Prepare v1.0.5 release

errors: Fix test
Don't use default log settings on custom logs (#2973 ) (#2976 )
2026-05-25 16:22:36 -04:00 · 2020-01-15 09:57:41 -07:00 · 2020-01-15 09:57:23 -07:00 · 2020-01-15 09:40:32 -07:00 · 2020-01-12 14:01:25 -07:00 · 2020-01-12 14:00:18 -07:00
1117 changed files with 15073 additions and 412201 deletions
@@ -9,6 +9,13 @@

 # go fmt will enforce this, but in case a user has not called "go fmt" allow GIT to catch this:
 *.go      text eol=lf core.whitespace whitespace=indent-with-non-tab,trailing-space,tabwidth=4
+go.mod    text eol=lf
+go.sum    text eol=lf

+*.txt     text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
+*.tpl     text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
+*.htm     text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
+*.html    text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
+*.md      text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
 *.yml     text eol=lf core.whitespace whitespace=tab-in-indent,trailing-space,tabwidth=2
 .git*     text eol=auto core.whitespace whitespace=trailing-space
@@ -23,15 +23,15 @@ Other menu items:

 ### Contributing code

-You can have a direct impact on the project by helping with its code. To contribute code to Caddy, open a [pull request](https://github.com/mholt/caddy/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** You can get familiar with Caddy's code base by using [code search at Sourcegraph](https://sourcegraph.com/github.com/mholt/caddy/-/search).
+You can have a huge impact on the project by helping with its code. To contribute code to Caddy, open a [pull request](https://github.com/caddyserver/caddy/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** You can get familiar with Caddy's code base by using [code search at Sourcegraph](https://sourcegraph.com/github.com/caddyserver/caddy/-/search).

-We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions&mdash;even if it seems small or insignificant. Please don't take it personally. :wink: If your change is on the right track, we can guide you to make it mergable.
+We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions&mdash;even if it seems small or insignificant. Please don't take it personally. :blue_heart: If your change is on the right track, we can guide you to make it mergable.

 Here are some of the expectations we have of contributors:

- If your change is more than just a minor alteration, **open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that changes are in-line with the project's goals and the best interests of its users. If there's already an issue about it, comment on the existing issue to claim it.
+- **Open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that any changes are in-line with the project's goals and the best interests of its users. We can also discuss the best possible implementation. If there's already an issue about it, comment on the existing issue to claim it.

- **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we DON'T do.](https://twitter.com/iamdevloper/status/397664295875805184)
+- **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we want to avoid.](https://twitter.com/iamdevloper/status/397664295875805184)

 - **Keep related commits together in a PR.** We do want pull requests to be small, but you should also keep multiple related commits in the same PR if they rely on each other.

@@ -52,17 +52,17 @@ We often grant [collaborator status](#collaborator-instructions) to contributors

 Contributing to Go projects on GitHub is fun and easy. We recommend the following workflow:

-1. [Fork this repo](https://github.com/mholt/caddy). This makes a copy of the code you can write to.
+1. [Fork this repo](https://github.com/caddyserver/caddy). This makes a copy of the code you can write to.

-2. If you don't already have this repo (mholt/caddy.git) repo on your computer, get it with `go get github.com/mholt/caddy/caddy`.
+2. If you don't already have this repo (caddyserver/caddy.git) repo on your computer, get it with `go get github.com/caddyserver/caddy/caddy`.

-3. Tell git that it can push the mholt/caddy.git repo to your fork by adding a remote: `git remote add myfork https://github.com/you/caddy.git`
+3. Tell git that it can push the caddyserver/caddy.git repo to your fork by adding a remote: `git remote add myfork https://github.com/you/caddy.git`

-4. Make your changes in the mholt/caddy.git repo on your computer.
+4. Make your changes in the caddyserver/caddy.git repo on your computer.

 5. Push your changes to your fork: `git push myfork`

-6. [Create a pull request](https://github.com/mholt/caddy/pull/new/master) to merge your changes into mholt/caddy @ master. (Click "compare across forks" and change the head fork.)
+6. [Create a pull request](https://github.com/caddyserver/caddy/pull/new/master) to merge your changes into caddyserver/caddy @ master. (Click "compare across forks" and change the head fork.)

 This workflow is nice because you don't have to change import paths. You can get fancier by using different branches if you want.

@@ -71,7 +71,7 @@ This workflow is nice because you don't have to change import paths. You can get

 Caddy can do more with plugins! Anyone can write a plugin. Plugins are Go libraries that get compiled into Caddy, extending its feature set. They can add directives to the Caddyfile, change how the Caddyfile is loaded, and even implement new server types (e.g. HTTP, DNS). When it's ready, you can submit your plugin to the Caddy website so others can download it.

-[Learn how to write and submit a plugin](https://github.com/mholt/caddy/wiki) on the wiki. You should also share and discuss your plugin idea [on the forums](https://caddy.community) to have people test it out. We don't use the Caddy issue tracker for plugins.
+[Learn how to write and submit a plugin](https://github.com/caddyserver/caddy/wiki) on the wiki. You should also share and discuss your plugin idea [on the forums](https://caddy.community) to have people test it out. We don't use the Caddy issue tracker for plugins.


 ### Getting help using Caddy
@@ -83,7 +83,7 @@ Many people on the forums could benefit from your experience and expertise, too.

 ### Reporting bugs

-Like every software, Caddy has its flaws. If you find one, [search the issues](https://github.com/mholt/caddy/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/mholt/caddy/issues/new) and describe the bug, and somebody will look into it! (This repository is only for Caddy, not plugins.)
+Like every software, Caddy has its flaws. If you find one, [search the issues](https://github.com/caddyserver/caddy/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/caddyserver/caddy/issues/new) and describe the bug, and somebody will look into it! (This repository is only for Caddy and its standard modules.)

 **You can help stop bugs in their tracks!** Speed up the patch by identifying the bug in the code. This can sometimes be done by adding `fmt.Println()` statements (or similar) in relevant code paths to narrow down where the problem may be. It's a good way to [introduce yourself to the Go language](https://tour.golang.org), too.

@@ -93,17 +93,42 @@ We suggest reading [How to Report Bugs Effectively](http://www.chiark.greenend.o

 Please be kind. :smile: Remember that Caddy comes at no cost to you, and you're getting free support when we fix your issues. If we helped you, please consider helping someone else!

+#### Bug reporting requirements
+
+Maintainers---or more generally, developers---need three things to act on bugs:
+
+1. To agree or be convinced that it's a bug (reporter's responsibility).
+	- A bug is undesired or surprising behavior which violates documentation or the spec.
+
+2. To be able to understand what is happening (mostly reporter's responsibility).
+	- If the reporter can provide satisfactory instructions such that a developer can reproduce the bug, the developer will likely be able to understand the bug, write a test case, and implement a fix.
+	- Otherwise, the burden is on the reporter to test possible solutions. This is discouraged because it loosens the feedback loop, slows down debugging efforts, obscures the true nature of the problem from the developers, and is unlikely to result in new test cases.
+
+3. A solution, or ideas toward a solution (mostly maintainer's responsibility).
+	- Sometimes the best solution is a documentation change.
+	- Usually the developers have the best domain knowledge for inventing a solution, but reporters may have ideas or preferences for how they would like the software to work.
+	- Security, correctness, and project goals/vision all take priority over a user's preferences.
+	- It's simply good business to yield a solution that satisfies the users, and it's even better business to leave them impressed.
+
+Thus, at the very least, the reporter is expected to:
+
+1. Convince the reader that it's a bug (if it's not obvious).
+2. Reduce the problem down to the minimum specific steps required to reproduce it.
+
+The maintainer is usually able to do the rest; but of course the reporter may invest additional effort to speed up the process.
+
+

 ### Suggesting features

-First, [search to see if your feature has already been requested](https://github.com/mholt/caddy/issues). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. You don't have to follow the bug template for feature requests. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and without clarification will have to be closed.
+First, [search to see if your feature has already been requested](https://github.com/caddyserver/caddy/issues). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and, without clarification, will have to be closed.

-While we really do value your requests and implement many of them, not all features are a good fit for Caddy. Most of those [make good plugins](https://github.com/mholt/caddy/wiki), though, which can be made by anyone! But if a feature is not in the best interest of the Caddy project or its users in general, we may politely decline to implement it into Caddy core.
+While we really do value your requests and implement many of them, not all features are a good fit for Caddy. Most of those [make good plugins](https://github.com/caddyserver/caddy/wiki), which can be made by anyone! But if a feature is not in the best interest of the Caddy project or its users in general, we may politely decline to implement it into Caddy core.


 ### Improving documentation

-Caddy's documentation is available at [https://caddyserver.com/docs](https://caddyserver.com/docs). If you would like to make a fix to the docs, feel free to contribute at the [caddyserver/website](https://github.com/caddyserver/website) repository!
+Caddy's documentation is available at [https://caddyserver.com/v1/docs](https://caddyserver.com/v1/docs). If you would like to make a fix to the docs, please submit an issue here describing the change to make.

 Note that plugin documentation is not hosted by the Caddy website, other than basic usage examples. They are managed by the individual plugin authors, and you will have to contact them to change their documentation.

@@ -111,7 +136,7 @@ Note that plugin documentation is not hosted by the Caddy website, other than ba

 ## Collaborator Instructions

-Collabators have push rights to the repository. We grant this permission after one or more successful, high-quality PRs are merged! We thank them for their help.The expectations we have of collaborators are:
+Collaborators have push rights to the repository. We grant this permission after one or more successful, high-quality PRs are merged! We thank them for their help.The expectations we have of collaborators are:

 - **Help review pull requests.** Be meticulous, but also kind. We love our contributors, but we critique the contribution to make it better. Multiple, thorough reviews make for the best contributions! Here are some questions to consider:
 	- Can the change be made more elegant?
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [mholt] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
@@ -1,32 +0,0 @@
-<!--
-Are you asking for help with using Caddy? Please use our forum instead: https://caddy.community. If you are filing a bug report, please take a few minutes to carefully answer the following questions. If your issue is not a bug report, you do not need to use this template. Thanks!)
-->
-
-### 1. What version of Caddy are you using (`caddy -version`)?
-
-
-### 2. What are you trying to do?
-
-
-### 3. What is your entire Caddyfile?
-```text
-(paste Caddyfile here)
-```
-
-### 4. How did you run Caddy (give the full command and describe the execution environment)?
-
-
-### 5. Please paste any relevant HTTP request(s) here.
-
-<!-- Paste curl command, or full HTTP request including headers and body, here. -->
-
-
-### 6. What did you expect to see?
-
-
-### 7. What did you see instead (give full error messages and/or log)?
-
-
-### 8. How can someone who is starting from scratch reproduce the bug as minimally as possible?
-
-<!-- Please strip away any extra infrastructure such as containers, reverse proxies, upstream apps, caches, dependencies, etc, to prove this is a bug in Caddy and not an external misconfiguration. Your chances of getting this bug fixed go way up the easier it is to replicate. Thank you! -->
@@ -1,19 +0,0 @@
-<!--
-Thank you for contributing to Caddy! Please fill this out to help us make the most of your pull request.
-->
-
-### 1. What does this change do, exactly?
-
-
-### 2. Please link to the relevant issues.
-
-
-### 3. Which documentation changes (if any) need to be made because of this PR?
-
-
-### 4. Checklist
-
- [ ] I have written tests and verified that they fail without my change
- [ ] I have squashed any insignificant commits
- [ ] This change has comments for package types, values, functions, and non-obvious lines of code
- [ ] I am willing to help maintain this change if there are issues with it later
@@ -13,7 +13,10 @@ access.log

 /*.conf
 Caddyfile
+!caddyfile/

 og_static/

-.vscode/
+.vscode/
+
+*.bat
@@ -1,39 +0,0 @@
-language: go
-
-go:
-  - 1.8.3
-  - tip
-
-matrix:
-  allow_failures:
-    - go: tip
-  fast_finish: true
-
-before_install:
-  # Decrypts a script that installs an authenticated cookie
-  # for git to use when cloning from googlesource.com.
-  # Bypasses "bandwidth limit exceeded" errors.
-  # See github.com/golang/go/issues/12933
- - if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then openssl aes-256-cbc -K $encrypted_3df18f9af81d_key -iv $encrypted_3df18f9af81d_iv -in dist/gitcookie.sh.enc -out dist/gitcookie.sh -d; fi
-
-install:
-  - if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then bash dist/gitcookie.sh; fi
-  - go get -t ./...
-  - go get github.com/golang/lint/golint
-  - go get github.com/FiloSottile/vendorcheck
-  # Install gometalinter and certain linters
-  - go get github.com/alecthomas/gometalinter
-  - go get github.com/client9/misspell/cmd/misspell
-  - go get github.com/gordonklaus/ineffassign
-  - go get golang.org/x/tools/cmd/goimports
-  - go get github.com/tsenart/deadcode
-
-script:
-  - gometalinter --disable-all -E vet -E gofmt -E misspell -E ineffassign -E goimports -E deadcode --tests --vendor ./...
-  - vendorcheck ./...
-  # TODO: When Go 1.9 is released, replace $(go list) subcommand with ./... because vendor folder should be ignored
-  - go test -race $(go list ./... | grep -v vendor)
-
-after_script:
-  # TODO: When Go 1.9 is released, replace $(go list) subcommand with ./... because vendor folder should be ignored
-  - golint $(go list ./... | grep -v vendor)
@@ -1,17 +1,16 @@
 <p align="center">
-	<a href="https://caddyserver.com"><img src="https://cloud.githubusercontent.com/assets/1128849/25305033/12916fce-2731-11e7-86ec-580d4d31cb16.png" alt="Caddy" width="400"></a>
+	<a href="https://caddyserver.com"><img src="https://user-images.githubusercontent.com/1128849/36338535-05fb646a-136f-11e8-987b-e6901e717d5a.png" alt="Caddy" width="450"></a>
 </p>
 <h3 align="center">Every Site on HTTPS <!-- Serve Confidently --></h3>
 <p align="center">Caddy is a general-purpose HTTP/2 web server that serves HTTPS by default.</p>
 <p align="center">
-	<a href="https://travis-ci.org/mholt/caddy"><img src="https://img.shields.io/travis/mholt/caddy.svg?label=linux+build"></a>
-	<a href="https://ci.appveyor.com/project/mholt/caddy"><img src="https://img.shields.io/appveyor/ci/mholt/caddy.svg?label=windows+build"></a>
-	<a href="https://godoc.org/github.com/mholt/caddy"><img src="https://img.shields.io/badge/godoc-reference-blue.svg"></a>
-	<a href="https://goreportcard.com/report/mholt/caddy"><img src="https://goreportcard.com/badge/github.com/mholt/caddy"></a>
+	<a href="https://dev.azure.com/mholt-dev/Caddy/_build?definitionId=5"><img src="https://img.shields.io/azure-devops/build/mholt-dev/afec6074-9842-457f-98cf-69df6adbbf2e/5/master.svg?label=cross-platform%20tests"></a>
+	<a href="https://godoc.org/github.com/caddyserver/caddy"><img src="https://img.shields.io/badge/godoc-reference-blue.svg"></a>
+	<a href="https://goreportcard.com/report/caddyserver/caddy"><img src="https://goreportcard.com/badge/github.com/caddyserver/caddy"></a>
 	<br>
 	<a href="https://twitter.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/badge/twitter-@caddyserver-55acee.svg" alt="@caddyserver on Twitter"></a>
 	<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
-	<a href="https://sourcegraph.com/github.com/mholt/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/mholt/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
+	<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
 </p>
 <p align="center">
 	<a href="https://caddyserver.com/download">Download</a> ·
@@ -21,9 +20,15 @@

 ---

-Caddy is fast, easy to use, and makes you more productive.
+Caddy is a **production-ready** open-source web server that is fast, easy to use, and makes you more productive.

-Available for Windows, Mac, Linux, BSD, Solaris, and [Android](https://github.com/mholt/caddy/wiki/Running-Caddy-on-Android).
+Available for Windows, Mac, Linux, BSD, Solaris, and [Android](https://github.com/caddyserver/caddy/wiki/Running-Caddy-on-Android).
+
+<p align="center">
+	<b>Thanks to our special sponsor:</b>
+	<br><br>
+	<a href="https://relicabackup.com"><img src="https://caddyserver.com/resources/images/sponsors/relica.png" width="220" alt="Relica - Cross-platform file backup to the cloud, local disks, or other computers"></a>
+</p>

 ## Menu

@@ -41,25 +46,76 @@ Available for Windows, Mac, Linux, BSD, Solaris, and [Android](https://github.co
 - **Automatic HTTPS** on by default (via [Let's Encrypt](https://letsencrypt.org))
 - **HTTP/2** by default
 - **Virtual hosting** so multiple sites just work
- Experimental **QUIC support** for those that like speed
+- Experimental **QUIC support** for cutting-edge transmissions
 - TLS session ticket **key rotation** for more secure connections
 - **Extensible with plugins** because a convenient web server is a helpful one
 - **Runs anywhere** with **no external dependencies** (not even libc)

-There's way more, too! [See all features built into Caddy.](https://caddyserver.com/features) On top of all those, Caddy does even more with plugins: choose which plugins you want at [download](https://caddyserver.com/download).
+[See a more complete list of features built into Caddy.](https://caddyserver.com/features) On top of all those, Caddy does even more with plugins: choose which plugins you want at [download](https://caddyserver.com/download).
+
+Altogether, Caddy can do things other web servers simply cannot do. Its features and plugins save you time and mistakes, and will cheer you up. Your Caddy instance takes care of the details for you!
+
+
+<p align="center">
+	<b>Powered by</b>
+	<br>
+	<a href="https://github.com/mholt/certmagic"><img src="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png" alt="CertMagic" width="250"></a>
+</p>


 ## Install

-Caddy binaries have no dependencies and are available for every platform. Get Caddy any one of these ways:
+Caddy binaries have no dependencies and are available for every platform. Get Caddy any of these ways:

- **[Download page](https://caddyserver.com/download)** allows you to
-customize your build in the browser
- **[Latest release](https://github.com/mholt/caddy/releases/latest)** for
-pre-built, vanilla binaries
- **go get** to build from source: `go get github.com/mholt/caddy/caddy` (requires Go 1.8 or newer)
+- **[Download page](https://caddyserver.com/download)** (RECOMMENDED) allows you to customize your build in the browser
+- **[Latest release](https://github.com/caddyserver/caddy/releases/latest)** for pre-built, vanilla binaries
+- **[AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07J1WNK75?qid=1539015041932&sr=0-1&ref_=srh_res_product_title&cl_spe=C)** makes it easy to deploy directly to your cloud environment. <a href="https://aws.amazon.com/marketplace/pp/B07J1WNK75?qid=1539015041932&sr=0-1&ref_=srh_res_product_title&cl_spe=C" target="_blank">
+<img src="https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png" alt="Get Caddy on the AWS Marketplace" height="25"/></a>

-Then make sure the `caddy` binary is in your PATH.
+
+## Build
+
+To build from source you need **[Git](https://git-scm.com/downloads)** and **[Go](https://golang.org/doc/install)** (1.13 or newer).
+
+**To build Caddy without plugins:**
+
+- Run `go get github.com/caddyserver/caddy/caddy`
+
+Caddy will be installed to your `$GOPATH/bin` folder.
+
+With these instructions, the binary will not have embedded version information (see [golang/go#29228](https://github.com/golang/go/issues/29228)), but it is fine for a quick start.
+
+**To build Caddy with plugins (and with version information):**
+
+There is no need to modify the Caddy code to build it with plugins. We will create a simple Go module with our own `main()` that you can use to make custom Caddy builds.
+- Create a new folder anywhere and within create a Go file (with an extension of `.go`, such as `main.go`) with the contents below, adjusting to import the plugins you want to include:
+```go
+package main
+
+import (
+	"github.com/caddyserver/caddy/caddy/caddymain"
+	
+	// plug in plugins here, for example:
+	// _ "import/path/here"
+)
+
+func main() {
+	// optional: disable telemetry
+	// caddymain.EnableTelemetry = false
+	caddymain.Run()
+}
+```
+3. `go mod init caddy`
+4. Run `go get github.com/caddyserver/caddy`
+5. `go install` will then create your binary at `$GOPATH/bin`, or `go build` will put it in the current directory.
+
+**To install Caddy's source code for development:**
+
+- Run `git clone https://github.com/caddyserver/caddy.git` in any folder (doesn't have to be in GOPATH).
+
+You can make changes to the source code from that clone and checkout any commit or tag you wish to develop on.
+
+When building from source, telemetry is enabled by default. You can disable it by changing `caddymain.EnableTelemetry = false` in run.go, or use the `-disabled-metrics` flag at runtime to disable only certain metrics.


