build(deps): bump the actions-deps group across 1 directory with 9 updates

Bumps the actions-deps group with 9 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.15.0` | `2.19.0` | | [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `7.0.0` | `7.2.1` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.3` | `4.9.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.10.0` | `4.1.1` | | [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.23.0` | `0.24.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.32.4` | `4.35.3` | Updates `actions/github-script` from 8.0.0 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/ed597411d8f924073f98dfc5c65a23a2325f34cd...3a2844b7e9c422d3c10d287c895573f7108da1b3) Updates `step-security/harden-runner` from 2.15.0 to 2.19.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/a90bcbc6539c36a85cdfeb73f7e2f433735f215b...8d3c67de8e2fe68ef647c8db1e6a09f647780f40) Updates `actions/setup-go` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4b73464bb391d4059bd26b0524d20df3927bd417...4a3601121dd01d1626a1e23e37211e3254c1c06c) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.2.1 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/ec59f474b9834571250b370d4735c50f8e2d1e29...1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8) Updates `actions/dependency-review-action` from 4.8.3 to 4.9.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/05fe4576374b728f0c523d6a13d64c25081e0803...2031cfc080254a8a887f58cffee85186f0e49e48) Updates `sigstore/cosign-installer` from 3.10.0 to 4.1.1 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/d7543c93d881b35a8faa02e8e3605f69b7a1ce62...cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003) Updates `anchore/sbom-action` from 0.23.0 to 0.24.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/17ae1740179002c89186b61233e0f892c3118b11...e22c389904149dbc22b58101806040fa8d37a610) Updates `github/codeql-action` from 4.32.4 to 4.35.3 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/89a39a4e59826350b863aa6b6252a07ad50cf83e...e46ed2cbd01164d986452f91f178727624ae40d7) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-deps - dependency-name: step-security/harden-runner dependency-version: 2.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-deps - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps - dependency-name: actions/dependency-review-action dependency-version: 4.9.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps - dependency-name: sigstore/cosign-installer dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-deps - dependency-name: anchore/sbom-action dependency-version: 0.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-25 16:22:36 -04:00 · 2026-05-02 03:15:05 +00:00
76 changed files with 438 additions and 2088 deletions
@@ -20,7 +20,7 @@ jobs:
    
    steps:
      - name: Check approvals and update PR
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          MAINTAINER_LOGINS: ${{ secrets.MAINTAINER_LOGINS }}
        with:
@@ -165,7 +165,7 @@ jobs:
    
    steps:
      - name: Add cancelled label and comment
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const pr = context.payload.pull_request;
@@ -65,7 +65,7 @@ jobs:
      actions: write # to allow uploading artifacts and cache
    steps:
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
      with:
        egress-policy: audit

@@ -73,7 +73,7 @@ jobs:
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Install Go
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -120,7 +120,7 @@ jobs:
        ./caddy stop

    - name: Publish Build Artifact
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
@@ -162,7 +162,7 @@ jobs:
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
          allowed-endpoints: ci-s390x.caddyserver.com:22
@@ -221,19 +221,19 @@ jobs:
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      
-      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          version: latest
          args: check
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "~1.26"
          check-latest: true
@@ -241,7 +241,7 @@ jobs:
        run: |
          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
          xcaddy version
-      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          version: latest
          args: build --single-target --snapshot
@@ -51,7 +51,7 @@ jobs:
    continue-on-error: true
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

@@ -59,7 +59,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ matrix.GO_SEMVER }}
          check-latest: true
@@ -45,12 +45,12 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '~1.26'
          check-latest: true
@@ -73,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

@@ -90,14 +90,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

      - name: 'Checkout Repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          comment-summary-in-pr: on-failure
          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
@@ -28,7 +28,7 @@ jobs:
    
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
      - name: Checkout code
@@ -73,7 +73,7 @@ jobs:

      - name: Check for existing proposal PR
        id: check_existing
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const version = '${{ steps.inputs.outputs.version }}';
@@ -177,7 +177,7 @@ jobs:

      - name: Create release proposal PR
        id: create_pr
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const changelog = `${{ steps.setup.outputs.changelog }}`;
@@ -144,7 +144,7 @@ jobs:

      - name: Find related release proposal
        id: find_proposal
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const version = '${{ steps.vars.outputs.version_tag }}';
@@ -262,7 +262,7 @@ jobs:

      - name: Update release proposal PR
        if: fromJson(steps.find_proposal.outputs.result).number != null
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const result = ${{ steps.find_proposal.outputs.result }};
@@ -355,7 +355,7 @@ jobs:

    steps:
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
      with:
        egress-policy: audit

@@ -365,7 +365,7 @@ jobs:
        fetch-depth: 0

    - name: Install Go
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -415,11 +415,11 @@ jobs:
      run: pip install --upgrade cloudsmith-cli

    - name: Install Cosign
-      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
+      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # main
    - name: Cosign version
      run: cosign version
    - name: Install Syft
-      uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # main
+      uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # main
    - name: Syft version
      run: syft version
    - name: Install xcaddy
@@ -428,7 +428,7 @@ jobs:
        xcaddy version
    # GoReleaser will take care of publishing those artifacts into the release
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+      uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
      with:
        version: latest
        args: release --clean --timeout 60m
@@ -497,7 +497,7 @@ jobs:

    - name: Update release proposal PR
      if: needs.verify-tag.outputs.proposal_issue_number != ''
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
      with:
        script: |
          const prNumber = parseInt('${{ needs.verify-tag.outputs.proposal_issue_number }}');
@@ -24,7 +24,7 @@ jobs:

    # See https://github.com/peter-evans/repository-dispatch
    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
      with:
        egress-policy: audit

@@ -37,7 +37,7 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

@@ -72,7 +72,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
@@ -81,6 +81,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5
+        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v3.29.5
        with:
          sarif_file: results.sarif
@@ -120,6 +120,10 @@ type AdminConfig struct {
 	//
 	// EXPERIMENTAL: This feature is subject to change.
 	Remote *RemoteAdmin `json:"remote,omitempty"`
+
+	// Holds onto the routers so that we can later provision them
+	// if they require provisioning.
+	routers []AdminRouter
 }

 // ConfigSettings configures the management of configuration.
@@ -218,7 +222,7 @@ type AdminPermissions struct {

 // newAdminHandler reads admin's config and returns an http.Handler suitable
 // for use in an admin endpoint server, which will be listening on listenAddr.
-func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, ctx Context) (adminHandler, error) {
+func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Context) adminHandler {
 	muxWrap := adminHandler{mux: http.NewServeMux()}

 	// secure the local or remote endpoint respectively
@@ -275,21 +279,34 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, ctx
 	// register third-party module endpoints
 	for _, m := range GetModules("admin.api") {
 		router := m.New().(AdminRouter)
-
-		// provision the router before registering its routes, so
-		// handlers have access to all provisioned state
-		if provisioner, ok := router.(Provisioner); ok {
-			if err := provisioner.Provision(ctx); err != nil {
-				return adminHandler{}, fmt.Errorf("provisioning admin router module %s: %v", m.ID, err)
-			}
-		}
-
 		for _, route := range router.Routes() {
 			addRoute(route.Pattern, handlerLabel, route.Handler)
 		}
+		admin.routers = append(admin.routers, router)
 	}

-	return muxWrap, nil
+	return muxWrap
+}
+
+// provisionAdminRouters provisions all the router modules
+// in the admin.api namespace that need provisioning.
+func (admin *AdminConfig) provisionAdminRouters(ctx Context) error {
+	for _, router := range admin.routers {
+		provisioner, ok := router.(Provisioner)
+		if !ok {
+			continue
+		}
+
+		err := provisioner.Provision(ctx)
+		if err != nil {
+			return err
+		}
+	}
+
+	// We no longer need the routers once provisioned, allow for GC
+	admin.routers = nil
+
+	return nil
 }

 // allowedOrigins returns a list of origins that are allowed.
@@ -413,7 +430,11 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 		return err
 	}

-	handler, err := cfg.Admin.newAdminHandler(addr, false, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
+
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
 		return err
 	}
@@ -537,7 +558,11 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {

 	// make the HTTP handler but disable Host/Origin enforcement
 	// because we are using TLS authentication instead
-	handler, err := cfg.Admin.newAdminHandler(addr, true, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
+
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
 		return err
 	}
@@ -340,10 +340,7 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to parse address: %v", err)
 	}
-	handler, err := cfg.Admin.newAdminHandler(addr, false, Context{})
-	if err != nil {
-		t.Fatalf("Failed to create admin handler: %v", err)
-	}
+	handler := cfg.Admin.newAdminHandler(addr, false, Context{})

 	tests := []struct {
 		name           string
@@ -464,10 +461,7 @@ func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	admin := &AdminConfig{
 		EnforceOrigin: false,
 	}
-	handler, err := admin.newAdminHandler(addr, false, Context{})
-	if err != nil {
-		t.Fatalf("Failed to create admin handler: %v", err)
-	}
+	handler := admin.newAdminHandler(addr, false, Context{})

 	req := httptest.NewRequest("GET", "/mock", nil)
 	req.Host = "localhost:2019"
@@ -479,6 +473,10 @@ func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 		t.Errorf("Expected status code %d but got %d", http.StatusOK, rr.Code)
 		t.Logf("Response body: %s", rr.Body.String())
 	}
+
+	if len(admin.routers) != 1 {
+		t.Errorf("Expected 1 router to be stored, got %d", len(admin.routers))
+	}
 }

 type mockProvisionableRouter struct {
@@ -516,16 +514,19 @@ func TestAdminRouterProvisioning(t *testing.T) {
 		name         string
 		provisionErr error
 		wantErr      bool
+		routersAfter int // expected number of routers after provisioning
 	}{
 		{
 			name:         "successful provisioning",
 			provisionErr: nil,
 			wantErr:      false,
+			routersAfter: 0,
 		},
 		{
 			name:         "provisioning error",
 			provisionErr: fmt.Errorf("provision failed"),
 			wantErr:      true,
+			routersAfter: 1,
 		},
 	}

@@ -561,7 +562,8 @@ func TestAdminRouterProvisioning(t *testing.T) {
 				t.Fatalf("Failed to parse address: %v", err)
 			}

-			_, err = admin.newAdminHandler(addr, false, Context{})
+			_ = admin.newAdminHandler(addr, false, Context{})
+			err = admin.provisionAdminRouters(Context{})

 			if test.wantErr {
 				if err == nil {
@@ -572,6 +574,10 @@ func TestAdminRouterProvisioning(t *testing.T) {
 					t.Errorf("Expected no error but got: %v", err)
 				}
 			}
+
+			if len(admin.routers) != test.routersAfter {
+				t.Errorf("Expected %d routers after provisioning, got %d", test.routersAfter, len(admin.routers))
+			}
 		})
 	}
 }
@@ -440,6 +440,13 @@ func run(newCfg *Config, start bool) (Context, error) {
 		}
 	}()

+	// Provision any admin routers which may need to access
+	// some of the other apps at runtime
+	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return ctx, err
+	}
+
 	// Start
 	err = func() error {
 		started := make([]string, 0, len(ctx.cfg.apps))
@@ -155,7 +155,7 @@ func (l *lexer) next() (bool, error) {
 			// want to keep.
 			if ch == '\n' {
 				if len(val) == 2 {
-					return false, fmt.Errorf("missing opening heredoc marker on line #%d; must contain only alphanumeric characters, dashes and underscores; got empty string", l.line)
+					return false, fmt.Errorf("missing opening heredoc marker on line #%d; must contain only alpha-numeric characters, dashes and underscores; got empty string", l.line)
 				}

 				// check if there's too many <
@@ -165,7 +165,7 @@ func (l *lexer) next() (bool, error) {

 				heredocMarker = string(val[2:])
 				if !heredocMarkerRegexp.Match([]byte(heredocMarker)) {
-					return false, fmt.Errorf("heredoc marker on line #%d must contain only alphanumeric characters, dashes and underscores; got '%s'", l.line, heredocMarker)
+					return false, fmt.Errorf("heredoc marker on line #%d must contain only alpha-numeric characters, dashes and underscores; got '%s'", l.line, heredocMarker)
 				}

 				inHeredoc = true
@@ -424,7 +424,7 @@ EOF
 		{
 			input:        []byte("not-a-heredoc <<\n"),
 			expectErr:    true,
-			errorMessage: "missing opening heredoc marker on line #1; must contain only alphanumeric characters, dashes and underscores; got empty string",
+			errorMessage: "missing opening heredoc marker on line #1; must contain only alpha-numeric characters, dashes and underscores; got empty string",
 		},
 		{
 			input: []byte(`heredoc <<<EOF
@@ -683,7 +683,7 @@ func (p *parser) directive() error {
 // openCurlyBrace expects the current token to be an
 // opening curly brace. This acts like an assertion
 // because it returns an error if the token is not
-// an opening curly brace. It does NOT advance the token.
+// a opening curly brace. It does NOT advance the token.
 func (p *parser) openCurlyBrace() error {
 	if p.Val() != "{" {
 		if p.valLooksLikeGlobalOptionsAfterImportedSnippets() {
@@ -1053,7 +1053,7 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
-					interval, err := caddy.ParseDuration(d.Val())
+					interval, err := time.ParseDuration(d.Val() + "ns")
 					if err != nil {
 						return nil, d.Errf("failed to parse interval: %v", err)
 					}
@@ -66,14 +66,14 @@ func TestLogDirectiveSyntax(t *testing.T) {
 			input: `:8080 {
 				log {
 					sampling {
-						interval 2s
+						interval 2
 						first 3
 						thereafter 4
 					}
 				}
 			}
 			`,
-			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"sampling":{"interval":2000000000,"first":3,"thereafter":4},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
+			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"sampling":{"interval":2,"first":3,"thereafter":4},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
 			expectError: false,
 		},
 	} {
@@ -1036,7 +1036,7 @@ outer:
 			// otherwise the one without any subjects (a catch-all) would be
 			// eaten up by the one with subjects; and if both have subjects, we
 			// need to combine their lists
-			if automationPoliciesHaveSameIssuers(aps[i], aps[j]) &&
+			if reflect.DeepEqual(aps[i].IssuersRaw, aps[j].IssuersRaw) &&
 				reflect.DeepEqual(aps[i].ManagersRaw, aps[j].ManagersRaw) &&
 				bytes.Equal(aps[i].StorageRaw, aps[j].StorageRaw) &&
 				aps[i].MustStaple == aps[j].MustStaple &&
@@ -1128,58 +1128,6 @@ func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) b
 		(strings.Count(subj, "*.") < 2 || ap.OnDemand)
 }

-func automationPoliciesHaveSameIssuers(a, b *caddytls.AutomationPolicy) bool {
-	if reflect.DeepEqual(a.IssuersRaw, b.IssuersRaw) {
-		return automationPoliciesHaveCompatibleImplicitIssuers(a, b)
-	}
-	return automationPolicyUsesDefaultInternalIssuer(a) && automationPolicyUsesDefaultInternalIssuer(b)
-}
-
-func automationPolicyUsesDefaultInternalIssuer(ap *caddytls.AutomationPolicy) bool {
-	if len(ap.IssuersRaw) == 0 && len(ap.Issuers) == 0 {
-		return automationPolicyImplicitIssuerClass(ap) == "internal"
-	}
-	return len(ap.IssuersRaw) == 1 &&
-		len(ap.Issuers) == 0 &&
-		string(bytes.TrimSpace(ap.IssuersRaw[0])) == `{"module":"internal"}`
-}
-
-// automationPoliciesHaveCompatibleImplicitIssuers returns whether two policies
-// without explicit issuers can be consolidated without changing default issuer
-// selection for their subjects.
-func automationPoliciesHaveCompatibleImplicitIssuers(a, b *caddytls.AutomationPolicy) bool {
-	if len(a.IssuersRaw) > 0 || len(a.Issuers) > 0 ||
-		len(b.IssuersRaw) > 0 || len(b.Issuers) > 0 {
-		return true
-	}
-
-	aClass := automationPolicyImplicitIssuerClass(a)
-	bClass := automationPolicyImplicitIssuerClass(b)
-	return aClass == "catch-all" || bClass == "catch-all" || aClass == bClass
-}
-
-func automationPolicyImplicitIssuerClass(ap *caddytls.AutomationPolicy) string {
-	if len(ap.SubjectsRaw) == 0 {
-		return "catch-all"
-	}
-
-	hasPublic := slices.ContainsFunc(ap.SubjectsRaw, func(subj string) bool {
-		return subjectQualifiesForPublicCert(ap, subj)
-	})
-	hasInternal := slices.ContainsFunc(ap.SubjectsRaw, func(subj string) bool {
-		return !subjectQualifiesForPublicCert(ap, subj)
-	})
-
-	switch {
-	case hasPublic && hasInternal:
-		return "mixed"
-	case hasPublic:
-		return "public"
-	default:
-		return "internal"
-	}
-}
-
 // automationPolicyHasAllPublicNames returns true if all the names on the policy
 // do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
@@ -3,7 +3,6 @@ package httpcaddyfile
 import (
 	"testing"

-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )

