fileserver: Add sort buttons in grid mode (#7089)

* [ADD] sort buttons in grid mode

* [CHANGE] replace spaces with tabs

.github/SECURITY.md

@@ -48,9 +48,9 @@ We consider publicly-registered domain names to be public information. This nece
 
 It will speed things up if you suggest a working patch, such as a code diff, and explain why and how it works. Reports that are not actionable, do not contain enough information, are too pushy/demanding, or are not able to convince us that it is a viable and practical attack on the web server itself may be deferred to a later time or possibly ignored, depending on available resources. Priority will be given to credible, responsible reports that are constructive, specific, and actionable. (We get a lot of invalid reports.) Thank you for understanding.
 
-When you are ready, please email Matt Holt (the author) directly: matt at dyanim dot com.
+When you are ready, please submit a [new private vulnerability report](https://github.com/caddyserver/caddy/security/advisories/new).
 
-Please don't encrypt the email body. It only makes the process more complicated.
+Please don't encrypt the message. It only makes the process more complicated.
 
 Please also understand that due to our nature as an open source project, we do not have a budget to award security bounties. We can only thank you.
 

.github/dependabot.yml

@@ -5,3 +5,8 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/ci.yml

@@ -16,6 +16,9 @@ env:
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -55,13 +58,21 @@ jobs:
           SUCCESS: 'True'
 
     runs-on: ${{ matrix.OS_LABEL }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write # to allow uploading artifacts and cache
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
@@ -108,7 +119,7 @@ jobs:
         ./caddy stop
 
     - name: Publish Build Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
         path: ${{ matrix.CADDY_BIN_PATH }}
@@ -142,12 +153,21 @@ jobs:
 
   s390x-test:
     name: test (s390x on IBM Z)
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+          allowed-endpoints: ci-s390x.caddyserver.com:22
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run Tests
         run: |
           set +e
@@ -194,17 +214,25 @@ jobs:
 
   goreleaser-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     steps:
-      - name: Checkout code
+      - name: Harden the runner (Audit all outbound calls)
-        uses: actions/checkout@v4
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
 
-      - uses: goreleaser/goreleaser-action@v6
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
           args: check
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: "~1.24"
           check-latest: true
@@ -212,7 +240,7 @@ jobs:
         run: |
           go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
           xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
           args: build --single-target --snapshot

.github/workflows/cross-build.yml

@@ -14,6 +14,9 @@ env:
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -40,13 +43,21 @@ jobs:
           GO_SEMVER: '~1.24.1'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     continue-on-error: true
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ matrix.GO_SEMVER }}
           check-latest: true

.github/workflows/lint.yml

@@ -44,14 +44,19 @@ jobs:
     runs-on: ${{ matrix.OS_LABEL }}
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
-      - uses: actions/setup-go@v5
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: '~1.24'
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
 
@@ -62,10 +67,39 @@ jobs:
           # only-new-issues: true
 
   govulncheck:
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: govulncheck
-        uses: golang/govulncheck-action@v1
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
         with:
           go-version-input: '~1.24.1'
           check-latest: true
+  
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        with:
+          comment-summary-in-pr: on-failure
+          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
+          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
+          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

.github/workflows/release.yml

@@ -9,6 +9,9 @@ env:
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
@@ -35,19 +38,24 @@ jobs:
       contents: write
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
 
     # Force fetch upstream tags -- because 65 minutes
-    # tl;dr: actions/checkout@v4 runs this line:
+    # tl;dr: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 runs this line:
     #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
     # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
     #   git fetch --prune --unshallow
@@ -101,11 +109,11 @@ jobs:
         git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@main
+      uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # main
     - name: Cosign version
       run: cosign version
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@main
+      uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9 # main
     - name: Syft version
       run: syft version
     - name: Install xcaddy
@@ -114,7 +122,7 @@ jobs:
         xcaddy version
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
       with:
         version: latest
         args: release --clean --timeout 60m

.github/workflows/release_published.yml

@@ -5,6 +5,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release Published
@@ -13,12 +16,20 @@ jobs:
         os: 
           - ubuntu-latest
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write
     steps:
 
     # See https://github.com/peter-evans/repository-dispatch
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      with:
+        egress-policy: audit
+
     - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/dist
@@ -26,7 +37,7 @@ jobs:
         client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
 
     - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/caddy-docker

.github/workflows/scorecard.yml

@@ -0,0 +1,86 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OpenSSF Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 2 * * 5'
+  push:
+    branches: [ "master", "2.*" ]
+  pull_request:
+    branches: [ "master", "2.*" ]
+
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        with:
+          sarif_file: results.sarif

.golangci.yml

@@ -1,27 +1,15 @@
-linters-settings:
+version: "2"
-  errcheck:
+run:
-    exclude-functions:
+  issues-exit-code: 1
-      - fmt.*
+  tests: false
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
+output:
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+  formats:
-  gci:
+    text:
-    sections:
+      path: stdout
-      - standard # Standard section: captures all standard packages.
+      print-linter-name: true
-      - default # Default section: contains all imports that could not be matched to another section type.
+      print-issued-lines: true
-      - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
-      - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
-    # Skip generated files.
-    # Default: true
-    skip-generated: true
-    # Enable custom order of sections.
-    # If `true`, make the section order the same as the order of `sections`.
-    # Default: false
-    custom-order: true
-  exhaustive:
-    ignore-enum-types: reflect.Kind|svc.Cmd
-
 linters:
-  disable-all: true
+  default: none
   enable:
     - asasalint
     - asciicheck
@@ -35,148 +23,96 @@ linters:
     - errcheck
     - errname
     - exhaustive
-    - gci
-    - gofmt
-    - goimports
-    - gofumpt
     - gosec
-    - gosimple
     - govet
-    - ineffassign
     - importas
+    - ineffassign
     - misspell
     - prealloc
     - promlinter
     - sloglint
     - sqlclosecheck
     - staticcheck
-    - tenv
     - testableexamples
     - testifylint
     - tparallel
-    - typecheck
     - unconvert
     - unused
     - wastedassign
     - whitespace
     - zerologlint
-  # these are implicitly disabled:
+  settings:
-  # - containedctx
+    staticcheck:
-  # - contextcheck
+      checks: ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022",  "-QF1006", "-QF1008"] # default, and exclude 1 more undesired check
-  # - cyclop
+    errcheck:
-  # - depguard
+      exclude-functions:
-  # - errchkjson
+        - fmt.*
-  # - errorlint
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-  # - exhaustruct
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
-  # - execinquery
+    exhaustive:
-  # - exhaustruct
+      ignore-enum-types: reflect.Kind|svc.Cmd
-  # - forbidigo
+  exclusions:
-  # - forcetypeassert
+    generated: lax
-  # - funlen
+    presets:
-  # - ginkgolinter
+      - comments
-  # - gocheckcompilerdirectives
+      - common-false-positives
-  # - gochecknoglobals
+      - legacy
-  # - gochecknoinits
+      - std-error-handling
-  # - gochecksumtype
+    rules:
-  # - gocognit
+      - linters:
-  # - goconst
-  # - gocritic
-  # - gocyclo
-  # - godot
-  # - godox
-  # - goerr113
-  # - goheader
-  # - gomnd
-  # - gomoddirectives
-  # - gomodguard
-  # - goprintffuncname
-  # - gosmopolitan
-  # - grouper
-  # - inamedparam
-  # - interfacebloat
-  # - ireturn
-  # - lll
-  # - loggercheck
-  # - maintidx
-  # - makezero
-  # - mirror
-  # - musttag
-  # - nakedret
-  # - nestif
-  # - nilerr
-  # - nilnil
-  # - nlreturn
-  # - noctx
-  # - nolintlint
-  # - nonamedreturns
-  # - nosprintfhostport
-  # - paralleltest
-  # - perfsprint
-  # - predeclared
-  # - protogetter
-  # - reassign
-  # - revive
-  # - rowserrcheck
-  # - stylecheck
-  # - tagalign
-  # - tagliatelle
-  # - testpackage
-  # - thelper
-  # - unparam
-  # - usestdlibvars
-  # - varnamelen
-  # - wrapcheck
-  # - wsl
-
-run:
-  # default concurrency is a available CPU number.
-  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-  timeout: 5m
-  issues-exit-code: 1
-  tests: false
-
-# output configuration options
-output:
-  formats:
-    - format: 'colored-line-number'
-  print-issued-lines: true
-  print-linter-name: true
-
-issues:
-  exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
           - gosec
-    # we aren't calling unknown URL
+        text: G115 # TODO: Either we should fix the issues or nuke the linter if it's bad
-    - text: 'G107' # G107: Url provided to HTTP request as taint input
+      - linters:
-      linters:
           - gosec
-    # as a web server that's expected to handle any template, this is totally in the hands of the user.
+        text: G107 # we aren't calling unknown URL
-    - text: 'G203' # G203: Use of unescaped data in HTML templates
+      - linters:
-      linters:
           - gosec
-    # we're shelling out to known commands, not relying on user-defined input.
+        text: G203 # as a web server that's expected to handle any template, this is totally in the hands of the user.
-    - text: 'G204' # G204: Audit use of command execution
+      - linters:
-      linters:
+          - gosec
+        text: G204 # we're shelling out to known commands, not relying on user-defined input.
+      - linters:
           - gosec
         # the choice of weakrand is deliberate, hence the named import "weakrand"
-    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
+        path: modules/caddyhttp/reverseproxy/selectionpolicies.go
-      text: 'G404' # G404: Insecure random number source (rand)
+        text: G404
-      linters:
+      - linters:
           - gosec
-    - path: modules/caddyhttp/reverseproxy/streaming.go
+        path: modules/caddyhttp/reverseproxy/streaming.go
-      text: 'G404' # G404: Insecure random number source (rand)
+        text: G404
-      linters:
+      - linters:
-        - gosec
-    - path: modules/logging/filters.go
-      linters:
           - dupl
-    - path: modules/caddyhttp/matchers.go
+        path: modules/logging/filters.go
-      linters:
+      - linters:
           - dupl
-    - path: modules/caddyhttp/vars.go
+        path: modules/caddyhttp/matchers.go
-      linters:
+      - linters:
           - dupl
-    - path: _test\.go
+        path: modules/caddyhttp/vars.go
-      linters:
+      - linters:
           - errcheck
+        path: _test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
+        - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.52.2
+  hooks:
+  - id: golangci-lint-config-verify
+  - id: golangci-lint
+  - id: golangci-lint-fmt
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