 ## Quick Start
@@ -80,7 +136,7 @@ If the `caddy` binary has permission to bind to low ports and your domain name's
 caddy -host example.com
 ```

-This command serves static files from the current directory over HTTPS. Certificates are automatically obtained and renewed for you!
+This command serves static files from the current directory over HTTPS. Certificates are automatically obtained and renewed for you! Caddy is also automatically configuring ports 80 and 443 for you, and redirecting HTTP to HTTPS. Cool, huh?

 ### Customizing your site

@@ -110,7 +166,7 @@ To host multiple sites and do more with the Caddyfile, please see the [Caddyfile

 Sites with qualifying hostnames are served over [HTTPS by default](https://caddyserver.com/docs/automatic-https).

-Caddy has a command line interface. Run `caddy -h` to view basic help or see the [CLI documentation](https://caddyserver.com/docs/cli) for details.
+Caddy has a nice little command line interface. Run `caddy -h` to view basic help or see the [CLI documentation](https://caddyserver.com/docs/cli) for details.


 ## Running in Production
@@ -119,7 +175,7 @@ Caddy is production-ready if you find it to be a good fit for your site and work

 **Running as root:** We advise against this. You can still listen on ports < 1024 on Linux using setcap like so: `sudo setcap cap_net_bind_service=+ep ./caddy`

-The Caddy project does not officially maintain any system-specific integrations nor suggest how to administer your own system. But your download file includes [unofficial resources](https://github.com/mholt/caddy/tree/master/dist/init) contributed by the community that you may find helpful for running Caddy in production.
+The Caddy project does not officially maintain any system-specific integrations nor suggest how to administer your own system. But your download file includes [unofficial resources](https://github.com/caddyserver/caddy/tree/master/dist/init) contributed by the community that you may find helpful for running Caddy in production.

 How you choose to run Caddy is up to you. Many users are satisfied with `nohup caddy &`. Others use `screen`. Users who need Caddy to come back up after reboots either do so in the script that caused the reboot, add a command to an init script, or configure a service with their OS.

@@ -128,13 +184,17 @@ If you have questions or concerns about Caddy' underlying crypto implementations

 ## Contributing

-**[Join our forum](https://caddy.community) where you can chat with other Caddy users and developers!** To get familiar with the code base, try [Caddy code search on Sourcegraph](https://sourcegraph.com/github.com/mholt/caddy/-/search)!
+**[Join our forum](https://caddy.community) where you can chat with other Caddy users and developers!** To get familiar with the code base, try [Caddy code search on Sourcegraph](https://sourcegraph.com/github.com/caddyserver/caddy/)!

-Please see our [contributing guidelines](https://github.com/mholt/caddy/blob/master/.github/CONTRIBUTING.md) for instructions. If you want to write a plugin, check out the [developer wiki](https://github.com/mholt/caddy/wiki).
+Please see our [contributing guidelines](https://github.com/caddyserver/caddy/blob/master/.github/CONTRIBUTING.md) for instructions. If you want to write a plugin, check out the [developer wiki](https://github.com/caddyserver/caddy/wiki).

 We use GitHub issues and pull requests only for discussing bug reports and the development of specific changes. We welcome all other topics on the [forum](https://caddy.community)!

-If you want to contribute to the documentation, please submit pull requests to [caddyserver/website](https://github.com/caddyserver/website).
+If you want to contribute to the documentation, please [submit an issue](https://github.com/caddyserver/caddy/issues/new) describing the change that should be made.
+
+### Good First Issue
+
+If you are looking for somewhere to start and would like to help out by working on an existing issue, take a look at our [`Good First Issue`](https://github.com/caddyserver/caddy/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) tag 

 Thanks for making Caddy -- and the Web -- better!

@@ -145,7 +205,7 @@ Thanks for making Caddy -- and the Web -- better!
 - [DNSimple](https://dnsimple.link/resolving-caddy) provides DNS services for Caddy's sites.
 - [DNS Spy](https://dnsspy.io) keeps an eye on Caddy's DNS properties.

-We thank them for their services. **If you want to help keep Caddy free, please [become a sponsor](https://caddyserver.com/pricing)!**
+We thank them for their services. **If you want to help keep Caddy free, please [become a sponsor](https://github.com/sponsors/mholt)!**


 ## About the Project
@@ -153,6 +213,6 @@ We thank them for their services. **If you want to help keep Caddy free, please
 Caddy was born out of the need for a "batteries-included" web server that runs anywhere and doesn't have to take its configuration with it. Caddy took inspiration from [spark](https://github.com/rif/spark), [nginx](https://github.com/nginx/nginx), lighttpd,
 [Websocketd](https://github.com/joewalnes/websocketd) and [Vagrant](https://www.vagrantup.com/), which provides a pleasant mixture of features from each of them.

-**The name "Caddy":** The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". See [brand guidelines](https://caddyserver.com/brand).
+**The name "Caddy" is trademarked:** The name of the software is "Caddy", not "Caddy Server" or "CaddyServer". Please call it "Caddy" or, if you wish to clarify, "the Caddy web server". See [brand guidelines](https://caddyserver.com/brand). Caddy is a registered trademark of Light Code Labs, LLC.

 *Author on Twitter: [@mholt6](https://twitter.com/mholt6)*
@@ -1,39 +0,0 @@
-version: "{build}"
-
-os: Windows Server 2012 R2
-
-clone_folder: c:\gopath\src\github.com\mholt\caddy
-
-environment:
-  GOPATH: c:\gopath
-
-install:
-  - rmdir c:\go /s /q
-  - appveyor DownloadFile https://storage.googleapis.com/golang/go1.8.3.windows-amd64.zip
-  - 7z x go1.8.3.windows-amd64.zip -y -oC:\ > NUL
-  - set PATH=%GOPATH%\bin;%PATH%
-  - go version
-  - go env
-  - go get -t ./...
-  - go get github.com/golang/lint/golint
-  - go get github.com/FiloSottile/vendorcheck
-   # Install gometalinter and certain linters
-  - go get github.com/alecthomas/gometalinter
-  - go get github.com/client9/misspell/cmd/misspell
-  - go get github.com/gordonklaus/ineffassign
-  - go get golang.org/x/tools/cmd/goimports
-  - go get github.com/tsenart/deadcode
-
-build: off
-
-test_script:
-  - gometalinter --disable-all -E vet -E gofmt -E misspell -E ineffassign -E goimports -E deadcode --tests --vendor ./...
-  - vendorcheck ./... 
-  # TODO: When Go 1.9 comes out, replace this whole line with `go test -race ./...` b/c vendor folder should be ignored
-  - for /f "" %%G in ('go list ./... ^| find /i /v "/vendor/"') do (go test -race %%G & IF ERRORLEVEL == 1 EXIT 1)
-
-after_test:
-  # TODO: When Go 1.9 comes out, replace this whole line with `golint ./...` b/c vendor folder should be ignored
-  - for /f "" %%G in ('go list ./... ^| find /i /v "/vendor/"') do (golint %%G & IF ERRORLEVEL == 1 EXIT 1)
-
-deploy: off
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddy

 import (
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddy

 import (
@@ -11,9 +25,15 @@ func TestAssetsPath(t *testing.T) {
 		t.Errorf("Expected path to be a .caddy folder, got: %v", actual)
 	}

-	os.Setenv("CADDYPATH", "testpath")
+	err := os.Setenv("CADDYPATH", "testpath")
+	if err != nil {
+		t.Error("Could not set CADDYPATH")
+	}
 	if actual, expected := AssetsPath(), "testpath"; actual != expected {
 		t.Errorf("Expected path to be %v, got: %v", expected, actual)
 	}
-	os.Setenv("CADDYPATH", "")
+	err = os.Setenv("CADDYPATH", "")
+	if err != nil {
+		t.Error("Could not set CADDYPATH")
+	}
 }
@@ -0,0 +1,88 @@
+# Mutilated beyond recognition from the example at:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/go
+
+trigger:
+- master
+
+strategy:
+  matrix:
+    linux:
+      imageName: ubuntu-16.04
+      gorootDir: /usr/local
+    mac:
+      imageName: macos-10.13
+      gorootDir: /usr/local
+    windows:
+      imageName: windows-2019
+      gorootDir: C:\
+
+pool:
+  vmImage: $(imageName)
+
+variables:
+  GOROOT: $(gorootDir)/go
+  GOPATH: $(system.defaultWorkingDirectory)/gopath
+  GOBIN:  $(GOPATH)/bin
+  modulePath: '$(GOPATH)/src/github.com/$(build.repository.name)'
+  # TODO: modules should be the default in Go 1.13, so this won't be needed
+  GO111MODULE: on
+
+steps:
+- bash: |
+    latestGo=$(curl "https://golang.org/VERSION?m=text")
+    echo "##vso[task.setvariable variable=LATEST_GO]$latestGo"
+    echo "Latest Go version: $latestGo"
+  displayName: "Get latest Go version"
+
+- bash: |
+    sudo rm -f $(which go)
+    echo '##vso[task.prependpath]$(GOBIN)'
+    echo '##vso[task.prependpath]$(GOROOT)/bin'
+    mkdir -p '$(modulePath)'
+    shopt -s extglob
+    shopt -s dotglob
+    mv !(gopath) '$(modulePath)'
+  displayName: Remove old Go, set GOBIN/GOROOT, and move project into GOPATH
+
+# Install Go (this varies by platform)
+
+- bash: |
+    wget "https://dl.google.com/go/$(LATEST_GO).linux-amd64.tar.gz"
+    sudo tar -C $(gorootDir) -xzf "$(LATEST_GO).linux-amd64.tar.gz"
+  condition: eq( variables['Agent.OS'], 'Linux' )
+  displayName: Install Go on Linux
+
+- bash: |
+    wget "https://dl.google.com/go/$(LATEST_GO).darwin-amd64.tar.gz"
+    sudo tar -C $(gorootDir) -xzf "$(LATEST_GO).darwin-amd64.tar.gz"
+  condition: eq( variables['Agent.OS'], 'Darwin' )
+  displayName: Install Go on macOS
+
+- powershell: |
+    Write-Host "Downloading Go... (please be patient, I am very slow)"
+    (New-Object System.Net.WebClient).DownloadFile("https://dl.google.com/go/$(LATEST_GO).windows-amd64.zip", "$(LATEST_GO).windows-amd64.zip")
+    Write-Host "Extracting Go... (I'm slow too)"
+    Expand-Archive "$(LATEST_GO).windows-amd64.zip" -DestinationPath "$(gorootDir)"
+  condition: eq( variables['Agent.OS'], 'Windows_NT' )
+  displayName: Install Go on Windows
+
+# TODO: When this issue is fixed, replace with installer script:
+# https://github.com/golangci/golangci-lint/issues/472
+- script: go get -v github.com/golangci/golangci-lint/cmd/golangci-lint
+  displayName: Install golangci-lint
+
+- bash: |
+    printf "Using go at: $(which go)\n"
+    printf "Go version: $(go version)\n"
+    printf "\n\nGo environment:\n\n"
+    go env
+    printf "\n\nSystem environment:\n\n"
+    env
+  displayName: Print Go version and environment
+
+- script: |
+    go get -v -t -d ./...
+    golangci-lint run -E gofmt -E goimports -E misspell
+    go test -race ./...
+  workingDirectory: '$(modulePath)'
+  displayName: Run tests
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package caddy implements the Caddy server manager.
 //
 // To use this package:
@@ -6,7 +20,7 @@
 //   2. Call LoadCaddyfile() to get the Caddyfile.
 //      Pass in the name of the server type (like "http").
 //      Make sure the server type's package is imported
-//      (import _ "github.com/mholt/caddy/caddyhttp").
+//      (import _ "github.com/caddyserver/caddy/caddyhttp").
 //   3. Call caddy.Start() to start Caddy. You get back
 //      an Instance, on which you can call Restart() to
 //      restart it or Stop() to stop it.
@@ -17,6 +31,7 @@ package caddy

 import (
 	"bytes"
+	"encoding/gob"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -28,7 +43,8 @@ import (
 	"sync"
 	"time"

-	"github.com/mholt/caddy/caddyfile"
+	"github.com/caddyserver/caddy/caddyfile"
+	"github.com/caddyserver/caddy/telemetry"
 )

 // Configurable application parameters
@@ -51,7 +67,7 @@ var (
 	// isUpgrade will be set to true if this process
 	// was started as part of an upgrade, where a parent
 	// Caddy process started this one.
-	isUpgrade bool
+	isUpgrade = os.Getenv("CADDY__UPGRADE") == "1"

 	// started will be set to true when the first
 	// instance is started; it never gets set to
@@ -62,8 +78,18 @@ var (
 	mu sync.Mutex
 )

+func init() {
+	OnProcessExit = append(OnProcessExit, func() {
+		if PidFile != "" {
+			os.Remove(PidFile)
+		}
+	})
+}
+
 // Instance contains the state of servers created as a result of
 // calling Start and can be used to access or control those servers.
+// It is literally an instance of a server type. Instance values
+// should NOT be copied. Use *Instance for safety.
 type Instance struct {
 	// serverType is the name of the instance's server type
 	serverType string
@@ -74,18 +100,33 @@ type Instance struct {
 	// wg is used to wait for all servers to shut down
 	wg *sync.WaitGroup

-	// context is the context created for this instance.
+	// context is the context created for this instance,
+	// used to coordinate the setting up of the server type
 	context Context

-	// servers is the list of servers with their listeners.
+	// servers is the list of servers with their listeners
 	servers []ServerListener

 	// these callbacks execute when certain events occur
-	onFirstStartup  []func() error // starting, not as part of a restart
-	onStartup       []func() error // starting, even as part of a restart
-	onRestart       []func() error // before restart commences
-	onShutdown      []func() error // stopping, even as part of a restart
-	onFinalShutdown []func() error // stopping, not as part of a restart
+	OnFirstStartup  []func() error // starting, not as part of a restart
+	OnStartup       []func() error // starting, even as part of a restart
+	OnRestart       []func() error // before restart commences
+	OnRestartFailed []func() error // if restart failed
+	OnShutdown      []func() error // stopping, even as part of a restart
+	OnFinalShutdown []func() error // stopping, not as part of a restart
+
+	// storing values on an instance is preferable to
+	// global state because these will get garbage-
+	// collected after in-process reloads when the
+	// old instances are destroyed; use StorageMu
+	// to access this value safely
+	Storage   map[interface{}]interface{}
+	StorageMu sync.RWMutex
+}
+
+// Instances returns the list of instances.
+func Instances() []*Instance {
+	return instances
 }

 // Servers returns the ServerListeners in i.
@@ -122,13 +163,13 @@ func (i *Instance) Stop() error {
 // the rest. All the non-nil errors will be returned.
 func (i *Instance) ShutdownCallbacks() []error {
 	var errs []error
-	for _, shutdownFunc := range i.onShutdown {
+	for _, shutdownFunc := range i.OnShutdown {
 		err := shutdownFunc()
 		if err != nil {
 			errs = append(errs, err)
 		}
 	}
-	for _, finalShutdownFunc := range i.onFinalShutdown {
+	for _, finalShutdownFunc := range i.OnFinalShutdown {
 		err := finalShutdownFunc()
 		if err != nil {
 			errs = append(errs, err)
@@ -146,9 +187,28 @@ func (i *Instance) Restart(newCaddyfile Input) (*Instance, error) {
 	i.wg.Add(1)
 	defer i.wg.Done()

+	var err error
+	// if something went wrong on restart then run onRestartFailed callbacks
+	defer func() {
+		r := recover()
+		if err != nil || r != nil {
+			for _, fn := range i.OnRestartFailed {
+				if err := fn(); err != nil {
+					log.Printf("[ERROR] Restart failed callback returned error: %v", err)
+				}
+			}
+			if err != nil {
+				log.Printf("[ERROR] Restart failed: %v", err)
+			}
+			if r != nil {
+				log.Printf("[PANIC] Restart: %v", r)
+			}
+		}
+	}()
+
 	// run restart callbacks
-	for _, fn := range i.onRestart {
-		err := fn()
+	for _, fn := range i.OnRestart {
+		err = fn()
 		if err != nil {
 			return i, err
 		}
@@ -181,22 +241,28 @@ func (i *Instance) Restart(newCaddyfile Input) (*Instance, error) {
 	}

 	// create new instance; if the restart fails, it is simply discarded
-	newInst := &Instance{serverType: newCaddyfile.ServerType(), wg: i.wg}
+	newInst := &Instance{serverType: newCaddyfile.ServerType(), wg: i.wg, Storage: make(map[interface{}]interface{})}

 	// attempt to start new instance
-	err := startWithListenerFds(newCaddyfile, newInst, restartFds)
+	err = startWithListenerFds(newCaddyfile, newInst, restartFds)
 	if err != nil {
-		return i, err
+		return i, fmt.Errorf("starting with listener file descriptors: %v", err)
 	}

 	// success! stop the old instance
-	for _, shutdownFunc := range i.onShutdown {
-		err := shutdownFunc()
+	err = i.Stop()
+	if err != nil {
+		return i, err
+	}
+	for _, shutdownFunc := range i.OnShutdown {
+		err = shutdownFunc()
 		if err != nil {
 			return i, err
 		}
 	}
-	i.Stop()
+
+	// Execute instantiation events
+	EmitEvent(InstanceStartupEvent, newInst)

 	log.Println("[INFO] Reloading complete")

@@ -210,42 +276,6 @@ func (i *Instance) SaveServer(s Server, ln net.Listener) {
 	i.servers = append(i.servers, ServerListener{server: s, listener: ln})
 }

-// HasListenerWithAddress returns whether this package is
-// tracking a server using a listener with the address
-// addr.
-func HasListenerWithAddress(addr string) bool {
-	instancesMu.Lock()
-	defer instancesMu.Unlock()
-	for _, inst := range instances {
-		for _, sln := range inst.servers {
-			if listenerAddrEqual(sln.listener, addr) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// listenerAddrEqual compares a listener's address with
-// addr. Extra care is taken to match addresses with an
-// empty hostname portion, as listeners tend to report
-// [::]:80, for example, when the matching address that
-// created the listener might be simply :80.
-func listenerAddrEqual(ln net.Listener, addr string) bool {
-	lnAddr := ln.Addr().String()
-	hostname, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return lnAddr == addr
-	}
-	if lnAddr == net.JoinHostPort("::", port) {
-		return true
-	}
-	if lnAddr == net.JoinHostPort("0.0.0.0", port) {
-		return true
-	}
-	return hostname != "" && lnAddr == addr
-}
-
 // TCPServer is a type that can listen and serve connections.
 // A TCPServer must associate with exactly zero or one net.Listeners.
 type TCPServer interface {
@@ -324,6 +354,11 @@ type GracefulServer interface {
 	// address; you must store the address the
 	// server is to serve on some other way.
 	Address() string
+
+	// WrapListener wraps a listener with the
+	// listener middlewares configured for this
+	// server, if any.
+	WrapListener(net.Listener) net.Listener
 }

 // Listener is a net.Listener with an underlying file descriptor.
@@ -360,6 +395,16 @@ type AfterStartup interface {
 // is returned. Consequently, this function never returns a nil
 // value as long as there are no errors.
 func LoadCaddyfile(serverType string) (Input, error) {
+	// If we are finishing an upgrade, we must obtain the Caddyfile
+	// from our parent process, regardless of configured loaders.
+	if IsUpgrade() {
+		err := gob.NewDecoder(os.Stdin).Decode(&loadedGob)
+		if err != nil {
+			return nil, err
+		}
+		return loadedGob.Caddyfile, nil
+	}
+
 	// Ask plugged-in loaders for a Caddyfile
 	cdyfile, err := loadCaddyfileInput(serverType)
 	if err != nil {
@@ -424,17 +469,51 @@ func (i *Instance) Caddyfile() Input {
 //
 // This function blocks until all the servers are listening.
 func Start(cdyfile Input) (*Instance, error) {
-	writePidFile()
-	inst := &Instance{serverType: cdyfile.ServerType(), wg: new(sync.WaitGroup)}
-	return inst, startWithListenerFds(cdyfile, inst, nil)
+	inst := &Instance{serverType: cdyfile.ServerType(), wg: new(sync.WaitGroup), Storage: make(map[interface{}]interface{})}
+	err := startWithListenerFds(cdyfile, inst, nil)
+	if err != nil {
+		return inst, err
+	}
+	signalSuccessToParent()
+	if pidErr := writePidFile(); pidErr != nil {
+		log.Printf("[ERROR] Could not write pidfile: %v", pidErr)
+	}
+
+	// Execute instantiation events
+	EmitEvent(InstanceStartupEvent, inst)
+
+	return inst, nil
 }

 func startWithListenerFds(cdyfile Input, inst *Instance, restartFds map[string]restartTriple) error {
+	// save this instance in the list now so that
+	// plugins can access it if need be, for example
+	// the caddytls package, so it can perform cert
+	// renewals while starting up; we just have to
+	// remove the instance from the list later if
+	// it fails
+	instancesMu.Lock()
+	instances = append(instances, inst)
+	instancesMu.Unlock()
+	var err error
+	defer func() {
+		if err != nil {
+			instancesMu.Lock()
+			for i, otherInst := range instances {
+				if otherInst == inst {
+					instances = append(instances[:i], instances[i+1:]...)
+					break
+				}
+			}
+			instancesMu.Unlock()
+		}
+	}()
+
 	if cdyfile == nil {
 		cdyfile = CaddyfileInput{}
 	}

-	err := ValidateAndExecuteDirectives(cdyfile, inst, false)
+	err = ValidateAndExecuteDirectives(cdyfile, inst, false)
 	if err != nil {
 		return err
 	}
@@ -445,16 +524,17 @@ func startWithListenerFds(cdyfile Input, inst *Instance, restartFds map[string]r
 	}

 	// run startup callbacks
-	if restartFds == nil {
-		for _, firstStartupFunc := range inst.onFirstStartup {
-			err := firstStartupFunc()
+	if !IsUpgrade() && restartFds == nil {
+		// first startup means not a restart or upgrade
+		for _, firstStartupFunc := range inst.OnFirstStartup {
+			err = firstStartupFunc()
 			if err != nil {
 				return err
 			}
 		}
 	}
-	for _, startupFunc := range inst.onStartup {
-		err := startupFunc()
+	for _, startupFunc := range inst.OnStartup {
+		err = startupFunc()
 		if err != nil {
 			return err
 		}
@@ -465,10 +545,6 @@ func startWithListenerFds(cdyfile Input, inst *Instance, restartFds map[string]r
 		return err
 	}

-	instancesMu.Lock()
-	instances = append(instances, inst)
-	instancesMu.Unlock()
-
 	// run any AfterStartup callbacks if this is not
 	// part of a restart; then show file descriptor notice
 	if restartFds == nil {
@@ -479,6 +555,11 @@ func startWithListenerFds(cdyfile Input, inst *Instance, restartFds map[string]r
 		}
 		if !Quiet {
 			for _, srvln := range inst.servers {
+				// only show FD notice if the listener is not nil.
+				// This can happen when only serving UDP or TCP
+				if srvln.listener == nil {
+					continue
+				}
 				if !IsLoopback(srvln.listener.Addr().String()) {
 					checkFdlimit()
 					break
@@ -500,10 +581,9 @@ func startWithListenerFds(cdyfile Input, inst *Instance, restartFds map[string]r
 // callbacks will not be executed between directives, since the purpose
 // is only to check the input for valid syntax.
 func ValidateAndExecuteDirectives(cdyfile Input, inst *Instance, justValidate bool) error {
-
 	// If parsing only inst will be nil, create an instance for this function call only.
 	if justValidate {
-		inst = &Instance{serverType: cdyfile.ServerType(), wg: new(sync.WaitGroup)}
+		inst = &Instance{serverType: cdyfile.ServerType(), wg: new(sync.WaitGroup), Storage: make(map[interface{}]interface{})}
 	}

 	stypeName := cdyfile.ServerType()
@@ -520,23 +600,25 @@ func ValidateAndExecuteDirectives(cdyfile Input, inst *Instance, justValidate bo
 		return err
 	}

-	inst.context = stype.NewContext()
+	for _, sb := range sblocks {
+		for dir := range sb.Tokens {
+			telemetry.AppendUnique("directives", dir)
+		}
+	}
+
+	inst.context = stype.NewContext(inst)
 	if inst.context == nil {
 		return fmt.Errorf("server type %s produced a nil Context", stypeName)
 	}

 	sblocks, err = inst.context.InspectServerBlocks(cdyfile.Path(), sblocks)
 	if err != nil {
-		return err
+		return fmt.Errorf("error inspecting server blocks: %v", err)
 	}

-	err = executeDirectives(inst, cdyfile.Path(), stype.Directives(), sblocks, justValidate)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	telemetry.Set("num_server_blocks", len(sblocks))

+	return executeDirectives(inst, cdyfile.Path(), stype.Directives(), sblocks, justValidate)
 }

 func executeDirectives(inst *Instance, filename string,
@@ -609,6 +691,11 @@ func executeDirectives(inst *Instance, filename string,
 func startServers(serverList []Server, inst *Instance, restartFds map[string]restartTriple) error {
 	errChan := make(chan error, len(serverList))

+	// used for signaling to error logging goroutine to terminate
+	stopChan := make(chan struct{})
+	// used to track termination of servers
+	stopWg := &sync.WaitGroup{}
+
 	for _, s := range serverList {
 		var (
 			ln  net.Listener
@@ -616,6 +703,37 @@ func startServers(serverList []Server, inst *Instance, restartFds map[string]res
 			err error
 		)

+		// if performing an upgrade, obtain listener file descriptors
+		// from parent process
+		if IsUpgrade() {
+			if gs, ok := s.(GracefulServer); ok {
+				addr := gs.Address()
+				if fdIndex, ok := loadedGob.ListenerFds["tcp"+addr]; ok {
+					file := os.NewFile(fdIndex, "")
+					ln, err = net.FileListener(file)
+					if err != nil {
+						return fmt.Errorf("making listener from file: %v", err)
+					}
+					err = file.Close()
+					if err != nil {
+						return fmt.Errorf("closing copy of listener file: %v", err)
+					}
+				}
+				if fdIndex, ok := loadedGob.ListenerFds["udp"+addr]; ok {
+					file := os.NewFile(fdIndex, "")
+					pc, err = net.FilePacketConn(file)
+					if err != nil {
+						return fmt.Errorf("making packet connection from file: %v", err)
+					}
+					err = file.Close()
+					if err != nil {
+						return fmt.Errorf("closing copy of packet connection file: %v", err)
+					}
+				}
+				ln = gs.WrapListener(ln)
+			}
+		}
+
 		// If this is a reload and s is a GracefulServer,
 		// reuse the listener for a graceful restart.
 		if gs, ok := s.(GracefulServer); ok && restartFds != nil {
@@ -625,71 +743,97 @@ func startServers(serverList []Server, inst *Instance, restartFds map[string]res
 				if old.listener != nil {
 					file, err := old.listener.File()
 					if err != nil {
-						return err
+						return fmt.Errorf("getting old listener file: %v", err)
 					}
 					ln, err = net.FileListener(file)
 					if err != nil {
-						return err
+						return fmt.Errorf("getting file listener: %v", err)
+					}
+					err = file.Close()
+					if err != nil {
+						return fmt.Errorf("closing copy of listener file: %v", err)
 					}
-					file.Close()
 				}
 				// packetconn
 				if old.packet != nil {
 					file, err := old.packet.File()
 					if err != nil {
-						return err
+						return fmt.Errorf("getting old packet file: %v", err)
 					}
 					pc, err = net.FilePacketConn(file)
 					if err != nil {
-						return err
+						return fmt.Errorf("getting file packet connection: %v", err)
+					}
+					err = file.Close()
+					if err != nil {
+						return fmt.Errorf("close copy of packet file: %v", err)
 					}
-					file.Close()
 				}
+				ln = gs.WrapListener(ln)
 			}
 		}

 		if ln == nil {
 			ln, err = s.Listen()
 			if err != nil {
-				return err
+				return fmt.Errorf("Listen: %v", err)
 			}
 		}
 		if pc == nil {
 			pc, err = s.ListenPacket()
 			if err != nil {
-				return err
+				return fmt.Errorf("ListenPacket: %v", err)
 			}
 		}

+		inst.servers = append(inst.servers, ServerListener{server: s, listener: ln, packet: pc})
+	}
+
+	for _, s := range inst.servers {
 		inst.wg.Add(2)
-		go func(s Server, ln net.Listener, pc net.PacketConn, inst *Instance) {
-			defer inst.wg.Done()
+		stopWg.Add(2)
+		func(s Server, ln net.Listener, pc net.PacketConn, inst *Instance) {
+			go func() {
+				defer func() {
+					inst.wg.Done()
+					stopWg.Done()
+				}()
+				errChan <- s.Serve(ln)
+			}()

 			go func() {
-				errChan <- s.Serve(ln)
-				defer inst.wg.Done()
+				defer func() {
+					inst.wg.Done()
+					stopWg.Done()
+				}()
+				errChan <- s.ServePacket(pc)
 			}()
-			errChan <- s.ServePacket(pc)
-		}(s, ln, pc, inst)
-
-		inst.servers = append(inst.servers, ServerListener{server: s, listener: ln, packet: pc})
+		}(s.server, s.listener, s.packet, inst)
 	}

 	// Log errors that may be returned from Serve() calls,
 	// these errors should only be occurring in the server loop.
 	go func() {
-		for err := range errChan {
-			if err == nil {
-				continue
+		for {
+			select {
+			case err := <-errChan:
+				if err != nil {
+					if !strings.Contains(err.Error(), "use of closed network connection") {
+						// this error is normal when closing the listener; see https://github.com/golang/go/issues/4373
+						log.Println(err)
+					}
+				}
+			case <-stopChan:
+				return
 			}
-			if strings.Contains(err.Error(), "use of closed network connection") {
-				// this error is normal when closing the listener
-				continue
-			}
-			log.Println(err)
 		}
 	}()

+	go func() {
+		stopWg.Wait()
+		stopChan <- struct{}{}
+	}()
+
 	return nil
 }

@@ -739,10 +883,15 @@ func Stop() error {
 	for {
 		instancesMu.Lock()
 		if len(instances) == 0 {
+			instancesMu.Unlock()
 			break
 		}
 		inst := instances[0]
 		instancesMu.Unlock()
+		// Increase the instance waitgroup so that the last wait() call in
+		// caddymain/run.go blocks until this server instance has shut down
+		inst.wg.Add(1)
+		defer inst.wg.Done()
 		if err := inst.Stop(); err != nil {
 			log.Printf("[ERROR] Stopping %s: %v", inst.serverType, err)
 		}
@@ -754,7 +903,7 @@ func Stop() error {
 // explicitly like a common local hostname. addr must only
 // be a host or a host:port combination.
 func IsLoopback(addr string) bool {
-	host, _, err := net.SplitHostPort(addr)
+	host, _, err := net.SplitHostPort(strings.ToLower(addr))
 	if err != nil {
 		host = addr // happens if the addr is just a hostname
 	}
@@ -795,25 +944,6 @@ func IsInternal(addr string) bool {
 	return false
 }

-// Upgrade re-launches the process, preserving the listeners
-// for a graceful restart. It does NOT load new configuration;
-// it only starts the process anew with a fresh binary.
-//
-// TODO: This is not yet implemented
-func Upgrade() error {
-	return fmt.Errorf("not implemented")
-	// TODO: have child process set isUpgrade = true
-}
-
-// IsUpgrade returns true if this process is part of an upgrade
-// where a parent caddy process spawned this one to upgrade
-// the binary.
-func IsUpgrade() bool {
-	mu.Lock()
-	defer mu.Unlock()
-	return isUpgrade
-}
-
 // Started returns true if at least one instance has been
 // started by this package. It never gets reset to false
 // once it is set to true.
@@ -1,56 +0,0 @@
-#!/usr/bin/env bash
-#
-# Caddy build script. Automates proper versioning.
-#
-# Usage:
-#
-#     $ ./build.bash [output_filename] [git_repo]
-#
-# Outputs compiled program in current directory.
-# Default git repo is current directory.
-# Builds always take place from current directory.
-
-set -euo pipefail
-
-: ${output_filename:="${1:-}"}
-: ${output_filename:=""}
-
-: ${git_repo:="${2:-}"}
-: ${git_repo:="."}
-
-pkg=github.com/mholt/caddy/caddy/caddymain
-ldflags=()
-
-# Timestamp of build
-name="${pkg}.buildDate"
-value=$(date -u +"%a %b %d %H:%M:%S %Z %Y")
-ldflags+=("-X" "\"${name}=${value}\"")
-
-# Current tag, if HEAD is on a tag
-name="${pkg}.gitTag"
-set +e
-value="$(git -C "${git_repo}" describe --exact-match HEAD 2>/dev/null)"
-set -e
-ldflags+=("-X" "\"${name}=${value}\"")
-
-# Nearest tag on branch
-name="${pkg}.gitNearestTag"
-value="$(git -C "${git_repo}" describe --abbrev=0 --tags HEAD)"
-ldflags+=("-X" "\"${name}=${value}\"")
-
-# Commit SHA
-name="${pkg}.gitCommit"
-value="$(git -C "${git_repo}" rev-parse --short HEAD)"
-ldflags+=("-X" "\"${name}=${value}\"")
-
-# Summary of uncommitted changes
-name="${pkg}.gitShortStat"
-value="$(git -C "${git_repo}" diff-index --shortstat HEAD)"
-ldflags+=("-X" "\"${name}=${value}\"")
-
-# List of modified files
-name="${pkg}.gitFilesModified"
-value="$(git -C "${git_repo}" diff-index --name-only HEAD)"
-ldflags+=("-X" "\"${name}=${value}\"")
-
-go build -ldflags "${ldflags[*]}" -o "${output_filename}"
@@ -1,46 +1,73 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddymain

 import (
+	"bufio"
 	"errors"
 	"flag"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"os"
+	"path/filepath"
 	"runtime"
+	"runtime/debug"
 	"strconv"
 	"strings"

-	"gopkg.in/natefinch/lumberjack.v2"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyfile"
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/caddyserver/caddy/telemetry"
+	"github.com/google/uuid"
+	"github.com/klauspost/cpuid"
+	"github.com/mholt/certmagic"
+	lumberjack "gopkg.in/natefinch/lumberjack.v2"

-	"github.com/xenolf/lego/acme"
-
-	"github.com/mholt/caddy"
-	// plug in the HTTP server type
-	_ "github.com/mholt/caddy/caddyhttp"
-
-	"github.com/mholt/caddy/caddytls"
+	_ "github.com/caddyserver/caddy/caddyhttp" // plug in the HTTP server type
 	// This is where other plugins get plugged in (imported)
 )

 func init() {
 	caddy.TrapSignals()
-	setVersion()

-	flag.BoolVar(&caddytls.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
-	flag.StringVar(&caddytls.DefaultCAUrl, "ca", "https://acme-v01.api.letsencrypt.org/directory", "URL to certificate authority's ACME server directory")
-	flag.BoolVar(&caddytls.DisableHTTPChallenge, "disable-http-challenge", caddytls.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
-	flag.BoolVar(&caddytls.DisableTLSSNIChallenge, "disable-tls-sni-challenge", caddytls.DisableTLSSNIChallenge, "Disable the ACME TLS-SNI challenge")
+	flag.BoolVar(&certmagic.Default.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
+	flag.StringVar(&certmagic.Default.CA, "ca", certmagic.Default.CA, "URL to certificate authority's ACME server directory")
+	flag.StringVar(&certmagic.Default.DefaultServerName, "default-sni", certmagic.Default.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
+	flag.BoolVar(&certmagic.Default.DisableHTTPChallenge, "disable-http-challenge", certmagic.Default.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
+	flag.BoolVar(&certmagic.Default.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.Default.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
+	flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
 	flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
 	flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
+	flag.BoolVar(&printEnv, "env", false, "Enable to print environment variables")
+	flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
+	flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
 	flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
-	flag.StringVar(&caddytls.DefaultEmail, "email", "", "Default ACME CA account email address")
-	flag.DurationVar(&acme.HTTPClient.Timeout, "catimeout", acme.HTTPClient.Timeout, "Default ACME CA HTTP timeout")
+	flag.StringVar(&certmagic.Default.Email, "email", "", "Default ACME CA account email address")
+	flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
 	flag.StringVar(&logfile, "log", "", "Process log file")
+	flag.BoolVar(&logTimestamps, "log-timestamps", true, "Enable timestamps for the process log")
+	flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")
+	flag.BoolVar(&logRollCompress, "log-roll-compress", true, "Gzip-compress rolled process log files")
 	flag.StringVar(&caddy.PidFile, "pidfile", "", "Path to write pid file")
 	flag.BoolVar(&caddy.Quiet, "quiet", false, "Quiet mode (no initialization output)")
 	flag.StringVar(&revoke, "revoke", "", "Hostname for which to revoke the certificate")
 	flag.StringVar(&serverType, "type", "http", "Type of server to run")
+	flag.BoolVar(&toJSON, "caddyfile-to-json", false, "From Caddyfile stdin to JSON stdout")
 	flag.BoolVar(&version, "version", false, "Show version")
 	flag.BoolVar(&validate, "validate", false, "Parse the Caddyfile but do not start the server")

@@ -52,9 +79,18 @@ func init() {
 func Run() {
 	flag.Parse()

+	module := getBuildModule()
+	cleanModVersion := strings.TrimPrefix(module.Version, "v")
+
 	caddy.AppName = appName
-	caddy.AppVersion = appVersion
-	acme.UserAgent = appName + "/" + appVersion
+	caddy.AppVersion = module.Version
+	caddy.OnProcessExit = append(caddy.OnProcessExit, certmagic.CleanUpOwnLocks)
+	certmagic.UserAgent = appName + "/" + cleanModVersion
+
+	if !logTimestamps {
+		// Disable timestamps for logging
+		log.SetFlags(0)
+	}

 	// Set up process log before anything bad happens
 	switch logfile {
@@ -65,12 +101,47 @@ func Run() {
 	case "":
 		log.SetOutput(ioutil.Discard)
 	default:
-		log.SetOutput(&lumberjack.Logger{
-			Filename:   logfile,
-			MaxSize:    100,
-			MaxAge:     14,
-			MaxBackups: 10,
-		})
+		if logRollMB > 0 {
+			log.SetOutput(&lumberjack.Logger{
+				Filename:   logfile,
+				MaxSize:    logRollMB,
+				MaxAge:     14,
+				MaxBackups: 10,
+				Compress:   logRollCompress,
+			})
+		} else {
+			err := os.MkdirAll(filepath.Dir(logfile), 0755)
+			if err != nil {
+				mustLogFatalf("%v", err)
+			}
+			f, err := os.OpenFile(logfile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+			if err != nil {
+				mustLogFatalf("%v", err)
+			}
+			// don't close file; log should be writeable for duration of process
+			log.SetOutput(f)
+		}
+	}
+
+	// load all additional envs as soon as possible
+	if err := LoadEnvFromFile(envFile); err != nil {
+		mustLogFatalf("%v", err)
+	}
+
+	if printEnv {
+		for _, v := range os.Environ() {
+			fmt.Println(v)
+		}
+	}
+
+	// initialize telemetry client
+	if EnableTelemetry {
+		err := initTelemetry()
+		if err != nil {
+			mustLogFatalf("[ERROR] Initializing telemetry: %v", err)
+		}
+	} else if disabledMetrics != "" {
+		mustLogFatalf("[ERROR] Cannot disable specific metrics because telemetry is disabled")
 	}

 	// Check for one-time actions
@@ -83,9 +154,11 @@ func Run() {
 		os.Exit(0)
 	}
 	if version {
-		fmt.Printf("%s %s\n", appName, appVersion)
-		if devBuild && gitShortStat != "" {
-			fmt.Printf("%s\n%s\n", gitShortStat, gitFilesModified)
+		if module.Sum != "" {
+			// a build with a known version will also have a checksum
+			fmt.Printf("Caddy %s (%s)\n", module.Version, module.Sum)
+		} else {
+			fmt.Println(module.Version)
 		}
 		os.Exit(0)
 	}
@@ -94,6 +167,9 @@ func Run() {
 		os.Exit(0)
 	}

+	// Check if we just need to do a Caddyfile Convert and exit
+	checkJSONCaddyfile()
+
 	// Set CPU cap
 	err := setCPU(cpu)
 	if err != nil {
@@ -120,12 +196,35 @@ func Run() {
 		os.Exit(0)
 	}

+	// Log Caddy version before start
+	log.Printf("[INFO] Caddy version: %s", module.Version)
+
 	// Start your engines
 	instance, err := caddy.Start(caddyfileinput)
 	if err != nil {
 		mustLogFatalf("%v", err)
 	}

+	// Begin telemetry (these are no-ops if telemetry disabled)
+	telemetry.Set("caddy_version", module.Version)
+	telemetry.Set("num_listeners", len(instance.Servers()))
+	telemetry.Set("server_type", serverType)
+	telemetry.Set("os", runtime.GOOS)
+	telemetry.Set("arch", runtime.GOARCH)
+	telemetry.Set("cpu", struct {
+		BrandName  string `json:"brand_name,omitempty"`
+		NumLogical int    `json:"num_logical,omitempty"`
+		AESNI      bool   `json:"aes_ni,omitempty"`
+	}{
+		BrandName:  cpuid.CPU.BrandName,
+		NumLogical: runtime.NumCPU(),
+		AESNI:      cpuid.CPU.AesNi(),
+	})
+	if containerized := detectContainer(); containerized {
+		telemetry.Set("container", containerized)
+	}
+	telemetry.StartEmitting()
+
 	// Twiddle your thumbs
 	instance.Wait()
 }
@@ -153,10 +252,18 @@ func confLoader(serverType string) (caddy.Input, error) {
 		return caddy.CaddyfileFromPipe(os.Stdin, serverType)
 	}

-	contents, err := ioutil.ReadFile(conf)
-	if err != nil {
-		return nil, err
+	var contents []byte
+	if strings.Contains(conf, "*") {
+		// Let caddyfile.doImport logic handle the globbed path
+		contents = []byte("import " + conf)
+	} else {
+		var err error
+		contents, err = ioutil.ReadFile(conf)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return caddy.CaddyfileInput{
 		Contents:       contents,
 		Filepath:       conf,
@@ -180,26 +287,63 @@ func defaultLoader(serverType string) (caddy.Input, error) {
 	}, nil
 }

-// setVersion figures out the version information