@@ -55,20 +54,3 @@ func TestAutomationPolicyIsSubset(t *testing.T) {
 		}
 	}
 }
-
-func TestAutomationPoliciesAllowSameHostOnDifferentPorts(t *testing.T) {
-	input := `https://example.com:5000 localhost:5000 {
-	respond "one"
-}
-
-https://example.net localhost:8080 {
-	respond "two"
-}
-`
-
-	adapter := caddyfile.Adapter{ServerType: ServerType{}}
-	_, _, err := adapter.Adapt([]byte(input), nil)
-	if err != nil {
-		t.Fatalf("adapting Caddyfile: %v", err)
-	}
-}
@@ -518,7 +518,7 @@ func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int)
 	return resp
 }

-// AssertResponse requests a URI and asserts the status code and body.
+// AssertResponse request a URI and assert the status code and the body contains a string
 func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -541,7 +541,7 @@ func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expe

 // Verb specific test functions

-// AssertGetResponse requests a URI with GET and expects a status code and body text.
+// AssertGetResponse GET a URI and expect a statusCode and body text
 func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -553,7 +553,7 @@ func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, e
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertDeleteResponse requests a URI with DELETE and expects a status code and body text.
+// AssertDeleteResponse request a URI and expect a statusCode and body text
 func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -565,7 +565,7 @@ func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPostResponseBody requests a URI with POST and asserts the response code and body.
+// AssertPostResponseBody POST to a URI and assert the response code and body
 func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -580,7 +580,7 @@ func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []str
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPutResponseBody requests a URI with PUT and asserts the response code and body.
+// AssertPutResponseBody PUT to a URI and assert the response code and body
 func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -595,7 +595,7 @@ func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []stri
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPatchResponseBody requests a URI with PATCH and asserts the response code and body.
+// AssertPatchResponseBody PATCH to a URI and assert the response code and body
 func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -1,7 +1,7 @@
 {
 	log {
 		sampling {
-			interval 5m
+			interval 300
 			first 50
 			thereafter 40
 		}
@@ -13,7 +13,7 @@
 		"logs": {
 			"default": {
 				"sampling": {
-					"interval": 300000000000,
+					"interval": 300,
 					"first": 50,
 					"thereafter": 40
 				}
@@ -6,4 +6,4 @@ handle {
    END!
 }
 ----------
-heredoc marker on line #4 must contain only alphanumeric characters, dashes and underscores; got 'END!'
+heredoc marker on line #4 must contain only alpha-numeric characters, dashes and underscores; got 'END!'
@@ -1,7 +1,7 @@
 :80 {
 	log {
 		sampling {
-			interval 5m
+			interval 300
 			first 50
 			thereafter 40
 		}
@@ -18,7 +18,7 @@
 			},
 			"log0": {
 				"sampling": {
-					"interval": 300000000000,
+					"interval": 300,
 					"first": 50,
 					"thereafter": 40
 				},
@@ -1,14 +1,7 @@
 package integration

 import (
-	"crypto/ed25519"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"errors"
 	"fmt"
-	"math/big"
 	"net"
 	"net/http"
 	"os"
@@ -16,10 +9,8 @@ import (
 	"strings"
 	"sync/atomic"
 	"testing"
-	"time"

 	"github.com/caddyserver/caddy/v2/caddytest"
-	"github.com/quic-go/quic-go/http3"
 )

 func TestSRVReverseProxy(t *testing.T) {
@@ -802,140 +793,3 @@ func TestReverseProxyRetryMatchIsTransportError(t *testing.T) {
 	// Transport error on broken upstream should be retried to good upstream
 	tester.AssertGetResponse("http://localhost:9080/", 200, "ok")
 }
-
-func TestReverseProxyHTTP3SNIPlaceholderHost(t *testing.T) {
-	const expectedSNI = "app.test.local"
-
-	upstreamAddr, gotSNI := startHTTP3SNITestServer(t)
-
-	tester := caddytest.NewTester(t)
-	tester.InitServer(fmt.Sprintf(`
-	{
-		skip_install_trust
-		admin localhost:2999
-		http_port 9080
-		grace_period 1ns
-	}
-:9080 {
-		reverse_proxy https://%s {
-			transport http {
-				versions 3
-				tls_server_name {host}
-				tls_insecure_skip_verify
-			}
-		}
-	}
-	`, upstreamAddr), "caddyfile")
-
-	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:9080/", nil)
-	if err != nil {
-		t.Fatalf("failed to create request: %v", err)
-	}
-	req.Host = expectedSNI
-
-	tester.AssertResponse(req, 200, "ok")
-
-	select {
-	case sni := <-gotSNI:
-		if sni != expectedSNI {
-			t.Fatalf("HTTP/3 upstream SNI = %q, want %q", sni, expectedSNI)
-		}
-		if sni == "{http.request.host}" {
-			t.Fatal("HTTP/3 upstream SNI was not expanded from the adapted placeholder")
-		}
-	case <-time.After(5 * time.Second):
-		t.Fatal("timed out waiting for HTTP/3 upstream SNI")
-	}
-}
-
-func startHTTP3SNITestServer(t *testing.T) (string, <-chan string) {
-	t.Helper()
-
-	gotSNI := make(chan string, 1)
-	udpConn, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("failed to listen for HTTP/3 upstream: %v", err)
-	}
-
-	server := &http3.Server{
-		TLSConfig: http3SNITestTLSConfig(t, func(sni string) {
-			select {
-			case gotSNI <- sni:
-			default:
-			}
-		}),
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-			fmt.Fprint(w, "ok")
-		}),
-	}
-
-	done := make(chan struct{})
-	errs := make(chan error, 1)
-	go func() {
-		defer close(done)
-		err := server.Serve(udpConn)
-		if err != nil && !errors.Is(err, http.ErrServerClosed) && !errors.Is(err, net.ErrClosed) {
-			errs <- err
-		}
-	}()
-
-	t.Cleanup(func() {
-		_ = server.Close()
-		_ = udpConn.Close()
-		select {
-		case <-done:
-		case <-time.After(5 * time.Second):
-			t.Error("timed out waiting for HTTP/3 upstream server to stop")
-		}
-		select {
-		case err := <-errs:
-			t.Errorf("HTTP/3 upstream server failed: %v", err)
-		default:
-		}
-	})
-
-	return udpConn.LocalAddr().String(), gotSNI
-}
-
-func http3SNITestTLSConfig(t *testing.T, recordSNI func(string)) *tls.Config {
-	t.Helper()
-
-	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		t.Fatalf("failed to generate HTTP/3 upstream private key: %v", err)
-	}
-
-	certTemplate := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			CommonName: "HTTP/3 SNI test upstream",
-		},
-		NotBefore:             time.Now().Add(-time.Hour),
-		NotAfter:              time.Now().Add(time.Hour),
-		DNSNames:              []string{"app.test.local"},
-		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	certDER, err := x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, publicKey, privateKey)
-	if err != nil {
-		t.Fatalf("failed to create HTTP/3 upstream certificate: %v", err)
-	}
-	cert := tls.Certificate{
-		Certificate: [][]byte{certDER},
-		PrivateKey:  privateKey,
-	}
-	baseConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
-			recordSNI(hello.ServerName)
-			return baseConfig.Clone(), nil
-		},
-	}
-}
@@ -159,7 +159,7 @@ func testH2ToH2CStreamServeH2C(t *testing.T) *http.Server {
 		}
 		// We only accept HTTP/2!
 		if r.ProtoMajor != 2 {
-			t.Error("Not an HTTP/2 request, rejected!")
+			t.Error("Not a HTTP/2 request, rejected!")
 			w.WriteHeader(http.StatusInternalServerError)
 			return
 		}
@@ -58,7 +58,7 @@ func cmdStart(fl Flags) (int, error) {

 	// open a listener to which the child process will connect when
 	// it is ready to confirm that it has successfully started
-	ln, err := listenTCPForPingback(net.Listen)
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return caddy.ExitCodeFailedStartup,
 			fmt.Errorf("opening listener for success confirmation: %v", err)
@@ -169,22 +169,6 @@ func cmdStart(fl Flags) (int, error) {
 	return caddy.ExitCodeSuccess, nil
 }

-type tcpListenFunc func(network, address string) (net.Listener, error)
-
-func listenTCPForPingback(listen tcpListenFunc) (net.Listener, error) {
-	ln, ipv4Err := listen("tcp4", "127.0.0.1:0")
-	if ipv4Err == nil {
-		return ln, nil
-	}
-
-	ln, ipv6Err := listen("tcp6", "[::1]:0")
-	if ipv6Err == nil {
-		return ln, nil
-	}
-
-	return nil, fmt.Errorf("listen on 127.0.0.1:0: %v; listen on [::1]:0: %v", ipv4Err, ipv6Err)
-}
-
 func cmdRun(fl Flags) (int, error) {
 	caddy.TrapSignals()

@@ -566,7 +566,7 @@ argument of --directory. If the directory does not exist, it will be created.
 // following format:
 //
 //   - lowercase
-//   - ASCII lowercase letters, digits and hyphens only
+//   - alphanumeric and hyphen characters only
 //   - cannot start or end with a hyphen
 //   - hyphen cannot be adjacent to another hyphen
 //
@@ -1,8 +1,6 @@
 package caddycmd

 import (
-	"errors"
-	"net"
 	"reflect"
 	"strings"
 	"testing"
@@ -171,80 +169,6 @@ here"
 	}
 }

-func TestListenTCPForPingbackUsesIPv4Loopback(t *testing.T) {
-	var calls []string
-	expected := &stubListener{addr: &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234}}
-
-	actual, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
-		calls = append(calls, network+" "+address)
-		return expected, nil
-	})
-	if err != nil {
-		t.Fatalf("listenTCPForPingback returned error: %v", err)
-	}
-	if actual != expected {
-		t.Fatalf("expected listener %p, got %p", expected, actual)
-	}
-
-	expectCalls := []string{"tcp4 127.0.0.1:0"}
-	if !reflect.DeepEqual(calls, expectCalls) {
-		t.Fatalf("expected calls %v, got %v", expectCalls, calls)
-	}
-}
-
-func TestListenTCPForPingbackFallsBackToIPv6Loopback(t *testing.T) {
-	var calls []string
-	expected := &stubListener{addr: &net.TCPAddr{IP: net.ParseIP("::1"), Port: 1234}}
-
-	actual, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
-		calls = append(calls, network+" "+address)
-		if len(calls) == 1 {
-			return nil, errors.New("ipv4 unavailable")
-		}
-		return expected, nil
-	})
-	if err != nil {
-		t.Fatalf("listenTCPForPingback returned error: %v", err)
-	}
-	if actual != expected {
-		t.Fatalf("expected listener %p, got %p", expected, actual)
-	}
-
-	expectCalls := []string{"tcp4 127.0.0.1:0", "tcp6 [::1]:0"}
-	if !reflect.DeepEqual(calls, expectCalls) {
-		t.Fatalf("expected calls %v, got %v", expectCalls, calls)
-	}
-}
-
-func TestListenTCPForPingbackReportsBothFailures(t *testing.T) {
-	_, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
-		return nil, errors.New(network + " failed")
-	})
-	if err == nil {
-		t.Fatal("expected error")
-	}
-	if !strings.Contains(err.Error(), "tcp4 failed") ||
-		!strings.Contains(err.Error(), "tcp6 failed") {
-		t.Fatalf("expected both listener errors, got: %v", err)
-	}
-}
-
-type stubListener struct {
-	addr net.Addr
-}
-
-func (sl *stubListener) Accept() (net.Conn, error) {
-	return nil, net.ErrClosed
-}
-
-func (sl *stubListener) Close() error {
-	return nil
-}
-
-func (sl *stubListener) Addr() net.Addr {
-	return sl.addr
-}
-
 func Test_isCaddyfile(t *testing.T) {
 	type args struct {
 		configFile  string
@@ -234,7 +234,7 @@ func getModules() (standard, nonstandard, unknown []moduleInfo, err error) {
 		// not sure why), and since New() should return a pointer
 		// value, we need to dereference it first
 		iface := any(modInfo.New())
-		if rv := reflect.ValueOf(iface); rv.Kind() == reflect.Pointer {
+		if rv := reflect.ValueOf(iface); rv.Kind() == reflect.Ptr {
 			iface = reflect.New(reflect.TypeOf(iface).Elem()).Elem().Interface()
 		}
 		modPkgPath := reflect.TypeOf(iface).PkgPath()
@@ -378,7 +378,7 @@ func (ctx Context) LoadModuleByID(id string, rawMsg json.RawMessage) (any, error
 	// value must be a pointer for unmarshaling into concrete type, even if
 	// the module's concrete type is a slice or map; New() *should* return
 	// a pointer, otherwise unmarshaling errors or panics will occur
-	if rv := reflect.ValueOf(val); rv.Kind() != reflect.Pointer {
+	if rv := reflect.ValueOf(val); rv.Kind() != reflect.Ptr {
 		log.Printf("[WARNING] ModuleInfo.New() for module '%s' did not return a pointer,"+
 			" so we are using reflection to make a pointer instead; please fix this by"+
 			" using new(Type) or &Type notation in your module's New() function.", id)
@@ -1,26 +1,26 @@
 module github.com/caddyserver/caddy/v2

-go 1.25.1
+go 1.25.0

 require (
 	github.com/BurntSushi/toml v1.6.0
 	github.com/DeRuina/timberjack v1.4.2
 	github.com/KimMachineGun/automemlimit v0.7.5
 	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/alecthomas/chroma/v2 v2.24.1
+	github.com/alecthomas/chroma/v2 v2.23.1
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
 	github.com/caddyserver/certmagic v0.25.3
 	github.com/caddyserver/zerossl v0.1.5
 	github.com/cloudflare/circl v1.6.3
 	github.com/dustin/go-humanize v1.0.1
 	github.com/go-chi/chi/v5 v5.2.5
-	github.com/google/cel-go v0.28.1
+	github.com/google/cel-go v0.28.0
 	github.com/google/uuid v1.6.0
-	github.com/klauspost/compress v1.18.6
+	github.com/klauspost/compress v1.18.5
 	github.com/klauspost/cpuid/v2 v2.3.0
 	github.com/mholt/acmez/v3 v3.1.6
 	github.com/prometheus/client_golang v1.23.2
-	github.com/quic-go/quic-go v0.59.1
+	github.com/quic-go/quic-go v0.59.0
 	github.com/smallstep/certificates v0.30.2
 	github.com/smallstep/nosql v0.8.0
 	github.com/smallstep/truststore v0.13.0
@@ -31,28 +31,28 @@ require (
 	github.com/yuin/goldmark v1.8.2
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.opentelemetry.io/contrib/bridges/prometheus v0.68.0
-	go.opentelemetry.io/contrib/exporters/autoexport v0.68.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
-	go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.65.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
+	go.opentelemetry.io/contrib/propagators/autoprop v0.65.0
 	go.opentelemetry.io/otel v1.43.0
 	go.opentelemetry.io/otel/sdk v1.43.0
 	go.opentelemetry.io/otel/sdk/metric v1.43.0
-	go.step.sm/crypto v0.81.0
+	go.step.sm/crypto v0.77.1
 	go.uber.org/automaxprocs v1.6.0
-	go.uber.org/zap v1.28.0
+	go.uber.org/zap v1.27.1
 	go.uber.org/zap/exp v0.3.0
-	golang.org/x/crypto v0.52.0
+	golang.org/x/crypto v0.50.0
 	golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541
-	golang.org/x/net v0.55.0
+	golang.org/x/net v0.53.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/term v0.43.0
+	golang.org/x/term v0.42.0
 	golang.org/x/time v0.15.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
 	cel.dev/expr v0.25.1 // indirect
-	cloud.google.com/go/auth v0.20.0 // indirect
+	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
@@ -63,14 +63,14 @@ require (
 	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 // indirect
 	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
-	github.com/googleapis/gax-go/v2 v2.22.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
+	github.com/googleapis/gax-go/v2 v2.18.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
@@ -109,9 +109,9 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
-	google.golang.org/api v0.277.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 // indirect
+	google.golang.org/api v0.271.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 )