README.md

@@ -14,6 +14,7 @@
 <p align="center">Caddy is an extensible server platform that uses TLS by default.</p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
+	<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	<br>
 	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>

admin.go

@@ -424,6 +424,13 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 
 	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
 		return err
@@ -545,6 +552,13 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 	// because we are using TLS authentication instead
 	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
 	clientCertPool := x509.NewCertPool()

admin_test.go

@@ -19,6 +19,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -335,9 +336,7 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 
 func testGetMetricValue(labels map[string]string) float64 {
 	promLabels := prometheus.Labels{}
-	for k, v := range labels {
+	maps.Copy(promLabels, labels)
-		promLabels[k] = v
-	}
 
 	metric, err := adminMetrics.requestErrors.GetMetricWith(promLabels)
 	if err != nil {
@@ -377,9 +376,7 @@ func (m *mockModule) CaddyModule() ModuleInfo {
 
 func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
+	maps.Copy(originalModules, modules)
-		originalModules[k] = v
-	}
 	defer func() {
 		modules = originalModules
 	}()
@@ -479,9 +476,7 @@ func TestAdminRouterProvisioning(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			originalModules := make(map[string]ModuleInfo)
-			for k, v := range modules {
+			maps.Copy(originalModules, modules)
-				originalModules[k] = v
-			}
 			defer func() {
 				modules = originalModules
 			}()
@@ -774,9 +769,7 @@ func (m *mockIssuerModule) CaddyModule() ModuleInfo {
 
 func TestManageIdentity(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
+	maps.Copy(originalModules, modules)
-		originalModules[k] = v
-	}
 	defer func() {
 		modules = originalModules
 	}()

caddy.go

@@ -408,11 +408,23 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return ctx, nil
 	}
 
+	defer func() {
+		// if newCfg fails to start completely, clean up the already provisioned modules
+		// partially copied from provisionContext
+		if err != nil {
+			globalMetrics.configSuccess.Set(0)
+			ctx.cfg.cancelFunc()
+
+			if currentCtx.cfg != nil {
+				certmagic.Default.Storage = currentCtx.cfg.storage
+			}
+		}
+	}()
+
 	// Provision any admin routers which may need to access
 	// some of the other apps at runtime
 	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 
@@ -438,7 +450,6 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return nil
 	}()
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 	globalMetrics.configSuccess.Set(1)
@@ -449,7 +460,8 @@ func run(newCfg *Config, start bool) (Context, error) {
 
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
-	return ctx, finishSettingUp(ctx, ctx.cfg)
+	err = finishSettingUp(ctx, ctx.cfg)
+	return ctx, err
 }
 
 // provisionContext creates a new context from the given configuration and provisions
@@ -505,14 +517,6 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
-	// start the admin endpoint (and stop any prior one)
-	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
-		if err != nil {
-			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
-		}
-	}
-
 	// create the new filesystem map
 	newCfg.fileSystems = &filesystems.FileSystemMap{}
 
@@ -544,6 +548,14 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
+	// start the admin endpoint (and stop any prior one)
+	if replaceAdminServer {
+		err = replaceLocalAdminServer(newCfg, ctx)
+		if err != nil {
+			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
+		}
+	}
+
 	// Load and Provision each app and their submodules
 	err = func() error {
 		for appName := range newCfg.AppsRaw {
@@ -1104,9 +1116,15 @@ func (e Event) Origin() Module       { return e.origin } // Returns the module t
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
+	var source string
+	if e.Origin() == nil {
+		source = "caddy"
+	} else {
+		source = string(e.Origin().CaddyModule().ID)
+	}
 	return CloudEvent{
 		ID:              e.id.String(),
-		Source:          e.origin.CaddyModule().String(),
+		Source:          source,
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,

caddy_test.go

@@ -15,6 +15,7 @@
 package caddy
 
 import (
+	"context"
 	"testing"
 	"time"
 )
@@ -72,3 +73,21 @@ func TestParseDuration(t *testing.T) {
 		}
 	}
 }
+
+func TestEvent_CloudEvent_NilOrigin(t *testing.T) {
+	ctx, _ := NewContext(Context{Context: context.Background()}) // module will be nil by default
+	event, err := NewEvent(ctx, "started", nil)
+	if err != nil {
+		t.Fatalf("NewEvent() error = %v", err)
+	}
+
+	// This should not panic
+	ce := event.CloudEvent()
+
+	if ce.Source != "caddy" {
+		t.Errorf("Expected CloudEvent Source to be 'caddy', got '%s'", ce.Source)
+	}
+	if ce.Type != "started" {
+		t.Errorf("Expected CloudEvent Type to be 'started', got '%s'", ce.Type)
+	}
+}

caddyconfig/caddyfile/adapter.go

@@ -68,7 +68,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 // TODO: also perform this check on imported files
 func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bool) {
 	// replace windows-style newlines to normalize comparison
-	normalizedBody := bytes.Replace(body, []byte("\r\n"), []byte("\n"), -1)
+	normalizedBody := bytes.ReplaceAll(body, []byte("\r\n"), []byte("\n"))
 
 	formatted := Format(normalizedBody)
 	if bytes.Equal(formatted, normalizedBody) {

caddyconfig/caddyfile/formatter.go

@@ -94,7 +94,7 @@ func Format(input []byte) []byte {
 		}
 
 		// detect whether we have the start of a heredoc
-		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
+		if !quoted && (heredoc == heredocClosed && !heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening

caddyconfig/caddyfile/lexer.go

@@ -137,7 +137,7 @@ func (l *lexer) next() (bool, error) {
 		}
 
 		// detect whether we have the start of a heredoc
-		if !(quoted || btQuoted) && !(inHeredoc || heredocEscaped) &&
+		if (!quoted && !btQuoted) && (!inHeredoc && !heredocEscaped) &&
 			len(val) > 1 && string(val[:2]) == "<<" {
 			// a space means it's just a regular token and not a heredoc
 			if ch == ' ' {

caddyconfig/httpcaddyfile/builtins.go

@@ -15,6 +15,7 @@
 package httpcaddyfile
 
 import (
+	"encoding/json"
 	"fmt"
 	"html"
 	"net/http"
@@ -843,13 +844,18 @@ func parseHandleErrors(h Helper) ([]ConfigValue, error) {
 		return nil, h.Errf("segment was not parsed as a subroute")
 	}
 
