caddytls: fix preferred chains options by appending values instead of replacing (#7387)

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

.github/ISSUE_TEMPLATE/ISSUE.yml

@@ -0,0 +1,31 @@
+name: Issue
+description: An actionable development item, like a bug report or feature request
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for opening an issue! This is for actionable development items like bug reports and feature requests.
+        If you have a question about using Caddy, please [post on our forums](https://caddy.community) instead.
+  - type: textarea
+    id: content
+    attributes:
+      label: Issue Details
+      placeholder: Describe the issue here. Be specific by providing complete logs and minimal instructions to reproduce, or a thoughtful proposal, etc.
+    validations:
+      required: true
+  - type: dropdown
+    id: assistance-disclosure
+    attributes:
+      label: Assistance Disclosure
+      description: "Our project allows assistance by AI/LLM tools as long as it is disclosed and described so we can better respond. Please certify whether you have used any such tooling related to this issue:"
+      options:
+        - 
+        - AI used
+        - AI not used
+    validations:
+      required: true
+  - type: input
+    id: assistance-description
+    attributes:
+      label: If AI was used, describe the extent to which it was used.
+      description: 'Examples: "ChatGPT translated from my native language" or "Claude proposed this change/feature"'

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Caddy forum
+    url: https://caddy.community
+    about: If you have questions (or answers!) about using Caddy, please use our forum

.github/SECURITY.md

@@ -48,9 +48,9 @@ We consider publicly-registered domain names to be public information. This nece
 
 It will speed things up if you suggest a working patch, such as a code diff, and explain why and how it works. Reports that are not actionable, do not contain enough information, are too pushy/demanding, or are not able to convince us that it is a viable and practical attack on the web server itself may be deferred to a later time or possibly ignored, depending on available resources. Priority will be given to credible, responsible reports that are constructive, specific, and actionable. (We get a lot of invalid reports.) Thank you for understanding.
 
-When you are ready, please email Matt Holt (the author) directly: matt at dyanim dot com.
+When you are ready, please submit a [new private vulnerability report](https://github.com/caddyserver/caddy/security/advisories/new).
 
-Please don't encrypt the email body. It only makes the process more complicated.
+Please don't encrypt the message. It only makes the process more complicated.
 
 Please also understand that due to our nature as an open source project, we do not have a budget to award security bounties. We can only thank you.
 

.github/dependabot.yml

@@ -3,5 +3,20 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
+    open-pull-requests-limit: 1
+    groups:
+      actions-deps:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"
+    
+  - package-ecosystem: "gomod"
+    directory: "/"
+    open-pull-requests-limit: 1
+    groups:
+      all-updates:
+        patterns:
+          - "*"
     schedule:
       interval: "monthly"

.github/pull_request_template.md

@@ -0,0 +1,29 @@
+
+
+
+## Assistance Disclosure
+<!--
+Thank you for contributing! Please note:
+
+The use of AI/LLM tools is allowed so long as it is disclosed, so
+that we can provide better code review and maintain project quality.
+
+If you used AI/LLM tooling in any way related to this PR, please
+let us know to what extent it was utilized.
+
+Examples:
+
+"No AI was used."
+"I wrote the code, but Claude generated the tests."
+"I consulted ChatGPT for a solution, but I authored/coded it myself."
+"Cody generated the code, and I verified it is correct."
+"Copilot provided tab completion for code and comments."
+
+We expect that you have vetted your contributions for correctness.
+Additionally, signing our CLA certifies that you have the rights to
+contribute this change.
+
+Replace the text below with your disclosure:
+-->
+
+_This PR is missing an assistance disclosure._

.github/workflows/ai.yml

@@ -0,0 +1,30 @@
+name: AI Moderator
+permissions: read-all
+on:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+jobs:
+  spam-detection:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      models: read
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: github/ai-moderator@6bcdb2a79c2e564db8d76d7d4439d91a044c4eb6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          spam-label: 'spam'
+          ai-label: 'ai-generated'
+          minimize-detected-comments: true
+          # Built-in prompt configuration (all enabled by default)
+          enable-spam-detection: true
+          enable-link-spam-detection: true
+          enable-ai-detection: true
+          # custom-prompt-path: '.github/prompts/my-custom.prompt.yml'  # Optional

.github/workflows/auto-release-pr.yml

@@ -0,0 +1,221 @@
+name: Release Proposal Approval Tracker
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    types: [labeled, unlabeled, synchronize, closed]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  check-approvals:
+    name: Track Maintainer Approvals
+    runs-on: ubuntu-latest
+    # Only run on PRs with release-proposal label
+    if: contains(github.event.pull_request.labels.*.name, 'release-proposal') && github.event.pull_request.state == 'open'
+    
+    steps:
+      - name: Check approvals and update PR
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          MAINTAINER_LOGINS: ${{ secrets.MAINTAINER_LOGINS }}
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            
+            // Extract version from PR title (e.g., "Release Proposal: v1.2.3")
+            const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
+            const commitMatch = pr.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
+            
+            if (!versionMatch || !commitMatch) {
+              console.log('Could not extract version from title or commit from body');
+              return;
+            }
+            
+            const version = versionMatch[1];
+            const targetCommit = commitMatch[1];
+            
+            console.log(`Version: ${version}, Target Commit: ${targetCommit}`);
+            
+            // Get all reviews
+            const reviews = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr.number
+            });
+            
+            // Get list of maintainers
+            const maintainerLoginsRaw = process.env.MAINTAINER_LOGINS || '';
+            const maintainerLogins = maintainerLoginsRaw
+              .split(/[,;]/)
+              .map(login => login.trim())
+              .filter(login => login.length > 0);
+            
+            console.log(`Maintainer logins: ${maintainerLogins.join(', ')}`);
+            
+            // Get the latest review from each user
+            const latestReviewsByUser = {};
+            reviews.data.forEach(review => {
+              const username = review.user.login;
+              if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
+                latestReviewsByUser[username] = review;
+              }
+            });
+            
+            // Count approvals from maintainers
+            const maintainerApprovals = Object.entries(latestReviewsByUser)
+              .filter(([username, review]) => 
+                maintainerLogins.includes(username) && 
+                review.state === 'APPROVED'
+              )
+              .map(([username, review]) => username);
+            
+            const approvalCount = maintainerApprovals.length;
+            console.log(`Found ${approvalCount} maintainer approvals from: ${maintainerApprovals.join(', ')}`);
+            
+            // Get current labels
+            const currentLabels = pr.labels.map(label => label.name);
+            const hasApprovedLabel = currentLabels.includes('approved');
+            const hasAwaitingApprovalLabel = currentLabels.includes('awaiting-approval');
+            
+            if (approvalCount >= 2 && !hasApprovedLabel) {
+              console.log('✅ Quorum reached! Updating PR...');
+              
+              // Remove awaiting-approval label if present
+              if (hasAwaitingApprovalLabel) {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pr.number,
+                  name: 'awaiting-approval'
+                }).catch(e => console.log('Label not found:', e.message));
+              }
+              
+              // Add approved label
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                labels: ['approved']
+              });
+              
+              // Add comment with tagging instructions
+              const approversList = maintainerApprovals.map(u => `@${u}`).join(', ');
+              const commentBody = [
+                '## ✅ Approval Quorum Reached',
+                '',
+                `This release proposal has been approved by ${approvalCount} maintainers: ${approversList}`,
+                '',
+                '### Tagging Instructions',
+                '',
+                'A maintainer should now create and push the signed tag:',
+                '',
+                '```bash',
+                `git checkout ${targetCommit}`,
+                `git tag -s ${version} -m "Release ${version}"`,
+                `git push origin ${version}`,
+                `git checkout -`,
+                '```',
+                '',
+                'The release workflow will automatically start when the tag is pushed.'
+              ].join('\n');
+              
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body: commentBody
+              });
+              
+              console.log('Posted tagging instructions');
+            } else if (approvalCount < 2 && hasApprovedLabel) {
+              console.log('⚠️  Approval count dropped below quorum, removing approved label');
+              
+              // Remove approved label
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                name: 'approved'
+              }).catch(e => console.log('Label not found:', e.message));
+              
+              // Add awaiting-approval label
+              if (!hasAwaitingApprovalLabel) {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pr.number,
+                  labels: ['awaiting-approval']
+                });
+              }
+            } else {
+              console.log(`⏳ Waiting for more approvals (${approvalCount}/2 required)`);
+            }
+
+  handle-pr-closed:
+    name: Handle PR Closed Without Tag
+    runs-on: ubuntu-latest
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'release-proposal') &&
+      github.event.action == 'closed' && !contains(github.event.pull_request.labels.*.name, 'released')
+    
+    steps:
+      - name: Add cancelled label and comment
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            
+            // Check if the release-in-progress label is present
+            const hasReleaseInProgress = pr.labels.some(label => label.name === 'release-in-progress');
+            
+            if (hasReleaseInProgress) {
+              // PR was closed while release was in progress - this is unusual
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body: '⚠️ **Warning:** This PR was closed while a release was in progress. This may indicate an error. Please verify the release status.'
+              });
+            } else {
+              // PR was closed before tag was created - this is normal cancellation
+              const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
+              const version = versionMatch ? versionMatch[1] : 'unknown';
+              
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body: `## 🚫 Release Proposal Cancelled\n\nThis release proposal for ${version} was closed without creating the tag.\n\nIf you want to proceed with this release later, you can create a new release proposal.`
+              });
+            }
+            
+            // Add cancelled label
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              labels: ['cancelled']
+            });
+            
+            // Remove other workflow labels if present
+            const labelsToRemove = ['awaiting-approval', 'approved', 'release-in-progress'];
+            for (const label of labelsToRemove) {
+              try {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pr.number,
+                  name: label
+                });
+              } catch (e) {
+                console.log(`Label ${label} not found or already removed`);
+              }
+            }
+            
+            console.log('Added cancelled label and cleaned up workflow labels');
+            

.github/workflows/ci.yml

@@ -13,9 +13,13 @@ on:
       - 2.*
 
 env:
+  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -27,13 +31,13 @@ jobs:
           - mac
           - windows
         go:
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
-          GO_SEMVER: '~1.24.1'
+        - go: '1.25'
+          GO_SEMVER: '~1.25.0'
 
         # Set some variables per OS, usable via ${{ matrix.VAR }}
         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@@ -55,13 +59,21 @@ jobs:
           SUCCESS: 'True'
 
     runs-on: ${{ matrix.OS_LABEL }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write # to allow uploading artifacts and cache
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
@@ -99,7 +111,7 @@ jobs:
       env:
         CGO_ENABLED: 0
       run: |
-        go build -tags nobadger,nomysql,nopgx -trimpath -ldflags="-w -s" -v
+        go build -trimpath -ldflags="-w -s" -v
 
     - name: Smoke test Caddy
       working-directory: ./cmd/caddy
@@ -108,7 +120,7 @@ jobs:
         ./caddy stop
 
     - name: Publish Build Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
         path: ${{ matrix.CADDY_BIN_PATH }}
@@ -122,7 +134,7 @@ jobs:
       # continue-on-error: true
       run: |
         # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -tags nobadger,nomysql,nopgx -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -v -coverprofile="cover-profile.out" -short -race ./...
         # echo "status=$?" >> $GITHUB_OUTPUT
 
     # Relevant step if we reinvestigate publishing test/coverage reports
@@ -142,12 +154,21 @@ jobs:
 
   s390x-test:
     name: test (s390x on IBM Z)
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+          allowed-endpoints: ci-s390x.caddyserver.com:22
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run Tests
         run: |
           set +e
@@ -170,7 +191,7 @@ jobs:
           retries=3
           exit_code=0
           while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger,nomysql,nopgx -v ./...
+            CGO_ENABLED=0 go test -p 1 -v ./...
             exit_code=$?
             if ((exit_code == 0)); then
               break
@@ -194,25 +215,33 @@ jobs:
 
   goreleaser-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
 
-      - uses: goreleaser/goreleaser-action@v6
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      
+      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: latest
           args: check
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version: "~1.24"
+          go-version: "~1.25"
           check-latest: true
       - name: Install xcaddy
         run: |
           go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
           xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: latest
           args: build --single-target --snapshot

.github/workflows/cross-build.yml

@@ -11,9 +11,14 @@ on:
       - 2.*
 
 env:
+  GOFLAGS: '-tags=nobadger,nomysql,nopgx'
+  CGO_ENABLED: '0'
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -31,22 +36,30 @@ jobs:
           - 'darwin'
           - 'netbsd'
         go:
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
-          GO_SEMVER: '~1.24.1'
+        - go: '1.25'
+          GO_SEMVER: '~1.25.0'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     continue-on-error: true
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ matrix.GO_SEMVER }}
           check-latest: true
@@ -63,11 +76,9 @@ jobs:
 
       - name: Run Build
         env:
-          CGO_ENABLED: 0
           GOOS: ${{ matrix.goos }}
           GOARCH: ${{ matrix.goos == 'aix' && 'ppc64' || 'amd64' }}
         shell: bash
         continue-on-error: true
         working-directory: ./cmd/caddy
-        run: |
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags=nobadger,nomysql,nopgx -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+        run: go build -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null

.github/workflows/lint.yml

@@ -44,14 +44,19 @@ jobs:
     runs-on: ${{ matrix.OS_LABEL }}
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          go-version: '~1.24'
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: '~1.25'
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
 
@@ -62,10 +67,39 @@ jobs:
           # only-new-issues: true
 
   govulncheck:
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
-      - name: govulncheck
-        uses: golang/govulncheck-action@v1
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          go-version-input: '~1.24.1'
+          egress-policy: audit
+
+      - name: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        with:
+          go-version-input: '~1.25.0'
           check-latest: true
+  
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        with:
+          comment-summary-in-pr: on-failure
+          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
+          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
+          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