@@ -129,7 +129,7 @@ require (
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.2.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
-	github.com/dlclark/regexp2 v1.12.0 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -149,7 +149,7 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/pires/go-proxyproto v0.12.0
+	github.com/pires/go-proxyproto v0.11.0
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2
 	github.com/prometheus/common v0.67.5 // indirect
@@ -169,10 +169,10 @@ require (
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/sys v0.45.0
-	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/sys v0.43.0
+	golang.org/x/text v0.36.0
 	golang.org/x/tools v0.44.0 // indirect
-	google.golang.org/grpc v1.81.0 // indirect
+	google.golang.org/grpc v1.80.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	howett.net/plist v1.0.0 // indirect
 )
@@ -2,18 +2,18 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
-cloud.google.com/go/auth v0.20.0 h1:kXTssoVb4azsVDoUiF8KvxAqrsQcQtB53DcSgta74CA=
-cloud.google.com/go/auth v0.20.0/go.mod h1:942/yi/itH1SsmpyrbnTMDgGfdy2BUqIKyd0cyYLc5Q=
+cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
+cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-cloud.google.com/go/iam v1.7.0 h1:JD3zh0C6LHl16aCn5Akff0+GELdp1+4hmh6ndoFLl8U=
-cloud.google.com/go/iam v1.7.0/go.mod h1:tetWZW1PD/m6vcuY2Zj/aU0eCHNPuxedbnbRTyKXvdY=
-cloud.google.com/go/kms v1.31.0 h1:LS8N92OxFDgOLg5NCo3OmbvjtQAIVT5gUHVLKIDHaFE=
-cloud.google.com/go/kms v1.31.0/go.mod h1:YIyXZym11R5uovJJt4oN5eUL3oPmirF3yKeIh6QAf4U=
-cloud.google.com/go/longrunning v0.9.0 h1:0EzbDEGsAvOZNbqXopgniY0w0a1phvu5IdUFq8grmqY=
-cloud.google.com/go/longrunning v0.9.0/go.mod h1:pkTz846W7bF4o2SzdWJ40Hu0Re+UoNT6Q5t+igIcb8E=
+cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=
+cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=
+cloud.google.com/go/kms v1.26.0 h1:cK9mN2cf+9V63D3H1f6koxTatWy39aTI/hCjz1I+adU=
+cloud.google.com/go/kms v1.26.0/go.mod h1:pHKOdFJm63hxBsiPkYtowZPltu9dW0MWvBa6IA4HM58=
+cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=
+cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=
 code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
 code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
@@ -43,8 +43,8 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.24.1 h1:m5ffpfZbIb++k8AqFEKy9uVgY12xIQtBsQlc6DfZJQM=
-github.com/alecthomas/chroma/v2 v2.24.1/go.mod h1:l+ohZ9xRXIbGe7cIW+YZgOGbvuVLjMps/FYN/CwuabI=
+github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
+github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
 github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
@@ -53,36 +53,36 @@ github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmO
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b h1:uUXgbcPDK3KpW29o4iy7GtuappbWT0l5NaMo9H9pJDw=
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
-github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8=
-github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
-github.com/aws/aws-sdk-go-v2/config v1.32.17 h1:FpL4/758/diKwqbytU0prpuiu60fgXKUWCpDJtApclU=
-github.com/aws/aws-sdk-go-v2/config v1.32.17/go.mod h1:OXqUMzgXytfoF9JaKkhrOYsyh72t9G+MJH8mMRaexOE=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.16 h1:r3RJBuU7X9ibt8RHbMjWE6y60QbKBiII6wSrXnapxSU=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.16/go.mod h1:6cx7zqDENJDbBIIWX6P8s0h6hqHC8Avbjh9Dseo27ug=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 h1:UuSfcORqNSz/ey3VPRS8TcVH2Ikf0/sC+Hdj400QI6U=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23/go.mod h1:+G/OSGiOFnSOkYloKj/9M35s74LgVAdJBSD5lsFfqKg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 h1:GpT/TrnBYuE5gan2cZbTtvP+JlHsutdmlV2YfEyNde0=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23/go.mod h1:xYWD6BS9ywC5bS3sz9Xh04whO/hzK2plt2Zkyrp4JuA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 h1:bpd8vxhlQi2r1hiueOw02f/duEPTMK59Q4QMAoTTtTo=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23/go.mod h1:15DfR2nw+CRHIk0tqNyifu3G1YdAOy68RftkhMDDwYk=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 h1:OQqn11BtaYv1WLUowvcA30MpzIu8Ti4pcLPIIyoKZrA=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24/go.mod h1:X5ZJyfwVrWA96GzPmUCWFQaEARPR7gCrpq2E92PJwAE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 h1:FLudkZLt5ci0ozzgkVo8BJGwvqNaZbTWb3UcucAateA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9/go.mod h1:w7wZ/s9qK7c8g4al+UyoF1Sp/Z45UwMGcqIzLWVQHWk=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 h1:pbrxO/kuIwgEsOPLkaHu0O+m4fNgLU8B3vxQ+72jTPw=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23/go.mod h1:/CMNUqoj46HpS3MNRDEDIwcgEnrtZlKRaHNaHxIFpNA=
-github.com/aws/aws-sdk-go-v2/service/kms v1.51.1 h1:zuSf4olLKZW8cF/W9Y5wvGT+/0raY/3kVp49KsGs0QY=
-github.com/aws/aws-sdk-go-v2/service/kms v1.51.1/go.mod h1:Y0+uxvxz6ib4KktRdK0V4X45Vcs/JyYoz8H71pO8xeI=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 h1:TdJ+HdzOBhU8+iVAOGUTU63VXopcumCOF1paFulHWZc=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.11/go.mod h1:R82ZRExE/nheo0N+T8zHPcLRTcH8MGsnR3BiVGX0TwI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 h1:7byT8HUWrgoRp6sXjxtZwgOKfhss5fW6SkLBtqzgRoE=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.17/go.mod h1:xNWknVi4Ezm1vg1QsB/5EWpAJURq22uqd38U8qKvOJc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 h1:+1Kl1zx6bWi4X7cKi3VYh29h8BvsCoHQEQ6ST9X8w7w=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21/go.mod h1:4vIRDq+CJB2xFAXZ+YgGUTiEft7oAQlhIs71xcSeuVg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 h1:F/M5Y9I3nwr2IEpshZgh1GeHpOItExNM9L1euNuh/fk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.42.1/go.mod h1:mTNxImtovCOEEuD65mKW7DCsL+2gjEH+RPEAexAzAio=
-github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
-github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k=
+github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0=
+github.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
+github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 h1:s/zDSG/a/Su9aX+v0Ld9cimUCdkr5FWPmBV8owaEbZY=
+github.com/aws/aws-sdk-go-v2/service/kms v1.50.3/go.mod h1:/iSgiUor15ZuxFGQSTf3lA2FmKxFsQoc2tADOarQBSw=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
+github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
+github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/caddyserver/certmagic v0.25.3 h1:mGf5ba8F7xA4c5jfDZZbK2buY1VEkbnwpMDixaju94A=
@@ -133,8 +133,8 @@ github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WA
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dlclark/regexp2 v1.12.0 h1:0j4c5qQmnC6XOWNjP3PIXURXN2gWx76rd3KvgdPkCz8=
-github.com/dlclark/regexp2 v1.12.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
+github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@@ -149,8 +149,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
 github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
-github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
-github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -168,8 +168,8 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.28.1 h1:YWIwi77J4xIsYUwAF/iIuS6haffzIHS8yWI8glSbLWM=
-github.com/google/cel-go v0.28.1/go.mod h1:X0bD6iVNR8pkROSOoHVdgTkzmRcosof7WQqCD6wcMc8=
+github.com/google/cel-go v0.28.0 h1:KjSWstCpz/MN5t4a8gnGJNIYUsJRpdi/r97xWDphIQc=
+github.com/google/cel-go v0.28.0/go.mod h1:X0bD6iVNR8pkROSOoHVdgTkzmRcosof7WQqCD6wcMc8=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 h1:heyoXNxkRT155x4jTAiSv5BVSVkueifPUm+Q8LUXMRo=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745/go.mod h1:zN0wUQgV9LjwLZeFHnrAbQi8hzMVvEWePyk+MhPOk7k=
@@ -179,18 +179,18 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
 github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
-github.com/google/go-tpm-tools v0.4.8 h1:V4oIYyAD3BykOycwYQzO29WefDouQMTsYZqmG3HxOfM=
-github.com/google/go-tpm-tools v0.4.8/go.mod h1:4DfiOtiS1KppJjwf1+tqtW4K3PrCJjAAqFKj/TYTJKg=
+github.com/google/go-tpm-tools v0.4.7 h1:J3ycC8umYxM9A4eF73EofRZu4BxY0jjQnUnkhIBbvws=
+github.com/google/go-tpm-tools v0.4.7/go.mod h1:gSyXTZHe3fgbzb6WEGd90QucmsnT1SRdlye82gH8QjQ=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas=
-github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
-github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4=
-github.com/googleapis/gax-go/v2 v2.22.0/go.mod h1:irWBbALSr0Sk3qlqb9SyJ1h68WjgeFuiOzI4Rqw5+aY=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
+github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/gax-go/v2 v2.18.0 h1:jxP5Uuo3bxm3M6gGtV94P4lliVetoCB4Wk2x8QA86LI=
+github.com/googleapis/gax-go/v2 v2.18.0/go.mod h1:uSzZN4a356eRG985CzJ3WfbFSpqkLTjsnhWGJR6EwrE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
@@ -211,8 +211,8 @@ github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
-github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -259,8 +259,8 @@ github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhM
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
-github.com/pires/go-proxyproto v0.12.0 h1:TTCxD66dU898tahivkqc3hoceZp7P44FnorWyo9d5vM=
-github.com/pires/go-proxyproto v0.12.0/go.mod h1:qUvfqUMEoX7T8g0q7TQLDnhMjdTrxnG0hvpMn+7ePNI=
+github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
+github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -280,8 +280,8 @@ github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEy
 github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.59.1 h1:0Gmua0HW1Tv7ANR7hUYwRyD0MG5OJfgvYSZasGZzBic=
-github.com/quic-go/quic-go v0.59.1/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
@@ -375,14 +375,14 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/bridges/prometheus v0.68.0 h1:w3zlHYETbDwXyWHZlyyR58ZC39XGi8rAhkBgUgJ9d5w=
 go.opentelemetry.io/contrib/bridges/prometheus v0.68.0/go.mod h1:GR/mClR2nn7vE8RLwxKjoBNg+QtgdDhRzxVa93koy5o=
-go.opentelemetry.io/contrib/exporters/autoexport v0.68.0 h1:0D3GFvELGIwQGfC6agLsbrEYSGWZTRTxIXxcQUqrOuk=
-go.opentelemetry.io/contrib/exporters/autoexport v0.68.0/go.mod h1:DM2NV7Zb8CcGeVPt6glouY0FAiwZQ/iqgcWExhgWeN8=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
-go.opentelemetry.io/contrib/propagators/autoprop v0.68.0 h1:wLGFvNBPqQhzBn0QRBZjrriH8lZ9gqtTz8ufHEjLg7k=
-go.opentelemetry.io/contrib/propagators/autoprop v0.68.0/go.mod h1:evWK9nCqCzH8nhclTlpkdUzmxrmJQ2mrWCdKIvyOYec=
+go.opentelemetry.io/contrib/exporters/autoexport v0.65.0 h1:2gApdml7SznX9szEKFjKjM4qGcGSvAybYLBY319XG3g=
+go.opentelemetry.io/contrib/exporters/autoexport v0.65.0/go.mod h1:0QqAGlbHXhmPYACG3n5hNzO5DnEqqtg4VcK5pr22RI0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/contrib/propagators/autoprop v0.65.0 h1:kTaCycF9Xkm8VBBvH0rJ4wFeRjtIV55Erk3uuVsIs5s=
+go.opentelemetry.io/contrib/propagators/autoprop v0.65.0/go.mod h1:rooPzAbXfxMX9fsPJjmOBg2SN4RhFEV8D7cfGK+N3tE=
 go.opentelemetry.io/contrib/propagators/aws v1.43.0 h1:EwnsB3cXRLAh7/Nr/9rMuGw73nfb3z6uAvVDjRrbeUg=
 go.opentelemetry.io/contrib/propagators/aws v1.43.0/go.mod h1:CJjTym6F87tEdm61Qvnz5xrV8vKlH4C92djiqcn62k8=
 go.opentelemetry.io/contrib/propagators/b3 v1.43.0 h1:CETqV3QLLPTy5yNrqyMr41VnAOOD4lsRved7n4QG00A=
@@ -431,8 +431,8 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
-go.step.sm/crypto v0.81.0 h1:e+ouzpNt3Xm4dp7HGXhgYB5y4iFik3vh3phHKWmvugU=
-go.step.sm/crypto v0.81.0/go.mod h1:fsTizqQeASjTXnbv9O00XtRlIuXRkCdoRiJNyXGQujc=
+go.step.sm/crypto v0.77.1 h1:4EEqfKdv0egQ1lqz2RhnU8Jv6QgXZfrgoxWMqJF9aDs=
+go.step.sm/crypto v0.77.1/go.mod h1:U/SsmEm80mNnfD5WIkbhuW/B1eFp3fgFvdXyDLpU1AQ=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -441,8 +441,8 @@ go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.28.0 h1:IZzaP1Fv73/T/pBMLk4VutPl36uNC+OSUh3JLG3FIjo=
-go.uber.org/zap v1.28.0/go.mod h1:rDLpOi171uODNm/mxFcuYWxDsqWSAVkFdX4XojSKg/Q=
+go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
+go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
@@ -456,8 +456,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541 h1:FmKxj9ocLKn45jiR2jQMwCVhDvaK7fKQFzfuT9GvyK8=
 golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541/go.mod h1:+UoQFNBq2p2wO+Q6ddVtYc25GZ6VNdOMyyrd4nrqrKs=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
@@ -477,8 +477,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
-golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -506,8 +506,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -517,8 +517,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -528,8 +528,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -543,16 +543,16 @@ golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/api v0.277.0 h1:HJfyJUiNeBBUMai7ez8u14wkp/gH/I4wpGbbO9o+cSk=
-google.golang.org/api v0.277.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
-google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
-google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
-google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d h1:/aDRtSZJjyLQzm75d+a1wOJaqyKBMvIAfeQmoa3ORiI=
-google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:etfGUgejTiadZAUaEP14NP97xi1RGeawqkjDARA/UOs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 h1:tEkOQcXgF6dH1G+MVKZrfpYvozGrzb91k6ha7jireSM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
-google.golang.org/grpc v1.81.0/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/api v0.271.0 h1:cIPN4qcUc61jlh7oXu6pwOQqbJW2GqYh5PS6rB2C/JY=
+google.golang.org/api v0.271.0/go.mod h1:CGT29bhwkbF+i11qkRUJb2KMKqcJ1hdFceEIRd9u64Q=
+google.golang.org/genproto v0.0.0-20260217215200-42d3e9bedb6d h1:vsOm753cOAMkt76efriTCDKjpCbK18XGHMJHo0JUKhc=
+google.golang.org/genproto v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:0oz9d7g9QLSdv9/lgbIjowW1JoxMbxmBVNe8i6tORJI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"maps"
 	"net"
 	"net/http"
 	"strconv"
@@ -240,7 +241,12 @@ func (app *App) Provision(ctx caddy.Context) error {

 		// if no protocols configured explicitly, enable all except h2c
 		if len(srv.Protocols) == 0 {
-			srv.Protocols = srv.protocolsWithDefaults()
+			srv.Protocols = []string{"h1", "h2", "h3"}
+		}
+
+		srvProtocolsUnique := map[string]struct{}{}
+		for _, srvProtocol := range srv.Protocols {
+			srvProtocolsUnique[srvProtocol] = struct{}{}
 		}

 		if srv.ListenProtocols != nil {
@@ -251,7 +257,31 @@ func (app *App) Provision(ctx caddy.Context) error {

 			for i, lnProtocols := range srv.ListenProtocols {
 				if lnProtocols != nil {
-					srv.ListenProtocols[i] = srv.listenerProtocolsWithDefaults(lnProtocols)
+					// populate empty listen protocols with server protocols
+					lnProtocolsDefault := false
+					var lnProtocolsInclude []string
+					srvProtocolsInclude := maps.Clone(srvProtocolsUnique)
+
+					// keep existing listener protocols unless they are empty
+					for _, lnProtocol := range lnProtocols {
+						if lnProtocol == "" {
+							lnProtocolsDefault = true
+						} else {
+							lnProtocolsInclude = append(lnProtocolsInclude, lnProtocol)
+							delete(srvProtocolsInclude, lnProtocol)
+						}
+					}
+
+					// append server protocols to listener protocols if any listener protocols were empty
+					if lnProtocolsDefault {
+						for _, srvProtocol := range srv.Protocols {
+							if _, ok := srvProtocolsInclude[srvProtocol]; ok {
+								lnProtocolsInclude = append(lnProtocolsInclude, srvProtocol)
+							}
+						}
+					}
+
+					srv.ListenProtocols[i] = lnProtocolsInclude
 				}
 			}
 		}
@@ -173,7 +173,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 		for d := range serverDomainSet {
 			echDomains = append(echDomains, d)
 		}
-		app.tlsApp.RegisterServerNames(echDomains, httpsRRALPNs(srv))
+		app.tlsApp.RegisterServerNames(echDomains)

 		// nothing more to do here if there are no domains that qualify for
 		// automatic HTTPS and there are no explicit TLS connection policies:
@@ -574,20 +574,6 @@ func (app *App) makeRedirRoute(redirToPort uint, matcherSet MatcherSet) Route {
 	}
 }

-func httpsRRALPNs(srv *Server) []string {
-	alpn := make(map[string]struct{}, 3)
-	if srv.protocol("h3") {
-		alpn["h3"] = struct{}{}
-	}
-	if srv.protocol("h2") {
-		alpn["h2"] = struct{}{}
-	}
-	if srv.protocol("h1") {
-		alpn["http/1.1"] = struct{}{}
-	}
-	return caddytls.OrderedHTTPSRRALPN(alpn)
-}
-
 // createAutomationPolicies ensures that automated certificates for this
 // app are managed properly. This adds up to two automation policies:
 // one for the public names, and one for the internal names. If a catch-all
@@ -1,47 +1,44 @@
 package caddyhttp

 import (
-	"reflect"
 	"testing"
+
+	"github.com/caddyserver/caddy/v2"
 )

