Prepare for beta 9 tag

caddyfile: Fix bug with Delete
It now will delete the current token even if it is the last one
2026-05-25 16:22:36 -04:00 · 2019-11-04 13:43:39 -07:00 · 2019-11-04 13:25:37 -07:00 · 2019-11-04 12:54:46 -07:00 · 2019-11-04 12:53:14 -07:00 · 2019-11-04 12:18:42 -07:00
305 changed files with 26938 additions and 18277 deletions
@@ -1,16 +1,18 @@
-.DS_Store
-Thumbs.db
 _gitignore/
-Vagrantfile
-.vagrant/
-
-dist/builds/
-dist/release/
-
-error.log
-access.log
-
-/*.conf
+*.log
 Caddyfile
+!caddyfile/

-og_static/
+# artifacts from pprof tooling
+*.prof
+*.test
+
+# build artifacts
+cmd/caddy/caddy
+cmd/caddy/caddy.exe
+
+# mac specific
+.DS_Store
+
+# go modules
+vendor
@@ -0,0 +1,49 @@
+linters-settings:
+  errcheck:
+    ignore: fmt:.*,io/ioutil:^Read.*,github.com/caddyserver/caddy/v2/caddyconfig:RegisterAdapter,github.com/caddyserver/caddy/v2:RegisterModule
+    ignoretests: true
+  misspell:
+    locale: US
+
+linters:
+  enable:
+    - bodyclose
+    - errcheck
+    - gofmt
+    - goimports
+    - gosec
+    - ineffassign
+    - misspell
+
+run:
+  # default concurrency is a available CPU number.
+  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
+  deadline: 5m
+  issues-exit-code: 1
+  tests: false
+
+# output configuration options
+output:
+  format: 'colored-line-number'
+  print-issued-lines: true
+  print-linter-name: true
+
+issues:
+  exclude-rules:
+    # we aren't calling unknown URL
+    - text: "G107" # G107: Url provided to HTTP request as taint input
+      linters:
+        - gosec
+    # as a web server that's expected to handle any template, this is totally in the hands of the user.
+    - text: "G203" # G203: Use of unescaped data in HTML templates
+      linters:
+        - gosec
+    # we're shelling out to known commands, not relying on user-defined input.
+    - text: "G204" # G204: Audit use of command execution
+      linters:
+        - gosec
+    # the choice of weakrand is deliberate, hence the named import "weakrand"
+    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
+      text: "G404" # G404: Insecure random number source (rand)
+      linters:
+        - gosec
@@ -1,14 +0,0 @@
-language: go
-
-go:
-  - 1.4.2
-  - 1.5.1
-  - tip
-
-install:
-  - go get -d ./...
-  - go get golang.org/x/tools/cmd/vet
-
-script:
-  - go vet ./...
-  - go test ./...
@@ -0,0 +1,10 @@
+# This is the official list of Caddy Authors for copyright purposes.
+# Authors may be either individual people or legal entities.
+#
+# Not all individual contributors are authors. For the full list of
+# contributors, refer to the project's page on GitHub or the repo's
+# commit history.
+
+Matthew Holt <Matthew.Holt@gmail.com>
+Light Code Labs <sales@lightcodelabs.com>
+Ardan Labs <info@ardanlabs.com>
@@ -1,32 +0,0 @@
-## Contributing to Caddy
-
-**[Join us on Slack](https://gophers.slack.com/messages/caddy/)** to chat with other Caddy developers! ([Request an invite](http://bit.ly/go-slack-signup), then join the #caddy channel.)
-
-This project gladly accepts contributions and we encourage interested users to get involved!
-
-
-#### For small tweaks, bug fixes, and tests
-
-Submit [pull requests](https://github.com/mholt/caddy/pulls) at any time. Thank you for helping out in simple ways! Bug fixes should be under test to assert correct behavior.
-
-
-#### Ideas, questions, bug reports
-
-You should totally [open an issue](https://github.com/mholt/caddy/issues) with your ideas, questions, and bug reports, if one does not already exist for it. Bug reports should state expected behavior and contain clear instructions for reproducing the problem.
-
-
-#### New features
-
-Before submitting a pull request, please open an issue first to discuss it and claim it. This prevents overlapping efforts and keeps the project in-line with its goals. If you prefer to discuss the feature privately, you can reach other developers on Slack or you may email me directly. (My email address is below.)
-
-And don't forget to write tests for new features!
-
-
-#### Vulnerabilities
-
-If you've found a vulnerability that is serious, please email me: Matthew dot Holt at Gmail. If it's not a big deal, a pull request will probably be faster.
-
-
-## Thank you
-
-Thanks for your help! Caddy would not be what it is today without your contributions.
@@ -1,3 +1,4 @@
+
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
@@ -178,7 +179,7 @@
   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
+      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
@@ -186,7 +187,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-   Copyright {yyyy} {name of copyright owner}
+   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
@@ -1,133 +1,384 @@
-[![Caddy](https://caddyserver.com/resources/images/caddy-boxed.png)](https://caddyserver.com)
+Caddy 2 Development Branch
+===========================

-[![Documentation](https://img.shields.io/badge/godoc-reference-blue.svg?style=flat-square)](https://godoc.org/github.com/mholt/caddy) [![Linux Build Status](https://img.shields.io/travis/mholt/caddy.svg?style=flat-square&label=linux+build)](https://travis-ci.org/mholt/caddy) [![Windows Build Status](https://img.shields.io/appveyor/ci/mholt/caddy.svg?style=flat-square&label=windows+build)](https://ci.appveyor.com/project/mholt/caddy)
+[![Build Status](https://dev.azure.com/mholt-dev/Caddy/_apis/build/status/Multiplatform%20Tests?branchName=v2)](https://dev.azure.com/mholt-dev/Caddy/_build/latest?definitionId=5&branchName=v2)
+[![fuzzit](https://app.fuzzit.dev/badge?org_id=caddyserver-gh)](https://app.fuzzit.dev/orgs/caddyserver-gh/dashboard)

-Caddy is a lightweight, general-purpose web server for Windows, Mac, Linux, BSD, and [Android](https://github.com/mholt/caddy/wiki/Running-Caddy-on-Android). It is a capable alternative to other popular and easy to use web servers.
-
-The most notable features are HTTP/2, Virtual Hosts, TLS + SNI, and easy configuration with a [Caddyfile](https://caddyserver.com/docs/caddyfile). Usually, you have one Caddyfile per site. Most directives for the Caddyfile invoke a layer of middleware which can be [used in your own Go programs](https://github.com/mholt/caddy/wiki/Using-Caddy-Middleware-in-Your-Own-Programs).
-
-[Download](https://github.com/mholt/caddy/releases) · [User Guide](https://caddyserver.com/docs)
+This is the development branch for Caddy 2. This code (version 2) is not yet feature-complete or production-ready, but is already being used in production, and we encourage you to deploy it today on sites that are not very visible or important so that it can obtain crucial experience in the field.

+Please file issues to propose new features and report bugs, and after the bug or feature has been discussed, submit a pull request! We need your help to build this web server into what you want it to be. (Caddy 2 issues and pull requests receive priority over Caddy 1 issues and pull requests.)

+**Caddy 2 is the web server of the Go community.** We are looking for maintainers to represent the community! Please become involved (issues, PRs, [our forum](https://caddy.community) etc.) and express interest if you are committed to being a collaborator on the Caddy project.


 ### Menu

- [Getting Caddy](#getting-caddy)
- [Running from Source](#running-from-source)
+- [Build from source](#build-from-source)
 - [Quick Start](#quick-start)
- [Contributing](#contributing)
- [About the Project](#about-the-project)
+- [Configuration](#configuration)
+- [Full Documentation](#full-documentation)
+- [List of Improvements](#list-of-improvements)
+- [FAQ](#faq)


+## Build from source

+Requirements:

-## Getting Caddy
+- [Go 1.13 or newer](https://golang.org/dl/)
+- Do NOT disable [Go modules](https://github.com/golang/go/wiki/Modules) (`export GO111MODULE=auto`)

-Caddy binaries have no dependencies and are available for nearly every platform.
+Download the `v2` source code:

-[Latest release](https://github.com/mholt/caddy/releases/latest)
+```bash
+$ git clone -b v2 "https://github.com/caddyserver/caddy.git"
+```

+Build:

-## Running from Source
-
-Note: You will need **[Go 1.4](https://golang.org/dl)** or newer
-
-1. `$ go get github.com/mholt/caddy`
-2. `cd` into your website's directory
-3. Run `caddy` (assumes `$GOPATH/bin` is in your `$PATH`)
-
-If you're tinkering, you can also use `go run main.go`.
-
-By default, Caddy serves the current directory at [localhost:2015](http://localhost:2015). You can place a Caddyfile to configure Caddy for serving your site.
-
-Caddy accepts some flags from the command line. Run `caddy -h` to view the help for flags. You can also pipe a Caddyfile into the caddy command.
-
-**Running as root:** We advise against this; use setcap instead, like so: `setcap cap_net_bind_service=+ep ./caddy` This will allow you to listen on ports below 1024 (like 80 and 443).
-
-
-#### Docker Container
-
-Caddy is available as a Docker container from any of these sources:
-
- [abiosoft/caddy](https://registry.hub.docker.com/u/abiosoft/caddy/)
- [darron/caddy](https://registry.hub.docker.com/u/darron/caddy/)
- [joshix/caddy](https://registry.hub.docker.com/u/joshix/caddy/)
- [jumanjiman/caddy](https://registry.hub.docker.com/u/jumanjiman/caddy/)
- [zenithar/nano-caddy](https://registry.hub.docker.com/u/zenithar/nano-caddy/)
-
-
-#### 3rd-party libraries
-
-Although Caddy's binaries are completely static, Caddy relies on some excellent libraries. [Godoc.org](https://godoc.org/github.com/mholt/caddy) shows the packages that each Caddy package imports.
+```bash
+$ cd caddy/cmd/caddy/
+$ go build
+```

+That will put a `caddy(.exe)` binary into the current directory. You can move it into your PATH or use `go install` to do that automatically (assuming `$GOPATH/bin` is already in your PATH). You can also use `go run main.go` for quick, temporary builds while developing.

+The initial build may be slow as dependencies are downloaded. Subsequent builds should be very fast. If you encounter any Go-module-related errors, try clearing your Go module cache (`$GOPATH/pkg/mod`) and Go package cache (`$GOPATH/pkg`) and read [the Go wiki page about modules for help](https://github.com/golang/go/wiki/Modules). If you have issues with Go modules, please consult the Go community for help. But if there is an actual error in Caddy, please report it to us.


 ## Quick Start

-The website has [full documentation](https://caddyserver.com/docs) but this will get you started in about 30 seconds:
+(Until the stable 2.0 release, there may be breaking changes in v2, please be aware!)

-Place a file named "Caddyfile" with your site. Paste this into it and save:
+These instructions assume an executable build of Caddy 2 is named `caddy` in the current folder. If it's in your PATH, you may omit the path to the binary (`./`).

-```
-localhost
+Start Caddy:

-gzip
-browse
-ext .html
-websocket /echo cat
-log ../access.log
-header /api Access-Control-Allow-Origin *
+```bash
+$ ./caddy start
 ```

-Run `caddy` from that directory, and it will automatically use that Caddyfile to configure itself.
-
-That simple file enables compression, allows directory browsing (for folders without an index file), serves clean URLs, hosts an echo server for WebSocket connections at /echo, logs accesses to access.log, and adds the coveted `Access-Control-Allow-Origin: *` header for all responses from some API.
-
-Wow! Caddy can do a lot with just a few lines.
-
-#### Defining multiple sites
-
-You can run multiple sites from the same Caddyfile, too:
+There are no config files with Caddy 2. Instead, you POST configuration to it:

+```bash
+$ curl -X POST "http://localhost:2019/load" \
+    -H "Content-Type: application/json" \
+    -d @- << EOF
+    {
+        "apps": {
+            "http": {
+                "servers": {
+                    "example": {
+                        "listen": ["127.0.0.1:2080"],
+                        "routes": [
+                            {
+                                "handle": [{
+                                    "handler": "file_server",
+                                    "browse": {}
+                                }]
+                            }
+                        ]
+                    }
+                }
+            }
+        }
+    }
+EOF
 ```
-http://mysite.com,
-http://www.mysite.com {
-	redir https://mysite.com
-}