.github/workflows/release-proposal.yml

@@ -0,0 +1,249 @@
+name: Release Proposal
+
+# This workflow creates a release proposal as a PR that requires approval from maintainers
+# Triggered manually by maintainers when ready to prepare a release
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to release (e.g., v2.8.0)'
+        required: true
+        type: string
+      commit_hash:
+        description: 'Commit hash to release from'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  create-proposal:
+    name: Create Release Proposal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Trim and validate inputs
+        id: inputs
+        run: |
+          # Trim whitespace from inputs
+          VERSION=$(echo "${{ inputs.version }}" | xargs)
+          COMMIT_HASH=$(echo "${{ inputs.commit_hash }}" | xargs)
+          
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
+          
+          # Validate version format
+          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
+            echo "Error: Version must follow semver format (e.g., v2.8.0 or v2.8.0-beta.1)"
+            exit 1
+          fi
+          
+          # Validate commit hash format
+          if [[ ! "$COMMIT_HASH" =~ ^[a-f0-9]{7,40}$ ]]; then
+            echo "Error: Commit hash must be a valid SHA (7-40 characters)"
+            exit 1
+          fi
+          
+          # Check if commit exists
+          if ! git cat-file -e "$COMMIT_HASH"; then
+            echo "Error: Commit $COMMIT_HASH does not exist"
+            exit 1
+          fi
+
+      - name: Check if tag already exists
+        run: |
+          if git rev-parse "${{ steps.inputs.outputs.version }}" >/dev/null 2>&1; then
+            echo "Error: Tag ${{ steps.inputs.outputs.version }} already exists"
+            exit 1
+          fi
+
+      - name: Check for existing proposal PR
+        id: check_existing
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const version = '${{ steps.inputs.outputs.version }}';
+            
+            // Search for existing open PRs with release-proposal label that match this version
+            const openPRs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              sort: 'updated',
+              direction: 'desc'
+            });
+            
+            const existingOpenPR = openPRs.data.find(pr => 
+              pr.title.includes(version) && 
+              pr.labels.some(label => label.name === 'release-proposal')
+            );
+            
+            if (existingOpenPR) {
+              const hasReleased = existingOpenPR.labels.some(label => label.name === 'released');
+              const hasReleaseInProgress = existingOpenPR.labels.some(label => label.name === 'release-in-progress');
+              
+              if (hasReleased || hasReleaseInProgress) {
+                core.setFailed(`A release for ${version} is already in progress or completed: ${existingOpenPR.html_url}`);
+              } else {
+                core.setFailed(`An open release proposal already exists for ${version}: ${existingOpenPR.html_url}\n\nPlease use the existing PR or close it first.`);
+              }
+              return;
+            }
+            
+            // Check for closed PRs with this version that were cancelled
+            const closedPRs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'closed',
+              sort: 'updated',
+              direction: 'desc'
+            });
+            
+            const cancelledPR = closedPRs.data.find(pr => 
+              pr.title.includes(version) && 
+              pr.labels.some(label => label.name === 'release-proposal') &&
+              pr.labels.some(label => label.name === 'cancelled')
+            );
+            
+            if (cancelledPR) {
+              console.log(`Found previously cancelled proposal for ${version}: ${cancelledPR.html_url}`);
+              console.log('Creating new proposal to replace cancelled one...');
+            } else {
+              console.log(`No existing proposal found for ${version}, proceeding...`);
+            }
+
+      - name: Generate changelog and create branch
+        id: setup
+        run: |
+          VERSION="${{ steps.inputs.outputs.version }}"
+          COMMIT_HASH="${{ steps.inputs.outputs.commit_hash }}"
+          
+          # Create a new branch for the release proposal
+          BRANCH_NAME="release_proposal-$VERSION"
+          git checkout -b "$BRANCH_NAME"
+          
+          # Calculate how many commits behind HEAD
+          COMMITS_BEHIND=$(git rev-list --count ${COMMIT_HASH}..HEAD)
+          
+          if [ "$COMMITS_BEHIND" -eq 0 ]; then
+            BEHIND_INFO="This is the latest commit (HEAD)"
+          else
+            BEHIND_INFO="This commit is **${COMMITS_BEHIND} commits behind HEAD**"
+          fi
+          
+          echo "commits_behind=$COMMITS_BEHIND" >> $GITHUB_OUTPUT
+          echo "behind_info=$BEHIND_INFO" >> $GITHUB_OUTPUT
+          
+          # Get the last tag
+          LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+          
+          if [ -z "$LAST_TAG" ]; then
+            echo "No previous tag found, generating full changelog"
+            COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "$COMMIT_HASH")
+          else
+            echo "Generating changelog since $LAST_TAG"
+            COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "${LAST_TAG}..$COMMIT_HASH")
+          fi
+          
+          # Store changelog for PR body
+          CLEANSED_COMMITS=$(echo "$COMMITS" | sed 's/`/\\`/g')
+          echo "changelog<<EOF" >> $GITHUB_OUTPUT
+          echo "$CLEANSED_COMMITS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          
+          # Create empty commit for the PR
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git commit --allow-empty -m "Release proposal for $VERSION"
+          
+          # Push the branch
+          git push origin "$BRANCH_NAME"
+          
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+
+      - name: Create release proposal PR
+        id: create_pr
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const changelog = `${{ steps.setup.outputs.changelog }}`;
+            
+            const pr = await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `Release Proposal: ${{ steps.inputs.outputs.version }}`,
+              head: '${{ steps.setup.outputs.branch_name }}',
+              base: 'master',
+              body: `## Release Proposal: ${{ steps.inputs.outputs.version }}
+            
+            **Target Commit:** \`${{ steps.inputs.outputs.commit_hash }}\`
+            **Requested by:** @${{ github.actor }}
+            **Commit Status:** ${{ steps.setup.outputs.behind_info }}
+            
+            This PR proposes creating release tag \`${{ steps.inputs.outputs.version }}\` at commit \`${{ steps.inputs.outputs.commit_hash }}\`.
+            
+            ### Approval Process
+            
+            This PR requires **approval from 2+ maintainers** before the tag can be created.
+            
+            ### What happens next?
+            
+            1. Maintainers review this proposal
+            2. When 2+ maintainer approvals are received, an automated workflow will post tagging instructions
+            3. A maintainer manually creates and pushes the signed tag
+            4. The release workflow is triggered automatically by the tag push
+            5. Upon release completion, this PR is closed and the branch is deleted
+            
+            ### Changes Since Last Release
+            
+            ${changelog}
+            
+            ### Release Checklist
+            
+            - [ ] All tests pass
+            - [ ] Security review completed
+            - [ ] Documentation updated
+            - [ ] Breaking changes documented
+            
+            ---
+            
+            **Note:** Tag creation is manual and requires a signed tag from a maintainer.`,
+              draft: true
+            });
+            
+            // Add labels
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.data.number,
+              labels: ['release-proposal', 'awaiting-approval']
+            });
+            
+            console.log(`Created PR: ${pr.data.html_url}`);
+            
+            return { number: pr.data.number, url: pr.data.html_url };
+          result-encoding: json
+
+      - name: Post summary
+        run: |
+          echo "## Release Proposal PR Created! 🚀" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Version: **${{ steps.inputs.outputs.version }}**" >> $GITHUB_STEP_SUMMARY
+          echo "Commit: **${{ steps.inputs.outputs.commit_hash }}**" >> $GITHUB_STEP_SUMMARY
+          echo "Status: ${{ steps.setup.outputs.behind_info }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "PR: ${{ fromJson(steps.create_pr.outputs.result).url }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yml

@@ -9,21 +9,338 @@ env:
   # https://github.com/actions/setup-go/issues/491
   GOTOOLCHAIN: local
 
+permissions:
+  contents: read
+
 jobs:
+  verify-tag:
+    name: Verify Tag Signature and Approvals
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    
+    outputs:
+      verification_passed: ${{ steps.verify.outputs.passed }}
+      tag_version: ${{ steps.info.outputs.version }}
+      proposal_issue_number: ${{ steps.find_proposal.outputs.result && fromJson(steps.find_proposal.outputs.result).number || '' }}
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      # Force fetch upstream tags -- because 65 minutes
+      # tl;dr: actions/checkout@v3 runs this line:
+      #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
+      # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
+      #   git fetch --prune --unshallow
+      # which doesn't overwrite that tag because that would be destructive.
+      # Credit to @francislavoie for the investigation.
+      # https://github.com/actions/checkout/issues/290#issuecomment-680260080
+      - name: Force fetch upstream tags
+        run: git fetch --tags --force
+
+      - name: Get tag info
+        id: info
+        run: |
+          echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+       # https://github.community/t5/GitHub-Actions/How-to-get-just-the-tag-name/m-p/32167/highlight/true#M1027
+      - name: Print Go version and environment
+        id: vars
+        run: |
+          printf "Using go at: $(which go)\n"
+          printf "Go version: $(go version)\n"
+          printf "\n\nGo environment:\n\n"
+          go env
+          printf "\n\nSystem environment:\n\n"
+          env
+          echo "version_tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+          echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+          # Add "pip install" CLI tools to PATH
+          echo ~/.local/bin >> $GITHUB_PATH
+
+          # Parse semver
+          TAG=${GITHUB_REF/refs\/tags\//}
+          SEMVER_RE='[^0-9]*\([0-9]*\)[.]\([0-9]*\)[.]\([0-9]*\)\([0-9A-Za-z\.-]*\)'
+          TAG_MAJOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\1#"`
+          TAG_MINOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\2#"`
+          TAG_PATCH=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\3#"`
+          TAG_SPECIAL=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\4#"`
+          echo "tag_major=${TAG_MAJOR}" >> $GITHUB_OUTPUT
+          echo "tag_minor=${TAG_MINOR}" >> $GITHUB_OUTPUT
+          echo "tag_patch=${TAG_PATCH}" >> $GITHUB_OUTPUT
+          echo "tag_special=${TAG_SPECIAL}" >> $GITHUB_OUTPUT
+
+      - name: Validate commits and tag signatures
+        id: verify
+        env:
+          signing_keys: ${{ secrets.SIGNING_KEYS }}
+        run: |
+          # Read the string into an array, splitting by IFS
+          IFS=";" read -ra keys_collection <<< "$signing_keys"
+          
+          # ref: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#example-usage-of-the-runner-context
+          touch "${{ runner.temp }}/allowed_signers"
+
+          # Iterate and print the split elements
+          for item in "${keys_collection[@]}"; do
+          
+            # trim leading whitespaces
+            item="${item##*( )}"
+
+            # trim trailing whitespaces
+            item="${item%%*( )}"
+            
+            IFS=" " read -ra key_components <<< "$item"
+            # git wants it in format: email address, type, public key
+            # ssh has it in format: type, public key, email address
+            echo "${key_components[2]} namespaces=\"git\" ${key_components[0]} ${key_components[1]}" >> "${{ runner.temp }}/allowed_signers"
+          done
+
+          git config set --global gpg.ssh.allowedSignersFile "${{ runner.temp }}/allowed_signers"
+
+          echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
+          
+          # Verify the tag is signed
+          if ! git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1; then
+            echo "❌ Tag verification failed!"
+            echo "passed=false" >> $GITHUB_OUTPUT
+            git push --delete origin "${{ steps.vars.outputs.version_tag }}"
+            exit 1
+          fi
+          # Run it again to capture the output
+          git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1 | tee /tmp/verify-output.txt;
+
+          # SSH verification output typically includes the key fingerprint
+          # Use GNU grep with Perl regex for cleaner extraction (Linux environment)
+          KEY_SHA256=$(grep -oP "SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
+          
+          if [ -z "$KEY_SHA256" ]; then
+            # Try alternative pattern with "key" prefix
+            KEY_SHA256=$(grep -oP "key SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
+          fi
+          
+          if [ -z "$KEY_SHA256" ]; then
+            # Fallback: extract any base64-like string (40+ chars)
+            KEY_SHA256=$(grep -oP '[A-Za-z0-9+/]{40,}=?' /tmp/verify-output.txt | head -1 || echo "")
+          fi
+          
+          if [ -z "$KEY_SHA256" ]; then
+            echo "Somehow could not extract SSH key fingerprint from git verify-tag output"
+            echo "Cancelling flow and deleting tag"
+            echo "passed=false" >> $GITHUB_OUTPUT
+            git push --delete origin "${{ steps.vars.outputs.version_tag }}"
+            exit 1
+          fi
+
+          echo "✅ Tag verification succeeded!"
+          echo "passed=true" >> $GITHUB_OUTPUT
+          echo "key_id=$KEY_SHA256" >> $GITHUB_OUTPUT
+
+      - name: Find related release proposal
+        id: find_proposal
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const version = '${{ steps.vars.outputs.version_tag }}';
+            
+            // Search for PRs with release-proposal label that match this version
+            const prs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open', // Changed to 'all' to find both open and closed PRs
+              sort: 'updated',
+              direction: 'desc'
+            });
+            
+            // Find the most recent PR for this version
+            const proposal = prs.data.find(pr => 
+              pr.title.includes(version) && 
+              pr.labels.some(label => label.name === 'release-proposal')
+            );
+            
+            if (!proposal) {
+              console.log(`⚠️  No release proposal PR found for ${version}`);
+              console.log('This might be a hotfix or emergency release');
+              return { number: null, approved: true, approvals: 0, proposedCommit: null };
+            }
+            
+            console.log(`Found proposal PR #${proposal.number} for version ${version}`);
+            
+            // Extract commit hash from PR body
+            const commitMatch = proposal.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
+            const proposedCommit = commitMatch ? commitMatch[1] : null;
+            
+            if (proposedCommit) {
+              console.log(`Proposal was for commit: ${proposedCommit}`);
+            } else {
+              console.log('⚠️  No target commit hash found in PR body');
+            }
+            
+            // Get PR reviews to extract approvers
+            let approvers = 'Validated by automation';
+            let approvalCount = 2; // Minimum required
+            
+            try {
+              const reviews = await github.rest.pulls.listReviews({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: proposal.number
+              });
+              
+              // Get latest review per user and filter for approvals
+              const latestReviewsByUser = {};
+              reviews.data.forEach(review => {
+                const username = review.user.login;
+                if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
+                  latestReviewsByUser[username] = review;
+                }
+              });
+              
+              const approvalReviews = Object.values(latestReviewsByUser).filter(review => 
+                review.state === 'APPROVED'
+              );
+              
+              if (approvalReviews.length > 0) {
+                approvers = approvalReviews.map(r => '@' + r.user.login).join(', ');
+                approvalCount = approvalReviews.length;
+                console.log(`Found ${approvalCount} approvals from: ${approvers}`);
+              }
+            } catch (error) {
+              console.log(`Could not fetch reviews: ${error.message}`);
+            }
+            
+            return {
+              number: proposal.number,
+              approved: true,
+              approvals: approvalCount,
+              approvers: approvers,
+              proposedCommit: proposedCommit
+            };
+          result-encoding: json
+
+      - name: Verify proposal commit
+        run: |
+          APPROVALS='${{ steps.find_proposal.outputs.result }}'
+          
+          # Parse JSON
+          PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit')
+          CURRENT_COMMIT="${{ steps.info.outputs.sha }}"
+          
+          echo "Proposed commit: $PROPOSED_COMMIT"
+          echo "Current commit: $CURRENT_COMMIT"
+          
+          # Check if commits match (if proposal had a target commit)
+          if [ "$PROPOSED_COMMIT" != "null" ] && [ -n "$PROPOSED_COMMIT" ]; then
+            # Normalize both commits to full SHA for comparison
+            PROPOSED_FULL=$(git rev-parse "$PROPOSED_COMMIT" 2>/dev/null || echo "")
+            CURRENT_FULL=$(git rev-parse "$CURRENT_COMMIT" 2>/dev/null || echo "")
+            
+            if [ -z "$PROPOSED_FULL" ]; then
+              echo "⚠️  Could not resolve proposed commit: $PROPOSED_COMMIT"
+            elif [ "$PROPOSED_FULL" != "$CURRENT_FULL" ]; then
+              echo "❌ Commit mismatch!"
+              echo "The tag points to commit $CURRENT_FULL but the proposal was for $PROPOSED_FULL"
+              echo "This indicates an error in tag creation."
+              # Delete the tag remotely
+              git push --delete origin "${{ steps.vars.outputs.version_tag }}"
+              echo "Tag ${{steps.vars.outputs.version_tag}} has been deleted"
+              exit 1
+            else
+              echo "✅ Commit hash matches proposal"
+            fi
+          else
+            echo "⚠️  No target commit found in proposal (might be legacy release)"
+          fi
+          
+          echo "✅ Tag verification completed"
+
+      - name: Update release proposal PR
+        if: fromJson(steps.find_proposal.outputs.result).number != null
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const result = ${{ steps.find_proposal.outputs.result }};
+            
+            if (result.number) {
+              // Add in-progress label
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: result.number,
+                labels: ['release-in-progress']
+              });
+              
+              // Remove approved label if present
+              try {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: result.number,
+                  name: 'approved'
+                });
+              } catch (e) {
+                console.log('Approved label not found:', e.message);
+              }
+              
+              const commentBody = [
+                '## 🚀 Release Workflow Started',
+                '',
+                '- **Tag:** ${{ steps.info.outputs.version }}',
+                '- **Signed by key:** ${{ steps.verify.outputs.key_id }}',
+                '- **Commit:** ${{ steps.info.outputs.sha }}',
+                '- **Approved by:** ' + result.approvers,
+                '',
+                'Release workflow is now running. This PR will be updated when the release is published.'
+              ].join('\n');
+              
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: result.number,
+                body: commentBody
+              });
+            }
+
+      - name: Summary
+        run: |
+          APPROVALS='${{ steps.find_proposal.outputs.result }}'
+          PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit // "N/A"')
+          APPROVERS=$(echo "$APPROVALS" | jq -r '.approvers // "N/A"')
+          
+          echo "## Tag Verification Summary 🔐" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Tag:** ${{ steps.info.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Commit:** ${{ steps.info.outputs.sha }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Proposed Commit:** $PROPOSED_COMMIT" >> $GITHUB_STEP_SUMMARY
+          echo "- **Signature:** ✅ Verified" >> $GITHUB_STEP_SUMMARY
+          echo "- **Signed by:** ${{ steps.verify.outputs.key_id }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Approvals:** ✅ Sufficient" >> $GITHUB_STEP_SUMMARY
+          echo "- **Approved by:** $APPROVERS" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Proceeding with release build..." >> $GITHUB_STEP_SUMMARY
+      
   release:
     name: Release
+    needs: verify-tag
+    if: ${{ needs.verify-tag.outputs.verification_passed == 'true' }}
     strategy:
       matrix:
         os: 
           - ubuntu-latest
         go: 
-          - '1.24'
+          - '1.25'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.24'
-          GO_SEMVER: '~1.24.1'
+        - go: '1.25'
+          GO_SEMVER: '~1.25.0'
 