+	// wrap the subroutes
+	wrappingRoute := caddyhttp.Route{
+		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
+	}
+	subroute = &caddyhttp.Subroute{
+		Routes: []caddyhttp.Route{wrappingRoute},
+	}
 	if expression != "" {
 		statusMatcher := caddy.ModuleMap{
 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 		}
-		for i := range subroute.Routes {
+		subroute.Routes[0].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
-			subroute.Routes[i].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
-		}
 	}
 	return []ConfigValue{
 		{
@@ -1160,6 +1166,11 @@ func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	if h.NextArg() {
 		return nil, h.ArgErr()
 	}
+
+	if h.NextBlock(0) {
+		return nil, h.Err("log_skip directive does not accept blocks")
+	}
+
 	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
 }
 

caddyconfig/httpcaddyfile/directives.go

@@ -16,6 +16,7 @@ package httpcaddyfile
 
 import (
 	"encoding/json"
+	"maps"
 	"net"
 	"slices"
 	"sort"
@@ -173,10 +174,12 @@ func RegisterDirectiveOrder(dir string, position Positional, standardDir string)
 		if d != standardDir {
 			continue
 		}
-		if position == Before {
+		switch position {
+		case Before:
 			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		} else if position == After {
+		case After:
 			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
+		case First, Last:
 		}
 		break
 	}
@@ -365,9 +368,7 @@ func parseSegmentAsConfig(h Helper) ([]ConfigValue, error) {
 		// copy existing matcher definitions so we can augment
 		// new ones that are defined only in this scope
 		matcherDefs := make(map[string]caddy.ModuleMap, len(h.matcherDefs))
-		for key, val := range h.matcherDefs {
+		maps.Copy(matcherDefs, h.matcherDefs)
-			matcherDefs[key] = val
-		}
 
 		// find and extract any embedded matcher definitions in this scope
 		for i := 0; i < len(segments); i++ {
@@ -483,12 +484,29 @@ func sortRoutes(routes []ConfigValue) {
 			// we can only confidently compare path lengths if both
 			// directives have a single path to match (issue #5037)
 			if iPathLen > 0 && jPathLen > 0 {
+				// trim the trailing wildcard if there is one
+				iPathTrimmed := strings.TrimSuffix(iPM[0], "*")
+				jPathTrimmed := strings.TrimSuffix(jPM[0], "*")
+
 				// if both paths are the same except for a trailing wildcard,
 				// sort by the shorter path first (which is more specific)
-				if strings.TrimSuffix(iPM[0], "*") == strings.TrimSuffix(jPM[0], "*") {
+				if iPathTrimmed == jPathTrimmed {
 					return iPathLen < jPathLen
 				}
 
+				// we use the trimmed length to compare the paths
+				// https://github.com/caddyserver/caddy/issues/7012#issuecomment-2870142195
+				// credit to https://github.com/Hellio404
+				// for sorts with many items, mixing matchers w/ and w/o wildcards will confuse the sort and result in incorrect orders
+				iPathLen = len(iPathTrimmed)
+				jPathLen = len(jPathTrimmed)
+
+				// if both paths have the same length, sort lexically
+				// https://github.com/caddyserver/caddy/pull/7015#issuecomment-2871993588
+				if iPathLen == jPathLen {
+					return iPathTrimmed < jPathTrimmed
+				}
+
 				// sort most-specific (longest) path first
 				return iPathLen > jPathLen
 			}

caddytest/caddytest.go

@@ -281,7 +281,7 @@ func validateTestPrerequisites(tc *Tester) error {
 		tc.t.Cleanup(func() {
 			os.Remove(f.Name())
 		})
-		if _, err := f.WriteString(fmt.Sprintf(initConfig, tc.config.AdminPort)); err != nil {
+		if _, err := fmt.Fprintf(f, initConfig, tc.config.AdminPort); err != nil {
 			return err
 		}
 

caddytest/integration/acme_test.go

@@ -12,13 +12,14 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 const acmeChallengePort = 9081

caddytest/integration/acmeserver_test.go

@@ -9,11 +9,12 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 func TestACMEServerDirectory(t *testing.T) {

caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest

@@ -0,0 +1,72 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest

@@ -0,0 +1,80 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														},
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest

@@ -0,0 +1,71 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/error_example.caddyfiletest

@@ -101,6 +101,11 @@ example.com {
 										]
 									}
 								],
+								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
 												"handle": [
 													{
 														"handler": "subroute",
@@ -126,6 +131,10 @@ example.com {
 															}
 														]
 													}
+												]
+											}
+										]
+									}
 								],
 								"terminal": true
 							}

caddytest/integration/caddyfile_adapt/error_multi_site_blocks.caddyfiletest

@@ -159,6 +159,11 @@ bar.localhost {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -168,6 +173,10 @@ bar.localhost {
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -175,12 +184,21 @@ bar.localhost {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599]",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -202,6 +220,11 @@ bar.localhost {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -211,6 +234,10 @@ bar.localhost {
 																		"body": "404 or 410 error from second site",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -218,12 +245,21 @@ bar.localhost {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599] from second site",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_range_codes.caddyfiletest

@@ -90,6 +90,11 @@ localhost:3010 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -99,6 +104,10 @@ localhost:3010 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_range_simple_codes.caddyfiletest

@@ -110,6 +110,11 @@ localhost:2099 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -119,6 +124,10 @@ localhost:2099 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -126,12 +135,21 @@ localhost:2099 {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error code is equal to 500 or in the [300..399] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_simple_codes.caddyfiletest

@@ -90,6 +90,11 @@ localhost:3010 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -99,6 +104,10 @@ localhost:3010 {
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_sort.caddyfiletest

@@ -110,6 +110,11 @@ localhost:2099 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -119,6 +124,10 @@ localhost:2099 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -126,6 +135,11 @@ localhost:2099 {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
@@ -136,6 +150,10 @@ localhost:2099 {
 															}
 														]
 													}
+												]
+											}
+										]
+									}
 								],
 								"terminal": true
 							}

caddytest/integration/caddyfile_adapt/error_subhandlers.caddyfiletest

@@ -0,0 +1,260 @@
+{
+	http_port 2099
+}
+localhost:2099 {
+	root * /var/www/
+	file_server
+
+	handle_errors 404 {
+		handle /en/* {
+			respond "not found" 404
+		}
+		handle /es/* {
+			respond "no encontrado"
+		}
+		handle {
+			respond "default not found"
+		}
+	}
+	handle_errors {
+		handle /en/* {
+			respond "English error"
+		}
+		handle /es/* {
+			respond "Spanish error"
+		}
+		handle {
+			respond "Default error"
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"http_port": 2099,
+			"servers": {
+				"srv0": {
+					"listen": [
+						":2099"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "vars",
+													"root": "/var/www/"
+												},
+												{
+													"handler": "file_server",
+													"hide": [
+														"./Caddyfile"
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"errors": {
+						"routes": [
+							{
+								"match": [
+									{
+										"host": [
+											"localhost"
+										]
+									}
+								],
+								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "not found",
+																						"handler": "static_response",
+																						"status_code": 404
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "no encontrado",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "default not found",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												],
+												"match": [
+													{
+														"expression": "{http.error.status_code} in [404]"
+													}
+												]
+											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "English error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Spanish error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Default error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												]
+											}
+										]
+									}
+								],
+								"terminal": true
+							}
+						]
+					}
+				}
+			}
+		}
+	}
+}
+

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf file ../caddy.ca.cer
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											},
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf folder ../
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											},
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
-
 	_ "github.com/caddyserver/caddy/v2/internal/testmocks"
 )
 

caddytest/integration/caddyfile_test.go

@@ -615,7 +615,6 @@ func TestReplaceWithReplacementPlaceholder(t *testing.T) {
 	respond "{query}"`, "caddyfile")
 
 	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
-
 }
 
 func TestReplaceWithKeyPlaceholder(t *testing.T) {
@@ -783,6 +782,46 @@ func TestHandleErrorRangeAndCodes(t *testing.T) {
 	tester.AssertGetResponse("http://localhost:9080/private", 410, "Error in the [400 .. 499] range")
 }
 
+func TestHandleErrorSubHandlers(t *testing.T) {
+	tester := caddytest.NewTester(t)
+	tester.InitServer(`{
+		admin localhost:2999
+		http_port     9080
+	}
+	localhost:9080 {
+		root * /srv
+		file_server
+		error /*/internalerr* "Internal Server Error" 500
+
+		handle_errors 404 {
+			handle /en/* {
+				respond "not found" 404
+			}
+			handle /es/* {
+				respond "no encontrado" 404
+			}
+			handle {
+				respond "default not found"
+			}
+		}
+		handle_errors {
+			handle {
+				respond "Default error"
+			}
+			handle /en/* {
+				respond "English error"
+			}
+		}
+	}
+	`, "caddyfile")
+	// act and assert
+	tester.AssertGetResponse("http://localhost:9080/en/notfound", 404, "not found")
+	tester.AssertGetResponse("http://localhost:9080/es/notfound", 404, "no encontrado")
+	tester.AssertGetResponse("http://localhost:9080/notfound", 404, "default not found")
+	tester.AssertGetResponse("http://localhost:9080/es/internalerr", 500, "Default error")
+	tester.AssertGetResponse("http://localhost:9080/en/internalerr", 500, "English error")
+}
+
 func TestInvalidSiteAddressesAsDirectives(t *testing.T) {
 	type testCase struct {
 		config, expectedError string

caddytest/integration/mockdns_test.go

@@ -3,10 +3,11 @@ package integration
 import (
 	"context"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -55,7 +56,9 @@ func (MockDNSProvider) SetRecords(ctx context.Context, zone string, recs []libdn
 }
 
