Merge branch 'master' into acme-database

acmeserver: add policy field to define allow/deny rules (#5796 )
* acmeserver: support specifying the allowed challenge types * add caddyfile adapt tests * acmeserver: add `policy` field to define allow/deny rules * allow `omitempty` to work * add caddyfile support for `policy` * remove "uri domain" policy * fmt the files * add docs * do not support `CommonName`; the field is deprecated * r/DNSDomains/Domains/g * Caddyfile docs * add tests * move `Policy` to top of file
2026-05-26 08:42:31 -04:00 · 2024-02-24 02:26:57 +03:00 · 2024-02-24 02:26:00 +03:00 · 2024-02-24 02:12:25 +03:00 · 2024-02-23 12:45:58 -07:00 · 2024-02-21 00:37:40 +00:00
315 changed files with 13855 additions and 6228 deletions
@@ -1,5 +1,5 @@
 [*]
 end_of_line = lf
-[caddytest/integration/caddyfile_adapt/*.txt]
+[caddytest/integration/caddyfile_adapt/*.caddyfiletest]
 indent_style = tab
@@ -19,45 +19,49 @@ jobs:
      fail-fast: false
      matrix:
        os: 
-          - ubuntu-latest
+          - linux
-          - macos-latest
+          - mac
-          - windows-latest
+          - windows
        go: 
-          - '1.20'
+          - '1.21'
-          # - '1.21'
+          - '1.22'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.20'
+        - go: '1.21'
-          GO_SEMVER: '~1.20.6'
+          GO_SEMVER: '~1.21.0'
-        # - go: '1.21'
+        - go: '1.22'
-        #   GO_SEMVER: '~1.21.0'
+          GO_SEMVER: '~1.22.0'
        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
-        - os: ubuntu-latest
+        - os: linux
          OS_LABEL: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
-        - os: macos-latest
+        - os: mac
          OS_LABEL: macos-14
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
-        - os: windows-latest
+        - os: windows
          OS_LABEL: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.OS_LABEL }}
    steps:
    - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -73,6 +77,7 @@ jobs:
    - name: Print Go version and environment
      id: vars
      shell: bash
      run: |
        printf "Using go at: $(which go)\n"
        printf "Go version: $(go version)\n"
@@ -94,13 +99,14 @@ jobs:
      env:
        CGO_ENABLED: 0
      run: |
-        go build -trimpath -ldflags="-w -s" -v
+        go build -tags nobdger -trimpath -ldflags="-w -s" -v
    - name: Publish Build Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
        compression-level: 0
    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
@@ -110,7 +116,7 @@ jobs:
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT
    # Relevant step if we reinvestigate publishing test/coverage reports
@@ -123,7 +129,7 @@ jobs:
    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
-    #   if: matrix.os != 'windows-latest' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
+    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1
@@ -135,7 +141,7 @@ jobs:
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Run Tests
        run: |
          mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa
@@ -145,7 +151,7 @@ jobs:
          # The environment is fresh, so there's no point in keeping accepting and adding the key.
          rsync -arz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress --delete --exclude '.git' . "$CI_USER"@ci-s390x.caddyserver.com:/var/tmp/"$short_sha"
-          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -v ./..."
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -tags nobadger -v ./..."
          test_result=$?