     runs-on: ${{ matrix.os }}
     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -33,21 +350,28 @@ jobs:
       # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
       # "Releases" is part of `contents`, so it needs the `write`
       contents: write
+      issues: write
+      pull-requests: write
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ matrix.GO_SEMVER }}
         check-latest: true
 
     # Force fetch upstream tags -- because 65 minutes
-    # tl;dr: actions/checkout@v4 runs this line:
+    # tl;dr: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2 runs this line:
     #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
     # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
     #   git fetch --prune --unshallow
@@ -90,22 +414,12 @@ jobs:
     - name: Install Cloudsmith CLI
       run: pip install --upgrade cloudsmith-cli
 
-    - name: Validate commits and tag signatures
-      run: |
-        
-        # Import Matt Holt's key
-        curl 'https://github.com/mholt.gpg' | gpg --import
-
-        echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
-        # tags are only accepted if signed by Matt's key
-        git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
-
     - name: Install Cosign
-      uses: sigstore/cosign-installer@main
+      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
     - name: Cosign version
       run: cosign version
     - name: Install Syft
-      uses: anchore/sbom-action/download-syft@main
+      uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # main
     - name: Syft version
       run: syft version
     - name: Install xcaddy
@@ -114,7 +428,7 @@ jobs:
         xcaddy version
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       with:
         version: latest
         args: release --clean --timeout 60m
@@ -180,3 +494,72 @@ jobs:
           echo "Pushing $filename to 'testing'"
           cloudsmith push deb caddy/testing/any-distro/any-version $filename
         done
+
+    - name: Update release proposal PR
+      if: needs.verify-tag.outputs.proposal_issue_number != ''
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      with:
+        script: |
+          const prNumber = parseInt('${{ needs.verify-tag.outputs.proposal_issue_number }}');
+          
+          if (prNumber) {
+            // Get PR details to find the branch
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber
+            });
+            
+            const branchName = pr.data.head.ref;
+            
+            // Remove in-progress label
+            try {
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                name: 'release-in-progress'
+              });
+            } catch (e) {
+              console.log('Label not found:', e.message);
+            }
+            
+            // Add released label
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              labels: ['released']
+            });
+            
+            // Add final comment
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body: '## ✅ Release Published\n\nThe release has been successfully published and is now available.'
+            });
+            
+            // Close the PR if it's still open
+            if (pr.data.state === 'open') {
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: prNumber,
+                state: 'closed'
+              });
+              console.log(`Closed PR #${prNumber}`);
+            }
+            
+            // Delete the branch
+            try {
+              await github.rest.git.deleteRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: `heads/${branchName}`
+              });
+              console.log(`Deleted branch: ${branchName}`);
+            } catch (e) {
+              console.log(`Could not delete branch ${branchName}: ${e.message}`);
+            }
+          }

.github/workflows/release_published.yml

@@ -5,6 +5,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release Published
@@ -13,12 +16,20 @@ jobs:
         os: 
           - ubuntu-latest
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: write
     steps:
 
     # See https://github.com/peter-evans/repository-dispatch
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
     - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/dist
@@ -26,7 +37,7 @@ jobs:
         client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
 
     - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
       with:
         token: ${{ secrets.REPO_DISPATCH_TOKEN }}
         repository: caddyserver/caddy-docker

.github/workflows/scorecard.yml

@@ -0,0 +1,86 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OpenSSF Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 2 * * 5'
+  push:
+    branches: [ "master", "2.*" ]
+  pull_request:
+    branches: [ "master", "2.*" ]
+
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+        with:
+          sarif_file: results.sarif

.golangci.yml

@@ -1,27 +1,19 @@
-linters-settings:
-  errcheck:
-    exclude-functions:
-      - fmt.*
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
-      - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
-    # Skip generated files.
-    # Default: true
-    skip-generated: true
-    # Enable custom order of sections.
-    # If `true`, make the section order the same as the order of `sections`.
-    # Default: false
-    custom-order: true
-  exhaustive:
-    ignore-enum-types: reflect.Kind|svc.Cmd
-
+version: "2"
+run:
+  issues-exit-code: 1
+  tests: false
+  build-tags:
+    - nobadger
+    - nomysql
+    - nopgx
+output:
+  formats:
+    text:
+      path: stdout
+      print-linter-name: true
+      print-issued-lines: true
 linters:
-  disable-all: true
+  default: none
   enable:
     - asasalint
     - asciicheck
@@ -35,148 +27,96 @@ linters:
     - errcheck
     - errname
     - exhaustive
-    - gci
-    - gofmt
-    - goimports
-    - gofumpt
     - gosec
-    - gosimple
     - govet
-    - ineffassign
     - importas
+    - ineffassign
     - misspell
     - prealloc
     - promlinter
     - sloglint
     - sqlclosecheck
     - staticcheck
-    - tenv
     - testableexamples
     - testifylint
     - tparallel
-    - typecheck
     - unconvert
     - unused
     - wastedassign
     - whitespace
     - zerologlint
-  # these are implicitly disabled:
-  # - containedctx
-  # - contextcheck
-  # - cyclop
-  # - depguard
-  # - errchkjson
-  # - errorlint
-  # - exhaustruct
-  # - execinquery
-  # - exhaustruct
-  # - forbidigo
-  # - forcetypeassert
-  # - funlen
-  # - ginkgolinter
-  # - gocheckcompilerdirectives
-  # - gochecknoglobals
-  # - gochecknoinits
-  # - gochecksumtype
-  # - gocognit
-  # - goconst
-  # - gocritic
-  # - gocyclo
-  # - godot
-  # - godox
-  # - goerr113
-  # - goheader
-  # - gomnd
-  # - gomoddirectives
-  # - gomodguard
-  # - goprintffuncname
-  # - gosmopolitan
-  # - grouper
-  # - inamedparam
-  # - interfacebloat
-  # - ireturn
-  # - lll
-  # - loggercheck
-  # - maintidx
-  # - makezero
-  # - mirror
-  # - musttag
-  # - nakedret
-  # - nestif
-  # - nilerr
-  # - nilnil
-  # - nlreturn
-  # - noctx
-  # - nolintlint
-  # - nonamedreturns
-  # - nosprintfhostport
-  # - paralleltest
-  # - perfsprint
-  # - predeclared
-  # - protogetter
-  # - reassign
-  # - revive
-  # - rowserrcheck
-  # - stylecheck
-  # - tagalign
-  # - tagliatelle
-  # - testpackage
-  # - thelper
-  # - unparam
-  # - usestdlibvars
-  # - varnamelen
-  # - wrapcheck
-  # - wsl
-
-run:
-  # default concurrency is a available CPU number.
-  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-  timeout: 5m
-  issues-exit-code: 1
-  tests: false
-
-# output configuration options
-output:
-  formats:
-    - format: 'colored-line-number'
-  print-issued-lines: true
-  print-linter-name: true
-
-issues:
-  exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022",  "-QF1006", "-QF1008"] # default, and exclude 1 more undesired check
+    errcheck:
+      exclude-functions:
+        - fmt.*
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
+        - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+    exhaustive:
+      ignore-enum-types: reflect.Kind|svc.Cmd
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
           - gosec
-    # we aren't calling unknown URL
-    - text: 'G107' # G107: Url provided to HTTP request as taint input
-      linters:
+        text: G115 # TODO: Either we should fix the issues or nuke the linter if it's bad
+      - linters:
           - gosec
-    # as a web server that's expected to handle any template, this is totally in the hands of the user.
-    - text: 'G203' # G203: Use of unescaped data in HTML templates
-      linters:
+        text: G107 # we aren't calling unknown URL
+      - linters:
           - gosec
-    # we're shelling out to known commands, not relying on user-defined input.
-    - text: 'G204' # G204: Audit use of command execution
-      linters:
+        text: G203 # as a web server that's expected to handle any template, this is totally in the hands of the user.
+      - linters:
+          - gosec
+        text: G204 # we're shelling out to known commands, not relying on user-defined input.
+      - linters:
           - gosec
         # the choice of weakrand is deliberate, hence the named import "weakrand"
-    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
-      text: 'G404' # G404: Insecure random number source (rand)
-      linters:
+        path: modules/caddyhttp/reverseproxy/selectionpolicies.go
+        text: G404
+      - linters:
           - gosec
-    - path: modules/caddyhttp/reverseproxy/streaming.go
-      text: 'G404' # G404: Insecure random number source (rand)
-      linters:
-        - gosec
-    - path: modules/logging/filters.go
-      linters:
+        path: modules/caddyhttp/reverseproxy/streaming.go
+        text: G404
+      - linters:
           - dupl
-    - path: modules/caddyhttp/matchers.go
-      linters:
+        path: modules/logging/filters.go
+      - linters:
           - dupl
-    - path: modules/caddyhttp/vars.go
-      linters:
+        path: modules/caddyhttp/matchers.go
+      - linters:
           - dupl
-    - path: _test\.go
-      linters:
+        path: modules/caddyhttp/vars.go
+      - linters:
           - errcheck
+        path: _test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
+        - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.52.2
+  hooks:
+  - id: golangci-lint-config-verify
+  - id: golangci-lint
+  - id: golangci-lint-fmt
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

README.md

@@ -14,6 +14,7 @@
 <p align="center">Caddy is an extensible server platform that uses TLS by default.</p>
 <p align="center">
 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
+	<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
 	<br>
 	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
@@ -88,7 +89,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 
 Requirements:
 
-- [Go 1.24.0 or newer](https://golang.org/dl/)
+- [Go 1.25.0 or newer](https://golang.org/dl/)
 
 ### For development
 

admin.go

@@ -424,6 +424,13 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 
 	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
 		return err
@@ -545,6 +552,13 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 	// because we are using TLS authentication instead
 	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
 
+	// run the provisioners for loaded modules to make sure local
+	// state is properly re-initialized in the new admin server
+	err = cfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return err
+	}
+
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
 	clientCertPool := x509.NewCertPool()
@@ -932,7 +946,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {
 	return false
 }
 
-// etagHasher returns a the hasher we used on the config to both
+// etagHasher returns the hasher we used on the config to both
 // produce and verify ETags.
 func etagHasher() hash.Hash { return xxhash.New() }
 