-// based on variables set by -ldflags.
-func setVersion() {
-	// A development build is one that's not at a tag or has uncommitted changes
-	devBuild = gitTag == "" || gitShortStat != ""
-
-	// Only set the appVersion if -ldflags was used
-	if gitNearestTag != "" || gitTag != "" {
-		if devBuild && gitNearestTag != "" {
-			appVersion = fmt.Sprintf("%s (+%s %s)",
-				strings.TrimPrefix(gitNearestTag, "v"), gitCommit, buildDate)
-		} else if gitTag != "" {
-			appVersion = strings.TrimPrefix(gitTag, "v")
+// getBuildModule returns the build info of Caddy
+// from debug.BuildInfo (requires Go modules). If
+// no version information is available, a non-nil
+// value will still be returned, but with an
+// unknown version.
+func getBuildModule() *debug.Module {
+	bi, ok := debug.ReadBuildInfo()
+	if ok {
+		// The recommended way to build Caddy involves
+		// creating a separate main module, which
+		// preserves caddy a read-only dependency
+		// TODO: track related Go issue: https://github.com/golang/go/issues/29228
+		for _, mod := range bi.Deps {
+			if mod.Path == "github.com/caddyserver/caddy" {
+				return mod
+			}
 		}
 	}
+	return &debug.Module{Version: "unknown"}
+}
+
+func checkJSONCaddyfile() {
+	if fromJSON {
+		jsonBytes, err := ioutil.ReadAll(os.Stdin)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Read stdin failed: %v", err)
+			os.Exit(1)
+		}
+		caddyfileBytes, err := caddyfile.FromJSON(jsonBytes)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Converting from JSON failed: %v", err)
+			os.Exit(2)
+		}
+		fmt.Println(string(caddyfileBytes))
+		os.Exit(0)
+	}
+	if toJSON {
+		caddyfileBytes, err := ioutil.ReadAll(os.Stdin)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Read stdin failed: %v", err)
+			os.Exit(1)
+		}
+		jsonBytes, err := caddyfile.ToJSON(caddyfileBytes)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Converting to JSON failed: %v", err)
+			os.Exit(2)
+		}
+		fmt.Println(string(jsonBytes))
+		os.Exit(0)
+	}
 }

 // setCPU parses string cpu and sets GOMAXPROCS
 // according to its value. It accepts either
 // a number (e.g. 3) or a percent (e.g. 50%).
+// If the percent resolves to less than a single
+// GOMAXPROCS, it rounds it up to GOMAXPROCS=1.
 func setCPU(cpu string) error {
 	var numCPU int

@@ -215,6 +359,9 @@ func setCPU(cpu string) error {
 		}
 		percent = float32(pctInt) / 100
 		numCPU = int(float32(availCPU) * percent)
+		if numCPU < 1 {
+			numCPU = 1
+		}
 	} else {
 		// Number
 		num, err := strconv.Atoi(cpu)
@@ -232,29 +379,234 @@ func setCPU(cpu string) error {
 	return nil
 }

+// detectContainer attempts to determine whether the process is
+// being run inside a container. References:
+// https://tuhrig.de/how-to-know-you-are-inside-a-docker-container/
+// https://stackoverflow.com/a/20012536/1048862
+// https://gist.github.com/anantkamath/623ce7f5432680749e087cf8cfba9b69
+func detectContainer() bool {
+	if runtime.GOOS != "linux" {
+		return false
+	}
+
+	file, err := os.Open("/proc/1/cgroup")
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+
+	i := 0
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		i++
+		if i > 1000 {
+			return false
+		}
+
+		line := scanner.Text()
+		parts := strings.SplitN(line, ":", 3)
+		if len(parts) < 3 {
+			continue
+		}
+
+		if strings.Contains(parts[2], "docker") ||
+			strings.Contains(parts[2], "lxc") ||
+			strings.Contains(parts[2], "moby") {
+			return true
+		}
+	}
+
+	return false
+}
+
+// initTelemetry initializes the telemetry engine.
+func initTelemetry() error {
+	uuidFilename := filepath.Join(caddy.AssetsPath(), "uuid")
+	if customUUIDFile := os.Getenv("CADDY_UUID_FILE"); customUUIDFile != "" {
+		uuidFilename = customUUIDFile
+	}
+
+	newUUID := func() uuid.UUID {
+		id := uuid.New()
+		err := os.MkdirAll(caddy.AssetsPath(), 0700)
+		if err != nil {
+			log.Printf("[ERROR] Persisting instance UUID: %v", err)
+			return id
+		}
+		err = ioutil.WriteFile(uuidFilename, []byte(id.String()), 0600) // human-readable as a string
+		if err != nil {
+			log.Printf("[ERROR] Persisting instance UUID: %v", err)
+		}
+		return id
+	}
+
+	var id uuid.UUID
+
+	// load UUID from storage, or create one if we don't have one
+	if uuidFile, err := os.Open(uuidFilename); os.IsNotExist(err) {
+		// no UUID exists yet; create a new one and persist it
+		id = newUUID()
+	} else if err != nil {
+		log.Printf("[ERROR] Loading persistent UUID: %v", err)
+		id = newUUID()
+	} else {
+		defer uuidFile.Close()
+		uuidBytes, err := ioutil.ReadAll(uuidFile)
+		if err != nil {
+			log.Printf("[ERROR] Reading persistent UUID: %v", err)
+			id = newUUID()
+		} else {
+			id, err = uuid.ParseBytes(uuidBytes)
+			if err != nil {
+				log.Printf("[ERROR] Parsing UUID: %v", err)
+				id = newUUID()
+			}
+		}
+	}
+
+	// parse and check the list of disabled metrics
+	var disabledMetricsSlice []string
+	if len(disabledMetrics) > 0 {
+		if len(disabledMetrics) > 1024 {
+			// mitigate disk space exhaustion at the collection endpoint
+			return fmt.Errorf("too many metrics to disable")
+		}
+		disabledMetricsSlice = splitTrim(disabledMetrics, ",")
+		for _, metric := range disabledMetricsSlice {
+			if metric == "instance_id" || metric == "timestamp" || metric == "disabled_metrics" {
+				return fmt.Errorf("instance_id, timestamp, and disabled_metrics cannot be disabled")
+			}
+		}
+	}
+
+	// initialize telemetry
+	telemetry.Init(id, disabledMetricsSlice)
+
+	// if any metrics were disabled, report which ones (so we know how representative the data is)
+	if len(disabledMetricsSlice) > 0 {
+		telemetry.Set("disabled_metrics", disabledMetricsSlice)
+		log.Printf("[NOTICE] The following telemetry metrics are disabled: %s", disabledMetrics)
+	}
+
+	return nil
+}
+
+// Split string s into all substrings separated by sep and returns a slice of
+// the substrings between those separators.
+//
+// If s does not contain sep and sep is not empty, Split returns a
+// slice of length 1 whose only element is s.
+//
+// If sep is empty, Split splits after each UTF-8 sequence. If both s
+// and sep are empty, Split returns an empty slice.
+//
+// Each item that in result is trim space and not empty string
+func splitTrim(s string, sep string) []string {
+	splitItems := strings.Split(s, sep)
+	trimItems := make([]string, 0, len(splitItems))
+	for _, item := range splitItems {
+		if item = strings.TrimSpace(item); item != "" {
+			trimItems = append(trimItems, item)
+		}
+	}
+	return trimItems
+}
+
+// LoadEnvFromFile loads additional envs if file provided and exists
+// Envs in file should be in KEY=VALUE format
+func LoadEnvFromFile(envFile string) error {
+	if envFile == "" {
+		return nil
+	}
+
+	file, err := os.Open(envFile)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	envMap, err := ParseEnvFile(file)
+	if err != nil {
+		return err
+	}
+
+	for k, v := range envMap {
+		if err := os.Setenv(k, v); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ParseEnvFile implements parse logic for environment files
+func ParseEnvFile(envInput io.Reader) (map[string]string, error) {
+	envMap := make(map[string]string)
+
+	scanner := bufio.NewScanner(envInput)
+	var line string
+	lineNumber := 0
+
+	for scanner.Scan() {
+		line = strings.TrimSpace(scanner.Text())
+		lineNumber++
+
+		// skip lines starting with comment
+		if strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		// skip empty line
+		if len(line) == 0 {
+			continue
+		}
+
+		fields := strings.SplitN(line, "=", 2)
+		if len(fields) != 2 {
+			return nil, fmt.Errorf("Can't parse line %d; line should be in KEY=VALUE format", lineNumber)
+		}
+
+		if strings.Contains(fields[0], " ") {
+			return nil, fmt.Errorf("Can't parse line %d; KEY contains whitespace", lineNumber)
+		}
+
+		key := fields[0]
+		val := fields[1]
+
+		if key == "" {
+			return nil, fmt.Errorf("Can't parse line %d; KEY can't be empty string", lineNumber)
+		}
+		envMap[key] = val
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return envMap, nil
+}
+
 const appName = "Caddy"

 // Flags that control program flow or startup
 var (
-	serverType string
-	conf       string
-	cpu        string
-	logfile    string
-	revoke     string
-	version    bool
-	plugins    bool
-	validate   bool
+	serverType      string
+	conf            string
+	cpu             string
+	envFile         string
+	fromJSON        bool
+	logfile         string
+	logTimestamps   bool
+	logRollMB       int
+	logRollCompress bool
+	revoke          string
+	toJSON          bool
+	version         bool
+	plugins         bool
+	printEnv        bool
+	validate        bool
+	disabledMetrics string
 )

-// Build information obtained with the help of -ldflags
-var (
-	appVersion = "(untracked dev build)" // inferred at startup
-	devBuild   = true                    // inferred at startup
-
-	buildDate        string // date -u
-	gitTag           string // git describe --exact-match HEAD 2> /dev/null
-	gitNearestTag    string // git describe --abbrev=0 --tags HEAD
-	gitCommit        string // git rev-parse HEAD
-	gitShortStat     string // git diff-index --shortstat
-	gitFilesModified string // git diff-index --name-only HEAD
-)
+// EnableTelemetry defines whether telemetry is enabled in Run.
+var EnableTelemetry = true
@@ -1,7 +1,23 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddymain

 import (
+	"reflect"
 	"runtime"
+	"strings"
 	"testing"
 )

@@ -27,6 +43,7 @@ func TestSetCPU(t *testing.T) {
 		{"invalid input", currentCPU, true},
 		{"invalid input%", currentCPU, true},
 		{"9999", maxCPU, false}, // over available CPU
+		{"1%", 1, false},        // under a single CPU; assume maxCPU < 100
 	} {
 		err := setCPU(test.input)
 		if test.shouldErr && err == nil {
@@ -42,3 +59,60 @@ func TestSetCPU(t *testing.T) {
 		runtime.GOMAXPROCS(currentCPU)
 	}
 }
+
+func TestSplitTrim(t *testing.T) {
+	for i, test := range []struct {
+		input  string
+		output []string
+		sep    string
+	}{
+		{"os,arch,cpu,caddy_version", []string{"os", "arch", "cpu", "caddy_version"}, ","},
+		{"os,arch,cpu,caddy_version,", []string{"os", "arch", "cpu", "caddy_version"}, ","},
+		{"os,,, arch, cpu, caddy_version,", []string{"os", "arch", "cpu", "caddy_version"}, ","},
+		{", , os, arch, cpu , caddy_version,, ,", []string{"os", "arch", "cpu", "caddy_version"}, ","},
+		{"os, ,, arch, cpu , caddy_version,, ,", []string{"os", "arch", "cpu", "caddy_version"}, ","},
+	} {
+		got := splitTrim(test.input, test.sep)
+		if len(got) != len(test.output) {
+			t.Errorf("Test %d: spliteTrim() = %v, want %v", i, got, test.output)
+			continue
+		}
+		for j, item := range test.output {
+			if item != got[j] {
+				t.Errorf("Test %d: spliteTrim() = %v, want %v", i, got, test.output)
+				break
+			}
+		}
+	}
+}
+
+func TestParseEnvFile(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    map[string]string
+		wantErr bool
+	}{
+		{"parsing KEY=VALUE", "PORT=4096", map[string]string{"PORT": "4096"}, false},
+		{"empty KEY", "=4096", nil, true},
+		{"one value", "test", nil, true},
+		{"comments skipped", "#TEST=1\nPORT=8888", map[string]string{"PORT": "8888"}, false},
+		{"empty line", "\nPORT=7777", map[string]string{"PORT": "7777"}, false},
+		{"comments with space skipped", "  #TEST=1", map[string]string{}, false},
+		{"KEY with space", "PORT =8888", nil, true},
+		{"only spaces", "   ", map[string]string{}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reader := strings.NewReader(tt.input)
+			got, err := ParseEnvFile(reader)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ParseEnvFile() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ParseEnvFile() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // By moving the application's package main logic into
 // a package other than main, it becomes much easier to
 // wrap caddy for custom builds that are go-gettable.
@@ -5,7 +19,7 @@

 package main

-import "github.com/mholt/caddy/caddy/caddymain"
+import "github.com/caddyserver/caddy/caddy/caddymain"

 var run = caddymain.Run // replaced for tests

@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package main

 import "testing"
@@ -1,9 +1,27 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddy

 import (
-	"net"
-	"strconv"
+	"fmt"
+	"log"
+	"reflect"
+	"sync"
 	"testing"
+
+	"github.com/caddyserver/caddy/caddyfile"
 )

 /*
@@ -34,6 +52,77 @@ func TestCaddyStartStop(t *testing.T) {
 }
 */

+// CallbackTestContext implements Context interface
+type CallbackTestContext struct {
+	// If MakeServersFail is set to true then MakeServers returns an error
+	MakeServersFail bool
+}
+
+func (h *CallbackTestContext) InspectServerBlocks(name string, sblock []caddyfile.ServerBlock) ([]caddyfile.ServerBlock, error) {
+	return sblock, nil
+}
+func (h *CallbackTestContext) MakeServers() ([]Server, error) {
+	if h.MakeServersFail {
+		return make([]Server, 0), fmt.Errorf("MakeServers failed")
+	}
+	return make([]Server, 0), nil
+}
+
+func TestCaddyRestartCallbacks(t *testing.T) {
+	for i, test := range []struct {
+		restartFail   bool
+		expectedCalls []string
+	}{
+		{false, []string{"OnRestart", "OnShutdown"}},
+		{true, []string{"OnRestart", "OnRestartFailed"}},
+	} {
+		serverName := fmt.Sprintf("%v", i)
+		// RegisterServerType to make successful restart possible
+		RegisterServerType(serverName, ServerType{
+			Directives: func() []string { return []string{} },
+			// If MakeServersFail is true then the restart will fail due to context failure
+			NewContext: func(inst *Instance) Context { return &CallbackTestContext{MakeServersFail: test.restartFail} },
+		})
+		c := NewTestController(serverName, "")
+		c.instance = &Instance{
+			serverType: serverName,
+			wg:         new(sync.WaitGroup),
+		}
+
+		// Register callbacks which save the calls order
+		calls := make([]string, 0)
+		c.OnRestart(func() error {
+			calls = append(calls, "OnRestart")
+			return nil
+		})
+		c.OnRestartFailed(func() error {
+			calls = append(calls, "OnRestartFailed")
+			return nil
+		})
+		c.OnShutdown(func() error {
+			calls = append(calls, "OnShutdown")
+			return nil
+		})
+
+		_, err := c.instance.Restart(CaddyfileInput{Contents: []byte(""), ServerTypeName: serverName})
+		if err != nil {
+			log.Printf("[ERROR] Restart failed: %v", err)
+		}
+
+		if !reflect.DeepEqual(calls, test.expectedCalls) {
+			t.Errorf("Test %d: Callbacks expected: %v, got: %v", i, test.expectedCalls, calls)
+		}
+
+		err = c.instance.Stop()
+		if err != nil {
+			log.Printf("[ERROR] Stop failed: %v", err)
+		}
+
+		c.instance.Wait()
+	}
+
+}
+
 func TestIsLoopback(t *testing.T) {
 	for i, test := range []struct {
 		input  string
@@ -121,39 +210,3 @@ func TestIsInternal(t *testing.T) {
 		}
 	}
 }
-
-func TestListenerAddrEqual(t *testing.T) {
-	ln1, err := net.Listen("tcp", "[::]:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer ln1.Close()
-	ln1port := strconv.Itoa(ln1.Addr().(*net.TCPAddr).Port)
-
-	ln2, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer ln2.Close()
-	ln2port := strconv.Itoa(ln2.Addr().(*net.TCPAddr).Port)
-
-	for i, test := range []struct {
-		ln     net.Listener
-		addr   string
-		expect bool
-	}{
-		{ln1, ":" + ln2port, false},
-		{ln1, "0.0.0.0:" + ln2port, false},
-		{ln1, "0.0.0.0", false},
-		{ln1, ":" + ln1port, true},
-		{ln1, "0.0.0.0:" + ln1port, true},
-		{ln2, ":" + ln2port, false},
-		{ln2, "127.0.0.1:" + ln1port, false},
-		{ln2, "127.0.0.1", false},
-		{ln2, "127.0.0.1:" + ln2port, true},
-	} {
-		if got, want := listenerAddrEqual(test.ln, test.addr), test.expect; got != want {
-			t.Errorf("Test %d (%s == %s): expected %v but was %v", i, test.addr, test.ln.Addr().String(), want, got)
-		}
-	}
-}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -210,9 +224,9 @@ func (d *Dispenser) EOFErr() error {
 	return d.Errf("Unexpected EOF")
 }

-// Err generates a custom parse error with a message of msg.
+// Err generates a custom parse-time error with a message of msg.
 func (d *Dispenser) Err(msg string) error {
-	msg = fmt.Sprintf("%s:%d - Parse error: %s", d.File(), d.Line(), msg)
+	msg = fmt.Sprintf("%s:%d - Error during parsing: %s", d.File(), d.Line(), msg)
 	return errors.New(msg)
 }

@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import "testing"
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -1,6 +1,21 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
+	"log"
 	"strings"
 	"testing"
 )
@@ -144,7 +159,9 @@ func TestLexer(t *testing.T) {

 func tokenize(input string) (tokens []Token) {
 	l := lexer{}
-	l.load(strings.NewReader(input))
+	if err := l.load(strings.NewReader(input)); err != nil {
+		log.Printf("[ERROR] load failed: %v", err)
+	}
 	for l.next() {
 		tokens = append(tokens, l.token)
 	}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -40,6 +54,7 @@ type parser struct {
 	block           ServerBlock // current server block being parsed
 	validDirectives []string    // a directive must be valid or it's an error
 	eof             bool        // if we encounter a valid EOF in a hard place
+	definedSnippets map[string][]Token
 }

 func (p *parser) parseAll() ([]ServerBlock, error) {
@@ -81,6 +96,24 @@ func (p *parser) begin() error {
 		return nil
 	}

+	if ok, name := p.isSnippet(); ok {
+		if p.definedSnippets == nil {
+			p.definedSnippets = map[string][]Token{}
+		}
+		if _, found := p.definedSnippets[name]; found {
+			return p.Errf("redeclaration of previously declared snippet %s", name)
+		}
+		// consume all tokens til matched close brace
+		tokens, err := p.snippetTokens()
+		if err != nil {
+			return err
+		}
+		p.definedSnippets[name] = tokens
+		// empty block keys so we don't save this block as a real server.
+		p.block.Keys = nil
+		return nil
+	}
+
 	return p.blockContents()
 }

@@ -207,69 +240,57 @@ func (p *parser) doImport() error {
 	if p.NextArg() {
 		return p.Err("Import takes only one argument (glob pattern or file)")
 	}
-
-	// make path relative to Caddyfile rather than current working directory (issue #867)
-	// and then use glob to get list of matching filenames
-	absFile, err := filepath.Abs(p.Dispenser.filename)
-	if err != nil {
-		return p.Errf("Failed to get absolute path of file: %s", p.Dispenser.filename)
-	}
-
-	var matches []string
-	var globPattern string
-	if !filepath.IsAbs(importPattern) {
-		globPattern = filepath.Join(filepath.Dir(absFile), importPattern)
-	} else {
-		globPattern = importPattern
-	}
-	matches, err = filepath.Glob(globPattern)
-
-	if err != nil {
-		return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
-	}
-	if len(matches) == 0 {
-		if strings.Contains(globPattern, "*") {
-			log.Printf("[WARNING] No files matching import pattern: %s", importPattern)
-		} else {
-			return p.Errf("File to import not found: %s", importPattern)
-		}
-	}
-
 	// splice out the import directive and its argument (2 tokens total)
 	tokensBefore := p.tokens[:p.cursor-1]
 	tokensAfter := p.tokens[p.cursor+1:]
-
-	// collect all the imported tokens
 	var importedTokens []Token
-	for _, importFile := range matches {
-		newTokens, err := p.doSingleImport(importFile)
+
+	// first check snippets. That is a simple, non-recursive replacement
+	if p.definedSnippets != nil && p.definedSnippets[importPattern] != nil {
+		importedTokens = p.definedSnippets[importPattern]
+	} else {
+		// make path relative to the file of the _token_ being processed rather
+		// than current working directory (issue #867) and then use glob to get
+		// list of matching filenames
+		absFile, err := filepath.Abs(p.Dispenser.File())
 		if err != nil {
-			return err
+			return p.Errf("Failed to get absolute path of file: %s: %v", p.Dispenser.filename, err)
 		}
-		var importLine int
-		importDir := filepath.Dir(importFile)
-		for i, token := range newTokens {
-			if token.Text == "import" {
-				importLine = token.Line
-				continue
-			}
-			if token.Line == importLine {
-				var abs string
-				if filepath.IsAbs(token.Text) {
-					abs = token.Text
-				} else if !filepath.IsAbs(importFile) {
-					abs = filepath.Join(filepath.Dir(absFile), token.Text)
-				} else {
-					abs = filepath.Join(importDir, token.Text)
-				}
-				newTokens[i] = Token{
-					Text: abs,
-					Line: token.Line,
-					File: token.File,
-				}
+
+		var matches []string
+		var globPattern string
+		if !filepath.IsAbs(importPattern) {
+			globPattern = filepath.Join(filepath.Dir(absFile), importPattern)
+		} else {
+			globPattern = importPattern
+		}
+		if strings.Count(globPattern, "*") > 1 || strings.Count(globPattern, "?") > 1 ||
+			(strings.Contains(globPattern, "[") && strings.Contains(globPattern, "]")) {
+			// See issue #2096 - a pattern with many glob expansions can hang for too long
+			return p.Errf("Glob pattern may only contain one wildcard (*), but has others: %s", globPattern)
+		}
+		matches, err = filepath.Glob(globPattern)
+
+		if err != nil {
+			return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
+		}
+		if len(matches) == 0 {
+			if strings.ContainsAny(globPattern, "*?[]") {
+				log.Printf("[WARNING] No files matching import glob pattern: %s", importPattern)
+			} else {
+				return p.Errf("File to import not found: %s", importPattern)
 			}
 		}
-		importedTokens = append(importedTokens, newTokens...)
+
+		// collect all the imported tokens
+
+		for _, importFile := range matches {
+			newTokens, err := p.doSingleImport(importFile)
+			if err != nil {
+				return err
+			}
+			importedTokens = append(importedTokens, newTokens...)
+		}
 	}

 	// splice the imported tokens in the place of the import statement
@@ -300,8 +321,12 @@ func (p *parser) doSingleImport(importFile string) ([]Token, error) {
 		return nil, p.Errf("Could not read tokens while importing %s: %v", importFile, err)
 	}

-	// Tack the filename onto these tokens so errors show the imported file's name
-	filename := filepath.Base(importFile)
+	// Tack the file path onto these tokens so errors show the imported file's name
+	// (we use full, absolute path to avoid bugs: issue #1892)
+	filename, err := filepath.Abs(importFile)
+	if err != nil {
+		return nil, p.Errf("Failed to get absolute path of file: %s: %v", p.Dispenser.filename, err)
+	}
 	for i := 0; i < len(importedTokens); i++ {
 		importedTokens[i].File = filename
 	}
@@ -316,7 +341,7 @@ func (p *parser) doSingleImport(importFile string) ([]Token, error) {
 // are loaded into the current server block for later use
 // by directive setup functions.
 func (p *parser) directive() error {
-	dir := p.Val()
+	dir := replaceEnvVars(p.Val())
 	nesting := 0

 	// TODO: More helpful error message ("did you mean..." or "maybe you need to install its server type")
@@ -337,6 +362,12 @@ func (p *parser) directive() error {
 			nesting--
 		} else if p.Val() == "}" && nesting == 0 {
 			return p.Err("Unexpected '}' because no matching opening brace")
+		} else if p.Val() == "import" && p.isNewLine() {
+			if err := p.doImport(); err != nil {
+				return err
+			}
+			p.cursor-- // cursor is advanced when we continue, so roll back one more
+			continue
 		}
 		p.tokens[p.cursor].Text = replaceEnvVars(p.tokens[p.cursor].Text)
 		p.block.Tokens[dir] = append(p.block.Tokens[dir], p.tokens[p.cursor])
@@ -396,8 +427,13 @@ func replaceEnvVars(s string) string {
 func replaceEnvReferences(s, refStart, refEnd string) string {
 	index := strings.Index(s, refStart)
 	for index != -1 {
-		endIndex := strings.Index(s, refEnd)
-		if endIndex != -1 {
+		endIndex := strings.Index(s[index:], refEnd)
+		if endIndex == -1 {
+			break
+		}
+
+		endIndex += index
+		if endIndex > index+len(refStart) {
 			ref := s[index : endIndex+len(refEnd)]
 			s = strings.Replace(s, ref, os.Getenv(ref[len(refStart):len(ref)-len(refEnd)]), -1)
 		} else {
@@ -414,3 +450,41 @@ type ServerBlock struct {
 	Keys   []string
 	Tokens map[string][]Token
 }
+
+func (p *parser) isSnippet() (bool, string) {
+	keys := p.block.Keys
+	// A snippet block is a single key with parens. Nothing else qualifies.
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "(") && strings.HasSuffix(keys[0], ")") {
+		return true, strings.TrimSuffix(keys[0][1:], ")")
+	}
+	return false, ""
+}
+
+// read and store everything in a block for later replay.
+func (p *parser) snippetTokens() ([]Token, error) {
+	// TODO: disallow imports in snippets for simplicity at import time
+	// snippet must have curlies.
+	err := p.openCurlyBrace()
+	if err != nil {
+		return nil, err
+	}
+	count := 1
+	tokens := []Token{}
+	for p.Next() {
+		if p.Val() == "}" {
+			count--
+			if count == 0 {
+				break
+			}
+		}
+		if p.Val() == "{" {
+			count++
+		}
+		tokens = append(tokens, p.tokens[p.cursor])
+	}
+	// make sure we're matched up
+	if count != 0 {
+		return nil, p.SyntaxErr("}")
+	}
+	return tokens, nil
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyfile

 import (
@@ -214,6 +228,17 @@ func TestParseOneAndImport(t *testing.T) {
 		{`""`, false, []string{}, map[string]int{}},

 		{``, false, []string{}, map[string]int{}},
+
+		// test cases found by fuzzing!
+		{`import }{$"`, true, []string{}, map[string]int{}},
+		{`import /*/*.txt`, true, []string{}, map[string]int{}},
+		{`import /???/?*?o`, true, []string{}, map[string]int{}},
+		{`import /??`, true, []string{}, map[string]int{}},
+		{`import /[a-z]`, true, []string{}, map[string]int{}},
+		{`import {$}`, true, []string{}, map[string]int{}},
+		{`import {%}`, true, []string{}, map[string]int{}},
+		{`import {$$}`, true, []string{}, map[string]int{}},
+		{`import {%%}`, true, []string{}, map[string]int{}},
 	} {
 		result, err := testParseOne(test.input)

@@ -346,6 +371,68 @@ func TestRecursiveImport(t *testing.T) {
 	}
 }

+func TestDirectiveImport(t *testing.T) {
+	testParseOne := func(input string) (ServerBlock, error) {
+		p := testParser(input)
+		p.Next() // parseOne doesn't call Next() to start, so we must
+		err := p.parseOne()
+		return p.block, err
+	}
+
+	isExpected := func(got ServerBlock) bool {
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
+			return false
+		}
+		if len(got.Tokens) != 2 {
+			t.Errorf("got wrong number of tokens: expect 2, got %d", len(got.Tokens))
+			return false
+		}
+		if len(got.Tokens["dir1"]) != 1 || len(got.Tokens["proxy"]) != 8 {
+			t.Errorf("got unexpect tokens: %v", got.Tokens)
+			return false
+		}
+		return true
+	}
+
+	directiveFile, err := filepath.Abs("testdata/directive_import_test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ioutil.WriteFile(directiveFile, []byte(`prop1 1
+	prop2 2`), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(directiveFile)
+
+	// import from existing file
+	result, err := testParseOne(`localhost
+	dir1
+	proxy {
+		import testdata/directive_import_test
+		transparent
+	}`)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("directive import failed")
+	}
+
+	// import from nonexistent file
+	_, err = testParseOne(`localhost
+	dir1
+	proxy {
+		import testdata/nonexistent_file
+		transparent
+	}`)
+	if err == nil {
+		t.Fatal("expected error when importing a nonexistent file")
+	}
+}
+
 func TestParseAll(t *testing.T) {
 	for i, test := range []struct {
 		input     string
@@ -427,6 +514,7 @@ func TestEnvironmentReplacement(t *testing.T) {
 	os.Setenv("PORT", "8080")
 	os.Setenv("ADDRESS", "servername.com")
 	os.Setenv("FOOBAR", "foobar")
+	os.Setenv("PARTIAL_DIR", "r1")

 	// basic test; unix-style env vars
 	p := testParser(`{$ADDRESS}`)
@@ -435,6 +523,13 @@ func TestEnvironmentReplacement(t *testing.T) {
 		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
 	}

+	// basic test; unix-style env vars
+	p = testParser(`di{$PARTIAL_DIR}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "dir1"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
 	// multiple vars per token
 	p = testParser(`{$ADDRESS}:{$PORT}`)
 	blocks, _ = p.parseAll()
@@ -493,6 +588,13 @@ func TestEnvironmentReplacement(t *testing.T) {
 	if actual, expected := blocks[0].Tokens["dir1"][1].Text, "Test foobar test"; expected != actual {
 		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
 	}
+
+	// after end token
+	p = testParser(":1234\nanswer \"{{ .Name }} {$FOOBAR}\"")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Tokens["answer"][1].Text, "{{ .Name }} foobar"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
 }

 func testParser(input string) parser {
@@ -500,3 +602,119 @@ func testParser(input string) parser {
 	p := parser{Dispenser: NewDispenser("Caddyfile", buf)}
 	return p
 }
+
+func TestSnippets(t *testing.T) {
+	p := testParser(`
+		(common) {
+			gzip foo
+			errors stderr
+		}
+		http://example.com {
+			import common
+		}
+	`)
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Tokens)
+	}
+	if len(blocks) != 1 {
+		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
+	}
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
+	}
+	if len(blocks[0].Tokens) != 2 {
+		t.Fatalf("Server block should have tokens from import")
+	}
+	if actual, expected := blocks[0].Tokens["gzip"][0].Text, "gzip"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+	if actual, expected := blocks[0].Tokens["errors"][1].Text, "stderr"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+
+}
+
+func writeStringToTempFileOrDie(t *testing.T, str string) (pathToFile string) {
+	file, err := ioutil.TempFile("", t.Name())
+	if err != nil {
+		panic(err) // get a stack trace so we know where this was called from.
+	}
+	if _, err := file.WriteString(str); err != nil {
+		panic(err)
+	}
+	if err := file.Close(); err != nil {
+		panic(err)
+	}
+	return file.Name()
+}
+
+func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
+	fileName := writeStringToTempFileOrDie(t, `
+		http://example.com {
+			# This isn't an import directive, it's just an arg with value 'import'
+			basicauth / import password
+		}
+	`)
+	// Parse the root file that imports the other one.
+	p := testParser(`import ` + fileName)
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Tokens)
+	}
+	auth := blocks[0].Tokens["basicauth"]
+	line := auth[0].Text + " " + auth[1].Text + " " + auth[2].Text + " " + auth[3].Text
+	if line != "basicauth / import password" {
+		// Previously, it would be changed to:
+		//   basicauth / import /path/to/test/dir/password
+		// referencing a file that (probably) doesn't exist and changing the
+		// password!
+		t.Errorf("Expected basicauth tokens to be 'basicauth / import password' but got %#q", line)
+	}
+}
+
+func TestSnippetAcrossMultipleFiles(t *testing.T) {
+	// Make the derived Caddyfile that expects (common) to be defined.
+	fileName := writeStringToTempFileOrDie(t, `
+		http://example.com {
+			import common
+		}
+	`)
+
+	// Parse the root file that defines (common) and then imports the other one.
+	p := testParser(`
+		(common) {
+			gzip foo
+		}
+		import ` + fileName + `
+	`)
+
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Tokens)
+	}
+	if len(blocks) != 1 {
+		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
+	}
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
+	}
+	if len(blocks[0].Tokens) != 1 {
+		t.Fatalf("Server block should have tokens from import")
+	}
+	if actual, expected := blocks[0].Tokens["gzip"][0].Text, "gzip"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package basicauth implements HTTP Basic Authentication for Caddy.
 //
 // This is useful for simple protections on a website, like requiring
@@ -12,14 +26,15 @@ import (
 	"crypto/subtle"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"

+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 	"github.com/jimstudt/http-authentication/basic"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
 )

 // BasicAuth is middleware to protect resources with a username and password.
@@ -37,6 +52,15 @@ type BasicAuth struct {
 func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 	var protected, isAuthenticated bool
 	var realm string
+	var username string
+	var password string
+	var ok bool
+
+	// do not check for basic auth on OPTIONS call
+	if r.Method == http.MethodOptions {
+		// Pass-through when no paths match
+		return a.Next.ServeHTTP(w, r)
+	}

 	for _, rule := range a.Rules {
 		for _, res := range rule.Resources {
@@ -49,7 +73,7 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 			realm = rule.Realm

 			// parse auth header
-			username, password, ok := r.BasicAuth()
+			username, password, ok = r.BasicAuth()

 			// check credentials
 			if !ok ||
@@ -65,6 +89,10 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 			// user; this replaces the request with a wrapped instance
 			r = r.WithContext(context.WithValue(r.Context(),
 				httpserver.RemoteUserCtxKey, username))
+
+			// Provide username to be used in log by replacer
+			repl := httpserver.NewReplacer(r, nil, "-")
+			repl.Set("user", username)
 		}
 	}

@@ -76,7 +104,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 			realm = "Restricted"
 		}
 		w.Header().Set("WWW-Authenticate", "Basic realm=\""+realm+"\"")
-		return http.StatusUnauthorized, nil
+
+		// Get a replacer so we can provide basic info for the authentication error.
+		repl := httpserver.NewReplacer(r, nil, "-")
+		repl.Set("user", username)
+		errstr := repl.Replace("BasicAuth: user \"{user}\" was not found or password was incorrect. {remote} {host} {uri} {proto}")
+		err := fmt.Errorf("%s", errstr)
+		return http.StatusUnauthorized, err
 	}

 	// Pass-through when no paths match
@@ -160,11 +194,15 @@ func PlainMatcher(passw string) PasswordMatcher {
 	// compare hashes of equal length instead of actual password
 	// to avoid leaking password length
 	passwHash := sha1.New()
-	passwHash.Write([]byte(passw))
+	if _, err := passwHash.Write([]byte(passw)); err != nil {
+		log.Printf("[ERROR] unable to write password hash: %v", err)
+	}
 	passwSum := passwHash.Sum(nil)
 	return func(pw string) bool {
 		pwHash := sha1.New()
-		pwHash.Write([]byte(pw))
+		if _, err := pwHash.Write([]byte(pw)); err != nil {
+			log.Printf("[ERROR] unable to write password hash: %v", err)
+		}
 		pwSum := pwHash.Sum(nil)
 		return subtle.ConstantTimeCompare([]byte(pwSum), []byte(passwSum)) == 1
 	}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package basicauth

 import (
@@ -8,9 +22,10 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestBasicAuth(t *testing.T) {
@@ -46,17 +61,18 @@ func TestBasicAuth(t *testing.T) {
 		result   int
 		user     string
 		password string
+		haserror bool
 	}

 	tests := []testType{
-		{"/testing", http.StatusOK, "okuser", "okpass"},
-		{"/testing", http.StatusUnauthorized, "baduser", "okpass"},
-		{"/testing", http.StatusUnauthorized, "okuser", "badpass"},
-		{"/testing", http.StatusUnauthorized, "OKuser", "okpass"},
-		{"/testing", http.StatusUnauthorized, "OKuser", "badPASS"},
-		{"/testing", http.StatusUnauthorized, "", "okpass"},
-		{"/testing", http.StatusUnauthorized, "okuser", ""},
-		{"/testing", http.StatusUnauthorized, "", ""},
+		{"/testing", http.StatusOK, "okuser", "okpass", false},
+		{"/testing", http.StatusUnauthorized, "baduser", "okpass", true},
+		{"/testing", http.StatusUnauthorized, "okuser", "badpass", true},
+		{"/testing", http.StatusUnauthorized, "OKuser", "okpass", true},
+		{"/testing", http.StatusUnauthorized, "OKuser", "badPASS", true},
+		{"/testing", http.StatusUnauthorized, "", "okpass", true},
+		{"/testing", http.StatusUnauthorized, "okuser", "", true},
+		{"/testing", http.StatusUnauthorized, "", "", true},
 	}

 	var test testType
@@ -75,7 +91,9 @@ func TestBasicAuth(t *testing.T) {
 			rec := httptest.NewRecorder()
 			result, err := rw.ServeHTTP(rec, req)
 			if err != nil {
-				t.Fatalf("Test %d: Could not ServeHTTP: %v", i, err)
+				if !test.haserror || !strings.HasPrefix(err.Error(), "BasicAuth: user") {
+					t.Fatalf("Test %d: Could not ServeHTTP: %v", i, err)
+				}
 			}
 			if result != test.result {
 				t.Errorf("Test %d: Expected status code %d but was %d",
@@ -92,7 +110,7 @@ func TestBasicAuth(t *testing.T) {
 				}
 			} else {
 				if req.Header.Get("Authorization") == "" {
-					// see issue #1508: https://github.com/mholt/caddy/issues/1508
+					// see issue #1508: https://github.com/caddyserver/caddy/issues/1508
 					t.Errorf("Test %d: Expected Authorization header to be retained after successful auth, but was empty", i)
 				}
 			}
@@ -110,16 +128,17 @@ func TestMultipleOverlappingRules(t *testing.T) {
 	}

 	tests := []struct {
-		from   string
-		result int
-		cred   string
+		from     string
+		result   int
+		cred     string
+		haserror bool
 	}{
-		{"/t", http.StatusOK, "t:p1"},
-		{"/t/t", http.StatusOK, "t:p1"},
-		{"/t/t", http.StatusOK, "t1:p2"},
-		{"/a", http.StatusOK, "t1:p2"},
-		{"/t/t", http.StatusUnauthorized, "t1:p3"},
-		{"/t", http.StatusUnauthorized, "t1:p2"},
+		{"/t", http.StatusOK, "t:p1", false},
+		{"/t/t", http.StatusOK, "t:p1", false},
+		{"/t/t", http.StatusOK, "t1:p2", false},
+		{"/a", http.StatusOK, "t1:p2", false},
+		{"/t/t", http.StatusUnauthorized, "t1:p3", true},
+		{"/t", http.StatusUnauthorized, "t1:p2", true},
 	}

 	for i, test := range tests {
@@ -134,7 +153,9 @@ func TestMultipleOverlappingRules(t *testing.T) {
 		rec := httptest.NewRecorder()
 		result, err := rw.ServeHTTP(rec, req)
 		if err != nil {
-			t.Fatalf("Test %d: Could not ServeHTTP %v", i, err)
+			if !test.haserror || !strings.HasPrefix(err.Error(), "BasicAuth: user") {
+				t.Fatalf("Test %d: Could not ServeHTTP %v", i, err)
+			}
 		}
 		if result != test.result {
 			t.Errorf("Test %d: Expected Header '%d' but was '%d'",
@@ -157,7 +178,7 @@ md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`

 	htfh, err := ioutil.TempFile("", "basicauth-")
 	if err != nil {
-		t.Skipf("Error creating temp file (%v), will skip htpassword test")
+		t.Skip("Error creating temp file, will skip htpassword test")
 		return
 	}
 	defer os.Remove(htfh.Name())
@@ -180,3 +201,30 @@ md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
 		}
 	}
 }
+
+func TestOptionsMethod(t *testing.T) {
+	rw := BasicAuth{
+		Next: httpserver.HandlerFunc(contentHandler),
+		Rules: []Rule{
+			{Username: "username", Password: PlainMatcher("password"), Resources: []string{"/testing"}},
+		},
+	}
+
+	req, err := http.NewRequest(http.MethodOptions, "/testing", nil)
+	if err != nil {
+		t.Fatalf("Could not create HTTP request: %v", err)
+	}
+
+	// add basic auth with invalid username
+	// and password to make sure basic auth is ignored
+	req.SetBasicAuth("invaliduser", "invalidpassword")
+
+	rec := httptest.NewRecorder()
+	result, err := rw.ServeHTTP(rec, req)
+	if err != nil {
+		t.Fatalf("Could not ServeHTTP: %v", err)
+	}
+	if result != http.StatusOK {
+		t.Errorf("Expected status code %d but was %d", http.StatusOK, result)
+	}
+}
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package basicauth

 import (
 	"strings"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package basicauth

 import (
@@ -7,8 +21,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -1,8 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package bind

 import (
-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -18,7 +32,7 @@ func setupBind(c *caddy.Controller) error {
 		if !c.Args(&config.ListenHost) {
 			return c.ArgErr()
 		}
-		config.TLS.ListenHost = config.ListenHost // necessary for ACME challenges, see issue #309
+		config.TLS.Manager.ListenHost = config.ListenHost // necessary for ACME challenges, see issue #309
 	}
 	return nil
 }
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package bind

 import (
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetupBind(t *testing.T) {
@@ -18,7 +32,7 @@ func TestSetupBind(t *testing.T) {
 	if got, want := cfg.ListenHost, "1.2.3.4"; got != want {