          # There's no need leaving the files around
@@ -161,11 +167,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
-      - uses: goreleaser/goreleaser-action@v4
+      - uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: check
        env:
          TAG: ${{ steps.vars.outputs.version_tag }}
@@ -11,11 +11,12 @@ on:
      - 2.*
 jobs:
-  cross-build-test:
+  build:
    strategy:
      fail-fast: false
      matrix:
        goos: 
          - 'aix'
          - 'android'
          - 'linux'
          - 'solaris'
@@ -28,22 +29,22 @@ jobs:
          - 'darwin'
          - 'netbsd'
        go: 
-          - '1.20'
+          - '1.22'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.20'
+        - go: '1.22'
-          GO_SEMVER: '~1.20.6'
+          GO_SEMVER: '~1.22.0'
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.GO_SEMVER }}
          check-latest: true
@@ -62,11 +63,12 @@ jobs:
        env:
          CGO_ENABLED: 0
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goos == 'aix' && 'ppc64' || 'amd64' }}
        shell: bash
        continue-on-error: true
        working-directory: ./cmd/caddy
        run: |
-          GOOS=$GOOS go build -trimpath -o caddy-"$GOOS"-amd64 2> /dev/null
+          GOOS=$GOOS GOARCH=$GOARCH go build -tags nobadger -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
          if [ $? -ne 0 ]; then
            echo "::warning ::$GOOS Build Failed"
            exit 0
@@ -17,30 +17,39 @@ jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
    permissions:
-      contents: read  # for actions/checkout to fetch code
+      contents: read # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    strategy:
      matrix:
-        os: 
+        os:
-          - ubuntu-latest
+          - linux
-          - macos-latest
+          - mac
-          - windows-latest
+          - windows
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
          go-version: '~1.20.6'
          check-latest: true
-          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
+        include:
-          skip-pkg-cache: true
+        - os: linux
          OS_LABEL: ubuntu-latest
        - os: mac
          OS_LABEL: macos-14
        - os: windows
          OS_LABEL: windows-latest
    runs-on: ${{ matrix.OS_LABEL }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '~1.22.0'
          check-latest: true
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
-          version: v1.53
+          version: v1.55
          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
          skip-pkg-cache: true
@@ -50,3 +59,12 @@ jobs:
          # Optional: show only new issues if it's a pull request. The default value is `false`.
          # only-new-issues: true
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: '~1.22.0'
          check-latest: true
@@ -13,13 +13,13 @@ jobs:
        os: 
          - ubuntu-latest
        go: 
-          - '1.20'
+          - '1.21'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.20'
+        - go: '1.21'
-          GO_SEMVER: '~1.20.6'
+          GO_SEMVER: '~1.21.0'
    runs-on: ${{ matrix.os }}
    # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -32,18 +32,18 @@ jobs:
    steps:
    - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
    # Force fetch upstream tags -- because 65 minutes
-    # tl;dr: actions/checkout@v3 runs this line:
+    # tl;dr: actions/checkout@v4 runs this line:
    #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
    # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
    #   git fetch --prune --unshallow
@@ -106,10 +106,10 @@ jobs:
      run: syft version
    # GoReleaser will take care of publishing those artifacts into the release
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v4
+      uses: goreleaser/goreleaser-action@v5
      with:
        version: latest
-        args: release --rm-dist --timeout 60m
+        args: release --clean --timeout 60m
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        TAG: ${{ steps.vars.outputs.version_tag }}
@@ -18,7 +18,7 @@ jobs:
    # See https://github.com/peter-evans/repository-dispatch
    - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v2
+      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/dist
@@ -26,7 +26,7 @@ jobs:
        client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
    - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v2
+      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/caddy-docker
@@ -12,6 +12,7 @@ Caddyfile.*
 cmd/caddy/caddy
 cmd/caddy/caddy.exe
 cmd/caddy/tmp/*.exe
 cmd/caddy/.env
 # mac specific
 .DS_Store
@@ -2,35 +2,81 @@ linters-settings:
  errcheck:
    ignore: fmt:.*,go.uber.org/zap/zapcore:^Add.*
    ignoretests: true
  gci:
    sections:
      - standard # Standard section: captures all standard packages.
      - default # Default section: contains all imports that could not be matched to another section type.
      - prefix(github.com/caddyserver/caddy/v2/cmd) # ensure that this is always at the top and always has a line break.
      - prefix(github.com/caddyserver/caddy) # Custom section: groups all imports with the specified Prefix.