@@ -1015,6 +1029,13 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 
+		// If this request changed the config, clear the last
+		// config info we have stored, if it is different from
+		// the original source.
+		ClearLastConfigIfDifferent(
+			r.Header.Get("Caddy-Config-Source-File"),
+			r.Header.Get("Caddy-Config-Source-Adapter"))
+
 	default:
 		return APIError{
 			HTTPStatus: http.StatusMethodNotAllowed,

admin_test.go

@@ -19,6 +19,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -148,11 +149,9 @@ func TestLoadConcurrent(t *testing.T) {
 	var wg sync.WaitGroup
 
 	for i := 0; i < 100; i++ {
-		wg.Add(1)
-		go func() {
+		wg.Go(func() {
 			_ = Load(testCfg, true)
-			wg.Done()
-		}()
+		})
 	}
 	wg.Wait()
 }
@@ -206,7 +205,7 @@ func TestETags(t *testing.T) {
 }
 
 func BenchmarkLoad(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for b.Loop() {
 		Load(testCfg, true)
 	}
 }
@@ -335,9 +334,7 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
 
 func testGetMetricValue(labels map[string]string) float64 {
 	promLabels := prometheus.Labels{}
-	for k, v := range labels {
-		promLabels[k] = v
-	}
+	maps.Copy(promLabels, labels)
 
 	metric, err := adminMetrics.requestErrors.GetMetricWith(promLabels)
 	if err != nil {
@@ -377,9 +374,7 @@ func (m *mockModule) CaddyModule() ModuleInfo {
 
 func TestNewAdminHandlerRouterRegistration(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
-		originalModules[k] = v
-	}
+	maps.Copy(originalModules, modules)
 	defer func() {
 		modules = originalModules
 	}()
@@ -479,9 +474,7 @@ func TestAdminRouterProvisioning(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			originalModules := make(map[string]ModuleInfo)
-			for k, v := range modules {
-				originalModules[k] = v
-			}
+			maps.Copy(originalModules, modules)
 			defer func() {
 				modules = originalModules
 			}()
@@ -774,9 +767,7 @@ func (m *mockIssuerModule) CaddyModule() ModuleInfo {
 
 func TestManageIdentity(t *testing.T) {
 	originalModules := make(map[string]ModuleInfo)
-	for k, v := range modules {
-		originalModules[k] = v
-	}
+	maps.Copy(originalModules, modules)
 	defer func() {
 		modules = originalModules
 	}()

caddy.go

@@ -82,6 +82,9 @@ type Config struct {
 	AppsRaw ModuleMap `json:"apps,omitempty" caddy:"namespace="`
 
 	apps map[string]App
+
+	// failedApps is a map of apps that failed to provision with their underlying error.
+	failedApps   map[string]error
 	storage      certmagic.Storage
 	eventEmitter eventEmitter
 
@@ -408,11 +411,23 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return ctx, nil
 	}
 
+	defer func() {
+		// if newCfg fails to start completely, clean up the already provisioned modules
+		// partially copied from provisionContext
+		if err != nil {
+			globalMetrics.configSuccess.Set(0)
+			ctx.cfg.cancelFunc()
+
+			if currentCtx.cfg != nil {
+				certmagic.Default.Storage = currentCtx.cfg.storage
+			}
+		}
+	}()
+
 	// Provision any admin routers which may need to access
 	// some of the other apps at runtime
 	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 
@@ -438,7 +453,6 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return nil
 	}()
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 	globalMetrics.configSuccess.Set(1)
@@ -449,7 +463,8 @@ func run(newCfg *Config, start bool) (Context, error) {
 
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
-	return ctx, finishSettingUp(ctx, ctx.cfg)
+	err = finishSettingUp(ctx, ctx.cfg)
+	return ctx, err
 }
 
 // provisionContext creates a new context from the given configuration and provisions
@@ -505,19 +520,12 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
-	// start the admin endpoint (and stop any prior one)
-	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
-		if err != nil {
-			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
-		}
-	}
-
 	// create the new filesystem map
 	newCfg.fileSystems = &filesystems.FileSystemMap{}
 
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
+	newCfg.failedApps = make(map[string]error)
 
 	// set up global storage and make it CertMagic's default storage, too
 	err = func() error {
@@ -544,6 +552,14 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		return ctx, err
 	}
 
+	// start the admin endpoint (and stop any prior one)
+	if replaceAdminServer {
+		err = replaceLocalAdminServer(newCfg, ctx)
+		if err != nil {
+			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
+		}
+	}
+
 	// Load and Provision each app and their submodules
 	err = func() error {
 		for appName := range newCfg.AppsRaw {
@@ -959,11 +975,11 @@ func Version() (simple, full string) {
 		if CustomVersion != "" {
 			full = CustomVersion
 			simple = CustomVersion
-			return
+			return simple, full
 		}
 		full = "unknown"
 		simple = "unknown"
-		return
+		return simple, full
 	}
 	// find the Caddy module in the dependency list
 	for _, dep := range bi.Deps {
@@ -1043,7 +1059,7 @@ func Version() (simple, full string) {
 		}
 	}
 
-	return
+	return simple, full
 }
 
 // Event represents something that has happened or is happening.
@@ -1104,9 +1120,15 @@ func (e Event) Origin() Module       { return e.origin } // Returns the module t
 // CloudEvents spec.
 func (e Event) CloudEvent() CloudEvent {
 	dataJSON, _ := json.Marshal(e.Data)
+	var source string
+	if e.Origin() == nil {
+		source = "caddy"
+	} else {
+		source = string(e.Origin().CaddyModule().ID)
+	}
 	return CloudEvent{
 		ID:              e.id.String(),
-		Source:          e.origin.CaddyModule().String(),
+		Source:          source,
 		SpecVersion:     "1.0",
 		Type:            e.name,
 		Time:            e.ts,
@@ -1175,6 +1197,91 @@ var (
 	rawCfgMu sync.RWMutex
 )
 
+// lastConfigFile and lastConfigAdapter remember the source config
+// file and adapter used when Caddy was started via the CLI "run" command.
+// These are consulted by the SIGUSR1 handler to attempt reloading from
+// the same source. They are intentionally not set for other entrypoints
+// such as "caddy start" or subcommands like file-server.
+var (
+	lastConfigMu      sync.RWMutex
+	lastConfigFile    string
+	lastConfigAdapter string
+)
+
+// reloadFromSourceFunc is the type of stored callback
+// which is called when we receive a SIGUSR1 signal.
+type reloadFromSourceFunc func(file, adapter string) error
+
+// reloadFromSourceCallback is the stored callback
+// which is called when we receive a SIGUSR1 signal.
+var reloadFromSourceCallback reloadFromSourceFunc
+
+// errReloadFromSourceUnavailable is returned when no reload-from-source callback is set.
+var errReloadFromSourceUnavailable = errors.New("reload from source unavailable in this process") //nolint:unused
+
+// SetLastConfig records the given source file and adapter as the
+// last-known external configuration source. Intended to be called
+// only when starting via "caddy run --config <file> --adapter <adapter>".
+func SetLastConfig(file, adapter string, fn reloadFromSourceFunc) {
+	lastConfigMu.Lock()
+	lastConfigFile = file
+	lastConfigAdapter = adapter
+	reloadFromSourceCallback = fn
+	lastConfigMu.Unlock()
+}
+
+// ClearLastConfigIfDifferent clears the recorded last-config if the provided
+// source file/adapter do not match the recorded last-config. If both srcFile
+// and srcAdapter are empty, the last-config is cleared.
+func ClearLastConfigIfDifferent(srcFile, srcAdapter string) {
+	if (srcFile != "" || srcAdapter != "") && lastConfigMatches(srcFile, srcAdapter) {
+		return
+	}
+	SetLastConfig("", "", nil)
+}
+
+// getLastConfig returns the last-known config file and adapter.
+func getLastConfig() (file, adapter string, fn reloadFromSourceFunc) {
+	lastConfigMu.RLock()
+	f, a, cb := lastConfigFile, lastConfigAdapter, reloadFromSourceCallback
+	lastConfigMu.RUnlock()
+	return f, a, cb
+}
+
+// lastConfigMatches returns true if the provided source file and/or adapter
+// matches the recorded last-config. Matching rules (in priority order):
+//  1. If srcAdapter is provided and differs from the recorded adapter, no match.
+//  2. If srcFile exactly equals the recorded file, match.
+//  3. If both sides can be made absolute and equal, match.
+//  4. If basenames are equal, match.
+func lastConfigMatches(srcFile, srcAdapter string) bool {
+	lf, la, _ := getLastConfig()
+
+	// If adapter is provided, it must match.
+	if srcAdapter != "" && srcAdapter != la {
+		return false
+	}
+
+	// Quick equality check.
+	if srcFile == lf {
+		return true
+	}
+
+	// Try absolute path comparison.
+	sAbs, sErr := filepath.Abs(srcFile)
+	lAbs, lErr := filepath.Abs(lf)
+	if sErr == nil && lErr == nil && sAbs == lAbs {
+		return true
+	}
+
+	// Final fallback: basename equality.
+	if filepath.Base(srcFile) == filepath.Base(lf) {
+		return true
+	}
+
+	return false
+}
+
 // errSameConfig is returned if the new config is the same
 // as the old one. This isn't usually an actual, actionable
 // error; it's mostly a sentinel value.

caddy_test.go

@@ -15,6 +15,7 @@
 package caddy
 
 import (
+	"context"
 	"testing"
 	"time"
 )
@@ -72,3 +73,21 @@ func TestParseDuration(t *testing.T) {
 		}
 	}
 }
+
+func TestEvent_CloudEvent_NilOrigin(t *testing.T) {
+	ctx, _ := NewContext(Context{Context: context.Background()}) // module will be nil by default
+	event, err := NewEvent(ctx, "started", nil)
+	if err != nil {
+		t.Fatalf("NewEvent() error = %v", err)
+	}
+
+	// This should not panic
+	ce := event.CloudEvent()
+
+	if ce.Source != "caddy" {
+		t.Errorf("Expected CloudEvent Source to be 'caddy', got '%s'", ce.Source)
+	}
+	if ce.Type != "started" {
+		t.Errorf("Expected CloudEvent Type to be 'started', got '%s'", ce.Type)
+	}
+}

caddyconfig/caddyfile/adapter.go

@@ -68,7 +68,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 // TODO: also perform this check on imported files
 func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bool) {
 	// replace windows-style newlines to normalize comparison
-	normalizedBody := bytes.Replace(body, []byte("\r\n"), []byte("\n"), -1)
+	normalizedBody := bytes.ReplaceAll(body, []byte("\r\n"), []byte("\n"))
 
 	formatted := Format(normalizedBody)
 	if bytes.Equal(formatted, normalizedBody) {

caddyconfig/caddyfile/dispenser.go

@@ -308,9 +308,9 @@ func (d *Dispenser) CountRemainingArgs() int {
 }
 
 // RemainingArgs loads any more arguments (tokens on the same line)
-// into a slice and returns them. Open curly brace tokens also indicate
-// the end of arguments, and the curly brace is not included in
-// the return value nor is it loaded.
+// into a slice of strings and returns them. Open curly brace tokens
+// also indicate the end of arguments, and the curly brace is not
+// included in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgs() []string {
 	var args []string
 	for d.NextArg() {
@@ -320,9 +320,9 @@ func (d *Dispenser) RemainingArgs() []string {
 }
 
 // RemainingArgsRaw loads any more arguments (tokens on the same line,
-// retaining quotes) into a slice and returns them. Open curly brace
-// tokens also indicate the end of arguments, and the curly brace is
-// not included in the return value nor is it loaded.
+// retaining quotes) into a slice of strings and returns them.
+// Open curly brace tokens also indicate the end of arguments,
+// and the curly brace is not included in the return value nor is it loaded.
 func (d *Dispenser) RemainingArgsRaw() []string {
 	var args []string
 	for d.NextArg() {
@@ -331,6 +331,18 @@ func (d *Dispenser) RemainingArgsRaw() []string {
 	return args
 }
 
+// RemainingArgsAsTokens loads any more arguments (tokens on the same line)
+// into a slice of Token-structs and returns them. Open curly brace tokens
+// also indicate the end of arguments, and the curly brace is not included
+// in the return value nor is it loaded.
+func (d *Dispenser) RemainingArgsAsTokens() []Token {
+	var args []Token
+	for d.NextArg() {
+		args = append(args, d.Token())
+	}
+	return args
+}
+
 // NewFromNextSegment returns a new dispenser with a copy of
 // the tokens from the current token until the end of the
 // "directive" whether that be to the end of the line or

caddyconfig/caddyfile/dispenser_test.go

@@ -274,6 +274,66 @@ func TestDispenser_RemainingArgs(t *testing.T) {
 	}
 }
 
+func TestDispenser_RemainingArgsAsTokens(t *testing.T) {
+	input := `dir1 arg1 arg2 arg3
+			  dir2 arg4 arg5
+			  dir3 arg6 { arg7
+			  dir4`
+	d := NewTestDispenser(input)
+
+	d.Next() // dir1
+
+	args := d.RemainingArgsAsTokens()
+
+	tokenTexts := make([]string, 0, len(args))
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg1", "arg2", "arg3"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // dir2
+
+	args = d.RemainingArgsAsTokens()
+
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg4", "arg5"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // dir3
+
+	args = d.RemainingArgsAsTokens()
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if expected := []string{"arg6"}; !reflect.DeepEqual(tokenTexts, expected) {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", expected, tokenTexts)
+	}
+
+	d.Next() // {
+	d.Next() // arg7
+	d.Next() // dir4
+
+	args = d.RemainingArgsAsTokens()
+	tokenTexts = tokenTexts[:0]
+	for _, arg := range args {
+		tokenTexts = append(tokenTexts, arg.Text)
+	}
+
+	if len(args) != 0 {
+		t.Errorf("RemainingArgsAsTokens(): Expected %v, got %v", []string{}, tokenTexts)
+	}
+}
+
 func TestDispenser_ArgErr_Err(t *testing.T) {
 	input := `dir1 {
 			  }

caddyconfig/caddyfile/formatter.go

@@ -53,7 +53,7 @@ func Format(input []byte) []byte {
 		newLines int // count of newlines consumed
 
 		comment bool   // whether we're in a comment
-		quoted  bool // whether we're in a quoted segment
+		quotes  string // encountered quotes ('', '`', '"', '"`', '`"')
 		escaped bool   // whether current char is escaped
 
 		heredoc              heredocState // whether we're in a heredoc
@@ -62,7 +62,6 @@ func Format(input []byte) []byte {
 		heredocClosingMarker []rune
 
 		nesting int // indentation level
-		withinBackquote bool
 	)
 
 	write := func(ch rune) {
@@ -89,12 +88,8 @@ func Format(input []byte) []byte {
 			}
 			panic(err)
 		}
-		if ch == '`' {
-			withinBackquote = !withinBackquote
-		}
-
 		// detect whether we have the start of a heredoc
-		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
+		if quotes == "" && (heredoc == heredocClosed && !heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening
@@ -180,16 +175,38 @@ func Format(input []byte) []byte {
 			continue
 		}
 
-		if quoted {
+		if ch == '`' {
+			switch quotes {
+			case "\"`":
+				quotes = "\""
+			case "`":
+				quotes = ""
+			case "\"":
+				quotes = "\"`"
+			default:
+				quotes = "`"
+			}
+		}
+
+		if quotes == "\"" {
 			if ch == '"' {
-				quoted = false
+				quotes = ""
 			}
 			write(ch)
 			continue
 		}
 