-https://mysite.com {
-	tls mysite.crt mysite.key
-	# ...
+Now visit http://localhost:2080 in your browser and you will see the contents of the current directory displayed.
+
+To change Caddy's configuration, simply POST a new payload to that endpoint. Config changes are extremely lightweight and efficient, and should be graceful on all platforms -- _even Windows_.
+
+Updating configuration using heredoc can be tedious, so you can still use a config file if you prefer. Put your configuration in any file (`caddy.json` for example) and then POST that instead:
+
+```bash
+$ curl -X POST "http://localhost:2019/load" \
+    -H "Content-Type: application/json" \
+    -d @caddy.json
+```
+
+Or you can tell Caddy to load its configuration from a file in the first place (this simply does the work of the above curl command for you):
+
+```bash
+$ ./caddy start --config caddy.json
+```
+
+To stop Caddy:
+
+```bash
+$ ./caddy stop
+```
+
+Note that this will stop any process named the same as `os.Args[0]`.
+
+For other commands, please see [the Caddy 2 documentation](https://github.com/caddyserver/caddy/wiki/v2:-Documentation).
+
+### Caddyfile
+
+Caddy 2 can be configured with a Caddyfile, much like in v1, for example:
+
+```plain
+example.com
+
+try_files {path}.html {path}
+encode gzip zstd
+reverse_proxy /api  localhost:9005
+php_fastcgi   /blog unix//path/to/socket
+file_server
+```
+
+Instead of being its primary mode of configuration, an internal _config adapter_ adapts the Caddyfile to Caddy's native JSON structure. You can see it in action with the [`adapt` command](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#adapt):
+
+```bash
+$ ./caddy adapt --config path/to/Caddyfile --adapter caddyfile --pretty
+```
+
+If you just want to run Caddy with your Caddyfile directly, the CLI wraps this up for you nicely. Either of the following commands:
+
+```bash
+$ ./caddy start
+$ ./caddy run
+```
+
+will use your Caddyfile if it is called `Caddyfile` in the current directory.
+
+If your Caddyfile is somewhere else, you can still use it:
+
+```bash
+$ ./caddy start|run --config path/to/Caddyfile --adapter caddyfile
+```
+
+[Learn more about the Caddyfile in v2.](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#caddyfile-adapter)
+
+
+## Configuration
+
+Caddy 2 exposes an unprecedented level of control compared to any web server in existence. In Caddy 2, you are usually setting the actual values of the initialized types in memory that power everything from your HTTP handlers and TLS handshakes to your storage medium. Caddy 2 is also ridiculously extensible, with a module system that makes vast improvements over Caddy 1's plugin system.
+
+Nearly all of Caddy 2's configuration is contained in a single config document, rather than being spread across CLI flags and env variables and a configuration file as with other web servers (and Caddy 1).
+
+To wield the power of this design, you need to know how the config document is structured. Please see the [the Caddy 2 documentation in our wiki](https://github.com/caddyserver/caddy/wiki/v2:-Documentation) for details about Caddy's config structure.
+
+Configuration is normally given to Caddy through an API endpoint, which is likewise documented in the wiki pages. However, you can also use config files of various formats with [config adapters](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#config-adapters).
+
+
+## Full Documentation
+
+Caddy 2 is very much in development, so the documentation is an ongoing WIP, but the latest will be in our wiki for now:
+
+**https://github.com/caddyserver/caddy/wiki/v2:-Documentation**
+
+Note that breaking changes are expected until the stable 2.0 release.
+
+
+## List of Improvements
+
+The following is a non-comprehensive list of significant improvements over Caddy 1. Not everything in this list is finished yet, but they will be finished or at least will be possible with Caddy 2:
+
+- Centralized configuration. No more disparate use of environment variables, config files (potentially multiple!), CLI flags, etc.
+- REST API. Control Caddy with HTTP requests to an administration endpoint. Changes are applied immediately and efficiently.
+- Dynamic configuration. Any and all specific config values can be modified directly through the admin API with a REST endpoint.
+    - Change only specific configuration settings instead of needing to specify the whole config each time. This makes it safe and easy to change Caddy's config with manually-crafted curl commands, for example.
+- No configuration files. Except optionally to bootstrap its configuration at startup. You can still use config files if you wish, and we expect that most people will.
+- Export the current Caddy configuration with an API GET request.
+- Silky-smooth graceful reloads. Update the configuration up to dozens of times per second with no dropped requests and very little memory cost. Our unique graceful reload technology is lighter and faster **and works on all platforms, including Windows**.
+- An embedded scripting language! Caddy2 has native Starlark integration. Do things you never thought possible with higher performance than Lua, JavaScript, and other VMs. Starlark is expressive, familiar (dialect of Python), _almost_ Turing-complete, and highly efficient. (We're still improving performance here.)
+- Using [XDG standards](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html#variables) instead of dumping all assets in `$HOME/.caddy`.
+- Caddy plugins are now called "Caddy modules" (although the terms "plugin" and "module" may be used interchangably). Caddy modules are a concept unrelated [Go modules](https://github.com/golang/go/wiki/Modules), except that Caddy modules may be implemented by Go modules. Caddy modules are centrally-registered, properly namespaced, and generically loaded & configured, as opposed to how scattered and unorganized Caddy 1-era plugins are.
+- Modules are easier to write, since they do not have to both deserialize their own configuration from a configuration DSL and provision themselves like plugins did. Modules are initialized pre-configured and have the ability to validate the configuration and perform provisioning steps if necessary.
+- Can specify different storage mechanisms in different parts of the configuration, if more than one is needed.
+- "Top-level" Caddy modules are simply called "apps" because literally any long-lived application can be served by Caddy 2.
+- Even more of Caddy is made of modules, allowing for unparalleled extensibility, flexibility, and control. Caddy 2 is arguably the most flexible, extensible, programmable web server ever made.
+- TLS improvements!
+	- TLS configuration is now centralized and decoupled from specific sites
+	- A single certificate cache is used process-wide, reducing duplication and improving memory use
+	- Customize how to manage each certificate ("automation policies") based on the hostname
+	- Automation policy doesn't have to be limited to just ACME - could be any way to manage certificates
+	- Fine-grained control over TLS handshakes
+	- If an ACME challenge fails, other enabled challenges will be tried (no other web server does this)
+    - TLS Session Ticket Ephemeral Keys (STEKs) can be rotated in a cluster for increased performance (no other web server does this either!)
+    - Ability to select a specific certificate per ClientHello given multiple qualifying certificates
+    - Provide TLS certificates without persisting them to disk; keep private keys entirely in memory
+	- Certificate management at startup is now asynchronous and much easier to use through machine reboots and in unsupervised settings
+- All-new HTTP server core
+	- Listeners can be configured for any network type, address, and port range
+	- Customizable TLS connection policies
+	- HTTP handlers are configured by "routes" which consist of matcher and handler components. Match matches an HTTP request, and handle defines the list of handlers to invoke as a result of the match.
+	- Some matchers are regular expressions, which expose capture groups to placeholders.
+	- New matchers include negation and matching based on remote IP address / CIDR ranges.
+    - Placeholders are vastly improved generally
+	- Placeholders (variables) are more properly namespaced.
+	- Multiple routes may match an HTTP request, creating a "composite route" quickly on the fly.
+	- The actual handler for any given request is its composite route.
+	- User defines the order of middlewares (careful! easy to break things).
+	- Adding middlewares no longer requires changes to Caddy's code base (there is no authoritative list).
+	- Routes may be marked as terminal, meaning no more routes will be matched.
+	- Routes may be grouped so that only the first matching route in a group is applied.
+	- Requests may be "re-handled" if they are modified and need to be sent through the chain again (internal redirect).
+	- Vastly more powerful static file server, with native content-negotiation abilities
+    - Done away with URL-rewriting hacks often needed in Caddy 1
+	- Highly descriptive/traceable errors
+	- Very flexible error handling, with the ability to specify a whole list of routes just for error cases
+	- The proxy has numerous improvements, including dynamic backends and more configurable health checks
+	- FastCGI support integrated with the reverse proxy
+	- More control over automatic HTTPS: disable entirely, disable only HTTP->HTTPS redirects, disable only cert management, and for certain names, etc.
+    - Use Starlark to build custom, dynamic HTTP handlers at request-time
+        - We are finding that -- on average -- Caddy 2's Starlark handlers are ~1.25-2x faster than NGINX+Lua.
+
+And a few major features still being worked on:
+
+- Logging
+- Kubernetes ingress controller (mostly done, just polishing it -- and it's amazing)
+- More config adapters. Caddy's native JSON config structure is powerful and complex. Config adapters upsample various formats to Caddy's native config. There are already adapters for Caddyfile, JSON 5, and JSON-C. Planned are NGINX config, YAML, and TOML. The community might be interested in building Traefik and Apache config adapters!
+
+
+
+## FAQ
+
+### How do I configure Caddy 2?
+
+Caddy's primary mode of configuration is a REST API, which accepts a JSON document. The JSON structure is described [in the wiki](https://github.com/caddyserver/caddy/wiki/v2:-Documentation). The advantages of exposing this low-level structure are 1) it has near-parity with actual memory initialization, 2) it allows us to offer wrappers over this configuration to any degree of convenience that is needed, and 3) it performs very well under rapid config changes.
+
+Basically, you will [start Caddy](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#start), then [POST a JSON config to its API endpoint](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#post-load).
+
+Although this makes Caddy 2 highly programmable, not everyone will want to configure Caddy via JSON with an API. Sometimes we just want to give Caddy a simple, static config file and have it do its thing. That's what **[config adapters](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#config-adapters)** are for! You can configure Caddy more ways than one, depending on your needs and preferences. See the next questions that explain this more.
+
+### Caddy 2 feels harder to use. How is this an improvement over Caddy 1?
+
+Caddy's ease of use is one of the main reasons it is special. We are not taking that away in Caddy 2, but first we had to be sure to tackle the fundamental design limitations with Caddy 1. Usability can then be layered on top. This approach has several advantages which we discuss in the next question.
+
+### What about the Caddyfile; are there easier ways to configure Caddy 2?
+
+Yes! Caddy's native JSON configuration via API is nice when you are automating config changes at scale, but if you just have a simple, static configuration in a file, you can do that too with the [Caddyfile](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#caddyfile-adapter).
+
+The v2 Caddyfile is very similar to the v1 Caddyfile, but they are not compatible. Several improvements have been made to request matching and directives in v2, giving you more power with less complexity and fewer inconsistencies.
+
+Caddy's default _config adapter_ is the Caddyfile adapter. This takes a Caddyfile as input and [outputs the JSON config](https://github.com/caddyserver/caddy/wiki/v2:-Documentation#adapt). You can even run Caddy directly without having to see or think about the underlying JSON config.
+
+The following _config adapters_ are already being built or plan to be built:
+
+- Caddyfile
+- JSON 5
+- JSON-C
+- nginx
+- YAML
+- TOML
+- any others that the community would like to contribute
+
+Config adapters allow you to configure Caddy not just one way but _any_ of these ways. For example, you'll be able to bring your existing NGINX config to Caddy and it will spit out the Caddy config JSON you need (to the best of its ability). How cool is that! You can then easily tweak the resulting config by hand, if necessary.
+
+All config adapters vary in their theoretical expressiveness; that is, if you need more advanced configuration you'll have to drop down to the JSON config, because the Caddyfile or an nginx config may not be expressive enough.
+
+However, we expect that most users will be able to use the Caddyfile (or another easy config adapter) exclusively for their sites.
+
+### Why JSON for configuration? Why not _&lt;any other serialization format&gt;_?
+
+We know there might be strong opinions on this one. Regardless, for Caddy 2, we've decided to go with JSON. If that proves to be a fatal mistake, then Caddy 3 probably won't use JSON.
+
+JSON may not be the fastest, the most compact, the easiest to write, serialization format that exists. But those aren't our goals. It has withstood the test of time and checks all our boxes.
+
+- It is almost entirely ubiquitous. JSON works natively in web browsers and has mature libraries in pretty much every language.
+- It is human-readable (as opposed to a binary format).
+- It is easy to tweak by hand. Although composing raw JSON by hand is not awesome, this will not be mainstream once our config adapters are done.
+- It is generally easy to convert other serializations or config formats into JSON, as opposed to the other way around.
+- Even though JSON deserialization is not fast per-se, that kind of performance is not really a concern since config reloads are not the server's hottest path like HTTP request handling or TLS handshakes are. Even with JSON, Caddy 2 can handle dozens of config changes per second, which is probably plenty for now.
+- It maps almost 1:1 to the actual, in-memory values that power your HTTP handlers and other parts of the server (no need to parse a config file with some arbitrary DSL and do a bunch of extra pre-processing).
+
+Ultimately, we think all these properties are appropriate -- if not ideal -- for a web server configuration.
+
+If you're still not happy with the choice of JSON, feel free to contribute a config adapter of your own choice!
+
+Or just use YAML or TOML, which seamlessly translate to JSON.
+
+### JSON is declarative; what if I need more programmability (i.e. imperative syntax)?
+
+NGINX also realized the need for imperative logic in declarative configs, so they tried "if" statements, [but it was a bad idea](https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/).
+
+We have good news. Caddy 2 can give you the power of imperative logic without the perils of mixing declarative and imperative config such as befell NGINX. We do this by allowing embedded imperative syntax awithin the Caddy's declarative config.
+
+Caddy 2's configuration is declarative because configuration is very much declarative in nature. Configuration is a tricky medium, as it is read and written by both computers and humans. Computers use it, but humans constantly refer to it and update it. Declarative syntaxes are fairly straightforward to make sense of, whereas it is difficult to reason about imperative logic.
+
+However, sometimes computation is useful, and in some cases, the only way to express what you need. This can be illustrated really well in the simple case of trying to decide whether a particular HTTP middleware should be invoked as part of an HTTP request. A lot of the time, such logic is as simple as: "GET requests for any path starting with /foo/bar", which can be expressed declaratively in JSON:
+
+```json
+{
+	"method": "GET",
+	"path": "/foo/bar"
 }
 ```

-Note that the secure host will automatically be served with HTTP/2 if the client supports it.
+But what if you need to match /foo/bar OR /topaz? How do you express that OR clause? Maybe an array:

-For more documentation, please view [the website](https://caddyserver.com/docs). You may also be interested in the [developer guide](https://github.com/mholt/caddy/wiki) on this project's GitHub wiki.
+```json
+{
+	"method": ["GET"],
+	"path": ["/foo/bar", "/topaz"]
+}
+```

+Now what if you need add a NOT or AND clause? JSON quickly tires out. As you learn about Caddy 2's request matching, you will see how we handled this. Caddy 2's JSON gives you the ability to express moderately-complex logic such as:

+```js
+// this is not actual Caddy config, just logic pseudocode
+IF (Host = "example.com")
+	OR (Host = "sub.example.com" AND Path != "/foo/bar")
+```

+Already, this is more expressive power than most web servers offer with their native config, yet Caddy 2 offers this in JSON.

+But in most web servers, to make logic this complex feasible, you'll generally call out to Lua or some extra DSL. For example, in NGINX you could use a Lua module to express this logic. Traefik 2.0 has [yet another kind of clunky-looking custom DSL](https://blog.containo.us/back-to-traefik-2-0-2f9aa17be305#d22e) just for this.

+Caddy 2 solves this in a novel way with [Starlark expressions](https://godoc.org/go.starlark.net/starlark#Eval). Starlark is a familiar dialect of Python! So, no new DSLs to learn and no VMs to slow things down:

-## Contributing
+```python
+req.host == 'example.com' ||
+	(req.host == 'sub.example.com' && req.path != '/foo/bar')
+```

-**[Join us on Slack](https://gophers.slack.com/messages/caddy/)** to chat with other Caddy developers! ([Request an invite](http://bit.ly/go-slack-signup), then join the #caddy channel.)
+Starlark performs at least as well as NGINX+Lua (more performance tests ongoing, as well as optimizations to make it even faster!) and because it's basically Python, it's familiar and easy to use.

-This project would not be what it is without your help. Please see the [contributing guidelines](https://github.com/mholt/caddy/blob/master/CONTRIBUTING.md) if you haven't already.
+In summary: Caddy 2 config is declarative, but can be imperative where that is useful.

-Thanks for making Caddy -- and the Web -- better!
+### What is Caddy 2 licensed as?

-Special thanks to [![DigitalOcean](http://i.imgur.com/sfGr0eY.png)](https://www.digitalocean.com) for hosting the Caddy project.
+Caddy 2 is licensed under the Apache 2.0 open source license. There are no official Caddy 2 distributions that are proprietary.

+### Does Caddy 2 have telemetry?

+No. There was not enough academic interest to continue supporting it. If telemetry does get added later, it will not be on by default or will be vastly reduced in its scope.

+## Does Caddy 2 use HTTPS by default?

-## About the project
+Yes. HTTPS is automatic and enabled by default when possible, just like in Caddy 1. Basically, if your HTTP routes specify a `host` matcher with qualifying domain names, those names will be enabled for automatic HTTPS. Automatic HTTPS is disabled for domains which match certificates that are manually loaded by your config.

-Caddy was born out of the need for a "batteries-included" web server that runs anywhere and doesn't have to take its configuration with it. Caddy took inspiration from [spark](https://github.com/rif/spark), nginx, lighttpd, Websocketd, and Vagrant, and provides a pleasant mixture of features from each of them.
+## How do I avoid Let's Encrypt rate limits with Caddy 2?

+As you are testing and developing with Caddy 2, you should use test ("staging") certificates from Let's Encrypt to avoid rate limits. By default, Caddy 2 uses Let's Encrypt's production endpoint to get real certificates for your domains, but their [rate limits](https://letsencrypt.org/docs/rate-limits/) forbid testing and development use of this endpoint for good reasons. You can switch to their [staging endpoint](https://letsencrypt.org/docs/staging-environment/) by adding the staging CA to your automation policy in the `tls` app:

-*Twitter: [@mholt6](https://twitter.com/mholt6)*
+```json
+"tls": {
+	"automation": {
+		"policies": [
+			{
+				"management": {
+					"module": "acme",
+					"ca": "https://acme-staging-v02.api.letsencrypt.org/directory"
+				}
+			}
+		]
+	}
+}
+```
+
+Or with the Caddyfile, using a global options block at the top:
+
+```
+{
+	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+}
+```
+
+## Can we get some access controls on the admin endpoint?
+
+Yeah, that's coming. For now, you can use a permissioned unix socket for some basic security.
@@ -0,0 +1,782 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddy
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"expvar"
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+	"net/http/pprof"
+	"net/url"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+	"go.uber.org/zap"
+)
+
+// TODO: is there a way to make the admin endpoint so that it can be plugged into the HTTP app? see issue #2833
+
+// AdminConfig configures the admin endpoint.
+type AdminConfig struct {
+	Disabled      bool     `json:"disabled,omitempty"`
+	Listen        string   `json:"listen,omitempty"`
+	EnforceOrigin bool     `json:"enforce_origin,omitempty"`
+	Origins       []string `json:"origins,omitempty"`
+}
+
+// listenAddr extracts a singular listen address from ac.Listen,
+// returning the network and the address of the listener.
+func (admin AdminConfig) listenAddr() (netw string, addr string, err error) {
+	var listenAddrs []string
+	input := admin.Listen
+	if input == "" {
+		input = DefaultAdminListen
+	}
+	netw, listenAddrs, err = ParseNetworkAddress(input)
+	if err != nil {
+		err = fmt.Errorf("parsing admin listener address: %v", err)
+		return
+	}
+	if len(listenAddrs) != 1 {
+		err = fmt.Errorf("admin endpoint must have exactly one address; cannot listen on %v", listenAddrs)
+		return
+	}
+	addr = listenAddrs[0]
+	return
+}
+
+// newAdminHandler reads admin's config and returns an http.Handler suitable
+// for use in an admin endpoint server, which will be listening on listenAddr.
+func (admin AdminConfig) newAdminHandler(listenAddr string) adminHandler {
+	muxWrap := adminHandler{
+		enforceOrigin:  admin.EnforceOrigin,
+		allowedOrigins: admin.allowedOrigins(listenAddr),
+		mux:            http.NewServeMux(),
+	}
+
+	// addRoute just calls muxWrap.mux.Handle after
+	// wrapping the handler with error handling
+	addRoute := func(pattern string, h AdminHandler) {
+		wrapper := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			err := h.ServeHTTP(w, r)
+			muxWrap.handleError(w, r, err)
+		})
+		muxWrap.mux.Handle(pattern, wrapper)
+	}
+
+	// register standard config control endpoints
+	addRoute("/load", AdminHandlerFunc(handleLoad))
+	addRoute("/"+rawConfigKey+"/", AdminHandlerFunc(handleConfig))
+	addRoute("/id/", AdminHandlerFunc(handleConfigID))
+	addRoute("/stop", AdminHandlerFunc(handleStop))
+
+	// register debugging endpoints
+	muxWrap.mux.HandleFunc("/debug/pprof/", pprof.Index)
+	muxWrap.mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	muxWrap.mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+	muxWrap.mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+	muxWrap.mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+	muxWrap.mux.Handle("/debug/vars", expvar.Handler())
+
+	// register third-party module endpoints
+	for _, m := range GetModules("admin.api") {
+		router := m.New().(AdminRouter)
+		for _, route := range router.Routes() {
+			addRoute(route.Pattern, route.Handler)
+		}
+	}
+
+	return muxWrap
+}
+
+// allowedOrigins returns a list of origins that are allowed.
+// If admin.Origins is nil (null), the provided listen address
+// will be used as the default origin. If admin.Origins is
+// empty, no origins will be allowed, effectively bricking the
+// endpoint, but whatever.
+func (admin AdminConfig) allowedOrigins(listen string) []string {
+	uniqueOrigins := make(map[string]struct{})
+	for _, o := range admin.Origins {
+		uniqueOrigins[o] = struct{}{}
+	}
+	if admin.Origins == nil {
+		uniqueOrigins[listen] = struct{}{}
+	}
+	var allowed []string
+	for origin := range uniqueOrigins {
+		allowed = append(allowed, origin)
+	}
+	return allowed
+}
+
+// replaceAdmin replaces the running admin server according
+// to the relevant configuration in cfg. If no configuration
+// for the admin endpoint exists in cfg, a default one is
+// used, so that there is always an admin server (unless it
+// is explicitly configured to be disabled).
+func replaceAdmin(cfg *Config) error {
+	// always be sure to close down the old admin endpoint
+	// as gracefully as possible, even if the new one is
+	// disabled -- careful to use reference to the current
+	// (old) admin endpoint since it will be different
+	// when the function returns
+	oldAdminServer := adminServer
+	defer func() {
+		// do the shutdown asynchronously so that any
+		// current API request gets a response; this
+		// goroutine may last a few seconds
+		if oldAdminServer != nil {
+			go func(oldAdminServer *http.Server) {
+				err := stopAdminServer(oldAdminServer)
+				if err != nil {
+					Log().Named("admin").Error("stopping current admin endpoint", zap.Error(err))
+				}
+			}(oldAdminServer)
+		}
+	}()
+
+	// always get a valid admin config
+	adminConfig := DefaultAdminConfig
+	if cfg != nil && cfg.Admin != nil {
+		adminConfig = cfg.Admin
+	}
+
+	// if new admin endpoint is to be disabled, we're done
+	if adminConfig.Disabled {
+		Log().Named("admin").Warn("admin endpoint disabled")
+		return nil
+	}
+
+	// extract a singular listener address
+	netw, addr, err := adminConfig.listenAddr()
+	if err != nil {
+		return err
+	}
+
+	handler := adminConfig.newAdminHandler(addr)
+
+	ln, err := Listen(netw, addr)
+	if err != nil {
+		return err
+	}
+
+	adminServer = &http.Server{
+		Handler:           handler,
+		ReadTimeout:       10 * time.Second,
+		ReadHeaderTimeout: 5 * time.Second,
+		IdleTimeout:       60 * time.Second,
+		MaxHeaderBytes:    1024 * 64,
+	}
+
+	go adminServer.Serve(ln)
+
+	Log().Named("admin").Info(
+		"admin endpoint started",
+		zap.String("address", addr),
+		zap.Bool("enforce_origin", adminConfig.EnforceOrigin),
+		zap.Strings("origins", handler.allowedOrigins),
+	)
+
+	return nil
+}
+
+func stopAdminServer(srv *http.Server) error {
+	if srv == nil {
+		return fmt.Errorf("no admin server")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	err := srv.Shutdown(ctx)
+	if err != nil {
+		return fmt.Errorf("shutting down admin server: %v", err)
+	}
+	Log().Named("admin").Info("stopped previous server")
+	return nil
+}
+
+// AdminRouter is a type which can return routes for the admin API.
+type AdminRouter interface {
+	Routes() []AdminRoute
+}
+
+// AdminRoute represents a route for the admin endpoint.
+type AdminRoute struct {
+	Pattern string
+	Handler AdminHandler
+}
+
+type adminHandler struct {
+	enforceOrigin  bool
+	allowedOrigins []string
+	mux            *http.ServeMux
+}
+
+// ServeHTTP is the external entry point for API requests.
+// It will only be called once per request.
+func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	Log().Named("admin.api").Info("received request",
+		zap.String("method", r.Method),
+		zap.String("uri", r.RequestURI),
+		zap.String("remote_addr", r.RemoteAddr),
+		zap.Reflect("headers", r.Header),
+	)
+	h.serveHTTP(w, r)
+}
+
+// serveHTTP is the internal entry point for API requests. It may
+// be called more than once per request, for example if a request
+// is rewritten (i.e. internal redirect).
+func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
+	if h.enforceOrigin {
+		// DNS rebinding mitigation
+		err := h.checkHost(r)
+		if err != nil {
+			h.handleError(w, r, err)
+			return
+		}
+
+		// cross-site mitigation
+		origin, err := h.checkOrigin(r)
+		if err != nil {
+			h.handleError(w, r, err)
+			return
+		}
+
+		w.Header().Set("Access-Control-Allow-Origin", origin)
+		w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
+
+	// TODO: authentication & authorization, if configured
+
+	h.mux.ServeHTTP(w, r)
+}
+
+func (h adminHandler) handleError(w http.ResponseWriter, r *http.Request, err error) {
+	if err == nil {
+		return
+	}
+	if err == ErrInternalRedir {
+		h.serveHTTP(w, r)
+		return
+	}
+
+	apiErr, ok := err.(APIError)
+	if !ok {
+		apiErr = APIError{
+			Code: http.StatusInternalServerError,
+			Err:  err,
+		}
+	}
+	if apiErr.Code == 0 {
+		apiErr.Code = http.StatusInternalServerError
+	}
+	if apiErr.Message == "" && apiErr.Err != nil {
+		apiErr.Message = apiErr.Err.Error()
+	}
+
+	Log().Named("admin.api").Error("request error",
+		zap.Error(err),
+		zap.Int("status_code", apiErr.Code),
+	)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(apiErr.Code)
+	json.NewEncoder(w).Encode(apiErr)
+}
+
+// checkHost returns a handler that wraps next such that
+// it will only be called if the request's Host header matches
+// a trustworthy/expected value. This helps to mitigate DNS
+// rebinding attacks.
+func (h adminHandler) checkHost(r *http.Request) error {
+	var allowed bool
+	for _, allowedHost := range h.allowedOrigins {
+		if r.Host == allowedHost {
+			allowed = true
+			break
+		}
+	}
+	if !allowed {
+		return APIError{
+			Code: http.StatusForbidden,
+			Err:  fmt.Errorf("host not allowed: %s", r.Host),
+		}
+	}
+	return nil
+}
+
+// checkOrigin ensures that the Origin header, if
+// set, matches the intended target; prevents arbitrary
+// sites from issuing requests to our listener. It
+// returns the origin that was obtained from r.
+func (h adminHandler) checkOrigin(r *http.Request) (string, error) {
+	origin := h.getOriginHost(r)
+	if origin == "" {
+		return origin, APIError{
+			Code: http.StatusForbidden,
+			Err:  fmt.Errorf("missing required Origin header"),
+		}
+	}
+	if !h.originAllowed(origin) {
+		return origin, APIError{
+			Code: http.StatusForbidden,
+			Err:  fmt.Errorf("client is not allowed to access from origin %s", origin),
+		}
+	}
+	return origin, nil
+}
+
+func (h adminHandler) getOriginHost(r *http.Request) string {
+	origin := r.Header.Get("Origin")
+	if origin == "" {
+		origin = r.Header.Get("Referer")
+	}
+	originURL, err := url.Parse(origin)
+	if err == nil && originURL.Host != "" {
+		origin = originURL.Host
+	}
+	return origin
+}
+
+func (h adminHandler) originAllowed(origin string) bool {
+	for _, allowedOrigin := range h.allowedOrigins {
+		originCopy := origin
+		if !strings.Contains(allowedOrigin, "://") {
+			// no scheme specified, so allow both
+			originCopy = strings.TrimPrefix(originCopy, "http://")
+			originCopy = strings.TrimPrefix(originCopy, "https://")
+		}
+		if originCopy == allowedOrigin {
+			return true
+		}
+	}
+	return false
+}
+
+func handleLoad(w http.ResponseWriter, r *http.Request) error {
+	if r.Method != http.MethodPost {
+		return APIError{
+			Code: http.StatusMethodNotAllowed,
+			Err:  fmt.Errorf("method not allowed"),
+		}
+	}
+
+	buf := bufPool.Get().(*bytes.Buffer)
+	buf.Reset()
+	defer bufPool.Put(buf)
+
+	_, err := io.Copy(buf, r.Body)
+	if err != nil {
+		return APIError{
+			Code: http.StatusBadRequest,
+			Err:  fmt.Errorf("reading request body: %v", err),
+		}
+	}
+	body := buf.Bytes()
+
+	// if the config is formatted other than Caddy's native
+	// JSON, we need to adapt it before loading it
+	if ctHeader := r.Header.Get("Content-Type"); ctHeader != "" {
+		ct, _, err := mime.ParseMediaType(ctHeader)
+		if err != nil {
+			return APIError{
+				Code: http.StatusBadRequest,
+				Err:  fmt.Errorf("invalid Content-Type: %v", err),
+			}
+		}
+		if !strings.HasSuffix(ct, "/json") {
+			slashIdx := strings.Index(ct, "/")
+			if slashIdx < 0 {
+				return APIError{
+					Code: http.StatusBadRequest,
+					Err:  fmt.Errorf("malformed Content-Type"),
+				}
+			}
+			adapterName := ct[slashIdx+1:]
+			cfgAdapter := caddyconfig.GetAdapter(adapterName)
+			if cfgAdapter == nil {
+				return APIError{
+					Code: http.StatusBadRequest,
+					Err:  fmt.Errorf("unrecognized config adapter '%s'", adapterName),
+				}
+			}
+			result, warnings, err := cfgAdapter.Adapt(body, nil)
+			if err != nil {
+				return APIError{
+					Code: http.StatusBadRequest,
+					Err:  fmt.Errorf("adapting config using %s adapter: %v", adapterName, err),
+				}
+			}
+			if len(warnings) > 0 {
+				respBody, err := json.Marshal(warnings)
+				if err != nil {
+					Log().Named("admin.api.load").Error(err.Error())
+				}
+				w.Write(respBody)
+			}
+			body = result
+		}
+	}
+
+	forceReload := r.Header.Get("Cache-Control") == "must-revalidate"
+
+	err = Load(body, forceReload)
+	if err != nil {
+		return APIError{
+			Code: http.StatusBadRequest,
+			Err:  fmt.Errorf("loading config: %v", err),
+		}
+	}
+
+	Log().Named("admin.api").Info("load complete")
+
+	return nil
+}
+
+func handleConfig(w http.ResponseWriter, r *http.Request) error {
+	switch r.Method {
+	case http.MethodGet:
+		w.Header().Set("Content-Type", "application/json")
+
+		err := readConfig(r.URL.Path, w)
+		if err != nil {
+			return APIError{Code: http.StatusBadRequest, Err: err}
+		}
+
+		return nil
+
+	case http.MethodPost,
+		http.MethodPut,
+		http.MethodPatch,
+		http.MethodDelete:
+
+		// DELETE does not use a body, but the others do
+		var body []byte
+		if r.Method != http.MethodDelete {
+			if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "/json") {
+				return APIError{
+					Code: http.StatusBadRequest,
+					Err:  fmt.Errorf("unacceptable content-type: %v; 'application/json' required", ct),
+				}
+			}
+
+			buf := bufPool.Get().(*bytes.Buffer)
+			buf.Reset()
+			defer bufPool.Put(buf)
+
+			_, err := io.Copy(buf, r.Body)
+			if err != nil {
+				return APIError{
+					Code: http.StatusBadRequest,
+					Err:  fmt.Errorf("reading request body: %v", err),
+				}
+			}
+			body = buf.Bytes()
+		}
+
+		forceReload := r.Header.Get("Cache-Control") == "must-revalidate"
+
+		err := changeConfig(r.Method, r.URL.Path, body, forceReload)
+		if err != nil {
+			return err
+		}
+
+	default:
+		return APIError{
+			Code: http.StatusMethodNotAllowed,
+			Err:  fmt.Errorf("method %s not allowed", r.Method),
+		}
+	}
+
+	return nil
+}
+
+func handleConfigID(w http.ResponseWriter, r *http.Request) error {
+	idPath := r.URL.Path
+
+	parts := strings.Split(idPath, "/")
+	if len(parts) < 3 || parts[2] == "" {
+		return fmt.Errorf("request path is missing object ID")
+	}
+	if parts[0] != "" || parts[1] != "id" {
+		return fmt.Errorf("malformed object path")
+	}
+	id := parts[2]
+
+	// map the ID to the expanded path
+	currentCfgMu.RLock()
+	expanded, ok := rawCfgIndex[id]
+	defer currentCfgMu.RUnlock()
+	if !ok {
+		return fmt.Errorf("unknown object ID '%s'", id)
+	}
+
+	// piece the full URL path back together
+	parts = append([]string{expanded}, parts[3:]...)
+	r.URL.Path = path.Join(parts...)
+
+	return ErrInternalRedir
+}
+
+func handleStop(w http.ResponseWriter, r *http.Request) error {
+	defer func() {
+		Log().Named("admin.api").Info("stopping now, bye!! 👋")
+		os.Exit(0)
+	}()
+	err := handleUnload(w, r)
+	if err != nil {
+		Log().Named("admin.api").Error("unload error", zap.Error(err))
+	}
+	return nil
+}
+
+// handleUnload stops the current configuration that is running.
+// Note that doing this can also be accomplished with DELETE /config/
+// but we leave this function because handleStop uses it.
+func handleUnload(w http.ResponseWriter, r *http.Request) error {
+	if r.Method != http.MethodPost {
+		return APIError{
+			Code: http.StatusMethodNotAllowed,
+			Err:  fmt.Errorf("method not allowed"),
+		}
+	}
+	currentCfgMu.RLock()
+	hasCfg := currentCfg != nil
+	currentCfgMu.RUnlock()
+	if !hasCfg {
+		Log().Named("admin.api").Info("nothing to unload")
+		return nil
+	}
+	Log().Named("admin.api").Info("unloading")
+	if err := stopAndCleanup(); err != nil {
+		Log().Named("admin.api").Error("error unloading", zap.Error(err))
+	} else {
+		Log().Named("admin.api").Info("unloading completed")
+	}
+	return nil
+}
+
+// unsyncedConfigAccess traverses into the current config and performs
+// the operation at path according to method, using body and out as
+// needed. This is a low-level, unsynchronized function; most callers
+// will want to use changeConfig or readConfig instead. This requires a
+// read or write lock on currentCfgMu, depending on method (GET needs
+// only a read lock; all others need a write lock).
+func unsyncedConfigAccess(method, path string, body []byte, out io.Writer) error {
+	var err error
+	var val interface{}
+
+	// if there is a request body, decode it into the
+	// variable that will be set in the config according
+	// to method and path
+	if len(body) > 0 {
+		err = json.Unmarshal(body, &val)
+		if err != nil {
+			return fmt.Errorf("decoding request body: %v", err)
+		}
+	}
+
+	enc := json.NewEncoder(out)
+
+	cleanPath := strings.Trim(path, "/")
+	if cleanPath == "" {
+		return fmt.Errorf("no traversable path")
+	}
+
+	parts := strings.Split(cleanPath, "/")
+	if len(parts) == 0 {
+		return fmt.Errorf("path missing")
+	}
+
+	var ptr interface{} = rawCfg
+
+traverseLoop:
+	for i, part := range parts {
+		switch v := ptr.(type) {
+		case map[string]interface{}:
+			// if the next part enters a slice, and the slice is our destination,
+			// handle it specially (because appending to the slice copies the slice
+			// header, which does not replace the original one like we want)
+			if arr, ok := v[part].([]interface{}); ok && i == len(parts)-2 {
+				var idx int
+				if method != http.MethodPost {
+					idxStr := parts[len(parts)-1]
+					idx, err = strconv.Atoi(idxStr)
+					if err != nil {
+						return fmt.Errorf("[%s] invalid array index '%s': %v",
+							path, idxStr, err)
+					}
+					if idx < 0 || idx >= len(arr) {
+						return fmt.Errorf("[%s] array index out of bounds: %s", path, idxStr)
+					}
+				}
+
+				switch method {
+				case http.MethodGet:
+					err = enc.Encode(arr[idx])
+					if err != nil {
+						return fmt.Errorf("encoding config: %v", err)
+					}
+				case http.MethodPost:
+					v[part] = append(arr, val)
+				case http.MethodPut:
+					// avoid creation of new slice and a second copy (see
+					// https://github.com/golang/go/wiki/SliceTricks#insert)
+					arr = append(arr, nil)
+					copy(arr[idx+1:], arr[idx:])
+					arr[idx] = val
+					v[part] = arr
+				case http.MethodPatch:
+					arr[idx] = val
+				case http.MethodDelete:
+					v[part] = append(arr[:idx], arr[idx+1:]...)
+				default:
+					return fmt.Errorf("unrecognized method %s", method)
+				}
+				break traverseLoop
+			}
+
+			if i == len(parts)-1 {
+				switch method {
+				case http.MethodGet:
+					err = enc.Encode(v[part])
+					if err != nil {
+						return fmt.Errorf("encoding config: %v", err)
+					}
+				case http.MethodPost:
+					if arr, ok := v[part].([]interface{}); ok {
+						// if the part is an existing list, POST appends to it
+						// TODO: Do we ever reach this point, since we handle arrays
+						// separately above?
+						v[part] = append(arr, val)
+					} else {
+						// otherwise, it simply sets the value
+						v[part] = val
+					}
+				case http.MethodPut:
+					if _, ok := v[part]; ok {
+						return fmt.Errorf("[%s] key already exists: %s", path, part)
+					}
+					v[part] = val
+				case http.MethodPatch:
+					if _, ok := v[part]; !ok {
+						return fmt.Errorf("[%s] key does not exist: %s", path, part)
+					}
+					v[part] = val
+				case http.MethodDelete:
+					delete(v, part)
+				default:
+					return fmt.Errorf("unrecognized method %s", method)
+				}
+			} else {
+				ptr = v[part]
+			}
+
+		case []interface{}:
+			partInt, err := strconv.Atoi(part)
+			if err != nil {
+				return fmt.Errorf("[/%s] invalid array index '%s': %v",
+					strings.Join(parts[:i+1], "/"), part, err)
+			}
+			if partInt < 0 || partInt >= len(v) {
+				return fmt.Errorf("[/%s] array index out of bounds: %s",
+					strings.Join(parts[:i+1], "/"), part)
+			}
+			ptr = v[partInt]
+
+		default:
+			return fmt.Errorf("invalid path: %s", parts[:i+1])
+		}
+	}
+
+	return nil
+}
+
+// AdminHandler is like http.Handler except ServeHTTP may return an error.
+//
+// If any handler encounters an error, it should be returned for proper
+// handling.
+type AdminHandler interface {
+	ServeHTTP(http.ResponseWriter, *http.Request) error
+}
+
+// AdminHandlerFunc is a convenience type like http.HandlerFunc.
+type AdminHandlerFunc func(http.ResponseWriter, *http.Request) error
+
+// ServeHTTP implements the Handler interface.
+func (f AdminHandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) error {
+	return f(w, r)
+}
+
+// APIError is a structured error that every API
+// handler should return for consistency in logging
+// and client responses. If Message is unset, then
+// Err.Error() will be serialized in its place.
+type APIError struct {
+	Code    int    `json:"-"`
+	Err     error  `json:"-"`
+	Message string `json:"error"`
+}
+
+func (e APIError) Error() string {
+	if e.Err != nil {
+		return e.Err.Error()
+	}
+	return e.Message
+}
+
+var (
+	// DefaultAdminListen is the address for the admin
+	// listener, if none is specified at startup.
+	DefaultAdminListen = "localhost:2019"
+
+	// ErrInternalRedir indicates an internal redirect
+	// and is useful when admin API handlers rewrite
+	// the request; in that case, authentication and
+	// authorization needs to happen again for the
+	// rewritten request.
+	ErrInternalRedir = fmt.Errorf("internal redirect; re-authorization required")
+
+	// DefaultAdminConfig is the default configuration
+	// for the administration endpoint.
+	DefaultAdminConfig = &AdminConfig{
+		Listen: DefaultAdminListen,
+	}
+)
+
+const (
+	rawConfigKey = "config"
+	idKey        = "@id"
+)
+
+var bufPool = sync.Pool{
+	New: func() interface{} {
+		return new(bytes.Buffer)
+	},
+}
+
+var adminServer *http.Server
@@ -0,0 +1,126 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddy
+
+import (
+	"encoding/json"
+	"reflect"
+	"testing"
+)
+
+func TestUnsyncedConfigAccess(t *testing.T) {
+	// each test is performed in sequence, so
+	// each change builds on the previous ones;
+	// the config is not reset between tests
+	for i, tc := range []struct {
+		method    string
+		path      string // rawConfigKey will be prepended
+		payload   string
+		expect    string // JSON representation of what the whole config is expected to be after the request
+		shouldErr bool
+	}{
+		{
+			method:  "POST",
+			path:    "",
+			payload: `{"foo": "bar", "list": ["a", "b", "c"]}`, // starting value
+			expect:  `{"foo": "bar", "list": ["a", "b", "c"]}`,
+		},
+		{
+			method:  "POST",
+			path:    "/foo",
+			payload: `"jet"`,
+			expect:  `{"foo": "jet", "list": ["a", "b", "c"]}`,
+		},
+		{
+			method:  "POST",
+			path:    "/bar",
+			payload: `{"aa": "bb", "qq": "zz"}`,
+			expect:  `{"foo": "jet", "bar": {"aa": "bb", "qq": "zz"}, "list": ["a", "b", "c"]}`,
+		},
+		{
+			method: "DELETE",
+			path:   "/bar/qq",
+			expect: `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c"]}`,
+		},
+		{
+			method:  "POST",
+			path:    "/list",
+			payload: `"e"`,
+			expect:  `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c", "e"]}`,
+		},
+		{
+			method:  "PUT",
+			path:    "/list/3",
+			payload: `"d"`,
+			expect:  `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c", "d", "e"]}`,
+		},
+		{
+			method: "DELETE",
+			path:   "/list/3",
+			expect: `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c", "e"]}`,
+		},
+		{
+			method:  "PATCH",
+			path:    "/list/3",
+			payload: `"d"`,
+			expect:  `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c", "d"]}`,
+		},
+	} {
+		err := unsyncedConfigAccess(tc.method, rawConfigKey+tc.path, []byte(tc.payload), nil)
+
+		if tc.shouldErr && err == nil {
+			t.Fatalf("Test %d: Expected error return value, but got: %v", i, err)
+		}
+		if !tc.shouldErr && err != nil {
+			t.Fatalf("Test %d: Should not have had error return value, but got: %v", i, err)
+		}
+
+		// decode the expected config so we can do a convenient DeepEqual
+		var expectedDecoded interface{}
+		err = json.Unmarshal([]byte(tc.expect), &expectedDecoded)
+		if err != nil {
+			t.Fatalf("Test %d: Unmarshaling expected config: %v", i, err)
+		}
+
+		// make sure the resulting config is as we expect it
+		if !reflect.DeepEqual(rawCfg[rawConfigKey], expectedDecoded) {
+			t.Fatalf("Test %d:\nExpected:\n\t%#v\nActual:\n\t%#v",
+				i, expectedDecoded, rawCfg[rawConfigKey])
+		}
+	}
+}
+
+func BenchmarkLoad(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		cfg := []byte(`{
+			"apps": {
+				"http": {
+					"servers": {
+						"myserver": {
+							"listen": ["tcp/localhost:8080-8084"],
+							"read_timeout": "30s"
+						},
+						"yourserver": {
+							"listen": ["127.0.0.1:5000"],
+							"read_header_timeout": "15s"
+						}
+					}
+				}
+			}
+		}
+		`)
+		Load(cfg, true)
+	}
+}
@@ -1,19 +0,0 @@
-version: "{build}"
-
-os: Windows Server 2012 R2
-
-clone_folder: c:\gopath\src\github.com\mholt\caddy
-
-environment:
-  GOPATH: c:\gopath
-
-install:
-  - go get golang.org/x/tools/cmd/vet
-  - echo %GOPATH%
-  - go version
-  - go env
-  - go get -d ./...
-
-build_script:
-  - go vet ./...
-  - go test ./...
@@ -0,0 +1,242 @@
+# Mutilated beyond recognition from the example at:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/go
+
+trigger:
+  - v2
+
+schedules:
+- cron: "0 0 * * *"
+  displayName: Daily midnight fuzzing
+  branches:
+    include:
+    - v2
+  always: true
+
+variables:
+  GOROOT: $(gorootDir)/go
+  GOPATH: $(system.defaultWorkingDirectory)/gopath
+  GOBIN:  $(GOPATH)/bin
+  modulePath: '$(GOPATH)/src/github.com/$(build.repository.name)'
+  # TODO: Remove once it's enabled by default
+  GO111MODULE: on
+
+jobs:
+- job: crossPlatformTest
+  displayName: "Cross-Platform Tests"
+  strategy:
+    matrix:
+      linux:
+        imageName: ubuntu-16.04
+        gorootDir: /usr/local
+      mac:
+        imageName: macos-10.13
+        gorootDir: /usr/local
+      windows:
+        imageName: windows-2019
+        gorootDir: C:\
+  pool:
+    vmImage: $(imageName)
+  
+  steps:
+  - bash: |
+      latestGo=$(curl "https://golang.org/VERSION?m=text")
+      echo "##vso[task.setvariable variable=LATEST_GO]$latestGo"
+      echo "Latest Go version: $latestGo"
+    displayName: "Get latest Go version"
+
+  - bash: |
+      sudo rm -f $(which go)
+      echo '##vso[task.prependpath]$(GOBIN)'
+      echo '##vso[task.prependpath]$(GOROOT)/bin'
+      mkdir -p '$(modulePath)'
+      shopt -s extglob
+      shopt -s dotglob
+      mv !(gopath) '$(modulePath)'
+    displayName: Remove old Go, set GOBIN/GOROOT, and move project into GOPATH
+
+  # Install Go (this varies by platform)
+  - bash: |
+      wget "https://dl.google.com/go/$(LATEST_GO).linux-amd64.tar.gz"
+      sudo tar -C $(gorootDir) -xzf "$(LATEST_GO).linux-amd64.tar.gz"
+    condition: eq( variables['Agent.OS'], 'Linux' )
+    displayName: Install Go on Linux
+
+  - bash: |
+      wget "https://dl.google.com/go/$(LATEST_GO).darwin-amd64.tar.gz"
+      sudo tar -C $(gorootDir) -xzf "$(LATEST_GO).darwin-amd64.tar.gz"
+    condition: eq( variables['Agent.OS'], 'Darwin' )
+    displayName: Install Go on macOS
+
+  # The low performance is partly due to PowerShell's attempt to update the progress bar. Disabling it speeds up the process.
+  # Reference: https://github.com/PowerShell/PowerShell/issues/2138
+  - powershell: |
+      $ProgressPreference = 'SilentlyContinue'
+      Write-Host "Downloading Go..."
+      (New-Object System.Net.WebClient).DownloadFile("https://dl.google.com/go/$(LATEST_GO).windows-amd64.zip", "$(LATEST_GO).windows-amd64.zip")
+      Write-Host "Extracting Go... (I'm slow too)"
+      7z x "$(LATEST_GO).windows-amd64.zip" -o"$(gorootDir)"
+    condition: eq( variables['Agent.OS'], 'Windows_NT' )
+    displayName: Install Go on Windows
+
+  - bash: curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.19.1
+    displayName: Install golangci-lint
+
+  - script: |
+      go get github.com/axw/gocov/gocov
+      go get github.com/AlekSi/gocov-xml
+      go get -u github.com/jstemmer/go-junit-report
+    displayName: Install test and coverage analysis tools
+
+  - bash: |
+      printf "Using go at: $(which go)\n"
+      printf "Go version: $(go version)\n"
+      printf "\n\nGo environment:\n\n"
+      go env
+      printf "\n\nSystem environment:\n\n"
+      env
+    displayName: Print Go version and environment
+
+  - script: |
+      go get -v -t -d ./...
+      mkdir test-results
+    workingDirectory: '$(modulePath)'
+    displayName: Get dependencies
+
+  # its behavior is governed by .golangci.yml
+  - script: |
+      (golangci-lint run --out-format junit-xml) > test-results/lint-result.xml
+      exit 0
+    workingDirectory: '$(modulePath)'
+    continueOnError: true
+    displayName: Run lint check
+
+  - script: |
+      (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
+    workingDirectory: '$(modulePath)'
+    continueOnError: true
+    displayName: Run tests
+
+  - script: |
+      mkdir coverage
+      gocov convert cover-profile.out > coverage/coverage.json
+      # Because Windows doesn't work with input redirection like *nix, but output redirection works.
+      (cat ./coverage/coverage.json | gocov-xml) > coverage/coverage.xml 
+    workingDirectory: '$(modulePath)'
+    displayName: Prepare coverage reports
+
+  - script: |
+      (cat ./test-results/test-result.out | go-junit-report) > test-results/test-result.xml
+    workingDirectory: '$(modulePath)'
+    displayName: Prepare test report
+
+  - task: PublishCodeCoverageResults@1
+    displayName: Publish test coverage report
+    inputs:
+      codeCoverageTool: Cobertura 