-func TestHTTPSRRALPNsDefaultProtocols(t *testing.T) {
-	srv := &Server{}
+func TestRecordAutoHTTPSRedirectAddressPrefersHTTPSPort(t *testing.T) {
+	app := &App{HTTPSPort: 443}
+	redirDomains := make(map[string][]caddy.NetworkAddress)

-	got := httpsRRALPNs(srv)
-	want := []string{"h3", "h2", "http/1.1"}
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 2345, EndPort: 2345})
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 443, EndPort: 443})
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 8443, EndPort: 8443})

-	if !reflect.DeepEqual(got, want) {
-		t.Fatalf("unexpected ALPN values: got %v want %v", got, want)
+	got := redirDomains["example.com"]
+	if len(got) != 1 {
+		t.Fatalf("expected 1 redirect address, got %d: %#v", len(got), got)
+	}
+	if got[0].StartPort != 443 {
+		t.Fatalf("expected redirect to prefer HTTPS port 443, got %#v", got[0])
 	}
 }

-func TestHTTPSRRALPNsListenProtocolOverrides(t *testing.T) {
-	srv := &Server{
-		Protocols: []string{"h1", "h2"},
-		ListenProtocols: [][]string{
-			{"h1"},
-			nil,
-			{},
-			{"h3", ""},
-		},
+func TestRecordAutoHTTPSRedirectAddressKeepsAllBindAddressesOnWinningPort(t *testing.T) {
+	app := &App{HTTPSPort: 443}
+	redirDomains := make(map[string][]caddy.NetworkAddress)
+
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "10.0.0.189", StartPort: 8443, EndPort: 8443})
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "10.0.0.189", StartPort: 443, EndPort: 443})
+	app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "2603:c024:8002:9500:9eb:e5d3:3975:d056", StartPort: 443, EndPort: 443})
+
+	got := redirDomains["example.com"]
+	if len(got) != 2 {
+		t.Fatalf("expected 2 redirect addresses for both bind addresses on the winning port, got %d: %#v", len(got), got)
 	}
-
-	got := httpsRRALPNs(srv)
-	want := []string{"h3", "h2", "http/1.1"}
-
-	if !reflect.DeepEqual(got, want) {
-		t.Fatalf("unexpected ALPN values: got %v want %v", got, want)
-	}
-}
-
-func TestHTTPSRRALPNsIgnoresH2COnly(t *testing.T) {
-	srv := &Server{
-		Protocols: []string{"h2c"},
-	}
-
-	got := httpsRRALPNs(srv)
-	if len(got) != 0 {
-		t.Fatalf("unexpected ALPN values: got %v want none", got)
+	if got[0].StartPort != 443 || got[1].StartPort != 443 {
+		t.Fatalf("expected both redirect addresses to stay on HTTPS port 443, got %#v", got)
+	}
+	if got[0].Host != "10.0.0.189" || got[1].Host != "2603:c024:8002:9500:9eb:e5d3:3975:d056" {
+		t.Fatalf("expected both bind addresses to be preserved, got %#v", got)
 	}
 }
@@ -37,12 +37,6 @@ func init() {
 // `{http.auth.user.*}` placeholders may be set for any authentication
 // modules that provide user metadata.
 //
-// If authentication is rejected but a provider returns user information,
-// the placeholder `{http.auth.candidate.id}` will be set to the candidate
-// username, and also `{http.auth.candidate.*}` placeholders may be set
-// for candidate user metadata. Candidate placeholders do not represent a
-// successfully authenticated principal.
-//
 // In case of an error, the placeholder `{http.auth.<provider>.error}`
 // will be set to the error message returned by the authentication
 // provider.
@@ -84,8 +78,6 @@ func (a *Authentication) Provision(ctx caddy.Context) error {
 func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 	var user User
-	var candidate User
-	var hasCandidate bool
 	var authed bool
 	var err error
 	for provName, prov := range a.Providers {
@@ -102,34 +94,19 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 		if authed {
 			break
 		}
-		if userHasInfo(user) {
-			candidate = user
-			hasCandidate = true
-		}
 	}
 	if !authed {
-		if hasCandidate {
-			setAuthUserPlaceholders(repl, "http.auth.candidate", candidate)
-		}
 		return caddyhttp.Error(http.StatusUnauthorized, fmt.Errorf("not authenticated"))
 	}

-	setAuthUserPlaceholders(repl, "http.auth.user", user)
+	repl.Set("http.auth.user.id", user.ID)
+	for k, v := range user.Metadata {
+		repl.Set("http.auth.user."+k, v)
+	}

 	return next.ServeHTTP(w, r)
 }

-func userHasInfo(user User) bool {
-	return user.ID != "" || len(user.Metadata) > 0
-}
-
-func setAuthUserPlaceholders(repl *caddy.Replacer, namespace string, user User) {
-	repl.Set(namespace+".id", user.ID)
-	for k, v := range user.Metadata {
-		repl.Set(namespace+"."+k, v)
-	}
-}
-
 // Authenticator is a type which can authenticate a request.
 // If a request was not authenticated, it returns false. An
 // error is only returned if authenticating the request fails
@@ -1,197 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddyauth
-
-import (
-	"context"
-	"errors"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"go.uber.org/zap"
-
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
-)
-
-func TestAuthenticationRejectedUserSetsCandidatePlaceholders(t *testing.T) {
-	auth := Authentication{
-		Providers: map[string]Authenticator{
-			"test": staticAuthenticator{
-				user: User{
-					ID: "alice",
-					Metadata: map[string]string{
-						"role": "admin",
-					},
-				},
-			},
-		},
-		logger: zap.NewNop(),
-	}
-	req, repl := newRequestWithReplacer()
-	nextCalled := false
-
-	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
-		nextCalled = true
-		return nil
-	}))
-	if err == nil {
-		t.Fatal("expected authentication error")
-	}
-	var handlerErr caddyhttp.HandlerError
-	if !errors.As(err, &handlerErr) {
-		t.Fatalf("expected HandlerError, got %T", err)
-	}
-	if handlerErr.StatusCode != http.StatusUnauthorized {
-		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, handlerErr.StatusCode)
-	}
-	if nextCalled {
-		t.Fatal("next handler was called for rejected authentication")
-	}
-
-	assertPlaceholder(t, repl, "http.auth.candidate.id", "alice")
-	assertPlaceholder(t, repl, "http.auth.candidate.role", "admin")
-	assertPlaceholderAbsent(t, repl, "http.auth.user.id")
-	assertPlaceholderAbsent(t, repl, "http.auth.user.role")
-}
-
-func TestAuthenticationSuccessfulUserSetsUserPlaceholdersOnly(t *testing.T) {
-	auth := Authentication{
-		Providers: map[string]Authenticator{
-			"test": staticAuthenticator{
-				user: User{
-					ID: "alice",
-					Metadata: map[string]string{
-						"role": "admin",
-					},
-				},
-				authed: true,
-			},
-		},
-		logger: zap.NewNop(),
-	}
-	req, repl := newRequestWithReplacer()
-	nextCalled := false
-
-	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
-		nextCalled = true
-		return nil
-	}))
-	if err != nil {
-		t.Fatalf("expected no authentication error, got %v", err)
-	}
-	if !nextCalled {
-		t.Fatal("next handler was not called for successful authentication")
-	}
-
-	assertPlaceholder(t, repl, "http.auth.user.id", "alice")
-	assertPlaceholder(t, repl, "http.auth.user.role", "admin")
-	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
-	assertPlaceholderAbsent(t, repl, "http.auth.candidate.role")
-}
-
-func TestAuthenticationSuccessfulProviderDoesNotExposeEarlierCandidate(t *testing.T) {
-	auth := Authentication{
-		Providers: map[string]Authenticator{
-			"first": staticAuthenticator{
-				user: User{
-					ID: "rejected",
-					Metadata: map[string]string{
-						"role": "guest",
-					},
-				},
-			},
-			"second": staticAuthenticator{
-				user: User{
-					ID: "accepted",
-					Metadata: map[string]string{
-						"role": "admin",
-					},
-				},
-				authed: true,
-			},
-		},
-		logger: zap.NewNop(),
-	}
-	req, repl := newRequestWithReplacer()
-
-	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
-		return nil
-	}))
-	if err != nil {
-		t.Fatalf("expected no authentication error, got %v", err)
-	}
-
-	assertPlaceholder(t, repl, "http.auth.user.id", "accepted")
-	assertPlaceholder(t, repl, "http.auth.user.role", "admin")
-	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
-	assertPlaceholderAbsent(t, repl, "http.auth.candidate.role")
-}
-
-func TestAuthenticationRejectedEmptyUserDoesNotSetCandidatePlaceholders(t *testing.T) {
-	auth := Authentication{
-		Providers: map[string]Authenticator{
-			"test": staticAuthenticator{},
-		},
-		logger: zap.NewNop(),
-	}
-	req, repl := newRequestWithReplacer()
-
-	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
-		t.Fatal("next handler was called for rejected authentication")
-		return nil
-	}))
-	if err == nil {
-		t.Fatal("expected authentication error")
-	}
-
-	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
-}
-
-func newRequestWithReplacer() (*http.Request, *caddy.Replacer) {
-	req := httptest.NewRequest(http.MethodGet, "/", nil)
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
-	return req.WithContext(ctx), repl
-}
-
-func assertPlaceholder(t *testing.T, repl *caddy.Replacer, key, expected string) {
-	t.Helper()
-	actual, ok := repl.GetString(key)
-	if !ok {
-		t.Fatalf("expected placeholder %q to be set", key)
-	}
-	if actual != expected {
-		t.Fatalf("expected placeholder %q to be %q, got %q", key, expected, actual)
-	}
-}
-
-func assertPlaceholderAbsent(t *testing.T, repl *caddy.Replacer, key string) {
-	t.Helper()
-	if actual, ok := repl.GetString(key); ok {
-		t.Fatalf("expected placeholder %q to be absent, got %q", key, actual)
-	}
-}
-
-type staticAuthenticator struct {
-	user   User
-	authed bool
-	err    error
-}
-
-func (a staticAuthenticator) Authenticate(http.ResponseWriter, *http.Request) (User, bool, error) {
-	return a.user, a.authed, a.err
-}
@@ -108,7 +108,7 @@ func (m *MatchExpression) UnmarshalJSON(data []byte) error {
 		return json.Unmarshal(data, &m.Expr)
 	}
 	// otherwise, it's a full object, so unmarshal it,
-	// using a temp map to avoid infinite recursion
+	// using an temp map to avoid infinite recursion
 	var tmpJson map[string]any
 	err := json.Unmarshal(data, &tmpJson)
 	*m = MatchExpression{
@@ -118,7 +118,7 @@ func (m *MatchExpression) UnmarshalJSON(data []byte) error {
 	return err
 }

-// Provision sets up m.
+// Provision sets ups m.
 func (m *MatchExpression) Provision(ctx caddy.Context) error {
 	m.log = ctx.Logger()

@@ -319,7 +319,7 @@ func (cr celHTTPRequest) Value() any  { return cr }

 var pkixNameCELType = cel.ObjectType("pkix.Name", traits.ReceiverType)

-// celPkixName wraps a pkix.Name with
+// celPkixName wraps an pkix.Name with
 // methods to satisfy the ref.Val interface.
 type celPkixName struct{ *pkix.Name }

@@ -79,7 +79,7 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			wantResult: true,
 		},
 		{
-			name: "header matches a placeholder replaced during the header matcher (MatchHeader)",
+			name: "header matches an placeholder replaced during the header matcher (MatchHeader)",
 			expression: &MatchExpression{
 				Expr: `header({'Field': '\{http.request.uri.path}'})`,
 			},
@@ -162,7 +162,7 @@ func (enc *Encode) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyh

 			// to comply with RFC 9110 section 8.8.3(.3), we modify the Etag when encoding
 			// by appending a hyphen and the encoder name; the problem is, the client will
-			// send back that Etag in an If-None-Match header, but upstream handlers that set
+			// send back that Etag in a If-None-Match header, but upstream handlers that set
 			// the Etag in the first place don't know that we appended to their Etag! so here
 			// we have to strip our addition so the upstream handlers can still honor client
 			// caches without knowing about our changes...
@@ -369,7 +369,7 @@ const sniffLen = 512

 // ReadFrom will try to use sendfile to copy from the reader to the response writer.
 // It's only used if the response writer implements io.ReaderFrom and the data can't be compressed.
-// It's based on the standard library HTTP/1.1 response writer implementation.
+// It's based on stdlin http1.1 response writer implementation.
 // https://github.com/golang/go/blob/f4e3ec3dbe3b8e04a058d266adf8e048bab563f2/src/net/http/server.go#L586
 func (rw *responseWriter) ReadFrom(r io.Reader) (int64, error) {
 	rf, ok := rw.ResponseWriter.(io.ReaderFrom)
@@ -281,13 +281,7 @@ func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Re
 			sortParam = sortCookie.Value
 		}
 	case sortByName, sortByNameDirFirst, sortBySize, sortByTime:
-		http.SetCookie(w, &http.Cookie{ //nolint:gosec // Secure depends on whether the request itself used TLS
-			Name:     "sort",
-			Value:    sortParam,
-			Secure:   r.TLS != nil,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		})
+		http.SetCookie(w, &http.Cookie{Name: "sort", Value: sortParam, Secure: r.TLS != nil})
 	}

 	// then figure out the order
@@ -298,13 +292,7 @@ func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Re
 			orderParam = orderCookie.Value
 		}
 	case sortOrderAsc, sortOrderDesc:
-		http.SetCookie(w, &http.Cookie{ //nolint:gosec // Secure depends on whether the request itself used TLS
-			Name:     "order",
-			Value:    orderParam,
-			Secure:   r.TLS != nil,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		})
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: orderParam, Secure: r.TLS != nil})
 	}

 	// finally, apply the sorting and limiting
@@ -28,7 +28,6 @@ import (
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/internal/filesystems"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
-	"github.com/caddyserver/caddy/v2/modules/caddyhttp/rewrite"
 )

 type testCase struct {
@@ -189,105 +188,6 @@ func fileMatcherTest(t *testing.T, i int, tc testCase) {
 	}
 }

-func TestTryFilesRewriteEscapesMatchedPath(t *testing.T) {
-	root := t.TempDir()
-
-	tests := []struct {
-		name           string
-		requestTarget  string
-		filename       string
-		extraFiles     []string
-		wantPath       string
-		wantRequestURI string
-		skipWindows    bool
-	}{
-		{
-			name:           "question mark in path",
-			requestTarget:  "/%3F.html",
-			filename:       "?.html",
-			wantPath:       "/?.html",
-			wantRequestURI: "/%3F.html",
-			skipWindows:    true,
-		},
-		{
-			name:           "percent in path",
-			requestTarget:  "/%25.html",
-			filename:       "%.html",
-			wantPath:       "/%.html",
-			wantRequestURI: "/%25.html",
-		},
-		{
-			name:           "encoded question mark remains percent-encoded",
-			requestTarget:  "/%253F.html",
-			filename:       "%3F.html",
-			wantPath:       "/%3F.html",
-			wantRequestURI: "/%253F.html",
-		},
-		{
-			name:           "question mark in nested path",
-			requestTarget:  "/nested/%3F.html",
-			filename:       filepath.Join("nested", "?.html"),
-			wantPath:       "/nested/?.html",
-			wantRequestURI: "/nested/%3F.html",
-			skipWindows:    true,
-		},
-		{
-			name:           "encoded slash in filename does not conflict with nesting",
-			requestTarget:  "/nested%252Ffile.html",
-			filename:       "nested%2Ffile.html",
-			extraFiles:     []string{filepath.Join("nested", "file.html")},
-			wantPath:       "/nested%2Ffile.html",
-			wantRequestURI: "/nested%252Ffile.html",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if tc.skipWindows && runtime.GOOS == "windows" {
-				t.Skip("Windows file names cannot contain question marks")
-			}
-
-			for _, name := range append([]string{tc.filename}, tc.extraFiles...) {
-				filename := filepath.Join(root, name)
-				if err := os.MkdirAll(filepath.Dir(filename), 0o700); err != nil {
-					t.Fatalf("creating test file parent directory: %v", err)
-				}
-				if err := os.WriteFile(filename, []byte(name), 0o600); err != nil {
-					t.Fatalf("writing test file: %v", err)
-				}
-			}
-
-			m := &MatchFile{
-				fsmap:    &filesystems.FileSystemMap{},
-				Root:     root,
-				TryFiles: []string{"{http.request.uri.path}"},
-			}
-			req := httptest.NewRequest(http.MethodGet, "http://example.com"+tc.requestTarget, nil)
-			repl := caddyhttp.NewTestReplacer(req)
-
-			matched, err := m.MatchWithError(req)
-			if err != nil {
-				t.Fatalf("matching file: %v", err)
-			}
-			if !matched {
-				t.Fatalf("expected request %s to match %s", tc.requestTarget, tc.filename)
-			}
-
-			rewrite.Rewrite{URI: "{http.matchers.file.relative}"}.Rewrite(req, repl)
-
-			if req.URL.Path != tc.wantPath {
-				t.Errorf("rewritten path = %q, want %q", req.URL.Path, tc.wantPath)
-			}
-			if req.RequestURI != tc.wantRequestURI {
-				t.Errorf("rewritten request URI = %q, want %q", req.RequestURI, tc.wantRequestURI)
-			}
-			if req.URL.RawQuery != "" {
-				t.Errorf("rewritten raw query = %q, want empty", req.URL.RawQuery)
-			}
-		})
-	}
-}
-
 func TestPHPFileMatcher(t *testing.T) {
 	for i, tc := range []struct {
 		path         string
@@ -29,7 +29,6 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"time"