-		if space && ch == '"' {
-			quoted = true
+		if ch == '"' {
+			switch quotes {
+			case "":
+				if space {
+					quotes = "\""
+				}
+			case "`\"":
+				quotes = "`"
+			case "\"`":
+				quotes = ""
+			}
 		}
 
 		if unicode.IsSpace(ch) {
@@ -224,7 +241,7 @@ func Format(input []byte) []byte {
 			openBrace = false
 			if beginningOfLine {
 				indent()
-			} else if !openBraceSpace {
+			} else if !openBraceSpace || !unicode.IsSpace(last) {
 				write(' ')
 			}
 			write('{')
@@ -241,11 +258,11 @@ func Format(input []byte) []byte {
 		case ch == '{':
 			openBrace = true
 			openBraceSpace = spacePrior && !beginningOfLine
-			if openBraceSpace {
+			if openBraceSpace && newLines == 0 {
 				write(' ')
 			}
 			openBraceWritten = false
-			if withinBackquote {
+			if quotes == "`" {
 				write('{')
 				openBraceWritten = true
 				continue
@@ -253,7 +270,7 @@ func Format(input []byte) []byte {
 			continue
 
 		case ch == '}' && (spacePrior || !openBrace):
-			if withinBackquote {
+			if quotes == "`" {
 				write('}')
 				continue
 			}

caddyconfig/caddyfile/formatter_test.go

@@ -444,6 +444,26 @@ block2 {
 			input:       "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 			expect:      "block {respond \"All braces should remain: {{now | date `2006`}}\"}",
 		},
+		{
+			description: "Preserve quoted backticks and backticked quotes",
+			input:       "block { respond \"`\" } block { respond `\"`}",
+			expect:      "block {\n\trespond \"`\"\n}\n\nblock {\n\trespond `\"`\n}",
+		},
+		{
+			description: "No trailing space on line before env variable",
+			input: `{
+	a
+
+	{$ENV_VAR}
+}
+`,
+			expect: `{
+	a
+
+	{$ENV_VAR}
+}
+`,
+		},
 	} {
 		// the formatter should output a trailing newline,
 		// even if the tests aren't written to expect that

caddyconfig/caddyfile/lexer.go

@@ -137,7 +137,7 @@ func (l *lexer) next() (bool, error) {
 		}
 
 		// detect whether we have the start of a heredoc
-		if !(quoted || btQuoted) && !(inHeredoc || heredocEscaped) &&
+		if (!quoted && !btQuoted) && (!inHeredoc && !heredocEscaped) &&
 			len(val) > 1 && string(val[:2]) == "<<" {
 			// a space means it's just a regular token and not a heredoc
 			if ch == ' ' {
@@ -323,7 +323,8 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 
 		// if the padding doesn't match exactly at the start then we can't safely strip
 		if index != 0 {
-			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, lineText, paddingToStrip)
+			cleanLineText := strings.TrimRight(lineText, "\r\n")
+			return nil, fmt.Errorf("mismatched leading whitespace in heredoc <<%s on line #%d [%s], expected whitespace [%s] to match the closing marker", marker, l.line+lineNum+1, cleanLineText, paddingToStrip)
 		}
 
 		// strip, then append the line, with the newline, to the output.

caddyconfig/caddyfile/parse.go

@@ -379,28 +379,23 @@ func (p *parser) doImport(nesting int) error {
 	if len(blockTokens) > 0 {
 		// use such tokens to create a new dispenser, and then use it to parse each block
 		bd := NewDispenser(blockTokens)
+
+		// one iteration processes one sub-block inside the import
 		for bd.Next() {
-			// see if we can grab a key
-			var currentMappingKey string
-			if bd.Val() == "{" {
+			currentMappingKey := bd.Val()
+
+			if currentMappingKey == "{" {
 				return p.Err("anonymous blocks are not supported")
 			}
-			currentMappingKey = bd.Val()
-			currentMappingTokens := []Token{}
-			// read all args until end of line / {
-			if bd.NextArg() {
-				currentMappingTokens = append(currentMappingTokens, bd.Token())
-				for bd.NextArg() {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-				// TODO(elee1766): we don't enter another mapping here because it's annoying to extract the { and } properly.
-				// maybe someone can do that in the future
-			} else {
-				// attempt to enter a block and add tokens to the currentMappingTokens
+
+			// load up all arguments (if there even are any)
+			currentMappingTokens := bd.RemainingArgsAsTokens()
+
+			// load up the entire block
 			for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
 				currentMappingTokens = append(currentMappingTokens, bd.Token())
 			}
-			}
+
 			blockMapping[currentMappingKey] = currentMappingTokens
 		}
 	}
@@ -538,29 +533,24 @@ func (p *parser) doImport(nesting int) error {
 		}
 		// if it is {block}, we substitute with all tokens in the block
 		// if it is {blocks.*}, we substitute with the tokens in the mapping for the *
-		var skip bool
 		var tokensToAdd []Token
+		foundBlockDirective := false
 		switch {
 		case token.Text == "{block}":
+			foundBlockDirective = true
 			tokensToAdd = blockTokens
 		case strings.HasPrefix(token.Text, "{blocks.") && strings.HasSuffix(token.Text, "}"):
+			foundBlockDirective = true
 			// {blocks.foo.bar} will be extracted to key `foo.bar`
 			blockKey := strings.TrimPrefix(strings.TrimSuffix(token.Text, "}"), "{blocks.")
 			val, ok := blockMapping[blockKey]
 			if ok {
 				tokensToAdd = val
 			}
-		default:
-			skip = true
 		}
-		if !skip {
-			if len(tokensToAdd) == 0 {
-				// if there is no content in the snippet block, don't do any replacement
-				// this allows snippets which contained {block}/{block.*} before this change to continue functioning as normal
-				tokensCopy = append(tokensCopy, token)
-			} else {
+
+		if foundBlockDirective {
 			tokensCopy = append(tokensCopy, tokensToAdd...)
-			}
 			continue
 		}
 

caddyconfig/caddyfile/parse_test.go

@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
@@ -884,6 +885,51 @@ func TestRejectsGlobalMatcher(t *testing.T) {
 	}
 }
 
+func TestRejectAnonymousImportBlock(t *testing.T) {
+	p := testParser(`
+		(site) {
+			http://{args[0]} https://{args[0]} {
+				{block}
+			}
+		}
+
+		import site test.domain {
+			{ 
+				header_up Host {host}
+				header_up X-Real-IP {remote_host}
+			}
+		}
+	`)
+	_, err := p.parseAll()
+	if err == nil {
+		t.Fatal("Expected an error, but got nil")
+	}
+	expected := "anonymous blocks are not supported"
+	if !strings.HasPrefix(err.Error(), "anonymous blocks are not supported") {
+		t.Errorf("Expected error to start with '%s' but got '%v'", expected, err)
+	}
+}
+
+func TestAcceptSiteImportWithBraces(t *testing.T) {
+	p := testParser(`
+		(site) {
+			http://{args[0]} https://{args[0]} {
+				{block}
+			}
+		}
+
+		import site test.domain {
+			reverse_proxy http://192.168.1.1:8080 { 
+				header_up Host {host}
+			}
+		}
+	`)
+	_, err := p.parseAll()
+	if err != nil {
+		t.Errorf("Expected error to be nil but got '%v'", err)
+	}
+}
+
 func testParser(input string) parser {
 	return parser{Dispenser: NewTestDispenser(input)}
 }

caddyconfig/httpcaddyfile/builtins.go

@@ -15,6 +15,7 @@
 package httpcaddyfile
 
 import (
+	"encoding/json"
 	"fmt"
 	"html"
 	"net/http"
@@ -129,6 +130,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var reusePrivateKeys bool
 	var forceAutomate bool
 
+	// Track which DNS challenge options are set
+	var dnsOptionsSet []string
+
 	firstLine := h.RemainingArgs()
 	switch len(firstLine) {
 	case 0:
@@ -349,6 +353,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "resolvers")
 			acmeIssuer.Challenges.DNS.Resolvers = args
 
 		case "propagation_delay":
@@ -370,6 +375,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "propagation_delay")
 			acmeIssuer.Challenges.DNS.PropagationDelay = caddy.Duration(delay)
 
 		case "propagation_timeout":
@@ -397,6 +403,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "propagation_timeout")
 			acmeIssuer.Challenges.DNS.PropagationTimeout = caddy.Duration(timeout)
 
 		case "dns_ttl":
@@ -418,6 +425,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "dns_ttl")
 			acmeIssuer.Challenges.DNS.TTL = caddy.Duration(ttl)
 
 		case "dns_challenge_override_domain":
@@ -434,6 +442,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if acmeIssuer.Challenges.DNS == nil {
 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 			}
+			dnsOptionsSet = append(dnsOptionsSet, "dns_challenge_override_domain")
 			acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
 
 		case "ca_root":
@@ -469,6 +478,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		}
 	}
 
+	// Validate DNS challenge config: any DNS challenge option except "dns" requires a DNS provider
+	if acmeIssuer != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
+		dnsCfg := acmeIssuer.Challenges.DNS
+		providerSet := dnsCfg.ProviderRaw != nil || h.Option("dns") != nil || h.Option("acme_dns") != nil
+		if len(dnsOptionsSet) > 0 && !providerSet {
+			return nil, h.Errf(
+				"setting DNS challenge options [%s] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option)",
+				strings.Join(dnsOptionsSet, ", "),
+			)
+		}
+	}
+
 	// a naked tls directive is not allowed
 	if len(firstLine) == 0 && !hasBlock {
 		return nil, h.ArgErr()
@@ -843,13 +864,18 @@ func parseHandleErrors(h Helper) ([]ConfigValue, error) {
 		return nil, h.Errf("segment was not parsed as a subroute")
 	}
 
+	// wrap the subroutes
+	wrappingRoute := caddyhttp.Route{
+		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
+	}
+	subroute = &caddyhttp.Subroute{
+		Routes: []caddyhttp.Route{wrappingRoute},
+	}
 	if expression != "" {
 		statusMatcher := caddy.ModuleMap{
 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 		}
-		for i := range subroute.Routes {
-			subroute.Routes[i].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
-		}
+		subroute.Routes[0].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
 	}
 	return []ConfigValue{
 		{
@@ -1160,6 +1186,11 @@ func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	if h.NextArg() {
 		return nil, h.ArgErr()
 	}
+
+	if h.NextBlock(0) {
+		return nil, h.Err("log_skip directive does not accept blocks")
+	}
+
 	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
 }
 

caddyconfig/httpcaddyfile/directives.go

@@ -16,6 +16,7 @@ package httpcaddyfile
 
 import (
 	"encoding/json"
+	"maps"
 	"net"
 	"slices"
 	"sort"
@@ -173,10 +174,12 @@ func RegisterDirectiveOrder(dir string, position Positional, standardDir string)
 		if d != standardDir {
 			continue
 		}
-		if position == Before {
+		switch position {
+		case Before:
 			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		} else if position == After {
+		case After:
 			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
+		case First, Last:
 		}
 		break
 	}
@@ -365,9 +368,7 @@ func parseSegmentAsConfig(h Helper) ([]ConfigValue, error) {
 		// copy existing matcher definitions so we can augment
 		// new ones that are defined only in this scope
 		matcherDefs := make(map[string]caddy.ModuleMap, len(h.matcherDefs))
-		for key, val := range h.matcherDefs {
-			matcherDefs[key] = val
-		}
+		maps.Copy(matcherDefs, h.matcherDefs)
 
 		// find and extract any embedded matcher definitions in this scope
 		for i := 0; i < len(segments); i++ {
@@ -483,12 +484,29 @@ func sortRoutes(routes []ConfigValue) {
 			// we can only confidently compare path lengths if both
 			// directives have a single path to match (issue #5037)
 			if iPathLen > 0 && jPathLen > 0 {
+				// trim the trailing wildcard if there is one
+				iPathTrimmed := strings.TrimSuffix(iPM[0], "*")
+				jPathTrimmed := strings.TrimSuffix(jPM[0], "*")
+
 				// if both paths are the same except for a trailing wildcard,
 				// sort by the shorter path first (which is more specific)
-				if strings.TrimSuffix(iPM[0], "*") == strings.TrimSuffix(jPM[0], "*") {
+				if iPathTrimmed == jPathTrimmed {
 					return iPathLen < jPathLen
 				}
 
+				// we use the trimmed length to compare the paths
+				// https://github.com/caddyserver/caddy/issues/7012#issuecomment-2870142195
+				// credit to https://github.com/Hellio404
+				// for sorts with many items, mixing matchers w/ and w/o wildcards will confuse the sort and result in incorrect orders
+				iPathLen = len(iPathTrimmed)
+				jPathLen = len(jPathTrimmed)
+
+				// if both paths have the same length, sort lexically
+				// https://github.com/caddyserver/caddy/pull/7015#issuecomment-2871993588
+				if iPathLen == jPathLen {
+					return iPathTrimmed < jPathTrimmed
+				}
+
 				// sort most-specific (longest) path first
 				return iPathLen > jPathLen
 			}

caddyconfig/httpcaddyfile/httptype.go

@@ -851,6 +851,20 @@ func (st *ServerType) serversFromPairings(
 				srv.ListenerWrappersRaw = append(srv.ListenerWrappersRaw, jsonListenerWrapper)
 			}
 
+			// Look for any config values that provide packet conn wrappers on the server block
+			for _, listenerConfig := range sblock.pile["packet_conn_wrapper"] {
+				packetConnWrapper, ok := listenerConfig.Value.(caddy.PacketConnWrapper)
+				if !ok {
+					return nil, fmt.Errorf("config for a packet conn wrapper did not provide a value that implements caddy.PacketConnWrapper")
+				}
+				jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
+					packetConnWrapper,
+					"wrapper",
+					packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
+					warnings)
+				srv.PacketConnWrappersRaw = append(srv.PacketConnWrappersRaw, jsonPacketConnWrapper)
+			}
+
 			// set up each handler directive, making sure to honor directive order
 			dirRoutes := sblock.pile["route"]
 			siteSubroute, err := buildSubroute(dirRoutes, groupCounter, true)

caddyconfig/httpcaddyfile/options.go

@@ -458,8 +458,6 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
 		case "disable_certs":
 		case "ignore_loaded_certs":
 		case "prefer_wildcard":
-			break
-
 		default:
 			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
 		}
@@ -557,8 +555,14 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
 
 func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
+	optName := d.Val()
 