+      summaryFileLocation: $(modulePath)/coverage/coverage.xml
+
+  - task: PublishTestResults@2
+    displayName: Publish unit test
+    inputs:
+      testResultsFormat: 'JUnit'
+      testResultsFiles: $(modulePath)/test-results/test-result.xml
+      testRunTitle: $(agent.OS) Unit Test
+      mergeTestResults: false
+
+  - task: PublishTestResults@2
+    displayName: Publish lint results
+    inputs:
+      testResultsFormat: 'JUnit'
+      testResultsFiles: $(modulePath)/test-results/lint-result.xml
+      testRunTitle: $(agent.OS) Lint
+      mergeTestResults: false
+
+  - bash: |
+      exit 1
+    condition: eq(variables['Agent.JobStatus'], 'SucceededWithIssues')
+    displayName: Coerce correct build result
+
+- job: fuzzing
+  displayName: 'Fuzzing'
+  # Only run this job on schedules or PRs for non-forks.
+  condition: or(eq(variables['System.PullRequest.IsFork'], 'False'), eq(variables['Build.Reason'], 'Schedule') )
+  strategy:
+    matrix:
+      linux:
+        imageName: ubuntu-16.04
+        gorootDir: /usr/local
+  pool:
+    vmImage: $(imageName)
+
+  steps:
+  - bash: |
+      latestGo=$(curl "https://golang.org/VERSION?m=text")
+      echo "##vso[task.setvariable variable=LATEST_GO]$latestGo"
+      echo "Latest Go version: $latestGo"
+    displayName: "Get latest Go version"
+
+  - bash: |
+      sudo rm -f $(which go)
+      echo '##vso[task.prependpath]$(GOBIN)'
+      echo '##vso[task.prependpath]$(GOROOT)/bin'
+      mkdir -p '$(modulePath)'
+      shopt -s extglob
+      shopt -s dotglob
+      mv !(gopath) '$(modulePath)'
+    displayName: Remove old Go, set GOBIN/GOROOT, and move project into GOPATH
+
+  - bash: |
+      wget "https://dl.google.com/go/$(LATEST_GO).linux-amd64.tar.gz"
+      sudo tar -C $(gorootDir) -xzf "$(LATEST_GO).linux-amd64.tar.gz"
+    condition: eq( variables['Agent.OS'], 'Linux' )
+    displayName: Install Go on Linux
+
+  - bash: |
+      # Install Clang-7.0 because other versions seem to be missing the file libclang_rt.fuzzer-x86_64.a
+      sudo add-apt-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-7 main"
+      wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
+      sudo apt update && sudo apt install -y clang-7 lldb-7 lld-7
+
+      go get -v github.com/dvyukov/go-fuzz/go-fuzz github.com/dvyukov/go-fuzz/go-fuzz-build
+      wget -q -O fuzzit https://github.com/fuzzitdev/fuzzit/releases/download/v2.4.74/fuzzit_Linux_x86_64
+      chmod a+x fuzzit
+      mv fuzzit $(GOBIN)
+    displayName: Download go-fuzz tools and the Fuzzit CLI, and move Fuzzit CLI to GOBIN
+    condition: and(eq(variables['System.PullRequest.IsFork'], 'False') , eq( variables['Agent.OS'], 'Linux' ))
+
+  - bash: |
+      declare -A fuzzers_funcs=(\
+        ["./caddyconfig/httpcaddyfile/adapter_fuzz.go"]="FuzzHTTPCaddyfileAdapter" \
+        ["./caddyconfig/httpcaddyfile/addresses_fuzz.go"]="FuzzParseAddress" \
+        ["./caddyconfig/caddyfile/parse_fuzz.go"]="FuzzParseCaddyfile" \
+        ["./listeners_fuzz.go"]="FuzzParseNetworkAddress" \
+        ["./replacer_fuzz.go"]="FuzzReplacer" \
+      )
+
+      declare -A fuzzers_targets=(\
+        ["./caddyconfig/httpcaddyfile/adapter_fuzz.go"]="caddyfile-adapter" \
+        ["./caddyconfig/httpcaddyfile/addresses_fuzz.go"]="parse-address" \
+        ["./caddyconfig/caddyfile/parse_fuzz.go"]="parse-caddyfile" \
+        ["./listeners_fuzz.go"]="parse-network-address" \
+        ["./replacer_fuzz.go"]="replacer" \
+      )
+
+      fuzz_type="local-regression"
+      if [[ $(Build.Reason) == "Schedule" ]]; then
+        fuzz_type="fuzzing"
+      fi
+      echo "Fuzzing type: $fuzz_type"
+
+      for f in $(find . -name \*_fuzz.go); do
+        FUZZER_DIRECTORY=$(dirname $f)
+        echo "go-fuzz-build func ${fuzzers_funcs[$f]} residing in $f"
+        go-fuzz-build -func "${fuzzers_funcs[$f]}" -libfuzzer -o "$FUZZER_DIRECTORY/${fuzzers_targets[$f]}.a" $FUZZER_DIRECTORY
+        echo "Generating fuzzer binary of func ${fuzzers_funcs[$f]} which resides in $f"
+        clang-7 -fsanitize=fuzzer "$FUZZER_DIRECTORY/${fuzzers_targets[$f]}.a" -o "$FUZZER_DIRECTORY/${fuzzers_targets[$f]}"
+        fuzzit create job caddyserver/${fuzzers_targets[$f]} $FUZZER_DIRECTORY/${fuzzers_targets[$f]} --api-key ${FUZZIT_API_KEY} --type "${fuzz_type}" --branch "${SYSTEM_PULLREQUEST_SOURCEBRANCH}" --revision "${BUILD_SOURCEVERSION}"
+        echo "Completed $f"
+      done
+    env:
+      FUZZIT_API_KEY: $(FUZZIT_API_KEY)
+    workingDirectory: '$(modulePath)'
+    displayName: Generate fuzzers & submit them to Fuzzit
@@ -0,0 +1,513 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddy
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"path"
+	"runtime/debug"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/mholt/certmagic"
+)
+
+// Config represents a Caddy configuration. It is the
+// top of the module structure: all Caddy modules will
+// be loaded, starting with this struct. In order to
+// be loaded and run successfully, a Config and all its
+// modules must be JSON-encodable; i.e. when filling a
+// Config struct manually, its JSON-encodable fields
+// (the ones with JSON struct tags, usually ending with
+// "Raw" if they decode into a separate field) must be
+// set so that they can be unmarshaled and provisioned.
+// Setting the fields for the decoded values instead
+// will result in those values being overwritten at
+// unmarshaling/provisioning.
+type Config struct {
+	Admin      *AdminConfig               `json:"admin,omitempty"`
+	Logging    *Logging                   `json:"logging,omitempty"`
+	StorageRaw json.RawMessage            `json:"storage,omitempty"`
+	AppsRaw    map[string]json.RawMessage `json:"apps,omitempty"`
+
+	apps    map[string]App
+	storage certmagic.Storage
+
+	cancelFunc context.CancelFunc
+}
+
+// App is a thing that Caddy runs.
+type App interface {
+	Start() error
+	Stop() error
+}
+
+// Run runs the given config, replacing any existing config.
+func Run(cfg *Config) error {
+	cfgJSON, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+	return Load(cfgJSON, true)
+}
+
+// Load loads the given config JSON and runs it only
+// if it is different from the current config or
+// forceReload is true.
+func Load(cfgJSON []byte, forceReload bool) error {
+	return changeConfig(http.MethodPost, "/"+rawConfigKey, cfgJSON, forceReload)
+}
+
+// changeConfig changes the current config (rawCfg) according to the
+// method, traversed via the given path, and uses the given input as
+// the new value (if applicable; i.e. "DELETE" doesn't have an input).
+// If the resulting config is the same as the previous, no reload will
+// occur unless forceReload is true. This function is safe for
+// concurrent use.
+func changeConfig(method, path string, input []byte, forceReload bool) error {
+	switch method {
+	case http.MethodGet,
+		http.MethodHead,
+		http.MethodOptions,
+		http.MethodConnect,
+		http.MethodTrace:
+		return fmt.Errorf("method not allowed")
+	}
+
+	currentCfgMu.Lock()
+	defer currentCfgMu.Unlock()
+
+	err := unsyncedConfigAccess(method, path, input, nil)
+	if err != nil {
+		return err
+	}
+
+	// find any IDs in this config and index them
+	idx := make(map[string]string)
+	err = indexConfigObjects(rawCfg[rawConfigKey], "/"+rawConfigKey, idx)
+	if err != nil {
+		return APIError{
+			Code: http.StatusInternalServerError,
+			Err:  fmt.Errorf("indexing config: %v", err),
+		}
+	}
+
+	// the mutation is complete, so encode the entire config as JSON
+	newCfg, err := json.Marshal(rawCfg[rawConfigKey])
+	if err != nil {
+		return APIError{
+			Code: http.StatusBadRequest,
+			Err:  fmt.Errorf("encoding new config: %v", err),
+		}
+	}
+
+	// if nothing changed, no need to do a whole reload unless the client forces it
+	if !forceReload && bytes.Equal(rawCfgJSON, newCfg) {
+		Log().Named("admin.api.change_config").Info("config is unchanged")
+		return nil
+	}
+
+	// load this new config; if it fails, we need to revert to
+	// our old representation of caddy's actual config
+	err = unsyncedDecodeAndRun(newCfg)
+	if err != nil {
+		if len(rawCfgJSON) > 0 {
+			// restore old config state to keep it consistent
+			// with what caddy is still running; we need to
+			// unmarshal it again because it's likely that
+			// pointers deep in our rawCfg map were modified
+			var oldCfg interface{}
+			err2 := json.Unmarshal(rawCfgJSON, &oldCfg)
+			if err2 != nil {
+				err = fmt.Errorf("%v; additionally, restoring old config: %v", err, err2)
+			}
+			rawCfg[rawConfigKey] = oldCfg
+		}
+
+		return fmt.Errorf("loading new config: %v", err)
+	}
+
+	// success, so update our stored copy of the encoded
+	// config to keep it consistent with what caddy is now
+	// running (storing an encoded copy is not strictly
+	// necessary, but avoids an extra json.Marshal for
+	// each config change)
+	rawCfgJSON = newCfg
+	rawCfgIndex = idx
+
+	return nil
+}
+
+// readConfig traverses the current config to path
+// and writes its JSON encoding to out.
+func readConfig(path string, out io.Writer) error {
+	currentCfgMu.RLock()
+	defer currentCfgMu.RUnlock()
+	return unsyncedConfigAccess(http.MethodGet, path, nil, out)
+}
+
+// indexConfigObjects recurisvely searches ptr for object fields named
+// "@id" and maps that ID value to the full configPath in the index.
+// This function is NOT safe for concurrent access; obtain a write lock
+// on currentCfgMu.
+func indexConfigObjects(ptr interface{}, configPath string, index map[string]string) error {
+	switch val := ptr.(type) {
+	case map[string]interface{}:
+		for k, v := range val {
+			if k == idKey {
+				switch idVal := v.(type) {
+				case string:
+					index[idVal] = configPath
+				case float64: // all JSON numbers decode as float64
+					index[fmt.Sprintf("%v", idVal)] = configPath
+				default:
+					return fmt.Errorf("%s: %s field must be a string or number", configPath, idKey)
+				}
+				delete(val, idKey) // field is no longer needed, and will break config if not removed
+				continue
+			}
+			// traverse this object property recursively
+			err := indexConfigObjects(val[k], path.Join(configPath, k), index)
+			if err != nil {
+				return err
+			}
+		}
+	case []interface{}:
+		// traverse each element of the array recursively
+		for i := range val {
+			err := indexConfigObjects(val[i], path.Join(configPath, strconv.Itoa(i)), index)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+// unsyncedDecodeAndRun decodes cfgJSON and runs
+// it as the new config, replacing any other
+// current config. It does not update the raw
+// config state, as this is a lower-level function;
+// most callers will want to use Load instead.
+// A write lock on currentCfgMu is required!
+func unsyncedDecodeAndRun(cfgJSON []byte) error {
+	var newCfg *Config
+	err := strictUnmarshalJSON(cfgJSON, &newCfg)
+	if err != nil {
+		return err
+	}
+
+	// run the new config and start all its apps
+	err = run(newCfg, true)
+	if err != nil {
+		return err
+	}
+
+	// swap old config with the new one
+	oldCfg := currentCfg
+	currentCfg = newCfg
+
+	// Stop, Cleanup each old app
+	unsyncedStop(oldCfg)
+
+	return nil
+}
+
+// run runs newCfg and starts all its apps if
+// start is true. If any errors happen, cleanup
+// is performed if any modules were provisioned;
+// apps that were started already will be stopped,
+// so this function should not leak resources if
+// an error is returned. However, if no error is
+// returned and start == false, you should cancel
+// the config if you are not going to start it,
+// so that each provisioned module will be
+// cleaned up.
+//
+// This is a low-level function; most callers
+// will want to use Run instead, which also
+// updates the config's raw state.
+func run(newCfg *Config, start bool) error {
+	// because we will need to roll back any state
+	// modifications if this function errors, we
+	// keep a single error value and scope all
+	// sub-operations to their own functions to
+	// ensure this error value does not get
+	// overridden or missed when it should have
+	// been set by a short assignment
+	var err error
+
+	// start the admin endpoint (and stop any prior one)
+	err = replaceAdmin(newCfg)
+	if err != nil {
+		return fmt.Errorf("starting caddy administration endpoint: %v", err)
+	}
+
+	if newCfg == nil {
+		return nil
+	}
+
+	// prepare the new config for use
+	newCfg.apps = make(map[string]App)
+
+	// create a context within which to load
+	// modules - essentially our new config's
+	// execution environment; be sure that
+	// cleanup occurs when we return if there
+	// was an error; if no error, it will get
+	// cleaned up on next config cycle
+	ctx, cancel := NewContext(Context{Context: context.Background(), cfg: newCfg})
+	defer func() {
+		if err != nil {
+			// if there were any errors during startup,
+			// we should cancel the new context we created
+			// since the associated config won't be used;
+			// this will cause all modules that were newly
+			// provisioned to clean themselves up
+			cancel()
+
+			// also undo any other state changes we made
+			if currentCfg != nil {
+				certmagic.Default.Storage = currentCfg.storage
+			}
+		}
+	}()
+	newCfg.cancelFunc = cancel // clean up later
+
+	// set up logging before anything bad happens
+	if newCfg.Logging == nil {
+		newCfg.Logging = new(Logging)
+	}
+	err = newCfg.Logging.openLogs(ctx)
+	if err != nil {
+		return err
+	}
+
+	// set up global storage and make it CertMagic's default storage, too
+	err = func() error {
+		if newCfg.StorageRaw != nil {
+			val, err := ctx.LoadModuleInline("module", "caddy.storage", newCfg.StorageRaw)
+			if err != nil {
+				return fmt.Errorf("loading storage module: %v", err)
+			}
+			stor, err := val.(StorageConverter).CertMagicStorage()
+			if err != nil {
+				return fmt.Errorf("creating storage value: %v", err)
+			}
+			newCfg.storage = stor
+			newCfg.StorageRaw = nil // allow GC to deallocate
+		}
+		if newCfg.storage == nil {
+			newCfg.storage = &certmagic.FileStorage{Path: dataDir()}
+		}
+		certmagic.Default.Storage = newCfg.storage
+
+		return nil
+	}()
+	if err != nil {
+		return err
+	}
+
+	// Load, Provision, Validate each app and their submodules
+	err = func() error {
+		for modName, rawMsg := range newCfg.AppsRaw {
+			val, err := ctx.LoadModule(modName, rawMsg)
+			if err != nil {
+				return fmt.Errorf("loading app module '%s': %v", modName, err)
+			}
+			newCfg.apps[modName] = val.(App)
+		}
+		return nil
+	}()
+	if err != nil {
+		return err
+	}
+
+	if !start {
+		return nil
+	}
+
+	// Start
+	return func() error {
+		var started []string
+		for name, a := range newCfg.apps {
+			err := a.Start()
+			if err != nil {
+				// an app failed to start, so we need to stop
+				// all other apps that were already started
+				for _, otherAppName := range started {
+					err2 := newCfg.apps[otherAppName].Stop()
+					if err2 != nil {
+						err = fmt.Errorf("%v; additionally, aborting app %s: %v",
+							err, otherAppName, err2)
+					}
+				}
+				return fmt.Errorf("%s app module: start: %v", name, err)
+			}
+			started = append(started, name)
+		}
+		return nil
+	}()
+}
+
+// Stop stops running the current configuration.
+// It is the antithesis of Run(). This function
+// will log any errors that occur during the
+// stopping of individual apps and continue to
+// stop the others. Stop should only be called
+// if not replacing with a new config.
+func Stop() error {
+	currentCfgMu.Lock()
+	defer currentCfgMu.Unlock()
+	unsyncedStop(currentCfg)
+	currentCfg = nil
+	rawCfgJSON = nil
+	rawCfgIndex = nil
+	rawCfg[rawConfigKey] = nil
+	return nil
+}
+
+// unsyncedStop stops cfg from running, but has
+// no locking around cfg. It is a no-op if cfg is
+// nil. If any app returns an error when stopping,
+// it is logged and the function continues stopping
+// the next app. This function assumes all apps in
+// cfg were successfully started first.
+func unsyncedStop(cfg *Config) {
+	if cfg == nil {
+		return
+	}
+
+	// stop each app
+	for name, a := range cfg.apps {
+		err := a.Stop()
+		if err != nil {
+			log.Printf("[ERROR] stop %s: %v", name, err)
+		}
+	}
+
+	// clean up all modules
+	cfg.cancelFunc()
+}
+
+// stopAndCleanup calls stop and cleans up anything
+// else that is expedient. This should only be used
+// when stopping and not replacing with a new config.
+func stopAndCleanup() error {
+	if err := Stop(); err != nil {
+		return err
+	}
+	certmagic.CleanUpOwnLocks()
+	return nil
+}
+
+// Validate loads, provisions, and validates
+// cfg, but does not start running it.
+func Validate(cfg *Config) error {
+	err := run(cfg, false)
+	if err == nil {
+		cfg.cancelFunc() // call Cleanup on all modules
+	}
+	return err
+}
+
+// Duration is a JSON-string-unmarshable duration type.
+type Duration time.Duration
+
+// UnmarshalJSON satisfies json.Unmarshaler.
+func (d *Duration) UnmarshalJSON(b []byte) error {
+	if len(b) == 0 {
+		return io.EOF
+	}
+	var dur time.Duration
+	var err error
+	if b[0] == byte('"') && b[len(b)-1] == byte('"') {
+		dur, err = time.ParseDuration(strings.Trim(string(b), `"`))
+	} else {
+		err = json.Unmarshal(b, &dur)
+	}
+	*d = Duration(dur)
+	return err
+}
+
+// GoModule returns the build info of this Caddy
+// build from debug.BuildInfo (requires Go modules).
+// If no version information is available, a non-nil
+// value will still be returned, but with an
+// unknown version.
+func GoModule() *debug.Module {
+	var mod debug.Module
+	return goModule(&mod)
+}
+
+// goModule holds the actual implementation of GoModule.
+// Allocating debug.Module in GoModule() and passing a
+// reference to goModule enables mid-stack inlining.
+func goModule(mod *debug.Module) *debug.Module {
+	mod.Version = "unknown"
+	bi, ok := debug.ReadBuildInfo()
+	if ok {
+		mod.Path = bi.Main.Path
+		// The recommended way to build Caddy involves
+		// creating a separate main module, which
+		// TODO: track related Go issue: https://github.com/golang/go/issues/29228
+		// once that issue is fixed, we should just be able to use bi.Main... hopefully.
+		for _, dep := range bi.Deps {
+			if dep.Path == "github.com/caddyserver/caddy/v2" {
+				return dep
+			}
+		}
+		return &bi.Main
+	}
+	return mod
+}
+
+// CtxKey is a value type for use with context.WithValue.
+type CtxKey string
+
+// This group of variables pertains to the current configuration.
+var (
+	// currentCfgMu protects everything in this var block.
+	currentCfgMu sync.RWMutex
+
+	// currentCfg is the currently-running configuration.
+	currentCfg *Config
+
+	// rawCfg is the current, generic-decoded configuration;
+	// we initialize it as a map with one field ("config")
+	// to maintain parity with the API endpoint and to avoid
+	// the special case of having to access/mutate the variable
+	// directly without traversing into it.
+	rawCfg = map[string]interface{}{
+		rawConfigKey: nil,
+	}
+
+	// rawCfgJSON is the JSON-encoded form of rawCfg. Keeping
+	// this around avoids an extra Marshal call during changes.
+	rawCfgJSON []byte
+
+	// rawCfgIndex is the map of user-assigned ID to expanded
+	// path, for converting /id/ paths to /config/ paths.
+	rawCfgIndex map[string]string
+)
@@ -1,29 +0,0 @@
-package assets
-
-import (
-	"os"
-	"path/filepath"
-	"runtime"
-)
-
-// Path returns the path to the folder
-// where the application may store data. This
-// currently resolves to ~/.caddy
-func Path() string {
-	return filepath.Join(userHomeDir(), ".caddy")
-}
-
-// userHomeDir returns the user's home directory according to
-// environment variables.
-//
-// Credit: http://stackoverflow.com/a/7922977/1048862
-func userHomeDir() string {
-	if runtime.GOOS == "windows" {
-		home := os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
-		if home == "" {
-			home = os.Getenv("USERPROFILE")
-		}
-		return home
-	}
-	return os.Getenv("HOME")
-}
@@ -1,12 +0,0 @@
-package assets
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestPath(t *testing.T) {
-	if actual := Path(); !strings.HasSuffix(actual, ".caddy") {
-		t.Errorf("Expected path to be a .caddy folder, got: %v", actual)
-	}
-}
@@ -1,358 +0,0 @@
-// Package caddy implements the Caddy web server as a service.
-//
-// To use this package, follow a few simple steps:
-//
-//   1. Set the AppName and AppVersion variables.
-//   2. Call LoadCaddyfile() to get the Caddyfile (it
-//      might have been piped in as part of a restart).
-//      You should pass in your own Caddyfile loader.
-//   3. Call caddy.Start() to start Caddy, caddy.Stop()
-//      to stop it, or caddy.Restart() to restart it.
-//
-// You should use caddy.Wait() to wait for all Caddy servers
-// to quit before your process exits.
-//
-// Importing this package has the side-effect of trapping
-// SIGINT on all platforms and SIGUSR1 on not-Windows systems.
-// It has to do this in order to perform shutdowns or reloads.
-package caddy
-
-import (
-	"bytes"
-	"encoding/gob"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"path"
-	"strings"
-	"sync"
-
-	"github.com/mholt/caddy/caddy/letsencrypt"
-	"github.com/mholt/caddy/server"
-)
-
-// Configurable application parameters
-var (
-	// The name and version of the application.
-	AppName, AppVersion string
-
-	// If true, initialization will not show any informative output.
-	Quiet bool
-
-	// DefaultInput is the default configuration to use when config input is empty or missing.
-	DefaultInput = CaddyfileInput{
-		Contents: []byte(fmt.Sprintf("%s:%s\nroot %s", DefaultHost, DefaultPort, DefaultRoot)),
-	}
-
-	// HTTP2 indicates whether HTTP2 is enabled or not
-	HTTP2 bool // TODO: temporary flag until http2 is standard
-)
-
-var (
-	// caddyfile is the input configuration text used for this process
-	caddyfile Input
-
-	// caddyfileMu protects caddyfile during changes
-	caddyfileMu sync.Mutex
-
-	// incompleteRestartErr occurs if this process is a fork
-	// of the parent but no Caddyfile was piped in
-	incompleteRestartErr = errors.New("cannot finish restart successfully")
-
-	// servers is a list of all the currently-listening servers
-	servers []*server.Server
-
-	// serversMu protects the servers slice during changes
-	serversMu sync.Mutex
-
-	// wg is used to wait for all servers to shut down
-	wg sync.WaitGroup
-
-	// loadedGob is used if this is a child process as part of
-	// a graceful restart; it is used to map listeners to their
-	// index in the list of inherited file descriptors. This
-	// variable is not safe for concurrent access.
-	loadedGob caddyfileGob
-)
-
-const (
-	DefaultHost = "0.0.0.0"
-	DefaultPort = "2015"
-	DefaultRoot = "."
-)
-
-// Start starts Caddy with the given Caddyfile. If cdyfile
-// is nil or the process is forked from a parent as part of
-// a graceful restart, Caddy will check to see if Caddyfile
-// was piped from stdin and use that. It blocks until all the
-// servers are listening.
-//
-// If this process is a fork and no Caddyfile was piped in,
-// an error will be returned (the Restart() function does this
-// for you automatically). If this process is NOT a fork and
-// cdyfile is nil, a default configuration will be assumed.
-// In any case, an error is returned if Caddy could not be
-// started.
-func Start(cdyfile Input) error {
-	// TODO: What if already started -- is that an error?
-
-	var err error
-
-	// Input must never be nil; try to load something
-	if cdyfile == nil {
-		cdyfile, err = LoadCaddyfile(nil)
-		if err != nil {
-			return err
-		}
-	}
-
-	caddyfileMu.Lock()
-	caddyfile = cdyfile
-	caddyfileMu.Unlock()
-
-	// load the server configs (activates Let's Encrypt)
-	configs, err := loadConfigs(path.Base(cdyfile.Path()), bytes.NewReader(cdyfile.Body()))
-	if err != nil {
-		return err
-	}
-
-	// group virtualhosts by address
-	groupings, err := arrangeBindings(configs)
-	if err != nil {
-		return err
-	}
-
-	// Start each server with its one or more configurations
-	err = startServers(groupings)
-	if err != nil {
-		return err
-	}
-
-	// Close remaining file descriptors we may have inherited that we don't need
-	if isRestart() {
-		for _, fdIndex := range loadedGob.ListenerFds {
-			file := os.NewFile(fdIndex, "")
-			fln, err := net.FileListener(file)
-			if err == nil {
-				fln.Close()
-			}
-		}
-	}
-
-	// Show initialization output
-	if !Quiet && !isRestart() {
-		var checkedFdLimit bool
-		for _, group := range groupings {
-			for _, conf := range group.Configs {
-				// Print address of site
-				fmt.Println(conf.Address())
-
-				// Note if non-localhost site resolves to loopback interface
-				if group.BindAddr.IP.IsLoopback() && !isLocalhost(conf.Host) {
-					fmt.Printf("Notice: %s is only accessible on this machine (%s)\n",
-						conf.Host, group.BindAddr.IP.String())
-				}
-				if !checkedFdLimit && !group.BindAddr.IP.IsLoopback() && !isLocalhost(conf.Host) {
-					checkFdlimit()
-					checkedFdLimit = true
-				}
-			}
-		}
-	}
-
-	// Tell parent process that we got this
-	if isRestart() {
-		ppipe := os.NewFile(3, "") // parent is listening on pipe at index 3
-		ppipe.Write([]byte("success"))
-		ppipe.Close()
-	}
-
-	return nil
-}
-
-// startServers starts all the servers in groupings,
-// taking into account whether or not this process is
-// a child from a graceful restart or not. It blocks
-// until the servers are listening.
-func startServers(groupings Group) error {
-	var startupWg sync.WaitGroup
-
-	for _, group := range groupings {
-		s, err := server.New(group.BindAddr.String(), group.Configs)
-		if err != nil {
-			log.Fatal(err)
-		}
-		s.HTTP2 = HTTP2 // TODO: This setting is temporary
-
-		var ln server.ListenerFile
-		if isRestart() {
-			// Look up this server's listener in the map of inherited file descriptors;
-			// if we don't have one, we must make a new one.
-			if fdIndex, ok := loadedGob.ListenerFds[s.Addr]; ok {
-				file := os.NewFile(fdIndex, "")
-
-				fln, err := net.FileListener(file)
-				if err != nil {
-					log.Fatal(err)
-				}
-
-				ln, ok = fln.(server.ListenerFile)
-				if !ok {
-					log.Fatal("listener was not a ListenerFile")
-				}
-
-				delete(loadedGob.ListenerFds, s.Addr) // mark it as used
-			}
-		}
-
-		wg.Add(1)
-		go func(s *server.Server, ln server.ListenerFile) {
-			defer wg.Done()
-
-			if ln != nil {
-				err = s.Serve(ln)
-			} else {
-				err = s.ListenAndServe()
-			}
-
-			// "use of closed network connection" is normal if doing graceful shutdown...
-			if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
-				if isRestart() {
-					log.Fatal(err)
-				} else {
-					log.Println(err)
-				}
-			}
-		}(s, ln)
-
-		startupWg.Add(1)
-		go func(s *server.Server) {
-			defer startupWg.Done()
-			s.WaitUntilStarted()
-		}(s)
-
-		serversMu.Lock()
-		servers = append(servers, s)
-		serversMu.Unlock()
-	}
-
-	startupWg.Wait()
-
-	return nil
-}
-
-// Stop stops all servers. It blocks until they are all stopped.
-// It does NOT execute shutdown callbacks that may have been
-// configured by middleware (they are executed on SIGINT).
-func Stop() error {
-	letsencrypt.Deactivate()
-
-	serversMu.Lock()
-	for _, s := range servers {
-		s.Stop() // TODO: error checking/reporting?
-	}
-	servers = []*server.Server{} // don't reuse servers
-	serversMu.Unlock()
-
-	return nil
-}
-
-// Wait blocks until all servers are stopped.
-func Wait() {
-	wg.Wait()
-}
-
-// LoadCaddyfile loads a Caddyfile in a way that prioritizes
-// reading from stdin pipe; otherwise it calls loader to load
-// the Caddyfile. If loader does not return a Caddyfile, the
-// default one will be returned. Thus, if there are no other
-// errors, this function always returns at least the default
-// Caddyfile (not the previously-used Caddyfile).
-func LoadCaddyfile(loader func() (Input, error)) (cdyfile Input, err error) {
-	// If we are a fork, finishing the restart is highest priority;
-	// piped input is required in this case.
-	if isRestart() {
-		err := gob.NewDecoder(os.Stdin).Decode(&loadedGob)
-		if err != nil {
-			return nil, err
-		}
-		cdyfile = loadedGob.Caddyfile
-	}
-
-	// Otherwise, we first try to get from stdin pipe
-	if cdyfile == nil {
-		cdyfile, err = CaddyfileFromPipe(os.Stdin)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// No piped input, so try the user's loader instead
-	if cdyfile == nil && loader != nil {
-		cdyfile, err = loader()
-	}
-
-	// Otherwise revert to default
-	if cdyfile == nil {
-		cdyfile = DefaultInput
-	}
-
-	return
-}
-
-// CaddyfileFromPipe loads the Caddyfile input from f if f is
-// not interactive input. f is assumed to be a pipe or stream,
-// such as os.Stdin. If f is not a pipe, no error is returned
-// but the Input value will be nil. An error is only returned
-// if there was an error reading the pipe, even if the length
-// of what was read is 0.
-func CaddyfileFromPipe(f *os.File) (Input, error) {
-	fi, err := f.Stat()
-	if err == nil && fi.Mode()&os.ModeCharDevice == 0 {
-		// Note that a non-nil error is not a problem. Windows
-		// will not create a stdin if there is no pipe, which
-		// produces an error when calling Stat(). But Unix will
-		// make one either way, which is why we also check that
-		// bitmask.
-		// BUG: Reading from stdin after this fails (e.g. for the let's encrypt email address) (OS X)
-		confBody, err := ioutil.ReadAll(f)
-		if err != nil {
-			return nil, err
-		}
-		return CaddyfileInput{
-			Contents: confBody,
-			Filepath: f.Name(),
-		}, nil
-	}
-
-	// not having input from the pipe is not itself an error,
-	// just means no input to return.
-	return nil, nil
-}
-
-// Caddyfile returns the current Caddyfile
-func Caddyfile() Input {
-	caddyfileMu.Lock()
-	defer caddyfileMu.Unlock()
-	return caddyfile
-}
-
-// Input represents a Caddyfile; its contents and file path
-// (which should include the file name at the end of the path).
-// If path does not apply (e.g. piped input) you may use
-// any understandable value. The path is mainly used for logging,
-// error messages, and debugging.
-type Input interface {
-	// Gets the Caddyfile contents
-	Body() []byte
-
-	// Gets the path to the origin file
-	Path() string
-
-	// IsFile returns true if the original input was a file on the file system
-	// that could be loaded again later if requested.
-	IsFile() bool
-}
@@ -1,32 +0,0 @@
-package caddy
-
-import (
-	"net/http"
-	"testing"
-	"time"
-)
-
-func TestCaddyStartStop(t *testing.T) {
-	caddyfile := "localhost:1984\ntls off"
-
-	for i := 0; i < 2; i++ {
-		err := Start(CaddyfileInput{Contents: []byte(caddyfile)})
-		if err != nil {
-			t.Fatalf("Error starting, iteration %d: %v", i, err)
-		}
-
-		client := http.Client{
-			Timeout: time.Duration(2 * time.Second),
-		}
-		resp, err := client.Get("http://localhost:1984")
-		if err != nil {
-			t.Fatalf("Expected GET request to succeed (iteration %d), but it failed: %v", i, err)
-		}
-		resp.Body.Close()
-
-		err = Stop()
-		if err != nil {
-			t.Fatalf("Error stopping, iteration %d: %v", i, err)
-		}
-	}
-}
@@ -1,163 +0,0 @@
-package caddyfile
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net"
-	"strconv"
-	"strings"
-
-	"github.com/mholt/caddy/caddy/parse"
-)
-
-const filename = "Caddyfile"
-
-// ToJSON converts caddyfile to its JSON representation.
-func ToJSON(caddyfile []byte) ([]byte, error) {
-	var j Caddyfile
-
-	serverBlocks, err := parse.ServerBlocks(filename, bytes.NewReader(caddyfile), false)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, sb := range serverBlocks {
-		block := ServerBlock{Body: make(map[string]interface{})}
-
-		for _, host := range sb.HostList() {
-			block.Hosts = append(block.Hosts, strings.TrimSuffix(host, ":"))
-		}
-
-		for dir, tokens := range sb.Tokens {
-			disp := parse.NewDispenserTokens(filename, tokens)
-			disp.Next() // the first token is the directive; skip it
-			block.Body[dir] = constructLine(disp)
-		}
-
-		j = append(j, block)
-	}
-
-	result, err := json.Marshal(j)
-	if err != nil {
-		return nil, err
-	}
-
-	return result, nil
-}
-
-// constructLine transforms tokens into a JSON-encodable structure;
-// but only one line at a time, to be used at the top-level of
-// a server block only (where the first token on each line is a
-// directive) - not to be used at any other nesting level.
-func constructLine(d parse.Dispenser) interface{} {
-	var args []interface{}
-
-	all := d.RemainingArgs()
-	for _, arg := range all {
-		args = append(args, arg)
-	}
-
-	d.Next()
-	if d.Val() == "{" {
-		args = append(args, constructBlock(d))
-	}
-
-	return args
-}
-
-// constructBlock recursively processes tokens into a
-// JSON-encodable structure.
-func constructBlock(d parse.Dispenser) interface{} {
-	block := make(map[string]interface{})
-
-	for d.Next() {
-		if d.Val() == "}" {
-			break
-		}
-
-		dir := d.Val()
-		all := d.RemainingArgs()
-
-		var args []interface{}
-		for _, arg := range all {
-			args = append(args, arg)
-		}
-		if d.Val() == "{" {
-			args = append(args, constructBlock(d))
-		}
-
-		block[dir] = args
-	}
-
-	return block
-}
-
-// FromJSON converts JSON-encoded jsonBytes to Caddyfile text
-func FromJSON(jsonBytes []byte) ([]byte, error) {
-	var j Caddyfile
-	var result string
-
-	err := json.Unmarshal(jsonBytes, &j)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, sb := range j {
-		for i, host := range sb.Hosts {
-			if hostname, port, err := net.SplitHostPort(host); err == nil {
-				if port == "http" || port == "https" {
-					host = port + "://" + hostname
-				}
-			}
-			if i > 0 {
-				result += ", "
-			}
-			result += strings.TrimSuffix(host, ":")
-		}
-		result += jsonToText(sb.Body, 1)
-	}
-
-	return []byte(result), nil
-}
-
-// jsonToText recursively transforms a scope of JSON into plain
-// Caddyfile text.
-func jsonToText(scope interface{}, depth int) string {
-	var result string
-
-	switch val := scope.(type) {
-	case string:
-		if strings.ContainsAny(val, "\" \n\t\r") {
-			result += ` "` + strings.Replace(val, "\"", "\\\"", -1) + `"`
-		} else {
-			result += " " + val
-		}
-	case int:
-		result += " " + strconv.Itoa(val)
-	case float64:
-		result += " " + fmt.Sprintf("%v", val)
-	case bool:
-		result += " " + fmt.Sprintf("%t", val)
-	case map[string]interface{}:
-		result += " {\n"
-		for param, args := range val {
-			result += strings.Repeat("\t", depth) + param
-			result += jsonToText(args, depth+1) + "\n"
-		}
-		result += strings.Repeat("\t", depth-1) + "}"
-	case []interface{}:
-		for _, v := range val {
-			result += jsonToText(v, depth)
-		}
-	}
-
-	return result
-}
-
-type Caddyfile []ServerBlock
-
-type ServerBlock struct {
-	Hosts []string               `json:"hosts"`
-	Body  map[string]interface{} `json:"body"`
-}
@@ -1,91 +0,0 @@
-package caddyfile
-
-import "testing"
-
-var tests = []struct {
-	caddyfile, json string
-}{
-	{ // 0
-		caddyfile: `foo {
-	root /bar
-}`,
-		json: `[{"hosts":["foo"],"body":{"root":["/bar"]}}]`,
-	},
-	{ // 1
-		caddyfile: `host1, host2 {
-	dir {
-		def
-	}
-}`,
-		json: `[{"hosts":["host1","host2"],"body":{"dir":[{"def":null}]}}]`,
-	},
-	{ // 2
-		caddyfile: `host1, host2 {
-	dir abc {
-		def ghi
-	}
-}`,
-		json: `[{"hosts":["host1","host2"],"body":{"dir":["abc",{"def":["ghi"]}]}}]`,
-	},
-	{ // 3
-		caddyfile: `host1:1234, host2:5678 {
-	dir abc {
-	}
-}`,
-		json: `[{"hosts":["host1:1234","host2:5678"],"body":{"dir":["abc",{}]}}]`,
-	},
-	{ // 4
-		caddyfile: `host {
-	foo "bar baz"
-}`,
-		json: `[{"hosts":["host"],"body":{"foo":["bar baz"]}}]`,
-	},
-	{ // 5
-		caddyfile: `host, host:80 {
-	foo "bar \"baz\""
-}`,
-		json: `[{"hosts":["host","host:80"],"body":{"foo":["bar \"baz\""]}}]`,
-	},
-	{ // 6
-		caddyfile: `host {
-	foo "bar
-baz"
-}`,
-		json: `[{"hosts":["host"],"body":{"foo":["bar\nbaz"]}}]`,
-	},
-	{ // 7
-		caddyfile: `host {
-	dir 123 4.56 true
-}`,
-		json: `[{"hosts":["host"],"body":{"dir":["123","4.56","true"]}}]`, // NOTE: I guess we assume numbers and booleans should be encoded as strings...?
-	},
-	{ // 8
-		caddyfile: `http://host, https://host {
-}`,
-		json: `[{"hosts":["host:http","host:https"],"body":{}}]`, // hosts in JSON are always host:port format (if port is specified), for consistency
-	},
-}
-
-func TestToJSON(t *testing.T) {
-	for i, test := range tests {
-		output, err := ToJSON([]byte(test.caddyfile))
-		if err != nil {
-			t.Errorf("Test %d: %v", i, err)
-		}
-		if string(output) != test.json {
-			t.Errorf("Test %d\nExpected:\n'%s'\nActual:\n'%s'", i, test.json, string(output))
-		}
-	}
-}
-
-func TestFromJSON(t *testing.T) {
-	for i, test := range tests {
-		output, err := FromJSON([]byte(test.json))
-		if err != nil {
-			t.Errorf("Test %d: %v", i, err)
-		}
-		if string(output) != test.caddyfile {
-			t.Errorf("Test %d\nExpected:\n'%s'\nActual:\n'%s'", i, test.caddyfile, string(output))
-		}
-	}
-}
@@ -1,361 +0,0 @@
-package caddy
-
-import (
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"sync"
-
-	"github.com/mholt/caddy/caddy/letsencrypt"
-	"github.com/mholt/caddy/caddy/parse"
-	"github.com/mholt/caddy/caddy/setup"
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/server"
-)
-
-const (
-	// DefaultConfigFile is the name of the configuration file that is loaded
-	// by default if no other file is specified.
-	DefaultConfigFile = "Caddyfile"
-)
-
-// loadConfigs reads input (named filename) and parses it, returning the
-// server configurations in the order they appeared in the input. As part
-// of this, it activates Let's Encrypt for the configs that are produced.
-// Thus, the returned configs are already optimally configured optimally
-// for HTTPS.
-func loadConfigs(filename string, input io.Reader) ([]server.Config, error) {
-	var configs []server.Config
-
-	// turn off timestamp for parsing
-	flags := log.Flags()
-	log.SetFlags(0)
-
-	// Each server block represents similar hosts/addresses, since they
-	// were grouped together in the Caddyfile.
-	serverBlocks, err := parse.ServerBlocks(filename, input, true)
-	if err != nil {
-		return nil, err
-	}
-	if len(serverBlocks) == 0 {
-		return []server.Config{NewDefault()}, nil
-	}
-
-	var lastDirectiveIndex int // we set up directives in two parts; this stores where we left off
-
-	// Iterate each server block and make a config for each one,
-	// executing the directives that were parsed in order up to the tls
-	// directive; this is because we must activate Let's Encrypt.
-	for i, sb := range serverBlocks {
-		onces := makeOnces()
-		storages := makeStorages()
-
-		for j, addr := range sb.Addresses {
-			config := server.Config{
-				Host:       addr.Host,
-				Port:       addr.Port,
-				Root:       Root,
-				Middleware: make(map[string][]middleware.Middleware),
-				ConfigFile: filename,
-				AppName:    AppName,
-				AppVersion: AppVersion,
-			}
-
-			// It is crucial that directives are executed in the proper order.
-			for k, dir := range directiveOrder {
-				// Execute directive if it is in the server block
-				if tokens, ok := sb.Tokens[dir.name]; ok {
-					// Each setup function gets a controller, from which setup functions
-					// get access to the config, tokens, and other state information useful
-					// to set up its own host only.
-					controller := &setup.Controller{
-						Config:    &config,
-						Dispenser: parse.NewDispenserTokens(filename, tokens),
-						OncePerServerBlock: func(f func() error) error {
-							var err error
-							onces[dir.name].Do(func() {
-								err = f()
-							})
-							return err
-						},
-						ServerBlockIndex:     i,
-						ServerBlockHostIndex: j,
-						ServerBlockHosts:     sb.HostList(),
-						ServerBlockStorage:   storages[dir.name],
-					}
-					// execute setup function and append middleware handler, if any
-					midware, err := dir.setup(controller)
-					if err != nil {
-						return nil, err
-					}
-					if midware != nil {
-						// TODO: For now, we only support the default path scope /
-						config.Middleware["/"] = append(config.Middleware["/"], midware)
-					}
-					storages[dir.name] = controller.ServerBlockStorage // persist for this server block
-				}
-
-				// Stop after TLS setup, since we need to activate Let's Encrypt before continuing;
-				// it makes some changes to the configs that middlewares might want to know about.
-				if dir.name == "tls" {
-					lastDirectiveIndex = k
-					break
-				}
-			}
-
-			configs = append(configs, config)
-		}
-	}
-
-	// Now we have all the configs, but they have only been set up to the
-	// point of tls. We need to activate Let's Encrypt before setting up
-	// the rest of the middlewares so they have correct information regarding
-	// TLS configuration, if necessary. (this call is append-only, so our
-	// iterations below shouldn't be affected)
-	configs, err = letsencrypt.Activate(configs)
-	if err != nil {
-		return nil, err
-	}
-
-	// Finish setting up the rest of the directives, now that TLS is
-	// optimally configured. These loops are similar to above except
-	// we don't iterate all the directives from the beginning and we
-	// don't create new configs.
-	configIndex := -1
-	for i, sb := range serverBlocks {
-		onces := makeOnces()
-		storages := makeStorages()
-
-		for j := range sb.Addresses {
-			configIndex++
-
-			for k := lastDirectiveIndex + 1; k < len(directiveOrder); k++ {
-				dir := directiveOrder[k]
-
-				if tokens, ok := sb.Tokens[dir.name]; ok {
-					controller := &setup.Controller{
-						Config:    &configs[configIndex],
-						Dispenser: parse.NewDispenserTokens(filename, tokens),
-						OncePerServerBlock: func(f func() error) error {
-							var err error
-							onces[dir.name].Do(func() {
-								err = f()
-							})
-							return err
-						},
-						ServerBlockIndex:     i,
-						ServerBlockHostIndex: j,
-						ServerBlockHosts:     sb.HostList(),
-						ServerBlockStorage:   storages[dir.name],
-					}
-					midware, err := dir.setup(controller)
-					if err != nil {
-						return nil, err
-					}
-					if midware != nil {
-						// TODO: For now, we only support the default path scope /
-						configs[configIndex].Middleware["/"] = append(configs[configIndex].Middleware["/"], midware)
-					}
-					storages[dir.name] = controller.ServerBlockStorage // persist for this server block
-				}
-			}
-		}
-	}
-
-	// restore logging settings
-	log.SetFlags(flags)
-
-	return configs, nil
-}
-
-// makeOnces makes a map of directive name to sync.Once
-// instance. This is intended to be called once per server
-// block when setting up configs so that Setup functions
-// for each directive can perform a task just once per
-// server block, even if there are multiple hosts on the block.
-//
-// We need one Once per directive, otherwise the first
-// directive to use it would exclude other directives from
-// using it at all, which would be a bug.
-func makeOnces() map[string]*sync.Once {
-	onces := make(map[string]*sync.Once)
-	for _, dir := range directiveOrder {
-		onces[dir.name] = new(sync.Once)
-	}
-	return onces
-}
-
-// makeStorages makes a map of directive name to interface{}
-// so that directives' setup functions can persist state
-// between different hosts on the same server block during the
-// setup phase.
-func makeStorages() map[string]interface{} {
-	storages := make(map[string]interface{})
-	for _, dir := range directiveOrder {
-		storages[dir.name] = nil
-	}
-	return storages
-}
-
-// arrangeBindings groups configurations by their bind address. For example,
-// a server that should listen on localhost and another on 127.0.0.1 will
-// be grouped into the same address: 127.0.0.1. It will return an error
-// if an address is malformed or a TLS listener is configured on the
-// same address as a plaintext HTTP listener. The return value is a map of
-// bind address to list of configs that would become VirtualHosts on that
-// server. Use the keys of the returned map to create listeners, and use
-// the associated values to set up the virtualhosts.
-func arrangeBindings(allConfigs []server.Config) (Group, error) {
-	var groupings Group
-
-	// Group configs by bind address
-	for _, conf := range allConfigs {
-		// use default port if none is specified
-		if conf.Port == "" {
-			conf.Port = Port
-		}
-
-		bindAddr, warnErr, fatalErr := resolveAddr(conf)
-		if fatalErr != nil {
-			return groupings, fatalErr
-		}
-		if warnErr != nil {
-			log.Println("[Warning]", warnErr)
-		}
-
-		// Make sure to compare the string representation of the address,
-		// not the pointer, since a new *TCPAddr is created each time.
-		var existing bool
-		for i := 0; i < len(groupings); i++ {
-			if groupings[i].BindAddr.String() == bindAddr.String() {
-				groupings[i].Configs = append(groupings[i].Configs, conf)
-				existing = true
-				break
-			}
-		}
-		if !existing {
-			groupings = append(groupings, BindingMapping{
-				BindAddr: bindAddr,
-				Configs:  []server.Config{conf},
-			})
-		}
-	}
-
-	// Don't allow HTTP and HTTPS to be served on the same address
-	for _, group := range groupings {
-		isTLS := group.Configs[0].TLS.Enabled
-		for _, config := range group.Configs {
-			if config.TLS.Enabled != isTLS {
-				thisConfigProto, otherConfigProto := "HTTP", "HTTP"
-				if config.TLS.Enabled {
-					thisConfigProto = "HTTPS"
-				}
-				if group.Configs[0].TLS.Enabled {
-					otherConfigProto = "HTTPS"
-				}
-				return groupings, fmt.Errorf("configuration error: Cannot multiplex %s (%s) and %s (%s) on same address",
-					group.Configs[0].Address(), otherConfigProto, config.Address(), thisConfigProto)
-			}
-		}
-	}
-
-	return groupings, nil
-}
-
-// resolveAddr determines the address (host and port) that a config will
-// bind to. The returned address, resolvAddr, should be used to bind the
-// listener or group the config with other configs using the same address.
-// The first error, if not nil, is just a warning and should be reported
-// but execution may continue. The second error, if not nil, is a real
-// problem and the server should not be started.
-//
-// This function handles edge cases gracefully. If a port name like
-// "http" or "https" is unknown to the system, this function will
-// change them to 80 or 443 respectively. If a hostname fails to
-// resolve, that host can still be served but will be listening on
-// the wildcard host instead. This function takes care of this for you.
-func resolveAddr(conf server.Config) (resolvAddr *net.TCPAddr, warnErr error, fatalErr error) {
-	bindHost := conf.BindHost
-
-	// TODO: Do we even need the port? Maybe we just need to look up the host.
-	resolvAddr, warnErr = net.ResolveTCPAddr("tcp", net.JoinHostPort(bindHost, conf.Port))
-	if warnErr != nil {
-		// Most likely the host lookup failed or the port is unknown
-		tryPort := conf.Port
-
-		switch errVal := warnErr.(type) {
-		case *net.AddrError:
-			if errVal.Err == "unknown port" {
-				// some odd Linux machines don't support these port names; see issue #136
-				switch conf.Port {
-				case "http":
-					tryPort = "80"
-				case "https":
-					tryPort = "443"
-				}
-			}
-			resolvAddr, fatalErr = net.ResolveTCPAddr("tcp", net.JoinHostPort(bindHost, tryPort))
-			if fatalErr != nil {
-				return
-			}
-		default:
-			// the hostname probably couldn't be resolved, just bind to wildcard then
-			resolvAddr, fatalErr = net.ResolveTCPAddr("tcp", net.JoinHostPort("0.0.0.0", tryPort))
-			if fatalErr != nil {
-				return
-			}
-		}
-
-		return
-	}
-
-	return
-}
-
-// validDirective returns true if d is a valid
-// directive; false otherwise.
-func validDirective(d string) bool {
-	for _, dir := range directiveOrder {
-		if dir.name == d {
-			return true
-		}
-	}
-	return false
-}
-
-// NewDefault makes a default configuration, which
-// is empty except for root, host, and port,
-// which are essentials for serving the cwd.
-func NewDefault() server.Config {
-	return server.Config{
-		Root: Root,
-		Host: Host,
-		Port: Port,
-	}
-}
-
-// These defaults are configurable through the command line
-var (
-	// Site root
-	Root = DefaultRoot
-
-	// Site host
-	Host = DefaultHost
-
-	// Site port
-	Port = DefaultPort
-)
-
-// BindingMapping maps a network address to configurations
-// that will bind to it. The order of the configs is important.
-type BindingMapping struct {
-	BindAddr *net.TCPAddr
-	Configs  []server.Config
-}
-
-// Group maps network addresses to their configurations.
-// Preserving the order of the groupings is important
-// (related to graceful shutdown and restart)
-// so this is a slice, not a literal map.
-type Group []BindingMapping
@@ -1,138 +0,0 @@
-package caddy
-
-import (
-	"reflect"
-	"sync"
-	"testing"
-
-	"github.com/mholt/caddy/server"
-)
-
-func TestNewDefault(t *testing.T) {
-	config := NewDefault()
-
-	if actual, expected := config.Root, DefaultRoot; actual != expected {
-		t.Errorf("Root was %s but expected %s", actual, expected)
-	}
-	if actual, expected := config.Host, DefaultHost; actual != expected {
-		t.Errorf("Host was %s but expected %s", actual, expected)
-	}
-	if actual, expected := config.Port, DefaultPort; actual != expected {
-		t.Errorf("Port was %s but expected %s", actual, expected)
-	}
-}
-
-func TestResolveAddr(t *testing.T) {
-	// NOTE: If tests fail due to comparing to string "127.0.0.1",
-	// it's possible that system env resolves with IPv6, or ::1.
-	// If that happens, maybe we should use actualAddr.IP.IsLoopback()
-	// for the assertion, rather than a direct string comparison.
-
-	// NOTE: Tests with {Host: "", Port: ""} and {Host: "localhost", Port: ""}
-	// will not behave the same cross-platform, so they have been omitted.
-
-	for i, test := range []struct {
-		config         server.Config
-		shouldWarnErr  bool
-		shouldFatalErr bool
-		expectedIP     string
-		expectedPort   int
-	}{
-		{server.Config{Host: "127.0.0.1", Port: "1234"}, false, false, "<nil>", 1234},
-		{server.Config{Host: "localhost", Port: "80"}, false, false, "<nil>", 80},
-		{server.Config{BindHost: "localhost", Port: "1234"}, false, false, "127.0.0.1", 1234},
-		{server.Config{BindHost: "127.0.0.1", Port: "1234"}, false, false, "127.0.0.1", 1234},
-		{server.Config{BindHost: "should-not-resolve", Port: "1234"}, true, false, "0.0.0.0", 1234},
-		{server.Config{BindHost: "localhost", Port: "http"}, false, false, "127.0.0.1", 80},
-		{server.Config{BindHost: "localhost", Port: "https"}, false, false, "127.0.0.1", 443},
-		{server.Config{BindHost: "", Port: "1234"}, false, false, "<nil>", 1234},
-		{server.Config{BindHost: "localhost", Port: "abcd"}, false, true, "", 0},
-		{server.Config{BindHost: "127.0.0.1", Host: "should-not-be-used", Port: "1234"}, false, false, "127.0.0.1", 1234},