 // Interface guard
-var _ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
+var (
-var _ certmagic.DNSProvider = (*MockDNSProvider)(nil)
+	_ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
-var _ caddy.Provisioner = (*MockDNSProvider)(nil)
+	_ certmagic.DNSProvider = (*MockDNSProvider)(nil)
-var _ caddy.Module = (*MockDNSProvider)(nil)
+	_ caddy.Provisioner     = (*MockDNSProvider)(nil)
+	_ caddy.Module          = (*MockDNSProvider)(nil)
+)

caddytest/integration/stream_test.go

@@ -13,9 +13,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 // (see https://github.com/caddyserver/caddy/issues/3556 for use case)

cmd/commandfuncs.go

@@ -24,6 +24,7 @@ import (
 	"io"
 	"io/fs"
 	"log"
+	"maps"
 	"net"
 	"net/http"
 	"os"
@@ -703,9 +704,7 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
 	if body != nil {
 		req.Header.Set("Content-Type", "application/json")
 	}
-	for k, v := range headers {
+	maps.Copy(req.Header, headers)
-		req.Header[k] = v
-	}
 
 	// make an HTTP client that dials our network type, since admin
 	// endpoints aren't always TCP, which is what the default transport

cmd/commands.go

@@ -20,6 +20,7 @@ import (
 	"os"
 	"regexp"
 	"strings"
+	"sync"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
@@ -80,10 +81,16 @@ type CommandFunc func(Flags) (int, error)
 // Commands returns a list of commands initialised by
 // RegisterCommand
 func Commands() map[string]Command {
+	commandsMu.RLock()
+	defer commandsMu.RUnlock()
+
 	return commands
 }
 
-var commands = make(map[string]Command)
+var (
+	commandsMu sync.RWMutex
+	commands   = make(map[string]Command)
+)
 
 func init() {
 	RegisterCommand(Command{
@@ -441,7 +448,7 @@ EXPERIMENTAL: May be changed or removed.
 	})
 
 	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.AddCommand(caddyCmdToCobra(Command{
+		manpageCommand := Command{
 			Name:  "manpage",
 			Usage: "--directory <path>",
 			Short: "Generates the manual pages for Caddy commands",
@@ -471,11 +478,12 @@ argument of --directory. If the directory does not exist, it will be created.
 					return caddy.ExitCodeSuccess, nil
 				})
 			},
-		}))
+		}
 
 		// source: https://github.com/spf13/cobra/blob/main/shell_completions.md
-		rootCmd.AddCommand(&cobra.Command{
+		completionCommand := Command{
-			Use:   "completion [bash|zsh|fish|powershell]",
+			Name:  "completion",
+			Usage: "[bash|zsh|fish|powershell]",
 			Short: "Generate completion script",
 			Long: fmt.Sprintf(`To load completions:
 
@@ -516,10 +524,11 @@ argument of --directory. If the directory does not exist, it will be created.
 	  PS> %[1]s completion powershell > %[1]s.ps1
 	  # and source this file from your PowerShell profile.
 	`, rootCmd.Root().Name()),
-			DisableFlagsInUseLine: true,
+			CobraFunc: func(cmd *cobra.Command) {
-			ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
+				cmd.DisableFlagsInUseLine = true
-			Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+				cmd.ValidArgs = []string{"bash", "zsh", "fish", "powershell"}
-			RunE: func(cmd *cobra.Command, args []string) error {
+				cmd.Args = cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs)
+				cmd.RunE = func(cmd *cobra.Command, args []string) error {
 					switch args[0] {
 					case "bash":
 						return cmd.Root().GenBashCompletion(os.Stdout)
@@ -532,8 +541,20 @@ argument of --directory. If the directory does not exist, it will be created.
 					default:
 						return fmt.Errorf("unrecognized shell: %s", args[0])
 					}
+				}
 			},
-		})
+		}
+
+		rootCmd.AddCommand(caddyCmdToCobra(manpageCommand))
+		rootCmd.AddCommand(caddyCmdToCobra(completionCommand))
+
+		// add manpage and completion commands to the map of
+		// available commands, because they're not registered
+		// through RegisterCommand.
+		commandsMu.Lock()
+		commands[manpageCommand.Name] = manpageCommand
+		commands[completionCommand.Name] = completionCommand
+		commandsMu.Unlock()
 	})
 }
 
@@ -552,6 +573,9 @@ argument of --directory. If the directory does not exist, it will be created.
 //
 // This function should be used in init().
 func RegisterCommand(cmd Command) {
+	commandsMu.Lock()
+	defer commandsMu.Unlock()
+
 	if cmd.Name == "" {
 		panic("command name is required")
 	}
@@ -570,6 +594,7 @@ func RegisterCommand(cmd Command) {
 	defaultFactory.Use(func(rootCmd *cobra.Command) {
 		rootCmd.AddCommand(caddyCmdToCobra(cmd))
 	})
+	commands[cmd.Name] = cmd
 }
 
 var commandNameRegex = regexp.MustCompile(`^[a-z0-9]$|^([a-z0-9]+-?[a-z0-9]*)+[a-z0-9]$`)

cmd/commands_test.go

@@ -0,0 +1,39 @@
+package caddycmd
+
+import (
+	"maps"
+	"reflect"
+	"slices"
+	"testing"
+)
+
+func TestCommandsAreAvailable(t *testing.T) {
+	// trigger init, and build the default factory, so that
+	// all commands from this package are available
+	cmd := defaultFactory.Build()
+	if cmd == nil {
+		t.Fatal("default factory failed to build")
+	}
+
+	// check that the default factory has 17 commands; it doesn't
+	// include the commands registered through calls to init in
+	// other packages
+	cmds := Commands()
+	if len(cmds) != 17 {
+		t.Errorf("expected 17 commands, got %d", len(cmds))
+	}
+
+	commandNames := slices.Collect(maps.Keys(cmds))
+	slices.Sort(commandNames)
+
+	expectedCommandNames := []string{
+		"adapt", "add-package", "build-info", "completion",
+		"environ", "fmt", "list-modules", "manpage",
+		"reload", "remove-package", "run", "start",
+		"stop", "storage", "upgrade", "validate", "version",
+	}
+
+	if !reflect.DeepEqual(expectedCommandNames, commandNames) {
+		t.Errorf("expected %v, got %v", expectedCommandNames, commandNames)
+	}
+}

cmd/main.go

@@ -418,7 +418,7 @@ func parseEnvFile(envInput io.Reader) (map[string]string, error) {
 		// quoted value: support newlines
 		if strings.HasPrefix(val, `"`) || strings.HasPrefix(val, "'") {
 			quote := string(val[0])
-			for !(strings.HasSuffix(line, quote) && !strings.HasSuffix(line, `\`+quote)) {
+			for !strings.HasSuffix(line, quote) || strings.HasSuffix(line, `\`+quote) {
 				val = strings.ReplaceAll(val, `\`+quote, quote)
 				if !scanner.Scan() {
 					break

cmd/main_test.go

@@ -235,7 +235,6 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
 			name: "json is not caddyfile but not error",
 			args: args{
 				configFile:  "./Caddyfile.json",
@@ -245,7 +244,6 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
 			name: "prefix of Caddyfile and ./ with any extension is Caddyfile",
 			args: args{
 				configFile:  "./Caddyfile.prd",
@@ -255,7 +253,6 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
 			name: "prefix of Caddyfile without ./ with any extension is Caddyfile",
 			args: args{
 				configFile:  "Caddyfile.prd",

cmd/packagesfuncs.go

@@ -84,7 +84,7 @@ func cmdAddPackage(fl Flags) (int, error) {
 			return caddy.ExitCodeFailedStartup, fmt.Errorf("invalid module name: %v", err)
 		}
 		// only allow a version to be specified if it's different from the existing version
-		if _, ok := pluginPkgs[module]; ok && !(version != "" && pluginPkgs[module].Version != version) {
+		if _, ok := pluginPkgs[module]; ok && (version == "" || pluginPkgs[module].Version == version) {
 			return caddy.ExitCodeFailedStartup, fmt.Errorf("package is already added")
 		}
 		pluginPkgs[module] = pluginPackage{Version: version, Path: module}

context.go

@@ -577,11 +577,11 @@ func (ctx Context) Slogger() *slog.Logger {
 		if err != nil {
 			panic("config missing, unable to create dev logger: " + err.Error())
 		}
-		return slog.New(zapslog.NewHandler(l.Core(), nil))
+		return slog.New(zapslog.NewHandler(l.Core()))
 	}
 	mod := ctx.Module()
 	if mod == nil {
-		return slog.New(zapslog.NewHandler(Log().Core(), nil))
+		return slog.New(zapslog.NewHandler(Log().Core()))
 	}
 	return slog.New(zapslog.NewHandler(ctx.cfg.Logging.Logger(mod).Core(),
 		zapslog.WithName(string(mod.CaddyModule().ID)),