-	if !d.Next() { // get DNS module name
+	// get DNS module name
+	if !d.Next() {
+		// this is allowed if this is the "acme_dns" option since it may refer to the globally-configured "dns" option's value
+		if optName == "acme_dns" {
+			return nil, nil
+		}
 		return nil, d.ArgErr()
 	}
 	modID := "dns.providers." + d.Val()

caddyconfig/httpcaddyfile/pkiapp.go

@@ -15,6 +15,8 @@
 package httpcaddyfile
 
 import (
+	"slices"
+
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -178,6 +180,15 @@ func (st ServerType) buildPKIApp(
 	if _, ok := options["skip_install_trust"]; ok {
 		skipInstallTrust = true
 	}
+
+	// check if auto_https is off - in that case we should not create
+	// any PKI infrastructure even with skip_install_trust directive
+	autoHTTPS := []string{}
+	if ah, ok := options["auto_https"].([]string); ok {
+		autoHTTPS = ah
+	}
+	autoHTTPSOff := slices.Contains(autoHTTPS, "off")
+
 	falseBool := false
 
 	// Load the PKI app configured via global options
@@ -218,7 +229,8 @@ func (st ServerType) buildPKIApp(
 	// if there was no CAs defined in any of the servers,
 	// and we were requested to not install trust, then
 	// add one for the default/local CA to do so
-	if len(pkiApp.CAs) == 0 && skipInstallTrust {
+	// only if auto_https is not completely disabled
+	if len(pkiApp.CAs) == 0 && skipInstallTrust && !autoHTTPSOff {
 		ca := new(caddypki.CA)
 		ca.ID = caddypki.DefaultCAID
 		ca.InstallTrust = &falseBool

caddyconfig/httpcaddyfile/serveroptions.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
+	"strconv"
 
 	"github.com/dustin/go-humanize"
 
@@ -37,17 +38,21 @@ type serverOptions struct {
 	// These will all map 1:1 to the caddyhttp.Server struct
 	Name                  string
 	ListenerWrappersRaw   []json.RawMessage
+	PacketConnWrappersRaw []json.RawMessage
 	ReadTimeout           caddy.Duration
 	ReadHeaderTimeout     caddy.Duration
 	WriteTimeout          caddy.Duration
 	IdleTimeout           caddy.Duration
 	KeepAliveInterval     caddy.Duration
+	KeepAliveIdle         caddy.Duration
+	KeepAliveCount        int
 	MaxHeaderBytes        int
 	EnableFullDuplex      bool
 	Protocols             []string
 	StrictSNIHost         *bool
 	TrustedProxiesRaw     json.RawMessage
 	TrustedProxiesStrict  int
+	TrustedProxiesUnix    bool
 	ClientIPHeaders       []string
 	ShouldLogCredentials  bool
 	Metrics               *caddyhttp.Metrics
@@ -95,6 +100,26 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
 			}
 
+		case "packet_conn_wrappers":
+			for nesting := d.Nesting(); d.NextBlock(nesting); {
+				modID := "caddy.packetconns." + d.Val()
+				unm, err := caddyfile.UnmarshalModule(d, modID)
+				if err != nil {
+					return nil, err
+				}
+				packetConnWrapper, ok := unm.(caddy.PacketConnWrapper)
+				if !ok {
+					return nil, fmt.Errorf("module %s (%T) is not a packet conn wrapper", modID, unm)
+				}
+				jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
+					packetConnWrapper,
+					"wrapper",
+					packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
+					nil,
+				)
+				serverOpts.PacketConnWrappersRaw = append(serverOpts.PacketConnWrappersRaw, jsonPacketConnWrapper)
+			}
+
 		case "timeouts":
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				switch d.Val() {
@@ -142,6 +167,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 					return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
 				}
 			}
+
 		case "keepalive_interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
@@ -152,6 +178,26 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.KeepAliveInterval = caddy.Duration(dur)
 
+		case "keepalive_idle":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			dur, err := caddy.ParseDuration(d.Val())
+			if err != nil {
+				return nil, d.Errf("parsing keepalive idle duration: %v", err)
+			}
+			serverOpts.KeepAliveIdle = caddy.Duration(dur)
+
+		case "keepalive_count":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			cnt, err := strconv.ParseInt(d.Val(), 10, 32)
+			if err != nil {
+				return nil, d.Errf("parsing keepalive count int: %v", err)
+			}
+			serverOpts.KeepAliveCount = int(cnt)
+
 		case "max_header_size":
 			var sizeStr string
 			if !d.AllArgs(&sizeStr) {
@@ -227,6 +273,12 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 			serverOpts.TrustedProxiesStrict = 1
 
+		case "trusted_proxies_unix":
+			if d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			serverOpts.TrustedProxiesUnix = true
+
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
@@ -304,11 +356,14 @@ func applyServerOptions(
 
 		// set all the options
 		server.ListenerWrappersRaw = opts.ListenerWrappersRaw
+		server.PacketConnWrappersRaw = opts.PacketConnWrappersRaw
 		server.ReadTimeout = opts.ReadTimeout
 		server.ReadHeaderTimeout = opts.ReadHeaderTimeout
 		server.WriteTimeout = opts.WriteTimeout
 		server.IdleTimeout = opts.IdleTimeout
 		server.KeepAliveInterval = opts.KeepAliveInterval
+		server.KeepAliveIdle = opts.KeepAliveIdle
+		server.KeepAliveCount = opts.KeepAliveCount
 		server.MaxHeaderBytes = opts.MaxHeaderBytes
 		server.EnableFullDuplex = opts.EnableFullDuplex
 		server.Protocols = opts.Protocols
@@ -316,6 +371,7 @@ func applyServerOptions(
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
 		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
+		server.TrustedProxiesUnix = opts.TrustedProxiesUnix
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {

caddyconfig/httpcaddyfile/shorthands.go

@@ -64,10 +64,13 @@ func placeholderShorthands() []string {
 		"{orig_?query}", "{http.request.orig_uri.prefixed_query}",
 		"{method}", "{http.request.method}",
 		"{uri}", "{http.request.uri}",
+		"{%uri}", "{http.request.uri_escaped}",
 		"{path}", "{http.request.uri.path}",
+		"{%path}", "{http.request.uri.path_escaped}",
 		"{dir}", "{http.request.uri.path.dir}",
 		"{file}", "{http.request.uri.path.file}",
 		"{query}", "{http.request.uri.query}",
+		"{%query}", "{http.request.uri.query_escaped}",
 		"{?query}", "{http.request.uri.prefixed_query}",
 		"{remote}", "{http.request.remote}",
 		"{remote_host}", "{http.request.remote.host}",

caddyconfig/httpcaddyfile/tlsapp.go

@@ -464,10 +464,10 @@ func (st ServerType) buildTLSApp(
 		globalEmail := options["email"]
 		globalACMECA := options["acme_ca"]
 		globalACMECARoot := options["acme_ca_root"]
-		globalACMEDNS := options["acme_dns"]
+		_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 		globalACMEEAB := options["acme_eab"]
 		globalPreferredChains := options["preferred_chains"]
-		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS != nil || globalACMEEAB != nil || globalPreferredChains != nil
+		hasGlobalACMEDefaults := globalEmail != nil || globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
 		if hasGlobalACMEDefaults {
 			for i := range tlsApp.Automation.Policies {
 				ap := tlsApp.Automation.Policies[i]
@@ -549,11 +549,12 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalEmail := options["email"]
 	globalACMECA := options["acme_ca"]
 	globalACMECARoot := options["acme_ca_root"]
-	globalACMEDNS := options["acme_dns"]
+	globalACMEDNS, globalACMEDNSok := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
 	globalCertLifetime := options["cert_lifetime"]
 	globalHTTPPort, globalHTTPSPort := options["http_port"], options["https_port"]
+	globalDefaultBind := options["default_bind"]
 
 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@@ -564,11 +565,21 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
-	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
-		acmeIssuer.Challenges = &caddytls.ChallengesConfig{
-			DNS: &caddytls.DNSChallengeConfig{
-				ProviderRaw: caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil),
-			},
+	if globalACMEDNSok && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil || acmeIssuer.Challenges.DNS.ProviderRaw == nil) {
+		globalDNS := options["dns"]
+		if globalDNS == nil && globalACMEDNS == nil {
+			return fmt.Errorf("acme_dns specified without DNS provider config, but no provider specified with 'dns' global option")
+		}
+		if acmeIssuer.Challenges == nil {
+			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+		}
+		if acmeIssuer.Challenges.DNS == nil {
+			acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+		}
+		// If global `dns` is set, do NOT set provider in issuer, just set empty dns config
+		if globalDNS == nil && acmeIssuer.Challenges.DNS.ProviderRaw == nil {
+			// Set a global DNS provider if `acme_dns` is set and `dns` is NOT set
+			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
 		}
 	}
 	if globalACMEEAB != nil && acmeIssuer.ExternalAccount == nil {
@@ -596,6 +607,20 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		}
 		acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
 	}
+	// If BindHost is still unset, fall back to the first default_bind address if set
+	// This avoids binding the automation policy to the wildcard socket, which is unexpected behavior when a more selective socket is specified via default_bind
+	// In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
+	// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
+	if acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "") {
+		if defBinds, ok := globalDefaultBind.([]ConfigValue); ok && len(defBinds) > 0 {
+			if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
+				if acmeIssuer.Challenges == nil {
+					acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+				}
+				acmeIssuer.Challenges.BindHost = abp.addresses[0]
+			}
+		}
+	}
 	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
 		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 	}
@@ -616,12 +641,18 @@ func newBaseAutomationPolicy(
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
 	ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
-
 	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
 
+	globalACMECA := options["acme_ca"]
+	globalACMECARoot := options["acme_ca_root"]
+	_, globalACMEDNS := options["acme_dns"] // can be set to nil (to use globally-defined "dns" value instead), but it is still set
+	globalACMEEAB := options["acme_eab"]
+	globalPreferredChains := options["preferred_chains"]
+	hasGlobalACMEDefaults := globalACMECA != nil || globalACMECARoot != nil || globalACMEDNS || globalACMEEAB != nil || globalPreferredChains != nil
+
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
-	if !hasGlobalAutomationOpts {
+	if !hasGlobalAutomationOpts && !hasGlobalACMEDefaults {
 		if always {
 			return new(caddytls.AutomationPolicy), nil
 		}
@@ -643,6 +674,14 @@ func newBaseAutomationPolicy(
 		ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)}
 	}
 
+	if hasGlobalACMEDefaults {
+		for i := range ap.Issuers {
+			if err := fillInGlobalACMEDefaults(ap.Issuers[i], options); err != nil {
+				return nil, fmt.Errorf("filling in global issuer defaults for issuer %d: %v", i, err)
+			}
+		}
+	}
+
 	if hasOCSPStapling {
 		ocspConfig := ocspStapling.(certmagic.OCSPConfig)
 		ap.DisableOCSPStapling = ocspConfig.DisableStapling

caddyconfig/load.go

@@ -121,6 +121,13 @@ func (adminLoad) handleLoad(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	// If this request changed the config, clear the last
+	// config info we have stored, if it is different from
+	// the original source.
+	caddy.ClearLastConfigIfDifferent(
+		r.Header.Get("Caddy-Config-Source-File"),
+		r.Header.Get("Caddy-Config-Source-Adapter"))
+
 	caddy.Log().Named("admin.api").Info("load complete")
 
 	return nil

caddytest/caddytest.go

@@ -281,7 +281,7 @@ func validateTestPrerequisites(tc *Tester) error {
 		tc.t.Cleanup(func() {
 			os.Remove(f.Name())
 		})
-		if _, err := f.WriteString(fmt.Sprintf(initConfig, tc.config.AdminPort)); err != nil {
+		if _, err := fmt.Fprintf(f, initConfig, tc.config.AdminPort); err != nil {
 			return err
 		}
 

caddytest/integration/acme_test.go

@@ -12,13 +12,14 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 const acmeChallengePort = 9081

caddytest/integration/acmeserver_test.go

@@ -9,11 +9,12 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v3"
 	"github.com/mholt/acmez/v3/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 func TestACMEServerDirectory(t *testing.T) {

caddytest/integration/caddyfile_adapt/acme_dns_configured.caddyfiletest

@@ -0,0 +1,69 @@
+{
+	acme_dns mock foo
+}
+
+example.com {
+	respond "Hello World"
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "Hello World",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "foo",
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_dns_naked_use_dns_defaults.caddyfiletest

@@ -0,0 +1,53 @@
+{
+	dns mock
+	acme_dns
+}
+
+example.com {
+
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			},
+			"dns": {
+				"name": "mock"
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_dns_naked_without_dns.caddyfiletest

@@ -0,0 +1,9 @@
+{
+	acme_dns
+}
+
+example.com {
+	respond "Hello World"
+}
+----------
+acme_dns specified without DNS provider config, but no provider specified with 'dns' global option

caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest

@@ -0,0 +1,72 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest

@@ -0,0 +1,80 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														},
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest

@@ -0,0 +1,71 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/ambiguous_site_definition.caddyfiletest

@@ -0,0 +1,12 @@
+example.com
+handle {
+	respond "one"
+}
+
+example.com
+handle {
+	respond "two"
+}
+----------
+Caddyfile:6: unrecognized directive: example.com
+Did you mean to define a second site? If so, you must use curly braces around each site to separate their configurations.

caddytest/integration/caddyfile_adapt/ambiguous_site_definition_duplicate_key.caddyfiletest

@@ -0,0 +1,9 @@
+:8080 {
+	respond "one"
+}
+
+:8080 {
+	respond "two"
+}
+----------
+ambiguous site definition: :8080

caddytest/integration/caddyfile_adapt/directive_as_site_address.caddyfiletest

@@ -0,0 +1,5 @@
+handle
+
+respond "should not work"
+----------
+Caddyfile:1: parsed 'handle' as a site address, but it is a known directive; directives must appear in a site block

caddytest/integration/caddyfile_adapt/duplicate_listener_address_global.caddyfiletest

@@ -0,0 +1,12 @@
+{
+	servers {
+		srv0 {
+			listen :8080
+		}
+		srv1 {
+			listen :8080
+		}
+	}
+}
+----------
+parsing caddyfile tokens for 'servers': unrecognized servers option 'srv0', at Caddyfile:3

caddytest/integration/caddyfile_adapt/error_example.caddyfiletest

@@ -101,6 +101,11 @@ example.com {
 										]
 									}
 								],
+								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
 												"handle": [
 													{
 														"handler": "subroute",
@@ -126,6 +131,10 @@ example.com {
 															}
 														]
 													}
+												]
+											}
+										]
+									}
 								],
 								"terminal": true
 							}

caddytest/integration/caddyfile_adapt/error_multi_site_blocks.caddyfiletest

@@ -159,6 +159,11 @@ bar.localhost {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -168,6 +173,10 @@ bar.localhost {
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -175,12 +184,21 @@ bar.localhost {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599]",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -202,6 +220,11 @@ bar.localhost {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -211,6 +234,10 @@ bar.localhost {
 																		"body": "404 or 410 error from second site",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -218,12 +245,21 @@ bar.localhost {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error In range [500 .. 599] from second site",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_range_codes.caddyfiletest