    # Skip generated files.
    # Default: true
    skip-generated: true
    # Enable custom order of sections.
    # If `true`, make the section order the same as the order of `sections`.
    # Default: false
    custom-order: true
  exhaustive:
    ignore-enum-types: reflect.Kind|svc.Cmd
 linters:
  disable-all: true
  enable:
    - asasalint
    - asciicheck
    - bidichk
    - bodyclose
    - decorder
    - dogsled
    - dupl
    - dupword
    - durationcheck
    - errcheck
    - errname
    - exhaustive
    - exportloopref
    - gci
    - gofmt
    - goimports
    - gofumpt
    - gosec
    - gosimple
    - govet
    - ineffassign
    - importas
    - misspell
    - prealloc
    - promlinter
    - sloglint
    - sqlclosecheck
    - staticcheck
    - tenv
    - testableexamples
    - testifylint
    - tparallel
    - typecheck
    - unconvert
    - unused
    - wastedassign
    - whitespace
    - zerologlint
  # these are implicitly disabled:
-  # - asciicheck
+  # - containedctx
  # - contextcheck
  # - cyclop
  # - depguard
-  # - dogsled
+  # - errchkjson
-  # - dupl
+  # - errorlint
-  # - exhaustive
+  # - exhaustruct
-  # - exportloopref
+  # - execinquery
  # - exhaustruct
  # - forbidigo
  # - forcetypeassert
  # - funlen
-  # - gci
+  # - ginkgolinter
  # - gocheckcompilerdirectives
  # - gochecknoglobals
  # - gochecknoinits
  # - gochecksumtype
  # - gocognit
  # - goconst
  # - gocritic
@@ -38,27 +84,47 @@ linters:
  # - godot
  # - godox
  # - goerr113
  # - gofumpt
  # - goheader
  # - golint
  # - gomnd
  # - gomoddirectives
  # - gomodguard
  # - goprintffuncname
-  # - interfacer
+  # - gosmopolitan
  # - grouper
  # - inamedparam
  # - interfacebloat
  # - ireturn
  # - lll
-  # - maligned
+  # - loggercheck
  # - maintidx
  # - makezero
  # - mirror
  # - musttag
  # - nakedret
  # - nestif
  # - nilerr
  # - nilnil
  # - nlreturn
  # - noctx
  # - nolintlint
  # - nonamedreturns
  # - nosprintfhostport
  # - paralleltest
  # - perfsprint
  # - predeclared
  # - protogetter
  # - reassign
  # - revive
  # - rowserrcheck
  # - scopelint
  # - sqlclosecheck
  # - stylecheck
  # - tagalign
  # - tagliatelle
  # - testpackage
  # - thelper
  # - unparam
-  # - whitespace
+  # - usestdlibvars
  # - varnamelen
  # - wrapcheck
  # - wsl
 run:
@@ -77,23 +143,26 @@ output:
 issues:
  exclude-rules:
    # we aren't calling unknown URL
-    - text: "G107" # G107: Url provided to HTTP request as taint input
+    - text: 'G107' # G107: Url provided to HTTP request as taint input
      linters:
        - gosec
    # as a web server that's expected to handle any template, this is totally in the hands of the user.
-    - text: "G203" # G203: Use of unescaped data in HTML templates
+    - text: 'G203' # G203: Use of unescaped data in HTML templates
      linters:
        - gosec
    # we're shelling out to known commands, not relying on user-defined input.
-    - text: "G204" # G204: Audit use of command execution
+    - text: 'G204' # G204: Audit use of command execution
      linters:
        - gosec
    # the choice of weakrand is deliberate, hence the named import "weakrand"
    - path: modules/caddyhttp/reverseproxy/selectionpolicies.go
-      text: "G404" # G404: Insecure random number source (rand)
+      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
    - path: modules/caddyhttp/reverseproxy/streaming.go
-      text: "G404" # G404: Insecure random number source (rand)
+      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
    - path: modules/logging/filters.go
      linters:
        - dupl
@@ -43,6 +43,7 @@ builds:
  - arm64
  - s390x
  - ppc64le
  - riscv64
  goarm:
  - "5"
  - "6"
@@ -54,14 +55,20 @@ builds:
      goarch: ppc64le
    - goos: darwin
      goarch: s390x
    - goos: darwin
      goarch: riscv64
    - goos: windows
      goarch: ppc64le
    - goos: windows
      goarch: s390x
    - goos: windows
      goarch: riscv64
    - goos: freebsd
      goarch: ppc64le
    - goos: freebsd
      goarch: s390x
    - goos: freebsd
      goarch: riscv64
    - goos: freebsd
      goarch: arm
      goarm: "5"
@@ -70,6 +77,8 @@ builds:
  - -mod=readonly
  ldflags:
  - -s -w
  tags:
  - nobadger
 signs:
  - cmd: cosign
@@ -106,7 +115,7 @@ archives:
      {{- with .Mips }}_{{ . }}{{ end }}
      {{- if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}
-  # packge the 'caddy-build' directory into a tarball,
+  # package the 'caddy-build' directory into a tarball,
  # allowing users to build the exact same set of files as ours.
  - id: source
    meta: true
@@ -87,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 Requirements:
- [Go 1.20 or newer](https://golang.org/dl/)
+- [Go 1.21 or newer](https://golang.org/dl/)
 ### For development
@@ -1196,15 +1196,27 @@ traverseLoop:
 					}
 				case http.MethodPut:
 					if _, ok := v[part]; ok {
-						return fmt.Errorf("[%s] key already exists: %s", path, part)
+						return APIError{
 							HTTPStatus: http.StatusConflict,
 							Err:        fmt.Errorf("[%s] key already exists: %s", path, part),
 						}
 					}
 					v[part] = val
 				case http.MethodPatch:
 					if _, ok := v[part]; !ok {
-						return fmt.Errorf("[%s] key does not exist: %s", path, part)
+						return APIError{
 							HTTPStatus: http.StatusNotFound,
 							Err:        fmt.Errorf("[%s] key does not exist: %s", path, part),
 						}
 					}
 					v[part] = val
 				case http.MethodDelete:
 					if _, ok := v[part]; !ok {
 						return APIError{
 							HTTPStatus: http.StatusNotFound,
 							Err:        fmt.Errorf("[%s] key does not exist: %s", path, part),
 						}
 					}
 					delete(v, part)
 				default:
 					return fmt.Errorf("unrecognized method %s", method)
@@ -1346,7 +1358,7 @@ var (
 // will get deleted before the process gracefully exits.
 func PIDFile(filename string) error {
 	pid := []byte(strconv.Itoa(os.Getpid()) + "\n")
-	err := os.WriteFile(filename, pid, 0600)
+	err := os.WriteFile(filename, pid, 0o600)
 	if err != nil {
 		return err
 	}
@@ -75,6 +75,12 @@ func TestUnsyncedConfigAccess(t *testing.T) {
 			path:   "/bar/qq",
 			expect: `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c"]}`,
 		},
 		{
 			method:    "DELETE",
 			path:      "/bar/qq",
 			expect:    `{"foo": "jet", "bar": {"aa": "bb"}, "list": ["a", "b", "c"]}`,
 			shouldErr: true,
 		},
 		{
 			method:  "POST",
 			path:    "/list",
@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
 	"net/http"
 	"os"
@@ -34,10 +35,12 @@ import (
 	"sync/atomic"
 	"time"
 	"github.com/caddyserver/caddy/v2/notify"
 	"github.com/caddyserver/certmagic"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2/internal/filesystems"
 	"github.com/caddyserver/caddy/v2/notify"
 )
 // Config is the top (or beginning) of the Caddy configuration structure.
@@ -82,6 +85,9 @@ type Config struct {
 	storage certmagic.Storage
 	cancelFunc context.CancelFunc
 	// filesystems is a dict of filesystems that will later be loaded from and added to.
 	filesystems FileSystems
 }
 // App is a thing that Caddy runs.