 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -124,7 +123,7 @@ type FileServer struct {
 	// put "hidden" in the list. To hide only ./hidden, put "./hidden" in the list.
 	//
 	// When possible, all paths are resolved to their absolute form before
-	// comparisons are made. For maximum clarity and explicitness, use complete,
+	// comparisons are made. For maximum clarity and explictness, use complete,
 	// absolute paths; or, for greater portability, use relative paths instead.
 	//
 	// Note that hide comparisons are case-sensitive. On case-insensitive
@@ -580,17 +579,7 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	// that errors generated by ServeContent are written immediately
 	// to the response, so we cannot handle them (but errors there
 	// are rare)
-	//
-	// There are a few file modification times that aren't useful
-	// to send in Last-Modified headers, but the golang http library only
-	// omits Last-Modified headers for the Unix epoch time. So, force
-	// the modification time to the epoch time if it's not useful.
-	zeroTime := time.Time{}
-	modTime := info.ModTime()
-	if !usefulModTime(modTime) {
-		modTime = zeroTime
-	}
-	http.ServeContent(w, r, info.Name(), modTime, file.(io.ReadSeeker))
+	http.ServeContent(w, r, info.Name(), info.ModTime(), file.(io.ReadSeeker))

 	return nil
 }
@@ -737,14 +726,6 @@ func (fsrv *FileServer) notFound(w http.ResponseWriter, r *http.Request, next ca
 	return caddyhttp.Error(http.StatusNotFound, nil)
 }

-// Indicates whether a file's modification time is useful for validator
-// generation purposes (i.e. inclusion in ETag and Last-Modified headers).
-// See issues #5548 and #7730.
-func usefulModTime(modTime time.Time) bool {
-	mtimeunix := modTime.Unix()
-	return mtimeunix != 0 && mtimeunix != 1
-}
-
 // calculateEtag computes an entity tag using a strong validator
 // without consuming the contents of the file. It requires the
 // file info contain the correct size and modification time.
@@ -762,8 +743,8 @@ func usefulModTime(modTime time.Time) bool {
 // which we consider precise enough to qualify as a strong validator.
 func calculateEtag(d os.FileInfo) string {
 	mtime := d.ModTime()
-	if !usefulModTime(mtime) {
-		return ""
+	if mtimeUnix := mtime.Unix(); mtimeUnix == 0 || mtimeUnix == 1 {
+		return "" // not useful anyway; see issue #5548
 	}
 	var sb strings.Builder
 	sb.WriteRune('"')
@@ -804,7 +785,7 @@ func redirect(w http.ResponseWriter, r *http.Request, toPath string) error {
 	if r.URL.RawQuery != "" {
 		toPath += "?" + r.URL.RawQuery
 	}
-	http.Redirect(w, r, toPath, http.StatusPermanentRedirect) //nolint:gosec // toPath is a same-origin path and leading // is stripped above
+	http.Redirect(w, r, toPath, http.StatusPermanentRedirect)
 	return nil
 }

@@ -15,17 +15,10 @@
 package fileserver

 import (
-	"context"
-	"net/http"
-	"net/http/httptest"
-	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"testing"
-	"time"
-
-	"github.com/caddyserver/caddy/v2"
 )

 func TestFileHidden(t *testing.T) {
@@ -135,52 +128,3 @@ func TestFileHidden(t *testing.T) {
 		}
 	}
 }
-
-// Check to make sure that we don't serve ETag and Last-Modified headers
-// for files with invalid modification times
-func TestModTimeHeaders(t *testing.T) {
-	check_validator_headers(time.Now(), true, t)
-	check_validator_headers(time.Unix(0, 0), false, t)
-	check_validator_headers(time.Unix(1, 0), false, t)
-	check_validator_headers(time.Unix(2, 0), true, t)
-}
-
-func check_validator_headers(modTime time.Time, expect_headers bool, t *testing.T) {
-	f := false
-	fsrv := FileServer{
-		Root:          "./testdata",
-		CanonicalURIs: &f,
-	}
-	w := httptest.NewRecorder()
-	r, err := http.NewRequest("GET", "/modtime.txt", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
-	r = r.WithContext(ctx)
-
-	ctx2, _ := caddy.NewContext(caddy.Context{Context: context.Background()}) // module will be nil by default
-	fsrv.Provision(ctx2)
-
-	path := "testdata/modtime.txt"
-	os.Chtimes(path, modTime, modTime)
-
-	fsrv.ServeHTTP(w, r, nil)
-
-	if expect_headers {
-		if w.Header().Get("ETag") == "" {
-			t.Errorf("Didn't get ETag header for file with valid mod time %s", modTime)
-		}
-		if w.Header().Get("Last-Modified") == "" {
-			t.Errorf("Didn't get Last-Modified header for file with valid mod time %s", modTime)
-		}
-	} else {
-		if w.Header().Get("ETag") != "" {
-			t.Errorf("Got ETag header for file with invalid mod time %s", modTime)
-		}
-		if w.Header().Get("Last-Modified") != "" {
-			t.Errorf("Got Last-Modified header for file with invalid mod time %s", modTime)
-		}
-	}
-}
@@ -15,7 +15,7 @@ type connectionStater interface {

 // http2Listener wraps the listener to solve the following problems:
 // 1. prevent genuine h2c connections from succeeding if h2c is not enabled
-// and the connection doesn't implement connectionStater or the resulting NegotiatedProtocol
+// and the connection doesn't implment connectionStater or the resulting NegotiatedProtocol
 // isn't http2.
 // This does allow a connection to pass as tls enabled even if it's not, listener wrappers
 // can do this.
@@ -101,7 +101,7 @@ type httpRedirectConn struct {

 // Read tries to peek at the first few bytes of the request, and if we get
 // an error reading the headers, and that error was due to the bytes looking
-// like an HTTP request, then we perform an HTTP->HTTPS redirect on the same
+// like an HTTP request, then we perform a HTTP->HTTPS redirect on the same
 // port as the original connection.
 func (c *httpRedirectConn) Read(p []byte) (int, error) {
 	if c.once {
@@ -435,12 +435,12 @@ func (m MatchPath) MatchWithError(r *http.Request) (bool, error) {
 	// can be used instead.
 	reqPath := strings.ToLower(r.URL.Path)

+	// See #2917; Windows ignores trailing dots and spaces
+	// when accessing files (sigh), potentially causing a
+	// security risk (cry) if PHP files end up being served
+	// as static files, exposing the source code, instead of
+	// being matched by *.php to be treated as PHP scripts.
 	if runtime.GOOS == "windows" { // issue #5613
-		// Windows treats backslashes as path separators and
-		// ignores trailing dots and spaces when accessing files
-		// (sigh), potentially causing a security risk (cry) if
-		// protected files are not matched as intended.
-		reqPath = strings.ReplaceAll(reqPath, `\`, "/")
 		reqPath = strings.TrimRight(reqPath, ". ")
 	}

@@ -478,12 +478,7 @@ func (m MatchPath) MatchWithError(r *http.Request) (bool, error) {
 		// the intent is to compare that part of the path in raw/escaped
 		// space; i.e. "%40"=="%40", not "@", and "%2F"=="%2F", not "/"
 		if strings.Contains(matchPattern, "%") {
-			escapedPath := r.URL.EscapedPath()
-			if runtime.GOOS == "windows" {
-				escapedPath = windowsEscapedPathSeparatorRepl.Replace(escapedPath)
-				matchPattern = windowsEscapedPathSeparatorRepl.Replace(matchPattern)
-			}
-			reqPathForPattern := CleanPath(escapedPath, mergeSlashes)
+			reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)
 			if m.matchPatternWithEscapeSequence(reqPathForPattern, matchPattern) {
 				return true, nil
 			}
@@ -648,14 +643,6 @@ func (MatchPath) matchPatternWithEscapeSequence(escapedPath, matchPath string) b
 	return matches
 }

-// windowsEscapedPathSeparatorRepl normalizes Windows backslash separators
-// while preserving escaped-path matching semantics.
-var windowsEscapedPathSeparatorRepl = strings.NewReplacer(
-	`\`, "%2f",
-	"%5c", "%2f",
-	"%5C", "%2f",
-)
-
 // CELLibrary produces options that expose this matcher for use in CEL
 // expression matchers.
 //
@@ -461,61 +461,18 @@ func TestPathMatcherWindows(t *testing.T) {
 		return
 	}

+	req := &http.Request{URL: &url.URL{Path: "/index.php . . .."}}
 	repl := caddy.NewReplacer()
+	ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
+	req = req.WithContext(ctx)

-	for _, tc := range []struct {
-		name          string
-		path          string
-		requestTarget string
-		match         MatchPath
-	}{
-		{
-			name:  "trailing dots and spaces",
-			path:  "/index.php . . ..",
-			match: MatchPath{"*.php"},
-		},
-		{
-			name:          "encoded backslash path separator",
-			requestTarget: `/private%5csecret.txt`,
-			match:         MatchPath{"/private/*"},
-		},
-		{
-			name:          "encoded backslash path separator with escaped wildcard",
-			requestTarget: `/private%5csecret.txt`,
-			match:         MatchPath{"/private/%*"},
-		},
-		{
-			name:          "uppercase encoded backslash path separator with escaped wildcard",
-			requestTarget: `/private%5Csecret.txt`,
-			match:         MatchPath{"/private/%*"},
-		},
-		{
-			name:          "encoded backslash in escaped pattern",
-			requestTarget: `/private%5csecret.txt`,
-			match:         MatchPath{"/private%5c%*"},
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			u := &url.URL{Path: tc.path}
-			if tc.requestTarget != "" {
-				var err error
-				u, err = url.ParseRequestURI(tc.requestTarget)
-				if err != nil {
-					t.Fatalf("Parsing request target: %v", err)
-				}
-			}
-			req := &http.Request{URL: u}
-			ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
-			req = req.WithContext(ctx)
-
-			matched, err := tc.match.MatchWithError(req)
-			if err != nil {
-				t.Errorf("Expected no error, but got: %v", err)
-			}
-			if !matched {
-				t.Errorf("Expected %q to match %v", req.URL.Path, tc.match)
-			}
-		})
+	match := MatchPath{"*.php"}
+	matched, err := match.MatchWithError(req)
+	if err != nil {
+		t.Errorf("Expected no error, but got: %v", err)
+	}
+	if !matched {
+		t.Errorf("Expected to match; should ignore trailing dots and spaces")
 	}
 }

@@ -135,8 +135,8 @@ type client struct {
 	logger *zap.Logger
 }

-// Do makes the request and returns an io.Reader that translates the data read
-// from the FastCGI responder out of FastCGI packets before returning it.
+// Do made the request and returns a io.Reader that translates the data read
+// from fcgi responder out of fcgi packet before returning it.
 func (c *client) Do(p map[string]string, req io.Reader) (r io.Reader, err error) {
 	// check for CONTENT_LENGTH, since the lack of it or wrong value will cause the backend to hang
 	if clStr, ok := p["CONTENT_LENGTH"]; !ok {
@@ -179,7 +179,7 @@ func (c *client) Do(p map[string]string, req io.Reader) (r io.Reader, err error)
 	return r, err
 }

-// clientCloser is an io.ReadCloser. It wraps an io.Reader with a Closer
+// clientCloser is a io.ReadCloser. It wraps a io.Reader with a Closer
 // that closes the client connection.
 type clientCloser struct {
 	rwc net.Conn
@@ -208,8 +208,8 @@ func (f clientCloser) Close() error {
 	return f.rwc.Close()
 }

-// Request returns an HTTP response with header and body
-// from the FastCGI responder.
+// Request returns a HTTP Response with Header and Body
+// from fcgi responder
 func (c *client) Request(p map[string]string, req io.Reader) (resp *http.Response, err error) {
 	r, err := c.Do(p, req)
 	if err != nil {
@@ -28,6 +28,8 @@ import (

 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
+	"golang.org/x/text/language"
+	"golang.org/x/text/search"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -416,19 +418,14 @@ func (t Transport) buildEnv(r *http.Request) (envVars, error) {
 	return env, nil
 }

+var splitSearchNonASCII = search.New(language.Und, search.IgnoreCase)
+
 // splitPos returns the index where path should
 // be split based on t.SplitPath.
 //
 // example: if splitPath is [".php"]
 // "/path/to/script.php/some/path": ("/path/to/script.php", "/some/path")
 //
-// Matching is strictly ASCII case-insensitive. Bytes >= utf8.RuneSelf in path
-// never match any split entry: split strings are validated ASCII-only and
-// lower-cased in Provision(), so any Unicode equivalence (e.g. fullwidth or
-// mathematical letters folding to ASCII) would let an attacker upload a file
-// whose name contains such code points and have it served as PHP. See
-// FrankenPHP advisories GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8.
-//
 // Adapted from FrankenPHP's code (copyright 2026 Kévin Dunglas, MIT license)
 func (t Transport) splitPos(path string) int {
 	// TODO: from v1...
@@ -441,18 +438,31 @@ func (t Transport) splitPos(path string) int {

 	pathLen := len(path)

+	// We are sure that split strings are all ASCII-only and lower-case because of validation and normalization in Provision().
 	for _, split := range t.SplitPath {
 		splitLen := len(split)
-		if splitLen == 0 || splitLen > pathLen {
-			continue
-		}

-		for i := 0; i <= pathLen-splitLen; i++ {
+		for i := range pathLen {
+			if path[i] >= utf8.RuneSelf {
+				if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
+					return end
+				}
+
+				break
+			}
+
+			if i+splitLen > pathLen {
+				continue
+			}
+
 			match := true
 			for j := range splitLen {
 				c := path[i+j]
+
 				if c >= utf8.RuneSelf {
-					match = false
+					if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
+						return end
+					}

 					break
 				}
@@ -191,65 +191,6 @@ func TestSplitPos(t *testing.T) {
 			splitPath: []string{".php"},
 			wantPos:   9,
 		},
-		// Regression tests adapted from FrankenPHP advisories
-		// GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8: search.IgnoreCase
-		// matched Unicode equivalents of ASCII letters as ".php", and an
-		// inner non-ASCII byte path could leave the match flag stale.
-		{
-			name:      "non-ascii byte after dot must not match",
-			path:      "/PoC-match-unset.¡.txt",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "non-ascii byte mid-extension must not match",
-			path:      "/script.p\xc2\xa1p",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "small full stop ﹒ in extension must not match",
-			path:      "/shell﹒php",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "fullwidth full stop ． in extension must not match",
-			path:      "/shell．php",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "fullwidth p in extension must not match",
-			path:      "/shell.ｐhp",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "circled php must not match",
-			path:      "/shell.ⓟⓗⓟ",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "mathematical sans-serif bold php must not match",
-			path:      "/shell.\U0001D5FD\U0001D5F5\U0001D5FD",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "mathematical script php must not match",
-			path:      "/shell.\U0001D4C5\U0001D4BD\U0001D4C5",
-			splitPath: []string{".php"},
-			wantPos:   -1,
-		},
-		{
-			name:      "circled php with later real php still picks the real one",
-			path:      "/shell.ⓟⓗⓟ.anything-after-payload.php",
-			splitPath: []string{".php"},
-			// "/shell." (7) + "ⓟⓗⓟ" (3*3 bytes) + ".anything-after-payload.php" (27) = 43
-			wantPos: 43,
-		},
 	}

 	for _, tt := range tests {
@@ -303,31 +244,3 @@ func TestSplitPosUnicodeSecurityRegression(t *testing.T) {
 		assert.Equal(t, ".txt.php", pathInfo, "path info should be the remainder after first .php")
 	}
 }
-
-// TestSplitPosSecurityRegressionUnicodeBypass guards against the FrankenPHP
-// advisories GHSA-3g8v-8r37-cgjm (uninitialized match flag on inner non-ASCII
-// byte) and GHSA-v4h7-cj44-8fc8 (Unicode equivalence via search.IgnoreCase
-// folding fullwidth/mathematical/circled letters onto ASCII). Every payload
-// below produced a false positive in the vulnerable implementation; none
-// must match here.
-func TestSplitPosSecurityRegressionUnicodeBypass(t *testing.T) {
-	t.Parallel()
-
-	tr := Transport{SplitPath: []string{".php"}}
-	payloads := []string{
-		"/PoC-match-unset.¡.txt",                // GHSA-3g8v: stale match=true on IndexString fallback
-		"/shell﹒php",                            // U+FE52 small full stop
-		"/shell．php",                            // U+FF0E fullwidth full stop
-		"/shell.ｐhp",                            // U+FF50 fullwidth p
-		"/shell.pｈp",                            // U+FF48 fullwidth h
-		"/shell.phｐ",                            // U+FF50 fullwidth p (trailing)
-		"/shell.\U0001D5C1\U0001D5B5\U0001D5C1", // mathematical sans-serif p/h
-		"/shell.\U0001D5FD\U0001D5F5\U0001D5FD", // mathematical sans-serif bold p/h
-		"/shell.\U0001D4C5\U0001D4BD\U0001D4C5", // mathematical script p/h
-		"/shell.ⓟⓗⓟ",                            // circled latin small
-	}
-
-	for _, p := range payloads {
-		assert.Equalf(t, -1, tr.splitPos(p), "payload %q must not be detected as .php", p)
-	}
-}
@@ -522,7 +522,7 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, networ
 		body = io.LimitReader(body, h.HealthChecks.Active.MaxSize)
 	}
 	defer func() {
-		// drain any remaining body so connection could be reused
+		// drain any remaining body so connection could be re-used
 		_, _ = io.Copy(io.Discard, body)
 		resp.Body.Close()
 	}()
@@ -32,7 +32,6 @@ import (
 	"time"