-		{server.Config{BindHost: "localhost", Host: "should-not-be-used", Port: "1234"}, false, false, "127.0.0.1", 1234},
-		{server.Config{BindHost: "should-not-resolve", Host: "localhost", Port: "1234"}, true, false, "0.0.0.0", 1234},
-	} {
-		actualAddr, warnErr, fatalErr := resolveAddr(test.config)
-
-		if test.shouldFatalErr && fatalErr == nil {
-			t.Errorf("Test %d: Expected error, but there wasn't any", i)
-		}
-		if !test.shouldFatalErr && fatalErr != nil {
-			t.Errorf("Test %d: Expected no error, but there was one: %v", i, fatalErr)
-		}
-		if fatalErr != nil {
-			continue
-		}
-
-		if test.shouldWarnErr && warnErr == nil {
-			t.Errorf("Test %d: Expected warning, but there wasn't any", i)
-		}
-		if !test.shouldWarnErr && warnErr != nil {
-			t.Errorf("Test %d: Expected no warning, but there was one: %v", i, warnErr)
-		}
-
-		if actual, expected := actualAddr.IP.String(), test.expectedIP; actual != expected {
-			t.Errorf("Test %d: IP was %s but expected %s", i, actual, expected)
-		}
-		if actual, expected := actualAddr.Port, test.expectedPort; actual != expected {
-			t.Errorf("Test %d: Port was %d but expected %d", i, actual, expected)
-		}
-	}
-}
-
-func TestMakeOnces(t *testing.T) {
-	directives := []directive{
-		{"dummy", nil},
-		{"dummy2", nil},
-	}
-	directiveOrder = directives
-	onces := makeOnces()
-	if len(onces) != len(directives) {
-		t.Errorf("onces had len %d , expected %d", len(onces), len(directives))
-	}
-	expected := map[string]*sync.Once{
-		"dummy":  new(sync.Once),
-		"dummy2": new(sync.Once),
-	}
-	if !reflect.DeepEqual(onces, expected) {
-		t.Errorf("onces was %v, expected %v", onces, expected)
-	}
-}
-
-func TestMakeStorages(t *testing.T) {
-	directives := []directive{
-		{"dummy", nil},
-		{"dummy2", nil},
-	}
-	directiveOrder = directives
-	storages := makeStorages()
-	if len(storages) != len(directives) {
-		t.Errorf("storages had len %d , expected %d", len(storages), len(directives))
-	}
-	expected := map[string]interface{}{
-		"dummy":  nil,
-		"dummy2": nil,
-	}
-	if !reflect.DeepEqual(storages, expected) {
-		t.Errorf("storages was %v, expected %v", storages, expected)
-	}
-}
-
-func TestValidDirective(t *testing.T) {
-	directives := []directive{
-		{"dummy", nil},
-		{"dummy2", nil},
-	}
-	directiveOrder = directives
-	for i, test := range []struct {
-		directive string
-		valid     bool
-	}{
-		{"dummy", true},
-		{"dummy2", true},
-		{"dummy3", false},
-	} {
-		if actual, expected := validDirective(test.directive), test.valid; actual != expected {
-			t.Errorf("Test %d: valid was %t, expected %t", i, actual, expected)
-		}
-	}
-}
@@ -1,80 +0,0 @@
-package caddy
-
-import (
-	"github.com/mholt/caddy/caddy/parse"
-	"github.com/mholt/caddy/caddy/setup"
-	"github.com/mholt/caddy/middleware"
-)
-
-func init() {
-	// The parse package must know which directives
-	// are valid, but it must not import the setup
-	// or config package. To solve this problem, we
-	// fill up this map in our init function here.
-	// The parse package does not need to know the
-	// ordering of the directives.
-	for _, dir := range directiveOrder {
-		parse.ValidDirectives[dir.name] = struct{}{}
-	}
-}
-
-// Directives are registered in the order they should be
-// executed. Middleware (directives that inject a handler)
-// are executed in the order A-B-C-*-C-B-A, assuming
-// they all call the Next handler in the chain.
-//
-// Ordering is VERY important. Every middleware will
-// feel the effects of all other middleware below
-// (after) them during a request, but they must not
-// care what middleware above them are doing.
-//
-// For example, log needs to know the status code and
-// exactly how many bytes were written to the client,
-// which every other middleware can affect, so it gets
-// registered first. The errors middleware does not
-// care if gzip or log modifies its response, so it
-// gets registered below them. Gzip, on the other hand,
-// DOES care what errors does to the response since it
-// must compress every output to the client, even error
-// pages, so it must be registered before the errors
-// middleware and any others that would write to the
-// response.
-var directiveOrder = []directive{
-	// Essential directives that initialize vital configuration settings
-	{"root", setup.Root},
-	{"tls", setup.TLS}, // letsencrypt is set up just after tls
-	{"bind", setup.BindHost},
-
-	// Other directives that don't create HTTP handlers
-	{"startup", setup.Startup},
-	{"shutdown", setup.Shutdown},
-
-	// Directives that inject handlers (middleware)
-	{"log", setup.Log},
-	{"gzip", setup.Gzip},
-	{"errors", setup.Errors},
-	{"header", setup.Headers},
-	{"rewrite", setup.Rewrite},
-	{"redir", setup.Redir},
-	{"ext", setup.Ext},
-	{"mime", setup.Mime},
-	{"basicauth", setup.BasicAuth},
-	{"internal", setup.Internal},
-	{"proxy", setup.Proxy},
-	{"fastcgi", setup.FastCGI},
-	{"websocket", setup.WebSocket},
-	{"markdown", setup.Markdown},
-	{"templates", setup.Templates},
-	{"browse", setup.Browse},
-}
-
-// directive ties together a directive name with its setup function.
-type directive struct {
-	name  string
-	setup SetupFunc
-}
-
-// SetupFunc takes a controller and may optionally return a middleware.
-// If the resulting middleware is not nil, it will be chained into
-// the HTTP handlers in the order specified in this package.
-type SetupFunc func(c *setup.Controller) (middleware.Middleware, error)
@@ -1,71 +0,0 @@
-package caddy
-
-import (
-	"bytes"
-	"fmt"
-	"os"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-
-	"github.com/mholt/caddy/caddy/letsencrypt"
-)
-
-func init() {
-	letsencrypt.OnChange = func() error { return Restart(nil) }
-}
-
-// isLocalhost returns true if host looks explicitly like a localhost address.
-func isLocalhost(host string) bool {
-	return host == "localhost" || host == "::1" || strings.HasPrefix(host, "127.")
-}
-
-// checkFdlimit issues a warning if the OS max file descriptors is below a recommended minimum.
-func checkFdlimit() {
-	const min = 4096
-
-	// Warn if ulimit is too low for production sites
-	if runtime.GOOS == "linux" || runtime.GOOS == "darwin" {
-		out, err := exec.Command("sh", "-c", "ulimit -n").Output() // use sh because ulimit isn't in Linux $PATH
-		if err == nil {
-			// Note that an error here need not be reported
-			lim, err := strconv.Atoi(string(bytes.TrimSpace(out)))
-			if err == nil && lim < min {
-				fmt.Printf("Warning: File descriptor limit %d is too low for production sites. At least %d is recommended. Set with \"ulimit -n %d\".\n", lim, min, min)
-			}
-		}
-	}
-}
-
-// caddyfileGob maps bind address to index of the file descriptor
-// in the Files array passed to the child process. It also contains
-// the caddyfile contents. Used only during graceful restarts.
-type caddyfileGob struct {
-	ListenerFds map[string]uintptr
-	Caddyfile   Input
-}
-
-// isRestart returns whether this process is, according
-// to env variables, a fork as part of a graceful restart.
-func isRestart() bool {
-	return os.Getenv("CADDY_RESTART") == "true"
-}
-
-// CaddyfileInput represents a Caddyfile as input
-// and is simply a convenient way to implement
-// the Input interface.
-type CaddyfileInput struct {
-	Filepath string
-	Contents []byte
-	RealFile bool
-}
-
-// Body returns c.Contents.
-func (c CaddyfileInput) Body() []byte { return c.Contents }
-
-// Path returns c.Filepath.
-func (c CaddyfileInput) Path() string { return c.Filepath }
-
-// Path returns true if the original input was a real file on the file system.
-func (c CaddyfileInput) IsFile() bool { return c.RealFile }
@@ -1,30 +0,0 @@
-package letsencrypt
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-	"os"
-)
-
-// loadRSAPrivateKey loads a PEM-encoded RSA private key from file.
-func loadRSAPrivateKey(file string) (*rsa.PrivateKey, error) {
-	keyBytes, err := ioutil.ReadFile(file)
-	if err != nil {
-		return nil, err
-	}
-	keyBlock, _ := pem.Decode(keyBytes)
-	return x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
-}
-
-// saveRSAPrivateKey saves a PEM-encoded RSA private key to file.
-func saveRSAPrivateKey(key *rsa.PrivateKey, file string) error {
-	pemKey := pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
-	keyOut, err := os.Create(file)
-	if err != nil {
-		return err
-	}
-	defer keyOut.Close()
-	return pem.Encode(keyOut, &pemKey)
-}
@@ -1,51 +0,0 @@
-package letsencrypt
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"os"
-	"testing"
-)
-
-func init() {
-	rsaKeySizeToUse = 128 // make tests faster; small key size OK for testing
-}
-
-func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
-	keyFile := "test.key"
-	defer os.Remove(keyFile)
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySizeToUse)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// test save
-	err = saveRSAPrivateKey(privateKey, keyFile)
-	if err != nil {
-		t.Fatal("error saving private key:", err)
-	}
-
-	// test load
-	loadedKey, err := loadRSAPrivateKey(keyFile)
-	if err != nil {
-		t.Error("error loading private key:", err)
-	}
-
-	// very loaded key is correct
-	if !rsaPrivateKeysSame(privateKey, loadedKey) {
-		t.Error("Expected key bytes to be the same, but they weren't")
-	}
-}
-
-// rsaPrivateKeyBytes returns the bytes of DER-encoded key.
-func rsaPrivateKeyBytes(key *rsa.PrivateKey) []byte {
-	return x509.MarshalPKCS1PrivateKey(key)
-}
-
-// rsaPrivateKeysSame compares the bytes of a and b and returns true if they are the same.
-func rsaPrivateKeysSame(a, b *rsa.PrivateKey) bool {
-	return bytes.Equal(rsaPrivateKeyBytes(a), rsaPrivateKeyBytes(b))
-}
@@ -1,67 +0,0 @@
-package letsencrypt
-
-import (
-	"crypto/tls"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"sync"
-	"sync/atomic"
-
-	"github.com/mholt/caddy/middleware"
-)
-
-// Handler is a Caddy middleware that can proxy ACME requests
-// to the real ACME endpoint. This is necessary to renew certificates
-// while the server is running. Obviously, a site served on port
-// 443 (HTTPS) binds to that port, so another listener created by
-// our acme client can't bind successfully and solve the challenge.
-// Thus, we chain this handler in so that it can, when activated,
-// proxy ACME requests to an ACME client listening on an alternate
-// port.
-type Handler struct {
-	sync.Mutex      // protects the ChallengePath property
-	Next            middleware.Handler
-	ChallengeActive int32  // use sync/atomic for speed to set/get this flag
-	ChallengePath   string // the exact request path to match before proxying
-}
-
-// ServeHTTP is basically a no-op unless an ACME challenge is active on this host
-// and the request path matches the expected path exactly.
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
-	// Only if challenge is active
-	if atomic.LoadInt32(&h.ChallengeActive) == 1 {
-		h.Lock()
-		path := h.ChallengePath
-		h.Unlock()
-
-		// Request path must be correct; if so, proxy to ACME client
-		if r.URL.Path == path {
-			upstream, err := url.Parse("https://" + r.Host + ":" + alternatePort)
-			if err != nil {
-				return http.StatusInternalServerError, err
-			}
-			proxy := httputil.NewSingleHostReverseProxy(upstream)
-			proxy.Transport = &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // client uses self-signed cert
-			}
-			proxy.ServeHTTP(w, r)
-			return 0, nil
-		}
-	}
-
-	return h.Next.ServeHTTP(w, r)
-}
-
-// ChallengeOn enables h to proxy ACME requests.
-func (h *Handler) ChallengeOn(challengePath string) {
-	h.Lock()
-	h.ChallengePath = challengePath
-	h.Unlock()
-	atomic.StoreInt32(&h.ChallengeActive, 1)
-}
-
-// ChallengeOff disables ACME proxying from this h.
-func (h *Handler) ChallengeOff(success bool) {
-	atomic.StoreInt32(&h.ChallengeActive, 0)
-}
@@ -1,497 +0,0 @@
-// Package letsencrypt integrates Let's Encrypt functionality into Caddy
-// with first-class support for creating and renewing certificates
-// automatically. It is designed to configure sites for HTTPS by default.
-package letsencrypt
-
-import (
-	"encoding/json"
-	"errors"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/redirect"
-	"github.com/mholt/caddy/server"
-	"github.com/xenolf/lego/acme"
-)
-
-// Activate sets up TLS for each server config in configs
-// as needed. It only skips the config if the cert and key
-// are already provided, if plaintext http is explicitly
-// specified as the port, TLS is explicitly disabled, or
-// the host looks like a loopback or wildcard address.
-//
-// This function may prompt the user to provide an email
-// address if none is available through other means. It
-// prefers the email address specified in the config, but
-// if that is not available it will check the command line
-// argument. If absent, it will use the most recent email
-// address from last time. If there isn't one, the user
-// will be prompted and shown SA link.
-//
-// Also note that calling this function activates asset
-// management automatically, which keeps certificates
-// renewed and OCSP stapling updated. This has the effect
-// of causing restarts when assets are updated.
-//
-// Activate returns the updated list of configs, since
-// some may have been appended, for example, to redirect
-// plaintext HTTP requests to their HTTPS counterpart.
-// This function only appends; it does not prepend or splice.
-func Activate(configs []server.Config) ([]server.Config, error) {
-	// just in case previous caller forgot...
-	Deactivate()
-
-	// TODO: All the output the end user should see when running caddy is something
-	// simple like "Setting up HTTPS..." (and maybe 'done' at the end of the line when finished).
-	// In other words, hide all the other logging except for on errors. Or maybe
-	// have a place to put those logs.
-
-	// reset cached ocsp statuses from any previous activations
-	ocspStatus = make(map[*[]byte]int)
-
-	// Identify and configure any eligible hosts for which
-	// we already have certs and keys in storage from last time.
-	configLen := len(configs) // avoid infinite loop since this loop appends plaintext to the slice
-	for i := 0; i < configLen; i++ {
-		if existingCertAndKey(configs[i].Host) && configQualifies(configs[i], configs) {
-			configs = autoConfigure(&configs[i], configs)
-		}
-	}
-
-	// Group configs by email address; only configs that are eligible
-	// for TLS management are included. We group by email so that we
-	// can request certificates in batches with the same client.
-	// Note: The return value is a map, and iteration over a map is
-	// not ordered. I don't think it will be a problem, but if an
-	// ordering problem arises, look at this carefully.
-	groupedConfigs, err := groupConfigsByEmail(configs)
-	if err != nil {
-		return configs, err
-	}
-
-	// obtain certificates for configs that need one, and reconfigure each
-	// config to use the certificates
-	for leEmail, serverConfigs := range groupedConfigs {
-		// make client to service this email address with CA server
-		client, err := newClient(leEmail)
-		if err != nil {
-			return configs, errors.New("error creating client: " + err.Error())
-		}
-
-		// client is ready, so let's get free, trusted SSL certificates!
-	Obtain:
-		certificates, failures := obtainCertificates(client, serverConfigs)
-		if len(failures) > 0 {
-			// Build an error string to return, using all the failures in the list.
-			var errMsg string
-
-			// If an error is because of updated SA, only prompt user for agreement once
-			var promptedForAgreement bool
-
-			for domain, obtainErr := range failures {
-				// If the failure was simply because the terms have changed, re-prompt and re-try
-				if tosErr, ok := obtainErr.(acme.TOSError); ok {
-					if !Agreed && !promptedForAgreement {
-						Agreed = promptUserAgreement(tosErr.Detail, true) // TODO: Use latest URL
-						promptedForAgreement = true
-					}
-					if Agreed {
-						err := client.AgreeToTOS()
-						if err != nil {
-							return configs, errors.New("error agreeing to updated terms: " + err.Error())
-						}
-						goto Obtain
-					}
-				}
-
-				// If user did not agree or it was any other kind of error, just append to the list of errors
-				errMsg += "[" + domain + "] failed to get certificate: " + obtainErr.Error() + "\n"
-			}
-
-			return configs, errors.New(errMsg)
-		}
-
-		// ... that's it. save the certs, keys, and metadata files to disk
-		err = saveCertsAndKeys(certificates)
-		if err != nil {
-			return configs, errors.New("error saving assets: " + err.Error())
-		}
-
-		// it all comes down to this: turning on TLS with all the new certs
-		for i := 0; i < len(serverConfigs); i++ {
-			configs = autoConfigure(serverConfigs[i], configs)
-		}
-	}
-
-	// renew all certificates that need renewal
-	renewCertificates(configs, false)
-
-	// keep certificates renewed and OCSP stapling updated
-	go maintainAssets(configs, stopChan)
-
-	return configs, nil
-}
-
-// Deactivate cleans up long-term, in-memory resources
-// allocated by calling Activate(). Essentially, it stops
-// the asset maintainer from running, meaning that certificates
-// will not be renewed, OCSP staples will not be updated, etc.
-func Deactivate() (err error) {
-	defer func() {
-		if rec := recover(); rec != nil {
-			err = errors.New("already deactivated")
-		}
-	}()
-	close(stopChan)
-	stopChan = make(chan struct{})
-	return
-}
-
-// configQualifies returns true if cfg qualifes for automatic LE activation,
-// but it does require the list of all configs to be passed in as well.
-// It does NOT check to see if a cert and key already exist for cfg.
-func configQualifies(cfg server.Config, allConfigs []server.Config) bool {
-	return cfg.TLS.Certificate == "" && // user could provide their own cert and key
-		cfg.TLS.Key == "" &&
-
-		// user can force-disable automatic HTTPS for this host
-		cfg.Port != "http" &&
-		cfg.TLS.LetsEncryptEmail != "off" &&
-
-		// obviously we get can't certs for loopback or internal hosts
-		cfg.Host != "localhost" &&
-		cfg.Host != "" &&
-		cfg.Host != "0.0.0.0" &&
-		cfg.Host != "::1" &&
-		!strings.HasPrefix(cfg.Host, "127.") && // to use a boulder on your own machine, add fake domain to hosts file
-		// not excluding 10.* and 192.168.* hosts for possibility of running internal Boulder instance
-
-		// make sure an HTTPS version of this config doesn't exist in the list already
-		!hostHasOtherScheme(cfg.Host, "https", allConfigs)
-}
-
-// groupConfigsByEmail groups configs by user email address. The returned map is
-// a map of email address to the configs that are serviced under that account.
-// If an email address is not available for an eligible config, the user will be
-// prompted to provide one. The returned map contains pointers to the original
-// server config values.
-func groupConfigsByEmail(configs []server.Config) (map[string][]*server.Config, error) {
-	initMap := make(map[string][]*server.Config)
-	for i := 0; i < len(configs); i++ {
-		// filter out configs that we already have certs for and
-		// that we won't be obtaining certs for - this way we won't
-		// bother the user for an email address unnecessarily and
-		// we don't obtain new certs for a host we already have certs for.
-		if existingCertAndKey(configs[i].Host) || !configQualifies(configs[i], configs) {
-			continue
-		}
-		leEmail := getEmail(configs[i])
-		initMap[leEmail] = append(initMap[leEmail], &configs[i])
-	}
-	return initMap, nil
-}
-
-// existingCertAndKey returns true if the host has a certificate
-// and private key in storage already, false otherwise.
-func existingCertAndKey(host string) bool {
-	_, err := os.Stat(storage.SiteCertFile(host))
-	if err != nil {
-		return false
-	}
-	_, err = os.Stat(storage.SiteKeyFile(host))
-	if err != nil {
-		return false
-	}
-	return true
-}
-
-// newClient creates a new ACME client to facilitate communication
-// with the Let's Encrypt CA server on behalf of the user specified
-// by leEmail. As part of this process, a user will be loaded from
-// disk (if already exists) or created new and registered via ACME
-// and saved to the file system for next time.
-func newClient(leEmail string) (*acme.Client, error) {
-	return newClientPort(leEmail, exposePort)
-}
-
-// newClientPort does the same thing as newClient, except it creates a
-// new client with a custom port used for ACME transactions instead of
-// the default port. This is important if the default port is already in
-// use or is not exposed to the public, etc.
-func newClientPort(leEmail, port string) (*acme.Client, error) {
-	// Look up or create the LE user account
-	leUser, err := getUser(leEmail)
-	if err != nil {
-		return nil, err
-	}
-
-	// The client facilitates our communication with the CA server.
-	client, err := acme.NewClient(CAUrl, &leUser, rsaKeySizeToUse, port)
-	if err != nil {
-		return nil, err
-	}
-
-	// If not registered, the user must register an account with the CA
-	// and agree to terms
-	if leUser.Registration == nil {
-		reg, err := client.Register()
-		if err != nil {
-			return nil, errors.New("registration error: " + err.Error())
-		}
-		leUser.Registration = reg
-
-		if !Agreed && reg.TosURL == "" {
-			Agreed = promptUserAgreement(saURL, false) // TODO - latest URL
-		}
-		if !Agreed && reg.TosURL == "" {
-			return nil, errors.New("user must agree to terms")
-		}
-
-		err = client.AgreeToTOS()
-		if err != nil {
-			saveUser(leUser) // TODO: Might as well try, right? Error check?
-			return nil, errors.New("error agreeing to terms: " + err.Error())
-		}
-
-		// save user to the file system
-		err = saveUser(leUser)
-		if err != nil {
-			return nil, errors.New("could not save user: " + err.Error())
-		}
-	}
-
-	return client, nil
-}
-
-// obtainCertificates obtains certificates from the CA server for
-// the configurations in serverConfigs using client.
-func obtainCertificates(client *acme.Client, serverConfigs []*server.Config) ([]acme.CertificateResource, map[string]error) {
-	// collect all the hostnames into one slice
-	var hosts []string
-	for _, cfg := range serverConfigs {
-		hosts = append(hosts, cfg.Host)
-	}
-
-	return client.ObtainCertificates(hosts, true)
-}
-
-// saveCertificates saves each certificate resource to disk. This
-// includes the certificate file itself, the private key, and the
-// metadata file.
-func saveCertsAndKeys(certificates []acme.CertificateResource) error {
-	for _, cert := range certificates {
-		os.MkdirAll(storage.Site(cert.Domain), 0700)
-
-		// Save cert
-		err := ioutil.WriteFile(storage.SiteCertFile(cert.Domain), cert.Certificate, 0600)
-		if err != nil {
-			return err
-		}
-
-		// Save private key
-		err = ioutil.WriteFile(storage.SiteKeyFile(cert.Domain), cert.PrivateKey, 0600)
-		if err != nil {
-			return err
-		}
-
-		// Save cert metadata
-		jsonBytes, err := json.MarshalIndent(&cert, "", "\t")
-		if err != nil {
-			return err
-		}
-		err = ioutil.WriteFile(storage.SiteMetaFile(cert.Domain), jsonBytes, 0600)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// autoConfigure enables TLS on cfg and appends, if necessary, a new config
-// to allConfigs that redirects plaintext HTTP to its new HTTPS counterpart.
-// It expects the certificate and key to already be in storage. It returns
-// the new list of allConfigs, since it may append a new config. This function
-// assumes that cfg was already set up for HTTPS.
-func autoConfigure(cfg *server.Config, allConfigs []server.Config) []server.Config {
-	bundleBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
-	// TODO: Handle these errors better
-	if err == nil {
-		ocsp, status, err := acme.GetOCSPForCert(bundleBytes)
-		ocspStatus[&bundleBytes] = status
-		if err == nil && status == acme.OCSPGood {
-			cfg.TLS.OCSPStaple = ocsp
-		}
-	}
-	cfg.TLS.Certificate = storage.SiteCertFile(cfg.Host)
-	cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
-	cfg.TLS.Enabled = true
-	if cfg.Port == "" {
-		cfg.Port = "https"
-	}
-
-	// Chain in ACME middleware proxy if we use up the SSL port
-	if cfg.Port == "https" || cfg.Port == "443" {
-		handler := new(Handler)
-		mid := func(next middleware.Handler) middleware.Handler {
-			handler.Next = next
-			return handler
-		}
-		cfg.Middleware["/"] = append(cfg.Middleware["/"], mid)
-		acmeHandlers[cfg.Host] = handler
-	}
-
-	// Set up http->https redirect as long as there isn't already
-	// a http counterpart in the configs
-	if !hostHasOtherScheme(cfg.Host, "http", allConfigs) {
-		allConfigs = append(allConfigs, redirPlaintextHost(*cfg))
-	}
-
-	return allConfigs
-}
-
-// hostHasOtherScheme tells you whether there is another config in the list
-// for the same host but with the port equal to scheme. For example, to see
-// if example.com has a https variant already, pass in example.com and
-// "https" along with the list of configs. This function considers "443"
-// and "https" to be the same scheme, as well as "http" and "80".
-func hostHasOtherScheme(host, scheme string, allConfigs []server.Config) bool {
-	if scheme == "80" {
-		scheme = "http"
-	} else if scheme == "443" {
-		scheme = "https"
-	}
-	for _, otherCfg := range allConfigs {
-		if otherCfg.Host == host {
-			if (otherCfg.Port == scheme) ||
-				(scheme == "https" && otherCfg.Port == "443") ||
-				(scheme == "http" && otherCfg.Port == "80") {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// redirPlaintextHost returns a new plaintext HTTP configuration for
-// a virtualHost that simply redirects to cfg, which is assumed to
-// be the HTTPS configuration. The returned configuration is set
-// to listen on the "http" port (port 80).
-func redirPlaintextHost(cfg server.Config) server.Config {
-	toUrl := "https://" + cfg.Host
-	if cfg.Port != "https" && cfg.Port != "http" {
-		toUrl += ":" + cfg.Port
-	}
-
-	redirMidware := func(next middleware.Handler) middleware.Handler {
-		return redirect.Redirect{Next: next, Rules: []redirect.Rule{
-			{
-				FromScheme: "http",
-				FromPath:   "/",
-				To:         toUrl + "{uri}",
-				Code:       http.StatusMovedPermanently,
-			},
-		}}
-	}
-
-	return server.Config{
-		Host: cfg.Host,
-		Port: "http",
-		Middleware: map[string][]middleware.Middleware{
-			"/": []middleware.Middleware{redirMidware},
-		},
-	}
-}
-
-// Revoke revokes the certificate for host via ACME protocol.
-func Revoke(host string) error {
-	if !existingCertAndKey(host) {
-		return errors.New("no certificate and key for " + host)
-	}
-
-	email := getEmail(server.Config{Host: host})
-	if email == "" {
-		return errors.New("email is required to revoke")
-	}
-
-	client, err := newClient(email)
-	if err != nil {
-		return err
-	}
-
-	certFile := storage.SiteCertFile(host)
-	certBytes, err := ioutil.ReadFile(certFile)
-	if err != nil {
-		return err
-	}
-
-	err = client.RevokeCertificate(certBytes)
-	if err != nil {
-		return err
-	}
-
-	err = os.Remove(certFile)
-	if err != nil {
-		return errors.New("certificate revoked, but unable to delete certificate file: " + err.Error())
-	}
-
-	return nil
-}
-
-var (
-	// Let's Encrypt account email to use if none provided
-	DefaultEmail string
-
-	// Whether user has agreed to the Let's Encrypt SA
-	Agreed bool
-
-	// The base URL to the CA's ACME endpoint
-	CAUrl string
-)
-
-// Some essential values related to the Let's Encrypt process
-const (
-	// The port to expose to the CA server for Simple HTTP Challenge.
-	// NOTE: Let's Encrypt requires port 443. If exposePort is not 443,
-	// then port 443 must be forwarded to exposePort.
-	exposePort = "443"
-
-	// If port 443 is in use by a Caddy server instance, then this is
-	// port on which the acme client will solve challenges. (Whatever is
-	// listening on port 443 must proxy ACME requests to this port.)
-	alternatePort = "5033"
-
-	// How often to check certificates for renewal.
-	renewInterval = 24 * time.Hour
-
-	// How often to update OCSP stapling.
-	ocspInterval = 1 * time.Hour
-)
-
-// KeySize represents the length of a key in bits.
-type KeySize int
-
-// Key sizes are used to determine the strength of a key.
-const (
-	ECC_224  KeySize = 224
-	ECC_256          = 256
-	RSA_2048         = 2048
-	RSA_4096         = 4096
-)
-
-// rsaKeySizeToUse is the size to use for new RSA keys.
-// This shouldn't need to change except for in tests;
-// the size can be drastically reduced for speed.
-var rsaKeySizeToUse = RSA_2048
-
-// stopChan is used to signal the maintenance goroutine
-// to terminate.
-var stopChan chan struct{}
-
-// ocspStatus maps certificate bundle to OCSP status at start.
-// It is used during regular OCSP checks to see if the OCSP
-// status has changed.
-var ocspStatus = make(map[*[]byte]int)
@@ -1,51 +0,0 @@
-package letsencrypt
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/mholt/caddy/middleware/redirect"
-	"github.com/mholt/caddy/server"
-)
-
-func TestRedirPlaintextHost(t *testing.T) {
-	cfg := redirPlaintextHost(server.Config{
-		Host: "example.com",
-		Port: "http",
-	})
-
-	// Check host and port
-	if actual, expected := cfg.Host, "example.com"; actual != expected {
-		t.Errorf("Expected redir config to have host %s but got %s", expected, actual)
-	}
-	if actual, expected := cfg.Port, "http"; actual != expected {
-		t.Errorf("Expected redir config to have port '%s' but got '%s'", expected, actual)
-	}
-
-	// Make sure redirect handler is set up properly
-	if cfg.Middleware == nil || len(cfg.Middleware["/"]) != 1 {
-		t.Fatalf("Redir config middleware not set up properly; got: %#v", cfg.Middleware)
-	}
-
-	handler, ok := cfg.Middleware["/"][0](nil).(redirect.Redirect)
-	if !ok {
-		t.Fatalf("Expected a redirect.Redirect middleware, but got: %#v", handler)
-	}
-	if len(handler.Rules) != 1 {
-		t.Fatalf("Expected one redirect rule, got: %#v", handler.Rules)
-	}
-
-	// Check redirect rule for correctness
-	if actual, expected := handler.Rules[0].FromScheme, "http"; actual != expected {
-		t.Errorf("Expected redirect rule to be from scheme '%s' but is actually from '%s'", expected, actual)
-	}
-	if actual, expected := handler.Rules[0].FromPath, "/"; actual != expected {
-		t.Errorf("Expected redirect rule to be for path '%s' but is actually for '%s'", expected, actual)
-	}
-	if actual, expected := handler.Rules[0].To, "https://example.com{uri}"; actual != expected {
-		t.Errorf("Expected redirect rule to be to URL '%s' but is actually to '%s'", expected, actual)
-	}
-	if actual, expected := handler.Rules[0].Code, http.StatusMovedPermanently; actual != expected {
-		t.Errorf("Expected redirect rule to have code %d but was %d", expected, actual)
-	}
-}
@@ -1,183 +0,0 @@
-package letsencrypt
-
-import (
-	"encoding/json"
-	"io/ioutil"
-	"log"
-	"time"
-
-	"github.com/mholt/caddy/server"
-	"github.com/xenolf/lego/acme"
-)
-
-// OnChange is a callback function that will be used to restart
-// the application or the part of the application that uses
-// the certificates maintained by this package. When at least
-// one certificate is renewed or an OCSP status changes, this
-// function will be called.
-var OnChange func() error
-
-// maintainAssets is a permanently-blocking function
-// that loops indefinitely and, on a regular schedule, checks
-// certificates for expiration and initiates a renewal of certs
-// that are expiring soon. It also updates OCSP stapling and
-// performs other maintenance of assets.
-//
-// You must pass in the server configs to maintain and the channel
-// which you'll close when maintenance should stop, to allow this
-// goroutine to clean up after itself and unblock.
-func maintainAssets(configs []server.Config, stopChan chan struct{}) {
-	renewalTicker := time.NewTicker(renewInterval)
-	ocspTicker := time.NewTicker(ocspInterval)
-
-	for {
-		select {
-		case <-renewalTicker.C:
-			n, errs := renewCertificates(configs, true)
-			if len(errs) > 0 {
-				for _, err := range errs {
-					log.Printf("[ERROR] cert renewal: %v\n", err)
-				}
-			}
-			// even if there was an error, some renewals may have succeeded
-			if n > 0 && OnChange != nil {
-				err := OnChange()
-				if err != nil {
-					log.Printf("[ERROR] onchange after cert renewal: %v\n", err)
-				}
-			}
-		case <-ocspTicker.C:
-			for bundle, oldStatus := range ocspStatus {
-				_, newStatus, err := acme.GetOCSPForCert(*bundle)
-				if err == nil && newStatus != oldStatus && OnChange != nil {
-					log.Printf("[INFO] ocsp status changed from %v to %v\n", oldStatus, newStatus)
-					err := OnChange()
-					if err != nil {
-						log.Printf("[ERROR] onchange after ocsp update: %v\n", err)
-					}
-					break
-				}
-			}
-		case <-stopChan:
-			renewalTicker.Stop()
-			ocspTicker.Stop()
-			return
-		}
-	}
-}
-
-// renewCertificates loops through all configured site and
-// looks for certificates to renew. Nothing is mutated
-// through this function; all changes happen directly on disk.
-// It returns the number of certificates renewed and any errors
-// that occurred. It only performs a renewal if necessary.
-// If useCustomPort is true, a custom port will be used, and
-// whatever is listening at 443 better proxy ACME requests to it.
-// Otherwise, the acme package will create its own listener on 443.
-func renewCertificates(configs []server.Config, useCustomPort bool) (int, []error) {
-	log.Print("[INFO] Processing certificate renewals...")
-	var errs []error
-	var n int
-
-	defer func() {
-		// reset these so as to not interfere with other challenges
-		acme.OnSimpleHTTPStart = nil
-		acme.OnSimpleHTTPEnd = nil
-	}()
-
-	for _, cfg := range configs {
-		// Host must be TLS-enabled and have existing assets managed by LE
-		if !cfg.TLS.Enabled || !existingCertAndKey(cfg.Host) {
-			continue
-		}
-
-		// Read the certificate and get the NotAfter time.
-		certBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
-		if err != nil {
-			errs = append(errs, err)
-			continue // still have to check other certificates
-		}
-		expTime, err := acme.GetPEMCertExpiration(certBytes)
-		if err != nil {
-			errs = append(errs, err)
-			continue
-		}
-
-		// The time returned from the certificate is always in UTC.
-		// So calculate the time left with local time as UTC.
-		// Directly convert it to days for the following checks.
-		daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
-
-		// Renew with two weeks or less remaining.
-		if daysLeft <= 14 {
-			log.Printf("[INFO] There are %d days left on the certificate of %s. Trying to renew now.", daysLeft, cfg.Host)
-			var client *acme.Client
-			if useCustomPort {
-				client, err = newClientPort("", alternatePort) // email not used for renewal
-			} else {
-				client, err = newClient("")
-			}
-			if err != nil {
-				errs = append(errs, err)
-				continue
-			}
-
-			// Read metadata
-			metaBytes, err := ioutil.ReadFile(storage.SiteMetaFile(cfg.Host))
-			if err != nil {
-				errs = append(errs, err)
-				continue
-			}
-
-			privBytes, err := ioutil.ReadFile(storage.SiteKeyFile(cfg.Host))
-			if err != nil {
-				errs = append(errs, err)
-				continue
-			}
-
-			var certMeta acme.CertificateResource
-			err = json.Unmarshal(metaBytes, &certMeta)
-			certMeta.Certificate = certBytes
-			certMeta.PrivateKey = privBytes
-
-			// Tell the handler to accept and proxy acme request in order to solve challenge
-			acme.OnSimpleHTTPStart = acmeHandlers[cfg.Host].ChallengeOn
-			acme.OnSimpleHTTPEnd = acmeHandlers[cfg.Host].ChallengeOff
-
-			// Renew certificate.
-			// TODO: revokeOld should be an option in the caddyfile
-			// TODO: bundle should be an option in the caddyfile as well :)
-		Renew:
-			newCertMeta, err := client.RenewCertificate(certMeta, true, true)
-			if err != nil {
-				if _, ok := err.(acme.TOSError); ok {
-					err := client.AgreeToTOS()
-					if err != nil {
-						errs = append(errs, err)
-					}
-					goto Renew
-				}
-
-				time.Sleep(10 * time.Second)
-				newCertMeta, err = client.RenewCertificate(certMeta, true, true)
-				if err != nil {
-					errs = append(errs, err)
-					continue
-				}
-			}
-
-			saveCertsAndKeys([]acme.CertificateResource{newCertMeta})
-			n++
-		} else if daysLeft <= 30 {
-			// Warn on 30 days remaining. TODO: Just do this once...
-			log.Printf("[WARN] There are %d days left on the certificate for %s. Will renew when 14 days remain.\n", daysLeft, cfg.Host)
-		}
-	}
-
-	return n, errs
-}
-
-// acmeHandlers is a map of host to ACME handler. These
-// are used to proxy ACME requests to the ACME client
-// when port 443 is in use.
-var acmeHandlers = make(map[string]*Handler)
@@ -1,94 +0,0 @@
-package letsencrypt
-
-import (
-	"path/filepath"
-	"strings"
-
-	"github.com/mholt/caddy/caddy/assets"
-)
-
-// storage is used to get file paths in a consistent,
-// cross-platform way for persisting Let's Encrypt assets
-// on the file system.
-var storage = Storage(filepath.Join(assets.Path(), "letsencrypt"))
-
-// Storage is a root directory and facilitates
-// forming file paths derived from it.
-type Storage string
-
-// Sites gets the directory that stores site certificate and keys.
-func (s Storage) Sites() string {
-	return filepath.Join(string(s), "sites")
-}
-
-// Site returns the path to the folder containing assets for domain.
-func (s Storage) Site(domain string) string {
-	return filepath.Join(s.Sites(), domain)
-}
-
-// CertFile returns the path to the certificate file for domain.
-func (s Storage) SiteCertFile(domain string) string {
-	return filepath.Join(s.Site(domain), domain+".crt")
-}
-
-// SiteKeyFile returns the path to domain's private key file.
-func (s Storage) SiteKeyFile(domain string) string {
-	return filepath.Join(s.Site(domain), domain+".key")
-}
-
-// SiteMetaFile returns the path to the domain's asset metadata file.
-func (s Storage) SiteMetaFile(domain string) string {
-	return filepath.Join(s.Site(domain), domain+".json")
-}
-
-// Users gets the directory that stores account folders.
-func (s Storage) Users() string {
-	return filepath.Join(string(s), "users")
-}
-
-// User gets the account folder for the user with email.
-func (s Storage) User(email string) string {
-	if email == "" {
-		email = emptyEmail
-	}
-	return filepath.Join(s.Users(), email)
-}
-
-// UserRegFile gets the path to the registration file for
-// the user with the given email address.
-func (s Storage) UserRegFile(email string) string {
-	if email == "" {
-		email = emptyEmail
-	}
-	fileName := emailUsername(email)
-	if fileName == "" {
-		fileName = "registration"
-	}
-	return filepath.Join(s.User(email), fileName+".json")
-}
-
-// UserKeyFile gets the path to the private key file for
-// the user with the given email address.
-func (s Storage) UserKeyFile(email string) string {
-	if email == "" {
-		email = emptyEmail
-	}
-	fileName := emailUsername(email)
-	if fileName == "" {
-		fileName = "private"
-	}
-	return filepath.Join(s.User(email), fileName+".key")
-}
-
-// emailUsername returns the username portion of an
-// email address (part before '@') or the original
-// input if it can't find the "@" symbol.
-func emailUsername(email string) string {
-	at := strings.Index(email, "@")
-	if at == -1 {
-		return email
-	} else if at == 0 {
-		return email[1:]
-	}
-	return email[:at]
-}
@@ -1,84 +0,0 @@
-package letsencrypt
-
-import (
-	"path/filepath"
-	"testing"
-)
-
-func TestStorage(t *testing.T) {
-	storage = Storage("./letsencrypt")
-
-	if expected, actual := filepath.Join("letsencrypt", "sites"), storage.Sites(); actual != expected {
-		t.Errorf("Expected Sites() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com"), storage.Site("test.com"); actual != expected {
-		t.Errorf("Expected Site() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.crt"), storage.SiteCertFile("test.com"); actual != expected {
-		t.Errorf("Expected SiteCertFile() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.key"), storage.SiteKeyFile("test.com"); actual != expected {
-		t.Errorf("Expected SiteKeyFile() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.json"), storage.SiteMetaFile("test.com"); actual != expected {
-		t.Errorf("Expected SiteMetaFile() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users"), storage.Users(); actual != expected {
-		t.Errorf("Expected Users() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com"), storage.User("me@example.com"); actual != expected {
-		t.Errorf("Expected User() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com", "me.json"), storage.UserRegFile("me@example.com"); actual != expected {
-		t.Errorf("Expected UserRegFile() to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com", "me.key"), storage.UserKeyFile("me@example.com"); actual != expected {
-		t.Errorf("Expected UserKeyFile() to return '%s' but got '%s'", expected, actual)
-	}
-
-	// Test with empty emails
-	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail), storage.User(emptyEmail); actual != expected {
-		t.Errorf("Expected User(\"\") to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail, emptyEmail+".json"), storage.UserRegFile(""); actual != expected {
-		t.Errorf("Expected UserRegFile(\"\") to return '%s' but got '%s'", expected, actual)
-	}
-	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail, emptyEmail+".key"), storage.UserKeyFile(""); actual != expected {
-		t.Errorf("Expected UserKeyFile(\"\") to return '%s' but got '%s'", expected, actual)
-	}
-}
-
-func TestEmailUsername(t *testing.T) {
-	for i, test := range []struct {
-		input, expect string
-	}{
-		{
-			input:  "username@example.com",
-			expect: "username",
-		},
-		{
-			input:  "plus+addressing@example.com",
-			expect: "plus+addressing",
-		},
-		{
-			input:  "me+plus-addressing@example.com",
-			expect: "me+plus-addressing",
-		},
-		{
-			input:  "not-an-email",
-			expect: "not-an-email",
-		},
-		{
-			input:  "@foobar.com",
-			expect: "foobar.com",
-		},
-		{
-			input:  emptyEmail,
-			expect: emptyEmail,
-		},
-	} {
-		if actual := emailUsername(test.input); actual != test.expect {
-			t.Errorf("Test %d: Expected username to be '%s' but was '%s'", i, test.expect, actual)
-		}
-	}
-}
@@ -1,196 +0,0 @@
-package letsencrypt
-
-import (
-	"bufio"
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"strings"
-
-	"github.com/mholt/caddy/server"
-	"github.com/xenolf/lego/acme"
-)
-
-// User represents a Let's Encrypt user account.
-type User struct {
-	Email        string
-	Registration *acme.RegistrationResource
-	key          *rsa.PrivateKey
-}
-
-// GetEmail gets u's email.
-func (u User) GetEmail() string {
-	return u.Email
-}
-
-// GetRegistration gets u's registration resource.
-func (u User) GetRegistration() *acme.RegistrationResource {
-	return u.Registration
-}
-
-// GetPrivateKey gets u's private key.
-func (u User) GetPrivateKey() *rsa.PrivateKey {
-	return u.key
-}
-
-// getUser loads the user with the given email from disk.
-// If the user does not exist, it will create a new one,
-// but it does NOT save new users to the disk or register
-// them via ACME.
-func getUser(email string) (User, error) {
-	var user User
-
-	// open user file
-	regFile, err := os.Open(storage.UserRegFile(email))
-	if err != nil {
-		if os.IsNotExist(err) {
-			// create a new user
-			return newUser(email)
-		}
-		return user, err
-	}
-	defer regFile.Close()
-
-	// load user information
-	err = json.NewDecoder(regFile).Decode(&user)
-	if err != nil {
-		return user, err
-	}
-
-	// load their private key
-	user.key, err = loadRSAPrivateKey(storage.UserKeyFile(email))
-	if err != nil {
-		return user, err
-	}
-
-	return user, nil
-}
-
-// saveUser persists a user's key and account registration
-// to the file system. It does NOT register the user via ACME.
-func saveUser(user User) error {
-	// make user account folder
-	err := os.MkdirAll(storage.User(user.Email), 0700)
-	if err != nil {
-		return err
-	}
-
-	// save private key file
-	err = saveRSAPrivateKey(user.key, storage.UserKeyFile(user.Email))
-	if err != nil {
-		return err
-	}
-
-	// save registration file
-	jsonBytes, err := json.MarshalIndent(&user, "", "\t")
-	if err != nil {
-		return err
-	}
-
-	return ioutil.WriteFile(storage.UserRegFile(user.Email), jsonBytes, 0600)
-}
-
-// newUser creates a new User for the given email address
-// with a new private key. This function does NOT save the
-// user to disk or register it via ACME. If you want to use
-// a user account that might already exist, call getUser
-// instead.
-func newUser(email string) (User, error) {
-	user := User{Email: email}
-	privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySizeToUse)
-	if err != nil {
-		return user, errors.New("error generating private key: " + err.Error())
-	}
-	user.key = privateKey
-	return user, nil
-}
-
-// getEmail does everything it can to obtain an email
-// address from the user to use for TLS for cfg. If it
-// cannot get an email address, it returns empty string.
-// (It will warn the user of the consequences of an
-// empty email.)
-func getEmail(cfg server.Config) string {
-	// First try the tls directive from the Caddyfile
-	leEmail := cfg.TLS.LetsEncryptEmail
-	if leEmail == "" {
-		// Then try memory (command line flag or typed by user previously)
-		leEmail = DefaultEmail
-	}
-	if leEmail == "" {
-		// Then try to get most recent user email ~/.caddy/users file
-		userDirs, err := ioutil.ReadDir(storage.Users())
-		if err == nil {
-			var mostRecent os.FileInfo
-			for _, dir := range userDirs {
-				if !dir.IsDir() {
-					continue
-				}
-				if mostRecent == nil || dir.ModTime().After(mostRecent.ModTime()) {
-					mostRecent = dir
-				}
-			}
-			if mostRecent != nil {
-				leEmail = mostRecent.Name()
-			}
-		}
-	}
-	if leEmail == "" {
-		// Alas, we must bother the user and ask for an email address;
-		// if they proceed they also agree to the SA.
-		reader := bufio.NewReader(stdin)
-		fmt.Println("Your sites will be served over HTTPS automatically using Let's Encrypt.")
-		fmt.Println("By continuing, you agree to the Let's Encrypt Subscriber Agreement at:")
-		fmt.Println("  " + saURL) // TODO: Show current SA link
-		fmt.Println("Please enter your email address so you can recover your account if needed.")
-		fmt.Println("You can leave it blank, but you'll lose the ability to recover your account.")
-		fmt.Print("Email address: ")
-		var err error
-		leEmail, err = reader.ReadString('\n')
-		if err != nil {
-			return ""
-		}
-		DefaultEmail = leEmail
-		Agreed = true
-	}
-	return strings.TrimSpace(leEmail)
-}
-
-// promptUserAgreement prompts the user to agree to the agreement
-// at agreementURL via stdin. If the agreement has changed, then pass
-// true as the second argument. If this is the user's first time
-// agreeing, pass false. It returns whether the user agreed or not.
-func promptUserAgreement(agreementURL string, changed bool) bool {
-	if changed {
-		fmt.Printf("The Let's Encrypt Subscriber Agreement has changed:\n  %s\n", agreementURL)
-		fmt.Print("Do you agree to the new terms? (y/n): ")
-	} else {
-		fmt.Printf("To continue, you must agree to the Let's Encrypt Subscriber Agreement:\n  %s\n", agreementURL)
-		fmt.Print("Do you agree to the terms? (y/n): ")
-	}
-
-	reader := bufio.NewReader(stdin)
-	answer, err := reader.ReadString('\n')
-	if err != nil {
-		return false
-	}
-	answer = strings.ToLower(strings.TrimSpace(answer))
-
-	return answer == "y" || answer == "yes"
-}
-
-// stdin is used to read the user's input if prompted;
-// this is changed by tests during tests.
-var stdin = io.ReadWriter(os.Stdin)
-
-// The name of the folder for accounts where the email
-// address was not provided; default 'username' if you will.
-const emptyEmail = "default"
-
-// TODO: Use latest
-const saURL = "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
@@ -1,192 +0,0 @@
-package letsencrypt
-
-import (
-	"bytes"
-	"crypto/rand"
-	"crypto/rsa"
-	"io"
-	"os"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/mholt/caddy/server"
-	"github.com/xenolf/lego/acme"
-)
-
-func TestUser(t *testing.T) {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 128)
-	if err != nil {
-		t.Fatalf("Could not generate test private key: %v", err)
-	}
-	u := User{
-		Email:        "me@mine.com",
-		Registration: new(acme.RegistrationResource),
-		key:          privateKey,
-	}
-
-	if expected, actual := "me@mine.com", u.GetEmail(); actual != expected {
-		t.Errorf("Expected email '%s' but got '%s'", expected, actual)
-	}
-	if u.GetRegistration() == nil {
-		t.Error("Expected a registration resource, but got nil")
-	}
-	if expected, actual := privateKey, u.GetPrivateKey(); actual != expected {
-		t.Errorf("Expected the private key at address %p but got one at %p instead ", expected, actual)
-	}
-}
-
-func TestNewUser(t *testing.T) {
-	email := "me@foobar.com"
-	user, err := newUser(email)
-	if err != nil {
-		t.Fatalf("Error creating user: %v", err)
-	}
-	if user.key == nil {
-		t.Error("Private key is nil")
-	}
-	if user.Email != email {
-		t.Errorf("Expected email to be %s, but was %s", email, user.Email)
-	}
-	if user.Registration != nil {
-		t.Error("New user already has a registration resource; it shouldn't")
-	}
-}
-
-func TestSaveUser(t *testing.T) {
-	storage = Storage("./testdata")
-	defer os.RemoveAll(string(storage))
-
-	email := "me@foobar.com"
-	user, err := newUser(email)
-	if err != nil {
-		t.Fatalf("Error creating user: %v", err)
-	}
-
-	err = saveUser(user)
-	if err != nil {
-		t.Fatalf("Error saving user: %v", err)
-	}
-	_, err = os.Stat(storage.UserRegFile(email))
-	if err != nil {
-		t.Errorf("Cannot access user registration file, error: %v", err)
-	}
-	_, err = os.Stat(storage.UserKeyFile(email))
-	if err != nil {
-		t.Errorf("Cannot access user private key file, error: %v", err)
-	}
-}
-
-func TestGetUserDoesNotAlreadyExist(t *testing.T) {
-	storage = Storage("./testdata")
-	defer os.RemoveAll(string(storage))
-
-	user, err := getUser("user_does_not_exist@foobar.com")
-	if err != nil {
-		t.Fatalf("Error getting user: %v", err)
-	}
-
-	if user.key == nil {
-		t.Error("Expected user to have a private key, but it was nil")
-	}
-}
-
-func TestGetUserAlreadyExists(t *testing.T) {
-	storage = Storage("./testdata")
-	defer os.RemoveAll(string(storage))
-
-	email := "me@foobar.com"
-
-	// Set up test
-	user, err := newUser(email)
-	if err != nil {
-		t.Fatalf("Error creating user: %v", err)
-	}
-	err = saveUser(user)
-	if err != nil {
-		t.Fatalf("Error saving user: %v", err)
-	}
-
-	// Expect to load user from disk
-	user2, err := getUser(email)
-	if err != nil {
-		t.Fatalf("Error getting user: %v", err)
-	}
-
-	// Assert keys are the same
-	if !rsaPrivateKeysSame(user.key, user2.key) {
-		t.Error("Expected private key to be the same after loading, but it wasn't")
-	}
-
-	// Assert emails are the same
-	if user.Email != user2.Email {