@@ -356,13 +362,13 @@ func unsyncedDecodeAndRun(cfgJSON []byte, allowPersist bool) error {
 			newCfg.Admin.Config.Persist == nil ||
 			*newCfg.Admin.Config.Persist) {
 		dir := filepath.Dir(ConfigAutosavePath)
-		err := os.MkdirAll(dir, 0700)
+		err := os.MkdirAll(dir, 0o700)
 		if err != nil {
 			Log().Error("unable to create folder for config autosave",
 				zap.String("dir", dir),
 				zap.Error(err))
 		} else {
-			err := os.WriteFile(ConfigAutosavePath, cfgJSON, 0600)
+			err := os.WriteFile(ConfigAutosavePath, cfgJSON, 0o600)
 			if err == nil {
 				Log().Info("autosaved config (load with --resume flag)", zap.String("file", ConfigAutosavePath))
 			} else {
@@ -445,6 +451,9 @@ func run(newCfg *Config, start bool) (Context, error) {
 		}
 	}
 	// create the new filesystem map
 	newCfg.filesystems = &filesystems.FilesystemMap{}
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
@@ -824,14 +833,19 @@ func ParseDuration(s string) (time.Duration, error) {
 // regardless of storage configuration, since each instance is intended to
 // have its own unique ID.
 func InstanceID() (uuid.UUID, error) {
-	uuidFilePath := filepath.Join(AppDataDir(), "instance.uuid")
+	appDataDir := AppDataDir()
 	uuidFilePath := filepath.Join(appDataDir, "instance.uuid")
 	uuidFileBytes, err := os.ReadFile(uuidFilePath)
-	if os.IsNotExist(err) {
+	if errors.Is(err, fs.ErrNotExist) {
 		uuid, err := uuid.NewRandom()
 		if err != nil {
 			return uuid, err
 		}
-		err = os.WriteFile(uuidFilePath, []byte(uuid.String()), 0600)
+		err = os.MkdirAll(appDataDir, 0o600)
 		if err != nil {
 			return uuid, err
 		}
 		err = os.WriteFile(uuidFilePath, []byte(uuid.String()), 0o600)
 		return uuid, err
 	} else if err != nil {
 		return [16]byte{}, err
@@ -52,7 +52,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 		return nil, warnings, err
 	}
-	// lint check: see if input was properly formatted; sometimes messy files files parse
+	// lint check: see if input was properly formatted; sometimes messy files parse
 	// successfully but result in logical errors (the Caddyfile is a bad format, I'm sorry)
 	if warning, different := FormattingDifference(filename, body); different {
 		warnings = append(warnings, warning)
@@ -92,30 +92,26 @@ func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bo
 	}, true
 }
-// Unmarshaler is a type that can unmarshal
+// Unmarshaler is a type that can unmarshal Caddyfile tokens to
-// Caddyfile tokens to set itself up for a
+// set itself up for a JSON encoding. The goal of an unmarshaler
-// JSON encoding. The goal of an unmarshaler
+// is not to set itself up for actual use, but to set itself up for
-// is not to set itself up for actual use,
+// being marshaled into JSON. Caddyfile-unmarshaled values will not
-// but to set itself up for being marshaled
+// be used directly; they will be encoded as JSON and then used from
-// into JSON. Caddyfile-unmarshaled values
+// that. Implementations _may_ be able to support multiple segments
-// will not be used directly; they will be
+// (instances of their directive or batch of tokens); typically this
-// encoded as JSON and then used from that.
+// means wrapping parsing logic in a loop: `for d.Next() { ... }`.
-// Implementations must be able to support
+// More commonly, only a single segment is supported, so a simple
-// multiple segments (instances of their
+// `d.Next()` at the start should be used to consume the module
-// directive or batch of tokens); typically
+// identifier token (directive name, etc).
 // this means wrapping all token logic in
 // a loop: `for d.Next() { ... }`.
 type Unmarshaler interface {
 	UnmarshalCaddyfile(d *Dispenser) error
 }
 // ServerType is a type that can evaluate a Caddyfile and set up a caddy config.
 type ServerType interface {
-	// Setup takes the server blocks which
+	// Setup takes the server blocks which contain tokens,
-	// contain tokens, as well as options
+	// as well as options (e.g. CLI flags) and creates a
-	// (e.g. CLI flags) and creates a Caddy
+	// Caddy config, along with any warnings or an error.
 	// config, along with any warnings or
 	// an error.