 	"github.com/pires/go-proxyproto"
-	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/http3"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -162,8 +161,7 @@ type HTTPTransport struct {
 	// `HTTPS_PROXY`, and `NO_PROXY` environment variables.
 	NetworkProxyRaw json.RawMessage `json:"network_proxy,omitempty" caddy:"namespace=caddy.network_proxy inline_key=from"`

-	h3Transport   *http3.Transport // TODO: EXPERIMENTAL (May 2024)
-	quicTransport *quic.Transport  // used by h3Transport if sni placeholder is used, otherwise nil
+	h3Transport *http3.Transport // TODO: EXPERIMENTAL (May 2024)
 }

 // CaddyModule returns the Caddy module information.
@@ -501,25 +499,6 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 			if err != nil {
 				return nil, fmt.Errorf("making TLS client config for HTTP/3 transport: %v", err)
 			}
-
-			if strings.Contains(h.TLS.ServerName, "{") {
-				// copied from quic-go
-				udpConn, err := net.ListenUDP("udp", nil)
-				if err != nil {
-					return nil, fmt.Errorf("making udp socket for HTTP/3 transport: %v", err)
-				}
-				h.quicTransport = &quic.Transport{Conn: udpConn}
-				h.h3Transport.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
-					// tlsCfg is already cloned from h3Transport.TLSClientConfig
-					repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
-					tlsCfg.ServerName = repl.ReplaceAll(tlsCfg.ServerName, "")
-					udpAddr, err := resolveUDPAddr(ctx, "udp", addr)
-					if err != nil {
-						return nil, err
-					}
-					return h.quicTransport.DialEarly(ctx, udpAddr, tlsCfg, cfg)
-				}
-			}
 		}
 	} else if len(h.Versions) > 1 && slices.Contains(h.Versions, "3") {
 		return nil, fmt.Errorf("if HTTP/3 is enabled to the upstream, no other HTTP versions are supported")
@@ -546,71 +525,6 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 	return rt, nil
 }

-// TODO: EXPERIMENTAL (May 2025)
-// copied from quic-go
-func resolveUDPAddr(ctx context.Context, network, addr string) (*net.UDPAddr, error) {
-	host, portStr, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, err
-	}
-	port, err := net.LookupPort(network, portStr)
-	if err != nil {
-		return nil, err
-	}
-	resolver := net.DefaultResolver
-	ipAddrs, err := resolver.LookupIPAddr(ctx, host)
-	if err != nil {
-		return nil, err
-	}
-	addrs := addrList(ipAddrs)
-	ip := addrs.forResolve(network, addr)
-	return &net.UDPAddr{IP: ip.IP, Port: port, Zone: ip.Zone}, nil
-}
-
-// TODO: EXPERIMENTAL (May 2025)
-// copied from quic-go
-// An addrList represents a list of network endpoint addresses.
-// Copy from [net.addrList] and change type from [net.Addr] to [net.IPAddr]
-type addrList []net.IPAddr
-
-// isIPv4 reports whether addr contains an IPv4 address.
-func isIPv4(addr net.IPAddr) bool {
-	return addr.IP.To4() != nil
-}
-
-// isNotIPv4 reports whether addr does not contain an IPv4 address.
-func isNotIPv4(addr net.IPAddr) bool { return !isIPv4(addr) }
-
-// forResolve returns the most appropriate address in address for
-// a call to ResolveTCPAddr, ResolveUDPAddr, or ResolveIPAddr.
-// IPv4 is preferred, unless addr contains an IPv6 literal.
-func (addrs addrList) forResolve(network, addr string) net.IPAddr {
-	var want6 bool
-	switch network {
-	case "ip":
-		// IPv6 literal (addr does NOT contain a port)
-		want6 = strings.ContainsRune(addr, ':')
-	case "tcp", "udp":
-		// IPv6 literal. (addr contains a port, so look for '[')
-		want6 = strings.ContainsRune(addr, '[')
-	}
-	if want6 {
-		return addrs.first(isNotIPv4)
-	}
-	return addrs.first(isIPv4)
-}
-
-// first returns the first address which satisfies strategy, or if
-// none do, then the first address of any kind.
-func (addrs addrList) first(strategy func(net.IPAddr) bool) net.IPAddr {
-	for _, addr := range addrs {
-		if strategy(addr) {
-			return addr
-		}
-	}
-	return addrs[0]
-}
-
 // RequestHeaderOps implements TransportHeaderOpsProvider. It returns header
 // operations for requests when the transport's configuration indicates they
 // should be applied. In particular, when TLS is enabled for this transport,
@@ -709,16 +623,6 @@ func (h HTTPTransport) Cleanup() error {
 		return nil
 	}
 	h.Transport.CloseIdleConnections()
-	// h3 related cleanup, errors are ignored as nothing can be done.
-	// TODO: log these errors if any
-	if h.h3Transport != nil {
-		h.h3Transport.CloseIdleConnections()
-		_ = h.h3Transport.Close()
-		if h.quicTransport != nil {
-			_ = h.quicTransport.Close()
-			_ = h.quicTransport.Conn.Close()
-		}
-	}
 	return nil
 }

@@ -4,14 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
-	"net/url"
 	"reflect"
 	"testing"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )

 func TestHTTPTransportUnmarshalCaddyFileWithCaPools(t *testing.T) {
@@ -197,85 +194,3 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {
 		})
 	}
 }
-
-// TestHTTPTransport_DialContext_DialInfoOverride is a regression test for
-// issue #6447: a `tcp4/`-prefixed upstream silently fell back to plain `tcp`
-// because dialContext only honored DialInfo for unix networks. PR #7300 widened
-// the condition so DialInfo is honored when no upstream HTTP proxy is in use,
-// and skipped (for non-unix networks) when one is. Both halves are pinned here.
-func TestHTTPTransport_DialContext_DialInfoOverride(t *testing.T) {
-	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
-	defer cancel()
-
-	ln, err := net.Listen("tcp4", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("listen: %v", err)
-	}
-	t.Cleanup(func() { ln.Close() })
-	go func() {
-		for {
-			c, err := ln.Accept()
-			if err != nil {
-				return
-			}
-			c.Close()
-		}
-	}()
-
-	ht := &HTTPTransport{}
-	rt, err := ht.NewTransport(ctx)
-	if err != nil {
-		t.Fatalf("NewTransport: %v", err)
-	}
-
-	proxyURL, err := url.Parse("http://proxy.example:8080")
-	if err != nil {
-		t.Fatalf("parse proxy URL: %v", err)
-	}
-
-	tests := []struct {
-		name        string
-		proxy       bool
-		dialInfo    string
-		defaultAddr string
-	}{
-		{
-			// no proxy: DialInfo should be applied, so the dial lands on
-			// the live listener despite the bogus default address.
-			name:        "honors DialInfo when no proxy",
-			proxy:       false,
-			dialInfo:    ln.Addr().String(),
-			defaultAddr: "127.0.0.1:1",
-		},
-		{
-			// proxy active: DialInfo must NOT be applied for non-unix
-			// networks; the default address (the live listener) is used.
-			name:        "skips DialInfo when proxy active",
-			proxy:       true,
-			dialInfo:    "127.0.0.1:1",
-			defaultAddr: ln.Addr().String(),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			dialCtx := context.WithValue(context.Background(), caddyhttp.VarsCtxKey, make(map[string]any))
-			caddyhttp.SetVar(dialCtx, dialInfoVarKey, DialInfo{
-				Network: "tcp4",
-				Address: tt.dialInfo,
-			})
-			if tt.proxy {
-				caddyhttp.SetVar(dialCtx, proxyVarKey, proxyURL)
-			}
-
-			conn, err := rt.DialContext(dialCtx, "tcp", tt.defaultAddr)
-			if err != nil {
-				t.Fatalf("DialContext: %v", err)
-			}
-			t.Cleanup(func() { conn.Close() })
-			if got := conn.RemoteAddr().String(); got != ln.Addr().String() {
-				t.Fatalf("conn.RemoteAddr() = %s, want %s", got, ln.Addr().String())
-			}
-		})
-	}
-}
@@ -730,58 +730,3 @@ func TestRetryMatchAllowsExpressionMixedWithOtherMatchers(t *testing.T) {
 		})
 	}
 }
-
-// TestSubrouteErrorFallbackWithBody is similar to TestDialErrorBodyRetry but
-// mimics Subroute's Error handler rather than testing retries specifically
-func TestSubrouteErrorFallbackWithBody(t *testing.T) {
-	// Good upstream: echoes the request body with 200 OK.
-	goodServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		body, err := io.ReadAll(r.Body)
-		if err != nil {
-			http.Error(w, "read body: "+err.Error(), http.StatusInternalServerError)
-			return
-		}
-		w.WriteHeader(http.StatusOK)
-		_, err = w.Write(body)
-		if err != nil {
-			t.Errorf("error writing in good server: %v", err)
-		}
-	}))
-	t.Cleanup(goodServer.Close)
-
-	// Handler which will dial error
-	badProxy := minimalHandler(0, &Upstream{Host: new(Host), Dial: deadUpstreamAddr(t)})
-
-	bodyReader := newCloseOnCloseReader("hello world")
-	req := httptest.NewRequest("POST", "http://localhost/", bodyReader)
-	// httptest.NewRequest wraps the reader in NopCloser; replace
-	// it with our close-aware reader so Close() is propagated.
-	req.Body = bodyReader
-
-	req = prepareTestRequest(req)
-	rec := httptest.NewRecorder()
-	err := badProxy.ServeHTTP(rec, req, caddyhttp.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		return nil
-	}))
-	if err == nil {
-		t.Fatalf("Expected error from badProxy.ServeHTTP")
-	}
-
-	// Simulate the Subroute's Error handler by calling another handler with the
-	// same request and recorder
-	goodProxy := minimalHandler(0, &Upstream{Host: new(Host), Dial: goodServer.Listener.Addr().String()})
-	err = goodProxy.ServeHTTP(rec, req, caddyhttp.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		return nil
-	}))
-
-	if err != nil {
-		t.Fatalf("Expected no error from goodProxy.ServeHTTP, got: %v", err)
-	}
-	if rec.Code != http.StatusOK {
-		t.Errorf("status: got %d, want %d", rec.Code, http.StatusOK)
-	}
-	expectedBody := "hello world"
-	if rec.Body.String() != expectedBody {
-		t.Errorf("body: got %q, want %q", rec.Body.String(), expectedBody)
-	}
-}
@@ -449,39 +449,6 @@ func (h *Handler) Cleanup() error {
 	return err
 }

-// bodyNopCloserIfNotRead wraps a request body to prevent closing if not read, i.e., when
-// dialing to upstream fails.
-// It will close the body as normal if the body is read.
-type bodyNopCloserIfNotRead struct {
-	io.ReadCloser
-	read int // tracks the number of bytes read, -1 when first Read returns 0, io.EOF
-}
-
-func (b *bodyNopCloserIfNotRead) Read(p []byte) (int, error) {
-	if b.read == -1 {
-		return 0, io.EOF
-	}
-	n, err := b.ReadCloser.Read(p)
-	// first Read returns 0, io.EOF
-	if b.read == 0 && n == 0 && err == io.EOF {
-		b.read = -1
-	} else {
-		b.read += n
-	}
-	return n, err
-}
-
-func (b *bodyNopCloserIfNotRead) Close() error {
-	// don't close the body
-	if b.read == 0 {
-		return nil
-	}
-	// close as usual, when -1, any read will return EOF as the original read will do
-	// in other cases, the read will fail as body is closed because we do not want partial bodies to be sent to the upstream
-	// users can buffer the entire request body to allow the request to be resent
-	return b.ReadCloser.Close()
-}
-
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)

@@ -521,19 +488,20 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
 	reqHost := clonedReq.Host
 	reqHeader := clonedReq.Header

-	// If the request contained a body, wrap it in io.NopCloser
-	// to prevent Go's transport from closing it on dial errors.
-	// cloneRequest does a shallow copy, so clonedReq.Body and
+	// When retries are configured and there is a body, wrap it in
+	// io.NopCloser to prevent Go's transport from closing it on dial
+	// errors. cloneRequest does a shallow copy, so clonedReq.Body and
 	// r.Body share the same io.ReadCloser — a dial-failure Close()
-	// would kill the original body for all subsequent retry
-	// attempts or subsequent handlers. The real body is closed by
-	// the HTTP server when the handler returns.
+	// would kill the original body for all subsequent retry attempts.
+	// The real body is closed by the HTTP server when the handler
+	// returns.
 	//
 	// If the body was already fully buffered (via request_buffers),
 	// we also extract the buffer so the retry loop can replay it
-	// from the beginning on each attempt. (see #6259, #7546, #7713)
+	// from the beginning on each attempt. (see #6259, #7546)
 	var bufferedReqBody *bytes.Buffer
-	if clonedReq.Body != nil {
+	if clonedReq.Body != nil && h.LoadBalancing != nil &&
+		(h.LoadBalancing.Retries > 0 || h.LoadBalancing.TryDuration > 0) {
 		if reqBodyBuf, ok := clonedReq.Body.(bodyReadCloser); ok && reqBodyBuf.body == nil && reqBodyBuf.buf != nil {
 			bufferedReqBody = reqBodyBuf.buf
 			reqBodyBuf.buf = nil
@@ -543,7 +511,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
 				bufPool.Put(bufferedReqBody)
 			}()
 		} else {
-			clonedReq.Body = &bodyNopCloserIfNotRead{ReadCloser: clonedReq.Body}
+			clonedReq.Body = io.NopCloser(clonedReq.Body)
 		}
 	}

@@ -664,12 +664,10 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
 			return upstream
 		}
 		cookie := &http.Cookie{
-			Name:     s.Name,
-			Value:    sha,
-			Path:     "/",
-			Secure:   false,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
+			Name:   s.Name,
+			Value:  sha,
+			Path:   "/",
+			Secure: false,
 		}
 		isProxyHttps := false
 		if trusted, ok := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool); ok && trusted {
@@ -568,7 +568,7 @@ func TestQueryHashPolicy(t *testing.T) {
 	pool[1].setHealthy(false)
 	h = queryPolicy.Select(pool, request, nil)
 	if h != nil {
-		t.Error("Expected query policy host to be nil.")
+		t.Error("Expected query policy policy host to be nil.")
 	}

 	request = httptest.NewRequest(http.MethodGet, "/?foo=aa11&foo=bb22", nil)
@@ -630,7 +630,7 @@ func TestURIHashPolicy(t *testing.T) {
 	pool[1].setHealthy(false)
 	h = uriPolicy.Select(pool, request, nil)
 	if h != nil {
-		t.Error("Expected uri policy host to be nil.")
+		t.Error("Expected uri policy policy host to be nil.")
 	}
 }

@@ -211,7 +211,12 @@ func (rewr Rewrite) Rewrite(r *http.Request, repl *caddy.Replacer) bool {
 		var newPath, newQuery, newFrag string

 		if path != "" {
-			path = escapePathPlaceholders(path, r, repl)
+			// replace the `path` placeholder to escaped path
+			pathPlaceholder := "{http.request.uri.path}"
+			if strings.Contains(path, pathPlaceholder) {
+				path = strings.ReplaceAll(path, pathPlaceholder, r.URL.EscapedPath())
+			}
+
 			newPath = repl.ReplaceAll(path, "")
 		}

@@ -295,31 +300,6 @@ func (rewr Rewrite) Rewrite(r *http.Request, repl *caddy.Replacer) bool {
 	return r.Method != oldMethod || r.RequestURI != oldURI
 }

-func escapePathPlaceholders(path string, r *http.Request, repl *caddy.Replacer) string {
-	// Replace path-valued placeholders in escaped form before the URI is parsed,
-	// otherwise literal '?' and '%' bytes from the path can be interpreted as URI
-	// delimiters or percent-escape sequences during the rewrite.
-	pathPlaceholder := "{http.request.uri.path}"
-	if strings.Contains(path, pathPlaceholder) {
-		path = strings.ReplaceAll(path, pathPlaceholder, r.URL.EscapedPath())
-	}
-
-	fileMatchRelativePlaceholder := "{http.matchers.file.relative}"
-	if strings.Contains(path, fileMatchRelativePlaceholder) {
-		if val, ok := repl.Get("http.matchers.file.relative"); ok {
-			if relativePath, ok := val.(string); ok {
-				path = strings.ReplaceAll(path, fileMatchRelativePlaceholder, escapePathPreservingSlashes(relativePath))
-			}
-		}
-	}
-
-	return path
-}
-
-func escapePathPreservingSlashes(path string) string {
-	return strings.ReplaceAll(url.PathEscape(path), "%2F", "/")
-}
-
 // buildQueryString takes an input query string and
 // performs replacements on each component, returning
 // the resulting query string. This function appends
@@ -18,7 +18,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"slices"
 	"strings"