 		t.Errorf("Expected the config's ListenHost to be %s, was %s", want, got)
 	}
-	if got, want := cfg.TLS.ListenHost, "1.2.3.4"; got != want {
+	if got, want := cfg.TLS.Manager.ListenHost, "1.2.3.4"; got != want {
 		t.Errorf("Expected the TLS config's ListenHost to be %s, was %s", want, got)
 	}
 }
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package browse provides middleware for listing files in a directory
 // when directory path is requested instead of a specific file.
 package browse
@@ -9,16 +23,15 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"path/filepath"
 	"sort"
 	"strconv"
 	"strings"
 	"text/template"
 	"time"

+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
 	"github.com/dustin/go-humanize"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
 )

 const (
@@ -46,34 +59,34 @@ type Config struct {

 // A Listing is the context used to fill out a template.
 type Listing struct {
-	// The name of the directory (the last element of the path)
+	// The name of the directory (the last element of the path).
 	Name string

-	// The full path of the request
+	// The full path of the request.
 	Path string

-	// Whether the parent directory is browsable
+	// Whether the parent directory is browse-able.
 	CanGoUp bool

-	// The items (files and folders) in the path
+	// The items (files and folders) in the path.
 	Items []FileInfo

-	// The number of directories in the listing
+	// The number of directories in the listing.
 	NumDirs int

-	// The number of files (items that aren't directories) in the listing
+	// The number of files (items that aren't directories) in the listing.
 	NumFiles int

-	// Which sorting order is used
+	// Which sorting order is used.
 	Sort string

-	// And which order
+	// And which order.
 	Order string

-	// If ≠0 then Items have been limited to that many elements
+	// If ≠0 then Items have been limited to that many elements.
 	ItemsLimitedTo int

-	// Optional custom variables for use in browse templates
+	// Optional custom variables for use in browse templates.
 	User interface{}

 	httpserver.Context
@@ -173,7 +186,7 @@ func (l bySize) Less(i, j int) bool {
 	iSize, jSize := l.Items[i].Size, l.Items[j].Size

 	// Directory sizes depend on the filesystem implementation,
-	// which is opaque to a visitor, and should indeed does not change if the operator choses to change the fs.
+	// which is opaque to a visitor, and should indeed does not change if the operator chooses to change the fs.
 	// For a consistent user experience directories are pulled to the front…
 	if l.Items[i].IsDir {
 		iSize = directoryOffset
@@ -231,7 +244,7 @@ func (l Listing) applySort() {

 func directoryListing(files []os.FileInfo, canGoUp bool, urlPath string, config *Config) (Listing, bool) {
 	var (
-		fileinfos           []FileInfo
+		fileInfos           []FileInfo
 		dirCount, fileCount int
 		hasIndexFile        bool
 	)
@@ -239,14 +252,16 @@ func directoryListing(files []os.FileInfo, canGoUp bool, urlPath string, config
 	for _, f := range files {
 		name := f.Name()

-		for _, indexName := range staticfiles.IndexPages {
+		for _, indexName := range config.Fs.IndexPages {
 			if name == indexName {
 				hasIndexFile = true
 				break
 			}
 		}

-		if f.IsDir() {
+		isDir := f.IsDir() || isSymlinkTargetDir(f, urlPath, config)
+
+		if isDir {
 			name += "/"
 			dirCount++
 		} else {
@@ -257,14 +272,14 @@ func directoryListing(files []os.FileInfo, canGoUp bool, urlPath string, config
 			continue
 		}

-		url := url.URL{Path: "./" + name} // prepend with "./" to fix paths with ':' in the name
+		u := url.URL{Path: "./" + name} // prepend with "./" to fix paths with ':' in the name

-		fileinfos = append(fileinfos, FileInfo{
-			IsDir:     f.IsDir() || isSymlinkTargetDir(f, urlPath, config),
+		fileInfos = append(fileInfos, FileInfo{
+			IsDir:     isDir,
 			IsSymlink: isSymlink(f),
 			Name:      f.Name(),
 			Size:      f.Size(),
-			URL:       url.String(),
+			URL:       u.String(),
 			ModTime:   f.ModTime().UTC(),
 			Mode:      f.Mode(),
 		})
@@ -274,7 +289,7 @@ func directoryListing(files []os.FileInfo, canGoUp bool, urlPath string, config
 		Name:     path.Base(urlPath),
 		Path:     urlPath,
 		CanGoUp:  canGoUp,
-		Items:    fileinfos,
+		Items:    fileInfos,
 		NumDirs:  dirCount,
 		NumFiles: fileCount,
 	}, hasIndexFile
@@ -291,18 +306,18 @@ func isSymlinkTargetDir(f os.FileInfo, urlPath string, config *Config) bool {
 	if !isSymlink(f) {
 		return false
 	}
-	fullPath := func(fileName string) string {
-		fullPath := filepath.Join(string(config.Fs.Root.(http.Dir)), urlPath, fileName)
-		return filepath.Clean(fullPath)
-	}
-	target, err := os.Readlink(fullPath(f.Name()))
+
+	// a bit strange, but we want Stat thru the jailed filesystem to be safe
+	target, err := config.Fs.Root.Open(path.Join(urlPath, f.Name()))
 	if err != nil {
 		return false
 	}
-	targetInfo, err := os.Lstat(fullPath(target))
+	defer target.Close()
+	targetInfo, err := target.Stat()
 	if err != nil {
 		return false
 	}
+
 	return targetInfo.IsDir()
 }

@@ -489,7 +504,7 @@ func (b Browse) ServeListing(w http.ResponseWriter, r *http.Request, requestedFi

 	}

-	buf.WriteTo(w)
+	_, _ = buf.WriteTo(w)

 	return http.StatusOK, nil
 }
@@ -1,22 +1,42 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package browse

 import (
 	"context"
 	"encoding/json"
+	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
+	"strings"
 	"testing"
 	"text/template"
 	"time"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
 )

+const testDirPrefix = "caddy_browse_test"
+
 func TestSort(t *testing.T) {
 	// making up []fileInfo with bogus values;
 	// to be used to make up our "listing"
@@ -221,7 +241,7 @@ func TestBrowseTemplate(t *testing.T) {
 func TestBrowseJson(t *testing.T) {
 	b := Browse{
 		Next: httpserver.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-			t.Fatalf("Next shouldn't be called")
+			t.Fatalf("Next shouldn't be called: %s", r.URL)
 			return 0, nil
 		}),
 		Configs: []Config{
@@ -346,25 +366,25 @@ func TestBrowseJson(t *testing.T) {
 		}

 		actualJSONResponse := rec.Body.String()
-		copyOflisting := listing
+		copyOfListing := listing
 		if test.SortBy == "" {
-			copyOflisting.Sort = "name"
+			copyOfListing.Sort = "name"
 		} else {
-			copyOflisting.Sort = test.SortBy
+			copyOfListing.Sort = test.SortBy
 		}
 		if test.OrderBy == "" {
-			copyOflisting.Order = "asc"
+			copyOfListing.Order = "asc"
 		} else {
-			copyOflisting.Order = test.OrderBy
+			copyOfListing.Order = test.OrderBy
 		}

-		copyOflisting.applySort()
+		copyOfListing.applySort()

 		limit := test.Limit
-		if limit <= len(copyOflisting.Items) && limit > 0 {
-			marsh, err = json.Marshal(copyOflisting.Items[:limit])
+		if limit <= len(copyOfListing.Items) && limit > 0 {
+			marsh, err = json.Marshal(copyOfListing.Items[:limit])
 		} else { // if the 'limit' query is empty, or has the wrong value, list everything
-			marsh, err = json.Marshal(copyOflisting.Items)
+			marsh, err = json.Marshal(copyOfListing.Items)
 		}

 		if err != nil {
@@ -453,3 +473,153 @@ func TestBrowseRedirect(t *testing.T) {
 		}
 	}
 }
+
+func TestDirSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		// Windows support for symlinks is limited, and we had a hard time getting
+		// all these tests to pass with the permissions of CI; so just skip them
+		fmt.Println("Skipping browse symlink tests on Windows...")
+		return
+	}
+
+	testCases := []struct {
+		source       string
+		target       string
+		pathScope    string
+		url          string
+		expectedName string
+		expectedURL  string
+	}{
+		// test case can expect a directory "dir" and a symlink to it called "symlink"
+
+		{"dir", "$TMP/rel_symlink_to_dir", "/", "/",
+			"rel_symlink_to_dir", "./rel_symlink_to_dir/"},
+		{"$TMP/dir", "$TMP/abs_symlink_to_dir", "/", "/",
+			"abs_symlink_to_dir", "./abs_symlink_to_dir/"},
+
+		{"../../dir", "$TMP/sub/dir/rel_symlink_to_dir", "/", "/sub/dir/",
+			"rel_symlink_to_dir", "./rel_symlink_to_dir/"},
+		{"$TMP/dir", "$TMP/sub/dir/abs_symlink_to_dir", "/", "/sub/dir/",
+			"abs_symlink_to_dir", "./abs_symlink_to_dir/"},
+
+		{"../../dir", "$TMP/with/scope/rel_symlink_to_dir", "/with/scope", "/with/scope/",
+			"rel_symlink_to_dir", "./rel_symlink_to_dir/"},
+		{"$TMP/dir", "$TMP/with/scope/abs_symlink_to_dir", "/with/scope", "/with/scope/",
+			"abs_symlink_to_dir", "./abs_symlink_to_dir/"},
+
+		{"../../../../dir", "$TMP/with/scope/sub/dir/rel_symlink_to_dir", "/with/scope", "/with/scope/sub/dir/",
+			"rel_symlink_to_dir", "./rel_symlink_to_dir/"},
+		{"$TMP/dir", "$TMP/with/scope/sub/dir/abs_symlink_to_dir", "/with/scope", "/with/scope/sub/dir/",
+			"abs_symlink_to_dir", "./abs_symlink_to_dir/"},
+
+		{"symlink", "$TMP/rel_symlink_to_symlink", "/", "/",
+			"rel_symlink_to_symlink", "./rel_symlink_to_symlink/"},
+		{"$TMP/symlink", "$TMP/abs_symlink_to_symlink", "/", "/",
+			"abs_symlink_to_symlink", "./abs_symlink_to_symlink/"},
+
+		{"../../symlink", "$TMP/sub/dir/rel_symlink_to_symlink", "/", "/sub/dir/",
+			"rel_symlink_to_symlink", "./rel_symlink_to_symlink/"},
+		{"$TMP/symlink", "$TMP/sub/dir/abs_symlink_to_symlink", "/", "/sub/dir/",
+			"abs_symlink_to_symlink", "./abs_symlink_to_symlink/"},
+
+		{"../../symlink", "$TMP/with/scope/rel_symlink_to_symlink", "/with/scope", "/with/scope/",
+			"rel_symlink_to_symlink", "./rel_symlink_to_symlink/"},
+		{"$TMP/symlink", "$TMP/with/scope/abs_symlink_to_symlink", "/with/scope", "/with/scope/",
+			"abs_symlink_to_symlink", "./abs_symlink_to_symlink/"},
+
+		{"../../../../symlink", "$TMP/with/scope/sub/dir/rel_symlink_to_symlink", "/with/scope", "/with/scope/sub/dir/",
+			"rel_symlink_to_symlink", "./rel_symlink_to_symlink/"},
+		{"$TMP/symlink", "$TMP/with/scope/sub/dir/abs_symlink_to_symlink", "/with/scope", "/with/scope/sub/dir/",
+			"abs_symlink_to_symlink", "./abs_symlink_to_symlink/"},
+	}
+
+	for i, tc := range testCases {
+		func() {
+			tmpdir, err := ioutil.TempDir("", testDirPrefix)
+			if err != nil {
+				t.Fatalf("failed to create test directory: %v", err)
+			}
+			defer os.RemoveAll(tmpdir)
+
+			if err := os.MkdirAll(filepath.Join(tmpdir, "dir"), 0755); err != nil {
+				t.Fatalf("failed to create test dir 'dir': %v", err)
+			}
+			if err := os.Symlink("dir", filepath.Join(tmpdir, "symlink")); err != nil {
+				t.Fatalf("failed to create test symlink 'symlink': %v", err)
+			}
+
+			sourceResolved := strings.Replace(tc.source, "$TMP", tmpdir, -1)
+			targetResolved := strings.Replace(tc.target, "$TMP", tmpdir, -1)
+
+			if err := os.MkdirAll(filepath.Dir(sourceResolved), 0755); err != nil {
+				t.Fatalf("failed to create source symlink dir: %v", err)
+			}
+			if err := os.MkdirAll(filepath.Dir(targetResolved), 0755); err != nil {
+				t.Fatalf("failed to create target symlink dir: %v", err)
+			}
+			if err := os.Symlink(sourceResolved, targetResolved); err != nil {
+				t.Fatalf("failed to create test symlink: %v", err)
+			}
+
+			b := Browse{
+				Next: httpserver.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
+					t.Fatalf("Test %d - Next shouldn't be called", i)
+					return 0, nil
+				}),
+				Configs: []Config{
+					{
+						PathScope: tc.pathScope,
+						Fs: staticfiles.FileServer{
+							Root: http.Dir(tmpdir),
+						},
+					},
+				},
+			}
+
+			req, err := http.NewRequest("GET", tc.url, nil)
+			req.Header.Add("Accept", "application/json")
+			if err != nil {
+				t.Fatalf("Test %d - could not create HTTP request: %v", i, err)
+			}
+
+			rec := httptest.NewRecorder()
+
+			returnCode, _ := b.ServeHTTP(rec, req)
+			if returnCode != http.StatusOK {
+				t.Fatalf("Test %d - wrong return code, expected %d, got %d",
+					i, http.StatusOK, returnCode)
+			}
+
+			type jsonEntry struct {
+				Name      string
+				IsDir     bool
+				IsSymlink bool
+				URL       string
+			}
+			var entries []jsonEntry
+			if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
+				t.Fatalf("Test %d - failed to parse json: %v", i, err)
+			}
+
+			found := false
+			for _, e := range entries {
+				if e.Name != tc.expectedName {
+					continue
+				}
+				found = true
+				if !e.IsDir {
+					t.Errorf("Test %d - expected to be a dir, got %v", i, e.IsDir)
+				}
+				if !e.IsSymlink {
+					t.Errorf("Test %d - expected to be a symlink, got %v", i, e.IsSymlink)
+				}
+				if e.URL != tc.expectedURL {
+					t.Errorf("Test %d - wrong URL, expected %v, got %v", i, tc.expectedURL, e.URL)
+				}
+			}
+			if !found {
+				t.Errorf("Test %d - failed, could not find name %v", i, tc.expectedName)
+			}
+		}()
+	}
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package browse

 import (
@@ -6,9 +20,9 @@ import (
 	"net/http"
 	"text/template"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
 )

 func init() {
@@ -64,8 +78,9 @@ func browseParse(c *caddy.Controller) ([]Config, error) {
 		}

 		bc.Fs = staticfiles.FileServer{
-			Root: http.Dir(cfg.Root),
-			Hide: cfg.HiddenFiles,
+			Root:       http.Dir(cfg.Root),
+			Hide:       cfg.HiddenFiles,
+			IndexPages: cfg.IndexPages,
 		}

 		// Second argument would be the template file to use
@@ -110,6 +125,7 @@ const defaultTemplate = `<!DOCTYPE html>
 body {
 	font-family: sans-serif;
 	text-rendering: optimizespeed;
+	background-color: #ffffff;
 }

 a {
@@ -130,12 +146,12 @@ header,

 th:first-child,
 td:first-child {
-	padding-left: 5%;
+	width: 5%;
 }

 th:last-child,
 td:last-child {
-	padding-right: 5%;
+	width: 5%;
 }

 header {
@@ -222,19 +238,24 @@ th svg {
 }

 td {
+	white-space: nowrap;
 	font-size: 14px;
 }

-td:first-child {
-	width: 50%;
+td:nth-child(2) {
+	width: 80%;
 }

-th:last-child,
-td:last-child {
+td:nth-child(3) {
+	padding: 0 20px 0 20px;
+}
+
+th:nth-child(4),
+td:nth-child(4) {
 	text-align: right;
 }

-td:first-child svg {
+td:nth-child(2) svg {
 	position: absolute;
 }

@@ -281,12 +302,12 @@ footer {
 		display: none;
 	}

-	td:first-child {
+	td:nth-child(2) {
 		width: auto;
 	}

-	th:nth-child(2),
-	td:nth-child(2) {
+	th:nth-child(3),
+	td:nth-child(3) {
 		padding-right: 5%;
 		text-align: right;
 	}
@@ -305,7 +326,7 @@ footer {
 }
 </style>
 	</head>
-	<body>
+	<body onload='filter()'>
 		<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" height="0" width="0" style="position: absolute;">
 			<defs>
 				<!-- Folder -->
@@ -370,6 +391,7 @@ footer {
 				<table aria-describedby="summary">
 					<thead>
 					<tr>
+						<th></th>
 						<th>
 							{{- if and (eq .Sort "namedirfirst") (ne .Order "desc")}}
 							<a href="?sort=namedirfirst&order=desc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}" class="icon"><svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg></a>
@@ -405,11 +427,13 @@ footer {
 							<a href="?sort=time&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Modified</a>
 							{{- end}}
 						</th>
+						<th class="hideable"></th>
 					</tr>
 					</thead>
 					<tbody>
 					{{- if .CanGoUp}}
 					<tr>
+						<td></td>
 						<td>
 							<a href="..">
 								<span class="goup">Go up</span>
@@ -417,10 +441,12 @@ footer {
 						</td>
 						<td>&mdash;</td>
 						<td class="hideable">&mdash;</td>
+						<td class="hideable"></td>
 					</tr>
 					{{- end}}
 					{{- range .Items}}
 					<tr class="file">
+						<td></td>
 						<td>
 							<a href="{{html .URL}}">
 								{{- if .IsDir}}
@@ -437,6 +463,7 @@ footer {
 						<td data-order="{{.Size}}">{{.HumanSize}}</td>
 						{{- end}}
 						<td class="hideable"><time datetime="{{.HumanModTime "2006-01-02T15:04:05Z"}}">{{.HumanModTime "01/02/2006 03:04:05 PM -07:00"}}</time></td>
+						<td class="hideable"></td>
 					</tr>
 					{{- end}}
 					</tbody>
@@ -479,7 +506,7 @@ footer {
 						return;
 					}
 				}
-				e.textContent = d.toLocaleString();
+				e.textContent = d.toLocaleString([], {day: "2-digit", month: "2-digit", year: "numeric", hour: "2-digit", minute: "2-digit", second: "2-digit"});
 			}
 			var timeList = Array.prototype.slice.call(document.getElementsByTagName("time"));
 			timeList.forEach(localizeDatetime);
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package browse

 import (
@@ -8,8 +22,8 @@ import (
 	"testing"
 	"time"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -39,7 +53,7 @@ func TestSetup(t *testing.T) {
 		// test case #1 tests instantiation of Config with default values
 		{"browse /", []string{"/"}, false},

-		// test case #2 tests detectaction of custom template
+		// test case #2 tests detection of custom template
 		{"browse . " + tempTemplatePath, []string{"."}, false},

 		// test case #3 tests detection of non-existent template
@@ -1,35 +1,49 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyhttp

 import (
 	// plug in the server
-	_ "github.com/mholt/caddy/caddyhttp/httpserver"
+	_ "github.com/caddyserver/caddy/caddyhttp/httpserver"

 	// plug in the standard directives
-	_ "github.com/mholt/caddy/caddyhttp/basicauth"
-	_ "github.com/mholt/caddy/caddyhttp/bind"
-	_ "github.com/mholt/caddy/caddyhttp/browse"
-	_ "github.com/mholt/caddy/caddyhttp/errors"
-	_ "github.com/mholt/caddy/caddyhttp/expvar"
-	_ "github.com/mholt/caddy/caddyhttp/extensions"
-	_ "github.com/mholt/caddy/caddyhttp/fastcgi"
-	_ "github.com/mholt/caddy/caddyhttp/gzip"
-	_ "github.com/mholt/caddy/caddyhttp/header"
-	_ "github.com/mholt/caddy/caddyhttp/index"
-	_ "github.com/mholt/caddy/caddyhttp/internalsrv"
-	_ "github.com/mholt/caddy/caddyhttp/limits"
-	_ "github.com/mholt/caddy/caddyhttp/log"
-	_ "github.com/mholt/caddy/caddyhttp/markdown"
-	_ "github.com/mholt/caddy/caddyhttp/mime"
-	_ "github.com/mholt/caddy/caddyhttp/pprof"
-	_ "github.com/mholt/caddy/caddyhttp/proxy"
-	_ "github.com/mholt/caddy/caddyhttp/push"
-	_ "github.com/mholt/caddy/caddyhttp/redirect"
-	_ "github.com/mholt/caddy/caddyhttp/requestid"
-	_ "github.com/mholt/caddy/caddyhttp/rewrite"
-	_ "github.com/mholt/caddy/caddyhttp/root"
-	_ "github.com/mholt/caddy/caddyhttp/status"
-	_ "github.com/mholt/caddy/caddyhttp/templates"
-	_ "github.com/mholt/caddy/caddyhttp/timeouts"
-	_ "github.com/mholt/caddy/caddyhttp/websocket"
-	_ "github.com/mholt/caddy/startupshutdown"
+	_ "github.com/caddyserver/caddy/caddyhttp/basicauth"
+	_ "github.com/caddyserver/caddy/caddyhttp/bind"
+	_ "github.com/caddyserver/caddy/caddyhttp/browse"
+	_ "github.com/caddyserver/caddy/caddyhttp/errors"
+	_ "github.com/caddyserver/caddy/caddyhttp/expvar"
+	_ "github.com/caddyserver/caddy/caddyhttp/extensions"
+	_ "github.com/caddyserver/caddy/caddyhttp/fastcgi"
+	_ "github.com/caddyserver/caddy/caddyhttp/gzip"
+	_ "github.com/caddyserver/caddy/caddyhttp/header"
+	_ "github.com/caddyserver/caddy/caddyhttp/index"
+	_ "github.com/caddyserver/caddy/caddyhttp/internalsrv"
+	_ "github.com/caddyserver/caddy/caddyhttp/limits"
+	_ "github.com/caddyserver/caddy/caddyhttp/log"
+	_ "github.com/caddyserver/caddy/caddyhttp/markdown"
+	_ "github.com/caddyserver/caddy/caddyhttp/mime"
+	_ "github.com/caddyserver/caddy/caddyhttp/pprof"
+	_ "github.com/caddyserver/caddy/caddyhttp/proxy"
+	_ "github.com/caddyserver/caddy/caddyhttp/push"
+	_ "github.com/caddyserver/caddy/caddyhttp/redirect"
+	_ "github.com/caddyserver/caddy/caddyhttp/requestid"
+	_ "github.com/caddyserver/caddy/caddyhttp/rewrite"
+	_ "github.com/caddyserver/caddy/caddyhttp/root"
+	_ "github.com/caddyserver/caddy/caddyhttp/status"
+	_ "github.com/caddyserver/caddy/caddyhttp/templates"
+	_ "github.com/caddyserver/caddy/caddyhttp/timeouts"
+	_ "github.com/caddyserver/caddy/caddyhttp/websocket"
+	_ "github.com/caddyserver/caddy/onevent"
 )
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package caddyhttp

 import (
 	"strings"
 	"testing"

-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
 )

 // TODO: this test could be improved; the purpose is to
@@ -13,7 +27,7 @@ import (
 func TestStandardPlugins(t *testing.T) {
 	numStandardPlugins := 32 // importing caddyhttp plugs in this many plugins
 	s := caddy.DescribePlugins()
-	if got, want := strings.Count(s, "\n"), numStandardPlugins+5; got != want {
+	if got, want := strings.Count(s, "\n"), numStandardPlugins+4; got != want {
 		t.Errorf("Expected all standard plugins to be plugged in, got:\n%s", s)
 	}
 }
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package errors implements an HTTP error handling middleware.
 package errors

@@ -8,10 +22,9 @@ import (
 	"os"
 	"runtime"
 	"strings"
-	"time"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -36,7 +49,7 @@ func (h ErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, er
 	status, err := h.Next.ServeHTTP(w, r)

 	if err != nil {
-		errMsg := fmt.Sprintf("%s [ERROR %d %s] %v", time.Now().Format(timeFormat), status, r.URL.Path, err)
+		errMsg := fmt.Sprintf("[ERROR %d %s] %v", status, r.URL.Path, err)
 		if h.Debug {
 			// Write error to response instead of to log
 			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -65,8 +78,7 @@ func (h ErrorHandler) errorPage(w http.ResponseWriter, r *http.Request, code int
 		errorPage, err := os.Open(pagePath)
 		if err != nil {
 			// An additional error handling an error... <insert grumpy cat here>
-			h.Log.Printf("%s [NOTICE %d %s] could not load error page: %v",
-				time.Now().Format(timeFormat), code, r.URL.String(), err)
+			h.Log.Printf("[NOTICE %d %s] could not load error page: %v", code, r.URL.String(), err)
 			httpserver.DefaultErrorFunc(w, r, code)
 			return
 		}
@@ -79,8 +91,7 @@ func (h ErrorHandler) errorPage(w http.ResponseWriter, r *http.Request, code int

 		if err != nil {
 			// Epic fail... sigh.
-			h.Log.Printf("%s [NOTICE %d %s] could not respond with %s: %v",
-				time.Now().Format(timeFormat), code, r.URL.String(), pagePath, err)
+			h.Log.Printf("[NOTICE %d %s] could not respond with %s: %v", code, r.URL.String(), pagePath, err)
 			httpserver.DefaultErrorFunc(w, r, code)
 		}

@@ -128,13 +139,13 @@ func (h ErrorHandler) recovery(w http.ResponseWriter, r *http.Request) {
 	}

 	// Trim file path
-	delim := "/caddy/"
+	delim := "/github.com/caddyserver/caddy/"
 	pkgPathPos := strings.Index(file, delim)
 	if pkgPathPos > -1 && len(file) > pkgPathPos+len(delim) {
 		file = file[pkgPathPos+len(delim):]
 	}

-	panicMsg := fmt.Sprintf("%s [PANIC %s] %s:%d - %v", time.Now().Format(timeFormat), r.URL.String(), file, line, rec)
+	panicMsg := fmt.Sprintf("[PANIC %s] %s:%d - %v", r.URL.String(), file, line, rec)
 	if h.Debug {
 		// Write error and stack trace to the response rather than to a log
 		var stackBuf [4096]byte
@@ -146,5 +157,3 @@ func (h ErrorHandler) recovery(w http.ResponseWriter, r *http.Request) {
 		h.errorPage(w, r, http.StatusInternalServerError)
 	}
 }
-
-const timeFormat = "02/Jan/2006:15:04:05 -0700"
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package errors

 import (
@@ -12,7 +26,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestErrors(t *testing.T) {
@@ -139,7 +153,7 @@ func TestVisibleErrorWithPanic(t *testing.T) {

 	body := rec.Body.String()

-	if !strings.Contains(body, "[PANIC /] caddyhttp/errors/errors_test.go") {
+	if !strings.Contains(body, "[PANIC /]") {
 		t.Errorf("Expected response body to contain error log line, but it didn't:\n%s", body)
 	}
 	if !strings.Contains(body, panicMsg) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package errors

 import (
@@ -6,8 +20,8 @@ import (
 	"path/filepath"
 	"strconv"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // setup configures a new errors middleware instance.
@@ -109,6 +123,10 @@ func errorsParse(c *caddy.Controller) (*ErrorHandler, error) {
 			}
 		}

+		if len(args) > 1 {
+			return handler, c.Errf("Only 1 Argument expected for errors directive")
+		}
+
 		// Configuration may be in a block
 		err := optionalBlock()
 		if err != nil {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package errors

 import (
@@ -5,8 +19,8 @@ import (
 	"reflect"
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -165,6 +179,11 @@ func TestErrorsParse(t *testing.T) {
 			* generic_error.html
 			* generic_error.html
 		}`, true, ErrorHandler{ErrorPages: map[int]string{}, Log: &httpserver.Logger{}}},
+		{`errors /path error.txt {
+			404 
+		}`, true, ErrorHandler{ErrorPages: map[int]string{}, Log: &httpserver.Logger{}}},
+
+		{`errors /path error.txt`, true, ErrorHandler{ErrorPages: map[int]string{}, Log: &httpserver.Logger{}}},
 	}

 	for i, test := range tests {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package expvar

 import (
@@ -5,7 +19,7 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // ExpVar is a simple struct to hold expvar's configuration
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package expvar

 import (
@@ -6,7 +20,7 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestExpVar(t *testing.T) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package expvar

 import (
@@ -5,8 +19,8 @@ import (
 	"runtime"
 	"sync"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package expvar

 import (
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package extensions contains middleware for clean URLs.
 //
 // The root path of the site is passed in as well as possible extensions
@@ -12,7 +26,7 @@ import (
 	"path"
 	"strings"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // Ext can assume an extension from clean URLs.
@@ -1,8 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package extensions

 import (
-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package extensions

 import (
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package fastcgi has middleware that acts as a FastCGI client. Requests
 // that get forwarded to FastCGI stop the middleware execution chain.
 // The most common use for this package is to serve PHP websites via php-fpm.
@@ -6,6 +20,7 @@ package fastcgi
 import (
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"net/http"
@@ -18,7 +33,11 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"crypto/tls"
+
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddytls"
 )

 // Handler is a middleware type that can handle requests as a FastCGI client.
@@ -66,6 +85,8 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 		// but we also want to be flexible for the script we proxy to.

 		fpath := r.URL.Path
+		// We trim those characters because they are served as plain text if appended after .php on Windows 
+		fpath = strings.TrimRight(fpath, " .")

 		if idx, ok := httpserver.IndexFile(h.FileSys, fpath, rule.IndexFiles); ok {
 			fpath = idx
@@ -83,7 +104,8 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 		}

 		// These criteria work well in this order for PHP sites
-		if !h.exists(fpath) || fpath[len(fpath)-1] == '/' || strings.HasSuffix(fpath, rule.Ext) {
+		// We lower path and Ext as on Windows, the system is case insensitive, so .PHP is served as .php
+		if !h.exists(fpath) || fpath[len(fpath)-1] == '/' || strings.HasSuffix(strings.ToLower(fpath), strings.ToLower(rule.Ext)) {

 			// Create environment for CGI script
 			env, err := h.buildEnv(r, rule, fpath)
@@ -92,7 +114,11 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 			}

 			// Connect to FastCGI gateway
-			network, address := parseAddress(rule.Address())
+			address, err := rule.Address()
+			if err != nil {
+				return http.StatusBadGateway, err
+			}
+			network, address := parseAddress(address)

 			ctx := context.Background()
 			if rule.ConnectTimeout > 0 {
@@ -128,7 +154,7 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 			case "HEAD":
 				resp, err = fcgiBackend.Head(env)
 			case "GET":
-				resp, err = fcgiBackend.Get(env)
+				resp, err = fcgiBackend.Get(env, r.Body, contentLength)
 			case "OPTIONS":
 				resp, err = fcgiBackend.Options(env)
 			default:
@@ -219,9 +245,6 @@ func (h Handler) exists(path string) bool {
 func (h Handler) buildEnv(r *http.Request, rule Rule, fpath string) (map[string]string, error) {
 	var env map[string]string

-	// Get absolute path of requested resource
-	absPath := filepath.Join(rule.Root, fpath)
-
 	// Separate remote IP and port; more lenient than net.SplitHostPort
 	var ip, port string
 	if idx := strings.LastIndex(r.RemoteAddr, ":"); idx > -1 {
@@ -243,11 +266,18 @@ func (h Handler) buildEnv(r *http.Request, rule Rule, fpath string) (map[string]
 	docURI := fpath[:splitPos+len(rule.SplitPath)]
 	pathInfo := fpath[splitPos+len(rule.SplitPath):]
 	scriptName := fpath
-	scriptFilename := absPath

 	// Strip PATH_INFO from SCRIPT_NAME
 	scriptName = strings.TrimSuffix(scriptName, pathInfo)

+	// SCRIPT_FILENAME is the absolute path of SCRIPT_NAME
+	scriptFilename := filepath.Join(rule.Root, scriptName)
+
+	// Add vhost path prefix to scriptName. Otherwise, some PHP software will
+	// have difficulty discovering its URL.
+	pathPrefix, _ := r.Context().Value(caddy.CtxKey("path_prefix")).(string)
+	scriptName = path.Join(pathPrefix, scriptName)
+
 	// Get the request URI from context. The context stores the original URI in case
 	// it was changed by a middleware such as rewrite. By default, we pass the
 	// original URI in as the value of REQUEST_URI (the user can overwrite this
@@ -258,6 +288,11 @@ func (h Handler) buildEnv(r *http.Request, rule Rule, fpath string) (map[string]
 	// Retrieve name of remote user that was set by some downstream middleware such as basicauth.
 	remoteUser, _ := r.Context().Value(httpserver.RemoteUserCtxKey).(string)

+	requestScheme := "http"
+	if r.TLS != nil {
+		requestScheme = "https"
+	}
+
 	// Some variables are unused but cleared explicitly to prevent
 	// the parent environment from interfering.
 	env = map[string]string{
@@ -274,6 +309,7 @@ func (h Handler) buildEnv(r *http.Request, rule Rule, fpath string) (map[string]
 		"REMOTE_IDENT":      "", // Not used
 		"REMOTE_USER":       remoteUser,
 		"REQUEST_METHOD":    r.Method,
+		"REQUEST_SCHEME":    requestScheme,
 		"SERVER_NAME":       h.ServerName,
 		"SERVER_PORT":       h.ServerPort,
 		"SERVER_PROTOCOL":   r.Proto,
@@ -298,6 +334,19 @@ func (h Handler) buildEnv(r *http.Request, rule Rule, fpath string) (map[string]
 	// Some web apps rely on knowing HTTPS or not
 	if r.TLS != nil {
 		env["HTTPS"] = "on"
+		// and pass the protocol details in a manner compatible with apache's mod_ssl
+		// (which is why they have a SSL_ prefix and not TLS_).
+		v, ok := tlsProtocolStringToMap[r.TLS.Version]
+		if ok {
+			env["SSL_PROTOCOL"] = v
+		}
+		// and pass the cipher suite in a manner compatible with apache's mod_ssl
+		for k, v := range caddytls.SupportedCiphersMap {
+			if v == r.TLS.CipherSuite {
+				env["SSL_CIPHER"] = k
+				break
+			}
+		}
 	}

 	// Add env variables from config (with support for placeholders in values)
@@ -361,7 +410,7 @@ type Rule struct {
 type balancer interface {
 	// Address picks an upstream address from the
 	// underlying load balancer.
-	Address() string
+	Address() (string, error)
 }

 // roundRobin is a round robin balancer for fastcgi upstreams.
@@ -373,9 +422,34 @@ type roundRobin struct {
 	addresses []string
 }

-func (r *roundRobin) Address() string {
+func (r *roundRobin) Address() (string, error) {
 	index := atomic.AddInt64(&r.index, 1) % int64(len(r.addresses))
-	return r.addresses[index]
+	return r.addresses[index], nil
+}
+
+// srvResolver is a private interface used to abstract
+// the DNS resolver. It is mainly used to facilitate testing.
+type srvResolver interface {
+	LookupSRV(ctx context.Context, service, proto, name string) (string, []*net.SRV, error)
+}
+
+// srv is a service locator for fastcgi upstreams
+type srv struct {
+	resolver srvResolver
+	service  string
+}
+
+// Address looks up the service and returns the address:port
+// from first result in resolved list.
+// No explicit balancing is required because net.LookupSRV
+// sorts the results by priority and randomizes within priority.
+func (s *srv) Address() (string, error) {
+	_, addrs, err := s.resolver.LookupSRV(context.Background(), "", "", s.service)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%s:%d", strings.TrimRight(addrs[0].Target, "."), addrs[0].Port), nil
 }

 // canSplit checks if path can split into two based on rule.SplitPath.
@@ -415,3 +489,11 @@ type LogError string
 func (l LogError) Error() string {
 	return string(l)
 }
+
+// Map of supported protocols to Apache ssl_mod format
+// Note that these are slightly different from SupportedProtocols in caddytls/config.go's
+var tlsProtocolStringToMap = map[uint16]string{
+	tls.VersionTLS10: "TLSv1",
+	tls.VersionTLS11: "TLSv1.1",
+	tls.VersionTLS12: "TLSv1.2",
+}
@@ -1,18 +1,35 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package fastcgi

 import (
 	"context"
+	"log"
 	"net"
 	"net/http"
 	"net/http/fcgi"
 	"net/http/httptest"
 	"net/url"
+	"path/filepath"
 	"strconv"
 	"sync"
 	"testing"
 	"time"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestServeHTTP(t *testing.T) {
@@ -23,11 +40,20 @@ func TestServeHTTP(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Unable to create listener for test: %v", err)
 	}
-	defer listener.Close()
-	go fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Length", bodyLenStr)
-		w.Write([]byte(body))
-	}))
+	defer func() { _ = listener.Close() }()
+
+	go func() {
+		err := fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Length", bodyLenStr)
+			_, err := w.Write([]byte(body))
+			if err != nil {
+				log.Printf("[ERROR] unable to write header: %v", err)
+			}
+		}))
+		if err != nil {
+			log.Printf("[ERROR] unable to start server: %v", err)
+		}
+	}()

 	handler := Handler{
 		Next:  nil,
@@ -69,11 +95,15 @@ func TestRuleParseAddress(t *testing.T) {
 	}

 	for _, entry := range getClientTestTable {
-		if actualnetwork, _ := parseAddress(entry.rule.Address()); actualnetwork != entry.expectednetwork {
-			t.Errorf("Unexpected network for address string %v. Got %v, expected %v", entry.rule.Address(), actualnetwork, entry.expectednetwork)
+		addr, err := entry.rule.Address()
+		if err != nil {
+			t.Errorf("Unexpected error in retrieving address: %s", err.Error())
 		}
-		if _, actualaddress := parseAddress(entry.rule.Address()); actualaddress != entry.expectedaddress {
-			t.Errorf("Unexpected parsed address for address string %v. Got %v, expected %v", entry.rule.Address(), actualaddress, entry.expectedaddress)
+		if actualnetwork, _ := parseAddress(addr); actualnetwork != entry.expectednetwork {
+			t.Errorf("Unexpected network for address string %v. Got %v, expected %v", addr, actualnetwork, entry.expectednetwork)
+		}
+		if _, actualaddress := parseAddress(addr); actualaddress != entry.expectedaddress {
+			t.Errorf("Unexpected parsed address for address string %v. Got %v, expected %v", addr, actualaddress, entry.expectedaddress)
 		}
 	}
 }
@@ -122,8 +152,12 @@ func TestBuildEnv(t *testing.T) {
 		}
 	}

-	rule := Rule{}
-	url, err := url.Parse("http://localhost:2015/fgci_test.php?test=foobar")
+	rule := Rule{
+		Ext:        ".php",
+		SplitPath:  ".php",
+		IndexFiles: []string{"index.php"},
+	}
+	u, err := url.Parse("http://localhost:2015/fgci_test.php?test=foobar")
 	if err != nil {
 		t.Error("Unexpected error:", err.Error())
 	}
@@ -131,7 +165,7 @@ func TestBuildEnv(t *testing.T) {
 	var newReq = func() *http.Request {
 		r := http.Request{
 			Method:     "GET",
-			URL:        url,
+			URL:        u,
 			Proto:      "HTTP/1.1",
 			ProtoMajor: 1,
 			ProtoMinor: 1,
@@ -156,6 +190,7 @@ func TestBuildEnv(t *testing.T) {
 			"QUERY_STRING":    "test=foobar",
 			"REQUEST_METHOD":  "GET",
 			"HTTP_HOST":       "localhost:2015",
+			"SCRIPT_NAME":     "/fgci_test.php",
 		}
 	}

@@ -206,6 +241,29 @@ func TestBuildEnv(t *testing.T) {
 	envExpected["CUSTOM_URI"] = "custom_uri/fgci_test.php?test=foobar"
 	envExpected["CUSTOM_QUERY"] = "custom=true&test=foobar"
 	testBuildEnv(r, rule, fpath, envExpected)
+
+	// 6. Test SCRIPT_NAME includes path prefix
+	r = newReq()
+	ctx := context.WithValue(r.Context(), caddy.CtxKey("path_prefix"), "/test")
+	r = r.WithContext(ctx)
+	envExpected = newEnv()
+	envExpected["SCRIPT_NAME"] = "/test/fgci_test.php"
+	testBuildEnv(r, rule, fpath, envExpected)
+
+	// 7. Test SCRIPT_NAME,SCRIPT_FILENAME do not include PATH_INFO
+	fpath = "/fgci_test.php/extra/paths"
+	r = newReq()
+	envExpected = newEnv()
+	envExpected["PATH_INFO"] = "/extra/paths"
+	envExpected["SCRIPT_NAME"] = "/fgci_test.php"
+	envExpected["SCRIPT_FILENAME"] = filepath.FromSlash("/fgci_test.php")
+	testBuildEnv(r, rule, fpath, envExpected)
+
+	// 8. Test REQUEST_SCHEME in env
+	r = newReq()
+	envExpected = newEnv()
+	envExpected["REQUEST_SCHEME"] = "http"
+	testBuildEnv(r, rule, fpath, envExpected)
 }

 func TestReadTimeout(t *testing.T) {
@@ -226,7 +284,7 @@ func TestReadTimeout(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Test %d: Unable to create listener for test: %v", i, err)
 		}
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()

 		handler := Handler{
 			Next: nil,
@@ -245,11 +303,16 @@ func TestReadTimeout(t *testing.T) {
 		w := httptest.NewRecorder()

 		wg.Add(1)
-		go fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			time.Sleep(test.sleep)
-			w.WriteHeader(http.StatusOK)
-			wg.Done()
-		}))
+		go func() {
+			err := fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				time.Sleep(test.sleep)
+				w.WriteHeader(http.StatusOK)
+				wg.Done()
+			}))
+			if err != nil {
+				log.Printf("[ERROR] unable to start server: %v", err)
+			}
+		}()

 		got, err := handler.ServeHTTP(w, r)
 		if test.shouldErr {
@@ -286,7 +349,7 @@ func TestSendTimeout(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Test %d: Unable to create listener for test: %v", i, err)
 		}
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()

 		handler := Handler{
 			Next: nil,
@@ -304,9 +367,14 @@ func TestSendTimeout(t *testing.T) {
 		}
 		w := httptest.NewRecorder()

-		go fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		}))
+		go func() {
+			err := fcgi.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+			if err != nil {
+				log.Printf("[ERROR] unable to start server: %v", err)
+			}
+		}()

 		got, err := handler.ServeHTTP(w, r)
 		if test.shouldErr {
@@ -337,7 +405,10 @@ func TestBalancer(t *testing.T) {
 	for i, test := range tests {
 		b := address(test...)
 		for _, host := range test {
-			a := b.Address()
+			a, err := b.Address()
+			if err != nil {
+				t.Errorf("Unexpected error in trying to retrieve address: %s", err.Error())
+			}
 			if a != host {
 				t.Errorf("Test %d: expected %s, found %s", i, host, a)
 			}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Forked Jan. 2015 from http://bitbucket.org/PinIdea/fcgi_client
 // (which is forked from https://code.google.com/p/go-fastcgi-client/)

@@ -161,15 +175,13 @@ func (rec *record) read(r io.Reader) (buf []byte, err error) {
 // FCGIClient implements a FastCGI client, which is a standard for
 // interfacing external applications with Web servers.
 type FCGIClient struct {
-	mutex       sync.Mutex
-	rwc         io.ReadWriteCloser
-	h           header
-	buf         bytes.Buffer
-	stderr      bytes.Buffer
-	keepAlive   bool
-	reqID       uint16
-	readTimeout time.Duration
-	sendTimeout time.Duration
+	mutex     sync.Mutex
+	rwc       io.ReadWriteCloser
+	h         header
+	buf       bytes.Buffer
+	stderr    bytes.Buffer
+	keepAlive bool
+	reqID     uint16
 }

 // DialWithDialerContext connects to the fcgi responder at the specified network address, using custom net.Dialer
@@ -202,7 +214,7 @@ func Dial(network, address string) (fcgi *FCGIClient, err error) {
 	return DialContext(context.Background(), network, address)
 }

-// Close closes fcgi connnection
+// Close closes fcgi connection