-		t.Errorf("Expected emails to be equal, but was '%s' before and '%s' after loading", user.Email, user2.Email)
-	}
-}
-
-func TestGetEmail(t *testing.T) {
-	storage = Storage("./testdata")
-	defer os.RemoveAll(string(storage))
-	DefaultEmail = "test2@foo.com"
-
-	// Test1: Use email in config
-	config := server.Config{
-		TLS: server.TLSConfig{
-			LetsEncryptEmail: "test1@foo.com",
-		},
-	}
-	actual := getEmail(config)
-	if actual != "test1@foo.com" {
-		t.Errorf("Did not get correct email from config; expected '%s' but got '%s'", "test1@foo.com", actual)
-	}
-
-	// Test2: Use default email from flag (or user previously typing it)
-	actual = getEmail(server.Config{})
-	if actual != DefaultEmail {
-		t.Errorf("Did not get correct email from config; expected '%s' but got '%s'", DefaultEmail, actual)
-	}
-
-	// Test3: Get input from user
-	DefaultEmail = ""
-	stdin = new(bytes.Buffer)
-	_, err := io.Copy(stdin, strings.NewReader("test3@foo.com\n"))
-	if err != nil {
-		t.Fatalf("Could not simulate user input, error: %v", err)
-	}
-	actual = getEmail(server.Config{})
-	if actual != "test3@foo.com" {
-		t.Errorf("Did not get correct email from user input prompt; expected '%s' but got '%s'", "test3@foo.com", actual)
-	}
-
-	// Test4: Get most recent email from before
-	DefaultEmail = ""
-	for i, eml := range []string{
-		"test4-3@foo.com",
-		"test4-2@foo.com",
-		"test4-1@foo.com",
-	} {
-		u, err := newUser(eml)
-		if err != nil {
-			t.Fatalf("Error creating user %d: %v", i, err)
-		}
-		err = saveUser(u)
-		if err != nil {
-			t.Fatalf("Error saving user %d: %v", i, err)
-		}
-
-		// Change modified time so they're all different, so the test becomes deterministic
-		f, err := os.Stat(storage.User(eml))
-		if err != nil {
-			t.Fatalf("Could not access user folder for '%s': %v", eml, err)
-		}
-		chTime := f.ModTime().Add(-(time.Duration(i) * time.Second))
-		if err := os.Chtimes(storage.User(eml), chTime, chTime); err != nil {
-			t.Fatalf("Could not change user folder mod time for '%s': %v", eml, err)
-		}
-	}
-
-	actual = getEmail(server.Config{})
-	if actual != "test4-3@foo.com" {
-		t.Errorf("Did not get correct email from storage; expected '%s' but got '%s'", "test4-3@foo.com", actual)
-	}
-}
@@ -1,251 +0,0 @@
-package parse
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-)
-
-// Dispenser is a type that dispenses tokens, similarly to a lexer,
-// except that it can do so with some notion of structure and has
-// some really convenient methods.
-type Dispenser struct {
-	filename string
-	tokens   []token
-	cursor   int
-	nesting  int
-}
-
-// NewDispenser returns a Dispenser, ready to use for parsing the given input.
-func NewDispenser(filename string, input io.Reader) Dispenser {
-	return Dispenser{
-		filename: filename,
-		tokens:   allTokens(input),
-		cursor:   -1,
-	}
-}
-
-// NewDispenserTokens returns a Dispenser filled with the given tokens.
-func NewDispenserTokens(filename string, tokens []token) Dispenser {
-	return Dispenser{
-		filename: filename,
-		tokens:   tokens,
-		cursor:   -1,
-	}
-}
-
-// Next loads the next token. Returns true if a token
-// was loaded; false otherwise. If false, all tokens
-// have been consumed.
-func (d *Dispenser) Next() bool {
-	if d.cursor < len(d.tokens)-1 {
-		d.cursor++
-		return true
-	}
-	return false
-}
-
-// NextArg loads the next token if it is on the same
-// line. Returns true if a token was loaded; false
-// otherwise. If false, all tokens on the line have
-// been consumed. It handles imported tokens correctly.
-func (d *Dispenser) NextArg() bool {
-	if d.cursor < 0 {
-		d.cursor++
-		return true
-	}
-	if d.cursor >= len(d.tokens) {
-		return false
-	}
-	if d.cursor < len(d.tokens)-1 &&
-		d.tokens[d.cursor].file == d.tokens[d.cursor+1].file &&
-		d.tokens[d.cursor].line+d.numLineBreaks(d.cursor) == d.tokens[d.cursor+1].line {
-		d.cursor++
-		return true
-	}
-	return false
-}
-
-// NextLine loads the next token only if it is not on the same
-// line as the current token, and returns true if a token was
-// loaded; false otherwise. If false, there is not another token
-// or it is on the same line. It handles imported tokens correctly.
-func (d *Dispenser) NextLine() bool {
-	if d.cursor < 0 {
-		d.cursor++
-		return true
-	}
-	if d.cursor >= len(d.tokens) {
-		return false
-	}
-	if d.cursor < len(d.tokens)-1 &&
-		(d.tokens[d.cursor].file != d.tokens[d.cursor+1].file ||
-			d.tokens[d.cursor].line+d.numLineBreaks(d.cursor) < d.tokens[d.cursor+1].line) {
-		d.cursor++
-		return true
-	}
-	return false
-}
-
-// NextBlock can be used as the condition of a for loop
-// to load the next token as long as it opens a block or
-// is already in a block. It returns true if a token was
-// loaded, or false when the block's closing curly brace
-// was loaded and thus the block ended. Nested blocks are
-// not supported.
-func (d *Dispenser) NextBlock() bool {
-	if d.nesting > 0 {
-		d.Next()
-		if d.Val() == "}" {
-			d.nesting--
-			return false
-		}
-		return true
-	}
-	if !d.NextArg() { // block must open on same line
-		return false
-	}
-	if d.Val() != "{" {
-		d.cursor-- // roll back if not opening brace
-		return false
-	}
-	d.Next()
-	if d.Val() == "}" {
-		// Open and then closed right away
-		return false
-	}
-	d.nesting++
-	return true
-}
-
-// IncrNest adds a level of nesting to the dispenser.
-func (d *Dispenser) IncrNest() {
-	d.nesting++
-	return
-}
-
-// Val gets the text of the current token. If there is no token
-// loaded, it returns empty string.
-func (d *Dispenser) Val() string {
-	if d.cursor < 0 || d.cursor >= len(d.tokens) {
-		return ""
-	}
-	return d.tokens[d.cursor].text
-}
-
-// Line gets the line number of the current token. If there is no token
-// loaded, it returns 0.
-func (d *Dispenser) Line() int {
-	if d.cursor < 0 || d.cursor >= len(d.tokens) {
-		return 0
-	}
-	return d.tokens[d.cursor].line
-}
-
-// File gets the filename of the current token. If there is no token loaded,
-// it returns the filename originally given when parsing started.
-func (d *Dispenser) File() string {
-	if d.cursor < 0 || d.cursor >= len(d.tokens) {
-		return d.filename
-	}
-	if tokenFilename := d.tokens[d.cursor].file; tokenFilename != "" {
-		return tokenFilename
-	}
-	return d.filename
-}
-
-// Args is a convenience function that loads the next arguments
-// (tokens on the same line) into an arbitrary number of strings
-// pointed to in targets. If there are fewer tokens available
-// than string pointers, the remaining strings will not be changed
-// and false will be returned. If there were enough tokens available
-// to fill the arguments, then true will be returned.
-func (d *Dispenser) Args(targets ...*string) bool {
-	enough := true
-	for i := 0; i < len(targets); i++ {
-		if !d.NextArg() {
-			enough = false
-			break
-		}
-		*targets[i] = d.Val()
-	}
-	return enough
-}
-
-// RemainingArgs loads any more arguments (tokens on the same line)
-// into a slice and returns them. Open curly brace tokens also indicate
-// the end of arguments, and the curly brace is not included in
-// the return value nor is it loaded.
-func (d *Dispenser) RemainingArgs() []string {
-	var args []string
-
-	for d.NextArg() {
-		if d.Val() == "{" {
-			d.cursor--
-			break
-		}
-		args = append(args, d.Val())
-	}
-
-	return args
-}
-
-// ArgErr returns an argument error, meaning that another
-// argument was expected but not found. In other words,
-// a line break or open curly brace was encountered instead of
-// an argument.
-func (d *Dispenser) ArgErr() error {
-	if d.Val() == "{" {
-		return d.Err("Unexpected token '{', expecting argument")
-	}
-	return d.Errf("Wrong argument count or unexpected line ending after '%s'", d.Val())
-}
-
-// SyntaxErr creates a generic syntax error which explains what was
-// found and what was expected.
-func (d *Dispenser) SyntaxErr(expected string) error {
-	msg := fmt.Sprintf("%s:%d - Syntax error: Unexpected token '%s', expecting '%s'", d.File(), d.Line(), d.Val(), expected)
-	return errors.New(msg)
-}
-
-// EOFErr returns an error indicating that the dispenser reached
-// the end of the input when searching for the next token.
-func (d *Dispenser) EOFErr() error {
-	return d.Errf("Unexpected EOF")
-}
-
-// Err generates a custom parse error with a message of msg.
-func (d *Dispenser) Err(msg string) error {
-	msg = fmt.Sprintf("%s:%d - Parse error: %s", d.File(), d.Line(), msg)
-	return errors.New(msg)
-}
-
-// Errf is like Err, but for formatted error messages
-func (d *Dispenser) Errf(format string, args ...interface{}) error {
-	return d.Err(fmt.Sprintf(format, args...))
-}
-
-// numLineBreaks counts how many line breaks are in the token
-// value given by the token index tknIdx. It returns 0 if the
-// token does not exist or there are no line breaks.
-func (d *Dispenser) numLineBreaks(tknIdx int) int {
-	if tknIdx < 0 || tknIdx >= len(d.tokens) {
-		return 0
-	}
-	return strings.Count(d.tokens[tknIdx].text, "\n")
-}
-
-// isNewLine determines whether the current token is on a different
-// line (higher line number) than the previous token. It handles imported
-// tokens correctly. If there isn't a previous token, it returns true.
-func (d *Dispenser) isNewLine() bool {
-	if d.cursor < 1 {
-		return true
-	}
-	if d.cursor > len(d.tokens)-1 {
-		return false
-	}
-	return d.tokens[d.cursor-1].file != d.tokens[d.cursor].file ||
-		d.tokens[d.cursor-1].line+d.numLineBreaks(d.cursor-1) < d.tokens[d.cursor].line
-}
@@ -1,165 +0,0 @@
-package parse
-
-import (
-	"strings"
-	"testing"
-)
-
-type lexerTestCase struct {
-	input    string
-	expected []token
-}
-
-func TestLexer(t *testing.T) {
-	testCases := []lexerTestCase{
-		{
-			input: `host:123`,
-			expected: []token{
-				{line: 1, text: "host:123"},
-			},
-		},
-		{
-			input: `host:123
-
-					directive`,
-			expected: []token{
-				{line: 1, text: "host:123"},
-				{line: 3, text: "directive"},
-			},
-		},
-		{
-			input: `host:123 {
-						directive
-					}`,
-			expected: []token{
-				{line: 1, text: "host:123"},
-				{line: 1, text: "{"},
-				{line: 2, text: "directive"},
-				{line: 3, text: "}"},
-			},
-		},
-		{
-			input: `host:123 { directive }`,
-			expected: []token{
-				{line: 1, text: "host:123"},
-				{line: 1, text: "{"},
-				{line: 1, text: "directive"},
-				{line: 1, text: "}"},
-			},
-		},
-		{
-			input: `host:123 {
-						#comment
-						directive
-						# comment
-						foobar # another comment
-					}`,
-			expected: []token{
-				{line: 1, text: "host:123"},
-				{line: 1, text: "{"},
-				{line: 3, text: "directive"},
-				{line: 5, text: "foobar"},
-				{line: 6, text: "}"},
-			},
-		},
-		{
-			input: `a "quoted value" b
-					foobar`,
-			expected: []token{
-				{line: 1, text: "a"},
-				{line: 1, text: "quoted value"},
-				{line: 1, text: "b"},
-				{line: 2, text: "foobar"},
-			},
-		},
-		{
-			input: `A "quoted \"value\" inside" B`,
-			expected: []token{
-				{line: 1, text: "A"},
-				{line: 1, text: `quoted "value" inside`},
-				{line: 1, text: "B"},
-			},
-		},
-		{
-			input: `"don't\escape"`,
-			expected: []token{
-				{line: 1, text: `don't\escape`},
-			},
-		},
-		{
-			input: `"don't\\escape"`,
-			expected: []token{
-				{line: 1, text: `don't\\escape`},
-			},
-		},
-		{
-			input: `A "quoted value with line
-					break inside" {
-						foobar
-					}`,
-			expected: []token{
-				{line: 1, text: "A"},
-				{line: 1, text: "quoted value with line\n\t\t\t\t\tbreak inside"},
-				{line: 2, text: "{"},
-				{line: 3, text: "foobar"},
-				{line: 4, text: "}"},
-			},
-		},
-		{
-			input: `"C:\php\php-cgi.exe"`,
-			expected: []token{
-				{line: 1, text: `C:\php\php-cgi.exe`},
-			},
-		},
-		{
-			input: `empty "" string`,
-			expected: []token{
-				{line: 1, text: `empty`},
-				{line: 1, text: ``},
-				{line: 1, text: `string`},
-			},
-		},
-		{
-			input: "skip those\r\nCR characters",
-			expected: []token{
-				{line: 1, text: "skip"},
-				{line: 1, text: "those"},
-				{line: 2, text: "CR"},
-				{line: 2, text: "characters"},
-			},
-		},
-	}
-
-	for i, testCase := range testCases {
-		actual := tokenize(testCase.input)
-		lexerCompare(t, i, testCase.expected, actual)
-	}
-}
-
-func tokenize(input string) (tokens []token) {
-	l := lexer{}
-	l.load(strings.NewReader(input))
-	for l.next() {
-		tokens = append(tokens, l.token)
-	}
-	return
-}
-
-func lexerCompare(t *testing.T, n int, expected, actual []token) {
-	if len(expected) != len(actual) {
-		t.Errorf("Test case %d: expected %d token(s) but got %d", n, len(expected), len(actual))
-	}
-
-	for i := 0; i < len(actual) && i < len(expected); i++ {
-		if actual[i].line != expected[i].line {
-			t.Errorf("Test case %d token %d ('%s'): expected line %d but was line %d",
-				n, i, expected[i].text, expected[i].line, actual[i].line)
-			break
-		}
-		if actual[i].text != expected[i].text {
-			t.Errorf("Test case %d token %d: expected text '%s' but was '%s'",
-				n, i, expected[i].text, actual[i].text)
-			break
-		}
-	}
-}
@@ -1,31 +0,0 @@
-// Package parse provides facilities for parsing configuration files.
-package parse
-
-import "io"
-
-// ServerBlocks parses the input just enough to organize tokens,
-// in order, by server block. No further parsing is performed.
-// If checkDirectives is true, only valid directives will be allowed
-// otherwise we consider it a parse error. Server blocks are returned
-// in the order in which they appear.
-func ServerBlocks(filename string, input io.Reader, checkDirectives bool) ([]serverBlock, error) {
-	p := parser{Dispenser: NewDispenser(filename, input), checkDirectives: checkDirectives}
-	blocks, err := p.parseAll()
-	return blocks, err
-}
-
-// allTokens lexes the entire input, but does not parse it.
-// It returns all the tokens from the input, unstructured
-// and in order.
-func allTokens(input io.Reader) (tokens []token) {
-	l := new(lexer)
-	l.load(input)
-	for l.next() {
-		tokens = append(tokens, l.token)
-	}
-	return
-}
-
-// Set of directives that are valid (unordered). Populated
-// by config package's init function.
-var ValidDirectives = make(map[string]struct{})
@@ -1,22 +0,0 @@
-package parse
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestAllTokens(t *testing.T) {
-	input := strings.NewReader("a b c\nd e")
-	expected := []string{"a", "b", "c", "d", "e"}
-	tokens := allTokens(input)
-
-	if len(tokens) != len(expected) {
-		t.Fatalf("Expected %d tokens, got %d", len(expected), len(tokens))
-	}
-
-	for i, val := range expected {
-		if tokens[i].text != val {
-			t.Errorf("Token %d should be '%s' but was '%s'", i, val, tokens[i].text)
-		}
-	}
-}
@@ -1,329 +0,0 @@
-package parse
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-type parser struct {
-	Dispenser
-	block           serverBlock // current server block being parsed
-	eof             bool        // if we encounter a valid EOF in a hard place
-	checkDirectives bool        // if true, directives must be known
-}
-
-func (p *parser) parseAll() ([]serverBlock, error) {
-	var blocks []serverBlock
-
-	for p.Next() {
-		err := p.parseOne()
-		if err != nil {
-			return blocks, err
-		}
-		if len(p.block.Addresses) > 0 {
-			blocks = append(blocks, p.block)
-		}
-	}
-
-	return blocks, nil
-}
-
-func (p *parser) parseOne() error {
-	p.block = serverBlock{Tokens: make(map[string][]token)}
-
-	err := p.begin()
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (p *parser) begin() error {
-	if len(p.tokens) == 0 {
-		return nil
-	}
-
-	err := p.addresses()
-	if err != nil {
-		return err
-	}
-
-	if p.eof {
-		// this happens if the Caddyfile consists of only
-		// a line of addresses and nothing else
-		return nil
-	}
-
-	err = p.blockContents()
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (p *parser) addresses() error {
-	var expectingAnother bool
-
-	for {
-		tkn := p.Val()
-
-		// special case: import directive replaces tokens during parse-time
-		if tkn == "import" && p.isNewLine() {
-			err := p.doImport()
-			if err != nil {
-				return err
-			}
-			continue
-		}
-
-		// Open brace definitely indicates end of addresses
-		if tkn == "{" {
-			if expectingAnother {
-				return p.Errf("Expected another address but had '%s' - check for extra comma", tkn)
-			}
-			break
-		}
-
-		if tkn != "" { // empty token possible if user typed "" in Caddyfile
-			// Trailing comma indicates another address will follow, which
-			// may possibly be on the next line
-			if tkn[len(tkn)-1] == ',' {
-				tkn = tkn[:len(tkn)-1]
-				expectingAnother = true
-			} else {
-				expectingAnother = false // but we may still see another one on this line
-			}
-
-			// Parse and save this address
-			host, port, err := standardAddress(tkn)
-			if err != nil {
-				return err
-			}
-			p.block.Addresses = append(p.block.Addresses, address{host, port})
-		}
-
-		// Advance token and possibly break out of loop or return error
-		hasNext := p.Next()
-		if expectingAnother && !hasNext {
-			return p.EOFErr()
-		}
-		if !hasNext {
-			p.eof = true
-			break // EOF
-		}
-		if !expectingAnother && p.isNewLine() {
-			break
-		}
-	}
-
-	return nil
-}
-
-func (p *parser) blockContents() error {
-	errOpenCurlyBrace := p.openCurlyBrace()
-	if errOpenCurlyBrace != nil {
-		// single-server configs don't need curly braces
-		p.cursor--
-	}
-
-	err := p.directives()
-	if err != nil {
-		return err
-	}
-
-	// Only look for close curly brace if there was an opening
-	if errOpenCurlyBrace == nil {
-		err = p.closeCurlyBrace()
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// directives parses through all the lines for directives
-// and it expects the next token to be the first
-// directive. It goes until EOF or closing curly brace
-// which ends the server block.
-func (p *parser) directives() error {
-	for p.Next() {
-		// end of server block
-		if p.Val() == "}" {
-			break
-		}
-
-		// special case: import directive replaces tokens during parse-time
-		if p.Val() == "import" {
-			err := p.doImport()
-			if err != nil {
-				return err
-			}
-			p.cursor-- // cursor is advanced when we continue, so roll back one more
-			continue
-		}
-
-		// normal case: parse a directive on this line
-		if err := p.directive(); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// doImport swaps out the import directive and its argument
-// (a total of 2 tokens) with the tokens in the file specified.
-// When the function returns, the cursor is on the token before
-// where the import directive was. In other words, call Next()
-// to access the first token that was imported.
-func (p *parser) doImport() error {
-	if !p.NextArg() {
-		return p.ArgErr()
-	}
-	importFile := p.Val()
-	if p.NextArg() {
-		return p.Err("Import allows only one file to import")
-	}
-
-	file, err := os.Open(importFile)
-	if err != nil {
-		return p.Errf("Could not import %s - %v", importFile, err)
-	}
-	defer file.Close()
-	importedTokens := allTokens(file)
-
-	// Tack the filename onto these tokens so any errors show the imported file's name
-	for i := 0; i < len(importedTokens); i++ {
-		importedTokens[i].file = filepath.Base(importFile)
-	}
-
-	// Splice out the import directive and its argument (2 tokens total)
-	// and insert the imported tokens in their place.
-	tokensBefore := p.tokens[:p.cursor-1]
-	tokensAfter := p.tokens[p.cursor+1:]
-	p.tokens = append(tokensBefore, append(importedTokens, tokensAfter...)...)
-	p.cursor-- // cursor was advanced one position to read the filename; rewind it
-
-	return nil
-}
-
-// directive collects tokens until the directive's scope
-// closes (either end of line or end of curly brace block).
-// It expects the currently-loaded token to be a directive
-// (or } that ends a server block). The collected tokens
-// are loaded into the current server block for later use
-// by directive setup functions.
-func (p *parser) directive() error {
-	dir := p.Val()
-	nesting := 0
-
-	if p.checkDirectives {
-		if _, ok := ValidDirectives[dir]; !ok {
-			return p.Errf("Unknown directive '%s'", dir)
-		}
-	}
-
-	// The directive itself is appended as a relevant token
-	p.block.Tokens[dir] = append(p.block.Tokens[dir], p.tokens[p.cursor])
-
-	for p.Next() {
-		if p.Val() == "{" {
-			nesting++
-		} else if p.isNewLine() && nesting == 0 {
-			p.cursor-- // read too far
-			break
-		} else if p.Val() == "}" && nesting > 0 {
-			nesting--
-		} else if p.Val() == "}" && nesting == 0 {
-			return p.Err("Unexpected '}' because no matching opening brace")
-		}
-		p.block.Tokens[dir] = append(p.block.Tokens[dir], p.tokens[p.cursor])
-	}
-
-	if nesting > 0 {
-		return p.EOFErr()
-	}
-	return nil
-}
-
-// openCurlyBrace expects the current token to be an
-// opening curly brace. This acts like an assertion
-// because it returns an error if the token is not
-// a opening curly brace. It does NOT advance the token.
-func (p *parser) openCurlyBrace() error {
-	if p.Val() != "{" {
-		return p.SyntaxErr("{")
-	}
-	return nil
-}
-
-// closeCurlyBrace expects the current token to be
-// a closing curly brace. This acts like an assertion
-// because it returns an error if the token is not
-// a closing curly brace. It does NOT advance the token.
-func (p *parser) closeCurlyBrace() error {
-	if p.Val() != "}" {
-		return p.SyntaxErr("}")
-	}
-	return nil
-}
-
-// standardAddress turns the accepted host and port patterns
-// into a format accepted by net.Dial.
-func standardAddress(str string) (host, port string, err error) {
-	var schemePort, splitPort string
-
-	if strings.HasPrefix(str, "https://") {
-		schemePort = "https"
-		str = str[8:]
-	} else if strings.HasPrefix(str, "http://") {
-		schemePort = "http"
-		str = str[7:]
-	}
-
-	host, splitPort, err = net.SplitHostPort(str)
-	if err != nil {
-		host, splitPort, err = net.SplitHostPort(str + ":") // tack on empty port
-	}
-	if err != nil {
-		// ¯\_(ツ)_/¯
-		host = str
-	}
-
-	if splitPort != "" {
-		port = splitPort
-	} else {
-		port = schemePort
-	}
-
-	return
-}
-
-type (
-	// serverBlock associates tokens with a list of addresses
-	// and groups tokens by directive name.
-	serverBlock struct {
-		Addresses []address
-		Tokens    map[string][]token
-	}
-
-	address struct {
-		Host, Port string
-	}
-)
-
-// HostList converts the list of addresses (hosts)
-// that are associated with this server block into
-// a slice of strings. Each string is a host:port
-// combination.
-func (sb serverBlock) HostList() []string {
-	sbHosts := make([]string, len(sb.Addresses))
-	for j, addr := range sb.Addresses {
-		sbHosts[j] = net.JoinHostPort(addr.Host, addr.Port)
-	}
-	return sbHosts
-}
@@ -1,380 +0,0 @@
-package parse
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestStandardAddress(t *testing.T) {
-	for i, test := range []struct {
-		input      string
-		host, port string
-		shouldErr  bool
-	}{
-		{`localhost`, "localhost", "", false},
-		{`localhost:1234`, "localhost", "1234", false},
-		{`localhost:`, "localhost", "", false},
-		{`0.0.0.0`, "0.0.0.0", "", false},
-		{`127.0.0.1:1234`, "127.0.0.1", "1234", false},
-		{`:1234`, "", "1234", false},
-		{`[::1]`, "::1", "", false},
-		{`[::1]:1234`, "::1", "1234", false},
-		{`:`, "", "", false},
-		{`localhost:http`, "localhost", "http", false},
-		{`localhost:https`, "localhost", "https", false},
-		{`:http`, "", "http", false},
-		{`:https`, "", "https", false},
-		{`http://localhost`, "localhost", "http", false},
-		{`https://localhost`, "localhost", "https", false},
-		{`http://127.0.0.1`, "127.0.0.1", "http", false},
-		{`https://127.0.0.1`, "127.0.0.1", "https", false},
-		{`http://[::1]`, "::1", "http", false},
-		{`http://localhost:1234`, "localhost", "1234", false},
-		{`https://127.0.0.1:1234`, "127.0.0.1", "1234", false},
-		{`http://[::1]:1234`, "::1", "1234", false},
-		{``, "", "", false},
-		{`::1`, "::1", "", true},
-		{`localhost::`, "localhost::", "", true},
-		{`#$%@`, "#$%@", "", true},
-	} {
-		host, port, err := standardAddress(test.input)
-
-		if err != nil && !test.shouldErr {
-			t.Errorf("Test %d: Expected no error, but had error: %v", i, err)
-		}
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d: Expected error, but had none", i)
-		}
-
-		if host != test.host {
-			t.Errorf("Test %d: Expected host '%s', got '%s'", i, test.host, host)
-		}
-
-		if port != test.port {
-			t.Errorf("Test %d: Expected port '%s', got '%s'", i, test.port, port)
-		}
-	}
-}
-
-func TestParseOneAndImport(t *testing.T) {
-	setupParseTests()
-
-	testParseOne := func(input string) (serverBlock, error) {
-		p := testParser(input)
-		p.Next() // parseOne doesn't call Next() to start, so we must
-		err := p.parseOne()
-		return p.block, err
-	}
-
-	for i, test := range []struct {
-		input     string
-		shouldErr bool
-		addresses []address
-		tokens    map[string]int // map of directive name to number of tokens expected
-	}{
-		{`localhost`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{}},
-
-		{`localhost
-		  dir1`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 1,
-		}},
-
-		{`localhost:1234
-		  dir1 foo bar`, false, []address{
-			{"localhost", "1234"},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`localhost {
-		    dir1
-		  }`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 1,
-		}},
-
-		{`localhost:1234 {
-		    dir1 foo bar
-		    dir2
-		  }`, false, []address{
-			{"localhost", "1234"},
-		}, map[string]int{
-			"dir1": 3,
-			"dir2": 1,
-		}},
-
-		{`http://localhost https://localhost
-		  dir1 foo bar`, false, []address{
-			{"localhost", "http"},
-			{"localhost", "https"},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`http://localhost https://localhost {
-		    dir1 foo bar
-		  }`, false, []address{
-			{"localhost", "http"},
-			{"localhost", "https"},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`http://localhost, https://localhost {
-		    dir1 foo bar
-		  }`, false, []address{
-			{"localhost", "http"},
-			{"localhost", "https"},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`http://localhost, {
-		  }`, true, []address{
-			{"localhost", "http"},
-		}, map[string]int{}},
-
-		{`host1:80, http://host2.com
-		  dir1 foo bar
-		  dir2 baz`, false, []address{
-			{"host1", "80"},
-			{"host2.com", "http"},
-		}, map[string]int{
-			"dir1": 3,
-			"dir2": 2,
-		}},
-
-		{`http://host1.com,
-		  http://host2.com,
-		  https://host3.com`, false, []address{
-			{"host1.com", "http"},
-			{"host2.com", "http"},
-			{"host3.com", "https"},
-		}, map[string]int{}},
-
-		{`http://host1.com:1234, https://host2.com
-		  dir1 foo {
-		    bar baz
-		  }
-		  dir2`, false, []address{
-			{"host1.com", "1234"},
-			{"host2.com", "https"},
-		}, map[string]int{
-			"dir1": 6,
-			"dir2": 1,
-		}},
-
-		{`127.0.0.1
-		  dir1 {
-		    bar baz
-		  }
-		  dir2 {
-		    foo bar
-		  }`, false, []address{
-			{"127.0.0.1", ""},
-		}, map[string]int{
-			"dir1": 5,
-			"dir2": 5,
-		}},
-
-		{`127.0.0.1
-		  unknown_directive`, true, []address{
-			{"127.0.0.1", ""},
-		}, map[string]int{}},
-
-		{`localhost
-		  dir1 {
-		    foo`, true, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`localhost
-		  dir1 {
-		  }`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`localhost
-		  dir1 {
-		  } }`, true, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 3,
-		}},
-
-		{`localhost
-		  dir1 {
-		    nested {
-		      foo
-		    }
-		  }
-		  dir2 foo bar`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 7,
-			"dir2": 3,
-		}},
-
-		{``, false, []address{}, map[string]int{}},
-
-		{`localhost
-		  dir1 arg1
-		  import import_test1.txt`, false, []address{
-			{"localhost", ""},
-		}, map[string]int{
-			"dir1": 2,
-			"dir2": 3,
-			"dir3": 1,
-		}},
-
-		{`import import_test2.txt`, false, []address{
-			{"host1", ""},
-		}, map[string]int{
-			"dir1": 1,
-			"dir2": 2,
-		}},
-
-		{`import import_test1.txt import_test2.txt`, true, []address{}, map[string]int{}},
-
-		{`import not_found.txt`, true, []address{}, map[string]int{}},
-
-		{`""`, false, []address{}, map[string]int{}},
-
-		{``, false, []address{}, map[string]int{}},
-	} {
-		result, err := testParseOne(test.input)
-
-		if test.shouldErr && err == nil {
-			t.Errorf("Test %d: Expected an error, but didn't get one", i)
-		}
-		if !test.shouldErr && err != nil {
-			t.Errorf("Test %d: Expected no error, but got: %v", i, err)
-		}
-
-		if len(result.Addresses) != len(test.addresses) {
-			t.Errorf("Test %d: Expected %d addresses, got %d",
-				i, len(test.addresses), len(result.Addresses))
-			continue
-		}
-		for j, addr := range result.Addresses {
-			if addr.Host != test.addresses[j].Host {
-				t.Errorf("Test %d, address %d: Expected host to be '%s', but was '%s'",
-					i, j, test.addresses[j].Host, addr.Host)
-			}
-			if addr.Port != test.addresses[j].Port {
-				t.Errorf("Test %d, address %d: Expected port to be '%s', but was '%s'",
-					i, j, test.addresses[j].Port, addr.Port)
-			}
-		}
-
-		if len(result.Tokens) != len(test.tokens) {
-			t.Errorf("Test %d: Expected %d directives, had %d",
-				i, len(test.tokens), len(result.Tokens))
-			continue
-		}
-		for directive, tokens := range result.Tokens {
-			if len(tokens) != test.tokens[directive] {
-				t.Errorf("Test %d, directive '%s': Expected %d tokens, counted %d",
-					i, directive, test.tokens[directive], len(tokens))
-				continue
-			}
-		}
-	}
-}
-
-func TestParseAll(t *testing.T) {
-	setupParseTests()
-
-	for i, test := range []struct {
-		input     string
-		shouldErr bool
-		addresses [][]address // addresses per server block, in order
-	}{
-		{`localhost`, false, [][]address{
-			{{"localhost", ""}},
-		}},
-
-		{`localhost:1234`, false, [][]address{
-			[]address{{"localhost", "1234"}},
-		}},
-
-		{`localhost:1234 {
-		  }
-		  localhost:2015 {
-		  }`, false, [][]address{
-			[]address{{"localhost", "1234"}},
-			[]address{{"localhost", "2015"}},
-		}},
-
-		{`localhost:1234, http://host2`, false, [][]address{
-			[]address{{"localhost", "1234"}, {"host2", "http"}},
-		}},
-
-		{`localhost:1234, http://host2,`, true, [][]address{}},
-
-		{`http://host1.com, http://host2.com {
-		  }
-		  https://host3.com, https://host4.com {
-		  }`, false, [][]address{
-			[]address{{"host1.com", "http"}, {"host2.com", "http"}},
-			[]address{{"host3.com", "https"}, {"host4.com", "https"}},
-		}},
-	} {
-		p := testParser(test.input)
-		blocks, err := p.parseAll()
-
-		if test.shouldErr && err == nil {
-			t.Errorf("Test %d: Expected an error, but didn't get one", i)
-		}
-		if !test.shouldErr && err != nil {
-			t.Errorf("Test %d: Expected no error, but got: %v", i, err)
-		}
-
-		if len(blocks) != len(test.addresses) {
-			t.Errorf("Test %d: Expected %d server blocks, got %d",
-				i, len(test.addresses), len(blocks))
-			continue
-		}
-		for j, block := range blocks {
-			if len(block.Addresses) != len(test.addresses[j]) {
-				t.Errorf("Test %d: Expected %d addresses in block %d, got %d",
-					i, len(test.addresses[j]), j, len(block.Addresses))
-				continue
-			}
-			for k, addr := range block.Addresses {
-				if addr.Host != test.addresses[j][k].Host {
-					t.Errorf("Test %d, block %d, address %d: Expected host to be '%s', but was '%s'",
-						i, j, k, test.addresses[j][k].Host, addr.Host)
-				}
-				if addr.Port != test.addresses[j][k].Port {
-					t.Errorf("Test %d, block %d, address %d: Expected port to be '%s', but was '%s'",
-						i, j, k, test.addresses[j][k].Port, addr.Port)
-				}
-			}
-		}
-	}
-}
-
-func setupParseTests() {
-	// Set up some bogus directives for testing
-	ValidDirectives = map[string]struct{}{
-		"dir1": {},
-		"dir2": {},
-		"dir3": {},
-	}
-}
-
-func testParser(input string) parser {
-	buf := strings.NewReader(input)
-	p := parser{Dispenser: NewDispenser("Test", buf), checkDirectives: true}
-	return p
-}
@@ -1,102 +0,0 @@
-// +build !windows
-
-package caddy
-
-import (
-	"encoding/gob"
-	"io/ioutil"
-	"log"
-	"os"
-	"syscall"
-)
-
-func init() {
-	gob.Register(CaddyfileInput{})
-}
-
-// Restart restarts the entire application; gracefully with zero
-// downtime if on a POSIX-compatible system, or forcefully if on
-// Windows but with imperceptibly-short downtime.
-//
-// The restarted application will use newCaddyfile as its input
-// configuration. If newCaddyfile is nil, the current (existing)
-// Caddyfile configuration will be used.
-//
-// Note: The process must exist in the same place on the disk in
-// order for this to work. Thus, multiple graceful restarts don't
-// work if executing with `go run`, since the binary is cleaned up
-// when `go run` sees the initial parent process exit.
-func Restart(newCaddyfile Input) error {
-	if newCaddyfile == nil {
-		caddyfileMu.Lock()
-		newCaddyfile = caddyfile
-		caddyfileMu.Unlock()
-	}
-
-	if len(os.Args) == 0 { // this should never happen...
-		os.Args = []string{""}
-	}
-
-	// Tell the child that it's a restart
-	os.Setenv("CADDY_RESTART", "true")
-
-	// Prepare our payload to the child process
-	cdyfileGob := caddyfileGob{
-		ListenerFds: make(map[string]uintptr),
-		Caddyfile:   newCaddyfile,
-	}
-
-	// Prepare a pipe to the fork's stdin so it can get the Caddyfile
-	rpipe, wpipe, err := os.Pipe()
-	if err != nil {
-		return err
-	}
-
-	// Prepare a pipe that the child process will use to communicate
-	// its success or failure with us, the parent
-	sigrpipe, sigwpipe, err := os.Pipe()
-	if err != nil {
-		return err
-	}
-
-	// Pass along current environment and file descriptors to child.
-	// Ordering here is very important: stdin, stdout, stderr, sigpipe,
-	// and then the listener file descriptors (in order).
-	fds := []uintptr{rpipe.Fd(), os.Stdout.Fd(), os.Stderr.Fd(), sigwpipe.Fd()}
-
-	// Now add file descriptors of the sockets
-	serversMu.Lock()
-	for i, s := range servers {
-		fds = append(fds, s.ListenerFd())
-		cdyfileGob.ListenerFds[s.Addr] = uintptr(4 + i) // 4 fds come before any of the listeners
-	}
-	serversMu.Unlock()
-
-	// Fork the process with the current environment and file descriptors
-	execSpec := &syscall.ProcAttr{
-		Env:   os.Environ(),
-		Files: fds,
-	}
-	_, err = syscall.ForkExec(os.Args[0], os.Args, execSpec)
-	if err != nil {
-		return err
-	}
-
-	// Feed it the Caddyfile
-	err = gob.NewEncoder(wpipe).Encode(cdyfileGob)
-	if err != nil {
-		return err
-	}
-	wpipe.Close()
-
-	// Wait for child process to signal success or fail
-	sigwpipe.Close() // close our copy of the write end of the pipe or we might be stuck
-	answer, err := ioutil.ReadAll(sigrpipe)
-	if err != nil || len(answer) == 0 {
-		log.Println("restart: child failed to initialize; changes not applied")
-		return incompleteRestartErr
-	}
-
-	// Child process is listening now; we can stop all our servers here.
-	return Stop()
-}
@@ -1,25 +0,0 @@
-package caddy
-
-func Restart(newCaddyfile Input) error {
-	if newCaddyfile == nil {
-		caddyfileMu.Lock()
-		newCaddyfile = caddyfile
-		caddyfileMu.Unlock()
-	}
-
-	wg.Add(1) // barrier so Wait() doesn't unblock
-
-	err := Stop()
-	if err != nil {
-		return err
-	}
-
-	err = Start(newCaddyfile)
-	if err != nil {
-		return err
-	}
-
-	wg.Done() // take down our barrier
-
-	return nil
-}
@@ -1,72 +0,0 @@
-package setup
-
-import (
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/basicauth"
-)
-
-// BasicAuth configures a new BasicAuth middleware instance.
-func BasicAuth(c *Controller) (middleware.Middleware, error) {
-	root := c.Root
-
-	rules, err := basicAuthParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	basic := basicauth.BasicAuth{Rules: rules}
-
-	return func(next middleware.Handler) middleware.Handler {
-		basic.Next = next
-		basic.SiteRoot = root
-		return basic
-	}, nil
-}
-
-func basicAuthParse(c *Controller) ([]basicauth.Rule, error) {
-	var rules []basicauth.Rule
-
-	var err error
-	for c.Next() {
-		var rule basicauth.Rule
-
-		args := c.RemainingArgs()
-
-		switch len(args) {
-		case 2:
-			rule.Username = args[0]
-			if rule.Password, err = passwordMatcher(rule.Username, args[1], c.Root); err != nil {
-				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
-			}
-
-			for c.NextBlock() {
-				rule.Resources = append(rule.Resources, c.Val())
-				if c.NextArg() {
-					return rules, c.Errf("Expecting only one resource per line (extra '%s')", c.Val())
-				}
-			}
-		case 3:
-			rule.Resources = append(rule.Resources, args[0])
-			rule.Username = args[1]
-			if rule.Password, err = passwordMatcher(rule.Username, args[2], c.Root); err != nil {
-				return rules, c.Errf("Get password matcher from %s: %v", c.Val(), err)
-			}
-		default:
-			return rules, c.ArgErr()
-		}
-
-		rules = append(rules, rule)
-	}
-
-	return rules, nil
-}
-
-func passwordMatcher(username, passw, siteRoot string) (basicauth.PasswordMatcher, error) {
-	if !strings.HasPrefix(passw, "htpasswd=") {
-		return basicauth.PlainMatcher(passw), nil
-	}
-
-	return basicauth.GetHtpasswdMatcher(passw[9:], username, siteRoot)
-}
@@ -1,132 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-	"testing"
-
-	"github.com/mholt/caddy/middleware/basicauth"
-)
-
-func TestBasicAuth(t *testing.T) {
-	c := NewTestController(`basicauth user pwd`)
-
-	mid, err := BasicAuth(c)
-	if err != nil {
-		t.Errorf("Expected no errors, but got: %v", err)
-	}
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(basicauth.BasicAuth)
-	if !ok {
-		t.Fatalf("Expected handler to be type BasicAuth, got: %#v", handler)
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-}
-
-func TestBasicAuthParse(t *testing.T) {
-	htpasswdPasswd := "IedFOuGmTpT8"
-	htpasswdFile := `sha1:{SHA}dcAUljwz99qFjYR0YLTXx0RqLww=
-md5:$apr1$l42y8rex$pOA2VJ0x/0TwaFeAF9nX61`
-
-	var skipHtpassword bool
-	htfh, err := ioutil.TempFile(".", "basicauth-")
-	if err != nil {
-		t.Logf("Error creating temp file (%v), will skip htpassword test", err)
-		skipHtpassword = true
-	} else {
-		if _, err = htfh.Write([]byte(htpasswdFile)); err != nil {
-			t.Fatalf("write htpasswd file %q: %v", htfh.Name(), err)
-		}
-		htfh.Close()
-		defer os.Remove(htfh.Name())
-	}
-
-	tests := []struct {
-		input     string
-		shouldErr bool
-		password  string
-		expected  []basicauth.Rule
-	}{
-		{`basicauth user pwd`, false, "pwd", []basicauth.Rule{
-			{Username: "user"},
-		}},
-		{`basicauth user pwd {
-		}`, false, "pwd", []basicauth.Rule{
-			{Username: "user"},
-		}},
-		{`basicauth user pwd {
-			/resource1
-			/resource2
-		}`, false, "pwd", []basicauth.Rule{
-			{Username: "user", Resources: []string{"/resource1", "/resource2"}},
-		}},
-		{`basicauth /resource user pwd`, false, "pwd", []basicauth.Rule{
-			{Username: "user", Resources: []string{"/resource"}},
-		}},
-		{`basicauth /res1 user1 pwd1
-		  basicauth /res2 user2 pwd2`, false, "pwd", []basicauth.Rule{
-			{Username: "user1", Resources: []string{"/res1"}},
-			{Username: "user2", Resources: []string{"/res2"}},
-		}},
-		{`basicauth user`, true, "", []basicauth.Rule{}},
-		{`basicauth`, true, "", []basicauth.Rule{}},
-		{`basicauth /resource user pwd asdf`, true, "", []basicauth.Rule{}},
-
-		{`basicauth sha1 htpasswd=` + htfh.Name(), false, htpasswdPasswd, []basicauth.Rule{
-			{Username: "sha1"},
-		}},
-	}
-
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		actual, err := basicAuthParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-
-		if len(actual) != len(test.expected) {
-			t.Fatalf("Test %d expected %d rules, but got %d",
-				i, len(test.expected), len(actual))
-		}
-
-		for j, expectedRule := range test.expected {
-			actualRule := actual[j]
-
-			if actualRule.Username != expectedRule.Username {
-				t.Errorf("Test %d, rule %d: Expected username '%s', got '%s'",
-					i, j, expectedRule.Username, actualRule.Username)
-			}
-
-			if strings.Contains(test.input, "htpasswd=") && skipHtpassword {
-				continue
-			}
-			pwd := test.password
-			if len(actual) > 1 {
-				pwd = fmt.Sprintf("%s%d", pwd, j+1)
-			}
-			if !actualRule.Password(pwd) || actualRule.Password(test.password+"!") {
-				t.Errorf("Test %d, rule %d: Expected password '%v', got '%v'",
-					i, j, test.password, actualRule.Password)
-			}
-
-			expectedRes := fmt.Sprintf("%v", expectedRule.Resources)
-			actualRes := fmt.Sprintf("%v", actualRule.Resources)
-			if actualRes != expectedRes {
-				t.Errorf("Test %d, rule %d: Expected resource list %s, but got %s",
-					i, j, expectedRes, actualRes)
-			}
-		}
-	}
-}
@@ -1,12 +0,0 @@
-package setup
-
-import "github.com/mholt/caddy/middleware"
-
-func BindHost(c *Controller) (middleware.Middleware, error) {
-	for c.Next() {
-		if !c.Args(&c.BindHost) {
-			return nil, c.ArgErr()
-		}
-	}
-	return nil, nil
-}
@@ -1,256 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"io/ioutil"
-	"text/template"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/browse"
-)
-
-// Browse configures a new Browse middleware instance.
-func Browse(c *Controller) (middleware.Middleware, error) {
-	configs, err := browseParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	browse := browse.Browse{
-		Root:          c.Root,
-		Configs:       configs,
-		IgnoreIndexes: false,
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		browse.Next = next
-		return browse
-	}, nil
-}
-
-func browseParse(c *Controller) ([]browse.Config, error) {
-	var configs []browse.Config
-
-	appendCfg := func(bc browse.Config) error {
-		for _, c := range configs {
-			if c.PathScope == bc.PathScope {
-				return fmt.Errorf("duplicate browsing config for %s", c.PathScope)
-			}
-		}
-		configs = append(configs, bc)
-		return nil
-	}
-
-	for c.Next() {
-		var bc browse.Config
-
-		// First argument is directory to allow browsing; default is site root
-		if c.NextArg() {
-			bc.PathScope = c.Val()
-		} else {
-			bc.PathScope = "/"
-		}
-
-		// Second argument would be the template file to use
-		var tplText string
-		if c.NextArg() {
-			tplBytes, err := ioutil.ReadFile(c.Val())
-			if err != nil {
-				return configs, err
-			}
-			tplText = string(tplBytes)
-		} else {
-			tplText = defaultTemplate
-		}
-
-		// Build the template
-		tpl, err := template.New("listing").Parse(tplText)
-		if err != nil {
-			return configs, err
-		}
-		bc.Template = tpl
-
-		// Save configuration
-		err = appendCfg(bc)
-		if err != nil {
-			return configs, err
-		}
-	}
-
-	return configs, nil
-}
-
-// The default template to use when serving up directory listings
-const defaultTemplate = `<!DOCTYPE html>
-<html>
-	<head>
-		<title>{{.Name}}</title>
-		<meta charset="utf-8">
-<style>
-* { padding: 0; margin: 0; }
-
-body {
-	padding: 1% 2%;
-	font: 16px Arial;
-}
-
-header {
-	font-size: 45px;
-	padding: 25px;
-}
-
-header a {
-	text-decoration: none;
-	color: inherit;
-}
-
-header .up {
-	display: inline-block;
-	height: 50px;
-	width: 50px;
-	text-align: center;
-	margin-right: 20px;
-}
-
-header a.up:hover {
-	background: #000;
-	color: #FFF;
-}
-
-h1 {
-	font-size: 30px;
-	display: inline;
-}
-
-table {
-	border: 0;
-	border-collapse: collapse;
-	max-width: 750px;
-	margin: 0 auto;
-}
-
-th,
-td {
-	padding: 4px 20px;
-	vertical-align: middle;
-	line-height: 1.5em; /* emoji are kind of odd heights */
-}
-
-th {
-	text-align: left;
-}
-
-th a {
-	color: #000;
-	text-decoration: none;
-}
-
-@media (max-width: 700px) {
-	.hideable {
-		display: none;
-	}
-
-	body {
-		padding: 0;
-	}
-
-	header,
-	header h1 {
-		font-size: 16px;
-	}
-
-	header {
-		position: fixed;
-		top: 0;
-		width: 100%;
-		background: #333;
-		color: #FFF;
-		padding: 15px;
-		text-align: center;
-	}
-
-	header .up {
-		height: auto;
-		width: auto;
-		display: none;
-	}
-
-	header a.up {
-		display: inline-block;
-		position: absolute;
-		left: 0;
-		top: 0;
-		width: 40px;
-		height: 48px;
-		font-size: 35px;
-	}
-
-	header h1 {
-		font-weight: normal;
-	}
-
-	main {
-		margin-top: 70px;
-	}
-}
-
-.name {
-	white-space: pre;
-}
-</style>
-	</head>
-	<body>
-		<header>
-			{{if .CanGoUp}}
-			<a href=".." class="up" title="Up one level">&#11025;</a>
-			{{else}}
-			<div class="up">&nbsp;</div>
-			{{end}}
-
-			<h1>{{.Path}}</h1>
-		</header>
-		<main>
-			<table>
-				<tr>
-					<th>
-						{{if and (eq .Sort "name") (ne .Order "desc")}}
-						<a href="?sort=name&order=desc">Name &#9650;</a>
-						{{else if and (eq .Sort "name") (ne .Order "asc")}}
-						<a href="?sort=name&order=asc">Name &#9660;</a>
-						{{else}}
-						<a href="?sort=name&order=asc">Name</a>
-						{{end}}
-					</th>
-					<th>
-						{{if and (eq .Sort "size") (ne .Order "desc")}}
-						<a href="?sort=size&order=desc">Size &#9650;</a>
-						{{else if and (eq .Sort "size") (ne .Order "asc")}}
-						<a href="?sort=size&order=asc">Size &#9660;</a>
-						{{else}}
-						<a href="?sort=size&order=asc">Size</a>
-						{{end}}
-					</th>
-					<th class="hideable">
-						{{if and (eq .Sort "time") (ne .Order "desc")}}
-						<a href="?sort=time&order=desc">Modified &#9650;</a>
-						{{else if and (eq .Sort "time") (ne .Order "asc")}}
-						<a href="?sort=time&order=asc">Modified &#9660;</a>
-						{{else}}
-						<a href="?sort=time&order=asc">Modified</a>
-						{{end}}
-					</th>
-				</tr>
-				{{range .Items}}
-				<tr>
-					<td>
-						{{if .IsDir}}&#128194;{{else}}&#128196;{{end}}
-						<a href="{{.URL}}" class="name">{{.Name}}</a>
-					</td>
-					<td>{{.HumanSize}}</td>
-					<td class="hideable">{{.HumanModTime "01/02/2006 3:04:05 PM -0700"}}</td>
-				</tr>
-				{{end}}
-			</table>
-		</main>
-	</body>
-</html>`
@@ -1,83 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/mholt/caddy/caddy/parse"
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/server"
-)
-
-// Controller is given to the setup function of middlewares which
-// gives them access to be able to read tokens and set config. Each
-// virtualhost gets their own server config and dispenser.
-type Controller struct {
-	*server.Config
-	parse.Dispenser
-
-	// OncePerServerBlock is a function that executes f
-	// exactly once per server block, no matter how many
-	// hosts are associated with it. If it is the first
-	// time, the function f is executed immediately
-	// (not deferred) and may return an error which is
-	// returned by OncePerServerBlock.
-	OncePerServerBlock func(f func() error) error
-
-	// ServerBlockIndex is the 0-based index of the
-	// server block as it appeared in the input.
-	ServerBlockIndex int
-
-	// ServerBlockHostIndex is the 0-based index of this
-	// host as it appeared in the input at the head of the
-	// server block.
-	ServerBlockHostIndex int
-
-	// ServerBlockHosts is a list of hosts that are
-	// associated with this server block. All these
-	// hosts, consequently, share the same tokens.
-	ServerBlockHosts []string
-
-	// ServerBlockStorage is used by a directive's
-	// setup function to persist state between all
-	// the hosts on a server block.
-	ServerBlockStorage interface{}
-}
-
-// NewTestController creates a new *Controller for
-// the input specified, with a filename of "Testfile".
-// The Config is bare, consisting only of a Root of cwd.
-//
-// Used primarily for testing but needs to be exported so
-// add-ons can use this as a convenience. Does not initialize
-// the server-block-related fields.
-func NewTestController(input string) *Controller {
-	return &Controller{
-		Config: &server.Config{
-			Root: ".",
-		},
-		Dispenser: parse.NewDispenser("Testfile", strings.NewReader(input)),
-		OncePerServerBlock: func(f func() error) error {
-			return f()
-		},
-	}
-}
-
-// EmptyNext is a no-op function that can be passed into
-// middleware.Middleware functions so that the assignment
-// to the Next field of the Handler can be tested.
-//
-// Used primarily for testing but needs to be exported so
-// add-ons can use this as a convenience.
-var EmptyNext = middleware.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-	return 0, nil
-})
-
-// SameNext does a pointer comparison between next1 and next2.
-//
-// Used primarily for testing but needs to be exported so
-// add-ons can use this as a convenience.
-func SameNext(next1, next2 middleware.Handler) bool {
-	return fmt.Sprintf("%v", next1) == fmt.Sprintf("%v", next2)
-}
@@ -1,149 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"io"
-	"log"
-	"os"
-	"path/filepath"
-	"strconv"
-
-	"github.com/hashicorp/go-syslog"
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/errors"
-)
-
-// Errors configures a new gzip middleware instance.
-func Errors(c *Controller) (middleware.Middleware, error) {
-	handler, err := errorsParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	// Open the log file for writing when the server starts
-	c.Startup = append(c.Startup, func() error {
-		var err error
-		var writer io.Writer
-
-		switch handler.LogFile {
-		case "visible":
-			handler.Debug = true
-		case "stdout":
-			writer = os.Stdout
-		case "stderr":
-			writer = os.Stderr
-		case "syslog":
-			writer, err = gsyslog.NewLogger(gsyslog.LOG_ERR, "LOCAL0", "caddy")
-			if err != nil {
-				return err
-			}
-		default:
-			if handler.LogFile == "" {
-				writer = os.Stderr // default
-				break
-			}
-
-			var file *os.File
-			file, err = os.OpenFile(handler.LogFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644)
-			if err != nil {
-				return err
-			}
-			if handler.LogRoller != nil {
-				file.Close()
-
-				handler.LogRoller.Filename = handler.LogFile
-
-				writer = handler.LogRoller.GetLogWriter()
-			} else {
-				writer = file
-			}
-		}
-
-		handler.Log = log.New(writer, "", 0)
-		return nil
-	})
-
-	return func(next middleware.Handler) middleware.Handler {
-		handler.Next = next
-		return handler
-	}, nil
-}
-
-func errorsParse(c *Controller) (*errors.ErrorHandler, error) {
-	// Very important that we make a pointer because the Startup
-	// function that opens the log file must have access to the
-	// same instance of the handler, not a copy.
-	handler := &errors.ErrorHandler{ErrorPages: make(map[int]string)}
-
-	optionalBlock := func() (bool, error) {
-		var hadBlock bool
-
-		for c.NextBlock() {
-			hadBlock = true
-
-			what := c.Val()
-			if !c.NextArg() {
-				return hadBlock, c.ArgErr()
-			}
-			where := c.Val()
-
-			if what == "log" {
-				if where == "visible" {
-					handler.Debug = true
-				} else {
-					handler.LogFile = where
-					if c.NextArg() {
-						if c.Val() == "{" {
-							c.IncrNest()
-							logRoller, err := parseRoller(c)
-							if err != nil {
-								return hadBlock, err
-							}
-							handler.LogRoller = logRoller
-						}
-					}
-				}
-			} else {
-				// Error page; ensure it exists
-				where = filepath.Join(c.Root, where)
-				f, err := os.Open(where)
-				if err != nil {