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
 	github.com/caddyserver/certmagic v0.23.0
 	github.com/caddyserver/zerossl v0.1.3
-	github.com/cloudflare/circl v1.6.0
+	github.com/cloudflare/circl v1.6.1
 	github.com/dustin/go-humanize v1.0.1
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/google/cel-go v0.24.1
@@ -19,7 +19,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.10
 	github.com/mholt/acmez/v3 v3.1.2
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.50.1
+	github.com/quic-go/quic-go v0.51.0
 	github.com/smallstep/certificates v0.26.1
 	github.com/smallstep/nosql v0.6.1
 	github.com/smallstep/truststore v0.13.0

go.sum

@@ -113,8 +113,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -397,8 +397,8 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.50.1 h1:unsgjFIUqW8a2oopkY7YNONpV1gYND6Nt9hnt1PN94Q=
+github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
-github.com/quic-go/quic-go v0.50.1/go.mod h1:Vim6OmUvlYdwBhXP9ZVrtGmCMWa3wEqhq3NgYrI8b4E=
+github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=

listeners_test.go

@@ -185,8 +185,7 @@ func TestParseNetworkAddress(t *testing.T) {
 	}{
 		{
 			input:      "",
-			expectAddr: NetworkAddress{
+			expectAddr: NetworkAddress{},
-			},
 		},
 		{
 			input:          ":",
@@ -312,8 +311,7 @@ func TestParseNetworkAddressWithDefaults(t *testing.T) {
 	}{
 		{
 			input:      "",
-			expectAddr: NetworkAddress{
+			expectAddr: NetworkAddress{},
-			},
 		},
 		{
 			input:          ":",

logging.go

@@ -162,7 +162,9 @@ func (logging *Logging) setupNewDefault(ctx Context) error {
 	if err != nil {
 		return fmt.Errorf("setting up default log: %v", err)
 	}
-	newDefault.logger = zap.New(newDefault.CustomLog.core, options...)
+
+	filteringCore := &filteringCore{newDefault.CustomLog.core, newDefault.CustomLog}
+	newDefault.logger = zap.New(filteringCore, options...)
 
 	// redirect the default caddy logs
 	defaultLoggerMu.Lock()

logging_test.go

@@ -0,0 +1,106 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddy
+
+import "testing"
+
+func TestCustomLog_loggerAllowed(t *testing.T) {
+	type fields struct {
+		BaseLog BaseLog
+		Include []string
+		Exclude []string
+	}
+	type args struct {
+		name     string
+		isModule bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   bool
+	}{
+		{
+			name: "include",
+			fields: fields{
+				Include: []string{"foo"},
+			},
+			args: args{
+				name:     "foo",
+				isModule: true,
+			},
+			want: true,
+		},
+		{
+			name: "exclude",
+			fields: fields{
+				Exclude: []string{"foo"},
+			},
+			args: args{
+				name:     "foo",
+				isModule: true,
+			},
+			want: false,
+		},
+		{
+			name: "include and exclude",
+			fields: fields{
+				Include: []string{"foo"},
+				Exclude: []string{"foo"},
+			},
+			args: args{
+				name:     "foo",
+				isModule: true,
+			},
+			want: false,
+		},
+		{
+			name: "include and exclude (longer namespace)",
+			fields: fields{
+				Include: []string{"foo.bar"},
+				Exclude: []string{"foo"},
+			},
+			args: args{
+				name:     "foo.bar",
+				isModule: true,
+			},
+			want: true,
+		},
+		{
+			name: "excluded module is not printed",
+			fields: fields{
+				Include: []string{"admin.api.load"},
+				Exclude: []string{"admin.api"},
+			},
+			args: args{
+				name:     "admin.api",
+				isModule: false,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cl := &CustomLog{
+				BaseLog: tt.fields.BaseLog,
+				Include: tt.fields.Include,
+				Exclude: tt.fields.Exclude,
+			}
+			if got := cl.loggerAllowed(tt.args.name, tt.args.isModule); got != tt.want {
+				t.Errorf("CustomLog.loggerAllowed() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

modules/caddyhttp/autohttps.go

@@ -343,7 +343,7 @@ uniqueDomainsLoop:
 		// match on known domain names, unless it's our special case of a
 		// catch-all which is an empty string (common among catch-all sites
 		// that enable on-demand TLS for yet-unknown domain names)
-		if !(len(domains) == 1 && domains[0] == "") {
+		if len(domains) != 1 || domains[0] != "" {
 			matcherSet = append(matcherSet, MatchHost(domains))
 		}
 

modules/caddyhttp/caddyauth/basicauth.go

@@ -236,10 +236,7 @@ func (c *Cache) makeRoom() {
 	// the cache is on a long tail, we can save a lot of CPU
 	// time by doing a whole bunch of deletions now and then
 	// we won't have to do them again for a while
-	numToDelete := len(c.cache) / 10
+	numToDelete := max(len(c.cache)/10, 1)
-	if numToDelete < 1 {
-		numToDelete = 1
-	}
 	for deleted := 0; deleted <= numToDelete; deleted++ {
 		// Go maps are "nondeterministic" not actually random,
 		// so although we could just chop off the "front" of the

modules/caddyhttp/fileserver/browse.html

@@ -26,7 +26,7 @@
 		<path d="M9 7l4 0"/>
 		<path d="M9 11l4 0"/>
 	</svg>
-	{{- else if .HasExt ".jpg" ".jpeg" ".png" ".gif" ".webp" ".tiff" ".bmp" ".heif" ".heic" ".svg"}}
+	{{- else if .HasExt ".jpg" ".jpeg" ".png" ".gif" ".webp" ".tiff" ".bmp" ".heif" ".heic" ".svg" ".avif"}}
 		{{- if eq .Tpl.Layout "grid"}}
 		<img loading="lazy" src="{{.Name | pathEscape}}">
 		{{- else}}
@@ -828,6 +828,96 @@ footer {
 						</svg>
 						Grid
 					</a>
+					{{- if and (eq .Layout "grid") (eq .Sort "name") (ne .Order "asc")}}
+					<a href="?sort=name&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<text x="2" y="10" font-size="9" fill="currentColor">Z</text>
+							<text x="2" y="20" font-size="9" fill="currentColor">A</text>
+							<path d="M13 4v12"></path>
+							<path d="M12 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid") (eq .Sort "name") (ne .Order "desc")}}
+					<a href="?sort=name&order=desc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<text x="2" y="10" font-size="9" fill="currentColor">A</text>
+							<text x="2" y="20" font-size="9" fill="currentColor">Z</text>
+							<path d="M13 4v12"></path>
+							<path d="M12 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid")}}
+					<a href="?sort=name&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<text x="2" y="20" font-size="9" fill="currentColor">A</text>
+							<text x="2" y="10" font-size="9" fill="currentColor">Z</text>
+							<path d="M13 4v12"></path>
+							<path d="M12 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- end}}
+					{{- if and (eq .Layout "grid") (eq .Sort "size") (ne .Order "asc")}}
+					<a href="?sort=size&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<rect x="2" y="4" width="4" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="10" width="8" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="16" width="12" height="3" rx="0.4" ry="0.4"></rect>
+							<path d="M18 4v12"></path>
+							<path d="M17 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid") (eq .Sort "size") (ne .Order "desc")}}
+					<a href="?sort=size&order=desc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<rect x="2" y="4" width="12" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="10" width="8" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="16" width="4" height="3" rx="0.4" ry="0.4"></rect>
+							<path d="M18 4v12"></path>
+							<path d="M17 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid")}}
+					<a href="?sort=size&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<rect x="2" y="4" width="4" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="10" width="8" height="3" rx="0.4" ry="0.4"></rect>
+							<rect x="2" y="16" width="12" height="3" rx="0.4" ry="0.4"></rect>
+							<path d="M18 4v12"></path>
+							<path d="M17 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- end}}
+					{{- if and (eq .Layout "grid") (eq .Sort "time") (ne .Order "asc")}}
+					<a href="?sort=time&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<circle cx="9" cy="11" r="8"></circle>
+							<line x1="9" y1="12" x2="9" y2="7" stroke-linecap="round"></line>
+							<line x1="9" y1="12" x2="12" y2="12" stroke-linecap="round"></line>
+							<path d="M20 4v12"></path>
+							<path d="M19 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid") (eq .Sort "time") (ne .Order "desc")}}
+					<a href="?sort=time&order=desc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<circle cx="9" cy="11" r="8"></circle>
+							<line x1="9" y1="12" x2="9" y2="7" stroke-linecap="round"></line>
+							<line x1="9" y1="12" x2="12" y2="12" stroke-linecap="round"></line>
+							<path d="M20 4v12"></path>
+							<path d="M19 5l1 -2l1 2"></path>
+						</svg>
+					</a>
+					{{- else if and (eq .Layout "grid")}}
+					<a href="?sort=time&order=asc{{if ne 0 .Limit}}&limit={{.Limit}}{{end}}{{if ne 0 .Offset}}&offset={{.Offset}}{{end}}&layout=grid">
+						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+							<circle cx="9" cy="11" r="8"></circle>
+							<line x1="9" y1="12" x2="9" y2="7" stroke-linecap="round"></line>
+							<line x1="9" y1="12" x2="12" y2="12" stroke-linecap="round"></line>
+							<path d="M20 4v12"></path>
+							<path d="M19 16l1 2l1 -2"></path>
+						</svg>
+					</a>
+					{{- end}}
 				</div>
 				<div class='listing{{if eq .Layout "grid"}} grid{{end}}'>
 				{{- if eq .Layout "grid"}}