 	"github.com/caddyserver/caddy/v2"
@@ -242,8 +241,8 @@ func (routes RouteList) Compile(next Handler) Handler {
 		mid = append(mid, wrapRoute(route))
 	}
 	stack := next
-	for _, middleware := range slices.Backward(mid) {
-		stack = middleware(stack)
+	for i := len(mid) - 1; i >= 0; i-- {
+		stack = mid[i](stack)
 	}
 	return stack
 }
@@ -306,8 +305,8 @@ func wrapRoute(route Route) Middleware {
 			}

 			// compile this route's handler stack
-			for _, middleware := range slices.Backward(route.middleware) {
-				nextCopy = middleware(nextCopy)
+			for i := len(route.middleware) - 1; i >= 0; i-- {
+				nextCopy = route.middleware[i](nextCopy)
 			}

 			// Apply metrics instrumentation once for the entire route,
@@ -300,8 +300,6 @@ type Server struct {
 	onStopFuncs      []func(context.Context) error // TODO: Experimental (Nov. 2023)
 }

-var defaultProtocols = []string{"h1", "h2", "h3"}
-
 var (
 	ServerHeader = "Caddy"
 	serverHeader = []string{ServerHeader}
@@ -901,56 +899,20 @@ func (s *Server) logRequest(
 // protocol returns true if the protocol proto is configured/enabled.
 func (s *Server) protocol(proto string) bool {
 	if s.ListenProtocols == nil {
-		return slices.Contains(s.protocolsWithDefaults(), proto)
-	}
-
-	for _, lnProtocols := range s.ListenProtocols {
-		if slices.Contains(s.listenerProtocolsWithDefaults(lnProtocols), proto) {
+		if slices.Contains(s.Protocols, proto) {
 			return true
 		}
-	}
-
-	return false
-}
-
-func (s *Server) protocolsWithDefaults() []string {
-	if len(s.Protocols) == 0 {
-		return defaultProtocols
-	}
-	return s.Protocols
-}
-
-func (s *Server) listenerProtocolsWithDefaults(lnProtocols []string) []string {
-	serverProtocols := s.protocolsWithDefaults()
-	if len(lnProtocols) == 0 {
-		return serverProtocols
-	}
-
-	lnProtocolsDefault := false
-	lnProtocolsInclude := make([]string, 0, len(lnProtocols)+len(serverProtocols))
-	srvProtocolsInclude := make(map[string]struct{}, len(serverProtocols))
-	for _, srvProtocol := range serverProtocols {
-		srvProtocolsInclude[srvProtocol] = struct{}{}
-	}
-
-	for _, lnProtocol := range lnProtocols {
-		if lnProtocol == "" {
-			lnProtocolsDefault = true
-			continue
-		}
-		lnProtocolsInclude = append(lnProtocolsInclude, lnProtocol)
-		delete(srvProtocolsInclude, lnProtocol)
-	}
-
-	if lnProtocolsDefault {
-		for _, srvProtocol := range serverProtocols {
-			if _, ok := srvProtocolsInclude[srvProtocol]; ok {
-				lnProtocolsInclude = append(lnProtocolsInclude, srvProtocol)
+	} else {
+		for _, lnProtocols := range s.ListenProtocols {
+			for _, lnProtocol := range lnProtocols {
+				if lnProtocol == "" && slices.Contains(s.Protocols, proto) || lnProtocol == proto {
+					return true
+				}
 			}
 		}
 	}

-	return lnProtocolsInclude
+	return false
 }

 // Listeners returns the server's listeners. These are active listeners,
@@ -1123,11 +1085,11 @@ func strictUntrustedClientIp(r *http.Request, headers []string, trusted []netip.
 	for _, headerName := range headers {
 		parts := strings.Split(strings.Join(r.Header.Values(headerName), ","), ",")

-		for _, part := range slices.Backward(parts) {
+		for i := len(parts) - 1; i >= 0; i-- {
 			// Some proxies may retain the port number, so split if possible
-			host, _, err := net.SplitHostPort(part)
+			host, _, err := net.SplitHostPort(parts[i])
 			if err != nil {
-				host = part
+				host = parts[i]
 			}

 			// Remove any zone identifier from the IP address
@@ -36,22 +36,13 @@ func init() {
 // Templates is a middleware which executes response bodies as Go templates.
 // The syntax is documented in the Go standard library's
 // [text/template package](https://golang.org/pkg/text/template/).
-// Note that ANY response body that matches and qualifies may be evaluated,
-// even if it comes from a proxied backend.
 //
-// ⚠️ Template functions/actions can access the environment, files on disk,
-// and make HTTP requests. This is extremely useful, but you need to make
-// sure templates are only evaluated on content that you trust, control, or
-// at least sanitize properly.
+// ⚠️ Template functions/actions are still experimental, so they are subject to change.
 //
-// ⚠️ Templates are still experimental, so they are subject to change.
+// Custom template functions can be registered by creating a plugin module under the `http.handlers.templates.functions.*` namespace that implements the `CustomFunctions` interface.
 //
 // [All Sprig functions](https://masterminds.github.io/sprig/) are supported.
 //
-// Custom template functions can be registered by creating a plugin module
-// under the `http.handlers.templates.functions.*` namespace that implements
-// the `CustomFunctions` interface.
-//
 // In addition to the standard functions and the Sprig library, Caddy adds
 // extra functions and data that are available to a template:
 //
@@ -171,25 +162,6 @@ func init() {
 // {{listFiles "/mydir"}}
 // ```
 //
-// ##### `fileExists`
-//
-// Returns true if the given file name, relative to the template context's file root,
-// can be opened successfully.
-//
-// ```
-// {{fileExists "path/to/file.html"}}
-// ```
-//
-// ##### `fileStat`
-//
-// Returns [FileInfo](https://pkg.go.dev/io/fs#FileInfo) using [Stat](https://pkg.go.dev/io/fs#Stat)
-// on the given file name, relative to the template context's file root.
-//
-// ```
-// {{$css := fileStat "css/style.css" -}}
-// <link rel="stylesheet" href="/css/style.css?v={{ $css.ModTime.Unix }}">
-// ```
-//
 // ##### `markdown`
 //
 // Renders the given Markdown text as HTML and returns it. This uses the
@@ -140,42 +140,6 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
 		iss.Email = email
 	}

-	// expand CA endpoint, if non-empty
-	if iss.CA != "" {
-		ca, err := repl.ReplaceOrErr(iss.CA, true, true)
-		if err != nil {
-			return fmt.Errorf("expanding CA endpoint '%s': %v", iss.CA, err)
-		}
-		iss.CA = ca
-	}
-
-	// expand TestCA endpoint, if non-empty
-	if iss.TestCA != "" {
-		testca, err := repl.ReplaceOrErr(iss.TestCA, true, true)
-		if err != nil {
-			return fmt.Errorf("expanding TestCA endpoint '%s': %v", iss.TestCA, err)
-		}
-		iss.TestCA = testca
-	}
-
-	// expand EAB credentials, if non-empty
-	if iss.ExternalAccount != nil {
-		if iss.ExternalAccount.KeyID != "" {
-			keyID, err := repl.ReplaceOrErr(iss.ExternalAccount.KeyID, true, true)
-			if err != nil {
-				return fmt.Errorf("expanding EAB key ID '%s': %v", iss.ExternalAccount.KeyID, err)
-			}
-			iss.ExternalAccount.KeyID = keyID
-		}
-		if iss.ExternalAccount.MACKey != "" {
-			macKey, err := repl.ReplaceOrErr(iss.ExternalAccount.MACKey, true, true)
-			if err != nil {
-				return fmt.Errorf("expanding EAB MAC key (redacted): %v", err)
-			}
-			iss.ExternalAccount.MACKey = macKey
-		}
-	}
-
 	// expand account key, if non-empty
 	if iss.AccountKey != "" {
 		accountKey, err := repl.ReplaceOrErr(iss.AccountKey, true, true)
@@ -1,43 +0,0 @@
-package caddytls
-
-import (
-	"github.com/caddyserver/caddy/v2"
-	"github.com/mholt/acmez/v3/acme"
-	"testing"
-)
-
-func TestACMEIssuerExpandPlaceholders(t *testing.T) {
-	t.Setenv("CADDY_TEST_CA_URL", "https://acme.example.com/directory")
-	t.Setenv("CADDY_TEST_TEST_CA_URL", "https://acme2.example.com/directory")
-	t.Setenv("CADDY_TEST_EAB_KEY_ID", "example-key-id")
-	t.Setenv("CADDY_TEST_EAB_MAC_KEY", "example-mac-key")
-
-	caddyCtx, cancel := caddy.NewContext(caddy.Context{Context: t.Context()})
-	defer cancel()
-
-	iss := &ACMEIssuer{
-		CA:     "{env.CADDY_TEST_CA_URL}",
-		TestCA: "{env.CADDY_TEST_TEST_CA_URL}",
-		ExternalAccount: &acme.EAB{
-			KeyID:  "{env.CADDY_TEST_EAB_KEY_ID}",
-			MACKey: "{env.CADDY_TEST_EAB_MAC_KEY}",
-		},
-	}
-
-	if err := iss.Provision(caddyCtx); err != nil {
-		t.Fatalf("Provision() returned unexpected error: %v", err)
-	}
-
-	if want := "https://acme.example.com/directory"; iss.CA != want {
-		t.Errorf("CA: got %q, want %q", iss.CA, want)
-	}
-	if want := "https://acme2.example.com/directory"; iss.TestCA != want {
-		t.Errorf("TestCA: got %q, want %q", iss.TestCA, want)
-	}
-	if want := "example-key-id"; iss.ExternalAccount.KeyID != want {
-		t.Errorf("ExternalAccount.KeyID: got %q, want %q", iss.ExternalAccount.KeyID, want)
-	}
-	if want := "example-mac-key"; iss.ExternalAccount.MACKey != want {
-		t.Errorf("ExternalAccount.MACKey: got %q, want %q", iss.ExternalAccount.MACKey, want)
-	}
-}
@@ -158,7 +158,7 @@ type AutomationPolicy struct {
 	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`

 	// Overrides the URLs of OCSP responders embedded in certificates.
-	// Each key is an OCSP server URL to override, and its value is the
+	// Each key is a OCSP server URL to override, and its value is the
 	// replacement. An empty value will disable querying of that server.
 	// EXPERIMENTAL. Subject to change.
 	OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
@@ -107,8 +107,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 				if sni, ok := m.(MatchServerName); ok {
 					for _, sniName := range sni {
 						// index for fast lookups during handshakes
-						indexName := asciiServerNameForMatch(sniName)
-						indexedBySNI[indexName] = append(indexedBySNI[indexName], p)
+						indexedBySNI[sniName] = append(indexedBySNI[sniName], p)
 					}
 				}
 			}
@@ -119,7 +118,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 		// filter policies by SNI first, if possible, to speed things up
 		// when there may be lots of policies
 		possiblePolicies := cp
-		if indexedPolicies, ok := indexedBySNI[asciiServerNameForMatch(hello.ServerName)]; ok {
+		if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok {
 			possiblePolicies = indexedPolicies
 		}

@@ -154,9 +153,9 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 			// in its config (remember, TLS connection policies are used by *other* apps to
 			// run TLS servers) -- we skip names with placeholders
 			if tlsApp.EncryptedClientHello.Publication == nil {
+				var echNames []string
 				repl := caddy.NewReplacer()
 				for _, p := range cp {
-					var echNames []string
 					for _, m := range p.matchers {
 						if sni, ok := m.(MatchServerName); ok {
 							for _, name := range sni {
@@ -165,8 +164,8 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 							}
 						}
 					}
-					tlsApp.RegisterServerNames(echNames, p.ALPN)
 				}
+				tlsApp.RegisterServerNames(echNames)
 			}

 			tlsCfg.GetEncryptedClientHelloKeys = func(chi *tls.ClientHelloInfo) ([]tls.EncryptedClientHelloKey, error) {
@@ -897,19 +896,18 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 // Unlike VerifyPeerCertificate, VerifyConnection is called on every
 // connection including resumed sessions, preventing session-resumption bypass.
 func (clientauth *ClientAuthentication) verifyConnection(cs tls.ConnectionState) error {
-	rawCerts := make([][]byte, len(cs.PeerCertificates))
-	for i, cert := range cs.PeerCertificates {
-		rawCerts[i] = cert.Raw
-	}
-
 	// first use any pre-existing custom verification function
 	if clientauth.existingVerifyPeerCert != nil {
+		rawCerts := make([][]byte, len(cs.PeerCertificates))
+		for i, cert := range cs.PeerCertificates {
+			rawCerts[i] = cert.Raw
+		}
 		if err := clientauth.existingVerifyPeerCert(rawCerts, cs.VerifiedChains); err != nil {
 			return err
 		}
 	}
 	for _, verifier := range clientauth.verifiers {
-		if err := verifier.VerifyClientCertificate(rawCerts, cs.VerifiedChains); err != nil {
+		if err := verifier.VerifyClientCertificate(nil, cs.VerifiedChains); err != nil {
 			return err
 		}
 	}
@@ -15,8 +15,6 @@
 package caddytls

 import (
-	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -26,40 +24,6 @@ import (
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )

-func TestConnectionPolicyIDNSNIMatcherFastPath(t *testing.T) {
-	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
-	defer cancel()
-
-	targetTLSConfig := &tls.Config{ClientAuth: tls.RequireAnyClientCert}
-	policies := ConnectionPolicies{
-		{
-			matchers:  []ConnectionMatcher{MatchServerName{"つ.Localhost"}},
-			TLSConfig: targetTLSConfig,
-		},
-	}
-
-	const sniFastPathThreshold = 30
-	for i := len(policies); i < sniFastPathThreshold; i++ {
-		policies = append(policies, &ConnectionPolicy{
-			matchers:  []ConnectionMatcher{MatchServerName{fmt.Sprintf("example-%d.localhost", i)}},
-			TLSConfig: &tls.Config{},
-		})
-	}
-	policies = append(policies, &ConnectionPolicy{
-		matchers:  []ConnectionMatcher{MatchServerName{"xn--k9j.localhost"}},
-		TLSConfig: &tls.Config{ClientAuth: tls.NoClientCert},
-	})
-
-	tlsConfig := policies.TLSConfig(ctx)
-	got, err := tlsConfig.GetConfigForClient(&tls.ClientHelloInfo{ServerName: "XN--K9J.LOCALHOST"})
-	if err != nil {
-		t.Fatalf("GetConfigForClient() error = %v", err)
-	}
-	if got != targetTLSConfig {
-		t.Fatalf("expected Unicode IDN policy to match before later punycode policy")
-	}
-}
-
 func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
 	const test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
 	const test_cert_file_1 = "../../caddytest/caddy.ca.cer"
@@ -1,59 +0,0 @@
-package caddytls
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"reflect"
-	"testing"
-)
-
-type testClientCertificateVerifier struct {
-	rawCerts       [][]byte
-	verifiedChains [][]*x509.Certificate
-	err            error
-}
-
-func (v *testClientCertificateVerifier) VerifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	v.rawCerts = rawCerts
-	v.verifiedChains = verifiedChains
-	return v.err
-}
-
-func TestClientAuthenticationVerifyConnectionPassesRawCertsToVerifiers(t *testing.T) {
-	verifier := &testClientCertificateVerifier{}
-	clientauth := &ClientAuthentication{
-		verifiers: []ClientCertificateVerifier{verifier},
-	}
-
-	peerCert := &x509.Certificate{Raw: []byte("peer-cert-raw")}
-	verifiedChains := [][]*x509.Certificate{{peerCert}}
-	connState := tls.ConnectionState{
-		PeerCertificates: []*x509.Certificate{peerCert},
-		VerifiedChains:   verifiedChains,
-	}
-
-	if err := clientauth.verifyConnection(connState); err != nil {
-		t.Fatalf("verifyConnection failed: %v", err)
-	}
-
-	if !reflect.DeepEqual(verifier.rawCerts, [][]byte{[]byte("peer-cert-raw")}) {
-		t.Fatalf("unexpected raw certs: got %#v", verifier.rawCerts)
-	}
-	if !reflect.DeepEqual(verifier.verifiedChains, verifiedChains) {
-		t.Fatalf("unexpected verified chains: got %#v", verifier.verifiedChains)
-	}
-}
-
-func TestClientAuthenticationVerifyConnectionReturnsVerifierError(t *testing.T) {
-	wantErr := errors.New("verify failed")
-	verifier := &testClientCertificateVerifier{err: wantErr}
-	clientauth := &ClientAuthentication{
-		verifiers: []ClientCertificateVerifier{verifier},
-	}
-
-	err := clientauth.verifyConnection(tls.ConnectionState{})
-	if !errors.Is(err, wantErr) {
-		t.Fatalf("expected error %v, got %v", wantErr, err)
-	}
-}
@@ -440,10 +440,6 @@ func (t *TLS) publishECHConfigs(logger *zap.Logger) error {
 				zap.Strings("domains", dnsNamesToPublish),
 				zap.Uint8s("config_ids", configIDs))