@@ -90,6 +90,11 @@ localhost:3010 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -99,6 +104,10 @@ localhost:3010 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_range_simple_codes.caddyfiletest

@@ -110,6 +110,11 @@ localhost:2099 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -119,6 +124,10 @@ localhost:2099 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -126,12 +135,21 @@ localhost:2099 {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
 																		"body": "Error code is equal to 500 or in the [300..399] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_simple_codes.caddyfiletest

@@ -90,6 +90,11 @@ localhost:3010 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -99,6 +104,10 @@ localhost:3010 {
 																		"body": "404 or 410 error",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{

caddytest/integration/caddyfile_adapt/error_sort.caddyfiletest

@@ -110,6 +110,11 @@ localhost:2099 {
 									}
 								],
 								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
 													{
 														"handler": "subroute",
 														"routes": [
@@ -119,6 +124,10 @@ localhost:2099 {
 																		"body": "Error in the [400 .. 499] range",
 																		"handler": "static_response"
 																	}
+																]
+															}
+														]
+													}
 												],
 												"match": [
 													{
@@ -126,6 +135,11 @@ localhost:2099 {
 													}
 												]
 											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
 															{
 																"handle": [
 																	{
@@ -136,6 +150,10 @@ localhost:2099 {
 															}
 														]
 													}
+												]
+											}
+										]
+									}
 								],
 								"terminal": true
 							}

caddytest/integration/caddyfile_adapt/error_subhandlers.caddyfiletest

@@ -0,0 +1,260 @@
+{
+	http_port 2099
+}
+localhost:2099 {
+	root * /var/www/
+	file_server
+
+	handle_errors 404 {
+		handle /en/* {
+			respond "not found" 404
+		}
+		handle /es/* {
+			respond "no encontrado"
+		}
+		handle {
+			respond "default not found"
+		}
+	}
+	handle_errors {
+		handle /en/* {
+			respond "English error"
+		}
+		handle /es/* {
+			respond "Spanish error"
+		}
+		handle {
+			respond "Default error"
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"http_port": 2099,
+			"servers": {
+				"srv0": {
+					"listen": [
+						":2099"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "vars",
+													"root": "/var/www/"
+												},
+												{
+													"handler": "file_server",
+													"hide": [
+														"./Caddyfile"
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"errors": {
+						"routes": [
+							{
+								"match": [
+									{
+										"host": [
+											"localhost"
+										]
+									}
+								],
+								"handle": [
+									{
+										"handler": "subroute",
+										"routes": [
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "not found",
+																						"handler": "static_response",
+																						"status_code": 404
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "no encontrado",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group3",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "default not found",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												],
+												"match": [
+													{
+														"expression": "{http.error.status_code} in [404]"
+													}
+												]
+											},
+											{
+												"handle": [
+													{
+														"handler": "subroute",
+														"routes": [
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "English error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/en/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Spanish error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																],
+																"match": [
+																	{
+																		"path": [
+																			"/es/*"
+																		]
+																	}
+																]
+															},
+															{
+																"group": "group8",
+																"handle": [
+																	{
+																		"handler": "subroute",
+																		"routes": [
+																			{
+																				"handle": [
+																					{
+																						"body": "Default error",
+																						"handler": "static_response"
+																					}
+																				]
+																			}
+																		]
+																	}
+																]
+															}
+														]
+													}
+												]
+											}
+										]
+									}
+								],
+								"terminal": true
+							}
+						]
+					}
+				}
+			}
+		}
+	}
+}
+

caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest

@@ -31,9 +31,6 @@ example.com
 			"automation": {
 				"policies": [
 					{
-						"subjects": [
-							"example.com"
-						],
 						"issuers": [
 							{
 								"module": "acme",

caddytest/integration/caddyfile_adapt/global_server_options_single.caddyfiletest

@@ -18,6 +18,9 @@
 		trusted_proxies static private_ranges
 		client_ip_headers Custom-Real-Client-IP X-Forwarded-For
 		client_ip_headers A-Third-One
+		keepalive_interval 20s
+		keepalive_idle 20s
+		keepalive_count 10
 	}
 }
 
@@ -45,6 +48,9 @@ foo.com {
 					"read_header_timeout": 30000000000,
 					"write_timeout": 30000000000,
 					"idle_timeout": 30000000000,
+					"keepalive_interval": 20000000000,
+					"keepalive_idle": 20000000000,
+					"keepalive_count": 10,
 					"max_header_bytes": 100000000,
 					"enable_full_duplex": true,
 					"routes": [

caddytest/integration/caddyfile_adapt/header_placeholder_search.caddyfiletest

@@ -0,0 +1,64 @@
+:80 {
+	header Test-Static ":443" "STATIC-WORKS"
+	header Test-Dynamic ":{http.request.local.port}" "DYNAMIC-WORKS"
+	header Test-Complex "port-{http.request.local.port}-end" "COMPLEX-{http.request.method}"
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"routes": [
+						{
+							"handle": [
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Static": [
+												{
+													"replace": "STATIC-WORKS",
+													"search_regexp": ":443"
+												}
+											]
+										}
+									}
+								},
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Dynamic": [
+												{
+													"replace": "DYNAMIC-WORKS",
+													"search_regexp": ":{http.request.local.port}"
+												}
+											]
+										}
+									}
+								},
+								{
+									"handler": "headers",
+									"response": {
+										"replace": {
+											"Test-Complex": [
+												{
+													"replace": "COMPLEX-{http.request.method}",
+													"search_regexp": "port-{http.request.local.port}-end"
+												}
+											]
+										}
+									}
+								}
+							]
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/heredoc_extra_indentation.caddyfiletest

@@ -0,0 +1,41 @@
+:80
+
+handle {
+	respond <<END
+        line1
+        line2
+  END
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"routes": [
+						{
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "      line1\n      line2",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							]
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/heredoc_incomplete.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<EOF
+    Hello
+# missing EOF marker
+}
+----------
+mismatched leading whitespace in heredoc <<EOF on line #5 [    Hello], expected whitespace [# missing ] to match the closing marker

caddytest/integration/caddyfile_adapt/heredoc_invalid_marker.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<END!
+    Hello
+    END!
+}
+----------
+heredoc marker on line #4 must contain only alpha-numeric characters, dashes and underscores; got 'END!'

caddytest/integration/caddyfile_adapt/heredoc_mismatched_whitespace.caddyfiletest

@@ -0,0 +1,10 @@
+:80
+
+handle {
+	respond <<END
+	line1
+	line2
+  END
+}
+----------
+mismatched leading whitespace in heredoc <<END on line #5 [	line1], expected whitespace [  ] to match the closing marker

caddytest/integration/caddyfile_adapt/heredoc_missing_marker.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond << 
+    Hello
+    END
+}
+----------
+parsing caddyfile tokens for 'handle': unrecognized directive: Hello - are you sure your Caddyfile structure (nesting and braces) is correct?, at Caddyfile:7

caddytest/integration/caddyfile_adapt/heredoc_too_many_angle_brackets.caddyfiletest

@@ -0,0 +1,9 @@
+:80
+
+handle {
+    respond <<<END
+    Hello
+    END
+}
+----------
+too many '<' for heredoc on line #4; only use two, for example <<END

caddytest/integration/caddyfile_adapt/import_block_anonymous.caddyfiletest

@@ -0,0 +1,13 @@
+(site) {
+    http://{args[0]} https://{args[0]} {
+        {block}
+    }
+}
+import site test.domain {
+    { 
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+    }
+}
+----------
+anonymous blocks are not supported

caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_block.caddyfiletest

@@ -0,0 +1,57 @@
+(snippet) {
+	header {
+		reverse_proxy localhost:3000
+		{block}
+	}
+}
+
+example.com {
+	import snippet
+}
+---------- 
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "headers",
+													"response": {
+														"set": {
+															"Reverse_proxy": [
+																"localhost:3000"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_block_snippet_non_replaced_key_block.caddyfiletest

@@ -0,0 +1,57 @@
+(snippet) {
+	header {
+		reverse_proxy localhost:3000
+		{blocks.content_type}
+	}
+}
+
+example.com {
+	import snippet
+}
+---------- 
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "headers",
+													"response": {
+														"set": {
+															"Reverse_proxy": [
+																"localhost:3000"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_block_with_site_block.caddyfiletest

@@ -0,0 +1,65 @@
+(site) {
+	https://{args[0]} {
+		{block}
+	}
+}
+
+import site test.domain {
+	reverse_proxy http://192.168.1.1:8080 {
+		header_up Host {host}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"test.domain"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "reverse_proxy",
+													"headers": {
+														"request": {
+															"set": {
+																"Host": [
+																	"{http.request.host}"
+																]
+															}
+														}
+													},
+													"upstreams": [
+														{
+															"dial": "192.168.1.1:8080"
+														}
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/import_cycle.caddyfiletest

@@ -0,0 +1,12 @@
+(import1) {
+	import import2
+}
+
+(import2) {
+	import import1
+}
+
+import import1
+
+----------
+a cycle of imports exists between Caddyfile:import2 and Caddyfile:import1

caddytest/integration/caddyfile_adapt/invoke_undefined_named_route.caddyfiletest

@@ -0,0 +1,5 @@
+example.com {
+	invoke foo
+}
+----------
+cannot invoke named route 'foo', which was not defined

caddytest/integration/caddyfile_adapt/log_multiple_regexp_filters.caddyfiletest

@@ -0,0 +1,95 @@
+:80
+
+log {
+	output stdout
+	format filter {
+		wrap console
+		
+		# Multiple regexp filters for the same field - this should work now!
+		request>headers>Authorization regexp "Bearer\s+([A-Za-z0-9_-]+)" "Bearer [REDACTED]"
+		request>headers>Authorization regexp "Basic\s+([A-Za-z0-9+/=]+)" "Basic [REDACTED]"
+		request>headers>Authorization regexp "token=([^&\s]+)" "token=[REDACTED]"
+		
+		# Single regexp filter - this should continue to work as before
+		request>headers>Cookie regexp "sessionid=[^;]+" "sessionid=[REDACTED]"
+		
+		# Mixed filters (non-regexp) - these should work normally
+		request>headers>Server delete
+		request>remote_ip ip_mask {
+			ipv4 24
+			ipv6 32
+		}
+	}
+}
+----------
+{
+	"logging": {
+		"logs": {
+			"default": {
+				"exclude": [
+					"http.log.access.log0"
+				]
+			},
+			"log0": {
+				"writer": {
+					"output": "stdout"
+				},
+				"encoder": {
+					"fields": {
+						"request\u003eheaders\u003eAuthorization": {
+							"filter": "multi_regexp",
+							"operations": [
+								{
+									"regexp": "Bearer\\s+([A-Za-z0-9_-]+)",
+									"value": "Bearer [REDACTED]"
+								},
+								{
+									"regexp": "Basic\\s+([A-Za-z0-9+/=]+)",
+									"value": "Basic [REDACTED]"
+								},
+								{
+									"regexp": "token=([^\u0026\\s]+)",
+									"value": "token=[REDACTED]"
+								}
+							]
+						},
+						"request\u003eheaders\u003eCookie": {
+							"filter": "regexp",
+							"regexp": "sessionid=[^;]+",
+							"value": "sessionid=[REDACTED]"
+						},
+						"request\u003eheaders\u003eServer": {
+							"filter": "delete"
+						},
+						"request\u003eremote_ip": {
+							"filter": "ip_mask",
+							"ipv4_cidr": 24,
+							"ipv6_cidr": 32
+						}
+					},
+					"format": "filter",
+					"wrap": {
+						"format": "console"
+					}
+				},
+				"include": [
+					"http.log.access.log0"
+				]
+			}
+		}
+	},
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":80"
+					],
+					"logs": {
+						"default_logger_name": "log0"
+					}
+				}
+			}
+		}
+	}
+} 

caddytest/integration/caddyfile_adapt/matcher_outside_site_block.caddyfiletest

@@ -0,0 +1,9 @@
+@foo {
+	path /foo
+}
+
+handle {
+	respond "should not work"
+}
+----------
+request matchers may not be defined globally, they must be in a site block; found @foo, at Caddyfile:1

caddytest/integration/caddyfile_adapt/reverse_proxy_trusted_proxies_unix.caddyfiletest

@@ -0,0 +1,59 @@
+{
+	servers {
+		trusted_proxies_unix
+	}
+}
+
+example.com {
+	reverse_proxy https://local:8080
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"handler": "reverse_proxy",
+													"transport": {
+														"protocol": "http",
+														"tls": {}
+													},
+													"upstreams": [
+														{
+															"dial": "local:8080"
+														}
+													]
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"trusted_proxies_unix": true
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/site_address_invalid_port.caddyfiletest

@@ -0,0 +1,7 @@
+:70000
+
+handle {
+	respond "should not work"
+}
+----------
+port 70000 is out of range

caddytest/integration/caddyfile_adapt/site_address_negative_port.caddyfiletest

@@ -0,0 +1,7 @@
+:-1
+
+handle {
+	respond "should not work"
+}
+----------
+port -1 is out of range

caddytest/integration/caddyfile_adapt/site_address_unsupported_scheme.caddyfiletest

@@ -0,0 +1,7 @@
+foo://example.com
+
+handle {
+	respond "hello"
+}
+----------
+unsupported URL scheme foo://

caddytest/integration/caddyfile_adapt/site_address_wss_invalid_port.caddyfiletest

@@ -0,0 +1,7 @@
+wss://example.com:70000
+
+handle {
+	respond "should not work"
+}
+----------
+port 70000 is out of range

caddytest/integration/caddyfile_adapt/site_address_wss_scheme.caddyfiletest

@@ -0,0 +1,7 @@
+wss://example.com
+
+handle {
+	respond "hello"
+}
+----------
+the scheme wss:// is only supported in browsers; use https:// instead

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf file ../caddy.ca.cer
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_file_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			file ../caddy.ca.cer
+			file ../caddy.ca.cer
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											},
+											{
+												"files": [
+													"../caddy.ca.cer"
+												],
+												"loader": "file"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_block.caddyfiletest

@@ -0,0 +1,87 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_inline.caddyfiletest

@@ -0,0 +1,85 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf folder ../
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_leaf_verifier_folder_loader_multi-in-block.caddyfiletest

