2.example.com"
 								]
 							}
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_block.caddyfiletest
@ -1,87 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf {
 			file ../caddy.ca.cer
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"files": [
 													"../caddy.ca.cer"
 												],
 												"loader": "file"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_inline.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_inline.caddyfiletest
@ -1,85 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf file ../caddy.ca.cer
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"files": [
 													"../caddy.ca.cer"
 												],
 												"loader": "file"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_multi-in-block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_multi-in-block.caddyfiletest
@ -1,94 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf {
 			file ../caddy.ca.cer
 			file ../caddy.ca.cer
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"files": [
 													"../caddy.ca.cer"
 												],
 												"loader": "file"
 											},
 											{
 												"files": [
 													"../caddy.ca.cer"
 												],
 												"loader": "file"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_block.caddyfiletest
@ -1,87 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf {
 			folder ../
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"folders": [
 													"../"
 												],
 												"loader": "folder"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_inline.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_inline.caddyfiletest
@ -1,85 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf folder ../
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"folders": [
 													"../"
 												],
 												"loader": "folder"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_multi-in-block.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_multi-in-block.caddyfiletest
@ -1,94 +0,0 @@
 localhost
 respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
 		trust_pool inline {
 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
 		}
 		verifier leaf {
 			folder ../
 			folder ../
 		}
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"body": "hello from localhost",
 													"handler": "static_response"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"tls_connection_policies": [
 						{
 							"match": {
 								"sni": [
 									"localhost"
 								]
 							},
 							"client_authentication": {
 								"ca": {
 									"provider": "inline",
 									"trusted_ca_certs": [
 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
 									]
 								},
 								"verifiers": [
 									{
 										"leaf_certs_loaders": [
 											{
 												"folders": [
 													"../"
 												],
 												"loader": "folder"
 											},
 											{
 												"folders": [
 													"../"
 												],
 												"loader": "folder"
 											}
 										],
 										"verifier": "leaf"
 									}
 								],
 								"mode": "request"
 							}
 						},
 						{}
 					]
 				}
 			}
 		}
 	}
 }
--- a/caddytest/integration/caddyfile_adapt/tls_dns_multiple_options_without_provider.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_dns_multiple_options_without_provider.caddyfiletest
@ -1,9 +0,0 @@
 localhost
 tls {
 	propagation_delay 10s
 	dns_ttl 5m
 }
 ----------
 parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_delay, dns_ttl] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:6
--- a/caddytest/integration/caddyfile_adapt/tls_dns_override_acme_dns.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_dns_override_acme_dns.caddyfiletest
@ -1,79 +0,0 @@
 {
 	acme_dns mock foo
 }
 localhost {
 	tls {
 		dns mock bar
 		resolvers 8.8.8.8 8.8.4.4
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"subjects": [
 							"localhost"
 						],
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {
 										"provider": {
 											"argument": "bar",
 											"name": "mock"
 										},
 										"resolvers": [
 											"8.8.8.8",
 											"8.8.4.4"
 										]
 									}
 								},
 								"module": "acme"
 							}
 						]
 					},
 					{
 						"issuers": [
 							{
 								"challenges": {
 									"dns": {
 										"provider": {
 											"argument": "foo",
 											"name": "mock"
 										}
 									}
 								},
 								"module": "acme"
 							}
 						]
 					}
 				]
 			}
 		}
 	}
 }
--- a/Show More
+++ b/Show More