 func (c *FCGIClient) Close() {
 	c.rwc.Close()
 }
@@ -383,7 +395,7 @@ func (c *FCGIClient) Do(p map[string]string, req io.Reader) (r io.Reader, err er

 	body := newWriter(c, Stdin)
 	if req != nil {
-		io.Copy(body, req)
+		_, _ = io.Copy(body, req)
 	}
 	body.Close()

@@ -446,12 +458,12 @@ func (c *FCGIClient) Request(p map[string]string, req io.Reader) (resp *http.Res
 }

 // Get issues a GET request to the fcgi responder.
-func (c *FCGIClient) Get(p map[string]string) (resp *http.Response, err error) {
+func (c *FCGIClient) Get(p map[string]string, body io.Reader, l int64) (resp *http.Response, err error) {

 	p["REQUEST_METHOD"] = "GET"
-	p["CONTENT_LENGTH"] = "0"
+	p["CONTENT_LENGTH"] = strconv.FormatInt(l, 10)

-	return c.Request(p, nil)
+	return c.Request(p, body)
 }

 // Head issues a HEAD request to the fcgi responder.
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // NOTE: These tests were adapted from the original
 // repository from which this package was forked.
 // The tests are slow (~10s) and in dire need of rewriting.
@@ -30,7 +44,7 @@ import (
 // test fcgi protocol includes:
 // Get, Post, Post in multipart/form-data, and Post with files
 // each key should be the md5 of the value or the file uploaded
-// sepicify remote fcgi responer ip:port to test with php
+// specify remote fcgi responder ip:port to test with php
 // test failed if the remote fcgi(script) failed md5 verification
 // and output "FAILED" in response
 const (
@@ -45,7 +59,9 @@ type FastCGIServer struct{}

 func (s FastCGIServer) ServeHTTP(resp http.ResponseWriter, req *http.Request) {

-	req.ParseMultipartForm(100000000)
+	if err := req.ParseMultipartForm(100000000); err != nil {
+		log.Printf("[ERROR] failed to parse: %v", err)
+	}

 	stat := "PASSED"
 	fmt.Fprintln(resp, "-")
@@ -54,15 +70,15 @@ func (s FastCGIServer) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 		length := 0
 		for k0, v0 := range req.Form {
 			h := md5.New()
-			io.WriteString(h, v0[0])
-			md5 := fmt.Sprintf("%x", h.Sum(nil))
+			_, _ = io.WriteString(h, v0[0])
+			_md5 := fmt.Sprintf("%x", h.Sum(nil))

 			length += len(k0)
 			length += len(v0[0])

-			// echo error when key != md5(val)
-			if md5 != k0 {
-				fmt.Fprintln(resp, "server:err ", md5, k0)
+			// echo error when key != _md5(val)
+			if _md5 != k0 {
+				fmt.Fprintln(resp, "server:err ", _md5, k0)
 				stat = "FAILED"
 			}
 		}
@@ -126,7 +142,8 @@ func sendFcgi(reqType int, fcgiParams map[string]string, data []byte, posts map[
 			}
 			resp, err = fcgi.PostForm(fcgiParams, values)
 		} else {
-			resp, err = fcgi.Get(fcgiParams)
+			rd := bytes.NewReader(data)
+			resp, err = fcgi.Get(fcgiParams, rd, int64(rd.Len()))
 		}

 	default:
@@ -155,7 +172,7 @@ func sendFcgi(reqType int, fcgiParams map[string]string, data []byte, posts map[
 	fcgi.Close()
 	time.Sleep(1 * time.Second)

-	if bytes.Index(content, []byte("FAILED")) >= 0 {
+	if bytes.Contains(content, []byte("FAILED")) {
 		globalt.Error("Server return failed message")
 	}

@@ -182,8 +199,12 @@ func generateRandFile(size int) (p string, m string) {
 	for i := 0; i < size/16; i++ {
 		buf := make([]byte, 16)
 		binary.PutVarint(buf, rand.Int63())
-		fo.Write(buf)
-		h.Write(buf)
+		if _, err := fo.Write(buf); err != nil {
+			log.Printf("[ERROR] failed to write buffer: %v\n", err)
+		}
+		if _, err := h.Write(buf); err != nil {
+			log.Printf("[ERROR] failed to write buffer: %v\n", err)
+		}
 	}
 	m = fmt.Sprintf("%x", h.Sum(nil))
 	return
@@ -199,12 +220,13 @@ func DisabledTest(t *testing.T) {
 	go func() {
 		listener, err := net.Listen("tcp", ipPort)
 		if err != nil {
-			// handle error
 			log.Println("listener creation failed: ", err)
 		}

 		srv := new(FastCGIServer)
-		fcgi.Serve(listener, srv)
+		if err := fcgi.Serve(listener, srv); err != nil {
+			log.Print("[ERROR] failed to start server: ", err)
+		}
 	}()

 	time.Sleep(1 * time.Second)
@@ -229,7 +251,7 @@ func DisabledTest(t *testing.T) {
 	for i := 0x00; i < 0xff; i++ {
 		v0 := strings.Repeat(string(i), 256)
 		h := md5.New()
-		io.WriteString(h, v0)
+		_, _ = io.WriteString(h, v0)
 		k0 := fmt.Sprintf("%x", h.Sum(nil))
 		data += k0 + "=" + url.QueryEscape(v0) + "&"
 	}
@@ -246,7 +268,7 @@ func DisabledTest(t *testing.T) {
 	for i := 0x00; i < 0xff; i++ {
 		v0 := strings.Repeat(string(i), 4096)
 		h := md5.New()
-		io.WriteString(h, v0)
+		_, _ = io.WriteString(h, v0)
 		k0 := fmt.Sprintf("%x", h.Sum(nil))
 		p1[k0] = v0
 	}
@@ -270,6 +292,10 @@ func DisabledTest(t *testing.T) {
 	delete(f0, "m0")
 	sendFcgi(1, fcgiParams, nil, nil, f0)

-	os.Remove(path0)
-	os.Remove(path1)
+	if err := os.Remove(path0); err != nil {
+		log.Println("[ERROR] failed to remove path: ", err)
+	}
+	if err := os.Remove(path1); err != nil {
+		log.Println("[ERROR] failed to remove path: ", err)
+	}
 }
@@ -1,15 +1,34 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package fastcgi

 import (
 	"errors"
+	"fmt"
+	"net"
 	"net/http"
 	"path/filepath"
+	"strings"
 	"time"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

+var defaultTimeout = 60 * time.Second
+
 func init() {
 	caddy.RegisterPlugin("fastcgi", caddy.Plugin{
 		ServerType: "http",
@@ -59,11 +78,20 @@ func fastcgiParse(c *caddy.Controller) ([]Rule, error) {
 		}

 		rule := Rule{
-			Root: absRoot,
-			Path: args[0],
+			Root:           absRoot,
+			Path:           args[0],
+			ConnectTimeout: defaultTimeout,
+			ReadTimeout:    defaultTimeout,
+			SendTimeout:    defaultTimeout,
 		}
+
 		upstreams := []string{args[1]}

+		srvUpstream := false
+		if strings.HasPrefix(upstreams[0], "srv://") {
+			srvUpstream = true
+		}
+
 		if len(args) == 3 {
 			if err := fastcgiPreset(args[2], &rule); err != nil {
 				return rules, err
@@ -98,6 +126,10 @@ func fastcgiParse(c *caddy.Controller) ([]Rule, error) {
 				rule.IndexFiles = args

 			case "upstream":
+				if srvUpstream {
+					return rules, c.Err("additional upstreams are not supported with SRV upstream")
+				}
+
 				args := c.RemainingArgs()

 				if len(args) != 1 {
@@ -147,13 +179,32 @@ func fastcgiParse(c *caddy.Controller) ([]Rule, error) {
 			}
 		}

-		rule.balancer = &roundRobin{addresses: upstreams, index: -1}
+		if srvUpstream {
+			balancer, err := parseSRV(upstreams[0])
+			if err != nil {
+				return rules, c.Err("malformed service locator string: " + err.Error())
+			}
+			rule.balancer = balancer
+		} else {
+			rule.balancer = &roundRobin{addresses: upstreams, index: -1}
+		}

 		rules = append(rules, rule)
 	}
 	return rules, nil
 }

+func parseSRV(locator string) (*srv, error) {
+	if locator[6:] == "" {
+		return nil, fmt.Errorf("%s does not include the host", locator)
+	}
+
+	return &srv{
+		service:  locator[6:],
+		resolver: &net.Resolver{},
+	}, nil
+}
+
 // fastcgiPreset configures rule according to name. It returns an error if
 // name is not a recognized preset name.
 func fastcgiPreset(name string, rule *Rule) error {
@@ -1,11 +1,28 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package fastcgi

 import (
+	"context"
 	"fmt"
+	"net"
 	"testing"
+	"time"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -29,10 +46,26 @@ func TestSetup(t *testing.T) {
 	if myHandler.Rules[0].Path != "/" {
 		t.Errorf("Expected / as the Path")
 	}
-	if myHandler.Rules[0].Address() != "127.0.0.1:9000" {
+	addr, err := myHandler.Rules[0].Address()
+	if err != nil {
+		t.Errorf("Unexpected error in trying to retrieve address: %s", err.Error())
+	}
+
+	if addr != "127.0.0.1:9000" {
 		t.Errorf("Expected 127.0.0.1:9000 as the Address")
 	}

+	if myHandler.Rules[0].ConnectTimeout != 60*time.Second {
+		t.Errorf("Expected default value of 60 seconds")
+	}
+
+	if myHandler.Rules[0].ReadTimeout != 60*time.Second {
+		t.Errorf("Expected default value of 60 seconds")
+	}
+
+	if myHandler.Rules[0].SendTimeout != 60*time.Second {
+		t.Errorf("Expected default value of 60 seconds")
+	}
 }

 func TestFastcgiParse(t *testing.T) {
@@ -44,21 +77,23 @@ func TestFastcgiParse(t *testing.T) {

 		{`fastcgi /blog 127.0.0.1:9000 php`,
 			false, []Rule{{
-				Path:       "/blog",
-				balancer:   &roundRobin{addresses: []string{"127.0.0.1:9000"}},
-				Ext:        ".php",
-				SplitPath:  ".php",
-				IndexFiles: []string{"index.php"},
+				Path:        "/blog",
+				balancer:    &roundRobin{addresses: []string{"127.0.0.1:9000"}},
+				Ext:         ".php",
+				SplitPath:   ".php",
+				IndexFiles:  []string{"index.php"},
+				SendTimeout: 60 * time.Second,
 			}}},
 		{`fastcgi / 127.0.0.1:9001 {
 	              split .html
 	              }`,
 			false, []Rule{{
-				Path:       "/",
-				balancer:   &roundRobin{addresses: []string{"127.0.0.1:9001"}},
-				Ext:        "",
-				SplitPath:  ".html",
-				IndexFiles: []string{},
+				Path:        "/",
+				balancer:    &roundRobin{addresses: []string{"127.0.0.1:9001"}},
+				Ext:         "",
+				SplitPath:   ".html",
+				IndexFiles:  []string{},
+				SendTimeout: 60 * time.Second,
 			}}},
 		{`fastcgi / 127.0.0.1:9001 {
 	              split .html
@@ -71,6 +106,17 @@ func TestFastcgiParse(t *testing.T) {
 				SplitPath:       ".html",
 				IndexFiles:      []string{},
 				IgnoredSubPaths: []string{"/admin", "/user"},
+				SendTimeout:     60 * time.Second,
+			}}},
+		{`fastcgi / 127.0.0.1:9001 {
+					send_timeout 30s
+				}`,
+			false, []Rule{{
+				Path:        "/",
+				balancer:    &roundRobin{addresses: []string{"127.0.0.1:9001"}},
+				Ext:         "",
+				IndexFiles:  []string{},
+				SendTimeout: 30 * time.Second,
 			}}},
 	}
 	for i, test := range tests {
@@ -92,9 +138,19 @@ func TestFastcgiParse(t *testing.T) {
 					i, j, test.expectedFastcgiConfig[j].Path, actualFastcgiConfig.Path)
 			}

-			if actualFastcgiConfig.Address() != test.expectedFastcgiConfig[j].Address() {
+			actualAddr, err := actualFastcgiConfig.Address()
+			if err != nil {
+				t.Errorf("Test %d unexpected error in trying to retrieve %dth actual address: %s", i, j, err.Error())
+			}
+
+			expectedAddr, err := test.expectedFastcgiConfig[j].Address()
+			if err != nil {
+				t.Errorf("Test %d unexpected error in trying to retrieve %dth expected address: %s", i, j, err.Error())
+			}
+
+			if actualAddr != expectedAddr {
 				t.Errorf("Test %d expected %dth FastCGI Address to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].Address(), actualFastcgiConfig.Address())
+					i, j, expectedAddr, actualAddr)
 			}

 			if actualFastcgiConfig.Ext != test.expectedFastcgiConfig[j].Ext {
@@ -116,7 +172,84 @@ func TestFastcgiParse(t *testing.T) {
 				t.Errorf("Test %d expected %dth FastCGI IgnoredSubPaths to be  %s  , but got %s",
 					i, j, test.expectedFastcgiConfig[j].IgnoredSubPaths, actualFastcgiConfig.IgnoredSubPaths)
 			}
+
+			if actualFastcgiConfig.SendTimeout != test.expectedFastcgiConfig[j].SendTimeout {
+				t.Errorf("Test %d expected %dth FastCGI SendTimeout to be %s   , but got %s",
+					i, j, test.expectedFastcgiConfig[j].SendTimeout, actualFastcgiConfig.SendTimeout)
+			}
 		}
 	}

 }
+
+func TestFastCGIResolveSRV(t *testing.T) {
+	tests := []struct {
+		inputFastcgiConfig string
+		locator            string
+		target             string
+		port               uint16
+		shouldErr          bool
+	}{
+		{
+			`fastcgi / srv://fpm.tcp.service.consul {
+				upstream yolo
+			}`,
+			"fpm.tcp.service.consul",
+			"127.0.0.1",
+			9000,
+			true,
+		},
+		{
+			`fastcgi / srv://fpm.tcp.service.consul`,
+			"fpm.tcp.service.consul",
+			"127.0.0.1",
+			9000,
+			false,
+		},
+	}
+
+	for i, test := range tests {
+		actualFastcgiConfigs, err := fastcgiParse(caddy.NewTestController("http", test.inputFastcgiConfig))
+
+		if err == nil && test.shouldErr {
+			t.Errorf("Test %d didn't error, but it should have", i)
+		} else if err != nil && !test.shouldErr {
+			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
+		}
+
+		for _, actualFastcgiConfig := range actualFastcgiConfigs {
+			resolver, ok := (actualFastcgiConfig.balancer).(*srv)
+			if !ok {
+				t.Errorf("Test %d upstream balancer is not srv", i)
+			}
+			resolver.resolver = buildTestResolver(test.target, test.port)
+
+			addr, err := actualFastcgiConfig.Address()
+			if err != nil {
+				t.Errorf("Test %d failed to retrieve upstream address. %s", i, err.Error())
+			}
+
+			expectedAddr := fmt.Sprintf("%s:%d", test.target, test.port)
+			if addr != expectedAddr {
+				t.Errorf("Test %d expected upstream address to be %s, got %s", i, expectedAddr, addr)
+			}
+		}
+	}
+}
+
+func buildTestResolver(target string, port uint16) srvResolver {
+	return &testSRVResolver{target, port}
+}
+
+type testSRVResolver struct {
+	target string
+	port   uint16
+}
+
+func (r *testSRVResolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*net.SRV, error) {
+	return "", []*net.SRV{
+		{Target: r.target,
+			Port:     r.port,
+			Priority: 1,
+			Weight:   1}}, nil
+}
@@ -1,14 +1,29 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package gzip provides a middleware layer that performs
 // gzip compression on the response.
 package gzip

 import (
+	"compress/gzip"
 	"io"
 	"net/http"
 	"strings"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -51,21 +66,31 @@ outer:
 			}
 		}

-		// gzipWriter modifies underlying writer at init,
-		// use a discard writer instead to leave ResponseWriter in
-		// original form.
-		gzipWriter := getWriter(c.Level)
-		defer putWriter(c.Level, gzipWriter)
+		// In order to avoid unused memory allocation, gzip.putWriter only be called when gzip compression happened.
+		// see https://github.com/caddyserver/caddy/issues/2395
 		gz := &gzipResponseWriter{
-			Writer:                gzipWriter,
 			ResponseWriterWrapper: &httpserver.ResponseWriterWrapper{ResponseWriter: w},
+			newWriter: func() io.Writer {
+				// gzipWriter modifies underlying writer at init,
+				// use a discard writer instead to leave ResponseWriter in
+				// original form.
+				return getWriter(c.Level)
+			},
 		}

+		defer func() {
+			if gzWriter, ok := gz.internalWriter.(*gzip.Writer); ok {
+				putWriter(c.Level, gzWriter)
+			}
+		}()
+
 		var rw http.ResponseWriter
 		// if no response filter is used
 		if len(c.ResponseFilters) == 0 {
 			// replace discard writer with ResponseWriter
-			gzipWriter.Reset(w)
+			if gzWriter, ok := gz.Writer().(*gzip.Writer); ok {
+				gzWriter.Reset(w)
+			}
 			rw = gz
 		} else {
 			// wrap gzip writer with ResponseFilterWriter
@@ -89,12 +114,13 @@ outer:
 	return g.Next.ServeHTTP(w, r)
 }

-// gzipResponeWriter wraps the underlying Write method
+// gzipResponseWriter wraps the underlying Write method
 // with a gzip.Writer to compress the output.
 type gzipResponseWriter struct {
-	io.Writer
+	internalWriter io.Writer
 	*httpserver.ResponseWriterWrapper
 	statusCodeWritten bool
+	newWriter         func() io.Writer
 }

 // WriteHeader wraps the underlying WriteHeader method to prevent
@@ -104,7 +130,19 @@ type gzipResponseWriter struct {
 func (w *gzipResponseWriter) WriteHeader(code int) {
 	w.Header().Del("Content-Length")
 	w.Header().Set("Content-Encoding", "gzip")
-	w.Header().Add("Vary", "Accept-Encoding")
+	varyList, exist := w.Header()["Vary"]
+	shouldAddVary := true
+	if exist {
+		for _, vary := range varyList {
+			if vary == "Accept-Encoding" {
+				shouldAddVary = false
+				break
+			}
+		}
+	}
+	if shouldAddVary {
+		w.Header().Add("Vary", "Accept-Encoding")
+	}
 	originalEtag := w.Header().Get("ETag")
 	if originalEtag != "" && !strings.HasPrefix(originalEtag, "W/") {
 		w.Header().Set("ETag", "W/"+originalEtag)
@@ -121,9 +159,17 @@ func (w *gzipResponseWriter) Write(b []byte) (int, error) {
 	if !w.statusCodeWritten {
 		w.WriteHeader(http.StatusOK)
 	}
-	n, err := w.Writer.Write(b)
+	n, err := w.Writer().Write(b)
 	return n, err
 }

+//Writer use a lazy way to initialize Writer
+func (w *gzipResponseWriter) Writer() io.Writer {
+	if w.internalWriter == nil {
+		w.internalWriter = w.newWriter()
+	}
+	return w.internalWriter
+}
+
 // Interface guards
 var _ httpserver.HTTPInterfaces = (*gzipResponseWriter)(nil)
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
@@ -9,7 +23,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestGzipHandler(t *testing.T) {
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
 	"net/http"
 	"path"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // RequestFilter determines if a request should be gzipped.
@@ -16,7 +30,7 @@ type RequestFilter interface {

 // defaultExtensions is the list of default extensions for which to enable gzipping.
 var defaultExtensions = []string{"", ".txt", ".htm", ".html", ".css", ".php", ".js", ".json",
-	".md", ".mdown", ".xml", ".svg", ".go", ".cgi", ".py", ".pl", ".aspx", ".asp"}
+	".md", ".mdown", ".xml", ".svg", ".go", ".cgi", ".py", ".pl", ".aspx", ".asp", ".m3u", ".m3u8", ".wasm"}

 // DefaultExtFilter creates an ExtFilter with default extensions.
 func DefaultExtFilter() ExtFilter {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
@@ -68,7 +82,7 @@ func (r *ResponseFilterWriter) WriteHeader(code int) {

 	if r.shouldCompress {
 		// replace discard writer with ResponseWriter
-		if gzWriter, ok := r.gzipResponseWriter.Writer.(*gzip.Writer); ok {
+		if gzWriter, ok := r.gzipResponseWriter.Writer().(*gzip.Writer); ok {
 			gzWriter.Reset(r.ResponseWriter)
 		}
 		// use gzip WriteHeader to include and delete
@@ -1,13 +1,28 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
 	"compress/gzip"
 	"fmt"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestLengthFilter(t *testing.T) {
@@ -33,7 +48,7 @@ func TestLengthFilter(t *testing.T) {
 		for j, filter := range filters {
 			r := httptest.NewRecorder()
 			r.Header().Set("Content-Length", fmt.Sprint(ts.length))
-			wWriter := NewResponseFilterWriter([]ResponseFilter{filter}, &gzipResponseWriter{gzip.NewWriter(r), &httpserver.ResponseWriterWrapper{ResponseWriter: r}, false})
+			wWriter := NewResponseFilterWriter([]ResponseFilter{filter}, &gzipResponseWriter{gzip.NewWriter(r), &httpserver.ResponseWriterWrapper{ResponseWriter: r}, false, nil})
 			if filter.ShouldCompress(wWriter) != ts.shouldCompress[j] {
 				t.Errorf("Test %v: Expected %v found %v", i, ts.shouldCompress[j], filter.ShouldCompress(r))
 			}
@@ -63,7 +78,9 @@ func TestResponseFilterWriter(t *testing.T) {
 	for i, ts := range tests {
 		server.Next = httpserver.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
 			w.Header().Set("Content-Length", fmt.Sprint(len(ts.body)))
-			w.Write([]byte(ts.body))
+			if _, err := w.Write([]byte(ts.body)); err != nil {
+				log.Println("[ERROR] failed to write response: ", err)
+			}
 			return 200, nil
 		})

@@ -72,7 +89,9 @@ func TestResponseFilterWriter(t *testing.T) {

 		w := httptest.NewRecorder()

-		server.ServeHTTP(w, r)
+		if _, err := server.ServeHTTP(w, r); err != nil {
+			log.Println("[ERROR] unable to serve a gzipped response: ", err)
+		}

 		resp := w.Body.String()

@@ -95,7 +114,9 @@ func TestResponseGzippedOutput(t *testing.T) {

 	server.Next = httpserver.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
 		w.Header().Set("Content-Encoding", "gzip")
-		w.Write([]byte("gzipped"))
+		if _, err := w.Write([]byte("gzipped")); err != nil {
+			log.Println("[ERROR] failed to write response: ", err)
+		}
 		return 200, nil
 	})

@@ -103,7 +124,9 @@ func TestResponseGzippedOutput(t *testing.T) {
 	r.Header.Set("Accept-Encoding", "gzip")

 	w := httptest.NewRecorder()
-	server.ServeHTTP(w, r)
+	if _, err := server.ServeHTTP(w, r); err != nil {
+		log.Println("[ERROR] unable to serve a gzipped response: ", err)
+	}
 	resp := w.Body.String()

 	if resp != "gzipped" {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
@@ -8,8 +22,8 @@ import (
 	"strings"
 	"sync"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // setup configures a new gzip middleware instance.
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package gzip

 import (
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package header provides middleware that appends headers to
 // requests based on a set of configuration rules that define
 // which routes receive which headers.
@@ -7,7 +21,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // Headers is middleware that adds headers to the responses
@@ -1,7 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package header

 import (
 	"fmt"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -9,7 +24,7 @@ import (
 	"sort"
 	"testing"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestHeader(t *testing.T) {
@@ -55,7 +70,9 @@ func TestHeader(t *testing.T) {
 		// preset header
 		rec.Header().Set("Server", "Caddy")

-		he.ServeHTTP(rec, req)
+		if _, err := he.ServeHTTP(rec, req); err != nil {
+			log.Println("[ERROR] ServeHTTP failed: ", err)
+		}

 		if got := rec.Header().Get(test.name); got != test.value {
 			t.Errorf("Test %d: Expected %s header to be %q but was %q",
@@ -67,7 +84,9 @@ func TestHeader(t *testing.T) {
 func TestMultipleHeaders(t *testing.T) {
 	he := Headers{
 		Next: httpserver.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-			fmt.Fprint(w, "This is a test")
+			if _, err := fmt.Fprint(w, "This is a test"); err != nil {
+				log.Println("[ERROR] Fprint failed: ", err)
+			}
 			return 0, nil
 		}),
 		Rules: []Rule{
@@ -83,7 +102,9 @@ func TestMultipleHeaders(t *testing.T) {
 	}

 	rec := httptest.NewRecorder()
-	he.ServeHTTP(rec, req)
+	if _, err := he.ServeHTTP(rec, req); err != nil {
+		log.Println("[ERROR] ServeHTTP failed: ", err)
+	}

 	desiredHeaders := []string{"</css/main.css>; rel=preload", "</images/image.png>; rel=preload"}
 	actualHeaders := rec.HeaderMap[http.CanonicalHeaderKey("Link")]
@@ -1,10 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package header

 import (
 	"net/http"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package header

 import (
@@ -6,8 +20,8 @@ import (
 	"reflect"
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func TestSetup(t *testing.T) {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -6,7 +20,7 @@ import (
 	"regexp"
 	"strings"

-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
 )

 // SetupIfMatcher parses `if` or `if_op` in the current dispenser block.
@@ -26,6 +40,7 @@ func SetupIfMatcher(controller *caddy.Controller) (RequestMatcher, error) {
 				return matcher, err
 			}
 			matcher.ifs = append(matcher.ifs, ifc)
+			matcher.Enabled = true
 		case "if_op":
 			if !c.NextArg() {
 				return matcher, c.ArgErr()
@@ -53,59 +68,8 @@ const (
 	matchOp      = "match"
 )

-func operatorError(operator string) error {
-	return fmt.Errorf("Invalid operator %v", operator)
-}
-
 // ifCondition is a 'if' condition.
-type ifCondition func(string, string) bool
-
-var ifConditions = map[string]ifCondition{
-	isOp:         isFunc,
-	notOp:        notFunc,
-	hasOp:        hasFunc,
-	startsWithOp: startsWithFunc,
-	endsWithOp:   endsWithFunc,
-	matchOp:      matchFunc,
-}
-
-// isFunc is condition for Is operator.
-// It checks for equality.
-func isFunc(a, b string) bool {
-	return a == b
-}
-
-// notFunc is condition for Not operator.
-// It checks for inequality.
-func notFunc(a, b string) bool {
-	return !isFunc(a, b)
-}
-
-// hasFunc is condition for Has operator.
-// It checks if b is a substring of a.
-func hasFunc(a, b string) bool {
-	return strings.Contains(a, b)
-}
-
-// startsWithFunc is condition for StartsWith operator.
-// It checks if b is a prefix of a.
-func startsWithFunc(a, b string) bool {
-	return strings.HasPrefix(a, b)
-}
-
-// endsWithFunc is condition for EndsWith operator.
-// It checks if b is a suffix of a.
-func endsWithFunc(a, b string) bool {
-	return strings.HasSuffix(a, b)
-}
-
-// matchFunc is condition for Match operator.
-// It does regexp matching of a against pattern in b
-// and returns if they match.
-func matchFunc(a, b string) bool {
-	matched, _ := regexp.MatchString(b, a)
-	return matched
-}
+type ifFunc func(a, b string) bool

 // ifCond is statement for a IfMatcher condition.
 type ifCond struct {
@@ -113,48 +77,88 @@ type ifCond struct {
 	op  string
 	b   string
 	neg bool
+	rex *regexp.Regexp
+	f   ifFunc
 }

 // newIfCond creates a new If condition.
-func newIfCond(a, operator, b string) (ifCond, error) {
-	neg := false
-	if strings.HasPrefix(operator, "not_") {
-		neg = true
-		operator = operator[4:]
+func newIfCond(a, op, b string) (ifCond, error) {
+	i := ifCond{a: a, op: op, b: b}
+	if strings.HasPrefix(op, "not_") {
+		i.neg = true
+		i.op = op[4:]
 	}
-	if _, ok := ifConditions[operator]; !ok {
-		return ifCond{}, operatorError(operator)
+
+	switch i.op {
+	case isOp:
+		// It checks for equality.
+		i.f = i.isFunc
+	case notOp:
+		// It checks for inequality.
+		i.f = i.notFunc
+	case hasOp:
+		// It checks if b is a substring of a.
+		i.f = strings.Contains
+	case startsWithOp:
+		// It checks if b is a prefix of a.
+		i.f = strings.HasPrefix
+	case endsWithOp:
+		// It checks if b is a suffix of a.
+		i.f = strings.HasSuffix
+	case matchOp:
+		// It does regexp matching of a against pattern in b and returns if they match.
+		var err error
+		if i.rex, err = regexp.Compile(i.b); err != nil {
+			return ifCond{}, fmt.Errorf("Invalid regular expression: '%s', %v", i.b, err)
+		}
+		i.f = i.matchFunc
+	default:
+		return ifCond{}, fmt.Errorf("Invalid operator %v", i.op)
 	}
-	return ifCond{
-		a:   a,
-		op:  operator,
-		b:   b,
-		neg: neg,
-	}, nil
+
+	return i, nil
+}
+
+// isFunc is condition for Is operator.
+func (i ifCond) isFunc(a, b string) bool {
+	return a == b
+}
+
+// notFunc is condition for Not operator.
+func (i ifCond) notFunc(a, b string) bool {
+	return a != b
+}
+
+// matchFunc is condition for Match operator.
+func (i ifCond) matchFunc(a, b string) bool {
+	return i.rex.MatchString(a)
 }

 // True returns true if the condition is true and false otherwise.
 // If r is not nil, it replaces placeholders before comparison.
 func (i ifCond) True(r *http.Request) bool {
-	if c, ok := ifConditions[i.op]; ok {
+	if i.f != nil {
 		a, b := i.a, i.b
 		if r != nil {
 			replacer := NewReplacer(r, nil, "")
 			a = replacer.Replace(i.a)
-			b = replacer.Replace(i.b)
+			if i.op != matchOp {
+				b = replacer.Replace(i.b)
+			}
 		}
 		if i.neg {
-			return !c(a, b)
+			return !i.f(a, b)
 		}
-		return c(a, b)
+		return i.f(a, b)
 	}
 	return i.neg // false if not negated, true otherwise
 }

 // IfMatcher is a RequestMatcher for 'if' conditions.
 type IfMatcher struct {
-	ifs  []ifCond // list of If
-	isOr bool     // if true, conditions are 'or' instead of 'and'
+	Enabled bool     // if true, matcher has been configured; otherwise it's no-op
+	ifs     []ifCond // list of If
+	isOr    bool     // if true, conditions are 'or' instead of 'and'
 }

 // Match satisfies RequestMatcher interface.
@@ -187,7 +191,7 @@ func (m IfMatcher) Or(r *http.Request) bool {
 }

 // IfMatcherKeyword checks if the next value in the dispenser is a keyword for 'if' config block.
-// If true, remaining arguments in the dispinser are cleard to keep the dispenser valid for use.
+// If true, remaining arguments in the dispenser are cleared to keep the dispenser valid for use.
 func IfMatcherKeyword(c *caddy.Controller) bool {
 	if c.Val() == "if" || c.Val() == "if_op" {
 		// clear remaining args
@@ -1,79 +1,99 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"context"
-	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 	"testing"

-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
 )

 func TestConditions(t *testing.T) {
 	tests := []struct {
 		condition string
 		isTrue    bool
+		shouldErr bool
 	}{
-		{"a is b", false},
-		{"a is a", true},
-		{"a not b", true},
-		{"a not a", false},
-		{"a has a", true},
-		{"a has b", false},
-		{"ba has b", true},
-		{"bab has b", true},
-		{"bab has bb", false},
-		{"a not_has a", false},
-		{"a not_has b", true},
-		{"ba not_has b", false},
-		{"bab not_has b", false},
-		{"bab not_has bb", true},
-		{"bab starts_with bb", false},
-		{"bab starts_with ba", true},
-		{"bab starts_with bab", true},
-		{"bab not_starts_with bb", true},
-		{"bab not_starts_with ba", false},
-		{"bab not_starts_with bab", false},
-		{"bab ends_with bb", false},
-		{"bab ends_with bab", true},
-		{"bab ends_with ab", true},
-		{"bab not_ends_with bb", true},
-		{"bab not_ends_with ab", false},
-		{"bab not_ends_with bab", false},
-		{"a match *", false},
-		{"a match a", true},
-		{"a match .*", true},
-		{"a match a.*", true},
-		{"a match b.*", false},
-		{"ba match b.*", true},
-		{"ba match b[a-z]", true},
-		{"b0 match b[a-z]", false},
-		{"b0a match b[a-z]", false},
-		{"b0a match b[a-z]+", false},
-		{"b0a match b[a-z0-9]+", true},
-		{"a not_match *", true},
-		{"a not_match a", false},
-		{"a not_match .*", false},
-		{"a not_match a.*", false},
-		{"a not_match b.*", true},
-		{"ba not_match b.*", false},
-		{"ba not_match b[a-z]", false},
-		{"b0 not_match b[a-z]", true},
-		{"b0a not_match b[a-z]", true},
-		{"b0a not_match b[a-z]+", true},
-		{"b0a not_match b[a-z0-9]+", false},
+		{"a is b", false, false},
+		{"a is a", true, false},
+		{"a not b", true, false},
+		{"a not a", false, false},
+		{"a has a", true, false},
+		{"a has b", false, false},
+		{"ba has b", true, false},
+		{"bab has b", true, false},
+		{"bab has bb", false, false},
+		{"a not_has a", false, false},
+		{"a not_has b", true, false},
+		{"ba not_has b", false, false},
+		{"bab not_has b", false, false},
+		{"bab not_has bb", true, false},
+		{"bab starts_with bb", false, false},
+		{"bab starts_with ba", true, false},
+		{"bab starts_with bab", true, false},
+		{"bab not_starts_with bb", true, false},
+		{"bab not_starts_with ba", false, false},
+		{"bab not_starts_with bab", false, false},
+		{"bab ends_with bb", false, false},
+		{"bab ends_with bab", true, false},
+		{"bab ends_with ab", true, false},
+		{"bab not_ends_with bb", true, false},
+		{"bab not_ends_with ab", false, false},
+		{"bab not_ends_with bab", false, false},
+		{"a match *", false, true},
+		{"a match a", true, false},
+		{"a match .*", true, false},
+		{"a match a.*", true, false},
+		{"a match b.*", false, false},
+		{"ba match b.*", true, false},
+		{"ba match b[a-z]", true, false},
+		{"b0 match b[a-z]", false, false},
+		{"b0a match b[a-z]", false, false},
+		{"b0a match b[a-z]+", false, false},
+		{"b0a match b[a-z0-9]+", true, false},
+		{"bac match b[a-z]{2}", true, false},
+		{"a not_match *", false, true},
+		{"a not_match a", false, false},
+		{"a not_match .*", false, false},
+		{"a not_match a.*", false, false},
+		{"a not_match b.*", true, false},
+		{"ba not_match b.*", false, false},
+		{"ba not_match b[a-z]", false, false},
+		{"b0 not_match b[a-z]", true, false},
+		{"b0a not_match b[a-z]", true, false},
+		{"b0a not_match b[a-z]+", true, false},
+		{"b0a not_match b[a-z0-9]+", false, false},
+		{"bac not_match b[a-z]{2}", false, false},
 	}

 	for i, test := range tests {
 		str := strings.Fields(test.condition)
 		ifCond, err := newIfCond(str[0], str[1], str[2])
 		if err != nil {
-			t.Error(err)
+			if !test.shouldErr {
+				t.Error(err)
+			}
+			continue
 		}
 		isTrue := ifCond.True(nil)
 		if isTrue != test.isTrue {
-			t.Errorf("Test %d: expected %v found %v", i, test.isTrue, isTrue)
+			t.Errorf("Test %d: '%s' expected %v found %v", i, test.condition, test.isTrue, isTrue)
 		}
 	}

@@ -192,6 +212,7 @@ func TestIfMatcher(t *testing.T) {
 }

 func TestSetupIfMatcher(t *testing.T) {
+	rex_b, _ := regexp.Compile("b")
 	tests := []struct {
 		input     string
 		shouldErr bool
@@ -201,7 +222,7 @@ func TestSetupIfMatcher(t *testing.T) {
 			if	a match b
 		 }`, false, IfMatcher{
 			ifs: []ifCond{
-				{a: "a", op: "match", b: "b", neg: false},
+				{a: "a", op: "match", b: "b", neg: false, rex: rex_b},
 			},
 		}},
 		{`test {
@@ -209,7 +230,7 @@ func TestSetupIfMatcher(t *testing.T) {
 			if_op or
 		 }`, false, IfMatcher{
 			ifs: []ifCond{
-				{a: "a", op: "match", b: "b", neg: false},
+				{a: "a", op: "match", b: "b", neg: false, rex: rex_b},
 			},
 			isOr: true,
 		}},
@@ -255,6 +276,7 @@ func TestSetupIfMatcher(t *testing.T) {
 	for i, test := range tests {
 		c := caddy.NewTestController("http", test.input)
 		c.Next()
+
 		matcher, err := SetupIfMatcher(c)
 		if err == nil && test.shouldErr {
 			t.Errorf("Test %d didn't error, but it should have", i)
@@ -263,15 +285,60 @@ func TestSetupIfMatcher(t *testing.T) {
 		} else if err != nil && test.shouldErr {
 			continue
 		}
-		if _, ok := matcher.(IfMatcher); !ok {
+
+		test_if, ok := matcher.(IfMatcher)
+		if !ok {
 			t.Error("RequestMatcher should be of type IfMatcher")
 		}
+
 		if err != nil {
 			t.Errorf("Expected no error, but got: %v", err)
 		}
-		if fmt.Sprint(matcher) != fmt.Sprint(test.expected) {
-			t.Errorf("Test %v: Expected %v, found %v", i,
-				fmt.Sprint(test.expected), fmt.Sprint(matcher))
+
+		if len(test_if.ifs) != len(test.expected.ifs) {
+			t.Errorf("Test %d: Expected %d ifConditions, found %v", i,
+				len(test.expected.ifs), len(test_if.ifs))
+		}
+
+		for j, if_c := range test_if.ifs {
+			expected_c := test.expected.ifs[j]
+
+			if if_c.a != expected_c.a {
+				t.Errorf("Test %d, ifCond %d: Expected A=%s, got %s",
+					i, j, if_c.a, expected_c.a)
+			}
+
+			if if_c.op != expected_c.op {
+				t.Errorf("Test %d, ifCond %d: Expected Op=%s, got %s",
+					i, j, if_c.op, expected_c.op)
+			}
+
+			if if_c.b != expected_c.b {
+				t.Errorf("Test %d, ifCond %d: Expected B=%s, got %s",
+					i, j, if_c.b, expected_c.b)
+			}
+
+			if if_c.neg != expected_c.neg {
+				t.Errorf("Test %d, ifCond %d: Expected Neg=%v, got %v",
+					i, j, if_c.neg, expected_c.neg)
+			}
+
+			if expected_c.rex != nil && if_c.rex == nil {
+				t.Errorf("Test %d, ifCond %d: Expected Rex=%v, got <nil>",
+					i, j, expected_c.rex)
+			}
+
+			if expected_c.rex == nil && if_c.rex != nil {
+				t.Errorf("Test %d, ifCond %d: Expected Rex=<nil>, got %v",
+					i, j, if_c.rex)
+			}
+
+			if expected_c.rex != nil && if_c.rex != nil {
+				if if_c.rex.String() != expected_c.rex.String() {
+					t.Errorf("Test %d, ifCond %d: Expected Rex=%v, got %v",
+						i, j, if_c.rex, expected_c.rex)
+				}
+			}
 		}
 	}
 }
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -1,19 +1,35 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"fmt"
 	"net"
 	"net/http"
+	"strconv"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddytls"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/mholt/certmagic"
 )

 func activateHTTPS(cctx caddy.Context) error {
 	operatorPresent := !caddy.Started()

 	if !caddy.Quiet && operatorPresent {
-		fmt.Print("Activating privacy features...")
+		fmt.Print("Activating privacy features... ")
 	}

 	ctx := cctx.(*httpContext)
@@ -23,10 +39,13 @@ func activateHTTPS(cctx caddy.Context) error {

 	// place certificates and keys on disk
 	for _, c := range ctx.siteConfigs {
-		if c.TLS.OnDemand {
+		if !c.TLS.Managed {
+			continue
+		}
+		if c.TLS.Manager.OnDemand != nil {
 			continue // obtain these certificates on-demand instead
 		}
-		err := c.TLS.ObtainCert(c.TLS.Hostname, operatorPresent)
+		err := c.TLS.Manager.ObtainCert(c.TLS.Hostname, operatorPresent)
 		if err != nil {
 			return err
 		}
@@ -44,13 +63,23 @@ func activateHTTPS(cctx caddy.Context) error {
 	// renew all relevant certificates that need renewal. this is important
 	// to do right away so we guarantee that renewals aren't missed, and
 	// also the user can respond to any potential errors that occur.
-	err = caddytls.RenewManagedCertificates(true)
-	if err != nil {
-		return err
+	// (skip if upgrading, because the parent process is likely already listening
+	// on the ports we'd need to do ACME before we finish starting; parent process
+	// already running renewal ticker, so renewal won't be missed anyway.)
+	if !caddy.IsUpgrade() {
+		ctx.instance.StorageMu.RLock()
+		certCache, ok := ctx.instance.Storage[caddytls.CertCacheInstStorageKey].(*certmagic.Cache)
+		ctx.instance.StorageMu.RUnlock()
+		if ok && certCache != nil {
+			err = certCache.RenewManagedCertificates()
+			if err != nil {
+				return err
+			}
+		}
 	}

 	if !caddy.Quiet && operatorPresent {
-		fmt.Println(" done.")
+		fmt.Println("done.")
 	}

 	return nil
@@ -76,13 +105,14 @@ func markQualifiedForAutoHTTPS(configs []*SiteConfig) {
 // value will always be nil.
 func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error {
 	for _, cfg := range configs {
-		if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed || cfg.TLS.OnDemand {
+		if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed ||
+			cfg.TLS.Manager == nil || cfg.TLS.Manager.OnDemand != nil {
 			continue
 		}
 		cfg.TLS.Enabled = true
 		cfg.Addr.Scheme = "https"
-		if loadCertificates && caddytls.HostQualifies(cfg.Addr.Host) {
-			_, err := cfg.TLS.CacheManagedCertificate(cfg.Addr.Host)
+		if loadCertificates && certmagic.HostQualifies(cfg.TLS.Hostname) {
+			_, err := cfg.TLS.Manager.CacheManagedCertificate(cfg.TLS.Hostname)
 			if err != nil {
 				return err
 			}
@@ -94,9 +124,9 @@ func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error {
 		// Set default port of 443 if not explicitly set
 		if cfg.Addr.Port == "" &&
 			cfg.TLS.Enabled &&
-			(!cfg.TLS.Manual || cfg.TLS.OnDemand) &&
+			(!cfg.TLS.Manual || cfg.TLS.Manager.OnDemand != nil) &&
 			cfg.Addr.Host != "localhost" {
-			cfg.Addr.Port = HTTPSPort
+			cfg.Addr.Port = strconv.Itoa(certmagic.HTTPSPort)
 		}
 	}
 	return nil
@@ -109,10 +139,12 @@ func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error {
 // only set up redirects for configs that qualify. It returns the updated list of
 // all configs.
 func makePlaintextRedirects(allConfigs []*SiteConfig) []*SiteConfig {
+	httpPort := strconv.Itoa(certmagic.HTTPPort)
+	httpsPort := strconv.Itoa(certmagic.HTTPSPort)
 	for i, cfg := range allConfigs {
 		if cfg.TLS.Managed &&
-			!hostHasOtherPort(allConfigs, i, HTTPPort) &&
-			(cfg.Addr.Port == HTTPSPort || !hostHasOtherPort(allConfigs, i, HTTPSPort)) {
+			!hostHasOtherPort(allConfigs, i, httpPort) &&
+			(cfg.Addr.Port == httpsPort || !hostHasOtherPort(allConfigs, i, httpsPort)) {
 			allConfigs = append(allConfigs, redirPlaintextHost(cfg))
 		}
 	}
@@ -138,26 +170,40 @@ func hostHasOtherPort(allConfigs []*SiteConfig, thisConfigIdx int, otherPort str
 // redirPlaintextHost returns a new plaintext HTTP configuration for
 // a virtualHost that simply redirects to cfg, which is assumed to
 // be the HTTPS configuration. The returned configuration is set
-// to listen on HTTPPort. The TLS field of cfg must not be nil.
+// to listen on certmagic.HTTPPort. The TLS field of cfg must not be nil.
 func redirPlaintextHost(cfg *SiteConfig) *SiteConfig {
 	redirPort := cfg.Addr.Port
-	if redirPort == DefaultHTTPSPort {
-		redirPort = "" // default port is redundant
+	if redirPort == strconv.Itoa(certmagic.HTTPSPort) {
+		// By default, HTTPSPort should be DefaultHTTPSPort,
+		// which of course doesn't need to be explicitly stated
+		// in the Location header. Even if HTTPSPort is changed
+		// so that it is no longer DefaultHTTPSPort, we shouldn't
+		// append it to the URL in the Location because changing
+		// the HTTPS port is assumed to be an internal-only change
+		// (in other words, we assume port forwarding is going on);
+		// but redirects go back to a presumably-external client.
+		// (If redirect clients are also internal, that is more
+		// advanced, and the user should configure HTTP->HTTPS
+		// redirects themselves.)
+		redirPort = ""
 	}
+
 	redirMiddleware := func(next Handler) Handler {
 		return HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-			// Construct the URL to which to redirect. Note that the Host in a request might