modules/caddyhttp/fileserver/matcher.go

@@ -252,7 +252,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 		}
 
 		for _, arg := range args {
-			if !(isCELStringLiteral(arg) || isCELCaddyPlaceholderCall(arg)) {
+			if !isCELStringLiteral(arg) && !isCELCaddyPlaceholderCall(arg) {
 				return nil, &common.Error{
 					Location: eh.OffsetLocation(arg.ID()),
 					Message:  "matcher only supports repeated string literal arguments",
@@ -616,15 +616,16 @@ func isCELTryFilesLiteral(e ast.Expr) bool {
 				return false
 			}
 			mapKeyStr := mapKey.AsLiteral().ConvertToType(types.StringType).Value()
-			if mapKeyStr == "try_files" || mapKeyStr == "split_path" {
+			switch mapKeyStr {
+			case "try_files", "split_path":
 				if !isCELStringListLiteral(mapVal) {
 					return false
 				}
-			} else if mapKeyStr == "try_policy" || mapKeyStr == "root" {
+			case "try_policy", "root":
 				if !(isCELStringExpr(mapVal)) {
 					return false
 				}
-			} else {
+			default:
 				return false
 			}
 		}

modules/caddyhttp/fileserver/staticfiles.go

@@ -300,8 +300,10 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	info, err := fs.Stat(fileSystem, filename)
 	if err != nil {
 		err = fsrv.mapDirOpenError(fileSystem, err, filename)
-		if errors.Is(err, fs.ErrNotExist) || errors.Is(err, fs.ErrInvalid) {
+		if errors.Is(err, fs.ErrNotExist) {
 			return fsrv.notFound(w, r, next)
+		} else if errors.Is(err, fs.ErrInvalid) {
+			return caddyhttp.Error(http.StatusBadRequest, err)
 		} else if errors.Is(err, fs.ErrPermission) {
 			return caddyhttp.Error(http.StatusForbidden, err)
 		}
@@ -611,6 +613,11 @@ func (fsrv *FileServer) mapDirOpenError(fileSystem fs.FS, originalErr error, nam
 		return originalErr
 	}
 
+	var pathErr *fs.PathError
+	if errors.As(originalErr, &pathErr) {
+		return fs.ErrInvalid
+	}
+
 	parts := strings.Split(name, separator)
 	for i := range parts {
 		if parts[i] == "" {

modules/caddyhttp/intercept/intercept.go

@@ -118,6 +118,11 @@ func (irh interceptedResponseHandler) WriteHeader(statusCode int) {
 	irh.ResponseRecorder.WriteHeader(statusCode)
 }
 
+// EXPERIMENTAL: Subject to change or removal.
+func (irh interceptedResponseHandler) Unwrap() http.ResponseWriter {
+	return irh.ResponseRecorder
+}
+
 // EXPERIMENTAL: Subject to change or removal.
 func (ir Intercept) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	buf := bufPool.Get().(*bytes.Buffer)

modules/caddyhttp/matchers.go

@@ -552,7 +552,6 @@ func (MatchPath) matchPatternWithEscapeSequence(escapedPath, matchPath string) b
 		if iPattern >= len(matchPath) || iPath >= len(escapedPath) {
 			break
 		}
-
 		// get the next character from the request path
 
 		pathCh := string(escapedPath[iPath])

modules/caddyhttp/metrics_test.go

@@ -9,8 +9,9 @@ import (
 	"sync"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2"
 	"github.com/prometheus/client_golang/prometheus/testutil"
+
+	"github.com/caddyserver/caddy/v2"
 )
 
 func TestServerNameFromContext(t *testing.T) {

modules/caddyhttp/replacer.go

@@ -363,13 +363,13 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
 			}
 		}
 
-		switch {
+		switch key {
-		case key == "http.shutting_down":
+		case "http.shutting_down":
 			server := req.Context().Value(ServerCtxKey).(*Server)
 			server.shutdownAtMu.RLock()
 			defer server.shutdownAtMu.RUnlock()
 			return !server.shutdownAt.IsZero(), true
-		case key == "http.time_until_shutdown":
+		case "http.time_until_shutdown":
 			server := req.Context().Value(ServerCtxKey).(*Server)
 			server.shutdownAtMu.RLock()
 			defer server.shutdownAtMu.RUnlock()

modules/caddyhttp/reverseproxy/caddyfile.go

@@ -665,9 +665,10 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			if d.NextArg() {
 				return d.ArgErr()
 			}
-			if subdir == "request_buffers" {
+			switch subdir {
+			case "request_buffers":
 				h.RequestBuffers = size
-			} else if subdir == "response_buffers" {
+			case "response_buffers":
 				h.ResponseBuffers = size
 			}
 

modules/caddyhttp/reverseproxy/command.go

@@ -122,9 +122,10 @@ func cmdReverseProxy(fs caddycmd.Flags) (int, error) {
 		}
 	}
 	if fromAddr.Port == "" {
-		if fromAddr.Scheme == "http" {
+		switch fromAddr.Scheme {
+		case "http":
 			fromAddr.Port = httpPort
-		} else if fromAddr.Scheme == "https" {
+		case "https":
 			fromAddr.Port = httpsPort
 		}
 	}

modules/caddyhttp/reverseproxy/fastcgi/caddyfile.go

@@ -17,6 +17,7 @@ package fastcgi
 import (
 	"encoding/json"
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -314,7 +315,7 @@ func parsePHPFastCGI(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 
 	// if the index is turned off, we skip the redirect and try_files
 	if indexFile != "off" {
-		dirRedir := false
+		var dirRedir bool
 		dirIndex := "{http.request.uri.path}/" + indexFile
 		tryPolicy := "first_exist_fallback"
 
@@ -328,13 +329,7 @@ func parsePHPFastCGI(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 				tryPolicy = ""
 			}
 
-			for _, tf := range tryFiles {
+			dirRedir = slices.Contains(tryFiles, dirIndex)
-				if tf == dirIndex {
-					dirRedir = true
-
-					break
-				}
-			}
 		}
 
 		if dirRedir {

modules/caddyhttp/reverseproxy/healthchecks.go

@@ -484,7 +484,7 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, networ
 
 	markHealthy := func() {
 		// increment passes and then check if it has reached the threshold to be healthy
-		err := upstream.Host.countHealthPass(1)
+		err := upstream.countHealthPass(1)
 		if err != nil {
 			if c := h.HealthChecks.Active.logger.Check(zapcore.ErrorLevel, "could not count active health pass"); c != nil {
 				c.Write(

modules/caddyhttp/reverseproxy/httptransport.go

@@ -353,7 +353,7 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 		h.NetworkProxyRaw = caddyconfig.JSONModuleObject(u, "from", "url", nil)
 	}
 	if len(h.NetworkProxyRaw) != 0 {
-		proxyMod, err := caddyCtx.LoadModule(h, "ForwardProxyRaw")
+		proxyMod, err := caddyCtx.LoadModule(h, "NetworkProxyRaw")
 		if err != nil {
 			return nil, fmt.Errorf("failed to load network_proxy module: %v", err)
 		}
@@ -382,6 +382,36 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 		if err != nil {
 			return nil, fmt.Errorf("making TLS client config: %v", err)
 		}
+
+		// servername has a placeholder, so we need to replace it
+		if strings.Contains(h.TLS.ServerName, "{") {
+			rt.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+				// reuses the dialer from above to establish a plaintext connection
+				conn, err := dialContext(ctx, network, addr)
+				if err != nil {
+					return nil, err
+				}
+
+				// but add our own handshake logic
+				repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+				tlsConfig := rt.TLSClientConfig.Clone()
+				tlsConfig.ServerName = repl.ReplaceAll(tlsConfig.ServerName, "")
+				tlsConn := tls.Client(conn, tlsConfig)
+
+				// complete the handshake before returning the connection
+				if rt.TLSHandshakeTimeout != 0 {
+					var cancel context.CancelFunc
+					ctx, cancel = context.WithTimeout(ctx, rt.TLSHandshakeTimeout)
+					defer cancel()
+				}
+				err = tlsConn.HandshakeContext(ctx)
+				if err != nil {
+					_ = tlsConn.Close()
+					return nil, err
+				}
+				return tlsConn, nil
+			}
+		}
 	}
 
 	if h.KeepAlive != nil {
@@ -453,45 +483,9 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 	return rt, nil
 }
 