-					fmt.Println("Warning: Unable to open error page '" + where + "': " + err.Error())
-				}
-				f.Close()
-
-				whatInt, err := strconv.Atoi(what)
-				if err != nil {
-					return hadBlock, c.Err("Expecting a numeric status code, got '" + what + "'")
-				}
-				handler.ErrorPages[whatInt] = where
-			}
-		}
-		return hadBlock, nil
-	}
-
-	for c.Next() {
-		// weird hack to avoid having the handler values overwritten.
-		if c.Val() == "}" {
-			continue
-		}
-		// Configuration may be in a block
-		hadBlock, err := optionalBlock()
-		if err != nil {
-			return handler, err
-		}
-
-		// Otherwise, the only argument would be an error log file name or 'visible'
-		if !hadBlock {
-			if c.NextArg() {
-				if c.Val() == "visible" {
-					handler.Debug = true
-				} else {
-					handler.LogFile = c.Val()
-				}
-			}
-		}
-	}
-
-	return handler, nil
-}
@@ -1,158 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/errors"
-)
-
-func TestErrors(t *testing.T) {
-	c := NewTestController(`errors`)
-	mid, err := Errors(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(*errors.ErrorHandler)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type ErrorHandler, got: %#v", handler)
-	}
-
-	if myHandler.LogFile != "" {
-		t.Errorf("Expected '%s' as the default LogFile", "")
-	}
-	if myHandler.LogRoller != nil {
-		t.Errorf("Expected LogRoller to be nil, got: %v", *myHandler.LogRoller)
-	}
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-	// Test Startup function
-	if len(c.Startup) == 0 {
-		t.Fatal("Expected 1 startup function, had 0")
-	}
-	err = c.Startup[0]()
-	if myHandler.Log == nil {
-		t.Error("Expected Log to be non-nil after startup because Debug is not enabled")
-	}
-}
-
-func TestErrorsParse(t *testing.T) {
-	tests := []struct {
-		inputErrorsRules     string
-		shouldErr            bool
-		expectedErrorHandler errors.ErrorHandler
-	}{
-		{`errors`, false, errors.ErrorHandler{
-			LogFile: "",
-		}},
-		{`errors errors.txt`, false, errors.ErrorHandler{
-			LogFile: "errors.txt",
-		}},
-		{`errors visible`, false, errors.ErrorHandler{
-			LogFile: "",
-			Debug:   true,
-		}},
-		{`errors { log visible }`, false, errors.ErrorHandler{
-			LogFile: "",
-			Debug:   true,
-		}},
-		{`errors { log errors.txt
-        404 404.html
-        500 500.html
-}`, false, errors.ErrorHandler{
-			LogFile: "errors.txt",
-			ErrorPages: map[int]string{
-				404: "404.html",
-				500: "500.html",
-			},
-		}},
-		{`errors { log errors.txt { size 2 age 10 keep 3 } }`, false, errors.ErrorHandler{
-			LogFile: "errors.txt",
-			LogRoller: &middleware.LogRoller{
-				MaxSize:    2,
-				MaxAge:     10,
-				MaxBackups: 3,
-				LocalTime:  true,
-			},
-		}},
-		{`errors { log errors.txt {
-            size 3
-            age 11
-            keep 5
-        }
-        404 404.html
-        503 503.html
-}`, false, errors.ErrorHandler{
-			LogFile: "errors.txt",
-			ErrorPages: map[int]string{
-				404: "404.html",
-				503: "503.html",
-			},
-			LogRoller: &middleware.LogRoller{
-				MaxSize:    3,
-				MaxAge:     11,
-				MaxBackups: 5,
-				LocalTime:  true,
-			},
-		}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputErrorsRules)
-		actualErrorsRule, err := errorsParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if actualErrorsRule.LogFile != test.expectedErrorHandler.LogFile {
-			t.Errorf("Test %d expected LogFile to be %s, but got %s",
-				i, test.expectedErrorHandler.LogFile, actualErrorsRule.LogFile)
-		}
-		if actualErrorsRule.Debug != test.expectedErrorHandler.Debug {
-			t.Errorf("Test %d expected Debug to be %v, but got %v",
-				i, test.expectedErrorHandler.Debug, actualErrorsRule.Debug)
-		}
-		if actualErrorsRule.LogRoller != nil && test.expectedErrorHandler.LogRoller == nil || actualErrorsRule.LogRoller == nil && test.expectedErrorHandler.LogRoller != nil {
-			t.Fatalf("Test %d expected LogRoller to be %v, but got %v",
-				i, test.expectedErrorHandler.LogRoller, actualErrorsRule.LogRoller)
-		}
-		if len(actualErrorsRule.ErrorPages) != len(test.expectedErrorHandler.ErrorPages) {
-			t.Fatalf("Test %d expected %d no of Error pages, but got %d ",
-				i, len(test.expectedErrorHandler.ErrorPages), len(actualErrorsRule.ErrorPages))
-		}
-		if actualErrorsRule.LogRoller != nil && test.expectedErrorHandler.LogRoller != nil {
-			if actualErrorsRule.LogRoller.Filename != test.expectedErrorHandler.LogRoller.Filename {
-				t.Fatalf("Test %d expected LogRoller Filename to be %s, but got %s",
-					i, test.expectedErrorHandler.LogRoller.Filename, actualErrorsRule.LogRoller.Filename)
-			}
-			if actualErrorsRule.LogRoller.MaxAge != test.expectedErrorHandler.LogRoller.MaxAge {
-				t.Fatalf("Test %d expected LogRoller MaxAge to be %d, but got %d",
-					i, test.expectedErrorHandler.LogRoller.MaxAge, actualErrorsRule.LogRoller.MaxAge)
-			}
-			if actualErrorsRule.LogRoller.MaxBackups != test.expectedErrorHandler.LogRoller.MaxBackups {
-				t.Fatalf("Test %d expected LogRoller MaxBackups to be %d, but got %d",
-					i, test.expectedErrorHandler.LogRoller.MaxBackups, actualErrorsRule.LogRoller.MaxBackups)
-			}
-			if actualErrorsRule.LogRoller.MaxSize != test.expectedErrorHandler.LogRoller.MaxSize {
-				t.Fatalf("Test %d expected LogRoller MaxSize to be %d, but got %d",
-					i, test.expectedErrorHandler.LogRoller.MaxSize, actualErrorsRule.LogRoller.MaxSize)
-			}
-			if actualErrorsRule.LogRoller.LocalTime != test.expectedErrorHandler.LogRoller.LocalTime {
-				t.Fatalf("Test %d expected LogRoller LocalTime to be %t, but got %t",
-					i, test.expectedErrorHandler.LogRoller.LocalTime, actualErrorsRule.LogRoller.LocalTime)
-			}
-		}
-	}
-
-}
@@ -1,54 +0,0 @@
-package setup
-
-import (
-	"os"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/extensions"
-)
-
-// Ext configures a new instance of 'extensions' middleware for clean URLs.
-func Ext(c *Controller) (middleware.Middleware, error) {
-	root := c.Root
-
-	exts, err := extParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return extensions.Ext{
-			Next:       next,
-			Extensions: exts,
-			Root:       root,
-		}
-	}, nil
-}
-
-// extParse sets up an instance of extension middleware
-// from a middleware controller and returns a list of extensions.
-func extParse(c *Controller) ([]string, error) {
-	var exts []string
-
-	for c.Next() {
-		// At least one extension is required
-		if !c.NextArg() {
-			return exts, c.ArgErr()
-		}
-		exts = append(exts, c.Val())
-
-		// Tack on any other extensions that may have been listed
-		exts = append(exts, c.RemainingArgs()...)
-	}
-
-	return exts, nil
-}
-
-// resourceExists returns true if the file specified at
-// root + path exists; false otherwise.
-func resourceExists(root, path string) bool {
-	_, err := os.Stat(root + path)
-	// technically we should use os.IsNotExist(err)
-	// but we don't handle any other kinds of errors anyway
-	return err == nil
-}
@@ -1,76 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware/extensions"
-)
-
-func TestExt(t *testing.T) {
-	c := NewTestController(`ext .html .htm .php`)
-
-	mid, err := Ext(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(extensions.Ext)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type Ext, got: %#v", handler)
-	}
-
-	if myHandler.Extensions[0] != ".html" {
-		t.Errorf("Expected .html in the list of Extensions")
-	}
-	if myHandler.Extensions[1] != ".htm" {
-		t.Errorf("Expected .htm in the list of Extensions")
-	}
-	if myHandler.Extensions[2] != ".php" {
-		t.Errorf("Expected .php in the list of Extensions")
-	}
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-}
-
-func TestExtParse(t *testing.T) {
-	tests := []struct {
-		inputExts    string
-		shouldErr    bool
-		expectedExts []string
-	}{
-		{`ext .html .htm .php`, false, []string{".html", ".htm", ".php"}},
-		{`ext .php .html .xml`, false, []string{".php", ".html", ".xml"}},
-		{`ext .txt .php .xml`, false, []string{".txt", ".php", ".xml"}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputExts)
-		actualExts, err := extParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-
-		if len(actualExts) != len(test.expectedExts) {
-			t.Fatalf("Test %d expected %d rules, but got %d",
-				i, len(test.expectedExts), len(actualExts))
-		}
-		for j, actualExt := range actualExts {
-			if actualExt != test.expectedExts[j] {
-				t.Fatalf("Test %d expected %dth extension to be  %s  , but got %s",
-					i, j, test.expectedExts[j], actualExt)
-			}
-		}
-	}
-
-}
@@ -1,110 +0,0 @@
-package setup
-
-import (
-	"errors"
-	"net/http"
-	"path/filepath"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/fastcgi"
-)
-
-// FastCGI configures a new FastCGI middleware instance.
-func FastCGI(c *Controller) (middleware.Middleware, error) {
-	absRoot, err := filepath.Abs(c.Root)
-	if err != nil {
-		return nil, err
-	}
-
-	rules, err := fastcgiParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return fastcgi.Handler{
-			Next:            next,
-			Rules:           rules,
-			Root:            c.Root,
-			AbsRoot:         absRoot,
-			FileSys:         http.Dir(c.Root),
-			SoftwareName:    c.AppName,
-			SoftwareVersion: c.AppVersion,
-			ServerName:      c.Host,
-			ServerPort:      c.Port,
-		}
-	}, nil
-}
-
-func fastcgiParse(c *Controller) ([]fastcgi.Rule, error) {
-	var rules []fastcgi.Rule
-
-	for c.Next() {
-		var rule fastcgi.Rule
-
-		args := c.RemainingArgs()
-
-		switch len(args) {
-		case 0:
-			return rules, c.ArgErr()
-		case 1:
-			rule.Path = "/"
-			rule.Address = args[0]
-		case 2:
-			rule.Path = args[0]
-			rule.Address = args[1]
-		case 3:
-			rule.Path = args[0]
-			rule.Address = args[1]
-			err := fastcgiPreset(args[2], &rule)
-			if err != nil {
-				return rules, c.Err("Invalid fastcgi rule preset '" + args[2] + "'")
-			}
-		}
-
-		for c.NextBlock() {
-			switch c.Val() {
-			case "ext":
-				if !c.NextArg() {
-					return rules, c.ArgErr()
-				}
-				rule.Ext = c.Val()
-			case "split":
-				if !c.NextArg() {
-					return rules, c.ArgErr()
-				}
-				rule.SplitPath = c.Val()
-			case "index":
-				args := c.RemainingArgs()
-				if len(args) == 0 {
-					return rules, c.ArgErr()
-				}
-				rule.IndexFiles = args
-			case "env":
-				envArgs := c.RemainingArgs()
-				if len(envArgs) < 2 {
-					return rules, c.ArgErr()
-				}
-				rule.EnvVars = append(rule.EnvVars, [2]string{envArgs[0], envArgs[1]})
-			}
-		}
-
-		rules = append(rules, rule)
-	}
-
-	return rules, nil
-}
-
-// fastcgiPreset configures rule according to name. It returns an error if
-// name is not a recognized preset name.
-func fastcgiPreset(name string, rule *fastcgi.Rule) error {
-	switch name {
-	case "php":
-		rule.Ext = ".php"
-		rule.SplitPath = ".php"
-		rule.IndexFiles = []string{"index.php"}
-	default:
-		return errors.New(name + " is not a valid preset name")
-	}
-	return nil
-}
@@ -1,107 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"github.com/mholt/caddy/middleware/fastcgi"
-	"testing"
-)
-
-func TestFastCGI(t *testing.T) {
-
-	c := NewTestController(`fastcgi / 127.0.0.1:9000`)
-
-	mid, err := FastCGI(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(fastcgi.Handler)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type , got: %#v", handler)
-	}
-
-	if myHandler.Rules[0].Path != "/" {
-		t.Errorf("Expected / as the Path")
-	}
-	if myHandler.Rules[0].Address != "127.0.0.1:9000" {
-		t.Errorf("Expected 127.0.0.1:9000 as the Address")
-	}
-
-}
-
-func TestFastcgiParse(t *testing.T) {
-	tests := []struct {
-		inputFastcgiConfig    string
-		shouldErr             bool
-		expectedFastcgiConfig []fastcgi.Rule
-	}{
-
-		{`fastcgi /blog 127.0.0.1:9000 php`,
-			false, []fastcgi.Rule{{
-				Path:       "/blog",
-				Address:    "127.0.0.1:9000",
-				Ext:        ".php",
-				SplitPath:  ".php",
-				IndexFiles: []string{"index.php"},
-			}}},
-		{`fastcgi / 127.0.0.1:9001 {
-	              split .html
-	              }`,
-			false, []fastcgi.Rule{{
-				Path:       "/",
-				Address:    "127.0.0.1:9001",
-				Ext:        "",
-				SplitPath:  ".html",
-				IndexFiles: []string{},
-			}}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputFastcgiConfig)
-		actualFastcgiConfigs, err := fastcgiParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if len(actualFastcgiConfigs) != len(test.expectedFastcgiConfig) {
-			t.Fatalf("Test %d expected %d no of FastCGI configs, but got %d ",
-				i, len(test.expectedFastcgiConfig), len(actualFastcgiConfigs))
-		}
-		for j, actualFastcgiConfig := range actualFastcgiConfigs {
-
-			if actualFastcgiConfig.Path != test.expectedFastcgiConfig[j].Path {
-				t.Errorf("Test %d expected %dth FastCGI Path to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].Path, actualFastcgiConfig.Path)
-			}
-
-			if actualFastcgiConfig.Address != test.expectedFastcgiConfig[j].Address {
-				t.Errorf("Test %d expected %dth FastCGI Address to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].Address, actualFastcgiConfig.Address)
-			}
-
-			if actualFastcgiConfig.Ext != test.expectedFastcgiConfig[j].Ext {
-				t.Errorf("Test %d expected %dth FastCGI Ext to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].Ext, actualFastcgiConfig.Ext)
-			}
-
-			if actualFastcgiConfig.SplitPath != test.expectedFastcgiConfig[j].SplitPath {
-				t.Errorf("Test %d expected %dth FastCGI SplitPath to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].SplitPath, actualFastcgiConfig.SplitPath)
-			}
-
-			if fmt.Sprint(actualFastcgiConfig.IndexFiles) != fmt.Sprint(test.expectedFastcgiConfig[j].IndexFiles) {
-				t.Errorf("Test %d expected %dth FastCGI IndexFiles to be  %s  , but got %s",
-					i, j, test.expectedFastcgiConfig[j].IndexFiles, actualFastcgiConfig.IndexFiles)
-			}
-		}
-	}
-
-}
@@ -1,95 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"strconv"
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/gzip"
-)
-
-// Gzip configures a new gzip middleware instance.
-func Gzip(c *Controller) (middleware.Middleware, error) {
-	configs, err := gzipParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return gzip.Gzip{Next: next, Configs: configs}
-	}, nil
-}
-
-func gzipParse(c *Controller) ([]gzip.Config, error) {
-	var configs []gzip.Config
-
-	for c.Next() {
-		config := gzip.Config{}
-
-		pathFilter := gzip.PathFilter{IgnoredPaths: make(gzip.Set)}
-		extFilter := gzip.ExtFilter{Exts: make(gzip.Set)}
-
-		// No extra args expected
-		if len(c.RemainingArgs()) > 0 {
-			return configs, c.ArgErr()
-		}
-
-		for c.NextBlock() {
-			switch c.Val() {
-			case "ext":
-				exts := c.RemainingArgs()
-				if len(exts) == 0 {
-					return configs, c.ArgErr()
-				}
-				for _, e := range exts {
-					if !strings.HasPrefix(e, ".") && e != gzip.ExtWildCard {
-						return configs, fmt.Errorf(`gzip: invalid extension "%v" (must start with dot)`, e)
-					}
-					extFilter.Exts.Add(e)
-				}
-			case "not":
-				paths := c.RemainingArgs()
-				if len(paths) == 0 {
-					return configs, c.ArgErr()
-				}
-				for _, p := range paths {
-					if p == "/" {
-						return configs, fmt.Errorf(`gzip: cannot exclude path "/" - remove directive entirely instead`)
-					}
-					if !strings.HasPrefix(p, "/") {
-						return configs, fmt.Errorf(`gzip: invalid path "%v" (must start with /)`, p)
-					}
-					pathFilter.IgnoredPaths.Add(p)
-				}
-			case "level":
-				if !c.NextArg() {
-					return configs, c.ArgErr()
-				}
-				level, _ := strconv.Atoi(c.Val())
-				config.Level = level
-			default:
-				return configs, c.ArgErr()
-			}
-		}
-
-		config.Filters = []gzip.Filter{}
-
-		// If ignored paths are specified, put in front to filter with path first
-		if len(pathFilter.IgnoredPaths) > 0 {
-			config.Filters = []gzip.Filter{pathFilter}
-		}
-
-		// Then, if extensions are specified, use those to filter.
-		// Otherwise, use default extensions filter.
-		if len(extFilter.Exts) > 0 {
-			config.Filters = append(config.Filters, extFilter)
-		} else {
-			config.Filters = append(config.Filters, gzip.DefaultExtFilter())
-		}
-
-		configs = append(configs, config)
-	}
-
-	return configs, nil
-}
@@ -1,86 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware/gzip"
-)
-
-func TestGzip(t *testing.T) {
-	c := NewTestController(`gzip`)
-
-	mid, err := Gzip(c)
-	if err != nil {
-		t.Errorf("Expected no errors, but got: %v", err)
-	}
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(gzip.Gzip)
-	if !ok {
-		t.Fatalf("Expected handler to be type Gzip, got: %#v", handler)
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-	tests := []struct {
-		input     string
-		shouldErr bool
-	}{
-		{`gzip {`, true},
-		{`gzip {}`, true},
-		{`gzip a b`, true},
-		{`gzip a {`, true},
-		{`gzip { not f } `, true},
-		{`gzip { not } `, true},
-		{`gzip { not /file
-		 ext .html
-		 level 1
-		} `, false},
-		{`gzip { level 9 } `, false},
-		{`gzip { ext } `, true},
-		{`gzip { ext /f
-		} `, true},
-		{`gzip { not /file
-		 ext .html
-		 level 1
-		}
-		gzip`, false},
-		{`gzip { not /file
-		 ext .html
-		 level 1
-		}
-		gzip { not /file1
-		 ext .htm
-		 level 3
-		}
-		`, false},
-		{`gzip { not /file
-		 ext .html
-		 level 1
-		}
-		gzip { not /file1
-		 ext .htm
-		 level 3
-		}
-		`, false},
-		{`gzip { not /file
-		 ext *
-		 level 1
-		}
-		`, false},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		_, err := gzipParse(c)
-		if test.shouldErr && err == nil {
-			t.Errorf("Test %v: Expected error but found nil", i)
-		} else if !test.shouldErr && err != nil {
-			t.Errorf("Test %v: Expected no error but found error: %v", i, err)
-		}
-	}
-}
@@ -1,84 +0,0 @@
-package setup
-
-import (
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/headers"
-)
-
-// Headers configures a new Headers middleware instance.
-func Headers(c *Controller) (middleware.Middleware, error) {
-	rules, err := headersParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return headers.Headers{Next: next, Rules: rules}
-	}, nil
-}
-
-func headersParse(c *Controller) ([]headers.Rule, error) {
-	var rules []headers.Rule
-
-	for c.NextLine() {
-		var head headers.Rule
-		var isNewPattern bool
-
-		if !c.NextArg() {
-			return rules, c.ArgErr()
-		}
-		pattern := c.Val()
-
-		// See if we already have a definition for this Path pattern...
-		for _, h := range rules {
-			if h.Path == pattern {
-				head = h
-				break
-			}
-		}
-
-		// ...otherwise, this is a new pattern
-		if head.Path == "" {
-			head.Path = pattern
-			isNewPattern = true
-		}
-
-		for c.NextBlock() {
-			// A block of headers was opened...
-
-			h := headers.Header{Name: c.Val()}
-
-			if c.NextArg() {
-				h.Value = c.Val()
-			}
-
-			head.Headers = append(head.Headers, h)
-		}
-		if c.NextArg() {
-			// ... or single header was defined as an argument instead.
-
-			h := headers.Header{Name: c.Val()}
-
-			h.Value = c.Val()
-
-			if c.NextArg() {
-				h.Value = c.Val()
-			}
-
-			head.Headers = append(head.Headers, h)
-		}
-
-		if isNewPattern {
-			rules = append(rules, head)
-		} else {
-			for i := 0; i < len(rules); i++ {
-				if rules[i].Path == pattern {
-					rules[i] = head
-					break
-				}
-			}
-		}
-	}
-
-	return rules, nil
-}
@@ -1,85 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/mholt/caddy/middleware/headers"
-)
-
-func TestHeaders(t *testing.T) {
-	c := NewTestController(`header / Foo Bar`)
-
-	mid, err := Headers(c)
-	if err != nil {
-		t.Errorf("Expected no errors, but got: %v", err)
-	}
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(headers.Headers)
-	if !ok {
-		t.Fatalf("Expected handler to be type Headers, got: %#v", handler)
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-}
-
-func TestHeadersParse(t *testing.T) {
-	tests := []struct {
-		input     string
-		shouldErr bool
-		expected  []headers.Rule
-	}{
-		{`header /foo Foo "Bar Baz"`,
-			false, []headers.Rule{
-				{Path: "/foo", Headers: []headers.Header{
-					{"Foo", "Bar Baz"},
-				}},
-			}},
-		{`header /bar { Foo "Bar Baz" Baz Qux }`,
-			false, []headers.Rule{
-				{Path: "/bar", Headers: []headers.Header{
-					{"Foo", "Bar Baz"},
-					{"Baz", "Qux"},
-				}},
-			}},
-	}
-
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		actual, err := headersParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-
-		if len(actual) != len(test.expected) {
-			t.Fatalf("Test %d expected %d rules, but got %d",
-				i, len(test.expected), len(actual))
-		}
-
-		for j, expectedRule := range test.expected {
-			actualRule := actual[j]
-
-			if actualRule.Path != expectedRule.Path {
-				t.Errorf("Test %d, rule %d: Expected path %s, but got %s",
-					i, j, expectedRule.Path, actualRule.Path)
-			}
-
-			expectedHeaders := fmt.Sprintf("%v", expectedRule.Headers)
-			actualHeaders := fmt.Sprintf("%v", actualRule.Headers)
-
-			if actualHeaders != expectedHeaders {
-				t.Errorf("Test %d, rule %d: Expected headers %s, but got %s",
-					i, j, expectedHeaders, actualHeaders)
-			}
-		}
-	}
-}
@@ -1,31 +0,0 @@
-package setup
-
-import (
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/inner"
-)
-
-// Internal configures a new Internal middleware instance.
-func Internal(c *Controller) (middleware.Middleware, error) {
-	paths, err := internalParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return inner.Internal{Next: next, Paths: paths}
-	}, nil
-}
-
-func internalParse(c *Controller) ([]string, error) {
-	var paths []string
-
-	for c.Next() {
-		if !c.NextArg() {
-			return paths, c.ArgErr()
-		}
-		paths = append(paths, c.Val())
-	}
-
-	return paths, nil
-}
@@ -1,72 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware/inner"
-)
-
-func TestInternal(t *testing.T) {
-	c := NewTestController(`internal /internal`)
-
-	mid, err := Internal(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(inner.Internal)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type Internal, got: %#v", handler)
-	}
-
-	if myHandler.Paths[0] != "/internal" {
-		t.Errorf("Expected internal in the list of internal Paths")
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-}
-
-func TestInternalParse(t *testing.T) {
-	tests := []struct {
-		inputInternalPaths    string
-		shouldErr             bool
-		expectedInternalPaths []string
-	}{
-		{`internal /internal`, false, []string{"/internal"}},
-
-		{`internal /internal1
-		  internal /internal2`, false, []string{"/internal1", "/internal2"}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputInternalPaths)
-		actualInternalPaths, err := internalParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-
-		if len(actualInternalPaths) != len(test.expectedInternalPaths) {
-			t.Fatalf("Test %d expected %d InternalPaths, but got %d",
-				i, len(test.expectedInternalPaths), len(actualInternalPaths))
-		}
-		for j, actualInternalPath := range actualInternalPaths {
-			if actualInternalPath != test.expectedInternalPaths[j] {
-				t.Fatalf("Test %d expected %dth Internal Path to be  %s  , but got %s",
-					i, j, test.expectedInternalPaths[j], actualInternalPath)
-			}
-		}
-	}
-
-}
@@ -1,130 +0,0 @@
-package setup
-
-import (
-	"io"
-	"log"
-	"os"
-
-	"github.com/hashicorp/go-syslog"
-	"github.com/mholt/caddy/middleware"
-	caddylog "github.com/mholt/caddy/middleware/log"
-	"github.com/mholt/caddy/server"
-)
-
-// Log sets up the logging middleware.
-func Log(c *Controller) (middleware.Middleware, error) {
-	rules, err := logParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	// Open the log files for writing when the server starts
-	c.Startup = append(c.Startup, func() error {
-		for i := 0; i < len(rules); i++ {
-			var err error
-			var writer io.Writer
-
-			if rules[i].OutputFile == "stdout" {
-				writer = os.Stdout
-			} else if rules[i].OutputFile == "stderr" {
-				writer = os.Stderr
-			} else if rules[i].OutputFile == "syslog" {
-				writer, err = gsyslog.NewLogger(gsyslog.LOG_INFO, "LOCAL0", "caddy")
-				if err != nil {
-					return err
-				}
-			} else {
-				var file *os.File
-				file, err = os.OpenFile(rules[i].OutputFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644)
-				if err != nil {
-					return err
-				}
-				if rules[i].Roller != nil {
-					file.Close()
-					rules[i].Roller.Filename = rules[i].OutputFile
-					writer = rules[i].Roller.GetLogWriter()
-				} else {
-					writer = file
-				}
-			}
-
-			rules[i].Log = log.New(writer, "", 0)
-		}
-
-		return nil
-	})
-
-	return func(next middleware.Handler) middleware.Handler {
-		return caddylog.Logger{Next: next, Rules: rules, ErrorFunc: server.DefaultErrorFunc}
-	}, nil
-}
-
-func logParse(c *Controller) ([]caddylog.Rule, error) {
-	var rules []caddylog.Rule
-
-	for c.Next() {
-		args := c.RemainingArgs()
-
-		var logRoller *middleware.LogRoller
-		if c.NextBlock() {
-			if c.Val() == "rotate" {
-				if c.NextArg() {
-					if c.Val() == "{" {
-						var err error
-						logRoller, err = parseRoller(c)
-						if err != nil {
-							return nil, err
-						}
-						// This part doesn't allow having something after the rotate block
-						if c.Next() {
-							if c.Val() != "}" {
-								return nil, c.ArgErr()
-							}
-						}
-					}
-				}
-			}
-		}
-		if len(args) == 0 {
-			// Nothing specified; use defaults
-			rules = append(rules, caddylog.Rule{
-				PathScope:  "/",
-				OutputFile: caddylog.DefaultLogFilename,
-				Format:     caddylog.DefaultLogFormat,
-				Roller:     logRoller,
-			})
-		} else if len(args) == 1 {
-			// Only an output file specified
-			rules = append(rules, caddylog.Rule{
-				PathScope:  "/",
-				OutputFile: args[0],
-				Format:     caddylog.DefaultLogFormat,
-				Roller:     logRoller,
-			})
-		} else {
-			// Path scope, output file, and maybe a format specified
-
-			format := caddylog.DefaultLogFormat
-
-			if len(args) > 2 {
-				switch args[2] {
-				case "{common}":
-					format = caddylog.CommonLogFormat
-				case "{combined}":
-					format = caddylog.CombinedLogFormat
-				default:
-					format = args[2]
-				}
-			}
-
-			rules = append(rules, caddylog.Rule{
-				PathScope:  args[0],
-				OutputFile: args[1],
-				Format:     format,
-				Roller:     logRoller,
-			})
-		}
-	}
-
-	return rules, nil
-}
@@ -1,175 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware"
-	caddylog "github.com/mholt/caddy/middleware/log"
-)
-
-func TestLog(t *testing.T) {
-
-	c := NewTestController(`log`)
-
-	mid, err := Log(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(caddylog.Logger)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type Logger, got: %#v", handler)
-	}
-
-	if myHandler.Rules[0].PathScope != "/" {
-		t.Errorf("Expected / as the default PathScope")
-	}
-	if myHandler.Rules[0].OutputFile != caddylog.DefaultLogFilename {
-		t.Errorf("Expected %s as the default OutputFile", caddylog.DefaultLogFilename)
-	}
-	if myHandler.Rules[0].Format != caddylog.DefaultLogFormat {
-		t.Errorf("Expected %s as the default Log Format", caddylog.DefaultLogFormat)
-	}
-	if myHandler.Rules[0].Roller != nil {
-		t.Errorf("Expected Roller to be nil, got: %v", *myHandler.Rules[0].Roller)
-	}
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-}
-
-func TestLogParse(t *testing.T) {
-	tests := []struct {
-		inputLogRules    string
-		shouldErr        bool
-		expectedLogRules []caddylog.Rule
-	}{
-		{`log`, false, []caddylog.Rule{{
-			PathScope:  "/",
-			OutputFile: caddylog.DefaultLogFilename,
-			Format:     caddylog.DefaultLogFormat,
-		}}},
-		{`log log.txt`, false, []caddylog.Rule{{
-			PathScope:  "/",
-			OutputFile: "log.txt",
-			Format:     caddylog.DefaultLogFormat,
-		}}},
-		{`log /api log.txt`, false, []caddylog.Rule{{
-			PathScope:  "/api",
-			OutputFile: "log.txt",
-			Format:     caddylog.DefaultLogFormat,
-		}}},
-		{`log /serve stdout`, false, []caddylog.Rule{{
-			PathScope:  "/serve",
-			OutputFile: "stdout",
-			Format:     caddylog.DefaultLogFormat,
-		}}},
-		{`log /myapi log.txt {common}`, false, []caddylog.Rule{{
-			PathScope:  "/myapi",
-			OutputFile: "log.txt",
-			Format:     caddylog.CommonLogFormat,
-		}}},
-		{`log /test accesslog.txt {combined}`, false, []caddylog.Rule{{
-			PathScope:  "/test",
-			OutputFile: "accesslog.txt",
-			Format:     caddylog.CombinedLogFormat,
-		}}},
-		{`log /api1 log.txt
-		  log /api2 accesslog.txt {combined}`, false, []caddylog.Rule{{
-			PathScope:  "/api1",
-			OutputFile: "log.txt",
-			Format:     caddylog.DefaultLogFormat,
-		}, {
-			PathScope:  "/api2",
-			OutputFile: "accesslog.txt",
-			Format:     caddylog.CombinedLogFormat,
-		}}},
-		{`log /api3 stdout {host}
-		  log /api4 log.txt {when}`, false, []caddylog.Rule{{
-			PathScope:  "/api3",
-			OutputFile: "stdout",
-			Format:     "{host}",
-		}, {
-			PathScope:  "/api4",
-			OutputFile: "log.txt",
-			Format:     "{when}",
-		}}},
-		{`log access.log { rotate { size 2 age 10 keep 3 } }`, false, []caddylog.Rule{{
-			PathScope:  "/",
-			OutputFile: "access.log",
-			Format:     caddylog.DefaultLogFormat,
-			Roller: &middleware.LogRoller{
-				MaxSize:    2,
-				MaxAge:     10,
-				MaxBackups: 3,
-				LocalTime:  true,
-			},
-		}}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputLogRules)
-		actualLogRules, err := logParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if len(actualLogRules) != len(test.expectedLogRules) {
-			t.Fatalf("Test %d expected %d no of Log rules, but got %d ",
-				i, len(test.expectedLogRules), len(actualLogRules))
-		}
-		for j, actualLogRule := range actualLogRules {
-
-			if actualLogRule.PathScope != test.expectedLogRules[j].PathScope {
-				t.Errorf("Test %d expected %dth LogRule PathScope to be  %s  , but got %s",
-					i, j, test.expectedLogRules[j].PathScope, actualLogRule.PathScope)
-			}
-
-			if actualLogRule.OutputFile != test.expectedLogRules[j].OutputFile {
-				t.Errorf("Test %d expected %dth LogRule OutputFile to be  %s  , but got %s",
-					i, j, test.expectedLogRules[j].OutputFile, actualLogRule.OutputFile)
-			}
-
-			if actualLogRule.Format != test.expectedLogRules[j].Format {
-				t.Errorf("Test %d expected %dth LogRule Format to be  %s  , but got %s",
-					i, j, test.expectedLogRules[j].Format, actualLogRule.Format)
-			}
-			if actualLogRule.Roller != nil && test.expectedLogRules[j].Roller == nil || actualLogRule.Roller == nil && test.expectedLogRules[j].Roller != nil {
-				t.Fatalf("Test %d expected %dth LogRule Roller to be %v, but got %v",
-					i, j, test.expectedLogRules[j].Roller, actualLogRule.Roller)
-			}
-			if actualLogRule.Roller != nil && test.expectedLogRules[j].Roller != nil {
-				if actualLogRule.Roller.Filename != test.expectedLogRules[j].Roller.Filename {
-					t.Fatalf("Test %d expected %dth LogRule Roller Filename to be %s, but got %s",
-						i, j, test.expectedLogRules[j].Roller.Filename, actualLogRule.Roller.Filename)
-				}
-				if actualLogRule.Roller.MaxAge != test.expectedLogRules[j].Roller.MaxAge {
-					t.Fatalf("Test %d expected %dth LogRule Roller MaxAge to be %d, but got %d",
-						i, j, test.expectedLogRules[j].Roller.MaxAge, actualLogRule.Roller.MaxAge)
-				}
-				if actualLogRule.Roller.MaxBackups != test.expectedLogRules[j].Roller.MaxBackups {
-					t.Fatalf("Test %d expected %dth LogRule Roller MaxBackups to be %d, but got %d",
-						i, j, test.expectedLogRules[j].Roller.MaxBackups, actualLogRule.Roller.MaxBackups)
-				}
-				if actualLogRule.Roller.MaxSize != test.expectedLogRules[j].Roller.MaxSize {
-					t.Fatalf("Test %d expected %dth LogRule Roller MaxSize to be %d, but got %d",
-						i, j, test.expectedLogRules[j].Roller.MaxSize, actualLogRule.Roller.MaxSize)
-				}
-				if actualLogRule.Roller.LocalTime != test.expectedLogRules[j].Roller.LocalTime {
-					t.Fatalf("Test %d expected %dth LogRule Roller LocalTime to be %t, but got %t",
-						i, j, test.expectedLogRules[j].Roller.LocalTime, actualLogRule.Roller.LocalTime)
-				}
-			}
-		}
-	}
-
-}
@@ -1,152 +0,0 @@
-package setup
-
-import (
-	"net/http"
-	"path"
-	"path/filepath"
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/markdown"
-	"github.com/russross/blackfriday"
-)
-
-// Markdown configures a new Markdown middleware instance.
-func Markdown(c *Controller) (middleware.Middleware, error) {
-	mdconfigs, err := markdownParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	md := markdown.Markdown{
-		Root:       c.Root,
-		FileSys:    http.Dir(c.Root),
-		Configs:    mdconfigs,
-		IndexFiles: []string{"index.md"},
-	}
-
-	// Sweep the whole path at startup to at least generate link index, maybe generate static site
-	c.Startup = append(c.Startup, func() error {
-		for i := range mdconfigs {
-			cfg := mdconfigs[i]
-
-			// Generate link index and static files (if enabled)
-			if err := markdown.GenerateStatic(md, cfg); err != nil {
-				return err
-			}
-
-			// Watch file changes for static site generation if not in development mode.
-			if !cfg.Development {
-				markdown.Watch(md, cfg, markdown.DefaultInterval)
-			}
-		}
-
-		return nil
-	})
-
-	return func(next middleware.Handler) middleware.Handler {
-		md.Next = next
-		return md
-	}, nil
-}
-
-func markdownParse(c *Controller) ([]*markdown.Config, error) {
-	var mdconfigs []*markdown.Config
-
-	for c.Next() {
-		md := &markdown.Config{
-			Renderer:    blackfriday.HtmlRenderer(0, "", ""),
-			Templates:   make(map[string]string),
-			StaticFiles: make(map[string]string),
-		}
-
-		// Get the path scope
-		if !c.NextArg() || c.Val() == "{" {
-			return mdconfigs, c.ArgErr()
-		}
-		md.PathScope = c.Val()
-
-		// Load any other configuration parameters
-		for c.NextBlock() {
-			if err := loadParams(c, md); err != nil {
-				return mdconfigs, err
-			}
-		}
-
-		// If no extensions were specified, assume .md
-		if len(md.Extensions) == 0 {
-			md.Extensions = []string{".md"}
-		}
-
-		mdconfigs = append(mdconfigs, md)
-	}
-
-	return mdconfigs, nil
-}
-
-func loadParams(c *Controller, mdc *markdown.Config) error {
-	switch c.Val() {
-	case "ext":
-		exts := c.RemainingArgs()
-		if len(exts) == 0 {
-			return c.ArgErr()
-		}
-		mdc.Extensions = append(mdc.Extensions, exts...)
-		return nil
-	case "css":
-		if !c.NextArg() {
-			return c.ArgErr()
-		}
-		mdc.Styles = append(mdc.Styles, c.Val())
-		return nil
-	case "js":
-		if !c.NextArg() {
-			return c.ArgErr()
-		}
-		mdc.Scripts = append(mdc.Scripts, c.Val())
-		return nil
-	case "template":
-		tArgs := c.RemainingArgs()
-		switch len(tArgs) {
-		case 0:
-			return c.ArgErr()
-		case 1:
-			if _, ok := mdc.Templates[markdown.DefaultTemplate]; ok {
-				return c.Err("only one default template is allowed, use alias.")
-			}
-			fpath := filepath.ToSlash(filepath.Clean(c.Root + string(filepath.Separator) + tArgs[0]))
-			mdc.Templates[markdown.DefaultTemplate] = fpath
-			return nil
-		case 2:
-			fpath := filepath.ToSlash(filepath.Clean(c.Root + string(filepath.Separator) + tArgs[1]))
-			mdc.Templates[tArgs[0]] = fpath
-			return nil
-		default:
-			return c.ArgErr()
-		}
-	case "sitegen":
-		if c.NextArg() {
-			mdc.StaticDir = path.Join(c.Root, c.Val())
-		} else {
-			mdc.StaticDir = path.Join(c.Root, markdown.DefaultStaticDir)
-		}
-		if c.NextArg() {
-			// only 1 argument allowed
-			return c.ArgErr()
-		}
-		return nil
-	case "dev":
-		if c.NextArg() {
-			mdc.Development = strings.ToLower(c.Val()) == "true"
-		} else {
-			mdc.Development = true
-		}
-		if c.NextArg() {
-			// only 1 argument allowed
-			return c.ArgErr()
-		}
-		return nil
-	default:
-		return c.Err("Expected valid markdown configuration property")
-	}
-}
@@ -1,184 +0,0 @@
-package setup
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/markdown"
-)
-
-func TestMarkdown(t *testing.T) {
-
-	c := NewTestController(`markdown /blog`)
-
-	mid, err := Markdown(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(markdown.Markdown)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type Markdown, got: %#v", handler)
-	}
-
-	if myHandler.Configs[0].PathScope != "/blog" {
-		t.Errorf("Expected /blog as the Path Scope")
-	}
-	if fmt.Sprint(myHandler.Configs[0].Extensions) != fmt.Sprint([]string{".md"}) {
-		t.Errorf("Expected .md  as the Default Extension")
-	}
-}
-
-func TestMarkdownStaticGen(t *testing.T) {
-	c := NewTestController(`markdown /blog {
-	ext .md
-	template tpl_with_include.html
-	sitegen
-}`)
-
-	c.Root = "./testdata"
-	mid, err := Markdown(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	for _, start := range c.Startup {
-		err := start()
-		if err != nil {
-			t.Errorf("Startup error: %v", err)
-		}
-	}
-
-	next := middleware.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
-		t.Fatalf("Next shouldn't be called")
-		return 0, nil
-	})
-	hndlr := mid(next)
-	mkdwn, ok := hndlr.(markdown.Markdown)
-	if !ok {
-		t.Fatalf("Was expecting a markdown.Markdown but got %T", hndlr)
-	}
-
-	expectedStaticFiles := map[string]string{"/blog/first_post.md": "testdata/generated_site/blog/first_post.md/index.html"}
-	if fmt.Sprint(expectedStaticFiles) != fmt.Sprint(mkdwn.Configs[0].StaticFiles) {
-		t.Fatalf("Test expected StaticFiles to be  %s, but got %s",
-			fmt.Sprint(expectedStaticFiles), fmt.Sprint(mkdwn.Configs[0].StaticFiles))
-	}
-
-	filePath := "testdata/generated_site/blog/first_post.md/index.html"
-	if _, err := os.Stat(filePath); err != nil {
-		t.Fatalf("An error occured when getting the file information: %v", err)
-	}
-
-	html, err := ioutil.ReadFile(filePath)
-	if err != nil {
-		t.Fatalf("An error occured when getting the file content: %v", err)
-	}
-
-	expectedBody := []byte(`<!DOCTYPE html>
-<html>
-<head>
-<title>first_post</title>
-</head>
-<body>
-<h1>Header title</h1>
-
-<h1>Test h1</h1>
-
-</body>
-</html>
-`)
-
-	if !bytes.Equal(html, expectedBody) {
-		t.Fatalf("Expected file content: %s got: %s", string(expectedBody), string(html))
-	}
-
-	fp := filepath.Join(c.Root, markdown.DefaultStaticDir)
-	if err = os.RemoveAll(fp); err != nil {
-		t.Errorf("Error while removing the generated static files: %v", err)
-	}
-}
-
-func TestMarkdownParse(t *testing.T) {
-	tests := []struct {
-		inputMarkdownConfig    string
-		shouldErr              bool
-		expectedMarkdownConfig []markdown.Config
-	}{
-
-		{`markdown /blog {
-	ext .md .txt
-	css /resources/css/blog.css
-	js  /resources/js/blog.js
-}`, false, []markdown.Config{{
-			PathScope:  "/blog",
-			Extensions: []string{".md", ".txt"},
-			Styles:     []string{"/resources/css/blog.css"},
-			Scripts:    []string{"/resources/js/blog.js"},
-		}}},
-		{`markdown /blog {
-	ext .md
-	template tpl_with_include.html
-	sitegen
-}`, false, []markdown.Config{{
-			PathScope:  "/blog",
-			Extensions: []string{".md"},
-			Templates:  map[string]string{markdown.DefaultTemplate: "testdata/tpl_with_include.html"},
-			StaticDir:  markdown.DefaultStaticDir,
-		}}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputMarkdownConfig)
-		c.Root = "./testdata"
-		actualMarkdownConfigs, err := markdownParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if len(actualMarkdownConfigs) != len(test.expectedMarkdownConfig) {
-			t.Fatalf("Test %d expected %d no of WebSocket configs, but got %d ",
-				i, len(test.expectedMarkdownConfig), len(actualMarkdownConfigs))
-		}
-		for j, actualMarkdownConfig := range actualMarkdownConfigs {
-
-			if actualMarkdownConfig.PathScope != test.expectedMarkdownConfig[j].PathScope {
-				t.Errorf("Test %d expected %dth Markdown PathScope to be  %s  , but got %s",
-					i, j, test.expectedMarkdownConfig[j].PathScope, actualMarkdownConfig.PathScope)
-			}
-
-			if fmt.Sprint(actualMarkdownConfig.Styles) != fmt.Sprint(test.expectedMarkdownConfig[j].Styles) {
-				t.Errorf("Test %d expected %dth Markdown Config Styles to be  %s  , but got %s",
-					i, j, fmt.Sprint(test.expectedMarkdownConfig[j].Styles), fmt.Sprint(actualMarkdownConfig.Styles))
-			}
-			if fmt.Sprint(actualMarkdownConfig.Scripts) != fmt.Sprint(test.expectedMarkdownConfig[j].Scripts) {
-				t.Errorf("Test %d expected %dth Markdown Config Scripts to be  %s  , but got %s",
-					i, j, fmt.Sprint(test.expectedMarkdownConfig[j].Scripts), fmt.Sprint(actualMarkdownConfig.Scripts))
-			}
-			if fmt.Sprint(actualMarkdownConfig.Templates) != fmt.Sprint(test.expectedMarkdownConfig[j].Templates) {
-				t.Errorf("Test %d expected %dth Markdown Config Templates to be  %s  , but got %s",
-					i, j, fmt.Sprint(test.expectedMarkdownConfig[j].Templates), fmt.Sprint(actualMarkdownConfig.Templates))
-			}
-		}
-	}
-
-}
@@ -1,62 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/mime"
-)
-
-// Mime configures a new mime middleware instance.
-func Mime(c *Controller) (middleware.Middleware, error) {
-	configs, err := mimeParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return mime.Mime{Next: next, Configs: configs}
-	}, nil
-}
-
-func mimeParse(c *Controller) ([]mime.Config, error) {
-	var configs []mime.Config
-
-	for c.Next() {
-		// At least one extension is required
-
-		args := c.RemainingArgs()
-		switch len(args) {
-		case 2:
-			if err := validateExt(args[0]); err != nil {
-				return configs, err
-			}
-			configs = append(configs, mime.Config{Ext: args[0], ContentType: args[1]})
-		case 1:
-			return configs, c.ArgErr()
-		case 0:
-			for c.NextBlock() {
-				ext := c.Val()
-				if err := validateExt(ext); err != nil {
-					return configs, err
-				}
-				if !c.NextArg() {
-					return configs, c.ArgErr()
-				}
-				configs = append(configs, mime.Config{Ext: ext, ContentType: c.Val()})
-			}
-		}
-
-	}
-
-	return configs, nil
-}
-
-// validateExt checks for valid file name extension.
-func validateExt(ext string) error {
-	if !strings.HasPrefix(ext, ".") {
-		return fmt.Errorf(`mime: invalid extension "%v" (must start with dot)`, ext)
-	}
-	return nil
-}
@@ -1,59 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware/mime"
-)
-
-func TestMime(t *testing.T) {
-
-	c := NewTestController(`mime .txt text/plain`)
-
-	mid, err := Mime(c)
-	if err != nil {
-		t.Errorf("Expected no errors, but got: %v", err)
-	}
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(mime.Mime)
-	if !ok {
-		t.Fatalf("Expected handler to be type Mime, got: %#v", handler)
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-	tests := []struct {
-		input     string
-		shouldErr bool
-	}{
-		{`mime {`, true},
-		{`mime {}`, true},
-		{`mime a b`, true},
-		{`mime a {`, true},
-		{`mime { txt f } `, true},
-		{`mime { html } `, true},
-		{`mime {
-		 .html text/html
-		 .txt text/plain
-		} `, false},
-		{`mime { .html text/html } `, false},
-		{`mime { .html
-		} `, true},
-		{`mime .txt text/plain`, false},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		m, err := mimeParse(c)
-		if test.shouldErr && err == nil {
-			t.Errorf("Test %v: Expected error but found nil %v", i, m)
-		} else if !test.shouldErr && err != nil {
-			t.Errorf("Test %v: Expected no error but found error: %v", i, err)
-		}
-	}
-}
@@ -1,17 +0,0 @@
-package setup
-
-import (
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/proxy"
-)
-
-// Proxy configures a new Proxy middleware instance.
-func Proxy(c *Controller) (middleware.Middleware, error) {
-	upstreams, err := proxy.NewStaticUpstreams(c.Dispenser)
-	if err != nil {
-		return nil, err
-	}
-	return func(next middleware.Handler) middleware.Handler {
-		return proxy.Proxy{Next: next, Upstreams: upstreams}
-	}, nil
-}
@@ -1,173 +0,0 @@
-package setup
-
-import (
-	"net/http"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/redirect"
-)
-
-// Redir configures a new Redirect middleware instance.
-func Redir(c *Controller) (middleware.Middleware, error) {
-	rules, err := redirParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return redirect.Redirect{Next: next, Rules: rules}
-	}, nil
-}
-
-func redirParse(c *Controller) ([]redirect.Rule, error) {
-	var redirects []redirect.Rule
-
-	// setRedirCode sets the redirect code for rule if it can, or returns an error
-	setRedirCode := func(code string, rule *redirect.Rule) error {
-		if code == "meta" {
-			rule.Meta = true
-		} else if codeNumber, ok := httpRedirs[code]; ok {
-			rule.Code = codeNumber
-		} else {
-			return c.Errf("Invalid redirect code '%v'", code)
-		}
-		return nil
-	}
-
-	// checkAndSaveRule checks the rule for validity (except the redir code)
-	// and saves it if it's valid, or returns an error.
-	checkAndSaveRule := func(rule redirect.Rule) error {
-		if rule.FromPath == rule.To {
-			return c.Err("'from' and 'to' values of redirect rule cannot be the same")
-		}
-
-		for _, otherRule := range redirects {
-			if otherRule.FromPath == rule.FromPath {
-				return c.Errf("rule with duplicate 'from' value: %s -> %s", otherRule.FromPath, otherRule.To)
-			}
-		}
-
-		redirects = append(redirects, rule)
-		return nil
-	}
-
-	for c.Next() {
-		args := c.RemainingArgs()
-
-		var hadOptionalBlock bool
-		for c.NextBlock() {
-			hadOptionalBlock = true
-
-			var rule redirect.Rule
-
-			if c.Config.TLS.Enabled {
-				rule.FromScheme = "https"
-			} else {
-				rule.FromScheme = "http"
-			}
-
-			// Set initial redirect code
-			// BUG: If the code is specified for a whole block and that code is invalid,
-			// the line number will appear on the first line inside the block, even if that
-			// line overwrites the block-level code with a valid redirect code. The program
-			// still functions correctly, but the line number in the error reporting is
-			// misleading to the user.
-			if len(args) == 1 {
-				err := setRedirCode(args[0], &rule)
-				if err != nil {
-					return redirects, err
-				}
-			} else {
-				rule.Code = http.StatusMovedPermanently // default code
-			}
-
-			// RemainingArgs only gets the values after the current token, but in our
-			// case we want to include the current token to get an accurate count.
-			insideArgs := append([]string{c.Val()}, c.RemainingArgs()...)
-
-			switch len(insideArgs) {
-			case 1:
-				// To specified (catch-all redirect)
-				// Not sure why user is doing this in a table, as it causes all other redirects to be ignored.
-				// As such, this feature remains undocumented.
-				rule.FromPath = "/"
-				rule.To = insideArgs[0]
-			case 2:
-				// From and To specified
-				rule.FromPath = insideArgs[0]
-				rule.To = insideArgs[1]
-			case 3:
-				// From, To, and Code specified
-				rule.FromPath = insideArgs[0]
-				rule.To = insideArgs[1]
-				err := setRedirCode(insideArgs[2], &rule)
-				if err != nil {
-					return redirects, err
-				}
-			default:
-				return redirects, c.ArgErr()
-			}
-
-			err := checkAndSaveRule(rule)
-			if err != nil {
-				return redirects, err
-			}
-		}
-
-		if !hadOptionalBlock {
-			var rule redirect.Rule
-
-			if c.Config.TLS.Enabled {
-				rule.FromScheme = "https"
-			} else {
-				rule.FromScheme = "http"
-			}
-
-			rule.Code = http.StatusMovedPermanently // default
-
-			switch len(args) {
-			case 1:
-				// To specified (catch-all redirect)
-				rule.FromPath = "/"
-				rule.To = args[0]
-			case 2:
-				// To and Code specified (catch-all redirect)
-				rule.FromPath = "/"
-				rule.To = args[0]
-				err := setRedirCode(args[1], &rule)
-				if err != nil {
-					return redirects, err
-				}
-			case 3:
-				// From, To, and Code specified
-				rule.FromPath = args[0]
-				rule.To = args[1]
-				err := setRedirCode(args[2], &rule)
-				if err != nil {
-					return redirects, err
-				}
-			default:
-				return redirects, c.ArgErr()
-			}
-
-			err := checkAndSaveRule(rule)
-			if err != nil {
-				return redirects, err
-			}
-		}
-	}
-
-	return redirects, nil
-}
-
-// httpRedirs is a list of supported HTTP redirect codes.
-var httpRedirs = map[string]int{
-	"300": http.StatusMultipleChoices,
-	"301": http.StatusMovedPermanently,
-	"302": http.StatusFound, // (NOT CORRECT for "Temporary Redirect", see 307)
-	"303": http.StatusSeeOther,
-	"304": http.StatusNotModified,
-	"305": http.StatusUseProxy,
-	"307": http.StatusTemporaryRedirect,
-	"308": 308, // Permanent Redirect
-}
@@ -1,79 +0,0 @@
-package setup
-
-import (
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/rewrite"
-)
-
-// Rewrite configures a new Rewrite middleware instance.
-func Rewrite(c *Controller) (middleware.Middleware, error) {
-	rewrites, err := rewriteParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		return rewrite.Rewrite{Next: next, Rules: rewrites}
-	}, nil
-}
-
-func rewriteParse(c *Controller) ([]rewrite.Rule, error) {
-	var simpleRules []rewrite.Rule
-	var regexpRules []rewrite.Rule
-
-	for c.Next() {
-		var rule rewrite.Rule
-		var err error
-		var base = "/"
-		var pattern, to string
-		var ext []string
-
-		args := c.RemainingArgs()
-
-		switch len(args) {
-		case 2:
-			rule = rewrite.NewSimpleRule(args[0], args[1])
-			simpleRules = append(simpleRules, rule)
-		case 1:
-			base = args[0]
-			fallthrough
-		case 0:
-			for c.NextBlock() {
-				switch c.Val() {
-				case "r", "regexp":
-					if !c.NextArg() {
-						return nil, c.ArgErr()
-					}
-					pattern = c.Val()
-				case "to":
-					if !c.NextArg() {
-						return nil, c.ArgErr()
-					}
-					to = c.Val()
-				case "ext":
-					args1 := c.RemainingArgs()
-					if len(args1) == 0 {
-						return nil, c.ArgErr()
-					}
-					ext = args1
-				default:
-					return nil, c.ArgErr()
-				}
-			}
-			// ensure pattern and to are specified
-			if pattern == "" || to == "" {
-				return nil, c.ArgErr()
-			}
-			if rule, err = rewrite.NewRegexpRule(base, pattern, to, ext); err != nil {
-				return nil, err
-			}
-			regexpRules = append(regexpRules, rule)
-		default:
-			return nil, c.ArgErr()
-		}
-
-	}
-
-	// put simple rules in front to avoid regexp computation for them
-	return append(simpleRules, regexpRules...), nil
-}
@@ -1,185 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"fmt"
-	"regexp"
-
-	"github.com/mholt/caddy/middleware/rewrite"
-)
-
-func TestRewrite(t *testing.T) {
-	c := NewTestController(`rewrite /from /to`)
-
-	mid, err := Rewrite(c)
-	if err != nil {
-		t.Errorf("Expected no errors, but got: %v", err)
-	}
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(rewrite.Rewrite)
-	if !ok {
-		t.Fatalf("Expected handler to be type Rewrite, got: %#v", handler)
-	}
-
-	if !SameNext(myHandler.Next, EmptyNext) {
-		t.Error("'Next' field of handler was not set properly")
-	}
-
-	if len(myHandler.Rules) != 1 {
-		t.Errorf("Expected handler to have %d rule, has %d instead", 1, len(myHandler.Rules))
-	}
-}
-
-func TestRewriteParse(t *testing.T) {
-	simpleTests := []struct {
-		input     string
-		shouldErr bool
-		expected  []rewrite.Rule
-	}{
-		{`rewrite /from /to`, false, []rewrite.Rule{
-			rewrite.SimpleRule{From: "/from", To: "/to"},
-		}},
-		{`rewrite /from /to
-		  rewrite a b`, false, []rewrite.Rule{
-			rewrite.SimpleRule{From: "/from", To: "/to"},
-			rewrite.SimpleRule{From: "a", To: "b"},
-		}},