-			// contain a port, but we just need the hostname; we'll set the port if needed.
+			// Construct the URL to which to redirect. Note that the Host in a
+			// request might contain a port, but we just need the hostname from
+			// it; and we'll set the port if needed.
 			toURL := "https://"
 			requestHost, _, err := net.SplitHostPort(r.Host)
 			if err != nil {
-				requestHost = r.Host // Host did not contain a port; great
+				requestHost = r.Host // Host did not contain a port, so use the whole value
 			}
 			if redirPort == "" {
 				toURL += requestHost
 			} else {
 				toURL += net.JoinHostPort(requestHost, redirPort)
 			}
+
 			toURL += r.URL.RequestURI()

 			w.Header().Set("Connection", "close")
@@ -165,14 +211,16 @@ func redirPlaintextHost(cfg *SiteConfig) *SiteConfig {
 			return 0, nil
 		})
 	}
+
 	host := cfg.Addr.Host
-	port := HTTPPort
+	port := strconv.Itoa(certmagic.HTTPPort)
 	addr := net.JoinHostPort(host, port)
+
 	return &SiteConfig{
 		Addr:       Address{Original: addr, Host: host, Port: port},
 		ListenHost: cfg.ListenHost,
 		middleware: []Middleware{redirMiddleware},
-		TLS:        &caddytls.Config{AltHTTPPort: cfg.TLS.AltHTTPPort, AltTLSSNIPort: cfg.TLS.AltTLSSNIPort},
+		TLS:        &caddytls.Config{Manager: cfg.TLS.Manager},
 		Timeouts:   cfg.Timeouts,
 	}
 }
@@ -1,13 +1,30 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"fmt"
+	"log"
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"testing"

-	"github.com/mholt/caddy/caddytls"
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/mholt/certmagic"
 )

 func TestRedirPlaintextHost(t *testing.T) {
@@ -39,7 +56,7 @@ func TestRedirPlaintextHost(t *testing.T) {
 		},
 		{
 			Host: "foohost",
-			Port: "443", // since this is the default HTTPS port, should not be included in Location value
+			Port: strconv.Itoa(certmagic.HTTPSPort), // since this is the 'default' HTTPS port, should not be included in Location value
 		},
 		{
 			Host:        "*.example.com",
@@ -67,7 +84,7 @@ func TestRedirPlaintextHost(t *testing.T) {
 		if actual, expected := cfg.ListenHost, testcase.ListenHost; actual != expected {
 			t.Errorf("Test %d: Expected redir config to have bindhost %s but got %s", i, expected, actual)
 		}
-		if actual, expected := cfg.Addr.Port, HTTPPort; actual != expected {
+		if actual, expected := cfg.Addr.Port, strconv.Itoa(certmagic.HTTPPort); actual != expected {
 			t.Errorf("Test %d: Expected redir config to have port '%s' but got '%s'", i, expected, actual)
 		}

@@ -161,11 +178,13 @@ func TestMakePlaintextRedirects(t *testing.T) {

 func TestEnableAutoHTTPS(t *testing.T) {
 	configs := []*SiteConfig{
-		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{Managed: true}},
+		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{Managed: true, Manager: &certmagic.Config{}}},
 		{}, // not managed - no changes!
 	}

-	enableAutoHTTPS(configs, false)
+	if err := enableAutoHTTPS(configs, false); err != nil {
+		log.Println("[ERROR]  enableAutoHTTPS failed: ", err)
+	}

 	if !configs[0].TLS.Enabled {
 		t.Errorf("Expected config 0 to have TLS.Enabled == true, but it was false")
@@ -182,18 +201,18 @@ func TestEnableAutoHTTPS(t *testing.T) {
 func TestMarkQualifiedForAutoHTTPS(t *testing.T) {
 	// TODO: caddytls.TestQualifiesForManagedTLS and this test share nearly the same config list...
 	configs := []*SiteConfig{
-		{Addr: Address{Host: ""}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "localhost"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "123.44.3.21"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "example.com"}, TLS: new(caddytls.Config)},
+		{Addr: Address{Host: ""}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "localhost"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "123.44.3.21"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "example.com"}, TLS: newManagedConfig()},
 		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{Manual: true}},
 		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{ACMEEmail: "off"}},
-		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{ACMEEmail: "foo@bar.com"}},
-		{Addr: Address{Host: "example.com", Scheme: "http"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "example.com", Port: "80"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "example.com", Port: "1234"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "example.com", Scheme: "https"}, TLS: new(caddytls.Config)},
-		{Addr: Address{Host: "example.com", Port: "80", Scheme: "https"}, TLS: new(caddytls.Config)},
+		{Addr: Address{Host: "example.com"}, TLS: &caddytls.Config{ACMEEmail: "foo@bar.com", Manager: &certmagic.Config{}}},
+		{Addr: Address{Host: "example.com", Scheme: "http"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "example.com", Port: "80"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "example.com", Port: "1234"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "example.com", Scheme: "https"}, TLS: newManagedConfig()},
+		{Addr: Address{Host: "example.com", Port: "80", Scheme: "https"}, TLS: newManagedConfig()},
 	}
 	expectedManagedCount := 4

@@ -210,3 +229,7 @@ func TestMarkQualifiedForAutoHTTPS(t *testing.T) {
 		t.Errorf("Expected %d managed configs, but got %d", expectedManagedCount, count)
 	}
 }
+
+func newManagedConfig() *caddytls.Config {
+	return &caddytls.Config{Manager: &certmagic.Config{}}
+}
@@ -1,15 +1,30 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"bytes"
 	"io"
 	"log"
+	"net"
 	"os"
 	"strings"
 	"sync"

-	"github.com/hashicorp/go-syslog"
-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
+	gsyslog "github.com/hashicorp/go-syslog"
 )

 var remoteSyslogPrefixes = map[string]string{
@@ -23,9 +38,13 @@ var remoteSyslogPrefixes = map[string]string{
 type Logger struct {
 	Output string
 	*log.Logger
-	Roller *LogRoller
-	writer io.Writer
-	fileMu *sync.RWMutex
+	Roller       *LogRoller
+	writer       io.Writer
+	fileMu       *sync.RWMutex
+	V4ipMask     net.IPMask
+	V6ipMask     net.IPMask
+	IPMaskExists bool
+	Exceptions   []string
 }

 // NewTestLogger creates logger suitable for testing purposes
@@ -50,6 +69,31 @@ func (l Logger) Printf(format string, args ...interface{}) {
 	l.fileMu.RUnlock()
 }

+func (l Logger) MaskIP(ip string) string {
+	var reqIP net.IP
+	// If unable to parse, simply return IP as provided.
+	reqIP = net.ParseIP(ip)
+	if reqIP == nil {
+		return ip
+	}
+
+	if reqIP.To4() != nil {
+		return reqIP.Mask(l.V4ipMask).String()
+	}
+	return reqIP.Mask(l.V6ipMask).String()
+}
+
+// ShouldLog returns true if the path is not exempted from
+// being logged (i.e. it is not found in l.Exceptions).
+func (l Logger) ShouldLog(path string) bool {
+	for _, exc := range l.Exceptions {
+		if Path(path).Matches(exc) {
+			return false
+		}
+	}
+	return true
+}
+
 // Attach binds logger Start and Close functions to
 // controller's OnStartup and OnShutdown hooks.
 func (l *Logger) Attach(controller *caddy.Controller) {
@@ -116,7 +160,7 @@ selectwriter:
 			return err
 		}

-		if l.Roller != nil {
+		if l.Roller != nil && !l.Roller.Disabled {
 			file.Close()
 			l.Roller.Filename = l.Output
 			l.writer = l.Roller.GetLogWriter()
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 //+build linux darwin

 package httpserver
@@ -6,6 +20,7 @@ import (
 	"bytes"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
 	"path/filepath"
 	"strings"
@@ -165,9 +180,13 @@ func bootServer(location string, ch chan format.LogParts) (*syslog.Server, error

 	switch address.network {
 	case "tcp":
-		server.ListenTCP(address.address)
+		if err := server.ListenTCP(address.address); err != nil {
+			log.Println("[ERROR] server failed to listen on TCP address: ", err)
+		}
 	case "udp":
-		server.ListenUDP(address.address)
+		if err := server.ListenUDP(address.address); err != nil {
+			log.Println("[ERROR] server failed to listen on UDP address: ", err)
+		}
 	}

 	server.SetHandler(syslog.NewChannelHandler(ch))
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -7,7 +21,7 @@ import (
 	"path"
 	"time"

-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
 )

 func init() {
@@ -103,6 +117,10 @@ func (c ConfigSelector) Select(r *http.Request) (config HandlerConfig) {
 // path separator, just like URLs.  IndexFle handles path manipulation
 // internally for systems that use different path separators.
 func IndexFile(root http.FileSystem, fpath string, indexFiles []string) (string, bool) {
+	if len(fpath) == 0 {
+		// https://caddy.community/t/panic-runtime-error-index-out-of-range/5781
+		fpath = "/"
+	}
 	if fpath[len(fpath)-1] != '/' || root == nil {
 		return "", false
 	}
@@ -144,7 +162,7 @@ func SetLastModifiedHeader(w http.ResponseWriter, modTime time.Time) {

 // CaseSensitivePath determines if paths should be case sensitive.
 // This is configurable via CASE_SENSITIVE_PATH environment variable.
-var CaseSensitivePath = true
+var CaseSensitivePath = false

 const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"

@@ -153,10 +171,10 @@ const caseSensitivePathEnv = "CASE_SENSITIVE_PATH"
 // This could have been in init, but init cannot be called from tests.
 func initCaseSettings() {
 	switch os.Getenv(caseSensitivePathEnv) {
-	case "0", "false":
-		CaseSensitivePath = false
-	default:
+	case "1", "true":
 		CaseSensitivePath = true
+	default:
+		CaseSensitivePath = false
 	}
 }

@@ -200,6 +218,9 @@ func SameNext(next1, next2 Handler) bool {

 // Context key constants.
 const (
+	// ReplacerCtxKey is the context key for a per-request replacer.
+	ReplacerCtxKey caddy.CtxKey = "replacer"
+
 	// RemoteUserCtxKey is the key for the remote user of the request, if any (basicauth).
 	RemoteUserCtxKey caddy.CtxKey = "remote_user"

@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -45,7 +59,7 @@ func TestPathCaseSensitiveEnv(t *testing.T) {
 		{"0", false},
 		{"false", false},
 		{"true", true},
-		{"", true},
+		{"", false},
 	}

 	for i, test := range tests {
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -10,6 +24,9 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/caddyserver/caddy/telemetry"
 )

 // tlsHandler is a http.Handler that will inject a value
@@ -35,6 +52,9 @@ type tlsHandler struct {
 // Halderman, et. al. in "The Security Impact of HTTPS Interception" (NDSS '17):
 // https://jhalderm.com/pub/papers/interception-ndss17.pdf
 func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// TODO: one request per connection, we should report UA in connection with
+	// handshake (reported in caddytls package) and our MITM assessment
+
 	if h.listener == nil {
 		h.next.ServeHTTP(w, r)
 		return
@@ -45,11 +65,16 @@ func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	h.listener.helloInfosMu.RUnlock()

 	ua := r.Header.Get("User-Agent")
+	uaHash := telemetry.FastHash([]byte(ua))
+
+	// report this request's UA in connection with this ClientHello
+	go telemetry.AppendUnique("tls_client_hello_ua:"+caddytls.ClientHelloInfo(info).Key(), uaHash)

 	var checked, mitm bool
 	if r.Header.Get("X-BlueCoat-Via") != "" || // Blue Coat (masks User-Agent header to generic values)
 		r.Header.Get("X-FCCKV2") != "" || // Fortinet
 		info.advertisesHeartbeatSupport() { // no major browsers have ever implemented Heartbeat
+		// TODO: Move the heartbeat check into each "looksLike" function...
 		checked = true
 		mitm = true
 	} else if strings.Contains(ua, "Edge") || strings.Contains(ua, "MSIE") ||
@@ -83,6 +108,13 @@ func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	if checked {
 		r = r.WithContext(context.WithValue(r.Context(), MitmCtxKey, mitm))
+		if mitm {
+			go telemetry.AppendUnique("http_mitm", "likely")
+		} else {
+			go telemetry.AppendUnique("http_mitm", "unlikely")
+		}
+	} else {
+		go telemetry.AppendUnique("http_mitm", "unknown")
 	}

 	if mitm && h.closeOnMITM {
@@ -181,6 +213,11 @@ func (c *clientHelloConn) Read(b []byte) (n int, err error) {
 	c.listener.helloInfos[c.Conn.RemoteAddr().String()] = rawParsed
 	c.listener.helloInfosMu.Unlock()

+	// report this ClientHello to telemetry
+	chKey := caddytls.ClientHelloInfo(rawParsed).Key()
+	go telemetry.SetNested("tls_client_hello", chKey, rawParsed)
+	go telemetry.AppendUnique("tls_client_hello_count", chKey)
+
 	c.readHello = true
 	return
 }
@@ -201,6 +238,7 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 	if len(data) < 42 {
 		return
 	}
+	info.Version = uint16(data[4])<<8 | uint16(data[5])
 	sessionIDLen := int(data[38])
 	if sessionIDLen > 32 || len(data) < 39+sessionIDLen {
 		return
@@ -217,9 +255,9 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 	}
 	numCipherSuites := cipherSuiteLen / 2
 	// read in the cipher suites
-	info.cipherSuites = make([]uint16, numCipherSuites)
+	info.CipherSuites = make([]uint16, numCipherSuites)
 	for i := 0; i < numCipherSuites; i++ {
-		info.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
+		info.CipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
 	}
 	data = data[2+cipherSuiteLen:]
 	if len(data) < 1 {
@@ -230,7 +268,7 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 	if len(data) < 1+compressionMethodsLen {
 		return
 	}
-	info.compressionMethods = data[1 : 1+compressionMethodsLen]
+	info.CompressionMethods = data[1 : 1+compressionMethodsLen]

 	data = data[1+compressionMethodsLen:]

@@ -258,7 +296,7 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 		}

 		// record that the client advertised support for this extension
-		info.extensions = append(info.extensions, extension)
+		info.Extensions = append(info.Extensions, extension)

 		switch extension {
 		case extensionSupportedCurves:
@@ -271,10 +309,10 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 				return
 			}
 			numCurves := l / 2
-			info.curves = make([]tls.CurveID, numCurves)
+			info.Curves = make([]tls.CurveID, numCurves)
 			d := data[2:]
 			for i := 0; i < numCurves; i++ {
-				info.curves[i] = tls.CurveID(d[0])<<8 | tls.CurveID(d[1])
+				info.Curves[i] = tls.CurveID(d[0])<<8 | tls.CurveID(d[1])
 				d = d[2:]
 			}
 		case extensionSupportedPoints:
@@ -286,8 +324,8 @@ func parseRawClientHello(data []byte) (info rawHelloInfo) {
 			if length != l+1 {
 				return
 			}
-			info.points = make([]uint8, l)
-			copy(info.points, data[1:])
+			info.Points = make([]uint8, l)
+			copy(info.Points, data[1:])
 		}

 		data = data[length:]
@@ -338,18 +376,12 @@ func (l *tlsHelloListener) Accept() (net.Conn, error) {
 // by Durumeric, Halderman, et. al. in
 // "The Security Impact of HTTPS Interception":
 // https://jhalderm.com/pub/papers/interception-ndss17.pdf
-type rawHelloInfo struct {
-	cipherSuites       []uint16
-	extensions         []uint16
-	compressionMethods []byte
-	curves             []tls.CurveID
-	points             []uint8
-}
+type rawHelloInfo caddytls.ClientHelloInfo

 // advertisesHeartbeatSupport returns true if info indicates
 // that the client supports the Heartbeat extension.
 func (info rawHelloInfo) advertisesHeartbeatSupport() bool {
-	for _, ext := range info.extensions {
+	for _, ext := range info.Extensions {
 		if ext == extensionHeartbeat {
 			return true
 		}
@@ -372,31 +404,31 @@ func (info rawHelloInfo) looksLikeFirefox() bool {
 	// Note: Firefox 55+ doesn't appear to advertise 0xFF03 (65283, short headers). It used to be between 5 and 13.
 	// Note: Firefox on Fedora (or RedHat) doesn't include ECC suites because of patent liability.
 	requiredExtensionsOrder := []uint16{23, 65281, 10, 11, 35, 16, 5, 13}
-	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.extensions, true) {
+	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
 		return false
 	}

 	// We check for both presence of curves and their ordering.
 	requiredCurves := []tls.CurveID{29, 23, 24, 25}
-	if len(info.curves) < len(requiredCurves) {
+	if len(info.Curves) < len(requiredCurves) {
 		return false
 	}
 	for i := range requiredCurves {
-		if info.curves[i] != requiredCurves[i] {
+		if info.Curves[i] != requiredCurves[i] {
 			return false
 		}
 	}
-	if len(info.curves) > len(requiredCurves) {
+	if len(info.Curves) > len(requiredCurves) {
 		// newer Firefox (55 Nightly?) may have additional curves at end of list
 		allowedCurves := []tls.CurveID{256, 257}
 		for i := range allowedCurves {
-			if info.curves[len(requiredCurves)+i] != allowedCurves[i] {
+			if info.Curves[len(requiredCurves)+i] != allowedCurves[i] {
 				return false
 			}
 		}
 	}

-	if hasGreaseCiphers(info.cipherSuites) {
+	if hasGreaseCiphers(info.CipherSuites) {
 		return false
 	}

@@ -423,7 +455,7 @@ func (info rawHelloInfo) looksLikeFirefox() bool {
 		tls.TLS_RSA_WITH_AES_256_CBC_SHA,            // 0x35
 		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,           // 0xa
 	}
-	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.cipherSuites, false)
+	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false)
 }

 // looksLikeChrome returns true if info looks like a handshake
@@ -464,20 +496,20 @@ func (info rawHelloInfo) looksLikeChrome() bool {
 		TLS_DHE_RSA_WITH_AES_128_CBC_SHA:            {}, // 0x33
 		TLS_DHE_RSA_WITH_AES_256_CBC_SHA:            {}, // 0x39
 	}
-	for _, ext := range info.cipherSuites {
+	for _, ext := range info.CipherSuites {
 		if _, ok := chromeCipherExclusions[ext]; ok {
 			return false
 		}
 	}

 	// Chrome does not include curve 25 (CurveP521) (as of Chrome 56, Feb. 2017).
-	for _, curve := range info.curves {
+	for _, curve := range info.Curves {
 		if curve == 25 {
 			return false
 		}
 	}

-	if !hasGreaseCiphers(info.cipherSuites) {
+	if !hasGreaseCiphers(info.CipherSuites) {
 		return false
 	}

@@ -495,19 +527,19 @@ func (info rawHelloInfo) looksLikeEdge() bool {
 	// More specifically, the OCSP status request extension appears
 	// *directly* before the other two extensions, which occur in that
 	// order. (I contacted the authors for clarification and verified it.)
-	for i, ext := range info.extensions {
+	for i, ext := range info.Extensions {
 		if ext == extensionOCSPStatusRequest {
-			if len(info.extensions) <= i+2 {
+			if len(info.Extensions) <= i+2 {
 				return false
 			}
-			if info.extensions[i+1] != extensionSupportedCurves ||
-				info.extensions[i+2] != extensionSupportedPoints {
+			if info.Extensions[i+1] != extensionSupportedCurves ||
+				info.Extensions[i+2] != extensionSupportedPoints {
 				return false
 			}
 		}
 	}

-	for _, cs := range info.cipherSuites {
+	for _, cs := range info.CipherSuites {
 		// As of Feb. 2017, Edge does not have 0xff, but Avast adds it
 		if cs == scsvRenegotiation {
 			return false
@@ -518,7 +550,7 @@ func (info rawHelloInfo) looksLikeEdge() bool {
 		}
 	}

-	if hasGreaseCiphers(info.cipherSuites) {
+	if hasGreaseCiphers(info.CipherSuites) {
 		return false
 	}

@@ -544,23 +576,23 @@ func (info rawHelloInfo) looksLikeSafari() bool {

 	// We check for the presence and order of the extensions.
 	requiredExtensionsOrder := []uint16{10, 11, 13, 13172, 16, 5, 18, 23}
-	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.extensions, true) {
+	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
 		// Safari on iOS 11 (beta) uses different set/ordering of extensions
 		requiredExtensionsOrderiOS11 := []uint16{65281, 0, 23, 13, 5, 13172, 18, 16, 11, 10}
-		if !assertPresenceAndOrdering(requiredExtensionsOrderiOS11, info.extensions, true) {
+		if !assertPresenceAndOrdering(requiredExtensionsOrderiOS11, info.Extensions, true) {
 			return false
 		}
 	} else {
 		// For these versions of Safari, expect TLS_EMPTY_RENEGOTIATION_INFO_SCSV first.
-		if len(info.cipherSuites) < 1 {
+		if len(info.CipherSuites) < 1 {
 			return false
 		}
-		if info.cipherSuites[0] != scsvRenegotiation {
+		if info.CipherSuites[0] != scsvRenegotiation {
 			return false
 		}
 	}

-	if hasGreaseCiphers(info.cipherSuites) {
+	if hasGreaseCiphers(info.CipherSuites) {
 		return false
 	}

@@ -585,19 +617,19 @@ func (info rawHelloInfo) looksLikeSafari() bool {
 		tls.TLS_RSA_WITH_AES_256_CBC_SHA,            // 0x35
 		tls.TLS_RSA_WITH_AES_128_CBC_SHA,            // 0x2f
 	}
-	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.cipherSuites, true)
+	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, true)
 }

 // looksLikeTor returns true if the info looks like a ClientHello from Tor browser
 // (based on Firefox).
 func (info rawHelloInfo) looksLikeTor() bool {
 	requiredExtensionsOrder := []uint16{10, 11, 16, 5, 13}
-	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.extensions, true) {
+	if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) {
 		return false
 	}

 	// check for session tickets support; Tor doesn't support them to prevent tracking
-	for _, ext := range info.extensions {
+	for _, ext := range info.Extensions {
 		if ext == 35 {
 			return false
 		}
@@ -605,12 +637,12 @@ func (info rawHelloInfo) looksLikeTor() bool {

 	// We check for both presence of curves and their ordering, including
 	// an optional curve at the beginning (for Tor based on Firefox 52)
-	infoCurves := info.curves
-	if len(info.curves) == 4 {
-		if info.curves[0] != 29 {
+	infoCurves := info.Curves
+	if len(info.Curves) == 4 {
+		if info.Curves[0] != 29 {
 			return false
 		}
-		infoCurves = info.curves[1:]
+		infoCurves = info.Curves[1:]
 	}
 	requiredCurves := []tls.CurveID{23, 24, 25}
 	if len(infoCurves) < len(requiredCurves) {
@@ -622,7 +654,7 @@ func (info rawHelloInfo) looksLikeTor() bool {
 		}
 	}

-	if hasGreaseCiphers(info.cipherSuites) {
+	if hasGreaseCiphers(info.CipherSuites) {
 		return false
 	}

@@ -649,7 +681,7 @@ func (info rawHelloInfo) looksLikeTor() bool {
 		tls.TLS_RSA_WITH_AES_256_CBC_SHA,            // 0x35
 		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,           // 0xa
 	}
-	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.cipherSuites, false)
+	return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false)
 }

 // assertPresenceAndOrdering will return true if candidateList contains
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -18,44 +32,48 @@ func TestParseClientHello(t *testing.T) {
 			// curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport zlib/1.2.8
 			inputHex: `010000a6030358a28c73a71bdfc1f09dee13fecdc58805dcce42ac44254df548f14645f7dc2c00004400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009f009e006b0067003900330016009d009c003d003c0035002f000a00af00ae008d008c008b01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000`,
 			expected: rawHelloInfo{
-				cipherSuites:       []uint16{255, 49196, 49195, 49188, 49187, 49162, 49161, 49160, 49200, 49199, 49192, 49191, 49172, 49171, 49170, 159, 158, 107, 103, 57, 51, 22, 157, 156, 61, 60, 53, 47, 10, 175, 174, 141, 140, 139},
-				extensions:         []uint16{10, 11, 13, 5, 18, 23},
-				compressionMethods: []byte{0},
-				curves:             []tls.CurveID{23, 24, 25},
-				points:             []uint8{0},
+				Version:            0x303,
+				CipherSuites:       []uint16{255, 49196, 49195, 49188, 49187, 49162, 49161, 49160, 49200, 49199, 49192, 49191, 49172, 49171, 49170, 159, 158, 107, 103, 57, 51, 22, 157, 156, 61, 60, 53, 47, 10, 175, 174, 141, 140, 139},
+				Extensions:         []uint16{10, 11, 13, 5, 18, 23},
+				CompressionMethods: []byte{0},
+				Curves:             []tls.CurveID{23, 24, 25},
+				Points:             []uint8{0},
 			},
 		},
 		{
 			// Chrome 56
 			inputHex: `010000c003031dae75222dae1433a5a283ddcde8ddabaefbf16d84f250eee6fdff48cdfff8a00000201a1ac02bc02fc02cc030cca9cca8cc14cc13c013c014009c009d002f0035000a010000777a7a0000ff010001000000000e000c0000096c6f63616c686f73740017000000230000000d00140012040308040401050308050501080606010201000500050100000000001200000010000e000c02683208687474702f312e3175500000000b00020100000a000a0008aaaa001d001700182a2a000100`,
 			expected: rawHelloInfo{
-				cipherSuites:       []uint16{6682, 49195, 49199, 49196, 49200, 52393, 52392, 52244, 52243, 49171, 49172, 156, 157, 47, 53, 10},
-				extensions:         []uint16{31354, 65281, 0, 23, 35, 13, 5, 18, 16, 30032, 11, 10, 10794},
-				compressionMethods: []byte{0},
-				curves:             []tls.CurveID{43690, 29, 23, 24},
-				points:             []uint8{0},
+				Version:            0x303,
+				CipherSuites:       []uint16{6682, 49195, 49199, 49196, 49200, 52393, 52392, 52244, 52243, 49171, 49172, 156, 157, 47, 53, 10},
+				Extensions:         []uint16{31354, 65281, 0, 23, 35, 13, 5, 18, 16, 30032, 11, 10, 10794},
+				CompressionMethods: []byte{0},
+				Curves:             []tls.CurveID{43690, 29, 23, 24},
+				Points:             []uint8{0},
 			},
 		},
 		{
 			// Firefox 51
 			inputHex: `010000bd030375f9022fc3a6562467f3540d68013b2d0b961979de6129e944efe0b35531323500001ec02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a010000760000000e000c0000096c6f63616c686f737400170000ff01000100000a000a0008001d001700180019000b00020100002300000010000e000c02683208687474702f312e31000500050100000000ff030000000d0020001e040305030603020308040805080604010501060102010402050206020202`,
 			expected: rawHelloInfo{
-				cipherSuites:       []uint16{49195, 49199, 52393, 52392, 49196, 49200, 49162, 49161, 49171, 49172, 51, 57, 47, 53, 10},
-				extensions:         []uint16{0, 23, 65281, 10, 11, 35, 16, 5, 65283, 13},
-				compressionMethods: []byte{0},
-				curves:             []tls.CurveID{29, 23, 24, 25},
-				points:             []uint8{0},
+				Version:            0x303,
+				CipherSuites:       []uint16{49195, 49199, 52393, 52392, 49196, 49200, 49162, 49161, 49171, 49172, 51, 57, 47, 53, 10},
+				Extensions:         []uint16{0, 23, 65281, 10, 11, 35, 16, 5, 65283, 13},
+				CompressionMethods: []byte{0},
+				Curves:             []tls.CurveID{29, 23, 24, 25},
+				Points:             []uint8{0},
 			},
 		},
 		{
 			// openssl s_client (OpenSSL 0.9.8zh 14 Jan 2016)
 			inputHex: `0100012b03035d385236b8ca7b7946fa0336f164e76bf821ed90e8de26d97cc677671b6f36380000acc030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc00200050004c012c008001600130010000dc00dc003000a00ff0201000055000b000403000102000a001c001a00170019001c001b0018001a0016000e000d000b000c0009000a00230000000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101`,
 			expected: rawHelloInfo{
-				cipherSuites:       []uint16{49200, 49196, 49192, 49188, 49172, 49162, 165, 163, 161, 159, 107, 106, 105, 104, 57, 56, 55, 54, 136, 135, 134, 133, 49202, 49198, 49194, 49190, 49167, 49157, 157, 61, 53, 132, 49199, 49195, 49191, 49187, 49171, 49161, 164, 162, 160, 158, 103, 64, 63, 62, 51, 50, 49, 48, 154, 153, 152, 151, 69, 68, 67, 66, 49201, 49197, 49193, 49189, 49166, 49156, 156, 60, 47, 150, 65, 7, 49169, 49159, 49164, 49154, 5, 4, 49170, 49160, 22, 19, 16, 13, 49165, 49155, 10, 255},
-				extensions:         []uint16{11, 10, 35, 13, 15},
-				compressionMethods: []byte{1, 0},
-				curves:             []tls.CurveID{23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10},
-				points:             []uint8{0, 1, 2},
+				Version:            0x303,
+				CipherSuites:       []uint16{49200, 49196, 49192, 49188, 49172, 49162, 165, 163, 161, 159, 107, 106, 105, 104, 57, 56, 55, 54, 136, 135, 134, 133, 49202, 49198, 49194, 49190, 49167, 49157, 157, 61, 53, 132, 49199, 49195, 49191, 49187, 49171, 49161, 164, 162, 160, 158, 103, 64, 63, 62, 51, 50, 49, 48, 154, 153, 152, 151, 69, 68, 67, 66, 49201, 49197, 49193, 49189, 49166, 49156, 156, 60, 47, 150, 65, 7, 49169, 49159, 49164, 49154, 5, 4, 49170, 49160, 22, 19, 16, 13, 49165, 49155, 10, 255},
+				Extensions:         []uint16{11, 10, 35, 13, 15},
+				CompressionMethods: []byte{1, 0},
+				Curves:             []tls.CurveID{23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10},
+				Points:             []uint8{0, 1, 2},
 			},
 		},
 	} {
@@ -186,10 +204,17 @@ func TestHeuristicFunctionsAndHandler(t *testing.T) {
 				interception: false,
 			},
 			{
+				// I think this was iOS 11 beta
 				userAgent:    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.28 (KHTML, like Gecko) Version/11.0 Mobile/15A5318g Safari/604.1",
 				helloHex:     `010000e10303be294e11847ba01301e0bb6129f4a0d66344602141a8f0a1ab0750a1db145755000028c02cc02bc024c023cca9c00ac009c030c02fc028c027cca8c014c013009d009c003d003c0035002f01000090ff0100010000000014001200000f66696e6572706978656c732e636f6d00170000000d00140012040308040401050308050501080606010201000500050100000000337400000012000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e31000b00020100000a00080006001d00170018`,
 				interception: false,
 			},
+			{
+				// iOS 11 stable
+				userAgent:    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1",
+				helloHex:     `010000dc030327fafb16708fcbe489fda332260d32b1a22bea6672a72b5e61d7b9963df1b10d000028c02cc02bc024c023c00ac009cca9c030c02fc028c027c014c013cca8009d009c003d003c0035002f0100008bff010001000000000f000d00000a6d69746d2e776174636800170000000d00140012040308040401050308050501080606010201000500050100000000337400000012000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e31000b00020100000a00080006001d00170018`,
+				interception: false,
+			},
 		},
 		"Tor": {
 			{
@@ -310,15 +335,15 @@ func TestHeuristicFunctionsAndHandler(t *testing.T) {
 			// in other words, if one returns true, the others
 			// should return false, with as little logic as possible,
 			// but with enough logic to force TLS proxies to do a
-			// good job preserving characterstics of the handshake.
+			// good job preserving characteristics of the handshake.
 			if (isChrome && (isFirefox || isSafari || isEdge || isTor)) ||
 				(isFirefox && (isChrome || isSafari || isEdge || isTor)) ||
 				(isSafari && (isChrome || isFirefox || isEdge || isTor)) ||
 				(isEdge && (isChrome || isFirefox || isSafari || isTor)) ||
 				(isTor && (isChrome || isFirefox || isSafari || isEdge)) {
 				t.Errorf("[%s] Test %d: Multiple fingerprinting functions matched: "+
-					"Chrome=%v Firefox=%v Safari=%v Edge=%v Tor=%v\n\tparsed hello dec: %+v\n\tparsed hello hex: %#x\n",
-					client, i, isChrome, isFirefox, isSafari, isEdge, isTor, parsed, parsed)
+					"Chrome=%v Firefox=%v Safari=%v Edge=%v Tor=%v\n\tparsed hello dec: %+v\n",
+					client, i, isChrome, isFirefox, isSafari, isEdge, isTor, parsed)
 			}

 			// test the handler and detection results
@@ -346,8 +371,8 @@ func TestHeuristicFunctionsAndHandler(t *testing.T) {
 			if got != want {
 				t.Errorf("[%s] Test %d: Expected MITM=%v but got %v (type assertion OK (checked)=%v)",
 					client, i, want, got, checked)
-				t.Errorf("[%s] Test %d: Looks like Chrome=%v Firefox=%v Safari=%v Edge=%v Tor=%v\n\tparsed hello dec: %+v\n\tparsed hello hex: %#x\n",
-					client, i, isChrome, isFirefox, isSafari, isEdge, isTor, parsed, parsed)
+				t.Errorf("[%s] Test %d: Looks like Chrome=%v Firefox=%v Safari=%v Edge=%v Tor=%v\n\tparsed hello dec: %+v\n",
+					client, i, isChrome, isFirefox, isSafari, isEdge, isTor, parsed)
 			}
 		}
 	}
@@ -1,7 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"net/http"
+	"path"
 	"strings"
 )

@@ -16,10 +31,27 @@ type Path string
 // Path matching will probably not always be a direct
 // comparison; this method assures that paths can be
 // easily and consistently matched.
+//
+// Multiple slashes are collapsed/merged. See issue #1859.
 func (p Path) Matches(base string) bool {
-	if base == "/" {
+	if base == "/" || base == "" {
 		return true
 	}
+
+	// sanitize the paths for comparison, very important
+	// (slightly lossy if the base path requires multiple
+	// consecutive forward slashes, since those will be merged)
+	pHasTrailingSlash := strings.HasSuffix(string(p), "/")
+	baseHasTrailingSlash := strings.HasSuffix(base, "/")
+	p = Path(path.Clean(string(p)))
+	base = path.Clean(base)
+	if pHasTrailingSlash {
+		p += "/"
+	}
+	if baseHasTrailingSlash {
+		base += "/"
+	}
+
 	if CaseSensitivePath {
 		return strings.HasPrefix(string(p), base)
 	}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import "testing"
@@ -29,6 +43,11 @@ func TestPathMatches(t *testing.T) {
 			rulePath:    "/foo/bar",
 			shouldMatch: false,
 		},
+		{
+			reqPath:     "/foo/",
+			rulePath:    "/foo/",
+			shouldMatch: true,
+		},
 		{
 			reqPath:     "/Foobar",
 			rulePath:    "/Foo",
@@ -86,10 +105,41 @@ func TestPathMatches(t *testing.T) {
 			rulePath:    "",
 			shouldMatch: true,
 		},
+		{
+			// see issue #1859
+			reqPath:     "//double-slash",
+			rulePath:    "/double-slash",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "/double//slash",
+			rulePath:    "/double/slash",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "//more/double//slashes",
+			rulePath:    "/more/double/slashes",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "/path/../traversal",
+			rulePath:    "/traversal",
+			shouldMatch: true,
+		},
+		{
+			reqPath:     "/path/../traversal",
+			rulePath:    "/path",
+			shouldMatch: false,
+		},
+		{
+			reqPath:     "/keep-slashes/http://something/foo/bar",
+			rulePath:    "/keep-slashes/http://something",
+			shouldMatch: true,
+		},
 	} {
 		CaseSensitivePath = !testcase.caseInsensitive
 		if got, want := testcase.reqPath.Matches(testcase.rulePath), testcase.shouldMatch; got != want {
-			t.Errorf("Test %d: For request path '%s' and other path '%s': expected %v, got %v",
+			t.Errorf("Test %d: For request path '%s' and base path '%s': expected %v, got %v",
 				i, testcase.reqPath, testcase.rulePath, want, got)
 		}
 	}
@@ -1,6 +1,21 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -8,19 +23,23 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyfile"
-	"github.com/mholt/caddy/caddytls"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyfile"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/caddyserver/caddy/telemetry"
+	"github.com/mholt/certmagic"
 )

 const serverType = "http"

 func init() {
-	flag.StringVar(&HTTPPort, "http-port", HTTPPort, "Default port to use for HTTP")
-	flag.StringVar(&HTTPSPort, "https-port", HTTPSPort, "Default port to use for HTTPS")
+	flag.IntVar(&certmagic.HTTPPort, "http-port", certmagic.HTTPPort, "Default port to use for HTTP")
+	flag.IntVar(&certmagic.HTTPSPort, "https-port", certmagic.HTTPSPort, "Default port to use for HTTPS")
 	flag.StringVar(&Host, "host", DefaultHost, "Default host")
 	flag.StringVar(&Port, "port", DefaultPort, "Default port")
 	flag.StringVar(&Root, "root", DefaultRoot, "Root path of default site")
@@ -50,6 +69,12 @@ func init() {
 	caddy.RegisterParsingCallback(serverType, "root", hideCaddyfile)
 	caddy.RegisterParsingCallback(serverType, "tls", activateHTTPS)
 	caddytls.RegisterConfigGetter(serverType, func(c *caddy.Controller) *caddytls.Config { return GetConfig(c).TLS })
+
+	// disable the caddytls package reporting ClientHellos
+	// to telemetry, since our MITM detector does this but
+	// with more information than the standard lib provides
+	// (as of May 2018)
+	caddytls.ClientHelloTelemetry = false
 }

 // hideCaddyfile hides the source/origin Caddyfile if it is within the
@@ -76,11 +101,13 @@ func hideCaddyfile(cctx caddy.Context) error {
 	return nil
 }

-func newContext() caddy.Context {
-	return &httpContext{keysToSiteConfigs: make(map[string]*SiteConfig)}
+func newContext(inst *caddy.Instance) caddy.Context {
+	return &httpContext{instance: inst, keysToSiteConfigs: make(map[string]*SiteConfig)}
 }

 type httpContext struct {
+	instance *caddy.Instance
+
 	// keysToSiteConfigs maps an address at the top of a
 	// server block (a "key") to its SiteConfig. Not all
 	// SiteConfigs will be represented here, only ones
@@ -100,18 +127,24 @@ func (h *httpContext) saveConfig(key string, cfg *SiteConfig) {
 // executing directives and otherwise prepares the directives to
 // be parsed and executed.
 func (h *httpContext) InspectServerBlocks(sourceFile string, serverBlocks []caddyfile.ServerBlock) ([]caddyfile.ServerBlock, error) {
+	siteAddrs := make(map[string]string)
+	httpPort := strconv.Itoa(certmagic.HTTPPort)
+	httpsPort := strconv.Itoa(certmagic.HTTPSPort)
+
 	// For each address in each server block, make a new config
 	for _, sb := range serverBlocks {
 		for _, key := range sb.Keys {
-			key = strings.ToLower(key)
-			if _, dup := h.keysToSiteConfigs[key]; dup {
-				return serverBlocks, fmt.Errorf("duplicate site address: %s", key)
-			}
 			addr, err := standardizeAddress(key)
 			if err != nil {
 				return serverBlocks, err
 			}

+			addr = addr.Normalize()
+			key = addr.Key()
+			if _, dup := h.keysToSiteConfigs[key]; dup {
+				return serverBlocks, fmt.Errorf("duplicate site key: %s", key)
+			}
+
 			// Fill in address components from command line so that middleware
 			// have access to the correct information during setup
 			if addr.Host == "" && Host != DefaultHost {
@@ -121,26 +154,59 @@ func (h *httpContext) InspectServerBlocks(sourceFile string, serverBlocks []cadd
 				addr.Port = Port
 			}

+			// Make sure the adjusted site address is distinct
+			addrCopy := addr // make copy so we don't disturb the original, carefully-parsed address struct
+			if addrCopy.Port == "" && Port == DefaultPort {
+				addrCopy.Port = Port
+			}
+			addrStr := addrCopy.String()
+			if otherSiteKey, dup := siteAddrs[addrStr]; dup {
+				err := fmt.Errorf("duplicate site address: %s", addrStr)
+				if (addrCopy.Host == Host && Host != DefaultHost) ||
+					(addrCopy.Port == Port && Port != DefaultPort) {
+					err = fmt.Errorf("site defined as %s is a duplicate of %s because of modified "+
+						"default host and/or port values (usually via -host or -port flags)", key, otherSiteKey)
+				}
+				return serverBlocks, err
+			}
+			siteAddrs[addrStr] = key
+
 			// If default HTTP or HTTPS ports have been customized,
 			// make sure the ACME challenge ports match
-			var altHTTPPort, altTLSSNIPort string
-			if HTTPPort != DefaultHTTPPort {
-				altHTTPPort = HTTPPort
+			var altHTTPPort, altTLSALPNPort int
+			if httpPort != DefaultHTTPPort {
+				portInt, err := strconv.Atoi(httpPort)
+				if err != nil {
+					return nil, err
+				}
+				altHTTPPort = portInt
 			}
-			if HTTPSPort != DefaultHTTPSPort {
-				altTLSSNIPort = HTTPSPort
+			if httpsPort != DefaultHTTPSPort {
+				portInt, err := strconv.Atoi(httpsPort)
+				if err != nil {
+					return nil, err
+				}
+				altTLSALPNPort = portInt
 			}

+			// Make our caddytls.Config, which has a pointer to the
+			// instance's certificate cache and enough information
+			// to use automatic HTTPS when the time comes
+			caddytlsConfig, err := caddytls.NewConfig(h.instance)
+			if err != nil {
+				return nil, fmt.Errorf("creating new caddytls configuration: %v", err)
+			}
+			caddytlsConfig.Hostname = addr.Host
+			caddytlsConfig.Manager.AltHTTPPort = altHTTPPort
+			caddytlsConfig.Manager.AltTLSALPNPort = altTLSALPNPort
+
 			// Save the config to our master list, and key it for lookups
 			cfg := &SiteConfig{
-				Addr: addr,
-				Root: Root,
-				TLS: &caddytls.Config{
-					Hostname:      addr.Host,
-					AltHTTPPort:   altHTTPPort,
-					AltTLSSNIPort: altTLSSNIPort,
-				},
+				Addr:            addr,
+				Root:            Root,
+				TLS:             caddytlsConfig,
 				originCaddyfile: sourceFile,
+				IndexPages:      staticfiles.DefaultIndexPages,
 			}
 			h.saveConfig(key, cfg)
 		}
@@ -164,13 +230,48 @@ func (h *httpContext) InspectServerBlocks(sourceFile string, serverBlocks []cadd
 // MakeServers uses the newly-created siteConfigs to
 // create and return a list of server instances.
 func (h *httpContext) MakeServers() ([]caddy.Server, error) {
-	// make sure TLS is disabled for explicitly-HTTP sites
-	// (necessary when HTTP address shares a block containing tls)
+	httpPort := strconv.Itoa(certmagic.HTTPPort)