-// replaceTLSServername checks TLS servername to see if it needs replacing
-// if it does need replacing, it creates a new cloned HTTPTransport object to avoid any races
-// and does the replacing of the TLS servername on that and returns the new object
-// if no replacement is necessary it returns the original
-func (h *HTTPTransport) replaceTLSServername(repl *caddy.Replacer) *HTTPTransport {
-	// check whether we have TLS and need to replace the servername in the TLSClientConfig
-	if h.TLSEnabled() && strings.Contains(h.TLS.ServerName, "{") {
-		// make a new h, "copy" the parts we don't need to touch, add a new *tls.Config and replace servername
-		newtransport := &HTTPTransport{
-			Resolver:              h.Resolver,
-			TLS:                   h.TLS,
-			KeepAlive:             h.KeepAlive,
-			Compression:           h.Compression,
-			MaxConnsPerHost:       h.MaxConnsPerHost,
-			DialTimeout:           h.DialTimeout,
-			FallbackDelay:         h.FallbackDelay,
-			ResponseHeaderTimeout: h.ResponseHeaderTimeout,
-			ExpectContinueTimeout: h.ExpectContinueTimeout,
-			MaxResponseHeaderSize: h.MaxResponseHeaderSize,
-			WriteBufferSize:       h.WriteBufferSize,
-			ReadBufferSize:        h.ReadBufferSize,
-			Versions:              h.Versions,
-			Transport:             h.Transport.Clone(),
-			h2cTransport:          h.h2cTransport,
-		}
-		newtransport.Transport.TLSClientConfig.ServerName = repl.ReplaceAll(newtransport.Transport.TLSClientConfig.ServerName, "")
-		return newtransport
-	}
-
-	return h
-}
-
 // RoundTrip implements http.RoundTripper.
 func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	// Try to replace TLS servername if needed
+	h.SetScheme(req)
-	repl := req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
-	transport := h.replaceTLSServername(repl)
-
-	transport.SetScheme(req)
 
 	// use HTTP/3 if enabled (TODO: This is EXPERIMENTAL)
 	if h.h3Transport != nil {
@@ -507,7 +501,7 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 		return h.h2cTransport.RoundTrip(req)
 	}
 
-	return transport.Transport.RoundTrip(req)
+	return h.Transport.RoundTrip(req)
 }
 
 // SetScheme ensures that the outbound request req
@@ -534,13 +528,7 @@ func (h *HTTPTransport) shouldUseTLS(req *http.Request) bool {
 	}
 
 	port := req.URL.Port()
-	for i := range h.TLS.ExceptPorts {
+	return !slices.Contains(h.TLS.ExceptPorts, port)
-		if h.TLS.ExceptPorts[i] == port {
-			return false
-		}
-	}
-
-	return true
 }
 
 // TLSEnabled returns true if TLS is enabled.

modules/caddyhttp/reverseproxy/reverseproxy.go

@@ -1150,7 +1150,7 @@ func (lb LoadBalancing) tryAgain(ctx caddy.Context, start time.Time, retries int
 		// we have to assume the upstream received the request, and
 		// retries need to be carefully decided, because some requests
 		// are not idempotent
-		if !isDialError && !(isHandlerError && errors.Is(herr, errNoUpstream)) {
+		if !isDialError && (!isHandlerError || !errors.Is(herr, errNoUpstream)) {
 			if lb.RetryMatch == nil && req.Method != "GET" {
 				// by default, don't retry requests if they aren't GET
 				return false

modules/caddyhttp/reverseproxy/selectionpolicies.go

@@ -219,10 +219,7 @@ func (r RandomChoiceSelection) Validate() error {
 
 // Select returns an available host, if any.
 func (r RandomChoiceSelection) Select(pool UpstreamPool, _ *http.Request, _ http.ResponseWriter) *Upstream {
-	k := r.Choose
+	k := min(r.Choose, len(pool))
-	if k > len(pool) {
-		k = len(pool)
-	}
 	choices := make([]*Upstream, k)
 	for i, upstream := range pool {
 		if !upstream.Available() {
@@ -808,7 +805,7 @@ func leastRequests(upstreams []*Upstream) *Upstream {
 		return nil
 	}
 	var best []*Upstream
-	var bestReqs int = -1
+	bestReqs := -1
 	for _, upstream := range upstreams {
 		if upstream == nil {
 			continue

modules/caddyhttp/reverseproxy/upstreams_test.go

@@ -52,5 +52,4 @@ func TestResolveIpVersion(t *testing.T) {
 			t.Errorf("resolveIpVersion(): Expected %s got %s", test.expectedIpVersion, ipVersion)
 		}
 	}
-
 }

modules/caddyhttp/rewrite/rewrite.go

@@ -377,11 +377,7 @@ func buildQueryString(qs string, repl *caddy.Replacer) string {
 // performed in normalized/unescaped space.
 func trimPathPrefix(escapedPath, prefix string) string {
 	var iPath, iPrefix int
-	for {
+	for iPath < len(escapedPath) && iPrefix < len(prefix) {
-		if iPath >= len(escapedPath) || iPrefix >= len(prefix) {
-			break
-		}
-
 		prefixCh := prefix[iPrefix]
 		ch := string(escapedPath[iPath])
 

modules/caddyhttp/server_test.go

@@ -171,6 +171,7 @@ func BenchmarkServer_LogRequest_WithTrace(b *testing.B) {
 		s.logRequest(accLog, req, wrec, &duration, repl, bodyReader, false)
 	}
 }
+
 func TestServer_TrustedRealClientIP_NoTrustedHeaders(t *testing.T) {
 	req := httptest.NewRequest("GET", "/", nil)
 	req.RemoteAddr = "192.0.2.1:12345"

modules/caddyhttp/staticresp.go

@@ -22,6 +22,7 @@ import (
 	"net/http"
 	"net/textproto"
 	"os"
+	"slices"
 	"strconv"
 	"strings"
 	"text/template"
@@ -323,13 +324,7 @@ func cmdRespond(fl caddycmd.Flags) (int, error) {
 
 	// figure out if status code was explicitly specified; this lets
 	// us set a non-zero value as the default but is a little hacky
-	var statusCodeFlagSpecified bool
+	statusCodeFlagSpecified := slices.Contains(os.Args, "--status")
-	for _, fl := range os.Args {
-		if fl == "--status" {
-			statusCodeFlagSpecified = true
-			break
-		}
-	}
 
 	// try to determine what kind of parameter the unnamed argument is
 	if arg != "" {

modules/caddypki/acmeserver/caddyfile.go

@@ -91,8 +91,7 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			acmeServer.Policy.AllowWildcardNames = true
 		case "allow":
 			r := &RuleSet{}
-			for h.Next() {
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
-				for h.NextBlock(h.Nesting() - 1) {
 				if h.CountRemainingArgs() == 0 {
 					return nil, h.ArgErr() // TODO:
 				}
@@ -105,15 +104,13 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 					return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
 				}
 			}
-			}
 			if acmeServer.Policy == nil {
 				acmeServer.Policy = &Policy{}
 			}
 			acmeServer.Policy.Allow = r
 		case "deny":
 			r := &RuleSet{}
-			for h.Next() {
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
-				for h.NextBlock(h.Nesting() - 1) {
 				if h.CountRemainingArgs() == 0 {
 					return nil, h.ArgErr() // TODO:
 				}
@@ -126,7 +123,6 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 					return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
 				}
 			}
-			}
 			if acmeServer.Policy == nil {
 				acmeServer.Policy = &Policy{}
 			}

modules/caddytls/acmeissuer.go

@@ -220,7 +220,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate(ctx caddy.Context) (certmagic.ACMEIssu
 	}
 
 	if len(iss.NetworkProxyRaw) != 0 {
-		proxyMod, err := ctx.LoadModule(iss, "ForwardProxyRaw")
+		proxyMod, err := ctx.LoadModule(iss, "NetworkProxyRaw")
 		if err != nil {
 			return template, fmt.Errorf("failed to load network_proxy module: %v", err)
 		}

modules/caddytls/automation.go

@@ -388,10 +388,8 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
 // isWildcardOrDefault determines if the subjects include any wildcard domains,
 // or is the "default" policy (i.e. no subjects) which is unbounded.
 func (ap *AutomationPolicy) isWildcardOrDefault() bool {
-	isWildcardOrDefault := false
+	isWildcardOrDefault := len(ap.subjects) == 0
-	if len(ap.subjects) == 0 {
+
-		isWildcardOrDefault = true
-	}
 	for _, sub := range ap.subjects {
 		if strings.HasPrefix(sub, "*") {
 			isWildcardOrDefault = true