@@ -0,0 +1,94 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		verifier leaf {
+			folder ../
+			folder ../
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"verifiers": [
+									{
+										"leaf_certs_loaders": [
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											},
+											{
+												"folders": [
+													"../"
+												],
+												"loader": "folder"
+											}
+										],
+										"verifier": "leaf"
+									}
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_multiple_options_without_provider.caddyfiletest

@@ -0,0 +1,9 @@
+localhost
+
+tls {
+	propagation_delay 10s
+	dns_ttl 5m
+}
+
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_delay, dns_ttl] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:6

caddytest/integration/caddyfile_adapt/tls_dns_override_acme_dns.caddyfiletest

@@ -0,0 +1,79 @@
+{
+	acme_dns mock foo
+}
+
+localhost {
+	tls {
+		dns mock bar
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "bar",
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					},
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "foo",
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_override_global_dns.caddyfiletest

@@ -0,0 +1,68 @@
+{
+	dns mock foo
+}
+
+localhost {
+	tls {
+		dns mock bar
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"argument": "bar",
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			},
+			"dns": {
+				"argument": "foo",
+				"name": "mock"
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_propagation_timeout_without_provider.caddyfiletest

@@ -0,0 +1,7 @@
+:443 {
+	tls {
+		propagation_timeout 30s
+	}
+}
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_timeout] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:4

caddytest/integration/caddyfile_adapt/tls_dns_propagation_without_provider.caddyfiletest

@@ -0,0 +1,7 @@
+:443 {
+	tls {
+		propagation_delay 30s
+	}
+}
+----------
+parsing caddyfile tokens for 'tls': setting DNS challenge options [propagation_delay] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option), at Caddyfile:4

caddytest/integration/caddyfile_adapt/tls_dns_resolvers_with_global_provider.caddyfiletest

@@ -0,0 +1,76 @@
+{
+	acme_dns mock
+}
+
+localhost {
+	tls {
+		resolvers 8.8.8.8 8.8.4.4
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"localhost"
+						],
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"name": "mock"
+										},
+										"resolvers": [
+											"8.8.8.8",
+											"8.8.4.4"
+										]
+									}
+								},
+								"module": "acme"
+							}
+						]
+					},
+					{
+						"issuers": [
+							{
+								"challenges": {
+									"dns": {
+										"provider": {
+											"name": "mock"
+										}
+									}
+								},
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest

@@ -2,6 +2,7 @@ localhost
 
 respond "hello from localhost"
 tls {
+	dns mock
 	dns_ttl 5m10s
 }
 ----------
@@ -54,6 +55,9 @@ tls {
 							{
 								"challenges": {
 									"dns": {
+										"provider": {
+											"name": "mock"
+										},
 										"ttl": 310000000000
 									}
 								},

caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest

@@ -2,6 +2,7 @@ localhost
 
 respond "hello from localhost"
 tls {
+	dns mock
 	propagation_delay 5m10s
 	propagation_timeout 10m20s
 }
@@ -56,7 +57,10 @@ tls {
 								"challenges": {
 									"dns": {
 										"propagation_delay": 310000000000,
-										"propagation_timeout": 620000000000
+										"propagation_timeout": 620000000000,
+										"provider": {
+											"name": "mock"
+										}
 									}
 								},
 								"module": "acme"

caddytest/integration/caddyfile_adapt_test.go

@@ -9,8 +9,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddytest"
-
 	_ "github.com/caddyserver/caddy/v2/internal/testmocks"
 )
 
@@ -28,9 +28,11 @@ func TestCaddyfileAdaptToJSON(t *testing.T) {
 		if f.IsDir() {
 			continue
 		}
-
-		// read the test file
 		filename := f.Name()
+
+		// run each file as a subtest, so that we can see which one fails more easily
+		t.Run(filename, func(t *testing.T) {
+			// read the test file
 			data, err := os.ReadFile("./caddyfile_adapt/" + filename)
 			if err != nil {
 				t.Errorf("failed to read %s dir: %s", filename, err)
@@ -39,19 +41,35 @@ func TestCaddyfileAdaptToJSON(t *testing.T) {
 			// split the Caddyfile (first) and JSON (second) parts
 			// (append newline to Caddyfile to match formatter expectations)
 			parts := strings.Split(string(data), "----------")
-		caddyfile, json := strings.TrimSpace(parts[0])+"\n", strings.TrimSpace(parts[1])
+			caddyfile, expected := strings.TrimSpace(parts[0])+"\n", strings.TrimSpace(parts[1])
 
 			// replace windows newlines in the json with unix newlines
-		json = winNewlines.ReplaceAllString(json, "\n")
+			expected = winNewlines.ReplaceAllString(expected, "\n")
 
 			// replace os-specific default path for file_server's hide field
 			replacePath, _ := jsonMod.Marshal(fmt.Sprint(".", string(filepath.Separator), "Caddyfile"))
-		json = strings.ReplaceAll(json, `"./Caddyfile"`, string(replacePath))
+			expected = strings.ReplaceAll(expected, `"./Caddyfile"`, string(replacePath))
 
-		// run the test
-		ok := caddytest.CompareAdapt(t, filename, caddyfile, "caddyfile", json)
+			// if the expected output is JSON, compare it
+			if len(expected) > 0 && expected[0] == '{' {
+				ok := caddytest.CompareAdapt(t, filename, caddyfile, "caddyfile", expected)
 				if !ok {
 					t.Errorf("failed to adapt %s", filename)
 				}
+				return
+			}
+
+			// otherwise, adapt the Caddyfile and check for errors
+			cfgAdapter := caddyconfig.GetAdapter("caddyfile")
+			_, _, err = cfgAdapter.Adapt([]byte(caddyfile), nil)
+			if err == nil {
+				t.Errorf("expected error for %s but got none", filename)
+			} else {
+				normalizedErr := winNewlines.ReplaceAllString(err.Error(), "\n")
+				if !strings.Contains(normalizedErr, expected) {
+					t.Errorf("expected error for %s to contain:\n%s\nbut got:\n%s", filename, expected, normalizedErr)
+				}
+			}
+		})
 	}
 }

caddytest/integration/caddyfile_test.go

@@ -615,7 +615,6 @@ func TestReplaceWithReplacementPlaceholder(t *testing.T) {
 	respond "{query}"`, "caddyfile")
 
 	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
-
 }
 
 func TestReplaceWithKeyPlaceholder(t *testing.T) {
@@ -783,6 +782,46 @@ func TestHandleErrorRangeAndCodes(t *testing.T) {
 	tester.AssertGetResponse("http://localhost:9080/private", 410, "Error in the [400 .. 499] range")
 }
 
+func TestHandleErrorSubHandlers(t *testing.T) {
+	tester := caddytest.NewTester(t)
+	tester.InitServer(`{
+		admin localhost:2999
+		http_port     9080
+	}
+	localhost:9080 {
+		root * /srv
+		file_server
+		error /*/internalerr* "Internal Server Error" 500
+
+		handle_errors 404 {
+			handle /en/* {
+				respond "not found" 404
+			}
+			handle /es/* {
+				respond "no encontrado" 404
+			}
+			handle {
+				respond "default not found"
+			}
+		}
+		handle_errors {
+			handle {
+				respond "Default error"
+			}
+			handle /en/* {
+				respond "English error"
+			}
+		}
+	}
+	`, "caddyfile")
+	// act and assert
+	tester.AssertGetResponse("http://localhost:9080/en/notfound", 404, "not found")
+	tester.AssertGetResponse("http://localhost:9080/es/notfound", 404, "no encontrado")
+	tester.AssertGetResponse("http://localhost:9080/notfound", 404, "default not found")
+	tester.AssertGetResponse("http://localhost:9080/es/internalerr", 500, "Default error")
+	tester.AssertGetResponse("http://localhost:9080/en/internalerr", 500, "English error")
+}
+
 func TestInvalidSiteAddressesAsDirectives(t *testing.T) {
 	type testCase struct {
 		config, expectedError string

caddytest/integration/h2listener_test.go

@@ -0,0 +1,129 @@
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
+)
+
+func newH2ListenerWithVersionsWithTLSTester(t *testing.T, serverVersions []string, clientVersions []string) *caddytest.Tester {
+	const baseConfig = `
+	{
+		skip_install_trust
+		admin localhost:2999
+		http_port     9080
+		https_port    9443
+		servers :9443 {
+            protocols %s
+        }
+	}
+	localhost {
+		respond "{http.request.tls.proto} {http.request.proto}"
+	}
+	`
+	tester := caddytest.NewTester(t)
+	tester.InitServer(fmt.Sprintf(baseConfig, strings.Join(serverVersions, " ")), "caddyfile")
+
+	tr := tester.Client.Transport.(*http.Transport)
+	tr.TLSClientConfig.NextProtos = clientVersions
+	tr.Protocols = new(http.Protocols)
+	if slices.Contains(clientVersions, "h2") {
+		tr.ForceAttemptHTTP2 = true
+		tr.Protocols.SetHTTP2(true)
+	}
+	if !slices.Contains(clientVersions, "http/1.1") {
+		tr.Protocols.SetHTTP1(false)
+	}
+
+	return tester
+}
+
+func TestH2ListenerWithTLS(t *testing.T) {
+	tests := []struct {
+		serverVersions []string
+		clientVersions []string
+		expectedBody   string
+		failed         bool
+	}{
+		{[]string{"h2"}, []string{"h2"}, "h2 HTTP/2.0", false},
+		{[]string{"h2"}, []string{"http/1.1"}, "", true},
+		{[]string{"h1"}, []string{"http/1.1"}, "http/1.1 HTTP/1.1", false},
+		{[]string{"h1"}, []string{"h2"}, "", true},
+		{[]string{"h2", "h1"}, []string{"h2"}, "h2 HTTP/2.0", false},
+		{[]string{"h2", "h1"}, []string{"http/1.1"}, "http/1.1 HTTP/1.1", false},
+	}
+	for _, tc := range tests {
+		tester := newH2ListenerWithVersionsWithTLSTester(t, tc.serverVersions, tc.clientVersions)
+		t.Logf("running with server versions %v and client versions %v:", tc.serverVersions, tc.clientVersions)
+		if tc.failed {
+			resp, err := tester.Client.Get("https://localhost:9443")
+			if err == nil {
+				t.Errorf("unexpected response: %d", resp.StatusCode)
+			}
+		} else {
+			tester.AssertGetResponse("https://localhost:9443", 200, tc.expectedBody)
+		}
+	}
+}
+
+func newH2ListenerWithVersionsWithoutTLSTester(t *testing.T, serverVersions []string, clientVersions []string) *caddytest.Tester {
+	const baseConfig = `
+	{
+		skip_install_trust
+		admin localhost:2999
+		http_port     9080
+		servers :9080 {
+            protocols %s
+        }
+	}
+	http://localhost {
+		respond "{http.request.proto}"
+	}
+	`
+	tester := caddytest.NewTester(t)
+	tester.InitServer(fmt.Sprintf(baseConfig, strings.Join(serverVersions, " ")), "caddyfile")
+
+	tr := tester.Client.Transport.(*http.Transport)
+	tr.Protocols = new(http.Protocols)
+	if slices.Contains(clientVersions, "h2c") {
+		tr.Protocols.SetHTTP1(false)
+		tr.Protocols.SetUnencryptedHTTP2(true)
+	} else if slices.Contains(clientVersions, "http/1.1") {
+		tr.Protocols.SetHTTP1(true)
+		tr.Protocols.SetUnencryptedHTTP2(false)
+	}
+
+	return tester
+}
+
+func TestH2ListenerWithoutTLS(t *testing.T) {
+	tests := []struct {
+		serverVersions []string
+		clientVersions []string
+		expectedBody   string
+		failed         bool
+	}{
+		{[]string{"h2c"}, []string{"h2c"}, "HTTP/2.0", false},
+		{[]string{"h2c"}, []string{"http/1.1"}, "", true},
+		{[]string{"h1"}, []string{"http/1.1"}, "HTTP/1.1", false},
+		{[]string{"h1"}, []string{"h2c"}, "", true},
+		{[]string{"h2c", "h1"}, []string{"h2c"}, "HTTP/2.0", false},
+		{[]string{"h2c", "h1"}, []string{"http/1.1"}, "HTTP/1.1", false},
+	}
+	for _, tc := range tests {
+		tester := newH2ListenerWithVersionsWithoutTLSTester(t, tc.serverVersions, tc.clientVersions)
+		t.Logf("running with server versions %v and client versions %v:", tc.serverVersions, tc.clientVersions)
+		if tc.failed {
+			resp, err := tester.Client.Get("http://localhost:9080")
+			if err == nil {
+				t.Errorf("unexpected response: %d", resp.StatusCode)
+			}
+		} else {
+			tester.AssertGetResponse("http://localhost:9080", 200, tc.expectedBody)
+		}
+	}
+}

caddytest/integration/mockdns_test.go

@@ -3,10 +3,11 @@ package integration
 import (
 	"context"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/libdns"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -14,7 +15,9 @@ func init() {
 }
 
 // MockDNSProvider is a mock DNS provider, for testing config with DNS modules.
-type MockDNSProvider struct{}
+type MockDNSProvider struct {
+	Argument string `json:"argument,omitempty"` // optional argument useful for testing
+}
 
 // CaddyModule returns the Caddy module information.
 func (MockDNSProvider) CaddyModule() caddy.ModuleInfo {
@@ -30,7 +33,15 @@ func (MockDNSProvider) Provision(ctx caddy.Context) error {
 }
 
 // UnmarshalCaddyfile sets up the module from Caddyfile tokens.
-func (MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+func (p *MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume directive name
+
+	if d.NextArg() {
+		p.Argument = d.Val()
+	}
+	if d.NextArg() {
+		return d.Errf("unexpected argument '%s'", d.Val())
+	}
 	return nil
 }
 
@@ -55,7 +66,9 @@ func (MockDNSProvider) SetRecords(ctx context.Context, zone string, recs []libdn
 }
 
 // Interface guard
-var _ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
-var _ certmagic.DNSProvider = (*MockDNSProvider)(nil)
-var _ caddy.Provisioner = (*MockDNSProvider)(nil)
-var _ caddy.Module = (*MockDNSProvider)(nil)
+var (
+	_ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
+	_ certmagic.DNSProvider = (*MockDNSProvider)(nil)
+	_ caddy.Provisioner     = (*MockDNSProvider)(nil)
+	_ caddy.Module          = (*MockDNSProvider)(nil)
+)

caddytest/integration/stream_test.go

@@ -13,9 +13,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/caddyserver/caddy/v2/caddytest"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+
+	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 // (see https://github.com/caddyserver/caddy/issues/3556 for use case)