+	httpsPort := strconv.Itoa(certmagic.HTTPSPort)
+
+	// make a rough estimate as to whether we're in a "production
+	// environment/system" - start by assuming that most production
+	// servers will set their default CA endpoint to a public,
+	// trusted CA (obviously not a perfect heuristic)
+	var looksLikeProductionCA bool
+	for _, publicCAEndpoint := range caddytls.KnownACMECAs {
+		if strings.Contains(certmagic.Default.CA, publicCAEndpoint) {
+			looksLikeProductionCA = true
+			break
+		}
+	}
+
+	// Iterate each site configuration and make sure that:
+	// 1) TLS is disabled for explicitly-HTTP sites (necessary
+	//    when an HTTP address shares a block containing tls)
+	// 2) if QUIC is enabled, TLS ClientAuth is not, because
+	//    currently, QUIC does not support ClientAuth (TODO:
+	//    revisit this when our QUIC implementation supports it)
+	// 3) if TLS ClientAuth is used, StrictHostMatching is on
+	var atLeastOneSiteLooksLikeProduction bool
 	for _, cfg := range h.siteConfigs {
+		// see if all the addresses (both sites and
+		// listeners) are loopback to help us determine
+		// if this is a "production" instance or not
+		if !atLeastOneSiteLooksLikeProduction {
+			if !caddy.IsLoopback(cfg.Addr.Host) &&
+				!caddy.IsLoopback(cfg.ListenHost) &&
+				(caddytls.QualifiesForManagedTLS(cfg) ||
+					certmagic.HostQualifies(cfg.Addr.Host)) {
+				atLeastOneSiteLooksLikeProduction = true
+			}
+		}
+
+		// make sure TLS is disabled for explicitly-HTTP sites
+		// (necessary when HTTP address shares a block containing tls)
 		if !cfg.TLS.Enabled {
 			continue
 		}
-		if cfg.Addr.Port == HTTPPort || cfg.Addr.Scheme == "http" {
+		if cfg.Addr.Port == httpPort || cfg.Addr.Scheme == "http" {
 			cfg.TLS.Enabled = false
 			log.Printf("[WARNING] TLS disabled for %s", cfg.Addr)
 		} else if cfg.Addr.Scheme == "" {
@@ -181,11 +282,22 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
 			// is incorrect for this site.
 			cfg.Addr.Scheme = "https"
 		}
-		if cfg.Addr.Port == "" && ((!cfg.TLS.Manual && !cfg.TLS.SelfSigned) || cfg.TLS.OnDemand) {
+		if cfg.Addr.Port == "" && ((!cfg.TLS.Manual && !cfg.TLS.SelfSigned) || cfg.TLS.Manager.OnDemand != nil) {
 			// this is vital, otherwise the function call below that
 			// sets the listener address will use the default port
 			// instead of 443 because it doesn't know about TLS.
-			cfg.Addr.Port = HTTPSPort
+			cfg.Addr.Port = httpsPort
+		}
+		if cfg.TLS.ClientAuth != tls.NoClientCert {
+			if QUIC {
+				return nil, fmt.Errorf("cannot enable TLS client authentication with QUIC, because QUIC does not yet support it")
+			}
+			// this must be enabled so that a client cannot connect
+			// using SNI for another site on this listener that
+			// does NOT require ClientAuth, and then send HTTP
+			// requests with the Host header of this site which DOES
+			// require client auth, thus bypassing it...
+			cfg.StrictHostMatching = true
 		}
 	}

@@ -205,22 +317,48 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
 		servers = append(servers, s)
 	}

+	// NOTE: This value is only a "good guess". Quite often, development
+	// environments will use internal DNS or a local hosts file to serve
+	// real-looking domains in local development. We can't easily tell
+	// which without doing a DNS lookup, so this guess is definitely naive,
+	// and if we ever want a better guess, we will have to do DNS lookups.
+	deploymentGuess := "dev"
+	if looksLikeProductionCA && atLeastOneSiteLooksLikeProduction {
+		deploymentGuess = "prod"
+	}
+	telemetry.Set("http_deployment_guess", deploymentGuess)
+	telemetry.Set("http_num_sites", len(h.siteConfigs))
+
 	return servers, nil
 }

+// normalizedKey returns "normalized" key representation:
+//  scheme and host names are lowered, everything else stays the same
+func normalizedKey(key string) string {
+	addr, err := standardizeAddress(key)
+	if err != nil {
+		return key
+	}
+	return addr.Normalize().Key()
+}
+
 // GetConfig gets the SiteConfig that corresponds to c.
 // If none exist (should only happen in tests), then a
 // new, empty one will be created.
 func GetConfig(c *caddy.Controller) *SiteConfig {
 	ctx := c.Context().(*httpContext)
-	key := strings.ToLower(c.Key)
+	key := normalizedKey(c.Key)
 	if cfg, ok := ctx.keysToSiteConfigs[key]; ok {
 		return cfg
 	}
 	// we should only get here during tests because directive
 	// actions typically skip the server blocks where we make
 	// the configs
-	cfg := &SiteConfig{Root: Root, TLS: new(caddytls.Config)}
+	cfg := &SiteConfig{
+		Root:       Root,
+		TLS:        &caddytls.Config{Manager: certmagic.NewDefault()},
+		IndexPages: staticfiles.DefaultIndexPages,
+	}
 	ctx.saveConfig(key, cfg)
 	return cfg
 }
@@ -275,6 +413,8 @@ func groupSiteConfigsByListenAddr(configs []*SiteConfig) (map[string][]*SiteConf
 // parts of an address. The component parts may be
 // updated to the correct values as setup proceeds,
 // but the original value should never be changed.
+//
+// The Host field must be in a normalized form.
 type Address struct {
 	Original, Scheme, Host, Port, Path string
 }
@@ -286,7 +426,7 @@ func (a Address) String() string {
 	}
 	scheme := a.Scheme
 	if scheme == "" {
-		if a.Port == HTTPSPort {
+		if a.Port == strconv.Itoa(certmagic.HTTPSPort) {
 			scheme = "https"
 		} else {
 			scheme = "http"
@@ -296,11 +436,12 @@ func (a Address) String() string {
 	if s != "" {
 		s += "://"
 	}
-	s += a.Host
 	if a.Port != "" &&
 		((scheme == "https" && a.Port != DefaultHTTPSPort) ||
 			(scheme == "http" && a.Port != DefaultHTTPPort)) {
-		s += ":" + a.Port
+		s += net.JoinHostPort(a.Host, a.Port)
+	} else {
+		s += a.Host
 	}
 	if a.Path != "" {
 		s += a.Path
@@ -317,11 +458,66 @@ func (a Address) VHost() string {
 	return a.Original
 }

+// Normalize normalizes URL: turn scheme and host names into lower case
+func (a Address) Normalize() Address {
+	path := a.Path
+	if !CaseSensitivePath {
+		path = strings.ToLower(path)
+	}
+
+	// ensure host is normalized if it's an IP address
+	host := a.Host
+	if ip := net.ParseIP(host); ip != nil {
+		host = ip.String()
+	}
+
+	return Address{
+		Original: a.Original,
+		Scheme:   strings.ToLower(a.Scheme),
+		Host:     strings.ToLower(host),
+		Port:     a.Port,
+		Path:     path,
+	}
+}
+
+// Key is similar to String, just replaces scheme and host values with modified values.
+// Unlike String it doesn't add anything default (scheme, port, etc)
+func (a Address) Key() string {
+	res := ""
+	if a.Scheme != "" {
+		res += a.Scheme + "://"
+	}
+	if a.Host != "" {
+		res += a.Host
+	}
+	// insert port only if the original has its own explicit port
+	if a.Port != "" && len(a.Original) >= len(res) &&
+		strings.HasPrefix(a.Original[len(res):], ":"+a.Port) {
+		res += ":" + a.Port
+	}
+	if a.Path != "" {
+		res += a.Path
+	}
+	return res
+}
+
 // standardizeAddress parses an address string into a structured format with separate
 // scheme, host, port, and path portions, as well as the original input string.
 func standardizeAddress(str string) (Address, error) {
 	input := str

+	httpPort := strconv.Itoa(certmagic.HTTPPort)
+	httpsPort := strconv.Itoa(certmagic.HTTPSPort)
+
+	// As of Go 1.12.8 (Aug 2019), ports that are service names such
+	// as ":http" and ":https" are no longer parsed as they were
+	// before, which is a breaking change for us. Attempt to smooth
+	// this over for now by replacing those strings with their port
+	// equivalents. See
+	// https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713
+	str = strings.Replace(str, ":https", ":"+httpsPort, 1)
+	str = strings.Replace(str, ":http", ":"+httpPort, 1)
+
 	// Split input into components (prepend with // to assert host by default)
 	if !strings.Contains(str, "//") && !strings.HasPrefix(str, "/") {
 		str = "//" + str
@@ -343,32 +539,28 @@ func standardizeAddress(str string) (Address, error) {
 	// see if we can set port based off scheme
 	if port == "" {
 		if u.Scheme == "http" {
-			port = HTTPPort
+			port = httpPort
 		} else if u.Scheme == "https" {
-			port = HTTPSPort
+			port = httpsPort
 		}
 	}

-	// repeated or conflicting scheme is confusing, so error
-	if u.Scheme != "" && (port == "http" || port == "https") {
-		return Address{}, fmt.Errorf("[%s] scheme specified twice in address", input)
-	}
-
 	// error if scheme and port combination violate convention
-	if (u.Scheme == "http" && port == HTTPSPort) || (u.Scheme == "https" && port == HTTPPort) {
+	if (u.Scheme == "http" && port == httpsPort) || (u.Scheme == "https" && port == httpPort) {
 		return Address{}, fmt.Errorf("[%s] scheme and port violate convention", input)
 	}

 	// standardize http and https ports to their respective port numbers
-	if port == "http" {
-		u.Scheme = "http"
-		port = HTTPPort
-	} else if port == "https" {
-		u.Scheme = "https"
-		port = HTTPSPort
+	// (this behavior changed in Go 1.12.8)
+	if u.Scheme == "" {
+		if port == httpPort {
+			u.Scheme = "http"
+		} else if port == httpsPort {
+			u.Scheme = "https"
+		}
 	}

-	return Address{Original: input, Scheme: u.Scheme, Host: host, Port: port, Path: u.Path}, err
+	return Address{Original: input, Scheme: u.Scheme, Host: host, Port: port, Path: u.Path}, nil
 }

 // RegisterDevDirective splices name into the list of directives
@@ -441,8 +633,10 @@ var directives = []string{
 	"tls",

 	// services/utilities, or other directives that don't necessarily inject handlers
-	"startup",
-	"shutdown",
+	"startup",  // TODO: Deprecate this directive
+	"shutdown", // TODO: Deprecate this directive
+	"on",
+	"supervisor", // github.com/lucaslorentz/caddy-supervisor
 	"request_id",
 	"realip", // github.com/captncraig/caddy-realip
 	"git",    // github.com/abiosoft/caddy-git
@@ -456,49 +650,57 @@ var directives = []string{
 	"cache", // github.com/nicolasazrak/caddy-cache
 	"rewrite",
 	"ext",
+	"minify", // github.com/hacdias/caddy-minify
 	"gzip",
 	"header",
+	"geoip", // github.com/kodnaplakal/caddy-geoip
 	"errors",
-	"authz",     // github.com/casbin/caddy-authz
-	"filter",    // github.com/echocat/caddy-filter
-	"minify",    // github.com/hacdias/caddy-minify
-	"ipfilter",  // github.com/pyed/ipfilter
-	"ratelimit", // github.com/xuqingfeng/caddy-rate-limit
-	"search",    // github.com/pedronasser/caddy-search
-	"expires",   // github.com/epicagency/caddy-expires
+	"authz",        // github.com/casbin/caddy-authz
+	"filter",       // github.com/echocat/caddy-filter
+	"ipfilter",     // github.com/pyed/ipfilter
+	"ratelimit",    // github.com/xuqingfeng/caddy-rate-limit
+	"recaptcha",    // github.com/defund/caddy-recaptcha
+	"expires",      // github.com/epicagency/caddy-expires
+	"forwardproxy", // github.com/caddyserver/forwardproxy
 	"basicauth",
 	"redir",
 	"status",
-	"cors",   // github.com/captncraig/cors/caddy
-	"nobots", // github.com/Xumeiquer/nobots
+	"cors",      // github.com/captncraig/cors/caddy
+	"s3browser", // github.com/techknowlogick/caddy-s3browser
+	"nobots",    // github.com/Xumeiquer/nobots
 	"mime",
-	"login",     // github.com/tarent/loginsrv/caddy
-	"reauth",    // github.com/freman/caddy-reauth
-	"jwt",       // github.com/BTBurke/caddy-jwt
-	"jsonp",     // github.com/pschlump/caddy-jsonp
-	"upload",    // blitznote.com/src/caddy.upload
-	"multipass", // github.com/namsral/multipass/caddy
+	"login",      // github.com/tarent/loginsrv/caddy
+	"reauth",     // github.com/freman/caddy-reauth
+	"extauth",    // github.com/BTBurke/caddy-extauth
+	"jwt",        // github.com/BTBurke/caddy-jwt
+	"permission", // github.com/dhaavi/caddy-permission
+	"jsonp",      // github.com/pschlump/caddy-jsonp
+	"upload",     // blitznote.com/src/caddy.upload
+	"multipass",  // github.com/namsral/multipass/caddy
 	"internal",
 	"pprof",
 	"expvar",
 	"push",
 	"datadog",    // github.com/payintech/caddy-datadog
 	"prometheus", // github.com/miekg/caddy-prometheus
+	"templates",
 	"proxy",
+	"pubsub", // github.com/jung-kurt/caddy-pubsub
 	"fastcgi",
 	"cgi", // github.com/jung-kurt/caddy-cgi
 	"websocket",
-	"filemanager", // github.com/hacdias/filemanager/caddy/filemanager
+	"filebrowser", // github.com/filebrowser/caddy
 	"webdav",      // github.com/hacdias/caddy-webdav
 	"markdown",
-	"templates",
 	"browse",
-	"hugo",      // github.com/hacdias/filemanager/caddy/hugo
 	"mailout",   // github.com/SchumacherFM/mailout
+	"awses",     // github.com/miquella/caddy-awses
 	"awslambda", // github.com/coopernurse/caddy-awslambda
 	"grpc",      // github.com/pieterlouw/caddy-grpc
 	"gopkg",     // github.com/zikes/gopkg
 	"restic",    // github.com/restic/caddy
+	"wkd",       // github.com/emersion/caddy-wkd
+	"dyndns",    // github.com/linkonoid/caddy-dyndns
 }

 const (
@@ -534,10 +736,4 @@ var (

 	// QUIC indicates whether QUIC is enabled or not.
 	QUIC bool
-
-	// HTTPPort is the port to use for HTTP.
-	HTTPPort = DefaultHTTPPort
-
-	// HTTPSPort is the port to use for HTTPS.
-	HTTPSPort = DefaultHTTPSPort
 )
@@ -1,11 +1,29 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"strings"
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyfile"
+	"sort"
+
+	"fmt"
+
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyfile"
 )

 func TestStandardizeAddress(t *testing.T) {
@@ -25,12 +43,12 @@ func TestStandardizeAddress(t *testing.T) {
 		{`:`, "", "", "", "", false},
 		{`localhost:http`, "http", "localhost", "80", "", false},
 		{`localhost:https`, "https", "localhost", "443", "", false},
-		{`:http`, "http", "", "80", "", false},
-		{`:https`, "https", "", "443", "", false},
-		{`http://localhost:https`, "", "", "", "", true}, // conflict
-		{`http://localhost:http`, "", "", "", "", true},  // repeated scheme
-		{`http://localhost:443`, "", "", "", "", true},   // not conventional
-		{`https://localhost:80`, "", "", "", "", true},   // not conventional
+		{`:http`, "http", "", "80", "", false},                          // as of Go 1.12.8, service name in port is no longer supported
+		{`:https`, "https", "", "443", "", false},                       // as of Go 1.12.8, service name in port is no longer supported
+		{`http://localhost:https`, "", "", "", "", true},                // conflict
+		{`http://localhost:http`, "http", "localhost", "80", "", false}, // repeated scheme -- test adjusted for Go 1.12.8 (expect no error)
+		{`http://localhost:443`, "", "", "", "", true},                  // not conventional
+		{`https://localhost:80`, "", "", "", "", true},                  // not conventional
 		{`http://localhost`, "http", "localhost", "80", "", false},
 		{`https://localhost`, "https", "localhost", "443", "", false},
 		{`http://127.0.0.1`, "http", "127.0.0.1", "80", "", false},
@@ -40,8 +58,8 @@ func TestStandardizeAddress(t *testing.T) {
 		{`https://127.0.0.1:1234`, "https", "127.0.0.1", "1234", "", false},
 		{`http://[::1]:1234`, "http", "::1", "1234", "", false},
 		{``, "", "", "", "", false},
-		{`::1`, "", "::1", "", "", true},
-		{`localhost::`, "", "localhost::", "", "", true},
+		{`::1`, "", "::1", "", "", false},                 // test adjusted for Go 1.12.8 (expect no error)
+		{`localhost::`, "", "localhost::", "", "", false}, // test adjusted for Go 1.12.8 (expect no error)
 		{`#$%@`, "", "", "", "", true},
 		{`host/path`, "", "host", "", "/path", false},
 		{`http://host/`, "http", "host", "80", "/", false},
@@ -49,7 +67,7 @@ func TestStandardizeAddress(t *testing.T) {
 		{`:1234/asdf`, "", "", "1234", "/asdf", false},
 		{`http://host/path`, "http", "host", "80", "/path", false},
 		{`https://host:443/path/foo`, "https", "host", "443", "/path/foo", false},
-		{`host:80/path`, "", "host", "80", "/path", false},
+		{`host:80/path`, "http", "host", "80", "/path", false}, // test adjusted for Go 1.12.8 (expect "http" scheme)
 		{`host:https/path`, "https", "host", "443", "/path", false},
 		{`/path`, "", "", "", "/path", false},
 	} {
@@ -123,7 +141,7 @@ func TestAddressString(t *testing.T) {
 func TestInspectServerBlocksWithCustomDefaultPort(t *testing.T) {
 	Port = "9999"
 	filename := "Testfile"
-	ctx := newContext().(*httpContext)
+	ctx := newContext(&caddy.Instance{Storage: make(map[interface{}]interface{})}).(*httpContext)
 	input := strings.NewReader(`localhost`)
 	sblocks, err := caddyfile.Parse(filename, input, nil)
 	if err != nil {
@@ -133,15 +151,45 @@ func TestInspectServerBlocksWithCustomDefaultPort(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Didn't expect an error, but got: %v", err)
 	}
-	addr := ctx.keysToSiteConfigs["localhost"].Addr
+	localhostKey := "localhost"
+	item, ok := ctx.keysToSiteConfigs[localhostKey]
+	if !ok {
+		availableKeys := make(sort.StringSlice, len(ctx.keysToSiteConfigs))
+		i := 0
+		for key := range ctx.keysToSiteConfigs {
+			availableKeys[i] = fmt.Sprintf("'%s'", key)
+			i++
+		}
+		availableKeys.Sort()
+		t.Errorf("`%s` not found within registered keys, only these are available: %s", localhostKey, strings.Join(availableKeys, ", "))
+		return
+	}
+	addr := item.Addr
 	if addr.Port != Port {
 		t.Errorf("Expected the port on the address to be set, but got: %#v", addr)
 	}
 }

+// See discussion on PR #2015
+func TestInspectServerBlocksWithAdjustedAddress(t *testing.T) {
+	Port = DefaultPort
+	Host = "example.com"
+	filename := "Testfile"
+	ctx := newContext(&caddy.Instance{Storage: make(map[interface{}]interface{})}).(*httpContext)
+	input := strings.NewReader("example.com {\n}\n:2015 {\n}")
+	sblocks, err := caddyfile.Parse(filename, input, nil)
+	if err != nil {
+		t.Fatalf("Expected no error setting up test, got: %v", err)
+	}
+	_, err = ctx.InspectServerBlocks(filename, sblocks)
+	if err == nil {
+		t.Fatalf("Expected an error because site definitions should overlap, got: %v", err)
+	}
+}
+
 func TestInspectServerBlocksCaseInsensitiveKey(t *testing.T) {
 	filename := "Testfile"
-	ctx := newContext().(*httpContext)
+	ctx := newContext(&caddy.Instance{Storage: make(map[interface{}]interface{})}).(*httpContext)
 	input := strings.NewReader("localhost {\n}\nLOCALHOST {\n}")
 	sblocks, err := caddyfile.Parse(filename, input, nil)
 	if err != nil {
@@ -153,6 +201,80 @@ func TestInspectServerBlocksCaseInsensitiveKey(t *testing.T) {
 	}
 }

+func TestKeyNormalization(t *testing.T) {
+	originalCaseSensitivePath := CaseSensitivePath
+	defer func() {
+		CaseSensitivePath = originalCaseSensitivePath
+	}()
+	CaseSensitivePath = true
+
+	caseSensitiveData := []struct {
+		orig string
+		res  string
+	}{
+		{
+			orig: "http://host:1234/path",
+			res:  "http://host:1234/path",
+		},
+		{
+			orig: "HTTP://A/ABCDEF",
+			res:  "http://a/ABCDEF",
+		},
+		{
+			orig: "A/ABCDEF",
+			res:  "a/ABCDEF",
+		},
+		{
+			orig: "A:2015/Path",
+			res:  "a:2015/Path",
+		},
+		{
+			orig: ":80",
+			res:  "http://",
+		},
+		{
+			orig: ":443",
+			res:  "https://",
+		},
+		{
+			orig: ":1234",
+			res:  ":1234",
+		},
+	}
+	for _, item := range caseSensitiveData {
+		v := normalizedKey(item.orig)
+		if v != item.res {
+			t.Errorf("Normalization of `%s` with CaseSensitivePath option set to true must be equal to `%s`, got `%s` instead", item.orig, item.res, v)
+		}
+	}
+
+	CaseSensitivePath = false
+	caseInsensitiveData := []struct {
+		orig string
+		res  string
+	}{
+		{
+			orig: "HTTP://A/ABCDEF",
+			res:  "http://a/abcdef",
+		},
+		{
+			orig: "A/ABCDEF",
+			res:  "a/abcdef",
+		},
+		{
+			orig: "A:2015/Port",
+			res:  "a:2015/port",
+		},
+	}
+	for _, item := range caseInsensitiveData {
+		v := normalizedKey(item.orig)
+		if v != item.res {
+			t.Errorf("Normalization of `%s` with CaseSensitivePath option set to false must be equal to `%s`, got `%s` instead", item.orig, item.res, v)
+		}
+	}
+
+}
+
 func TestGetConfig(t *testing.T) {
 	// case insensitivity for key
 	con := caddy.NewTestController("http", "")
@@ -170,6 +292,14 @@ func TestGetConfig(t *testing.T) {
 	if cfg == cfg3 {
 		t.Errorf("Expected different configs using when key is different; got %p and %p", cfg, cfg3)
 	}
+
+	con.Key = "foo/foobar"
+	cfg4 := GetConfig(con)
+	con.Key = "foo/Foobar"
+	cfg5 := GetConfig(con)
+	if cfg4 == cfg5 {
+		t.Errorf("Expected different cases in path to differentiate keys in general")
+	}
 }

 func TestDirectivesList(t *testing.T) {
@@ -193,7 +323,7 @@ func TestDirectivesList(t *testing.T) {
 }

 func TestContextSaveConfig(t *testing.T) {
-	ctx := newContext().(*httpContext)
+	ctx := newContext(&caddy.Instance{Storage: make(map[interface{}]interface{})}).(*httpContext)
 	ctx.saveConfig("foo", new(SiteConfig))
 	if _, ok := ctx.keysToSiteConfigs["foo"]; !ok {
 		t.Error("Expected config to be saved, but it wasn't")
@@ -212,7 +342,7 @@ func TestContextSaveConfig(t *testing.T) {

 // Test to make sure we are correctly hiding the Caddyfile
 func TestHideCaddyfile(t *testing.T) {
-	ctx := newContext().(*httpContext)
+	ctx := newContext(&caddy.Instance{Storage: make(map[interface{}]interface{})}).(*httpContext)
 	ctx.saveConfig("test", &SiteConfig{
 		Root:            Root,
 		originCaddyfile: "Testfile",
@@ -1,7 +1,24 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
+	"bytes"
+	"io"
 	"net/http"
+	"sync"
 	"time"
 )

@@ -25,9 +42,7 @@ type ResponseRecorder struct {
 	start    time.Time
 }

-// NewResponseRecorder makes and returns a new responseRecorder,
-// which captures the HTTP Status code from the ResponseWriter
-// and also the length of the response body written through it.
+// NewResponseRecorder makes and returns a new ResponseRecorder.
 // Because a status is not set unless WriteHeader is called
 // explicitly, this constructor initializes with a status code
 // of 200 to cover the default case.
@@ -56,15 +71,191 @@ func (r *ResponseRecorder) Write(buf []byte) (int, error) {
 	return n, err
 }

-// Size is a Getter to size property
+// Size returns the size of the recorded response body.
 func (r *ResponseRecorder) Size() int {
 	return r.size
 }

-// Status is a Getter to status property
+// Status returns the recorded response status code.
 func (r *ResponseRecorder) Status() int {
 	return r.status
 }

+// ResponseBuffer is a type that conditionally buffers the
+// response in memory. It implements http.ResponseWriter so
+// that it can stream the response if it is not buffering.
+// Whether it buffers is decided by a func passed into the
+// constructor, NewResponseBuffer.
+//
+// This type implements http.ResponseWriter, so you can pass
+// this to the Next() middleware in the chain and record its
+// response. However, since the entire response body will be
+// buffered in memory, only use this when explicitly configured
+// and required for some specific reason. For example, the
+// text/template package only parses templates out of []byte
+// and not io.Reader, so the templates directive uses this
+// type to obtain the entire template text, but only on certain
+// requests that match the right Content-Type, etc.
+//
+// ResponseBuffer also implements io.ReaderFrom for performance
+// reasons. The standard lib's http.response type (unexported)
+// uses io.Copy to write the body. io.Copy makes an allocation
+// if the destination does not have a ReadFrom method (or if
+// the source does not have a WriteTo method, but that's
+// irrelevant here). Our ReadFrom is smart: if buffering, it
+// calls the buffer's ReadFrom, which makes no allocs because
+// it is already a buffer! If we're streaming the response
+// instead, ReadFrom uses io.CopyBuffer with a pooled buffer
+// that is managed within this package.
+type ResponseBuffer struct {
+	*ResponseWriterWrapper
+	Buffer       *bytes.Buffer
+	header       http.Header
+	status       int
+	shouldBuffer func(status int, header http.Header) bool
+	stream       bool
+	rw           http.ResponseWriter
+	wroteHeader  bool
+}
+
+// NewResponseBuffer returns a new ResponseBuffer that will
+// use buf to store the full body of the response if shouldBuffer
+// returns true. If shouldBuffer returns false, then the response
+// body will be streamed directly to rw.
+//
+// shouldBuffer will be passed the status code and header fields of
+// the response. With that information, the function should decide
+// whether to buffer the response in memory. For example: the templates
+// directive uses this to determine whether the response is the
+// right Content-Type (according to user config) for a template.
+//
+// For performance, the buf you pass in should probably be obtained
+// from a sync.Pool in order to reuse allocated space.
+func NewResponseBuffer(buf *bytes.Buffer, rw http.ResponseWriter,
+	shouldBuffer func(status int, header http.Header) bool) *ResponseBuffer {
+	rb := &ResponseBuffer{
+		Buffer:       buf,
+		header:       make(http.Header),
+		status:       http.StatusOK, // default status code
+		shouldBuffer: shouldBuffer,
+		rw:           rw,
+	}
+	rb.ResponseWriterWrapper = &ResponseWriterWrapper{ResponseWriter: rw}
+	return rb
+}
+
+// Header returns the response header map.
+func (rb *ResponseBuffer) Header() http.Header {
+	return rb.header
+}
+
+// WriteHeader calls shouldBuffer to decide whether the
+// upcoming body should be buffered, and then writes
+// the header to the response.
+func (rb *ResponseBuffer) WriteHeader(status int) {
+	if rb.wroteHeader {
+		return
+	}
+	rb.wroteHeader = true
+
+	rb.status = status
+	rb.stream = !rb.shouldBuffer(status, rb.header)
+	if rb.stream {
+		rb.CopyHeader()
+		rb.ResponseWriterWrapper.WriteHeader(status)
+	}
+}
+
+// Write writes buf to rb.Buffer if buffering, otherwise
+// to the ResponseWriter directly if streaming.
+func (rb *ResponseBuffer) Write(buf []byte) (int, error) {
+	if !rb.wroteHeader {
+		rb.WriteHeader(http.StatusOK)
+	}
+
+	if rb.stream {
+		return rb.ResponseWriterWrapper.Write(buf)
+	}
+	return rb.Buffer.Write(buf)
+}
+
+// Buffered returns whether rb has decided to buffer the response.
+func (rb *ResponseBuffer) Buffered() bool {
+	return !rb.stream
+}
+
+// CopyHeader copies the buffered header in rb to the ResponseWriter,
+// but it does not write the header out.
+func (rb *ResponseBuffer) CopyHeader() {
+	for field, val := range rb.header {
+		rb.ResponseWriterWrapper.Header()[field] = val
+	}
+}
+
+// ReadFrom avoids allocations when writing to the buffer (if buffering),
+// and reduces allocations when writing to the ResponseWriter directly
+// (if streaming).
+//
+// In local testing with the templates directive, req/sec were improved
+// from ~8,200 to ~9,600 on templated files by ensuring that this type
+// implements io.ReaderFrom.
+func (rb *ResponseBuffer) ReadFrom(src io.Reader) (int64, error) {
+	if !rb.wroteHeader {
+		rb.WriteHeader(http.StatusOK)
+	}
+
+	if rb.stream {
+		// first see if we can avoid any allocations at all
+		if wt, ok := src.(io.WriterTo); ok {
+			return wt.WriteTo(rb.ResponseWriterWrapper)
+		}
+		// if not, use a pooled copy buffer to reduce allocs
+		// (this improved req/sec from ~25,300 to ~27,000 on
+		// static files served directly with the fileserver,
+		// but results fluctuated a little on each run).
+		// a note of caution:
+		// https://go-review.googlesource.com/c/22134#message-ff351762308fe05f6b72a487d6842e3988916486
+		buf := respBufPool.Get().([]byte)
+		n, err := io.CopyBuffer(rb.ResponseWriterWrapper, src, buf)
+		respBufPool.Put(buf) // deferring this slowed down benchmarks a smidgin, I think
+		return n, err
+	}
+	return rb.Buffer.ReadFrom(src)
+}
+
+// StatusCodeWriter returns an http.ResponseWriter that always
+// writes the status code stored in rb from when a response
+// was buffered to it.
+func (rb *ResponseBuffer) StatusCodeWriter(w http.ResponseWriter) http.ResponseWriter {
+	return forcedStatusCodeWriter{w, rb}
+}
+
+// forcedStatusCodeWriter is used to force a status code when
+// writing the header. It uses the status code saved on rb.
+// This is useful if passing a http.ResponseWriter into
+// http.ServeContent because ServeContent hard-codes 2xx status
+// codes. If we buffered the response, we force that status code
+// instead.
+type forcedStatusCodeWriter struct {
+	http.ResponseWriter
+	rb *ResponseBuffer
+}
+
+func (fscw forcedStatusCodeWriter) WriteHeader(int) {
+	fscw.ResponseWriter.WriteHeader(fscw.rb.status)
+}
+
+// respBufPool is used for io.CopyBuffer when ResponseBuffer
+// is configured to stream a response.
+var respBufPool = &sync.Pool{
+	New: func() interface{} {
+		return make([]byte, 32*1024)
+	},
+}
+
 // Interface guards
-var _ HTTPInterfaces = (*ResponseRecorder)(nil)
+var (
+	_ HTTPInterfaces = (*ResponseRecorder)(nil)
+	_ HTTPInterfaces = (*ResponseBuffer)(nil)
+	_ io.ReaderFrom  = (*ResponseBuffer)(nil)
+)
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -30,7 +44,7 @@ func TestWrite(t *testing.T) {
 	responseTestString := "test"
 	recordRequest := NewResponseRecorder(w)
 	buf := []byte(responseTestString)
-	recordRequest.Write(buf)
+	_, _ = recordRequest.Write(buf)
 	if recordRequest.size != len(buf) {
 		t.Fatalf("Expected the bytes written counter to be %d, but instead found %d\n", len(buf), recordRequest.size)
 	}
@@ -1,7 +1,25 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net"
@@ -14,7 +32,8 @@ import (
 	"strings"
 	"time"

-	"github.com/mholt/caddy"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddytls"
 )

 // requestReplacer is a strings.Replacer which is used to
@@ -88,20 +107,30 @@ func (lw *limitWriter) String() string {
 // emptyValue should be the string that is used in place
 // of empty string (can still be empty string).
 func NewReplacer(r *http.Request, rr *ResponseRecorder, emptyValue string) Replacer {
-	rb := newLimitWriter(MaxLogBodySize)
-	if r.Body != nil {
-		r.Body = struct {
-			io.Reader
-			io.Closer
-		}{io.TeeReader(r.Body, rb), io.Closer(r.Body)}
+	repl := &replacer{
+		request:          r,
+		responseRecorder: rr,
+		emptyValue:       emptyValue,
 	}
-	return &replacer{
-		request:            r,
-		requestBody:        rb,
-		responseRecorder:   rr,
-		customReplacements: make(map[string]string),
-		emptyValue:         emptyValue,
+
+	// extract customReplacements from a request replacer when present.
+	if existing, ok := r.Context().Value(ReplacerCtxKey).(*replacer); ok {
+		repl.requestBody = existing.requestBody
+		repl.customReplacements = existing.customReplacements
+	} else {
+		// if there is no existing replacer, build one from scratch.
+		rb := newLimitWriter(MaxLogBodySize)
+		if r.Body != nil {
+			r.Body = struct {
+				io.Reader
+				io.Closer
+			}{io.TeeReader(r.Body, rb), io.Closer(r.Body)}
+		}
+		repl.requestBody = rb
+		repl.customReplacements = make(map[string]string)
 	}
+
+	return repl
 }

 func canLogRequest(r *http.Request) bool {
@@ -116,6 +145,14 @@ func canLogRequest(r *http.Request) bool {
 	return false
 }

+// unescapeBraces finds escaped braces in s and returns
+// a string with those braces unescaped.
+func unescapeBraces(s string) string {
+	s = strings.Replace(s, "\\{", "{", -1)
+	s = strings.Replace(s, "\\}", "}", -1)
+	return s
+}
+
 // Replace performs a replacement of values on s and returns
 // the string with the replaced values.
 func (r *replacer) Replace(s string) string {
@@ -125,32 +162,59 @@ func (r *replacer) Replace(s string) string {
 	}

 	result := ""
+Placeholders: // process each placeholder in sequence
 	for {
-		idxStart := strings.Index(s, "{")
-		if idxStart == -1 {
-			// no placeholder anymore
-			break
-		}
-		idxEnd := strings.Index(s[idxStart:], "}")
-		if idxEnd == -1 {
-			// unpaired placeholder
-			break
-		}
-		idxEnd += idxStart
+		var idxStart, idxEnd int

-		// get a replacement
-		placeholder := s[idxStart : idxEnd+1]
+		idxOffset := 0
+		for { // find first unescaped opening brace
+			searchSpace := s[idxOffset:]
+			idxStart = strings.Index(searchSpace, "{")
+			if idxStart == -1 {
+				// no more placeholders
+				break Placeholders
+			}
+			if idxStart == 0 || searchSpace[idxStart-1] != '\\' {
+				// preceding character is not an escape
+				idxStart += idxOffset
+				break
+			}
+			// the brace we found was escaped
+			// search the rest of the string next
+			idxOffset += idxStart + 1
+		}
+
+		idxOffset = 0
+		for { // find first unescaped closing brace
+			searchSpace := s[idxStart+idxOffset:]
+			idxEnd = strings.Index(searchSpace, "}")
+			if idxEnd == -1 {
+				// unpaired placeholder
+				break Placeholders
+			}
+			if idxEnd == 0 || searchSpace[idxEnd-1] != '\\' {
+				// preceding character is not an escape
+				idxEnd += idxOffset + idxStart
+				break
+			}
+			// the brace we found was escaped
+			// search the rest of the string next
+			idxOffset += idxEnd + 1
+		}
+
+		// get a replacement for the unescaped placeholder
+		placeholder := unescapeBraces(s[idxStart : idxEnd+1])
 		replacement := r.getSubstitution(placeholder)

-		// append prefix + replacement
-		result += s[:idxStart] + replacement
+		// append unescaped prefix + replacement
+		result += strings.TrimPrefix(unescapeBraces(s[:idxStart]), "\\") + replacement

 		// strip out scanned parts
 		s = s[idxEnd+1:]
 	}

 	// append unscanned parts
-	return result + s
+	return result + unescapeBraces(s)
 }

 func roundDuration(d time.Duration) time.Duration {
@@ -183,6 +247,15 @@ func round(d, r time.Duration) time.Duration {
 	return d
 }

+// getPeerCert returns peer certificate
+func (r *replacer) getPeerCert() *x509.Certificate {
+	if r.request.TLS != nil && len(r.request.TLS.PeerCertificates) > 0 {
+		return r.request.TLS.PeerCertificates[0]
+	}
+
+	return nil
+}
+
 // getSubstitution retrieves value from corresponding key
 func (r *replacer) getSubstitution(key string) string {
 	// search custom replacements first
@@ -200,6 +273,16 @@ func (r *replacer) getSubstitution(key string) string {
 			}
 		}
 	}
+	// search response headers then
+	if r.responseRecorder != nil && key[1] == '<' {
+		want := key[2 : len(key)-1]
+		for key, values := range r.responseRecorder.Header() {
+			// Header placeholders (case-insensitive)
+			if strings.EqualFold(key, want) {
+				return strings.Join(values, ",")
+			}
+		}
+	}
 	// next check for cookies
 	if key[1] == '~' {
 		name := key[2 : len(key)-1]
@@ -285,10 +368,14 @@ func (r *replacer) getSubstitution(key string) string {
 		return url.QueryEscape(r.request.URL.RequestURI())
 	case "{when}":
 		return now().Format(timeFormat)
+	case "{when_iso_local}":
+		return now().Format(timeFormatISO)
 	case "{when_iso}":
 		return now().UTC().Format(timeFormatISOUTC)
 	case "{when_unix}":
 		return strconv.FormatInt(now().Unix(), 10)
+	case "{when_unix_ms}":
+		return strconv.FormatInt(nanoToMilliseconds(now().UnixNano()), 10)
 	case "{file}":
 		_, file := path.Split(r.request.URL.Path)
 		return file
@@ -341,14 +428,120 @@ func (r *replacer) getSubstitution(key string) string {
 		}
 		elapsedDuration := time.Since(r.responseRecorder.start)
 		return strconv.FormatInt(convertToMilliseconds(elapsedDuration), 10)
+	case "{tls_protocol}":
+		if r.request.TLS != nil {
+			if name, err := caddytls.GetSupportedProtocolName(r.request.TLS.Version); err == nil {
+				return name
+			} else {
+				return "tls" // this should never happen, but guard in case
+			}
+		}
+		return r.emptyValue // because not using a secure channel
+	case "{tls_cipher}":
+		if r.request.TLS != nil {
+			if name, err := caddytls.GetSupportedCipherName(r.request.TLS.CipherSuite); err == nil {
+				return name
+			} else {
+				return "UNKNOWN" // this should never happen, but guard in case
+			}
+		}
+		return r.emptyValue
+	case "{tls_client_escaped_cert}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			pemBlock := pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: cert.Raw,
+			}
+			return url.QueryEscape(string(pem.EncodeToMemory(&pemBlock)))
+		}
+		return r.emptyValue
+	case "{tls_client_fingerprint}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
+		}
+		return r.emptyValue
+	case "{tls_client_i_dn}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return cert.Issuer.String()
+		}
+		return r.emptyValue
+	case "{tls_client_raw_cert}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return string(cert.Raw)
+		}
+		return r.emptyValue
+	case "{tls_client_s_dn}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return cert.Subject.String()
+		}
+		return r.emptyValue
+	case "{tls_client_serial}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return fmt.Sprintf("%x", cert.SerialNumber)
+		}
+		return r.emptyValue
+	case "{tls_client_v_end}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return cert.NotAfter.In(time.UTC).Format("Jan 02 15:04:05 2006 MST")
+		}
+		return r.emptyValue
+	case "{tls_client_v_remain}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			now := time.Now().In(time.UTC)
+			days := int64(cert.NotAfter.Sub(now).Seconds() / 86400)
+			return strconv.FormatInt(days, 10)
+		}
+		return r.emptyValue
+	case "{tls_client_v_start}":
+		cert := r.getPeerCert()
+		if cert != nil {
+			return cert.NotBefore.Format("Jan 02 15:04:05 2006 MST")
+		}
+		return r.emptyValue
+	case "{server_port}":
+		_, port, err := net.SplitHostPort(r.request.Host)
+		if err != nil {
+			if r.request.TLS != nil {
+				return "443"
+			} else {
+				return "80"
+			}
+		}
+		return port
+	default:
+		// {labelN}
+		if strings.HasPrefix(key, "{label") {
+			nStr := key[6 : len(key)-1] // get the integer N in "{labelN}"
+			n, err := strconv.Atoi(nStr)
+			if err != nil || n < 1 {
+				return r.emptyValue
+			}
+			labels := strings.Split(r.request.Host, ".")
+			if n > len(labels) {
+				return r.emptyValue
+			}
+			return labels[n-1]
+		}
 	}

 	return r.emptyValue
 }

-//convertToMilliseconds returns the number of milliseconds in the given duration
+func nanoToMilliseconds(d int64) int64 {
+	return d / 1e6
+}
+
+// convertToMilliseconds returns the number of milliseconds in the given duration
 func convertToMilliseconds(d time.Duration) int64 {
-	return d.Nanoseconds() / 1e6
+	return nanoToMilliseconds(d.Nanoseconds())
 }

 // Set sets key to value in the r.customReplacements map.
@@ -358,6 +551,7 @@ func (r *replacer) Set(key, value string) {

 const (
 	timeFormat        = "02/Jan/2006:15:04:05 -0700"
+	timeFormatISO     = "2006-01-02T15:04:05"  // ISO 8601 with timezone to be assumed as local
 	timeFormatISOUTC  = "2006-01-02T15:04:05Z" // ISO 8601 with timezone to be assumed as UTC
 	headerContentType = "Content-Type"
 	contentTypeJSON   = "application/json"
@@ -1,13 +1,36 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"context"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/caddyserver/caddy/caddytls"
 )

 func TestNewReplacer(t *testing.T) {
@@ -39,7 +62,7 @@ func TestReplace(t *testing.T) {
 	recordRequest := NewResponseRecorder(w)
 	reader := strings.NewReader(`{"username": "dennis"}`)

-	request, err := http.NewRequest("POST", "http://localhost/?foo=bar", reader)
+	request, err := http.NewRequest("POST", "http://localhost.local/?foo=bar", reader)
 	if err != nil {
 		t.Fatalf("Failed to make request: %v", err)
 	}
@@ -53,6 +76,9 @@ func TestReplace(t *testing.T) {
 	request.Header.Set("CustomAdd", "caddy")
 	request.Header.Set("Cookie", "foo=bar; taste=delicious")

+	// add some response headers
+	recordRequest.Header().Set("Custom", "CustomResponseHeader")
+
 	hostname, err := os.Hostname()
 	if err != nil {
 		t.Fatalf("Failed to determine hostname: %v", err)
@@ -60,7 +86,8 @@ func TestReplace(t *testing.T) {

 	old := now
 	now = func() time.Time {
-		return time.Date(2006, 1, 2, 15, 4, 5, 02, time.FixedZone("hardcoded", -7))
+		// Note that the `-7` is seconds, not hours.
+		return time.Date(2006, 1, 2, 15, 4, 5, 99999999, time.FixedZone("hardcoded", -7))
 	}
 	defer func() {
 		now = old