modules/caddytls/certmanagers.go

@@ -144,9 +144,9 @@ func (hcg HTTPCertGetter) GetCertificate(ctx context.Context, hello *tls.ClientH
 	qs.Set("server_name", hello.ServerName)
 	qs.Set("signature_schemes", strings.Join(sigs, ","))
 	qs.Set("cipher_suites", strings.Join(suites, ","))
-	remoteIP, _, err := net.SplitHostPort(hello.Conn.RemoteAddr().String())
+	localIP, _, err := net.SplitHostPort(hello.Conn.LocalAddr().String())
-	if err == nil && remoteIP != "" {
+	if err == nil && localIP != "" {
-		qs.Set("remote_ip", remoteIP)
+		qs.Set("local_ip", localIP)
 	}
 	parsed.RawQuery = qs.Encode()
 

modules/caddytls/certselection.go

@@ -87,13 +87,7 @@ nextChoice:
 		}
 
 		if len(p.AnyTag) > 0 {
-			var found bool
+			found := slices.ContainsFunc(p.AnyTag, cert.HasTag)
-			for _, tag := range p.AnyTag {
-				if cert.HasTag(tag) {
-					found = true
-					break
-				}
-			}
 			if !found {
 				continue
 			}

modules/caddytls/connpolicy.go

@@ -25,6 +25,7 @@ import (
 	"io"
 	"os"
 	"reflect"
+	"slices"
 	"strings"
 
 	"github.com/mholt/acmez/v3"
@@ -369,13 +370,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 	}
 
 	// ensure ALPN includes the ACME TLS-ALPN protocol
-	var alpnFound bool
+	alpnFound := slices.Contains(p.ALPN, acmez.ACMETLS1Protocol)
-	for _, a := range p.ALPN {
-		if a == acmez.ACMETLS1Protocol {
-			alpnFound = true
-			break
-		}
-	}
 	if !alpnFound && (cfg.NextProtos == nil || len(cfg.NextProtos) > 0) {
 		cfg.NextProtos = append(cfg.NextProtos, acmez.ACMETLS1Protocol)
 	}
@@ -994,6 +989,48 @@ func (l *LeafCertClientAuth) Provision(ctx caddy.Context) error {
 	return nil
 }
 
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (l *LeafCertClientAuth) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.NextArg()
+
+	// accommodate the use of one-liners
+	if d.CountRemainingArgs() > 1 {
+		d.NextArg()
+		modName := d.Val()
+		mod, err := caddyfile.UnmarshalModule(d, "tls.leaf_cert_loader."+modName)
+		if err != nil {
+			return d.WrapErr(err)
+		}
+		vMod, ok := mod.(LeafCertificateLoader)
+		if !ok {
+			return fmt.Errorf("leaf module '%s' is not a leaf certificate loader", vMod)
+		}
+		l.LeafCertificateLoadersRaw = append(
+			l.LeafCertificateLoadersRaw,
+			caddyconfig.JSONModuleObject(vMod, "loader", modName, nil),
+		)
+		return nil
+	}
+
+	// accommodate the use of nested blocks
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		modName := d.Val()
+		mod, err := caddyfile.UnmarshalModule(d, "tls.leaf_cert_loader."+modName)
+		if err != nil {
+			return d.WrapErr(err)
+		}
+		vMod, ok := mod.(LeafCertificateLoader)
+		if !ok {
+			return fmt.Errorf("leaf module '%s' is not a leaf certificate loader", vMod)
+		}
+		l.LeafCertificateLoadersRaw = append(
+			l.LeafCertificateLoadersRaw,
+			caddyconfig.JSONModuleObject(vMod, "loader", modName, nil),
+		)
+	}
+	return nil
+}
+
 func (l LeafCertClientAuth) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
 	if len(rawCerts) == 0 {
 		return fmt.Errorf("no client certificate provided")
@@ -1004,11 +1041,9 @@ func (l LeafCertClientAuth) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x5
 		return fmt.Errorf("can't parse the given certificate: %s", err.Error())
 	}
 
-	for _, trustedLeafCert := range l.trustedLeafCerts {
+	if slices.ContainsFunc(l.trustedLeafCerts, remoteLeafCert.Equal) {
-		if remoteLeafCert.Equal(trustedLeafCert) {
 		return nil
 	}
-	}
 
 	return fmt.Errorf("client leaf certificate failed validation")
 }
@@ -1057,6 +1092,7 @@ var secretsLogPool = caddy.NewUsagePool()
 var (
 	_ caddyfile.Unmarshaler = (*ClientAuthentication)(nil)
 	_ caddyfile.Unmarshaler = (*ConnectionPolicy)(nil)
+	_ caddyfile.Unmarshaler = (*LeafCertClientAuth)(nil)
 )
 
 // ParseCaddyfileNestedMatcherSet parses the Caddyfile tokens for a nested

modules/caddytls/leaffileloader.go

@@ -21,6 +21,7 @@ import (
 	"os"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -32,6 +33,14 @@ type LeafFileLoader struct {
 	Files []string `json:"files,omitempty"`
 }
 
+// CaddyModule returns the Caddy module information.
+func (LeafFileLoader) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID:  "tls.leaf_cert_loader.file",
+		New: func() caddy.Module { return new(LeafFileLoader) },
+	}
+}
+
 // Provision implements caddy.Provisioner.
 func (fl *LeafFileLoader) Provision(ctx caddy.Context) error {
 	repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
@@ -44,12 +53,11 @@ func (fl *LeafFileLoader) Provision(ctx caddy.Context) error {
 	return nil
 }
 
-// CaddyModule returns the Caddy module information.
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
-func (LeafFileLoader) CaddyModule() caddy.ModuleInfo {
+func (fl *LeafFileLoader) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
-	return caddy.ModuleInfo{
+	d.NextArg()
-		ID:  "tls.leaf_cert_loader.file",
+	fl.Files = append(fl.Files, d.RemainingArgs()...)
-		New: func() caddy.Module { return new(LeafFileLoader) },
+	return nil
-	}
 }
 
 // LoadLeafCertificates returns the certificates to be loaded by fl.
@@ -96,4 +104,5 @@ func convertPEMFilesToDERBytes(filename string) ([]byte, error) {
 var (
 	_ LeafCertificateLoader = (*LeafFileLoader)(nil)
 	_ caddy.Provisioner     = (*LeafFileLoader)(nil)
+	_ caddyfile.Unmarshaler = (*LeafFileLoader)(nil)
 )

modules/caddytls/leaffolderloader.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -55,6 +56,13 @@ func (fl *LeafFolderLoader) Provision(ctx caddy.Context) error {
 	return nil
 }
 
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (fl *LeafFolderLoader) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.NextArg()
+	fl.Folders = append(fl.Folders, d.RemainingArgs()...)
+	return nil
+}
+
 // LoadLeafCertificates loads all the leaf certificates in the directories
 // listed in fl from all files ending with .pem.
 func (fl LeafFolderLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
@@ -94,4 +102,5 @@ func (fl LeafFolderLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
 var (
 	_ LeafCertificateLoader = (*LeafFolderLoader)(nil)
 	_ caddy.Provisioner     = (*LeafFolderLoader)(nil)
+	_ caddyfile.Unmarshaler = (*LeafFolderLoader)(nil)
 )

modules/caddytls/leafpemloader.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -52,6 +53,13 @@ func (LeafPEMLoader) CaddyModule() caddy.ModuleInfo {
 	}
 }
 
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (fl *LeafPEMLoader) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.NextArg()
+	fl.Certificates = append(fl.Certificates, d.RemainingArgs()...)
+	return nil
+}
+
 // LoadLeafCertificates returns the certificates contained in pl.
 func (pl LeafPEMLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
 	certs := make([]*x509.Certificate, 0, len(pl.Certificates))

modules/logging/filewriter_test.go

@@ -317,7 +317,7 @@ func TestFileModeToJSON(t *testing.T) {
 	}{
 		{
 			name:    "none zero",
-			mode:    0644,
+			mode:    0o644,
 			want:    `"0644"`,
 			wantErr: false,
 		},
@@ -358,7 +358,7 @@ func TestFileModeModification(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	fpath := path.Join(dir, "test.log")
-	f_tmp, err := os.OpenFile(fpath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, os.FileMode(0600))
+	f_tmp, err := os.OpenFile(fpath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, os.FileMode(0o600))
 	if err != nil {
 		t.Fatalf("failed to create test file: %v", err)
 	}

modules/logging/filters_test.go

@@ -3,9 +3,10 @@ package logging
 import (
 	"testing"
 
+	"go.uber.org/zap/zapcore"
+
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
-	"go.uber.org/zap/zapcore"
 )
 
 func TestIPMaskSingleValue(t *testing.T) {