-			if dnsPublisher, ok := publisher.(*ECHDNSPublisher); ok {
-				dnsPublisher.alpnByDomain = t.alpnValuesForServerNames(dnsNamesToPublish)
-			}
-
 			// publish this ECH config list with this publisher
 			pubTime := time.Now()
 			err := publisher.PublishECHConfigList(t.ctx, dnsNamesToPublish, echCfgListBin)
@@ -780,8 +776,7 @@ type ECHDNSPublisher struct {
 	ProviderRaw json.RawMessage `json:"provider,omitempty" caddy:"namespace=dns.providers inline_key=name"`
 	provider    ECHDNSProvider

-	alpnByDomain map[string][]string
-	logger       *zap.Logger
+	logger *zap.Logger
 }

 // CaddyModule returns the Caddy module information.
@@ -877,7 +872,12 @@ nextName:
 			continue
 		}
 		params := httpsRec.Params
-		params = dnsPub.publishedSvcParams(domain, params, configListBin)
+		if params == nil {
+			params = make(libdns.SvcParams)
+		}
+
+		// overwrite only the "ech" SvcParamKey
+		params["ech"] = []string{base64.StdEncoding.EncodeToString(configListBin)}

 		// publish record
 		_, err = dnsPub.provider.SetRecords(ctx, zone, []libdns.Record{
@@ -903,25 +903,6 @@ nextName:
 	return nil
 }

-func (dnsPub *ECHDNSPublisher) publishedSvcParams(domain string, existing libdns.SvcParams, configListBin []byte) libdns.SvcParams {
-	params := make(libdns.SvcParams, len(existing)+2)
-	for key, values := range existing {
-		params[key] = append([]string(nil), values...)
-	}
-
-	params["ech"] = []string{base64.StdEncoding.EncodeToString(configListBin)}
-
-	if len(dnsPub.alpnByDomain) == 0 {
-		return params
-	}
-
-	if alpn := dnsPub.alpnByDomain[strings.ToLower(domain)]; len(alpn) > 0 {
-		params["alpn"] = append([]string(nil), alpn...)
-	}
-
-	return params
-}
-
 // echConfig represents an ECHConfig from the specification,
 // [draft-ietf-tls-esni-22](https://www.ietf.org/archive/id/draft-ietf-tls-esni-22.html).
 type echConfig struct {
@@ -1,65 +0,0 @@
-package caddytls
-
-import (
-	"encoding/base64"
-	"reflect"
-	"sync"
-	"testing"
-
-	"github.com/libdns/libdns"
-)
-
-func TestRegisterServerNamesWithALPN(t *testing.T) {
-	tlsApp := &TLS{
-		serverNames:   make(map[string]serverNameRegistration),
-		serverNamesMu: new(sync.Mutex),
-	}
-
-	tlsApp.RegisterServerNames([]string{
-		"Example.com:443",
-		"example.com",
-		"127.0.0.1:443",
-	}, []string{"h2", "http/1.1"})
-	tlsApp.RegisterServerNames([]string{"EXAMPLE.COM"}, []string{"h3"})
-
-	got := tlsApp.alpnValuesForServerNames([]string{"example.com:443", "127.0.0.1:443"})
-	want := map[string][]string{
-		"example.com": {"h3", "h2", "http/1.1"},
-	}
-
-	if !reflect.DeepEqual(got, want) {
-		t.Fatalf("unexpected ALPN values: got %#v want %#v", got, want)
-	}
-}
-
-func TestECHDNSPublisherPublishedSvcParams(t *testing.T) {
-	dnsPub := &ECHDNSPublisher{
-		alpnByDomain: map[string][]string{
-			"example.com": {"h3", "h2", "http/1.1"},
-		},
-	}
-
-	existing := libdns.SvcParams{
-		"alpn":     {"h2"},
-		"ipv4hint": {"203.0.113.10"},
-	}
-
-	got := dnsPub.publishedSvcParams("Example.com", existing, []byte{0x01, 0x02, 0x03})
-
-	if !reflect.DeepEqual(existing["alpn"], []string{"h2"}) {
-		t.Fatalf("existing params mutated: got %v", existing["alpn"])
-	}
-
-	if !reflect.DeepEqual(got["alpn"], []string{"h3", "h2", "http/1.1"}) {
-		t.Fatalf("unexpected ALPN params: got %v", got["alpn"])
-	}
-
-	if !reflect.DeepEqual(got["ipv4hint"], []string{"203.0.113.10"}) {
-		t.Fatalf("unexpected preserved params: got %v", got["ipv4hint"])
-	}
-
-	wantECH := base64.StdEncoding.EncodeToString([]byte{0x01, 0x02, 0x03})
-	if !reflect.DeepEqual(got["ech"], []string{wantECH}) {
-		t.Fatalf("unexpected ECH params: got %v want %v", got["ech"], wantECH)
-	}
-}
@@ -28,7 +28,6 @@ import (
 	"github.com/caddyserver/certmagic"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
-	"golang.org/x/net/idna"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -70,45 +69,15 @@ func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
 		repl = caddy.NewReplacer()
 	}

-	serverName := asciiServerNameForMatch(hello.ServerName)
 	for _, name := range m {
-		rs := asciiServerNameForMatch(repl.ReplaceAll(name, ""))
-		if certmagic.MatchWildcard(serverName, rs) {
+		rs := repl.ReplaceAll(name, "")
+		if certmagic.MatchWildcard(hello.ServerName, rs) {
 			return true
 		}
 	}
 	return false
 }

-func asciiServerNameForMatch(name string) string {
-	if name == "" {
-		return name
-	}
-
-	// SNI is ASCII on the wire, but config can use Unicode IDNs.
-	ascii, err := idna.ToASCII(name)
-	if err == nil {
-		return strings.ToLower(ascii)
-	}
-
-	if !strings.Contains(name, "*") {
-		return strings.ToLower(name)
-	}
-
-	labels := strings.Split(name, ".")
-	for i, label := range labels {
-		if label == "" || label == "*" {
-			continue
-		}
-		ascii, err := idna.ToASCII(label)
-		if err != nil {
-			return strings.ToLower(name)
-		}
-		labels[i] = strings.ToLower(ascii)
-	}
-	return strings.Join(labels, ".")
-}
-
 // UnmarshalCaddyfile sets up the MatchServerName from Caddyfile tokens. Syntax:
 //
 //	sni <domains...>
@@ -79,26 +79,6 @@ func TestServerNameMatcher(t *testing.T) {
 			input:  "sub2.sub.example.com",
 			expect: true,
 		},
-		{
-			names:  []string{"つ.localhost"},
-			input:  "xn--k9j.localhost",
-			expect: true,
-		},
-		{
-			names:  []string{"つ.Localhost"},
-			input:  "XN--K9J.LOCALHOST",
-			expect: true,
-		},
-		{
-			names:  []string{"*.つ.localhost"},
-			input:  "sub.xn--k9j.localhost",
-			expect: true,
-		},
-		{
-			names:  []string{"*.つ.Localhost"},
-			input:  "Sub.XN--K9J.LOCALHOST",
-			expect: true,
-		},
 	} {
 		chi := &tls.ClientHelloInfo{ServerName: tc.input}
 		actual := MatchServerName(tc.names).Match(chi)
@@ -137,10 +137,11 @@ func (s *SessionTicketService) stayUpdated() {
 		case newKeys := <-keysChan:
 			s.mu.Lock()
 			s.currentKeys = newKeys
-			for cfg := range s.configs {
+			configs := s.configs
+			s.mu.Unlock()
+			for cfg := range configs {
 				cfg.SetSessionTicketKeys(newKeys)
 			}
-			s.mu.Unlock()
 		case <-s.stopChan:
 			return
 		}
@@ -23,7 +23,6 @@ import (
 	"net"
 	"net/http"
 	"runtime/debug"
-	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -141,7 +140,7 @@ type TLS struct {
 	logger             *zap.Logger
 	events             *caddyevents.App

-	serverNames   map[string]serverNameRegistration
+	serverNames   map[string]struct{}
 	serverNamesMu *sync.Mutex

 	// set of subjects with managed certificates,
@@ -169,7 +168,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	t.logger = ctx.Logger()
 	repl := caddy.NewReplacer()
 	t.managing, t.loaded = make(map[string]string), make(map[string]string)
-	t.serverNames = make(map[string]serverNameRegistration)
+	t.serverNames = make(map[string]struct{})
 	t.serverNamesMu = new(sync.Mutex)

 	// set up default DNS module, if any, and make sure it implements all the
@@ -440,7 +439,7 @@ func (t *TLS) Start() error {
 					t.EncryptedClientHello.configsMu.Unlock()
 					if err != nil {
 						echLogger.Error("rotating ECH configs failed", zap.Error(err))
-						continue
+						return
 					}
 					err := t.publishECHConfigs(echLogger)
 					if err != nil {
@@ -614,8 +613,8 @@ func (t *TLS) Manage(subjects map[string]struct{}) error {

 // managingWildcardFor returns true if the app is managing a certificate that covers that
 // subject name (including consideration of wildcards), either from its internal list of
-// names that it IS managing certs for, from the otherSubjsToManage which includes names
-// that WILL be managed, or from names configured in the 'automate' loader.
+// names that it IS managing certs for, or from the otherSubjsToManage which includes names
+// that WILL be managed.
 func (t *TLS) managingWildcardFor(subj string, otherSubjsToManage map[string]struct{}) bool {
 	// TODO: we could also consider manually-loaded certs using t.HasCertificateForSubject(),
 	// but that does not account for how manually-loaded certs may be restricted as to which
@@ -630,9 +629,7 @@ func (t *TLS) managingWildcardFor(subj string, otherSubjsToManage map[string]str
 		return managing
 	}

-	// replace labels of the domain with wildcards until we get a match from names
-	// already being managed, those about to be managed in this batch, or those
-	// configured for automation
+	// replace labels of the domain with wildcards until we get a match
 	labels := strings.Split(subj, ".")
 	for i := range labels {
 		if labels[i] == "*" {
@@ -646,117 +643,32 @@ func (t *TLS) managingWildcardFor(subj string, otherSubjsToManage map[string]str
 		if _, ok := otherSubjsToManage[candidate]; ok {
 			return true
 		}
-		if _, ok := t.automateNames[candidate]; ok {
-			return true
-		}
 	}

 	return false
 }

-// RegisterServerNames registers the provided DNS names with the TLS app and
-// associates them with the given HTTPS RR ALPN values, if any. This is
-// currently used to auto-publish Encrypted ClientHello (ECH) configurations,
-// if enabled. Use of this function by apps using the TLS app removes the need
-// for the user to redundantly specify domain names in their configuration.
-// This function separates hostname and port, keeping only the hostname, and
-// filters IP addresses which can't be used with ECH.
+// RegisterServerNames registers the provided DNS names with the TLS app.
+// This is currently used to auto-publish Encrypted ClientHello (ECH)
+// configurations, if enabled. Use of this function by apps using the TLS
+// app removes the need for the user to redundantly specify domain names
+// in their configuration. This function separates hostname and port
+// (keeping only the hotsname) and filters IP addresses, which can't be
+// used with ECH.
 //
 // EXPERIMENTAL: This function and its semantics/behavior are subject to change.
-func (t *TLS) RegisterServerNames(dnsNames, alpnValues []string) {
+func (t *TLS) RegisterServerNames(dnsNames []string) {
 	t.serverNamesMu.Lock()
-	defer t.serverNamesMu.Unlock()
-
 	for _, name := range dnsNames {
 		host, _, err := net.SplitHostPort(name)
 		if err != nil {
 			host = name
 		}
-		host = strings.ToLower(strings.TrimSpace(host))
-		if host == "" || certmagic.SubjectIsIP(host) {
-			continue
-		}
-
-		registration := t.serverNames[host]
-
-		if len(alpnValues) == 0 {
-			t.serverNames[host] = registration
-			continue
-		}
-
-		if registration.alpnValues == nil {
-			registration.alpnValues = make(map[string]struct{}, len(alpnValues))
-		}
-		for _, alpn := range alpnValues {
-			if alpn == "" {
-				continue
-			}
-			registration.alpnValues[alpn] = struct{}{}
-		}
-		t.serverNames[host] = registration
-	}
-}
-
-func (t *TLS) alpnValuesForServerNames(dnsNames []string) map[string][]string {
-	t.serverNamesMu.Lock()
-	defer t.serverNamesMu.Unlock()
-
-	result := make(map[string][]string, len(dnsNames))
-	for _, name := range dnsNames {
-		host, _, err := net.SplitHostPort(name)
-		if err != nil {
-			host = name
-		}
-		host = strings.ToLower(strings.TrimSpace(host))
-		if host == "" {
-			continue
-		}
-
-		registration, ok := t.serverNames[host]
-		if !ok || len(registration.alpnValues) == 0 {
-			continue
-		}
-		result[host] = OrderedHTTPSRRALPN(registration.alpnValues)
-	}
-
-	return result
-}
-
-// OrderedHTTPSRRALPN returns the HTTPS RR ALPN values in preferred order.
-func OrderedHTTPSRRALPN(alpnSet map[string]struct{}) []string {
-	if len(alpnSet) == 0 {
-		return nil
-	}
-
-	knownOrder := append([]string{"h3"}, defaultALPN...)
-	ordered := make([]string, 0, len(alpnSet))
-	seen := make(map[string]struct{}, len(alpnSet))
-
-	for _, alpn := range knownOrder {
-		if _, ok := alpnSet[alpn]; ok {
-			ordered = append(ordered, alpn)
-			seen[alpn] = struct{}{}
+		if strings.TrimSpace(host) != "" && !certmagic.SubjectIsIP(host) {
+			t.serverNames[strings.ToLower(host)] = struct{}{}
 		}
 	}
-
-	if len(ordered) == len(alpnSet) {
-		return ordered
-	}
-
-	var remaining []string
-	for alpn := range alpnSet {
-		if _, ok := seen[alpn]; ok {
-			continue
-		}
-		remaining = append(remaining, alpn)
-	}
-	slices.Sort(remaining)
-
-	return append(ordered, remaining...)
-}
-
-type serverNameRegistration struct {
-	alpnValues map[string]struct{}
+	t.serverNamesMu.Unlock()
 }

 // HandleHTTPChallenge ensures that the ACME HTTP challenge or ZeroSSL HTTP
@@ -879,8 +791,6 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 // AllMatchingCertificates returns the list of all certificates in
 // the cache which could be used to satisfy the given SAN.
 func AllMatchingCertificates(san string) []certmagic.Certificate {
-	certCacheMu.RLock()
-	defer certCacheMu.RUnlock()
 	return certCache.AllMatchingCertificates(san)
 }

@@ -1,96 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddytls
-
-import (
-	"encoding/json"
-	"testing"
-
-	"github.com/caddyserver/caddy/v2"
-)
-
-func TestAvoidDuplicateAutomation(t *testing.T) {
-	tests := []struct {
-		name             string
-		automateNames    []string
-		expectedToManage bool
-	}{
-		{
-			name:             "do not manage if wildcard is automated",
-			automateNames:    []string{"*.example.com"},
-			expectedToManage: false,
-		},
-		{
-			name:             "manage if no automation configured",
-			automateNames:    []string{},
-			expectedToManage: true,
-		},
-		{
-			name:             "manage if explicitly requested even when wildcard automated",
-			automateNames:    []string{"*.example.com", "sub.example.com"},
-			expectedToManage: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			automateJSON, err := json.Marshal(tc.automateNames)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			tlsApp := &TLS{
-				Automation: &AutomationConfig{
-					Policies: []*AutomationPolicy{
-						{
-							IssuersRaw: []json.RawMessage{
-								[]byte(`{"module": "internal"}`),
-							},
-						},
-					},
-				},
-				CertificatesRaw: map[string]json.RawMessage{
-					"automate": automateJSON,
-				},
-			}
-
-			var cfg caddy.Config
-			ctx, err := caddy.ProvisionContext(&cfg)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := tlsApp.Provision(ctx); err != nil {
-				t.Fatal(err)
-			}
-
-			// simulate a case wherein the HTTP app starts first and
-			// tells the TLS app about the following auto-HTTPS domains
-			httpDomains := map[string]struct{}{"sub.example.com": {}}
-			if err := tlsApp.Manage(httpDomains); err != nil {
-				t.Fatal(err)
-			}
-
-			_, actuallyManaged := tlsApp.managing["sub.example.com"]
-			if actuallyManaged != tc.expectedToManage {
-				t.Errorf(
-					"expected sub.example.com individually managed: %v, got: %v",
-					tc.expectedToManage,
-					actuallyManaged,
-				)
-			}
-		})
-	}
-}
@@ -149,10 +149,10 @@ func (f *ReplaceFilter) Filter(in zapcore.Field) zapcore.Field {
 // list of IP addresses, where all of the values
 // will be masked.
 type IPMaskFilter struct {
-	// The IPv4 mask, as a subnet size CIDR.
+	// The IPv4 mask, as an subnet size CIDR.
 	IPv4MaskRaw int `json:"ipv4_cidr,omitempty"`

-	// The IPv6 mask, as a subnet size CIDR.
+	// The IPv6 mask, as an subnet size CIDR.
 	IPv6MaskRaw int `json:"ipv6_cidr,omitempty"`

 	v4Mask net.IPMask