-		{`rewrite a`, true, []rewrite.Rule{}},
-		{`rewrite`, true, []rewrite.Rule{}},
-		{`rewrite a b c`, true, []rewrite.Rule{
-			rewrite.SimpleRule{From: "a", To: "b"},
-		}},
-	}
-
-	for i, test := range simpleTests {
-		c := NewTestController(test.input)
-		actual, err := rewriteParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		} else if err != nil && test.shouldErr {
-			continue
-		}
-
-		if len(actual) != len(test.expected) {
-			t.Fatalf("Test %d expected %d rules, but got %d",
-				i, len(test.expected), len(actual))
-		}
-
-		for j, e := range test.expected {
-			actualRule := actual[j].(rewrite.SimpleRule)
-			expectedRule := e.(rewrite.SimpleRule)
-
-			if actualRule.From != expectedRule.From {
-				t.Errorf("Test %d, rule %d: Expected From=%s, got %s",
-					i, j, expectedRule.From, actualRule.From)
-			}
-
-			if actualRule.To != expectedRule.To {
-				t.Errorf("Test %d, rule %d: Expected To=%s, got %s",
-					i, j, expectedRule.To, actualRule.To)
-			}
-		}
-	}
-
-	regexpTests := []struct {
-		input     string
-		shouldErr bool
-		expected  []rewrite.Rule
-	}{
-		{`rewrite {
-			r	.*
-			to	/to
-		 }`, false, []rewrite.Rule{
-			&rewrite.RegexpRule{Base: "/", To: "/to", Regexp: regexp.MustCompile(".*")},
-		}},
-		{`rewrite {
-			regexp	.*
-			to		/to
-			ext		/ html txt
-		 }`, false, []rewrite.Rule{
-			&rewrite.RegexpRule{Base: "/", To: "/to", Exts: []string{"/", "html", "txt"}, Regexp: regexp.MustCompile(".*")},
-		}},
-		{`rewrite /path {
-			r	rr
-			to	/dest
-		 }
-		 rewrite / {
-		 	regexp	[a-z]+
-		 	to 		/to
-		 }
-		 `, false, []rewrite.Rule{
-			&rewrite.RegexpRule{Base: "/path", To: "/dest", Regexp: regexp.MustCompile("rr")},
-			&rewrite.RegexpRule{Base: "/", To: "/to", Regexp: regexp.MustCompile("[a-z]+")},
-		}},
-		{`rewrite {
-			to	/to
-		 }`, true, []rewrite.Rule{
-			&rewrite.RegexpRule{},
-		}},
-		{`rewrite {
-			r	.*
-		 }`, true, []rewrite.Rule{
-			&rewrite.RegexpRule{},
-		}},
-		{`rewrite {
-
-		 }`, true, []rewrite.Rule{
-			&rewrite.RegexpRule{},
-		}},
-		{`rewrite /`, true, []rewrite.Rule{
-			&rewrite.RegexpRule{},
-		}},
-	}
-
-	for i, test := range regexpTests {
-		c := NewTestController(test.input)
-		actual, err := rewriteParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		} else if err != nil && test.shouldErr {
-			continue
-		}
-
-		if len(actual) != len(test.expected) {
-			t.Fatalf("Test %d expected %d rules, but got %d",
-				i, len(test.expected), len(actual))
-		}
-
-		for j, e := range test.expected {
-			actualRule := actual[j].(*rewrite.RegexpRule)
-			expectedRule := e.(*rewrite.RegexpRule)
-
-			if actualRule.Base != expectedRule.Base {
-				t.Errorf("Test %d, rule %d: Expected Base=%s, got %s",
-					i, j, expectedRule.Base, actualRule.Base)
-			}
-
-			if actualRule.To != expectedRule.To {
-				t.Errorf("Test %d, rule %d: Expected To=%s, got %s",
-					i, j, expectedRule.To, actualRule.To)
-			}
-
-			if fmt.Sprint(actualRule.Exts) != fmt.Sprint(expectedRule.Exts) {
-				t.Errorf("Test %d, rule %d: Expected Ext=%v, got %v",
-					i, j, expectedRule.To, actualRule.To)
-			}
-
-			if actualRule.String() != expectedRule.String() {
-				t.Errorf("Test %d, rule %d: Expected Pattern=%s, got %s",
-					i, j, expectedRule.String(), actualRule.String())
-			}
-		}
-	}
-
-}
@@ -1,40 +0,0 @@
-package setup
-
-import (
-	"strconv"
-
-	"github.com/mholt/caddy/middleware"
-)
-
-func parseRoller(c *Controller) (*middleware.LogRoller, error) {
-	var size, age, keep int
-	// This is kind of a hack to support nested blocks:
-	// As we are already in a block: either log or errors,
-	// c.nesting > 0 but, as soon as c meets a }, it thinks
-	// the block is over and return false for c.NextBlock.
-	for c.NextBlock() {
-		what := c.Val()
-		if !c.NextArg() {
-			return nil, c.ArgErr()
-		}
-		value := c.Val()
-		var err error
-		switch what {
-		case "size":
-			size, err = strconv.Atoi(value)
-		case "age":
-			age, err = strconv.Atoi(value)
-		case "keep":
-			keep, err = strconv.Atoi(value)
-		}
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &middleware.LogRoller{
-		MaxSize:    size,
-		MaxAge:     age,
-		MaxBackups: keep,
-		LocalTime:  true,
-	}, nil
-}
@@ -1,31 +0,0 @@
-package setup
-
-import (
-	"log"
-	"os"
-
-	"github.com/mholt/caddy/middleware"
-)
-
-func Root(c *Controller) (middleware.Middleware, error) {
-	for c.Next() {
-		if !c.NextArg() {
-			return nil, c.ArgErr()
-		}
-		c.Root = c.Val()
-	}
-
-	// Check if root path exists
-	_, err := os.Stat(c.Root)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// Allow this, because the folder might appear later.
-			// But make sure the user knows!
-			log.Printf("Warning: Root path does not exist: %s", c.Root)
-		} else {
-			return nil, c.Errf("Unable to access root path '%s': %v", c.Root, err)
-		}
-	}
-
-	return nil, nil
-}
@@ -1,108 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-func TestRoot(t *testing.T) {
-
-	// Predefined error substrings
-	parseErrContent := "Parse error:"
-	unableToAccessErrContent := "Unable to access root path"
-
-	existingDirPath, err := getTempDirPath()
-	if err != nil {
-		t.Fatalf("BeforeTest: Failed to find an existing directory for testing! Error was: %v", err)
-	}
-
-	nonExistingDir := filepath.Join(existingDirPath, "highly_unlikely_to_exist_dir")
-
-	existingFile, err := ioutil.TempFile("", "root_test")
-	if err != nil {
-		t.Fatalf("BeforeTest: Failed to create temp file for testing! Error was: %v", err)
-	}
-	defer func() {
-		existingFile.Close()
-		os.Remove(existingFile.Name())
-	}()
-
-	inaccessiblePath := getInaccessiblePath(existingFile.Name())
-
-	tests := []struct {
-		input              string
-		shouldErr          bool
-		expectedRoot       string // expected root, set to the controller. Empty for negative cases.
-		expectedErrContent string // substring from the expected error. Empty for positive cases.
-	}{
-		// positive
-		{
-			fmt.Sprintf(`root %s`, nonExistingDir), false, nonExistingDir, "",
-		},
-		{
-			fmt.Sprintf(`root %s`, existingDirPath), false, existingDirPath, "",
-		},
-		// negative
-		{
-			`root `, true, "", parseErrContent,
-		},
-		{
-			fmt.Sprintf(`root %s`, inaccessiblePath), true, "", unableToAccessErrContent,
-		},
-		{
-			fmt.Sprintf(`root {
-				%s
-			}`, existingDirPath), true, "", parseErrContent,
-		},
-	}
-
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		mid, err := Root(c)
-
-		if test.shouldErr && err == nil {
-			t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
-		}
-
-		if err != nil {
-			if !test.shouldErr {
-				t.Errorf("Test %d: Expected no error but found one for input %s. Error was: %v", i, test.input, err)
-			}
-
-			if !strings.Contains(err.Error(), test.expectedErrContent) {
-				t.Errorf("Test %d: Expected error to contain: %v, found error: %v, input: %s", i, test.expectedErrContent, err, test.input)
-			}
-		}
-
-		// the Root method always returns a nil middleware
-		if mid != nil {
-			t.Errorf("Middware, returned from Root() was not nil: %v", mid)
-		}
-
-		// check c.Root only if we are in a positive test.
-		if !test.shouldErr && test.expectedRoot != c.Root {
-			t.Errorf("Root not correctly set for input %s. Expected: %s, actual: %s", test.input, test.expectedRoot, c.Root)
-		}
-	}
-}
-
-// getTempDirPath returnes the path to the system temp directory. If it does not exists - an error is returned.
-func getTempDirPath() (string, error) {
-	tempDir := os.TempDir()
-
-	_, err := os.Stat(tempDir)
-	if err != nil {
-		return "", err
-	}
-
-	return tempDir, nil
-}
-
-func getInaccessiblePath(file string) string {
-	// null byte in filename is not allowed on Windows AND unix
-	return filepath.Join("C:", "file\x00name")
-}
@@ -1,62 +0,0 @@
-package setup
-
-import (
-	"os"
-	"os/exec"
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-)
-
-func Startup(c *Controller) (middleware.Middleware, error) {
-	return nil, registerCallback(c, &c.Startup)
-}
-
-func Shutdown(c *Controller) (middleware.Middleware, error) {
-	return nil, registerCallback(c, &c.Shutdown)
-}
-
-// registerCallback registers a callback function to execute by
-// using c to parse the line. It appends the callback function
-// to the list of callback functions passed in by reference.
-func registerCallback(c *Controller, list *[]func() error) error {
-	var funcs []func() error
-
-	for c.Next() {
-		args := c.RemainingArgs()
-		if len(args) == 0 {
-			return c.ArgErr()
-		}
-
-		nonblock := false
-		if len(args) > 1 && args[len(args)-1] == "&" {
-			// Run command in background; non-blocking
-			nonblock = true
-			args = args[:len(args)-1]
-		}
-
-		command, args, err := middleware.SplitCommandAndArgs(strings.Join(args, " "))
-		if err != nil {
-			return c.Err(err.Error())
-		}
-
-		fn := func() error {
-			cmd := exec.Command(command, args...)
-			cmd.Stdin = os.Stdin
-			cmd.Stdout = os.Stdout
-			cmd.Stderr = os.Stderr
-
-			if nonblock {
-				return cmd.Start()
-			}
-			return cmd.Run()
-		}
-
-		funcs = append(funcs, fn)
-	}
-
-	return c.OncePerServerBlock(func() error {
-		*list = append(*list, funcs...)
-		return nil
-	})
-}
@@ -1,58 +0,0 @@
-package setup
-
-import (
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"testing"
-	"time"
-)
-
-// The Startup function's tests are symmetrical to Shutdown tests,
-// because the Startup and Shutdown functions share virtually the
-// same functionality
-func TestStartup(t *testing.T) {
-
-	tempDirPath, err := getTempDirPath()
-	if err != nil {
-		t.Fatalf("BeforeTest: Failed to find an existing directory for testing! Error was: %v", err)
-	}
-
-	testDir := filepath.Join(tempDirPath, "temp_dir_for_testing_startupshutdown.go")
-	osSenitiveTestDir := filepath.FromSlash(testDir)
-
-	exec.Command("rm", "-r", osSenitiveTestDir).Run() // removes osSenitiveTestDir from the OS's temp directory, if the osSenitiveTestDir already exists
-
-	tests := []struct {
-		input              string
-		shouldExecutionErr bool
-		shouldRemoveErr    bool
-	}{
-		// test case #0 tests proper functionality blocking commands
-		{"startup mkdir " + osSenitiveTestDir, false, false},
-
-		// test case #1 tests proper functionality of non-blocking commands
-		{"startup mkdir " + osSenitiveTestDir + " &", false, true},
-
-		// test case #2 tests handling of non-existant commands
-		{"startup " + strconv.Itoa(int(time.Now().UnixNano())), true, true},
-	}
-
-	for i, test := range tests {
-		c := NewTestController(test.input)
-		_, err = Startup(c)
-		if err != nil {
-			t.Errorf("Expected no errors, got: %v", err)
-		}
-		err = c.Startup[0]()
-		if err != nil && !test.shouldExecutionErr {
-			t.Errorf("Test %d recieved an error of:\n%v", i, err)
-		}
-		err = os.Remove(osSenitiveTestDir)
-		if err != nil && !test.shouldRemoveErr {
-			t.Errorf("Test %d recieved an error of:\n%v", i, err)
-		}
-
-	}
-}
@@ -1,90 +0,0 @@
-package setup
-
-import (
-	"net/http"
-
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/templates"
-)
-
-// Templates configures a new Templates middleware instance.
-func Templates(c *Controller) (middleware.Middleware, error) {
-	rules, err := templatesParse(c)
-	if err != nil {
-		return nil, err
-	}
-
-	tmpls := templates.Templates{
-		Rules:   rules,
-		Root:    c.Root,
-		FileSys: http.Dir(c.Root),
-	}
-
-	return func(next middleware.Handler) middleware.Handler {
-		tmpls.Next = next
-		return tmpls
-	}, nil
-}
-
-func templatesParse(c *Controller) ([]templates.Rule, error) {
-	var rules []templates.Rule
-
-	for c.Next() {
-		var rule templates.Rule
-
-		rule.Path = defaultTemplatePath
-		rule.Extensions = defaultTemplateExtensions
-
-		args := c.RemainingArgs()
-
-		switch len(args) {
-		case 0:
-			// Optional block
-			for c.NextBlock() {
-				switch c.Val() {
-				case "path":
-					args := c.RemainingArgs()
-					if len(args) != 1 {
-						return nil, c.ArgErr()
-					}
-					rule.Path = args[0]
-
-				case "ext":
-					args := c.RemainingArgs()
-					if len(args) == 0 {
-						return nil, c.ArgErr()
-					}
-					rule.Extensions = args
-
-				case "between":
-					args := c.RemainingArgs()
-					if len(args) != 2 {
-						return nil, c.ArgErr()
-					}
-					rule.Delims[0] = args[0]
-					rule.Delims[1] = args[1]
-				}
-			}
-		default:
-			// First argument would be the path
-			rule.Path = args[0]
-
-			// Any remaining arguments are extensions
-			rule.Extensions = args[1:]
-			if len(rule.Extensions) == 0 {
-				rule.Extensions = defaultTemplateExtensions
-			}
-		}
-
-		for _, ext := range rule.Extensions {
-			rule.IndexFiles = append(rule.IndexFiles, "index"+ext)
-		}
-
-		rules = append(rules, rule)
-	}
-	return rules, nil
-}
-
-const defaultTemplatePath = "/"
-
-var defaultTemplateExtensions = []string{".html", ".htm", ".tmpl", ".tpl", ".txt"}
@@ -1,112 +0,0 @@
-package setup
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/mholt/caddy/middleware/templates"
-)
-
-func TestTemplates(t *testing.T) {
-
-	c := NewTestController(`templates`)
-
-	mid, err := Templates(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(templates.Templates)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type Templates, got: %#v", handler)
-	}
-
-	if myHandler.Rules[0].Path != defaultTemplatePath {
-		t.Errorf("Expected / as the default Path")
-	}
-	if fmt.Sprint(myHandler.Rules[0].Extensions) != fmt.Sprint(defaultTemplateExtensions) {
-		t.Errorf("Expected %v to be the Default Extensions", defaultTemplateExtensions)
-	}
-	var indexFiles []string
-	for _, extension := range defaultTemplateExtensions {
-		indexFiles = append(indexFiles, "index"+extension)
-	}
-	if fmt.Sprint(myHandler.Rules[0].IndexFiles) != fmt.Sprint(indexFiles) {
-		t.Errorf("Expected %v to be the Default Index files", indexFiles)
-	}
-	if myHandler.Rules[0].Delims != [2]string{} {
-		t.Errorf("Expected %v to be the Default Delims", [2]string{})
-	}
-}
-
-func TestTemplatesParse(t *testing.T) {
-	tests := []struct {
-		inputTemplateConfig    string
-		shouldErr              bool
-		expectedTemplateConfig []templates.Rule
-	}{
-		{`templates /api1`, false, []templates.Rule{{
-			Path:       "/api1",
-			Extensions: defaultTemplateExtensions,
-			Delims:     [2]string{},
-		}}},
-		{`templates /api2 .txt .htm`, false, []templates.Rule{{
-			Path:       "/api2",
-			Extensions: []string{".txt", ".htm"},
-			Delims:     [2]string{},
-		}}},
-
-		{`templates /api3 .htm .html
-		  templates /api4 .txt .tpl `, false, []templates.Rule{{
-			Path:       "/api3",
-			Extensions: []string{".htm", ".html"},
-			Delims:     [2]string{},
-		}, {
-			Path:       "/api4",
-			Extensions: []string{".txt", ".tpl"},
-			Delims:     [2]string{},
-		}}},
-		{`templates {
-				path /api5
-				ext .html
-				between {% %}
-			}`, false, []templates.Rule{{
-			Path:       "/api5",
-			Extensions: []string{".html"},
-			Delims:     [2]string{"{%", "%}"},
-		}}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputTemplateConfig)
-		actualTemplateConfigs, err := templatesParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if len(actualTemplateConfigs) != len(test.expectedTemplateConfig) {
-			t.Fatalf("Test %d expected %d no of Template configs, but got %d ",
-				i, len(test.expectedTemplateConfig), len(actualTemplateConfigs))
-		}
-		for j, actualTemplateConfig := range actualTemplateConfigs {
-
-			if actualTemplateConfig.Path != test.expectedTemplateConfig[j].Path {
-				t.Errorf("Test %d expected %dth Template Config Path to be  %s  , but got %s",
-					i, j, test.expectedTemplateConfig[j].Path, actualTemplateConfig.Path)
-			}
-
-			if fmt.Sprint(actualTemplateConfig.Extensions) != fmt.Sprint(test.expectedTemplateConfig[j].Extensions) {
-				t.Errorf("Expected %v to be the  Extensions , but got %v instead", test.expectedTemplateConfig[j].Extensions, actualTemplateConfig.Extensions)
-			}
-		}
-	}
-
-}
@@ -1 +0,0 @@
-# Test h1
@@ -1 +0,0 @@
-<h1>Header title</h1>
@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<title>{{.Doc.title}}</title>
-</head>
-<body>
-{{.Include "header.html"}}
-{{.Doc.body}}
-</body>
-</html>
@@ -1,153 +0,0 @@
-package setup
-
-import (
-	"crypto/tls"
-	"log"
-	"strings"
-
-	"github.com/mholt/caddy/middleware"
-)
-
-func TLS(c *Controller) (middleware.Middleware, error) {
-	if c.Port == "http" {
-		c.TLS.Enabled = false
-		log.Printf("Warning: TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
-			"specify port 80 explicitly (https://%s:80).", c.Port, c.Host, c.Host)
-	} else {
-		c.TLS.Enabled = true // they had a tls directive, so assume it's on unless we confirm otherwise later
-	}
-
-	for c.Next() {
-		args := c.RemainingArgs()
-		switch len(args) {
-		case 1:
-			c.TLS.LetsEncryptEmail = args[0]
-
-			// user can force-disable LE activation this way
-			if c.TLS.LetsEncryptEmail == "off" {
-				c.TLS.Enabled = false
-			}
-		case 2:
-			c.TLS.Certificate = args[0]
-			c.TLS.Key = args[1]
-
-			// manual HTTPS configuration without port specified should be
-			// served on the HTTPS port; that is what user would expect, and
-			// makes it consistent with how the letsencrypt package works.
-			if c.Port == "" {
-				c.Port = "https"
-			}
-		default:
-			return nil, c.ArgErr()
-		}
-
-		// Optional block
-		for c.NextBlock() {
-			switch c.Val() {
-			case "protocols":
-				args := c.RemainingArgs()
-				if len(args) != 2 {
-					return nil, c.ArgErr()
-				}
-				value, ok := supportedProtocols[strings.ToLower(args[0])]
-				if !ok {
-					return nil, c.Errf("Wrong protocol name or protocol not supported '%s'", c.Val())
-				}
-				c.TLS.ProtocolMinVersion = value
-				value, ok = supportedProtocols[strings.ToLower(args[1])]
-				if !ok {
-					return nil, c.Errf("Wrong protocol name or protocol not supported '%s'", c.Val())
-				}
-				c.TLS.ProtocolMaxVersion = value
-			case "ciphers":
-				for c.NextArg() {
-					value, ok := supportedCiphersMap[strings.ToUpper(c.Val())]
-					if !ok {
-						return nil, c.Errf("Wrong cipher name or cipher not supported '%s'", c.Val())
-					}
-					c.TLS.Ciphers = append(c.TLS.Ciphers, value)
-				}
-			case "clients":
-				c.TLS.ClientCerts = c.RemainingArgs()
-				if len(c.TLS.ClientCerts) == 0 {
-					return nil, c.ArgErr()
-				}
-			default:
-				return nil, c.Errf("Unknown keyword '%s'", c.Val())
-			}
-		}
-	}
-
-	// If no ciphers provided, use all that Caddy supports for the protocol
-	if len(c.TLS.Ciphers) == 0 {
-		c.TLS.Ciphers = supportedCiphers
-	}
-
-	// Not a cipher suite, but still important for mitigating protocol downgrade attacks
-	c.TLS.Ciphers = append(c.TLS.Ciphers, tls.TLS_FALLBACK_SCSV)
-
-	// Set default protocol min and max versions - must balance compatibility and security
-	if c.TLS.ProtocolMinVersion == 0 {
-		c.TLS.ProtocolMinVersion = tls.VersionTLS10
-	}
-	if c.TLS.ProtocolMaxVersion == 0 {
-		c.TLS.ProtocolMaxVersion = tls.VersionTLS12
-	}
-
-	// Prefer server cipher suites
-	c.TLS.PreferServerCipherSuites = true
-
-	return nil, nil
-}
-
-// Map of supported protocols
-// SSLv3 will be not supported in future release
-// HTTP/2 only supports TLS 1.2 and higher
-var supportedProtocols = map[string]uint16{
-	"ssl3.0": tls.VersionSSL30,
-	"tls1.0": tls.VersionTLS10,
-	"tls1.1": tls.VersionTLS11,
-	"tls1.2": tls.VersionTLS12,
-}
-
-// Map of supported ciphers, used only for parsing config.
-//
-// Note that, at time of writing, HTTP/2 blacklists 276 cipher suites,
-// including all but two of the suites below (the two GCM suites).
-// See https://http2.github.io/http2-spec/#BadCipherSuites
-//
-// TLS_FALLBACK_SCSV is not in this list because we manually ensure
-// it is always added (even though it is not technically a cipher suite).
-//
-// This map, like any map, is NOT ORDERED. Do not range over this map.
-var supportedCiphersMap = map[string]uint16{
-	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	"ECDHE-RSA-AES128-CBC-SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	"ECDHE-RSA-AES256-CBC-SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	"ECDHE-ECDSA-AES256-CBC-SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	"ECDHE-ECDSA-AES128-CBC-SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	"RSA-AES128-CBC-SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	"RSA-AES256-CBC-SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	"ECDHE-RSA-3DES-EDE-CBC-SHA":    tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	"RSA-3DES-EDE-CBC-SHA":          tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-}
-
-// List of supported cipher suites in descending order of preference.
-// Ordering is very important! Getting the wrong order will break
-// mainstream clients, especially with HTTP/2.
-//
-// Note that TLS_FALLBACK_SCSV is not in this list since it is always
-// added manually.
-var supportedCiphers = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-}
@@ -1,153 +0,0 @@
-package setup
-
-import (
-	"crypto/tls"
-	"testing"
-)
-
-func TestTLSParseBasic(t *testing.T) {
-	c := NewTestController(`tls cert.pem key.pem`)
-
-	_, err := TLS(c)
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	// Basic checks
-	if c.TLS.Certificate != "cert.pem" {
-		t.Errorf("Expected certificate arg to be 'cert.pem', was '%s'", c.TLS.Certificate)
-	}
-	if c.TLS.Key != "key.pem" {
-		t.Errorf("Expected key arg to be 'key.pem', was '%s'", c.TLS.Key)
-	}
-	if !c.TLS.Enabled {
-		t.Error("Expected TLS Enabled=true, but was false")
-	}
-
-	// Security defaults
-	if c.TLS.ProtocolMinVersion != tls.VersionTLS10 {
-		t.Errorf("Expected 'tls1.0 (0x0301)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
-	}
-	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
-		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", c.TLS.ProtocolMaxVersion)
-	}
-
-	// Cipher checks
-	expectedCiphers := []uint16{
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_FALLBACK_SCSV,
-	}
-
-	// Ensure count is correct (plus one for TLS_FALLBACK_SCSV)
-	if len(c.TLS.Ciphers) != len(supportedCiphers)+1 {
-		t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v",
-			len(supportedCiphers)+1, len(c.TLS.Ciphers))
-	}
-
-	// Ensure ordering is correct
-	for i, actual := range c.TLS.Ciphers {
-		if actual != expectedCiphers[i] {
-			t.Errorf("Expected cipher in position %d to be %0x, got %0x", i, expectedCiphers[i], actual)
-		}
-	}
-
-	if !c.TLS.PreferServerCipherSuites {
-		t.Error("Expected PreferServerCipherSuites = true, but was false")
-	}
-}
-
-func TestTLSParseIncompleteParams(t *testing.T) {
-	c := NewTestController(`tls`)
-
-	_, err := TLS(c)
-	if err == nil {
-		t.Errorf("Expected errors (first check), but no error returned")
-	}
-}
-
-func TestTLSParseWithOptionalParams(t *testing.T) {
-	params := `tls cert.crt cert.key {
-            protocols ssl3.0 tls1.2
-            ciphers RSA-3DES-EDE-CBC-SHA RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256
-        }`
-	c := NewTestController(params)
-
-	_, err := TLS(c)
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if c.TLS.ProtocolMinVersion != tls.VersionSSL30 {
-		t.Errorf("Expected 'ssl3.0 (0x0300)' as ProtocolMinVersion, got %#v", c.TLS.ProtocolMinVersion)
-	}
-
-	if c.TLS.ProtocolMaxVersion != tls.VersionTLS12 {
-		t.Errorf("Expected 'tls1.2 (0x0302)' as ProtocolMaxVersion, got %#v", c.TLS.ProtocolMaxVersion)
-	}
-
-	if len(c.TLS.Ciphers)-1 != 3 {
-		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
-	}
-}
-
-func TestTLSParseWithWrongOptionalParams(t *testing.T) {
-	// Test protocols wrong params
-	params := `tls cert.crt cert.key {
-			protocols ssl tls
-		}`
-	c := NewTestController(params)
-	_, err := TLS(c)
-	if err == nil {
-		t.Errorf("Expected errors, but no error returned")
-	}
-
-	// Test ciphers wrong params
-	params = `tls cert.crt cert.key {
-			ciphers not-valid-cipher
-		}`
-	c = NewTestController(params)
-	_, err = TLS(c)
-	if err == nil {
-		t.Errorf("Expected errors, but no error returned")
-	}
-}
-
-func TestTLSParseWithClientAuth(t *testing.T) {
-	params := `tls cert.crt cert.key {
-			clients client_ca.crt client2_ca.crt
-		}`
-	c := NewTestController(params)
-	_, err := TLS(c)
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if count := len(c.TLS.ClientCerts); count != 2 {
-		t.Fatalf("Expected two client certs, had %d", count)
-	}
-	if actual := c.TLS.ClientCerts[0]; actual != "client_ca.crt" {
-		t.Errorf("Expected first client cert file to be '%s', but was '%s'", "client_ca.crt", actual)
-	}
-	if actual := c.TLS.ClientCerts[1]; actual != "client2_ca.crt" {
-		t.Errorf("Expected second client cert file to be '%s', but was '%s'", "client2_ca.crt", actual)
-	}
-
-	// Test missing client cert file
-	params = `tls cert.crt cert.key {
-			clients
-		}`
-	c = NewTestController(params)
-	_, err = TLS(c)
-	if err == nil {
-		t.Errorf("Expected an error, but no error returned")
-	}
-}
@@ -1,87 +0,0 @@
-package setup
-
-import (
-	"github.com/mholt/caddy/middleware"
-	"github.com/mholt/caddy/middleware/websocket"
-)
-
-// WebSocket configures a new WebSocket middleware instance.
-func WebSocket(c *Controller) (middleware.Middleware, error) {
-
-	websocks, err := webSocketParse(c)
-	if err != nil {
-		return nil, err
-	}
-	websocket.GatewayInterface = c.AppName + "-CGI/1.1"
-	websocket.ServerSoftware = c.AppName + "/" + c.AppVersion
-
-	return func(next middleware.Handler) middleware.Handler {
-		return websocket.WebSocket{Next: next, Sockets: websocks}
-	}, nil
-}
-
-func webSocketParse(c *Controller) ([]websocket.Config, error) {
-	var websocks []websocket.Config
-	var respawn bool
-
-	optionalBlock := func() (hadBlock bool, err error) {
-		for c.NextBlock() {
-			hadBlock = true
-			if c.Val() == "respawn" {
-				respawn = true
-			} else {
-				return true, c.Err("Expected websocket configuration parameter in block")
-			}
-		}
-		return
-	}
-
-	for c.Next() {
-		var val, path, command string
-
-		// Path or command; not sure which yet
-		if !c.NextArg() {
-			return nil, c.ArgErr()
-		}
-		val = c.Val()
-
-		// Extra configuration may be in a block
-		hadBlock, err := optionalBlock()
-		if err != nil {
-			return nil, err
-		}
-
-		if !hadBlock {
-			// The next argument on this line will be the command or an open curly brace
-			if c.NextArg() {
-				path = val
-				command = c.Val()
-			} else {
-				path = "/"
-				command = val
-			}
-
-			// Okay, check again for optional block
-			hadBlock, err = optionalBlock()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Split command into the actual command and its arguments
-		cmd, args, err := middleware.SplitCommandAndArgs(command)
-		if err != nil {
-			return nil, err
-		}
-
-		websocks = append(websocks, websocket.Config{
-			Path:      path,
-			Command:   cmd,
-			Arguments: args,
-			Respawn:   respawn, // TODO: This isn't used currently
-		})
-	}
-
-	return websocks, nil
-
-}
@@ -1,105 +0,0 @@
-package setup
-
-import (
-	"testing"
-
-	"github.com/mholt/caddy/middleware/websocket"
-)
-
-func TestWebSocket(t *testing.T) {
-
-	c := NewTestController(`websocket cat`)
-
-	mid, err := WebSocket(c)
-
-	if err != nil {
-		t.Errorf("Expected no errors, got: %v", err)
-	}
-
-	if mid == nil {
-		t.Fatal("Expected middleware, was nil instead")
-	}
-
-	handler := mid(EmptyNext)
-	myHandler, ok := handler.(websocket.WebSocket)
-
-	if !ok {
-		t.Fatalf("Expected handler to be type WebSocket, got: %#v", handler)
-	}
-
-	if myHandler.Sockets[0].Path != "/" {
-		t.Errorf("Expected / as the default Path")
-	}
-	if myHandler.Sockets[0].Command != "cat" {
-		t.Errorf("Expected %s as the command", "cat")
-	}
-
-}
-func TestWebSocketParse(t *testing.T) {
-	tests := []struct {
-		inputWebSocketConfig    string
-		shouldErr               bool
-		expectedWebSocketConfig []websocket.Config
-	}{
-		{`websocket /api1 cat`, false, []websocket.Config{{
-			Path:    "/api1",
-			Command: "cat",
-		}}},
-
-		{`websocket /api3 cat  
-		  websocket /api4 cat `, false, []websocket.Config{{
-			Path:    "/api3",
-			Command: "cat",
-		}, {
-			Path:    "/api4",
-			Command: "cat",
-		}}},
-
-		{`websocket /api5 "cmd arg1 arg2 arg3"`, false, []websocket.Config{{
-			Path:      "/api5",
-			Command:   "cmd",
-			Arguments: []string{"arg1", "arg2", "arg3"},
-		}}},
-
-		// accept respawn
-		{`websocket /api6 cat {
-			respawn
-		}`, false, []websocket.Config{{
-			Path:    "/api6",
-			Command: "cat",
-		}}},
-
-		// invalid configuration
-		{`websocket /api7 cat {
-			invalid
-		}`, true, []websocket.Config{}},
-	}
-	for i, test := range tests {
-		c := NewTestController(test.inputWebSocketConfig)
-		actualWebSocketConfigs, err := webSocketParse(c)
-
-		if err == nil && test.shouldErr {
-			t.Errorf("Test %d didn't error, but it should have", i)
-		} else if err != nil && !test.shouldErr {
-			t.Errorf("Test %d errored, but it shouldn't have; got '%v'", i, err)
-		}
-		if len(actualWebSocketConfigs) != len(test.expectedWebSocketConfig) {
-			t.Fatalf("Test %d expected %d no of WebSocket configs, but got %d ",
-				i, len(test.expectedWebSocketConfig), len(actualWebSocketConfigs))
-		}
-		for j, actualWebSocketConfig := range actualWebSocketConfigs {
-
-			if actualWebSocketConfig.Path != test.expectedWebSocketConfig[j].Path {
-				t.Errorf("Test %d expected %dth WebSocket Config Path to be  %s  , but got %s",
-					i, j, test.expectedWebSocketConfig[j].Path, actualWebSocketConfig.Path)
-			}
-
-			if actualWebSocketConfig.Command != test.expectedWebSocketConfig[j].Command {
-				t.Errorf("Test %d expected %dth WebSocket Config Command to be  %s  , but got %s",
-					i, j, test.expectedWebSocketConfig[j].Command, actualWebSocketConfig.Command)
-			}
-
-		}
-	}
-
-}
@@ -1,33 +0,0 @@
-package caddy
-
-import (
-	"log"
-	"os"
-	"os/signal"
-
-	"github.com/mholt/caddy/server"
-)
-
-func init() {
-	// Trap quit signals (cross-platform)
-	go func() {
-		shutdown := make(chan os.Signal, 1)
-		signal.Notify(shutdown, os.Interrupt, os.Kill)
-		<-shutdown
-
-		var exitCode int
-
-		serversMu.Lock()
-		errs := server.ShutdownCallbacks(servers)
-		serversMu.Unlock()
-
-		if len(errs) > 0 {
-			for _, err := range errs {
-				log.Println(err)
-			}
-			exitCode = 1
-		}
-
-		os.Exit(exitCode)
-	}()
-}
@@ -1,43 +0,0 @@
-// +build !windows
-
-package caddy
-
-import (
-	"io/ioutil"
-	"log"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-func init() {
-	// Trap POSIX-only signals
-	go func() {
-		reload := make(chan os.Signal, 1)
-		signal.Notify(reload, syscall.SIGUSR1) // reload configuration
-
-		for {
-			<-reload
-
-			var updatedCaddyfile Input
-
-			caddyfileMu.Lock()
-			if caddyfile.IsFile() {
-				body, err := ioutil.ReadFile(caddyfile.Path())
-				if err == nil {
-					caddyfile = CaddyfileInput{
-						Filepath: caddyfile.Path(),
-						Contents: body,
-						RealFile: true,
-					}
-				}
-			}
-			caddyfileMu.Unlock()
-
-			err := Restart(updatedCaddyfile)
-			if err != nil {
-				log.Println("error at restart:", err)
-			}
-		}
-	}()
-}
@@ -0,0 +1,87 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+)
+
+// Adapter adapts Caddyfile to Caddy JSON.
+type Adapter struct {
+	ServerType ServerType
+}
+
+// Adapt converts the Caddyfile config in body to Caddy JSON.
+func (a Adapter) Adapt(body []byte, options map[string]interface{}) ([]byte, []caddyconfig.Warning, error) {
+	if a.ServerType == nil {
+		return nil, nil, fmt.Errorf("no server type")
+	}
+	if options == nil {
+		options = make(map[string]interface{})
+	}
+
+	filename, _ := options["filename"].(string)
+	if filename == "" {
+		filename = "Caddyfile"
+	}
+
+	serverBlocks, err := Parse(filename, bytes.NewReader(body))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cfg, warnings, err := a.ServerType.Setup(serverBlocks, options)
+	if err != nil {
+		return nil, warnings, err
+	}
+
+	marshalFunc := json.Marshal
+	if options["pretty"] == "true" {
+		marshalFunc = caddyconfig.JSONIndent
+	}
+	result, err := marshalFunc(cfg)
+
+	return result, warnings, err
+}
+
+// Unmarshaler is a type that can unmarshal
+// Caddyfile tokens to set itself up for a
+// JSON encoding. The goal of an unmarshaler
+// is not to set itself up for actual use,
+// but to set itself up for being marshaled
+// into JSON. Caddyfile-unmarshaled values
+// will not be used directly; they will be
+// encoded as JSON and then used from that.
+type Unmarshaler interface {
+	UnmarshalCaddyfile(d *Dispenser) error
+}
+
+// ServerType is a type that can evaluate a Caddyfile and set up a caddy config.
+type ServerType interface {
+	// Setup takes the server blocks which
+	// contain tokens, as well as options
+	// (e.g. CLI flags) and creates a Caddy
+	// config, along with any warnings or
+	// an error.
+	Setup([]ServerBlock, map[string]interface{}) (*caddy.Config, []caddyconfig.Warning, error)
+}
+
+// Interface guard
+var _ caddyconfig.Adapter = (*Adapter)(nil)
@@ -0,0 +1,371 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// Dispenser is a type that dispenses tokens, similarly to a lexer,
+// except that it can do so with some notion of structure. An empty
+// Dispenser is invalid; call NewDispenser to make a proper instance.
+type Dispenser struct {
+	tokens  []Token
+	cursor  int
+	nesting int
+}
+
+// NewDispenser returns a Dispenser filled with the given tokens.
+func NewDispenser(tokens []Token) *Dispenser {
+	return &Dispenser{
+		tokens: tokens,
+		cursor: -1,
+	}
+}
+
+// Next loads the next token. Returns true if a token
+// was loaded; false otherwise. If false, all tokens
+// have been consumed.
+func (d *Dispenser) Next() bool {
+	if d.cursor < len(d.tokens)-1 {
+		d.cursor++
+		return true
+	}
+	return false
+}
+
+// Prev moves to the previous token. It does the inverse
+// of Next(), except this function may decrement the cursor
+// to -1 so that the next call to Next() points to the
+// first token; this allows dispensing to "start over". This
+// method returns true if the cursor ends up pointing to a
+// valid token.
+func (d *Dispenser) Prev() bool {
+	if d.cursor > -1 {
+		d.cursor--
+		return d.cursor > -1
+	}
+	return false
+}
+
+// NextArg loads the next token if it is on the same
+// line and if it is not a block opening (open curly
+// brace). Returns true if an argument token was
+// loaded; false otherwise. If false, all tokens on
+// the line have been consumed except for potentially
+// a block opening. It handles imported tokens
+// correctly.
+func (d *Dispenser) NextArg() bool {
+	if !d.nextOnSameLine() {
+		return false
+	}
+	if d.Val() == "{" {
+		// roll back; a block opening is not an argument
+		d.cursor--
+		return false
+	}
+	return true
+}
+
+// nextOnSameLine advances the cursor if the next
+// token is on the same line of the same file.
+func (d *Dispenser) nextOnSameLine() bool {
+	if d.cursor < 0 {
+		d.cursor++
+		return true
+	}
+	if d.cursor >= len(d.tokens) {
+		return false
+	}
+	if d.cursor < len(d.tokens)-1 &&
+		d.tokens[d.cursor].File == d.tokens[d.cursor+1].File &&
+		d.tokens[d.cursor].Line+d.numLineBreaks(d.cursor) == d.tokens[d.cursor+1].Line {
+		d.cursor++
+		return true
+	}
+	return false
+}
+
+// NextLine loads the next token only if it is not on the same
+// line as the current token, and returns true if a token was
+// loaded; false otherwise. If false, there is not another token
+// or it is on the same line. It handles imported tokens correctly.
+func (d *Dispenser) NextLine() bool {
+	if d.cursor < 0 {
+		d.cursor++
+		return true
+	}
+	if d.cursor >= len(d.tokens) {
+		return false
+	}
+	if d.cursor < len(d.tokens)-1 &&
+		(d.tokens[d.cursor].File != d.tokens[d.cursor+1].File ||
+			d.tokens[d.cursor].Line+d.numLineBreaks(d.cursor) < d.tokens[d.cursor+1].Line) {
+		d.cursor++
+		return true
+	}
+	return false
+}
+
+// NextBlock can be used as the condition of a for loop
+// to load the next token as long as it opens a block or
+// is already in a block nested more than initialNestingLevel.
+// In other words, a loop over NextBlock() will iterate
+// all tokens in the block assuming the next token is an
+// open curly brace, until the matching closing brace.
+// The open and closing brace tokens for the outer-most
+// block will be consumed internally and omitted from
+// the iteration.
+//
+// Proper use of this method looks like this:
+//
+//     for nesting := d.Nesting(); d.NextBlock(nesting); {
+//     }
+//
+// However, in simple cases where it is known that the
+// Dispenser is new and has not already traversed state
+// by a loop over NextBlock(), this will do:
+//
+//     for d.NextBlock(0) {
+//     }
+//
+// As with other token parsing logic, a loop over
+// NextBlock() should be contained within a loop over
+// Next(), as it is usually prudent to skip the initial
+// token.
+func (d *Dispenser) NextBlock(initialNestingLevel int) bool {
+	if d.nesting > initialNestingLevel {
+		if !d.Next() {
+			return false // should be EOF error
+		}
+		if d.Val() == "}" {
+			d.nesting--
+		}
+		return d.nesting > initialNestingLevel
+	}
+	if !d.nextOnSameLine() { // block must open on same line
+		return false
+	}
+	if d.Val() != "{" {
+		d.cursor-- // roll back if not opening brace
+		return false
+	}
+	d.Next() // consume open curly brace
+	if d.Val() == "}" {
+		return false // open and then closed right away
+	}
+	d.nesting++
+	return true
+}
+
+// Nesting returns the current nesting level. Necessary
+// if using NextBlock()
+func (d *Dispenser) Nesting() int {
+	return d.nesting
+}
+
+// Val gets the text of the current token. If there is no token
+// loaded, it returns empty string.
+func (d *Dispenser) Val() string {
+	if d.cursor < 0 || d.cursor >= len(d.tokens) {
+		return ""
+	}
+	return d.tokens[d.cursor].Text
+}
+
+// Line gets the line number of the current token.
+// If there is no token loaded, it returns 0.
+func (d *Dispenser) Line() int {
+	if d.cursor < 0 || d.cursor >= len(d.tokens) {
+		return 0
+	}
+	return d.tokens[d.cursor].Line
+}
+
+// File gets the filename where the current token originated.
+func (d *Dispenser) File() string {
+	if d.cursor < 0 || d.cursor >= len(d.tokens) {
+		return ""
+	}
+	return d.tokens[d.cursor].File
+}
+
+// Args is a convenience function that loads the next arguments
+// (tokens on the same line) into an arbitrary number of strings
+// pointed to in targets. If there are not enough argument tokens
+// available to fill targets, false is returned and the remaining
+// targets are left unchanged. If all the targets are filled,
+// then true is returned.
+func (d *Dispenser) Args(targets ...*string) bool {
+	for i := 0; i < len(targets); i++ {
+		if !d.NextArg() {
+			return false
+		}
+		*targets[i] = d.Val()
+	}
+	return true
+}
+
+// AllArgs is like Args, but if there are more argument tokens
+// available than there are targets, false is returned. The
+// number of available argument tokens must match the number of
+// targets exactly to return true.
+func (d *Dispenser) AllArgs(targets ...*string) bool {
+	if !d.Args(targets...) {
+		return false
+	}
+	if d.NextArg() {
+		d.Prev()
+		return false
+	}
+	return true
+}
+
+// RemainingArgs loads any more arguments (tokens on the same line)
+// into a slice and returns them. Open curly brace tokens also indicate
+// the end of arguments, and the curly brace is not included in
+// the return value nor is it loaded.
+func (d *Dispenser) RemainingArgs() []string {
+	var args []string
+	for d.NextArg() {
+		args = append(args, d.Val())
+	}
+	return args
+}
+
+// NewFromNextTokens returns a new dispenser with a copy of
+// the tokens from the current token until the end of the
+// "directive" whether that be to the end of the line or
+// the end of a block that starts at the end of the line;
+// in other words, until the end of the segment.
+func (d *Dispenser) NewFromNextTokens() *Dispenser {
+	tkns := []Token{d.Token()}
+	for d.NextArg() {
+		tkns = append(tkns, d.Token())
+	}
+	var openedBlock bool
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		if !openedBlock {
+			// because NextBlock() consumes the initial open
+			// curly brace, we rewind here to append it, since
+			// our case is special in that we want to include
+			// all the tokens including surrounding curly braces
+			// for a new dispenser to have
+			d.Prev()
+			tkns = append(tkns, d.Token())
+			d.Next()
+			openedBlock = true
+		}
+		tkns = append(tkns, d.Token())
+	}
+	if openedBlock {
+		// include closing brace accordingly
+		tkns = append(tkns, d.Token())
+	}
+	return NewDispenser(tkns)
+}
+
+// Token returns the current token.
+func (d *Dispenser) Token() Token {
+	if d.cursor < 0 || d.cursor >= len(d.tokens) {
+		return Token{}
+	}
+	return d.tokens[d.cursor]
+}
+
+// Reset sets d's cursor to the beginning, as
+// if this was a new and unused dispenser.
+func (d *Dispenser) Reset() {
+	d.cursor = -1
+	d.nesting = 0
+}
+
+// ArgErr returns an argument error, meaning that another
+// argument was expected but not found. In other words,
+// a line break or open curly brace was encountered instead of
+// an argument.
+func (d *Dispenser) ArgErr() error {
+	if d.Val() == "{" {
+		return d.Err("Unexpected token '{', expecting argument")
+	}
+	return d.Errf("Wrong argument count or unexpected line ending after '%s'", d.Val())
+}
+
+// SyntaxErr creates a generic syntax error which explains what was
+// found and what was expected.
+func (d *Dispenser) SyntaxErr(expected string) error {
+	msg := fmt.Sprintf("%s:%d - Syntax error: Unexpected token '%s', expecting '%s'", d.File(), d.Line(), d.Val(), expected)
+	return errors.New(msg)
+}
+
+// EOFErr returns an error indicating that the dispenser reached
+// the end of the input when searching for the next token.
+func (d *Dispenser) EOFErr() error {
+	return d.Errf("Unexpected EOF")
+}
+
+// Err generates a custom parse-time error with a message of msg.
+func (d *Dispenser) Err(msg string) error {
+	msg = fmt.Sprintf("%s:%d - Error during parsing: %s", d.File(), d.Line(), msg)
+	return errors.New(msg)
+}
+
+// Errf is like Err, but for formatted error messages
+func (d *Dispenser) Errf(format string, args ...interface{}) error {
+	return d.Err(fmt.Sprintf(format, args...))
+}
+
+// Delete deletes the current token and returns the updated slice
+// of tokens. The cursor is not advanced to the next token.
+// Because deletion modifies the underlying slice, this method
+// should only be called if you have access to the original slice
+// of tokens and/or are using the slice of tokens outside this
+// Dispenser instance. If you do not re-assign the slice with the
+// return value of this method, inconsistencies in the token
+// array will become apparent (or worse, hide from you like they
+// did me for 3 and a half freaking hours late one night).
+func (d *Dispenser) Delete() []Token {
+	if d.cursor >= 0 && d.cursor <= len(d.tokens)-1 {
+		d.tokens = append(d.tokens[:d.cursor], d.tokens[d.cursor+1:]...)
+		d.cursor--
+	}
+	return d.tokens
+}
+
+// numLineBreaks counts how many line breaks are in the token
+// value given by the token index tknIdx. It returns 0 if the
+// token does not exist or there are no line breaks.
+func (d *Dispenser) numLineBreaks(tknIdx int) int {
+	if tknIdx < 0 || tknIdx >= len(d.tokens) {
+		return 0
+	}
+	return strings.Count(d.tokens[tknIdx].Text, "\n")
+}
+
+// isNewLine determines whether the current token is on a different
+// line (higher line number) than the previous token. It handles imported
+// tokens correctly. If there isn't a previous token, it returns true.
+func (d *Dispenser) isNewLine() bool {
+	if d.cursor < 1 {
+		return true
+	}
+	if d.cursor > len(d.tokens)-1 {
+		return false
+	}
+	return d.tokens[d.cursor-1].File != d.tokens[d.cursor].File ||
+		d.tokens[d.cursor-1].Line+d.numLineBreaks(d.cursor-1) < d.tokens[d.cursor].Line
+}
@@ -1,6 +1,22 @@
-package parse
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile

 import (
+	"io"
+	"log"
 	"reflect"
 	"strings"
 	"testing"
@@ -11,7 +27,7 @@ func TestDispenser_Val_Next(t *testing.T) {
 			  dir1 arg1
 			  dir2 arg2 arg3
 			  dir3`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	if val := d.Val(); val != "" {
 		t.Fatalf("Val(): Should return empty string when no token loaded; got '%s'", val)
@@ -49,7 +65,7 @@ func TestDispenser_NextArg(t *testing.T) {
 	input := `dir1 arg1
 			  dir2 arg2 arg3
 			  dir3`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	assertNext := func(shouldLoad bool, expectedVal string, expectedCursor int) {
 		if d.Next() != shouldLoad {
@@ -64,7 +80,7 @@ func TestDispenser_NextArg(t *testing.T) {
 	}

 	assertNextArg := func(expectedVal string, loadAnother bool, expectedCursor int) {
-		if d.NextArg() != true {
+		if !d.NextArg() {
 			t.Error("NextArg(): Should load next argument but got false instead")
 		}
 		if d.cursor != expectedCursor {
@@ -74,7 +90,7 @@ func TestDispenser_NextArg(t *testing.T) {
 			t.Errorf("Val(): Expected '%s' but got '%s'", expectedVal, val)
 		}
 		if !loadAnother {
-			if d.NextArg() != false {
+			if d.NextArg() {
 				t.Fatalf("NextArg(): Should NOT load another argument, but got true instead (val: '%s')", d.Val())
 			}
 			if d.cursor != expectedCursor {
@@ -96,7 +112,7 @@ func TestDispenser_NextLine(t *testing.T) {
 	input := `host:port
 			  dir1 arg1
 			  dir2 arg2 arg3`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	assertNextLine := func(shouldLoad bool, expectedVal string, expectedCursor int) {
 		if d.NextLine() != shouldLoad {
@@ -129,10 +145,10 @@ func TestDispenser_NextBlock(t *testing.T) {
 			  }
 			  foobar2 {
 			  }`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	assertNextBlock := func(shouldLoad bool, expectedCursor, expectedNesting int) {
-		if loaded := d.NextBlock(); loaded != shouldLoad {
+		if loaded := d.NextBlock(0); loaded != shouldLoad {
 			t.Errorf("NextBlock(): Should return %v but got %v", shouldLoad, loaded)
 		}
 		if d.cursor != expectedCursor {
@@ -159,7 +175,7 @@ func TestDispenser_Args(t *testing.T) {
 			  dir2 arg4 arg5
 			  dir3 arg6 arg7
 			  dir4`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	d.Next() // dir1

@@ -226,7 +242,7 @@ func TestDispenser_RemainingArgs(t *testing.T) {
 			  dir2 arg4 arg5
 			  dir3 arg6 { arg7
 			  dir4`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	d.Next() // dir1

@@ -263,7 +279,7 @@ func TestDispenser_ArgErr_Err(t *testing.T) {
 	input := `dir1 {
 			  }
 			  dir2 arg1 arg2`
-	d := NewDispenser("Testfile", strings.NewReader(input))
+	d := newTestDispenser(input)

 	d.cursor = 1 // {

@@ -290,3 +306,11 @@ func TestDispenser_ArgErr_Err(t *testing.T) {
 		t.Errorf("Expected error message with custom message in it ('foobar'); got '%v'", err)
 	}
 }
+
+func newTestDispenser(input string) *Dispenser {
+	tokens, err := allTokens("Testfile", strings.NewReader(input))
+	if err != nil && err != io.EOF {
+		log.Fatalf("getting all tokens from input: %v", err)
+	}
+	return NewDispenser(tokens)
+}
@@ -1,4 +1,18 @@
-package parse
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile

 import (
 	"bufio"
@@ -12,23 +26,38 @@ type (
 	// are separated by whitespace. A word can be enclosed
 	// in quotes if it contains whitespace.
 	lexer struct {
-		reader *bufio.Reader
-		token  token
-		line   int
+		reader       *bufio.Reader
+		token        Token
+		line         int
+		skippedLines int
 	}

-	// token represents a single parsable unit.
-	token struct {
-		file string
-		line int
-		text string
+	// Token represents a single parsable unit.
+	Token struct {
+		File string
+		Line int
+		Text string
 	}
 )

 // load prepares the lexer to scan an input for tokens.
+// It discards any leading byte order mark.
 func (l *lexer) load(input io.Reader) error {
 	l.reader = bufio.NewReader(input)
 	l.line = 1
+
+	// discard byte order mark, if present
+	firstCh, _, err := l.reader.ReadRune()
+	if err != nil {
+		return err
+	}
+	if firstCh != 0xFEFF {
+		err := l.reader.UnreadRune()
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

@@ -47,7 +76,7 @@ func (l *lexer) next() bool {
 	var comment, quoted, escaped bool

 	makeToken := func() bool {
-		l.token.text = string(val)
+		l.token.Text = string(val)
 		return true
 	}

@@ -63,27 +92,29 @@ func (l *lexer) next() bool {
 			panic(err)
 		}

+		if !escaped && ch == '\\' {
+			escaped = true
+			continue
+		}
+
 		if quoted {
-			if !escaped {
-				if ch == '\\' {
-					escaped = true
-					continue
-				} else if ch == '"' {
-					quoted = false
+			if escaped {
+				// all is literal in quoted area,
+				// so only escape quotes
+				if ch != '"' {
+					val = append(val, '\\')
+				}
+				escaped = false
+			} else {
+				if ch == '"' {
 					return makeToken()
 				}
 			}
 			if ch == '\n' {
-				l.line++
-			}
-			if escaped {
-				// only escape quotes
-				if ch != '"' {
-					val = append(val, '\\')
-				}
+				l.line += 1 + l.skippedLines
+				l.skippedLines = 0
 			}
 			val = append(val, ch)
-			escaped = false
 			continue
 		}

@@ -92,7 +123,13 @@ func (l *lexer) next() bool {
 				continue
 			}
 			if ch == '\n' {
-				l.line++
+				if escaped {
+					l.skippedLines++
+					escaped = false
+				} else {
+					l.line += 1 + l.skippedLines
+					l.skippedLines = 0
+				}
 				comment = false
 			}
 			if len(val) > 0 {
@@ -104,19 +141,23 @@ func (l *lexer) next() bool {
 		if ch == '#' {
 			comment = true
 		}
-
 		if comment {
 			continue
 		}

 		if len(val) == 0 {
-			l.token = token{line: l.line}
+			l.token = Token{Line: l.line}
 			if ch == '"' {
 				quoted = true
 				continue
 			}
 		}

+		if escaped {
+			val = append(val, '\\')
+			escaped = false
+		}
+
 		val = append(val, ch)
 	}
 }
@@ -0,0 +1,238 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile
+
+import (
+	"log"
+	"strings"
+	"testing"
+)
+
+type lexerTestCase struct {
+	input    string
+	expected []Token
+}
+
+func TestLexer(t *testing.T) {
+	testCases := []lexerTestCase{
+		{
+			input: `host:123`,
+			expected: []Token{
+				{Line: 1, Text: "host:123"},
+			},
+		},
+		{
+			input: `host:123
+
+					directive`,
+			expected: []Token{
+				{Line: 1, Text: "host:123"},
+				{Line: 3, Text: "directive"},
+			},
+		},
+		{
+			input: `host:123 {
+						directive
+					}`,
+			expected: []Token{
+				{Line: 1, Text: "host:123"},
+				{Line: 1, Text: "{"},
+				{Line: 2, Text: "directive"},
+				{Line: 3, Text: "}"},
+			},
+		},
+		{
+			input: `host:123 { directive }`,
+			expected: []Token{
+				{Line: 1, Text: "host:123"},
+				{Line: 1, Text: "{"},
+				{Line: 1, Text: "directive"},
+				{Line: 1, Text: "}"},
+			},
+		},
+		{
+			input: `host:123 {
+						#comment
+						directive
+						# comment
+						foobar # another comment
+					}`,
+			expected: []Token{