@@ -70,18 +97,23 @@ func TestReplace(t *testing.T) {
 		expect   string
 	}{
 		{"This hostname is {hostname}", "This hostname is " + hostname},
-		{"This host is {host}.", "This host is localhost."},
+		{"This host is {host}.", "This host is localhost.local."},
 		{"This request method is {method}.", "This request method is POST."},
 		{"The response status is {status}.", "The response status is 200."},
 		{"{when}", "02/Jan/2006:15:04:05 +0000"},
 		{"{when_iso}", "2006-01-02T15:04:12Z"},
+		{"{when_iso_local}", "2006-01-02T15:04:05"},
 		{"{when_unix}", "1136214252"},
+		{"{when_unix_ms}", "1136214252099"},
 		{"The Custom header is {>Custom}.", "The Custom header is foobarbaz."},
 		{"The CustomAdd header is {>CustomAdd}.", "The CustomAdd header is caddy."},
-		{"The request is {request}.", "The request is POST /?foo=bar HTTP/1.1\\r\\nHost: localhost\\r\\n" +
+		{"The Custom response header is {<Custom}.", "The Custom response header is CustomResponseHeader."},
+		{"Bad {>Custom placeholder", "Bad {>Custom placeholder"},
+		{"The request is {request}.", "The request is POST /?foo=bar HTTP/1.1\\r\\nHost: localhost.local\\r\\n" +
 			"Cookie: foo=bar; taste=delicious\\r\\nCustom: foobarbaz\\r\\nCustomadd: caddy\\r\\n" +
 			"Shorterval: 1\\r\\n\\r\\n."},
 		{"The cUsToM header is {>cUsToM}...", "The cUsToM header is foobarbaz..."},
+		{"The cUsToM response header is {<CuSTom}.", "The cUsToM response header is CustomResponseHeader."},
 		{"The Non-Existent header is {>Non-Existent}.", "The Non-Existent header is -."},
 		{"Bad {host placeholder...", "Bad {host placeholder..."},
 		{"Bad {>Custom placeholder", "Bad {>Custom placeholder"},
@@ -92,6 +124,10 @@ func TestReplace(t *testing.T) {
 		{"Query string is {query}", "Query string is foo=bar"},
 		{"Query string value for foo is {?foo}", "Query string value for foo is bar"},
 		{"Missing query string argument is {?missing}", "Missing query string argument is "},
+		{"{label1} {label2} {label3} {label4}", "localhost local - -"},
+		{"Label with missing number is {label} or {labelQQ}", "Label with missing number is - or -"},
+		{"\\{ 'hostname': '{hostname}' \\}", "{ 'hostname': '" + hostname + "' }"},
+		{"{server_port}", "80"},
 	}

 	for _, c := range testCases {
@@ -124,6 +160,234 @@ func TestReplace(t *testing.T) {
 	}
 }

+func TestCustomServerPort(t *testing.T) {
+	w := httptest.NewRecorder()
+	recordRequest := NewResponseRecorder(w)
+	reader := strings.NewReader(`{"username": "dennis"}`)
+
+	request, err := http.NewRequest("POST", "http://localhost.local:8000/?foo=bar", reader)
+	if err != nil {
+		t.Fatalf("Failed to make request: %v", err)
+	}
+	ctx := context.WithValue(request.Context(), OriginalURLCtxKey, *request.URL)
+	request = request.WithContext(ctx)
+
+	repl := NewReplacer(request, recordRequest, "-")
+
+	testCase := struct {
+		template string
+		expect   string
+	}{
+		template: "{server_port}",
+		expect:   "8000",
+	}
+
+	if expected, actual := testCase.expect, repl.Replace(testCase.template); expected != actual {
+		t.Errorf("for template '%s', expected '%s', got '%s'", testCase.template, expected, actual)
+	}
+}
+
+func TestTlsReplace(t *testing.T) {
+	w := httptest.NewRecorder()
+	recordRequest := NewResponseRecorder(w)
+
+	clientCertText := []byte(`-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1DYWRk
+eSBUZXN0IENBMB4XDTE4MDcyNDIxMzUwNVoXDTI4MDcyMTIxMzUwNVowHTEbMBkG
+A1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDFDEpzF0ew68teT3xDzcUxVFaTII+jXH1ftHXxxP4BEYBU4q90qzeKFneF
+z83I0nC0WAQ45ZwHfhLMYHFzHPdxr6+jkvKPASf0J2v2HDJuTM1bHBbik5Ls5eq+
+fVZDP8o/VHKSBKxNs8Goc2NTsr5b07QTIpkRStQK+RJALk4x9QIDAQABo0swSTAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A
+AAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEANSjz2Sk+
+eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
+3Q9fgDkiUod+uIK0IynzIKvw+Cjg+3nx6NQ0IM0zo8c7v398RzB4apbXKZyeeqUH
+9fNwfEi+OoXR6s+upSKobCmLGLGi9Na5s5g=
+-----END CERTIFICATE-----`)
+
+	block, _ := pem.Decode(clientCertText)
+	if block == nil {
+		t.Fatalf("failed to decode PEM certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("failed to decode PEM certificate: %v", err)
+	}
+
+	request := &http.Request{
+		Method: "GET",
+		Host:   "foo.com",
+		URL: &url.URL{
+			Scheme: "https",
+			Path:   "/path/",
+			Host:   "foo.com",
+		},
+		Header:     http.Header{},
+		Proto:      "HTTP/1.1",
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		RemoteAddr: "192.0.2.1:1234",
+		RequestURI: "https://foo.com/path/",
+		TLS: &tls.ConnectionState{
+			Version:           tls.VersionTLS12,
+			HandshakeComplete: true,
+			ServerName:        "foo.com",
+			CipherSuite:       tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			PeerCertificates:  []*x509.Certificate{cert},
+		},
+	}
+
+	repl := NewReplacer(request, recordRequest, "-")
+
+	now := time.Now().In(time.UTC)
+	days := int64(cert.NotAfter.Sub(now).Seconds() / 86400)
+	pemBlock := pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	}
+
+	protocol, _ := caddytls.GetSupportedProtocolName(request.TLS.Version)
+	cipher, _ := caddytls.GetSupportedCipherName(request.TLS.CipherSuite)
+	cEscapedCert := url.QueryEscape(string(pem.EncodeToMemory(&pemBlock)))
+	cFingerprint := fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
+	cIDn := cert.Issuer.String()
+	cRawCert := string(cert.Raw)
+	cSDn := cert.Subject.String()
+	cSerial := fmt.Sprintf("%x", cert.SerialNumber)
+	cVEnd := cert.NotAfter.In(time.UTC).Format("Jan 02 15:04:05 2006 MST")
+	cVRemain := strconv.FormatInt(days, 10)
+	cVStart := cert.NotBefore.Format("Jan 02 15:04:05 2006 MST")
+
+	testCases := []struct {
+		template string
+		expect   string
+	}{
+		{"{tls_protocol}", protocol},
+		{"{tls_cipher}", cipher},
+		{"{tls_client_escaped_cert}", cEscapedCert},
+		{"{tls_client_fingerprint}", cFingerprint},
+		{"{tls_client_i_dn}", cIDn},
+		{"{tls_client_raw_cert}", cRawCert},
+		{"{tls_client_s_dn}", cSDn},
+		{"{tls_client_serial}", cSerial},
+		{"{tls_client_v_end}", cVEnd},
+		{"{tls_client_v_remain}", cVRemain},
+		{"{tls_client_v_start}", cVStart},
+		{"{server_port}", "443"},
+	}
+
+	for _, c := range testCases {
+		if expected, actual := c.expect, repl.Replace(c.template); expected != actual {
+			t.Errorf("for template '%s', expected '%s', got '%s'", c.template, expected, actual)
+		}
+	}
+}
+
+func BenchmarkReplace(b *testing.B) {
+	w := httptest.NewRecorder()
+	recordRequest := NewResponseRecorder(w)
+	reader := strings.NewReader(`{"username": "dennis"}`)
+
+	request, err := http.NewRequest("POST", "http://localhost/?foo=bar", reader)
+	if err != nil {
+		b.Fatalf("Failed to make request: %v", err)
+	}
+	ctx := context.WithValue(request.Context(), OriginalURLCtxKey, *request.URL)
+	request = request.WithContext(ctx)
+
+	request.Header.Set("Custom", "foobarbaz")
+	request.Header.Set("ShorterVal", "1")
+	repl := NewReplacer(request, recordRequest, "-")
+	// add some headers after creating replacer
+	request.Header.Set("CustomAdd", "caddy")
+	request.Header.Set("Cookie", "foo=bar; taste=delicious")
+
+	// add some response headers
+	recordRequest.Header().Set("Custom", "CustomResponseHeader")
+
+	now = func() time.Time {
+		// Note that the `-7` is seconds, not hours.
+		return time.Date(2006, 1, 2, 15, 4, 5, 02, time.FixedZone("hardcoded", -7))
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		repl.Replace("This hostname is {hostname}")
+	}
+}
+
+func BenchmarkReplaceEscaped(b *testing.B) {
+	w := httptest.NewRecorder()
+	recordRequest := NewResponseRecorder(w)
+	reader := strings.NewReader(`{"username": "dennis"}`)
+
+	request, err := http.NewRequest("POST", "http://localhost/?foo=bar", reader)
+	if err != nil {
+		b.Fatalf("Failed to make request: %v", err)
+	}
+	ctx := context.WithValue(request.Context(), OriginalURLCtxKey, *request.URL)
+	request = request.WithContext(ctx)
+
+	request.Header.Set("Custom", "foobarbaz")
+	request.Header.Set("ShorterVal", "1")
+	repl := NewReplacer(request, recordRequest, "-")
+	// add some headers after creating replacer
+	request.Header.Set("CustomAdd", "caddy")
+	request.Header.Set("Cookie", "foo=bar; taste=delicious")
+
+	// add some response headers
+	recordRequest.Header().Set("Custom", "CustomResponseHeader")
+
+	now = func() time.Time {
+		// Note that the `-7` is seconds, not hours.
+		return time.Date(2006, 1, 2, 15, 4, 5, 02, time.FixedZone("hardcoded", -7))
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		repl.Replace("\\{ 'hostname': '{hostname}' \\}")
+	}
+}
+
+func TestResponseRecorderNil(t *testing.T) {
+
+	reader := strings.NewReader(`{"username": "dennis"}`)
+
+	request, err := http.NewRequest("POST", "http://localhost/?foo=bar", reader)
+	if err != nil {
+		t.Fatalf("Failed to make request: %v", err)
+	}
+
+	request.Header.Set("Custom", "foobarbaz")
+	repl := NewReplacer(request, nil, "-")
+	// add some headers after creating replacer
+	request.Header.Set("CustomAdd", "caddy")
+	request.Header.Set("Cookie", "foo=bar; taste=delicious")
+
+	old := now
+	now = func() time.Time {
+		// Note that the `-7` is seconds, not hours.
+		return time.Date(2006, 1, 2, 15, 4, 5, 02, time.FixedZone("hardcoded", -7))
+	}
+	defer func() {
+		now = old
+	}()
+	testCases := []struct {
+		template string
+		expect   string
+	}{
+		{"The Custom response header is {<Custom}.", "The Custom response header is -."},
+	}
+
+	for _, c := range testCases {
+		if expected, actual := c.expect, repl.Replace(c.template); expected != actual {
+			t.Errorf("for template '%s', expected '%s', got '%s'", c.template, expected, actual)
+		}
+	}
+
+}
+
 func TestSet(t *testing.T) {
 	w := httptest.NewRecorder()
 	recordRequest := NewResponseRecorder(w)
@@ -209,7 +473,7 @@ func TestRound(t *testing.T) {
 	}
 }

-func TestMillisecondConverstion(t *testing.T) {
+func TestMillisecondConversion(t *testing.T) {
 	var testCases = map[time.Duration]int64{
 		2 * time.Second:           2000,
 		9039492 * time.Nanosecond: 9,
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -6,11 +20,12 @@ import (
 	"path/filepath"
 	"strconv"

-	"gopkg.in/natefinch/lumberjack.v2"
+	lumberjack "gopkg.in/natefinch/lumberjack.v2"
 )

 // LogRoller implements a type that provides a rolling logger.
 type LogRoller struct {
+	Disabled   bool
 	Filename   string
 	MaxSize    int
 	MaxAge     int
@@ -52,10 +67,11 @@ func IsLogRollerSubdirective(subdir string) bool {
 	return subdir == directiveRotateSize ||
 		subdir == directiveRotateAge ||
 		subdir == directiveRotateKeep ||
-		subdir == directiveRotateCompress
+		subdir == directiveRotateCompress ||
+		subdir == directiveRotateDisable
 }

-var invalidRollerParameterErr = errors.New("invalid roller parameter")
+var errInvalidRollParameter = errors.New("invalid roller parameter")

 // ParseRoller parses roller contents out of c.
 func ParseRoller(l *LogRoller, what string, where ...string) error {
@@ -65,16 +81,16 @@ func ParseRoller(l *LogRoller, what string, where ...string) error {

 	// rotate_compress doesn't accept any parameters.
 	// others only accept one parameter
-	if (what == directiveRotateCompress && len(where) != 0) ||
-		(what != directiveRotateCompress && len(where) != 1) {
-		return invalidRollerParameterErr
+	if ((what == directiveRotateCompress || what == directiveRotateDisable) && len(where) != 0) ||
+		((what != directiveRotateCompress && what != directiveRotateDisable) && len(where) != 1) {
+		return errInvalidRollParameter
 	}

 	var (
 		value int
 		err   error
 	)
-	if what != directiveRotateCompress {
+	if what != directiveRotateCompress && what != directiveRotateDisable {
 		value, err = strconv.Atoi(where[0])
 		if err != nil {
 			return err
@@ -82,6 +98,8 @@ func ParseRoller(l *LogRoller, what string, where ...string) error {
 	}

 	switch what {
+	case directiveRotateDisable:
+		l.Disabled = true
 	case directiveRotateSize:
 		l.MaxSize = value
 	case directiveRotateAge:
@@ -113,6 +131,7 @@ const (
 	// defaultRotateKeep is 10 files.
 	defaultRotateKeep = 10

+	directiveRotateDisable  = "rotate_disable"
 	directiveRotateSize     = "rotate_size"
 	directiveRotateAge      = "rotate_age"
 	directiveRotateKeep     = "rotate_keep"
@@ -121,4 +140,4 @@ const (

 // lumberjacks maps log filenames to the logger
 // that is being used to keep them rolled/maintained.
-var lumberjacks = make(map[string]*lumberjack.Logger)
+var lumberjacks = make(map[string]io.Writer)
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package httpserver implements an HTTP server on top of Caddy.
 package httpserver

@@ -15,21 +29,19 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
-	"sync"
 	"time"

-	"github.com/lucas-clemente/quic-go/h2quic"
-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
-	"github.com/mholt/caddy/caddytls"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/caddyserver/caddy/telemetry"
+	"github.com/lucas-clemente/quic-go/http3"
 )

 // Server is the HTTP server implementation.
 type Server struct {
 	Server      *http.Server
-	quicServer  *h2quic.Server
-	listener    net.Listener
-	listenerMu  sync.Mutex
+	quicServer  *http3.Server
 	sites       []*SiteConfig
 	connTimeout time.Duration // max time to wait for a connection before force stop
 	tlsGovChan  chan struct{} // close to stop the TLS maintenance goroutine
@@ -92,7 +104,7 @@ func NewServer(addr string, group []*SiteConfig) (*Server, error) {
 	if s.Server.TLSConfig != nil {
 		// enable QUIC if desired (requires HTTP/2)
 		if HTTP2 && QUIC {
-			s.quicServer = &h2quic.Server{Server: s.Server}
+			s.quicServer = &http3.Server{Server: s.Server}
 			s.Server.Handler = s.wrapWithSvcHeaders(s.Server.Handler)
 		}

@@ -128,7 +140,7 @@ func NewServer(addr string, group []*SiteConfig) (*Server, error) {

 	// Compile custom middleware for every site (enables virtual hosting)
 	for _, site := range group {
-		stack := Handler(staticfiles.FileServer{Root: http.Dir(site.Root), Hide: site.HiddenFiles})
+		stack := Handler(staticfiles.FileServer{Root: http.Dir(site.Root), Hide: site.HiddenFiles, IndexPages: site.IndexPages})
 		for i := len(site.middleware) - 1; i >= 0; i-- {
 			stack = site.middleware[i](stack)
 		}
@@ -222,7 +234,9 @@ func makeHTTPServerWithTimeouts(addr string, group []*SiteConfig) *http.Server {

 func (s *Server) wrapWithSvcHeaders(previousHandler http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		s.quicServer.SetQuicHeaders(w.Header())
+		if err := s.quicServer.SetQuicHeaders(w.Header()); err != nil {
+			log.Println("[Error] failed to set proper headers for QUIC: ", err)
+		}
 		previousHandler.ServeHTTP(w, r)
 	}
 }
@@ -231,7 +245,7 @@ func (s *Server) wrapWithSvcHeaders(previousHandler http.Handler) http.HandlerFu
 // used to serve requests.
 func (s *Server) Listen() (net.Listener, error) {
 	if s.Server == nil {
-		return nil, fmt.Errorf("Server field is nil")
+		return nil, fmt.Errorf("server field is nil")
 	}

 	ln, err := net.Listen("tcp", s.Server.Addr)
@@ -259,16 +273,26 @@ func (s *Server) Listen() (net.Listener, error) {
 		ln = tcpKeepAliveListener{TCPListener: tcpLn}
 	}

+	cln := s.WrapListener(ln)
+
+	// Very important to return a concrete caddy.Listener
+	// implementation for graceful restarts.
+	return cln.(caddy.Listener), nil
+}
+
+// WrapListener wraps ln in the listener middlewares configured
+// for this server.
+func (s *Server) WrapListener(ln net.Listener) net.Listener {
+	if ln == nil {
+		return nil
+	}
 	cln := ln.(caddy.Listener)
 	for _, site := range s.sites {
 		for _, m := range site.listenerMiddleware {
 			cln = m(cln)
 		}
 	}
-
-	// Very important to return a concrete caddy.Listener
-	// implementation for graceful restarts.
-	return cln.(caddy.Listener), nil
+	return cln
 }

 // ListenPacket creates udp connection for QUIC if it is enabled,
@@ -285,10 +309,6 @@ func (s *Server) ListenPacket() (net.PacketConn, error) {

 // Serve serves requests on ln. It blocks until ln is closed.
 func (s *Server) Serve(ln net.Listener) error {
-	s.listenerMu.Lock()
-	s.listener = ln
-	s.listenerMu.Unlock()
-
 	if s.Server.TLSConfig != nil {
 		// Create TLS listener - note that we do not replace s.listener
 		// with this TLS listener; tls.listener is unexported and does
@@ -304,11 +324,19 @@ func (s *Server) Serve(ln net.Listener) error {
 		s.tlsGovChan = caddytls.RotateSessionTicketKeys(s.Server.TLSConfig)
 	}

+	defer func() {
+		if s.quicServer != nil {
+			if err := s.quicServer.Close(); err != nil {
+				log.Println("[ERROR] failed to close QUIC server: ", err)
+			}
+		}
+	}()
+
 	err := s.Server.Serve(ln)
-	if QUIC {
-		s.quicServer.Close()
+	if err != nil && err != http.ErrServerClosed {
+		return err
 	}
-	return err
+	return nil
 }

 // ServePacket serves QUIC requests on pc until it is closed.
@@ -331,6 +359,16 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}()

+	// record the User-Agent string (with a cap on its length to mitigate attacks)
+	ua := r.Header.Get("User-Agent")
+	if len(ua) > 512 {
+		ua = ua[:512]
+	}
+	uaHash := telemetry.FastHash([]byte(ua)) // this is a normalized field
+	go telemetry.SetNested("http_user_agent", uaHash, ua)
+	go telemetry.AppendUnique("http_user_agent_count", uaHash)
+	go telemetry.Increment("http_request_count")
+
 	// copy the original, unchanged URL into the context
 	// so it can be referenced by middlewares
 	urlCopy := *r.URL
@@ -342,6 +380,12 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	c := context.WithValue(r.Context(), OriginalURLCtxKey, urlCopy)
 	r = r.WithContext(c)

+	// Setup a replacer for the request that keeps track of placeholder
+	// values across plugins.
+	replacer := NewReplacer(r, nil, "")
+	c = context.WithValue(r.Context(), ReplacerCtxKey, replacer)
+	r = r.WithContext(c)
+
 	w.Header().Set("Server", caddy.AppName)

 	status, _ := s.serveHTTP(w, r)
@@ -368,24 +412,26 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)

 	if vhost == nil {
 		// check for ACME challenge even if vhost is nil;
-		// could be a new host coming online soon
-		if caddytls.HTTPChallengeHandler(w, r, "localhost", caddytls.DefaultHTTPAlternatePort) {
+		// could be a new host coming online soon - choose any
+		// vhost's cert manager configuration, I guess
+		if len(s.sites) > 0 && s.sites[0].TLS.Manager.HandleHTTPChallenge(w, r) {
 			return 0, nil
 		}
+
 		// otherwise, log the error and write a message to the client
 		remoteHost, _, err := net.SplitHostPort(r.RemoteAddr)
 		if err != nil {
 			remoteHost = r.RemoteAddr
 		}
-		WriteSiteNotFound(w, r) // don't add headers outside of this function
+		WriteSiteNotFound(w, r) // don't add headers outside of this function (http.forwardproxy)
 		log.Printf("[INFO] %s - No such site at %s (Remote: %s, Referer: %s)",
 			hostname, s.Server.Addr, remoteHost, r.Header.Get("Referer"))
 		return 0, nil
 	}

 	// we still check for ACME challenge if the vhost exists,
-	// because we must apply its HTTP challenge config settings
-	if s.proxyHTTPChallenge(vhost, w, r) {
+	// because the HTTP challenge might be disabled by its config
+	if vhost.TLS.Manager.HandleHTTPChallenge(w, r) {
 		return 0, nil
 	}

@@ -393,31 +439,45 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 	// the URL path, so a request to example.com/foo/blog on the site
 	// defined as example.com/foo appears as /blog instead of /foo/blog.
 	if pathPrefix != "/" {
-		r.URL.Path = strings.TrimPrefix(r.URL.Path, pathPrefix)
-		if !strings.HasPrefix(r.URL.Path, "/") {
-			r.URL.Path = "/" + r.URL.Path
-		}
+		r.URL = trimPathPrefix(r.URL, pathPrefix)
+	}
+
+	// enforce strict host matching, which ensures that the SNI
+	// value (if any), matches the Host header; essential for
+	// sites that rely on TLS ClientAuth sharing a port with
+	// sites that do not - if mismatched, close the connection
+	if vhost.StrictHostMatching && r.TLS != nil &&
+		strings.ToLower(r.TLS.ServerName) != strings.ToLower(hostname) {
+		r.Close = true
+		log.Printf("[ERROR] %s - strict host matching: SNI (%s) and HTTP Host (%s) values differ",
+			vhost.Addr, r.TLS.ServerName, hostname)
+		return http.StatusForbidden, nil
 	}

 	return vhost.middlewareChain.ServeHTTP(w, r)
 }

-// proxyHTTPChallenge solves the ACME HTTP challenge if r is the HTTP
-// request for the challenge. If it is, and if the request has been
-// fulfilled (response written), true is returned; false otherwise.
-// If you don't have a vhost, just call the challenge handler directly.
-func (s *Server) proxyHTTPChallenge(vhost *SiteConfig, w http.ResponseWriter, r *http.Request) bool {
-	if vhost.Addr.Port != caddytls.HTTPChallengePort {
-		return false
+func trimPathPrefix(u *url.URL, prefix string) *url.URL {
+	// We need to use URL.EscapedPath() when trimming the pathPrefix as
+	// URL.Path is ambiguous about / or %2f - see docs. See #1927
+	trimmedPath := strings.TrimPrefix(u.EscapedPath(), prefix)
+	if !strings.HasPrefix(trimmedPath, "/") {
+		trimmedPath = "/" + trimmedPath
 	}
-	if vhost.TLS != nil && vhost.TLS.Manual {
-		return false
+	// After trimming path reconstruct uri string with Query before parsing
+	trimmedURI := trimmedPath
+	if u.RawQuery != "" || u.ForceQuery == true {
+		trimmedURI = trimmedPath + "?" + u.RawQuery
 	}
-	altPort := caddytls.DefaultHTTPAlternatePort
-	if vhost.TLS != nil && vhost.TLS.AltHTTPPort != "" {
-		altPort = vhost.TLS.AltHTTPPort
+	if u.Fragment != "" {
+		trimmedURI = trimmedURI + "#" + u.Fragment
 	}
-	return caddytls.HTTPChallengeHandler(w, r, vhost.ListenHost, altPort)
+	trimmedURL, err := url.Parse(trimmedURI)
+	if err != nil {
+		log.Printf("[ERROR] Unable to parse trimmed URL %s: %v", trimmedURI, err)
+		return u
+	}
+	return trimmedURL
 }

 // Address returns the address s was assigned to listen on.
@@ -447,16 +507,34 @@ func (s *Server) Stop() error {
 // OnStartupComplete lists the sites served by this server
 // and any relevant information, assuming caddy.Quiet == false.
 func (s *Server) OnStartupComplete() {
-	if caddy.Quiet {
-		return
+	if !caddy.Quiet {
+		firstSite := s.sites[0]
+		scheme := "HTTP"
+		if firstSite.TLS.Enabled {
+			scheme = "HTTPS"
+		}
+
+		fmt.Println("")
+		fmt.Printf("Serving %s on port "+firstSite.Port()+" \n", scheme)
+		s.outputSiteInfo(false)
+		fmt.Println("")
 	}
+
+	// Print out process log without header comment
+	s.outputSiteInfo(true)
+}
+
+func (s *Server) outputSiteInfo(isProcessLog bool) {
 	for _, site := range s.sites {
 		output := site.Addr.String()
 		if caddy.IsLoopback(s.Address()) && !caddy.IsLoopback(site.Addr.Host) {
 			output += " (only accessible on this machine)"
 		}
-		fmt.Println(output)
-		log.Println(output)
+		if isProcessLog {
+			log.Printf("[INFO] Serving %s \n", output)
+		} else {
+			fmt.Println(output)
+		}
 	}
 }

@@ -476,13 +554,21 @@ type tcpKeepAliveListener struct {
 }

 // Accept accepts the connection with a keep-alive enabled.
-func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+func (ln tcpKeepAliveListener) Accept() (net.Conn, error) {
 	tc, err := ln.AcceptTCP()
 	if err != nil {
-		return
+		return nil, err
+	}
+	if err = tc.SetKeepAlive(true); err != nil {
+		return nil, err
+	}
+	// OpenBSD has no user-settable per-socket TCP keepalive
+	// https://github.com/caddyserver/caddy/pull/2787
+	if runtime.GOOS != "openbsd" {
+		if err = tc.SetKeepAlivePeriod(3 * time.Minute); err != nil {
+			return nil, err
+		}
 	}
-	tc.SetKeepAlive(true)
-	tc.SetKeepAlivePeriod(3 * time.Minute)
 	return tc, nil
 }

@@ -520,7 +606,9 @@ func WriteTextResponse(w http.ResponseWriter, status int, body string) {
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(status)
-	w.Write([]byte(body))
+	if _, err := w.Write([]byte(body)); err != nil {
+		log.Println("[Error] failed to write body: ", err)
+	}
 }

 // SafePath joins siteRoot and reqPath and converts it to a path that can
@@ -1,7 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"net/http"
+	"net/url"
 	"testing"
 	"time"
 )
@@ -112,6 +127,114 @@ func TestMakeHTTPServerWithTimeouts(t *testing.T) {
 	}
 }

+func TestTrimPathPrefix(t *testing.T) {
+	for i, pt := range []struct {
+		url        string
+		prefix     string
+		expected   string
+		shouldFail bool
+	}{
+		{
+			url:        "/my/path",
+			prefix:     "/my",
+			expected:   "/path",
+			shouldFail: false,
+		},
+		{
+			url:        "/my/%2f/path",
+			prefix:     "/my",
+			expected:   "/%2f/path",
+			shouldFail: false,
+		},
+		{
+			url:        "/my/path",
+			prefix:     "/my/",
+			expected:   "/path",
+			shouldFail: false,
+		},
+		{
+			url:        "/my///path",
+			prefix:     "/my",
+			expected:   "/path",
+			shouldFail: true,
+		},
+		{
+			url:        "/my///path",
+			prefix:     "/my",
+			expected:   "///path",
+			shouldFail: false,
+		},
+		{
+			url:        "/my/path///slash",
+			prefix:     "/my",
+			expected:   "/path///slash",
+			shouldFail: false,
+		},
+		{
+			url:        "/my/%2f/path/%2f",
+			prefix:     "/my",
+			expected:   "/%2f/path/%2f",
+			shouldFail: false,
+		}, {
+			url:        "/my/%20/path",
+			prefix:     "/my",
+			expected:   "/%20/path",
+			shouldFail: false,
+		}, {
+			url:        "/path",
+			prefix:     "",
+			expected:   "/path",
+			shouldFail: false,
+		}, {
+			url:        "/path/my/",
+			prefix:     "/my",
+			expected:   "/path/my/",
+			shouldFail: false,
+		}, {
+			url:        "",
+			prefix:     "/my",
+			expected:   "/",
+			shouldFail: false,
+		}, {
+			url:        "/apath",
+			prefix:     "",
+			expected:   "/apath",
+			shouldFail: false,
+		}, {
+			url:        "/my/path/page.php?akey=value",
+			prefix:     "/my",
+			expected:   "/path/page.php?akey=value",
+			shouldFail: false,
+		}, {
+			url:        "/my/path/page?key=value#fragment",
+			prefix:     "/my",
+			expected:   "/path/page?key=value#fragment",
+			shouldFail: false,
+		}, {
+			url:        "/my/path/page#fragment",
+			prefix:     "/my",
+			expected:   "/path/page#fragment",
+			shouldFail: false,
+		}, {
+			url:        "/my/apath?",
+			prefix:     "/my",
+			expected:   "/apath?",
+			shouldFail: false,
+		},
+	} {
+
+		u, _ := url.Parse(pt.url)
+		if got, want := trimPathPrefix(u, pt.prefix), pt.expected; got.String() != want {
+			if !pt.shouldFail {
+
+				t.Errorf("Test %d: Expected='%s', but was '%s' ", i, want, got.String())
+			}
+		} else if pt.shouldFail {
+			t.Errorf("SHOULDFAIL Test %d: Expected='%s', and was '%s' but should fail", i, want, got.String())
+		}
+	}
+}
+
 func TestMakeHTTPServerWithHeaderLimit(t *testing.T) {
 	for name, c := range map[string]struct {
 		group  []*SiteConfig
@@ -1,9 +1,23 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"time"

-	"github.com/mholt/caddy/caddytls"
+	"github.com/caddyserver/caddy/caddytls"
 )

 // SiteConfig contains information about a site
@@ -12,6 +26,9 @@ type SiteConfig struct {
 	// The address of the site
 	Addr Address

+	// The list of viable index page names of the site
+	IndexPages []string
+
 	// The hostname to bind listener to;
 	// defaults to Addr.Host
 	ListenHost string
@@ -19,6 +36,16 @@ type SiteConfig struct {
 	// TLS configuration
 	TLS *caddytls.Config

+	// If true, the Host header in the HTTP request must
+	// match the SNI value in the TLS handshake (if any).
+	// This should be enabled whenever a site relies on
+	// TLS client authentication, for example; or any time
+	// you want to enforce that THIS site's TLS config
+	// is used and not the TLS config of any other site
+	// on the same listener. TODO: Check how relevant this
+	// is with TLS 1.3.
+	StrictHostMatching bool
+
 	// Uncompiled middleware stack
 	middleware []Middleware

@@ -59,7 +86,7 @@ type SiteConfig struct {
 }

 // Timeouts specify various timeouts for a server to use.
-// If the assocated bool field is true, then the duration
+// If the associated bool field is true, then the duration
 // value should be treated literally (i.e. a zero-value
 // duration would mean "no timeout"). If false, the duration
 // was left unset, so a zero-value duration would mean to
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -5,11 +19,13 @@ import (
 	"crypto/rand"
 	"fmt"
 	"io/ioutil"
+	"log"
 	mathrand "math/rand"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 	"sync"
 	"text/template"
@@ -17,6 +33,8 @@ import (

 	"os"

+	"github.com/caddyserver/caddy/caddytls"
+	"github.com/mholt/certmagic"
 	"github.com/russross/blackfriday"
 )

@@ -162,7 +180,7 @@ func (c Context) Port() (string, error) {
 	if err != nil {
 		if !strings.Contains(c.Req.Host, ":") {
 			// common with sites served on the default port 80
-			return HTTPPort, nil
+			return strconv.Itoa(certmagic.HTTPPort), nil
 		}
 		return "", err
 	}
@@ -405,7 +423,9 @@ func (c Context) RandomString(minLen, maxLen int) string {
 	// secureRandomBytes returns a number of bytes using crypto/rand.
 	secureRandomBytes := func(numBytes int) []byte {
 		randomBytes := make([]byte, numBytes)
-		rand.Read(randomBytes)
+		if _, err := rand.Read(randomBytes); err != nil {
+			log.Println("[ERROR] failed to read bytes: ", err)
+		}
 		return randomBytes
 	}

@@ -434,6 +454,15 @@ func (c Context) AddLink(link string) string {
 	return ""
 }

+// Returns either TLS protocol version if TLS used or empty string otherwise
+func (c Context) TLSVersion() (ret string) {
+	if c.Req.TLS != nil {
+		// Safe to ignore an error
+		ret, _ = caddytls.GetSupportedProtocolName(c.Req.TLS.Version)
+	}
+	return
+}
+
 // buffer pool for .Include context actions
 var includeBufs = sync.Pool{
 	New: func() interface{} {
@@ -1,7 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
 	"bytes"
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -86,7 +101,7 @@ func TestInclude(t *testing.T) {
 	for i, test := range tests {
 		testPrefix := getTestPrefix(i)

-		// WriteFile truncates the contentt
+		// WriteFile truncates the content
 		err := ioutil.WriteFile(absInFilePath, []byte(test.fileContent), os.ModePerm)
 		if err != nil {
 			t.Fatal(testPrefix+"Failed to create test file. Error was: %v", err)
@@ -147,7 +162,7 @@ func TestMarkdown(t *testing.T) {
 	for i, test := range tests {
 		testPrefix := getTestPrefix(i)

-		// WriteFile truncates the contentt
+		// WriteFile truncates the content
 		err := ioutil.WriteFile(absInFilePath, []byte(test.fileContent), os.ModePerm)
 		if err != nil {
 			t.Fatal(testPrefix+"Failed to create test file. Error was: %v", err)
@@ -263,7 +278,7 @@ func TestHostname(t *testing.T) {
 		// // Test 3 - ipv6 without port and brackets
 		// {"2001:4860:4860::8888", "google-public-dns-a.google.com."},
 		// Test 4 - no hostname available
-		{"1.1.1.1", "1.1.1.1"},
+		{"0.0.0.0", "0.0.0.0"},
 	}

 	for i, test := range tests {
@@ -908,3 +923,40 @@ func TestAddLink(t *testing.T) {
 		})
 	}
 }
+
+func TestTlsVersion(t *testing.T) {
+	for _, test := range []struct {
+		tlsState       *tls.ConnectionState
+		expectedResult string
+	}{
+		{
+			&tls.ConnectionState{Version: tls.VersionTLS10},
+			"tls1.0",
+		},
+		{
+			&tls.ConnectionState{Version: tls.VersionTLS11},
+			"tls1.1",
+		},
+		{
+			&tls.ConnectionState{Version: tls.VersionTLS12},
+			"tls1.2",
+		},
+		// TLS not used
+		{
+			nil,
+			"",
+		},
+		// Unsupported version
+		{
+			&tls.ConnectionState{Version: 0x0399},
+			"",
+		},
+	} {
+		context := getContextOrFail(t)
+		context.Req.TLS = test.tlsState
+		result := context.TLSVersion()
+		if result != test.expectedResult {
+			t.Errorf("Expected %s got %s", test.expectedResult, result)
+		}
+	}
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
@@ -18,7 +32,12 @@ type vhostTrie struct {

 // newVHostTrie returns a new vhostTrie.
 func newVHostTrie() *vhostTrie {
-	return &vhostTrie{edges: make(map[string]*vhostTrie), fallbackHosts: []string{"0.0.0.0", ""}}
+	// TODO: fallbackHosts doesn't discriminate between network interfaces;
+	// i.e. if there is a host "0.0.0.0", it could match a request coming
+	// in to "[::1]" (and vice-versa) even though the IP versions differ.
+	// This might be OK, or maybe it's not desirable. The 'bind' directive
+	// can be used to restrict what interface a listener binds to.
+	return &vhostTrie{edges: make(map[string]*vhostTrie), fallbackHosts: []string{"0.0.0.0", "[::]", ""}}
 }

 // Insert adds stack to t keyed by key. The key should be
@@ -1,6 +1,21 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package httpserver

 import (
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -89,7 +104,9 @@ func populateTestTrie(trie *vhostTrie, keys []string) {
 		func(key string) {
 			site := &SiteConfig{
 				middlewareChain: HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-					w.Write([]byte(key))
+					if _, err := w.Write([]byte(key)); err != nil {
+						log.Println("[ERROR] failed to write bytes: ", err)
+					}
 					return 0, nil
 				}),
 			}
@@ -125,7 +142,9 @@ func assertTestTrie(t *testing.T, trie *vhostTrie, tests []vhostTrieTest, hasWil

 		// And it must be the correct value
 		resp := httptest.NewRecorder()
-		site.middlewareChain.ServeHTTP(resp, nil)
+		if _, err := site.middlewareChain.ServeHTTP(resp, nil); err != nil {
+			log.Println("[ERROR] failed to serve HTTP: ", err)
+		}
 		actualHandlerKey := resp.Body.String()
 		if actualHandlerKey != test.expectedKey {
 			t.Errorf("Test %d: Expected match '%s' but matched '%s'",
@@ -1,8 +1,22 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package index

 import (
-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 func init() {
@@ -15,6 +29,8 @@ func init() {
 func setupIndex(c *caddy.Controller) error {
 	var index []string

+	cfg := httpserver.GetConfig(c)
+
 	for c.Next() {
 		args := c.RemainingArgs()

@@ -26,7 +42,7 @@ func setupIndex(c *caddy.Controller) error {
 			index = append(index, in)
 		}

-		staticfiles.IndexPages = index
+		cfg.IndexPages = index
 	}

 	return nil
@@ -1,10 +1,25 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package index

 import (
 	"testing"

-	"github.com/mholt/caddy"
-	"github.com/mholt/caddy/caddyhttp/staticfiles"
+	"github.com/caddyserver/caddy"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/staticfiles"
 )

 func TestIndexIncompleteParams(t *testing.T) {
@@ -17,7 +32,7 @@ func TestIndexIncompleteParams(t *testing.T) {
 }

 func TestIndex(t *testing.T) {
-	c := caddy.NewTestController("", "index a.html b.html c.html")
+	c := caddy.NewTestController("http", "index a.html b.html c.html")

 	err := setupIndex(c)
 	if err != nil {
@@ -26,14 +41,85 @@ func TestIndex(t *testing.T) {

 	expectedIndex := []string{"a.html", "b.html", "c.html"}

-	if len(staticfiles.IndexPages) != 3 {
-		t.Errorf("Expected 3 values, got %v", len(staticfiles.IndexPages))
+	siteConfig := httpserver.GetConfig(c)
+
+	if len(siteConfig.IndexPages) != len(expectedIndex) {
+		t.Errorf("Expected 3 values, got %v", len(siteConfig.IndexPages))
 	}

 	// Ensure ordering is correct
-	for i, actual := range staticfiles.IndexPages {
+	for i, actual := range siteConfig.IndexPages {
 		if actual != expectedIndex[i] {
 			t.Errorf("Expected value in position %d to be %v, got %v", i, expectedIndex[i], actual)
 		}
 	}
 }
+
+func TestMultiSiteIndexWithEitherHasDefault(t *testing.T) {
+	// TestIndex already covers the correctness of the directive
+	// when used on a single controller, so no need to verify test setupIndex again.
+	// This sets the stage for the actual verification.
+	customIndex := caddy.NewTestController("http", "index a.html b.html")
+
+	// setupIndex against customIdx should not pollute the
+	// index list for other controllers.
+	err := setupIndex(customIndex)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+
+	// Represents a virtual host with no index directive.
+	defaultIndex := caddy.NewTestController("http", "")
+
+	// Not calling setupIndex because it guards against lack of arguments,
+	// and we need to ensure the site gets the default set of index pages.
+
+	siteConfig := httpserver.GetConfig(defaultIndex)
+
+	// In case the index directive is not used, the virtual host
+	// should receive staticfiles.DefaultIndexPages slice. The length, as checked here,
+	// and the values, as checked in the upcoming loop, should match.
+	if len(siteConfig.IndexPages) != len(staticfiles.DefaultIndexPages) {
+		t.Errorf("Expected %d values, got %d", len(staticfiles.DefaultIndexPages), len(siteConfig.IndexPages))
+	}
+
+	// Ensure values match the expected default index pages
+	for i, actual := range siteConfig.IndexPages {
+		if actual != staticfiles.DefaultIndexPages[i] {
+			t.Errorf("Expected value in position %d to be %v, got %v", i, staticfiles.DefaultIndexPages[i], actual)
+		}
+	}
+}
+
+func TestPerSiteIndexPageIsolation(t *testing.T) {
+	firstIndex := "first.html"
+	secondIndex := "second.html"
+
+	// Create two sites with different index page configurations
+	firstSite := caddy.NewTestController("http", "index first.html")
+	err := setupIndex(firstSite)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+
+	secondSite := caddy.NewTestController("http", "index second.html")
+	err = setupIndex(secondSite)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+
+	firstSiteConfig := httpserver.GetConfig(firstSite)
+	if firstSiteConfig.IndexPages[0] != firstIndex {
+		t.Errorf("Expected index for first site as %s, received %s", firstIndex, firstSiteConfig.IndexPages[0])
+	}
+
+	secondSiteConfig := httpserver.GetConfig(secondSite)
+	if secondSiteConfig.IndexPages[0] != secondIndex {
+		t.Errorf("Expected index for second site as %s, received %s", secondIndex, secondSiteConfig.IndexPages[0])
+	}
+
+	// They should have different index pages, as per the provided config.
+	if firstSiteConfig.IndexPages[0] == secondSiteConfig.IndexPages[0] {
+		t.Errorf("Expected different index pages for both sites, got %s for first and %s for second", firstSiteConfig.IndexPages[0], secondSiteConfig.IndexPages[0])
+	}
+}
@@ -1,3 +1,17 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Package internalsrv provides a simple middleware that (a) prevents access
 // to internal locations and (b) allows to return files from internal location
 // by setting a special header, e.g. in a proxy response.
@@ -9,7 +23,7 @@ package internalsrv
 import (
 	"net/http"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 // Internal middleware protects internal locations from external requests -
@@ -32,7 +46,6 @@ func isInternalRedirect(w http.ResponseWriter) bool {

 // ServeHTTP implements the httpserver.Handler interface.
 func (i Internal) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
-
 	// Internal location requested? -> Not found.
 	for _, prefix := range i.Paths {
 		if httpserver.Path(r.URL.Path).Matches(prefix) {
@@ -50,7 +63,6 @@ func (i Internal) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 		// "down the chain"
 		r.URL.Path = iw.Header().Get(redirectHeader)
 		iw.ClearHeader()
-
 		status, err = i.Next.ServeHTTP(iw, r)
 	}

@@ -1,14 +1,29 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package internalsrv

 import (
 	"fmt"
+	"log"
 	"net/http"
 	"net/http/httptest"
 	"testing"

 	"strconv"

-	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"github.com/caddyserver/caddy/caddyhttp/httpserver"
 )

 const (
@@ -112,7 +127,9 @@ func internalTestHandlerFunc(w http.ResponseWriter, r *http.Request) (int, error
 		w.WriteHeader(http.StatusOK)
 		w.Header().Set("Content-Type", contentTypeOctetStream)
 		w.Header().Set("Content-Length", strconv.Itoa(len(internalProtectedData)))
-		w.Write([]byte(internalProtectedData))
+		if _, err := w.Write([]byte(internalProtectedData)); err != nil {
+			log.Println("[ERROR] failed to write bytes: ", err)
+		}
 		return 0, nil
 	}

--- a/Show More
+++ b/Show More