+				{Line: 1, Text: "host:123"},
+				{Line: 1, Text: "{"},
+				{Line: 3, Text: "directive"},
+				{Line: 5, Text: "foobar"},
+				{Line: 6, Text: "}"},
+			},
+		},
+		{
+			input: `a "quoted value" b
+					foobar`,
+			expected: []Token{
+				{Line: 1, Text: "a"},
+				{Line: 1, Text: "quoted value"},
+				{Line: 1, Text: "b"},
+				{Line: 2, Text: "foobar"},
+			},
+		},
+		{
+			input: `A "quoted \"value\" inside" B`,
+			expected: []Token{
+				{Line: 1, Text: "A"},
+				{Line: 1, Text: `quoted "value" inside`},
+				{Line: 1, Text: "B"},
+			},
+		},
+		{
+			input: "An escaped \"newline\\\ninside\" quotes",
+			expected: []Token{
+				{Line: 1, Text: "An"},
+				{Line: 1, Text: "escaped"},
+				{Line: 1, Text: "newline\\\ninside"},
+				{Line: 2, Text: "quotes"},
+			},
+		},
+		{
+			input: "An escaped newline\\\noutside quotes",
+			expected: []Token{
+				{Line: 1, Text: "An"},
+				{Line: 1, Text: "escaped"},
+				{Line: 1, Text: "newline"},
+				{Line: 1, Text: "outside"},
+				{Line: 1, Text: "quotes"},
+			},
+		},
+		{
+			input: "line1\\\nescaped\nline2\nline3",
+			expected: []Token{
+				{Line: 1, Text: "line1"},
+				{Line: 1, Text: "escaped"},
+				{Line: 3, Text: "line2"},
+				{Line: 4, Text: "line3"},
+			},
+		},
+		{
+			input: "line1\\\nescaped1\\\nescaped2\nline4\nline5",
+			expected: []Token{
+				{Line: 1, Text: "line1"},
+				{Line: 1, Text: "escaped1"},
+				{Line: 1, Text: "escaped2"},
+				{Line: 4, Text: "line4"},
+				{Line: 5, Text: "line5"},
+			},
+		},
+		{
+			input: `"unescapable\ in quotes"`,
+			expected: []Token{
+				{Line: 1, Text: `unescapable\ in quotes`},
+			},
+		},
+		{
+			input: `"don't\escape"`,
+			expected: []Token{
+				{Line: 1, Text: `don't\escape`},
+			},
+		},
+		{
+			input: `"don't\\escape"`,
+			expected: []Token{
+				{Line: 1, Text: `don't\\escape`},
+			},
+		},
+		{
+			input: `un\escapable`,
+			expected: []Token{
+				{Line: 1, Text: `un\escapable`},
+			},
+		},
+		{
+			input: `A "quoted value with line
+					break inside" {
+						foobar
+					}`,
+			expected: []Token{
+				{Line: 1, Text: "A"},
+				{Line: 1, Text: "quoted value with line\n\t\t\t\t\tbreak inside"},
+				{Line: 2, Text: "{"},
+				{Line: 3, Text: "foobar"},
+				{Line: 4, Text: "}"},
+			},
+		},
+		{
+			input: `"C:\php\php-cgi.exe"`,
+			expected: []Token{
+				{Line: 1, Text: `C:\php\php-cgi.exe`},
+			},
+		},
+		{
+			input: `empty "" string`,
+			expected: []Token{
+				{Line: 1, Text: `empty`},
+				{Line: 1, Text: ``},
+				{Line: 1, Text: `string`},
+			},
+		},
+		{
+			input: "skip those\r\nCR characters",
+			expected: []Token{
+				{Line: 1, Text: "skip"},
+				{Line: 1, Text: "those"},
+				{Line: 2, Text: "CR"},
+				{Line: 2, Text: "characters"},
+			},
+		},
+		{
+			input: "\xEF\xBB\xBF:8080", // test with leading byte order mark
+			expected: []Token{
+				{Line: 1, Text: ":8080"},
+			},
+		},
+	}
+
+	for i, testCase := range testCases {
+		actual := tokenize(testCase.input)
+		lexerCompare(t, i, testCase.expected, actual)
+	}
+}
+
+func tokenize(input string) (tokens []Token) {
+	l := lexer{}
+	if err := l.load(strings.NewReader(input)); err != nil {
+		log.Printf("[ERROR] load failed: %v", err)
+	}
+	for l.next() {
+		tokens = append(tokens, l.token)
+	}
+	return
+}
+
+func lexerCompare(t *testing.T, n int, expected, actual []Token) {
+	if len(expected) != len(actual) {
+		t.Errorf("Test case %d: expected %d token(s) but got %d", n, len(expected), len(actual))
+	}
+
+	for i := 0; i < len(actual) && i < len(expected); i++ {
+		if actual[i].Line != expected[i].Line {
+			t.Errorf("Test case %d token %d ('%s'): expected line %d but was line %d",
+				n, i, expected[i].Text, expected[i].Line, actual[i].Line)
+			break
+		}
+		if actual[i].Text != expected[i].Text {
+			t.Errorf("Test case %d token %d: expected text '%s' but was '%s'",
+				n, i, expected[i].Text, actual[i].Text)
+			break
+		}
+	}
+}
@@ -0,0 +1,516 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile
+
+import (
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// Parse parses the input just enough to group tokens, in
+// order, by server block. No further parsing is performed.
+// Server blocks are returned in the order in which they appear.
+// Directives that do not appear in validDirectives will cause
+// an error. If you do not want to check for valid directives,
+// pass in nil instead.
+func Parse(filename string, input io.Reader) ([]ServerBlock, error) {
+	tokens, err := allTokens(filename, input)
+	if err != nil {
+		return nil, err
+	}
+	p := parser{Dispenser: NewDispenser(tokens)}
+	return p.parseAll()
+}
+
+// allTokens lexes the entire input, but does not parse it.
+// It returns all the tokens from the input, unstructured
+// and in order.
+func allTokens(filename string, input io.Reader) ([]Token, error) {
+	l := new(lexer)
+	err := l.load(input)
+	if err != nil {
+		return nil, err
+	}
+	var tokens []Token
+	for l.next() {
+		l.token.File = filename
+		tokens = append(tokens, l.token)
+	}
+	return tokens, nil
+}
+
+type parser struct {
+	*Dispenser
+	block           ServerBlock // current server block being parsed
+	eof             bool        // if we encounter a valid EOF in a hard place
+	definedSnippets map[string][]Token
+	nesting         int
+}
+
+func (p *parser) parseAll() ([]ServerBlock, error) {
+	var blocks []ServerBlock
+
+	for p.Next() {
+		err := p.parseOne()
+		if err != nil {
+			return blocks, err
+		}
+		if len(p.block.Keys) > 0 || len(p.block.Segments) > 0 {
+			blocks = append(blocks, p.block)
+		}
+		if p.nesting > 0 {
+			return blocks, p.EOFErr()
+		}
+	}
+
+	return blocks, nil
+}
+
+func (p *parser) parseOne() error {
+	p.block = ServerBlock{}
+	return p.begin()
+}
+
+func (p *parser) begin() error {
+	if len(p.tokens) == 0 {
+		return nil
+	}
+
+	err := p.addresses()
+
+	if err != nil {
+		return err
+	}
+
+	if p.eof {
+		// this happens if the Caddyfile consists of only
+		// a line of addresses and nothing else
+		return nil
+	}
+
+	if ok, name := p.isSnippet(); ok {
+		if p.definedSnippets == nil {
+			p.definedSnippets = map[string][]Token{}
+		}
+		if _, found := p.definedSnippets[name]; found {
+			return p.Errf("redeclaration of previously declared snippet %s", name)
+		}
+		// consume all tokens til matched close brace
+		tokens, err := p.snippetTokens()
+		if err != nil {
+			return err
+		}
+		p.definedSnippets[name] = tokens
+		// empty block keys so we don't save this block as a real server.
+		p.block.Keys = nil
+		return nil
+	}
+
+	return p.blockContents()
+}
+
+func (p *parser) addresses() error {
+	var expectingAnother bool
+
+	for {
+		tkn := replaceEnvVars(p.Val())
+
+		// special case: import directive replaces tokens during parse-time
+		if tkn == "import" && p.isNewLine() {
+			err := p.doImport()
+			if err != nil {
+				return err
+			}
+			continue
+		}
+
+		// Open brace definitely indicates end of addresses
+		if tkn == "{" {
+			if expectingAnother {
+				return p.Errf("Expected another address but had '%s' - check for extra comma", tkn)
+			}
+			break
+		}
+
+		if tkn != "" { // empty token possible if user typed ""
+			// Trailing comma indicates another address will follow, which
+			// may possibly be on the next line
+			if tkn[len(tkn)-1] == ',' {
+				tkn = tkn[:len(tkn)-1]
+				expectingAnother = true
+			} else {
+				expectingAnother = false // but we may still see another one on this line
+			}
+
+			p.block.Keys = append(p.block.Keys, tkn)
+		}
+
+		// Advance token and possibly break out of loop or return error
+		hasNext := p.Next()
+		if expectingAnother && !hasNext {
+			return p.EOFErr()
+		}
+		if !hasNext {
+			p.eof = true
+			break // EOF
+		}
+		if !expectingAnother && p.isNewLine() {
+			break
+		}
+	}
+
+	return nil
+}
+
+func (p *parser) blockContents() error {
+	errOpenCurlyBrace := p.openCurlyBrace()
+	if errOpenCurlyBrace != nil {
+		// single-server configs don't need curly braces
+		p.cursor--
+	}
+
+	err := p.directives()
+	if err != nil {
+		return err
+	}
+
+	// only look for close curly brace if there was an opening
+	if errOpenCurlyBrace == nil {
+		err = p.closeCurlyBrace()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// directives parses through all the lines for directives
+// and it expects the next token to be the first
+// directive. It goes until EOF or closing curly brace
+// which ends the server block.
+func (p *parser) directives() error {
+	for p.Next() {
+		// end of server block
+		if p.Val() == "}" {
+			// p.nesting has already been decremented
+			break
+		}
+
+		// special case: import directive replaces tokens during parse-time
+		if p.Val() == "import" {
+			err := p.doImport()
+			if err != nil {
+				return err
+			}
+			p.cursor-- // cursor is advanced when we continue, so roll back one more
+			continue
+		}
+
+		// normal case: parse a directive as a new segment
+		// (a "segment" is a line which starts with a directive
+		// and which ends at the end of the line or at the end of
+		// the block that is opened at the end of the line)
+		if err := p.directive(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// doImport swaps out the import directive and its argument
+// (a total of 2 tokens) with the tokens in the specified file
+// or globbing pattern. When the function returns, the cursor
+// is on the token before where the import directive was. In
+// other words, call Next() to access the first token that was
+// imported.
+func (p *parser) doImport() error {
+	// syntax checks
+	if !p.NextArg() {
+		return p.ArgErr()
+	}
+	importPattern := replaceEnvVars(p.Val())
+	if importPattern == "" {
+		return p.Err("Import requires a non-empty filepath")
+	}
+	if p.NextArg() {
+		return p.Err("Import takes only one argument (glob pattern or file)")
+	}
+	// splice out the import directive and its argument (2 tokens total)
+	tokensBefore := p.tokens[:p.cursor-1]
+	tokensAfter := p.tokens[p.cursor+1:]
+	var importedTokens []Token
+
+	// first check snippets. That is a simple, non-recursive replacement
+	if p.definedSnippets != nil && p.definedSnippets[importPattern] != nil {
+		importedTokens = p.definedSnippets[importPattern]
+	} else {
+		// make path relative to the file of the _token_ being processed rather
+		// than current working directory (issue #867) and then use glob to get
+		// list of matching filenames
+		absFile, err := filepath.Abs(p.Dispenser.File())
+		if err != nil {
+			return p.Errf("Failed to get absolute path of file: %s: %v", p.Dispenser.File(), err)
+		}
+
+		var matches []string
+		var globPattern string
+		if !filepath.IsAbs(importPattern) {
+			globPattern = filepath.Join(filepath.Dir(absFile), importPattern)
+		} else {
+			globPattern = importPattern
+		}
+		if strings.Count(globPattern, "*") > 1 || strings.Count(globPattern, "?") > 1 ||
+			(strings.Contains(globPattern, "[") && strings.Contains(globPattern, "]")) {
+			// See issue #2096 - a pattern with many glob expansions can hang for too long
+			return p.Errf("Glob pattern may only contain one wildcard (*), but has others: %s", globPattern)
+		}
+		matches, err = filepath.Glob(globPattern)
+
+		if err != nil {
+			return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
+		}
+		if len(matches) == 0 {
+			if strings.ContainsAny(globPattern, "*?[]") {
+				log.Printf("[WARNING] No files matching import glob pattern: %s", importPattern)
+			} else {
+				return p.Errf("File to import not found: %s", importPattern)
+			}
+		}
+
+		// collect all the imported tokens
+
+		for _, importFile := range matches {
+			newTokens, err := p.doSingleImport(importFile)
+			if err != nil {
+				return err
+			}
+			importedTokens = append(importedTokens, newTokens...)
+		}
+	}
+
+	// splice the imported tokens in the place of the import statement
+	// and rewind cursor so Next() will land on first imported token
+	p.tokens = append(tokensBefore, append(importedTokens, tokensAfter...)...)
+	p.cursor--
+
+	return nil
+}
+
+// doSingleImport lexes the individual file at importFile and returns
+// its tokens or an error, if any.
+func (p *parser) doSingleImport(importFile string) ([]Token, error) {
+	file, err := os.Open(importFile)
+	if err != nil {
+		return nil, p.Errf("Could not import %s: %v", importFile, err)
+	}
+	defer file.Close()
+
+	if info, err := file.Stat(); err != nil {
+		return nil, p.Errf("Could not import %s: %v", importFile, err)
+	} else if info.IsDir() {
+		return nil, p.Errf("Could not import %s: is a directory", importFile)
+	}
+
+	importedTokens, err := allTokens(importFile, file)
+	if err != nil {
+		return nil, p.Errf("Could not read tokens while importing %s: %v", importFile, err)
+	}
+
+	// Tack the file path onto these tokens so errors show the imported file's name
+	// (we use full, absolute path to avoid bugs: issue #1892)
+	filename, err := filepath.Abs(importFile)
+	if err != nil {
+		return nil, p.Errf("Failed to get absolute path of file: %s: %v", importFile, err)
+	}
+	for i := 0; i < len(importedTokens); i++ {
+		importedTokens[i].File = filename
+	}
+
+	return importedTokens, nil
+}
+
+// directive collects tokens until the directive's scope
+// closes (either end of line or end of curly brace block).
+// It expects the currently-loaded token to be a directive
+// (or } that ends a server block). The collected tokens
+// are loaded into the current server block for later use
+// by directive setup functions.
+func (p *parser) directive() error {
+	// evaluate any env vars in directive token
+	p.tokens[p.cursor].Text = replaceEnvVars(p.tokens[p.cursor].Text)
+
+	// a segment is a list of tokens associated with this directive
+	var segment Segment
+
+	// the directive itself is appended as a relevant token
+	segment = append(segment, p.Token())
+
+	for p.Next() {
+		if p.Val() == "{" {
+			p.nesting++
+		} else if p.isNewLine() && p.nesting == 0 {
+			p.cursor-- // read too far
+			break
+		} else if p.Val() == "}" && p.nesting > 0 {
+			p.nesting--
+		} else if p.Val() == "}" && p.nesting == 0 {
+			return p.Err("Unexpected '}' because no matching opening brace")
+		} else if p.Val() == "import" && p.isNewLine() {
+			if err := p.doImport(); err != nil {
+				return err
+			}
+			p.cursor-- // cursor is advanced when we continue, so roll back one more
+			continue
+		}
+		p.tokens[p.cursor].Text = replaceEnvVars(p.tokens[p.cursor].Text)
+		segment = append(segment, p.Token())
+	}
+
+	p.block.Segments = append(p.block.Segments, segment)
+
+	if p.nesting > 0 {
+		return p.EOFErr()
+	}
+
+	return nil
+}
+
+// openCurlyBrace expects the current token to be an
+// opening curly brace. This acts like an assertion
+// because it returns an error if the token is not
+// a opening curly brace. It does NOT advance the token.
+func (p *parser) openCurlyBrace() error {
+	if p.Val() != "{" {
+		return p.SyntaxErr("{")
+	}
+	return nil
+}
+
+// closeCurlyBrace expects the current token to be
+// a closing curly brace. This acts like an assertion
+// because it returns an error if the token is not
+// a closing curly brace. It does NOT advance the token.
+func (p *parser) closeCurlyBrace() error {
+	if p.Val() != "}" {
+		return p.SyntaxErr("}")
+	}
+	return nil
+}
+
+// replaceEnvVars replaces environment variables that appear in the token
+// and understands both the $UNIX and %WINDOWS% syntaxes.
+func replaceEnvVars(s string) string {
+	s = replaceEnvReferences(s, "{%", "%}")
+	s = replaceEnvReferences(s, "{$", "}")
+	return s
+}
+
+// replaceEnvReferences performs the actual replacement of env variables
+// in s, given the placeholder start and placeholder end strings.
+func replaceEnvReferences(s, refStart, refEnd string) string {
+	index := strings.Index(s, refStart)
+	for index != -1 {
+		endIndex := strings.Index(s[index:], refEnd)
+		if endIndex == -1 {
+			break
+		}
+
+		endIndex += index
+		if endIndex > index+len(refStart) {
+			ref := s[index : endIndex+len(refEnd)]
+			s = strings.Replace(s, ref, os.Getenv(ref[len(refStart):len(ref)-len(refEnd)]), -1)
+		} else {
+			return s
+		}
+		index = strings.Index(s, refStart)
+	}
+	return s
+}
+
+func (p *parser) isSnippet() (bool, string) {
+	keys := p.block.Keys
+	// A snippet block is a single key with parens. Nothing else qualifies.
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "(") && strings.HasSuffix(keys[0], ")") {
+		return true, strings.TrimSuffix(keys[0][1:], ")")
+	}
+	return false, ""
+}
+
+// read and store everything in a block for later replay.
+func (p *parser) snippetTokens() ([]Token, error) {
+	// snippet must have curlies.
+	err := p.openCurlyBrace()
+	if err != nil {
+		return nil, err
+	}
+	nesting := 1 // count our own nesting in snippets
+	tokens := []Token{}
+	for p.Next() {
+		if p.Val() == "}" {
+			nesting--
+			if nesting == 0 {
+				break
+			}
+		}
+		if p.Val() == "{" {
+			nesting++
+		}
+		tokens = append(tokens, p.tokens[p.cursor])
+	}
+	// make sure we're matched up
+	if nesting != 0 {
+		return nil, p.SyntaxErr("}")
+	}
+	return tokens, nil
+}
+
+// ServerBlock associates any number of keys from the
+// head of the server block with tokens, which are
+// grouped by segments.
+type ServerBlock struct {
+	Keys     []string
+	Segments []Segment
+}
+
+// DispenseDirective returns a dispenser that contains
+// all the tokens in the server block.
+func (sb ServerBlock) DispenseDirective(dir string) *Dispenser {
+	var tokens []Token
+	for _, seg := range sb.Segments {
+		if len(seg) > 0 && seg[0].Text == dir {
+			tokens = append(tokens, seg...)
+		}
+	}
+	return NewDispenser(tokens)
+}
+
+// Segment is a list of tokens which begins with a directive
+// and ends at the end of the directive (either at the end of
+// the line, or at the end of a block it opens).
+type Segment []Token
+
+// Directive returns the directive name for the segment.
+// The directive name is the text of the first token.
+func (s Segment) Directive() string {
+	if len(s) > 0 {
+		return s[0].Text
+	}
+	return ""
+}
@@ -0,0 +1,36 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build gofuzz
+// +build gofuzz_libfuzzer
+
+package caddyfile
+
+import (
+	"bytes"
+)
+
+func FuzzParseCaddyfile(data []byte) (score int) {
+	sb, err := Parse("Caddyfile", bytes.NewReader(data))
+	if err != nil {
+		// if both an error is received and some ServerBlocks,
+		// then the parse was able to parse partially. Mark this
+		// result as interesting to push the fuzzer further through the parser.
+		if sb != nil && len(sb) > 0 {
+			return 1
+		}
+		return 0
+	}
+	return 1
+}
@@ -0,0 +1,679 @@
+// Copyright 2015 Light Code Labs, LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyfile
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestAllTokens(t *testing.T) {
+	input := strings.NewReader("a b c\nd e")
+	expected := []string{"a", "b", "c", "d", "e"}
+	tokens, err := allTokens("TestAllTokens", input)
+
+	if err != nil {
+		t.Fatalf("Expected no error, got %v", err)
+	}
+	if len(tokens) != len(expected) {
+		t.Fatalf("Expected %d tokens, got %d", len(expected), len(tokens))
+	}
+
+	for i, val := range expected {
+		if tokens[i].Text != val {
+			t.Errorf("Token %d should be '%s' but was '%s'", i, val, tokens[i].Text)
+		}
+	}
+}
+
+func TestParseOneAndImport(t *testing.T) {
+	testParseOne := func(input string) (ServerBlock, error) {
+		p := testParser(input)
+		p.Next() // parseOne doesn't call Next() to start, so we must
+		err := p.parseOne()
+		return p.block, err
+	}
+
+	for i, test := range []struct {
+		input     string
+		shouldErr bool
+		keys      []string
+		numTokens []int // number of tokens to expect in each segment
+	}{
+		{`localhost`, false, []string{
+			"localhost",
+		}, []int{}},
+
+		{`localhost
+		  dir1`, false, []string{
+			"localhost",
+		}, []int{1}},
+
+		{`localhost:1234
+		  dir1 foo bar`, false, []string{
+			"localhost:1234",
+		}, []int{3},
+		},
+
+		{`localhost {
+		    dir1
+		  }`, false, []string{
+			"localhost",
+		}, []int{1}},
+
+		{`localhost:1234 {
+		    dir1 foo bar
+		    dir2
+		  }`, false, []string{
+			"localhost:1234",
+		}, []int{3, 1}},
+
+		{`http://localhost https://localhost
+		  dir1 foo bar`, false, []string{
+			"http://localhost",
+			"https://localhost",
+		}, []int{3}},
+
+		{`http://localhost https://localhost {
+		    dir1 foo bar
+		  }`, false, []string{
+			"http://localhost",
+			"https://localhost",
+		}, []int{3}},
+
+		{`http://localhost, https://localhost {
+		    dir1 foo bar
+		  }`, false, []string{
+			"http://localhost",
+			"https://localhost",
+		}, []int{3}},
+
+		{`http://localhost, {
+		  }`, true, []string{
+			"http://localhost",
+		}, []int{}},
+
+		{`host1:80, http://host2.com
+		  dir1 foo bar
+		  dir2 baz`, false, []string{
+			"host1:80",
+			"http://host2.com",
+		}, []int{3, 2}},
+
+		{`http://host1.com,
+		  http://host2.com,
+		  https://host3.com`, false, []string{
+			"http://host1.com",
+			"http://host2.com",
+			"https://host3.com",
+		}, []int{}},
+
+		{`http://host1.com:1234, https://host2.com
+		  dir1 foo {
+		    bar baz
+		  }
+		  dir2`, false, []string{
+			"http://host1.com:1234",
+			"https://host2.com",
+		}, []int{6, 1}},
+
+		{`127.0.0.1
+		  dir1 {
+		    bar baz
+		  }
+		  dir2 {
+		    foo bar
+		  }`, false, []string{
+			"127.0.0.1",
+		}, []int{5, 5}},
+
+		{`localhost
+		  dir1 {
+		    foo`, true, []string{
+			"localhost",
+		}, []int{3}},
+
+		{`localhost
+		  dir1 {
+		  }`, false, []string{
+			"localhost",
+		}, []int{3}},
+
+		{`localhost
+		  dir1 {
+		  } }`, true, []string{
+			"localhost",
+		}, []int{}},
+
+		{`localhost
+		  dir1 {
+		    nested {
+		      foo
+		    }
+		  }
+		  dir2 foo bar`, false, []string{
+			"localhost",
+		}, []int{7, 3}},
+
+		{``, false, []string{}, []int{}},
+
+		{`localhost
+		  dir1 arg1
+		  import testdata/import_test1.txt`, false, []string{
+			"localhost",
+		}, []int{2, 3, 1}},
+
+		{`import testdata/import_test2.txt`, false, []string{
+			"host1",
+		}, []int{1, 2}},
+
+		{`import testdata/import_test1.txt testdata/import_test2.txt`, true, []string{}, []int{}},
+
+		{`import testdata/not_found.txt`, true, []string{}, []int{}},
+
+		{`""`, false, []string{}, []int{}},
+
+		{``, false, []string{}, []int{}},
+
+		// test cases found by fuzzing!
+		{`import }{$"`, true, []string{}, []int{}},
+		{`import /*/*.txt`, true, []string{}, []int{}},
+		{`import /???/?*?o`, true, []string{}, []int{}},
+		{`import /??`, true, []string{}, []int{}},
+		{`import /[a-z]`, true, []string{}, []int{}},
+		{`import {$}`, true, []string{}, []int{}},
+		{`import {%}`, true, []string{}, []int{}},
+		{`import {$$}`, true, []string{}, []int{}},
+		{`import {%%}`, true, []string{}, []int{}},
+	} {
+		result, err := testParseOne(test.input)
+
+		if test.shouldErr && err == nil {
+			t.Errorf("Test %d: Expected an error, but didn't get one", i)
+		}
+		if !test.shouldErr && err != nil {
+			t.Errorf("Test %d: Expected no error, but got: %v", i, err)
+		}
+
+		if len(result.Keys) != len(test.keys) {
+			t.Errorf("Test %d: Expected %d keys, got %d",
+				i, len(test.keys), len(result.Keys))
+			continue
+		}
+		for j, addr := range result.Keys {
+			if addr != test.keys[j] {
+				t.Errorf("Test %d, key %d: Expected '%s', but was '%s'",
+					i, j, test.keys[j], addr)
+			}
+		}
+
+		if len(result.Segments) != len(test.numTokens) {
+			t.Errorf("Test %d: Expected %d segments, had %d",
+				i, len(test.numTokens), len(result.Segments))
+			continue
+		}
+
+		for j, seg := range result.Segments {
+			if len(seg) != test.numTokens[j] {
+				t.Errorf("Test %d, segment %d: Expected %d tokens, counted %d",
+					i, j, test.numTokens[j], len(seg))
+				continue
+			}
+		}
+	}
+}
+
+func TestRecursiveImport(t *testing.T) {
+	testParseOne := func(input string) (ServerBlock, error) {
+		p := testParser(input)
+		p.Next() // parseOne doesn't call Next() to start, so we must
+		err := p.parseOne()
+		return p.block, err
+	}
+
+	isExpected := func(got ServerBlock) bool {
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
+			return false
+		}
+		if len(got.Segments) != 2 {
+			t.Errorf("got wrong number of segments: expect 2, got %d", len(got.Segments))
+			return false
+		}
+		if len(got.Segments[0]) != 1 || len(got.Segments[1]) != 2 {
+			t.Errorf("got unexpect tokens: %v", got.Segments)
+			return false
+		}
+		return true
+	}
+
+	recursiveFile1, err := filepath.Abs("testdata/recursive_import_test1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	recursiveFile2, err := filepath.Abs("testdata/recursive_import_test2")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// test relative recursive import
+	err = ioutil.WriteFile(recursiveFile1, []byte(
+		`localhost
+		dir1
+		import recursive_import_test2`), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(recursiveFile1)
+
+	err = ioutil.WriteFile(recursiveFile2, []byte("dir2 1"), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(recursiveFile2)
+
+	// import absolute path
+	result, err := testParseOne("import " + recursiveFile1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("absolute+relative import failed")
+	}
+
+	// import relative path
+	result, err = testParseOne("import testdata/recursive_import_test1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("relative+relative import failed")
+	}
+
+	// test absolute recursive import
+	err = ioutil.WriteFile(recursiveFile1, []byte(
+		`localhost
+		dir1
+		import `+recursiveFile2), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// import absolute path
+	result, err = testParseOne("import " + recursiveFile1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("absolute+absolute import failed")
+	}
+
+	// import relative path
+	result, err = testParseOne("import testdata/recursive_import_test1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("relative+absolute import failed")
+	}
+}
+
+func TestDirectiveImport(t *testing.T) {
+	testParseOne := func(input string) (ServerBlock, error) {
+		p := testParser(input)
+		p.Next() // parseOne doesn't call Next() to start, so we must
+		err := p.parseOne()
+		return p.block, err
+	}
+
+	isExpected := func(got ServerBlock) bool {
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
+			return false
+		}
+		if len(got.Segments) != 2 {
+			t.Errorf("got wrong number of segments: expect 2, got %d", len(got.Segments))
+			return false
+		}
+		if len(got.Segments[0]) != 1 || len(got.Segments[1]) != 8 {
+			t.Errorf("got unexpect tokens: %v", got.Segments)
+			return false
+		}
+		return true
+	}
+
+	directiveFile, err := filepath.Abs("testdata/directive_import_test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ioutil.WriteFile(directiveFile, []byte(`prop1 1
+	prop2 2`), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(directiveFile)
+
+	// import from existing file
+	result, err := testParseOne(`localhost
+	dir1
+	proxy {
+		import testdata/directive_import_test
+		transparent
+	}`)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isExpected(result) {
+		t.Error("directive import failed")
+	}
+
+	// import from nonexistent file
+	_, err = testParseOne(`localhost
+	dir1
+	proxy {
+		import testdata/nonexistent_file
+		transparent
+	}`)
+	if err == nil {
+		t.Fatal("expected error when importing a nonexistent file")
+	}
+}
+
+func TestParseAll(t *testing.T) {
+	for i, test := range []struct {
+		input     string
+		shouldErr bool
+		keys      [][]string // keys per server block, in order
+	}{
+		{`localhost`, false, [][]string{
+			{"localhost"},
+		}},
+
+		{`localhost:1234`, false, [][]string{
+			{"localhost:1234"},
+		}},
+
+		{`localhost:1234 {
+		  }
+		  localhost:2015 {
+		  }`, false, [][]string{
+			{"localhost:1234"},
+			{"localhost:2015"},
+		}},
+
+		{`localhost:1234, http://host2`, false, [][]string{
+			{"localhost:1234", "http://host2"},
+		}},
+
+		{`localhost:1234, http://host2,`, true, [][]string{}},
+
+		{`http://host1.com, http://host2.com {
+		  }
+		  https://host3.com, https://host4.com {
+		  }`, false, [][]string{
+			{"http://host1.com", "http://host2.com"},
+			{"https://host3.com", "https://host4.com"},
+		}},
+
+		{`import testdata/import_glob*.txt`, false, [][]string{
+			{"glob0.host0"},
+			{"glob0.host1"},
+			{"glob1.host0"},
+			{"glob2.host0"},
+		}},
+
+		{`import notfound/*`, false, [][]string{}},        // glob needn't error with no matches
+		{`import notfound/file.conf`, true, [][]string{}}, // but a specific file should
+	} {
+		p := testParser(test.input)
+		blocks, err := p.parseAll()
+
+		if test.shouldErr && err == nil {
+			t.Errorf("Test %d: Expected an error, but didn't get one", i)
+		}
+		if !test.shouldErr && err != nil {
+			t.Errorf("Test %d: Expected no error, but got: %v", i, err)
+		}
+
+		if len(blocks) != len(test.keys) {
+			t.Errorf("Test %d: Expected %d server blocks, got %d",
+				i, len(test.keys), len(blocks))
+			continue
+		}
+		for j, block := range blocks {
+			if len(block.Keys) != len(test.keys[j]) {
+				t.Errorf("Test %d: Expected %d keys in block %d, got %d",
+					i, len(test.keys[j]), j, len(block.Keys))
+				continue
+			}
+			for k, addr := range block.Keys {
+				if addr != test.keys[j][k] {
+					t.Errorf("Test %d, block %d, key %d: Expected '%s', but got '%s'",
+						i, j, k, test.keys[j][k], addr)
+				}
+			}
+		}
+	}
+}
+
+func TestEnvironmentReplacement(t *testing.T) {
+	os.Setenv("PORT", "8080")
+	os.Setenv("ADDRESS", "servername.com")
+	os.Setenv("FOOBAR", "foobar")
+	os.Setenv("PARTIAL_DIR", "r1")
+
+	// basic test; unix-style env vars
+	p := testParser(`{$ADDRESS}`)
+	blocks, _ := p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "servername.com"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// basic test; unix-style env vars
+	p = testParser(`di{$PARTIAL_DIR}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "dir1"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// multiple vars per token
+	p = testParser(`{$ADDRESS}:{$PORT}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "servername.com:8080"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// windows-style var and unix style in same token
+	p = testParser(`{%ADDRESS%}:{$PORT}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "servername.com:8080"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// reverse order
+	p = testParser(`{$ADDRESS}:{%PORT%}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], "servername.com:8080"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// env var in server block body as argument
+	p = testParser(":{%PORT%}\ndir1 {$FOOBAR}")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], ":8080"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+	if actual, expected := blocks[0].Segments[0][1].Text, "foobar"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+
+	// combined windows env vars in argument
+	p = testParser(":{%PORT%}\ndir1 {%ADDRESS%}/{%FOOBAR%}")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Segments[0][1].Text, "servername.com/foobar"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+
+	// malformed env var (windows)
+	p = testParser(":1234\ndir1 {%ADDRESS}")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Segments[0][1].Text, "{%ADDRESS}"; expected != actual {
+		t.Errorf("Expected host to be '%s' but was '%s'", expected, actual)
+	}
+
+	// malformed (non-existent) env var (unix)
+	p = testParser(`:{$PORT$}`)
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Keys[0], ":"; expected != actual {
+		t.Errorf("Expected key to be '%s' but was '%s'", expected, actual)
+	}
+
+	// in quoted field
+	p = testParser(":1234\ndir1 \"Test {$FOOBAR} test\"")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Segments[0][1].Text, "Test foobar test"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+
+	// after end token
+	p = testParser(":1234\nanswer \"{{ .Name }} {$FOOBAR}\"")
+	blocks, _ = p.parseAll()
+	if actual, expected := blocks[0].Segments[0][1].Text, "{{ .Name }} foobar"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+}
+
+func TestSnippets(t *testing.T) {
+	p := testParser(`
+		(common) {
+			gzip foo
+			errors stderr
+		}
+		http://example.com {
+			import common
+		}
+	`)
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Segments)
+	}
+	if len(blocks) != 1 {
+		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
+	}
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
+	}
+	if len(blocks[0].Segments) != 2 {
+		t.Fatalf("Server block should have tokens from import, got: %+v", blocks[0])
+	}
+	if actual, expected := blocks[0].Segments[0][0].Text, "gzip"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+	if actual, expected := blocks[0].Segments[1][1].Text, "stderr"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+}
+
+func writeStringToTempFileOrDie(t *testing.T, str string) (pathToFile string) {
+	file, err := ioutil.TempFile("", t.Name())
+	if err != nil {
+		panic(err) // get a stack trace so we know where this was called from.
+	}
+	if _, err := file.WriteString(str); err != nil {
+		panic(err)
+	}
+	if err := file.Close(); err != nil {
+		panic(err)
+	}
+	return file.Name()
+}
+
+func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
+	fileName := writeStringToTempFileOrDie(t, `
+		http://example.com {
+			# This isn't an import directive, it's just an arg with value 'import'
+			basicauth / import password
+		}
+	`)
+	// Parse the root file that imports the other one.
+	p := testParser(`import ` + fileName)
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Segments)
+	}
+	auth := blocks[0].Segments[0]
+	line := auth[0].Text + " " + auth[1].Text + " " + auth[2].Text + " " + auth[3].Text
+	if line != "basicauth / import password" {
+		// Previously, it would be changed to:
+		//   basicauth / import /path/to/test/dir/password
+		// referencing a file that (probably) doesn't exist and changing the
+		// password!
+		t.Errorf("Expected basicauth tokens to be 'basicauth / import password' but got %#q", line)
+	}
+}
+
+func TestSnippetAcrossMultipleFiles(t *testing.T) {
+	// Make the derived Caddyfile that expects (common) to be defined.
+	fileName := writeStringToTempFileOrDie(t, `
+		http://example.com {
+			import common
+		}
+	`)
+
+	// Parse the root file that defines (common) and then imports the other one.
+	p := testParser(`
+		(common) {
+			gzip foo
+		}
+		import ` + fileName + `
+	`)
+
+	blocks, err := p.parseAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, b := range blocks {
+		t.Log(b.Keys)
+		t.Log(b.Segments)
+	}
+	if len(blocks) != 1 {
+		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
+	}
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
+	}
+	if len(blocks[0].Segments) != 1 {
+		t.Fatalf("Server block should have tokens from import")
+	}
+	if actual, expected := blocks[0].Segments[0][0].Text, "gzip"; expected != actual {
+		t.Errorf("Expected argument to be '%s' but was '%s'", expected, actual)
+	}
+}
+
+func testParser(input string) parser {
+	return parser{Dispenser: newTestDispenser(input)}
+}
@@ -0,0 +1,6 @@
+glob0.host0 {
+	dir2 arg1
+}
+
+glob0.host1 {
+}
@@ -0,0 +1,4 @@
+glob1.host0 {
+	dir1
+	dir2 arg1
+}
@@ -0,0 +1,3 @@
+glob2.host0 {
+	dir2 arg1
+}
@@ -0,0 +1,117 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyconfig
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// Adapter is a type which can adapt a configuration to Caddy JSON.
+// It returns the results and any warnings, or an error.
+type Adapter interface {
+	Adapt(body []byte, options map[string]interface{}) ([]byte, []Warning, error)
+}
+
+// Warning represents a warning or notice related to conversion.
+type Warning struct {
+	File      string `json:"file,omitempty"`
+	Line      int    `json:"line,omitempty"`
+	Directive string `json:"directive,omitempty"`
+	Message   string `json:"message,omitempty"`
+}
+
+// JSON encodes val as JSON, returning it as a json.RawMessage. Any
+// marshaling errors (which are highly unlikely with correct code)
+// are converted to warnings. This is convenient when filling config
+// structs that require a json.RawMessage, without having to worry
+// about errors.
+func JSON(val interface{}, warnings *[]Warning) json.RawMessage {
+	b, err := json.Marshal(val)
+	if err != nil {
+		if warnings != nil {
+			*warnings = append(*warnings, Warning{Message: err.Error()})
+		}
+		return nil
+	}
+	return b
+}
+
+// JSONModuleObject is like JSON, except it marshals val into a JSON object
+// and then adds a key to that object named fieldName with the value fieldVal.
+// This is useful for JSON-encoding module values where the module name has to
+// be described within the object by a certain key; for example,
+// "responder": "file_server" for a file server HTTP responder. The val must
+// encode into a map[string]interface{} (i.e. it must be a struct or map),
+// and any errors are converted into warnings, so this can be conveniently
+// used when filling a struct. For correct code, there should be no errors.
+func JSONModuleObject(val interface{}, fieldName, fieldVal string, warnings *[]Warning) json.RawMessage {
+	// encode to a JSON object first
+	enc, err := json.Marshal(val)
+	if err != nil {
+		if warnings != nil {
+			*warnings = append(*warnings, Warning{Message: err.Error()})
+		}
+		return nil
+	}
+
+	// then decode the object
+	var tmp map[string]interface{}
+	err = json.Unmarshal(enc, &tmp)
+	if err != nil {
+		if warnings != nil {
+			*warnings = append(*warnings, Warning{Message: err.Error()})
+		}
+		return nil
+	}
+
+	// so we can easily add the module's field with its appointed value
+	tmp[fieldName] = fieldVal
+
+	// then re-marshal as JSON
+	result, err := json.Marshal(tmp)
+	if err != nil {
+		if warnings != nil {
+			*warnings = append(*warnings, Warning{Message: err.Error()})
+		}
+		return nil
+	}
+
+	return result
+}
+
+// JSONIndent is used to JSON-marshal the final resulting Caddy
+// configuration in a consistent, human-readable way.
+func JSONIndent(val interface{}) ([]byte, error) {
+	return json.MarshalIndent(val, "", "\t")
+}
+
+// RegisterAdapter registers a config adapter with the given name.
+// This should usually be done at init-time.
+func RegisterAdapter(name string, adapter Adapter) error {
+	if _, ok := configAdapters[name]; ok {
+		return fmt.Errorf("%s: already registered", name)
+	}
+	configAdapters[name] = adapter
+	return nil
+}
+
+// GetAdapter returns the adapter with the given name,
+// or nil if one with that name is not registered.
+func GetAdapter(name string) Adapter {
+	return configAdapters[name]
+}
+
+var configAdapters = make(map[string]Adapter)
@@ -0,0 +1,43 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build gofuzz
+// +build gofuzz_libfuzzer
+
+package httpcaddyfile
+
+import (
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+)
+
+func FuzzHTTPCaddyfileAdapter(data []byte) int {
+	adapter := caddyfile.Adapter{
+		ServerType: ServerType{},
+	}
+
+	_, warns, err := adapter.Adapt(data, nil)
+
+	// Adapt func calls the Setup() func of the ServerType,
+	// thus it's going across multiple layers, each can
+	// return warnings or errors. Marking the presence of
+	// errors or warnings as interesting in this case
+	// could push the fuzzer towards a path where we only
+	// catch errors. Let's push the fuzzer to where it passes
+	// but breaks.
+	if err != nil || (warns != nil && len(warns) > 0) {
+		return 0
+	}
+
+	return 1
+}
@@ -0,0 +1,334 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package httpcaddyfile
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
+	"github.com/mholt/certmagic"
+)
+
+// mapAddressToServerBlocks returns a map of listener address to list of server
+// blocks that will be served on that address. To do this, each server block is
+// expanded so that each one is considered individually, although keys of a
+// server block that share the same address stay grouped together so the config
+// isn't repeated unnecessarily. For example, this Caddyfile:
+//
+// 	example.com {
+// 		bind 127.0.0.1
+// 	}
+// 	www.example.com, example.net/path, localhost:9999 {
+// 		bind 127.0.0.1 1.2.3.4
+// 	}
+//
+// has two server blocks to start with. But expressed in this Caddyfile are
+// actually 4 listener addresses: 127.0.0.1:443, 1.2.3.4:443, 127.0.0.1:9999,
+// and 127.0.0.1:9999. This is because the bind directive is applied to each
+// key of its server block (specifying the host part), and each key may have
+// a different port. And we definitely need to be sure that a site which is
+// bound to be served on a specific interface is not served on others just
+// beceause that is more convenient: it would be a potential security risk
+// if the difference between interfaces means private vs. public.
+//
+// So what this function does for the example above is iterate each server
+// block, and for each server block, iterate its keys. For the first, it
+// finds one key (example.com) and determines its listener address
+// (127.0.0.1:443 - because of 'bind' and automatic HTTPS). It then adds
+// the listener address to the map value returned by this function, with
+// the first server block as one of its associations.
+//
+// It then iterates each key on the second server block and associates them
+// with one or more listener addresses. Indeed, each key in this block has
+// two listener addresses because of the 'bind' directive. Once we know
+// which addresses serve which keys, we can create a new server block for
+// each address containing the contents of the server block and only those
+// specific keys of the server block which use that address.
+//
+// It is possible and even likely that some keys in the returned map have
+// the exact same list of server blocks (i.e. they are identical). This
+// happens when multiple hosts are declared with a 'bind' directive and
+// the resulting listener addresses are not shared by any other server
+// block (or the other server blocks are exactly identical in their token
+// contents). This happens with our example above because 1.2.3.4:443
+// and 1.2.3.4:9999 are used exclusively with the second server block. This
+// repetition may be undesirable, so call consolidateAddrMappings() to map
+// multiple addresses to the same lists of server blocks (a many:many mapping).
+// (Doing this is essentially a map-reduce technique.)
+func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBlock) (map[string][]serverBlock, error) {
+	sbmap := make(map[string][]serverBlock)
+
+	for i, sblock := range originalServerBlocks {
+		// within a server block, we need to map all the listener addresses
+		// implied by the server block to the keys of the server block which
+		// will be served by them; this has the effect of treating each
+		// key of a server block as its own, but without having to repeat its
+		// contents in cases where multiple keys really can be served together
+		addrToKeys := make(map[string][]string)
+		for j, key := range sblock.block.Keys {
+			// a key can have multiple listener addresses if there are multiple
+			// arguments to the 'bind' directive (although they will all have
+			// the same port, since the port is defined by the key or is implicit
+			// through automatic HTTPS)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key)
+			if err != nil {
+				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key, err)
+			}
+
+			// associate this key with each listener address it is served on
+			for _, addr := range addrs {
+				addrToKeys[addr] = append(addrToKeys[addr], key)
+			}
+		}
+
+		// now that we know which addresses serve which keys of this
+		// server block, we iterate that mapping and create a list of
+		// new server blocks for each address where the keys of the
+		// server block are only the ones which use the address; but
+		// the contents (tokens) are of course the same
+		for addr, keys := range addrToKeys {
+			sbmap[addr] = append(sbmap[addr], serverBlock{
+				block: caddyfile.ServerBlock{
+					Keys:     keys,
+					Segments: sblock.block.Segments,
+				},
+				pile: sblock.pile,
+			})
+		}
+	}
+
+	return sbmap, nil
+}
+
+// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
+// single listener addresses to lists of server blocks. Since multiple addresses may serve
+// identical sites (server block contents), this function turns a 1:many mapping into a
+// many:many mapping. Server block contents (tokens) must be exactly identical so that
+// reflect.DeepEqual returns true in order for the addresses to be combined. Identical
+// entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
+// association from multiple addresses to multiple server blocks; i.e. each element of
+// the returned slice) becomes a server definition in the output JSON.
+func (st *ServerType) consolidateAddrMappings(addrToServerBlocks map[string][]serverBlock) []sbAddrAssociation {
+	var sbaddrs []sbAddrAssociation
+	for addr, sblocks := range addrToServerBlocks {
+		// we start with knowing that at least this address
+		// maps to these server blocks
+		a := sbAddrAssociation{
+			addresses:    []string{addr},
+			serverBlocks: sblocks,
+		}
+
+		// now find other addresses that map to identical
+		// server blocks and add them to our list of
+		// addresses, while removing them from the map
+		for otherAddr, otherSblocks := range addrToServerBlocks {
+			if addr == otherAddr {
+				continue
+			}
+			if reflect.DeepEqual(sblocks, otherSblocks) {
+				a.addresses = append(a.addresses, otherAddr)
+				delete(addrToServerBlocks, otherAddr)
+			}
+		}
+
+		sbaddrs = append(sbaddrs, a)
+	}
+	return sbaddrs
+}
+
+func (st *ServerType) listenerAddrsForServerBlockKey(sblock serverBlock, key string) ([]string, error) {
+	addr, err := ParseAddress(key)
+	if err != nil {
+		return nil, fmt.Errorf("parsing key: %v", err)
+	}
+	addr = addr.Normalize()
+
+	lnPort := DefaultPort
+	if addr.Port != "" {
+		// port explicitly defined
+		lnPort = addr.Port
+	} else if certmagic.HostQualifies(addr.Host) {
+		// automatic HTTPS
+		lnPort = strconv.Itoa(certmagic.HTTPSPort)
+	}
+
+	// the bind directive specifies hosts, but is optional
+	var lnHosts []string
+	for _, cfgVal := range sblock.pile["bind"] {
+		lnHosts = append(lnHosts, cfgVal.Value.([]string)...)
+	}
+	if len(lnHosts) == 0 {
+		lnHosts = []string{""}
+	}
+
+	// use a map to prevent duplication
+	listeners := make(map[string]struct{})
+	for _, host := range lnHosts {
+		listeners[net.JoinHostPort(host, lnPort)] = struct{}{}
+	}
+
+	// now turn map into list
+	var listenersList []string
+	for lnStr := range listeners {
+		listenersList = append(listenersList, lnStr)
+	}
+	// sort.Strings(listenersList) // TODO: is sorting necessary?
+
+	return listenersList, nil
+}
+
+// Address represents a site address. It contains
+// the original input value, and the component
+// parts of an address. The component parts may be
+// updated to the correct values as setup proceeds,
+// but the original value should never be changed.
+//
+// The Host field must be in a normalized form.
+type Address struct {
+	Original, Scheme, Host, Port, Path string
+}
+
+// ParseAddress parses an address string into a structured format with separate
+// scheme, host, port, and path portions, as well as the original input string.
+func ParseAddress(str string) (Address, error) {
+	httpPort, httpsPort := strconv.Itoa(certmagic.HTTPPort), strconv.Itoa(certmagic.HTTPSPort)
+
+	input := str
+
+	// Split input into components (prepend with // to force host portion by default)
+	if !strings.Contains(str, "//") && !strings.HasPrefix(str, "/") {
+		str = "//" + str
+	}
+
+	u, err := url.Parse(str)
+	if err != nil {
+		return Address{}, err
+	}
+
+	// separate host and port
+	host, port, err := net.SplitHostPort(u.Host)
+	if err != nil {
+		host, port, err = net.SplitHostPort(u.Host + ":")
+		if err != nil {
+			host = u.Host
+		}
+	}
+
+	// see if we can set port based off scheme
+	if port == "" {
+		if u.Scheme == "http" {
+			port = httpPort
+		} else if u.Scheme == "https" {
+			port = httpsPort
+		}
+	}
+
+	// error if scheme and port combination violate convention
+	if (u.Scheme == "http" && port == httpsPort) || (u.Scheme == "https" && port == httpPort) {
+		return Address{}, fmt.Errorf("[%s] scheme and port violate convention", input)
+	}
+
+	return Address{Original: input, Scheme: u.Scheme, Host: host, Port: port, Path: u.Path}, err
+}
+
+// TODO: which of the methods on Address are even used?
+
+// String returns a human-readable form of a. It will
+// be a cleaned-up and filled-out URL string.
+func (a Address) String() string {
+	if a.Host == "" && a.Port == "" {
+		return ""
+	}
+	scheme := a.Scheme
+	if scheme == "" {
+		if a.Port == strconv.Itoa(certmagic.HTTPSPort) {
+			scheme = "https"
+		} else {
+			scheme = "http"
+		}
+	}
+	s := scheme
+	if s != "" {
+		s += "://"
+	}
+	if a.Port != "" &&
+		((scheme == "https" && a.Port != strconv.Itoa(caddyhttp.DefaultHTTPSPort)) ||
+			(scheme == "http" && a.Port != strconv.Itoa(caddyhttp.DefaultHTTPPort))) {
+		s += net.JoinHostPort(a.Host, a.Port)
+	} else {
+		s += a.Host
+	}
+	if a.Path != "" {
+		s += a.Path
+	}
+	return s
+}
+
+// Normalize returns a normalized version of a.
+func (a Address) Normalize() Address {
+	path := a.Path
+	if !caseSensitivePath {
+		path = strings.ToLower(path)
+	}
+
+	// ensure host is normalized if it's an IP address
+	host := a.Host
+	if ip := net.ParseIP(host); ip != nil {
+		host = ip.String()
+	}
+
+	return Address{
+		Original: a.Original,
+		Scheme:   strings.ToLower(a.Scheme),
+		Host:     strings.ToLower(host),
+		Port:     a.Port,
+		Path:     path,
+	}
+}
+
+// Key returns a string form of a, much like String() does, but this
+// method doesn't add anything default that wasn't in the original.
+func (a Address) Key() string {
+	res := ""
+	if a.Scheme != "" {
+		res += a.Scheme + "://"
+	}
+	if a.Host != "" {
+		res += a.Host
+	}
+	// insert port only if the original has its own explicit port
+	if a.Port != "" &&
+		len(a.Original) >= len(res) &&
+		strings.HasPrefix(a.Original[len(res):], ":"+a.Port) {
+		res += ":" + a.Port
+	}
+	if a.Path != "" {
+		res += a.Path
+	}
+	return res
+}
+
+const (
+	// DefaultPort is the default port to use.
+	DefaultPort = "2015"
+
+	caseSensitivePath = false // TODO: Used?
+)
@@ -0,0 +1,29 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build gofuzz
+// +build gofuzz_libfuzzer
+
+package httpcaddyfile
+
+func FuzzParseAddress(data []byte) int {
+	addr, err := ParseAddress(string(data))
+	if err != nil {
+		if addr == (Address{}) {
+			return 1
+		}
+		return 0
+	}
+	return 1
+}
--- a/Show More
+++ b/Show More