 	Setup([]ServerBlock, map[string]any) (*caddy.Config, []caddyconfig.Warning, error)
 }
@@ -391,22 +391,22 @@ func (d *Dispenser) Reset() {
 // an argument.
 func (d *Dispenser) ArgErr() error {
 	if d.Val() == "{" {
-		return d.Err("Unexpected token '{', expecting argument")
+		return d.Err("unexpected token '{', expecting argument")
 	}
-	return d.Errf("Wrong argument count or unexpected line ending after '%s'", d.Val())
+	return d.Errf("wrong argument count or unexpected line ending after '%s'", d.Val())
 }
 // SyntaxErr creates a generic syntax error which explains what was
 // found and what was expected.
 func (d *Dispenser) SyntaxErr(expected string) error {
-	msg := fmt.Sprintf("%s:%d - Syntax error: Unexpected token '%s', expecting '%s', import chain: ['%s']", d.File(), d.Line(), d.Val(), expected, strings.Join(d.Token().imports, "','"))
+	msg := fmt.Sprintf("syntax error: unexpected token '%s', expecting '%s', at %s:%d import chain: ['%s']", d.Val(), expected, d.File(), d.Line(), strings.Join(d.Token().imports, "','"))
 	return errors.New(msg)
 }
 // EOFErr returns an error indicating that the dispenser reached
 // the end of the input when searching for the next token.
 func (d *Dispenser) EOFErr() error {
-	return d.Errf("Unexpected EOF")
+	return d.Errf("unexpected EOF")
 }
 // Err generates a custom parse-time error with a message of msg.
@@ -421,7 +421,10 @@ func (d *Dispenser) Errf(format string, args ...any) error {
 // WrapErr takes an existing error and adds the Caddyfile file and line number.
 func (d *Dispenser) WrapErr(err error) error {
-	return fmt.Errorf("%s:%d - Error during parsing: %w, import chain: ['%s']", d.File(), d.Line(), err, strings.Join(d.Token().imports, "','"))
+	if len(d.Token().imports) > 0 {
 		return fmt.Errorf("%w, at %s:%d import chain ['%s']", err, d.File(), d.Line(), strings.Join(d.Token().imports, "','"))
 	}
 	return fmt.Errorf("%w, at %s:%d", err, d.File(), d.Line())
 }
 // Delete deletes the current token and returns the updated slice
@@ -305,7 +305,7 @@ func TestDispenser_ArgErr_Err(t *testing.T) {
 		t.Errorf("Expected error message with custom message in it ('foobar'); got '%v'", err)
 	}
-	var ErrBarIsFull = errors.New("bar is full")
+	ErrBarIsFull := errors.New("bar is full")
 	bookingError := d.Errf("unable to reserve: %w", ErrBarIsFull)
 	if !errors.Is(bookingError, ErrBarIsFull) {
 		t.Errorf("Errf(): should be able to unwrap the error chain")
@@ -18,6 +18,8 @@ import (
 	"bytes"
 	"io"
 	"unicode"
 	"golang.org/x/exp/slices"
 )
 // Format formats the input Caddyfile to a standard, nice-looking
@@ -31,6 +33,14 @@ func Format(input []byte) []byte {
 	out := new(bytes.Buffer)
 	rdr := bytes.NewReader(input)
 	type heredocState int
 	const (
 		heredocClosed  heredocState = 0
 		heredocOpening heredocState = 1
 		heredocOpened  heredocState = 2
 	)
 	var (
 		last rune // the last character that was written to the result
@@ -47,6 +57,11 @@ func Format(input []byte) []byte {
 		quoted  bool // whether we're in a quoted segment
 		escaped bool // whether current char is escaped
 		heredoc              heredocState // whether we're in a heredoc
 		heredocEscaped       bool         // whether heredoc is escaped
 		heredocMarker        []rune
 		heredocClosingMarker []rune
 		nesting int // indentation level
 	)
@@ -75,6 +90,62 @@ func Format(input []byte) []byte {
 			panic(err)
 		}
 		// detect whether we have the start of a heredoc
 		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening
 			space = false
 			continue
 		}
 		if heredoc == heredocOpening {
 			if ch == '\n' {
 				if len(heredocMarker) > 0 && heredocMarkerRegexp.MatchString(string(heredocMarker)) {
 					heredoc = heredocOpened
 				} else {
 					heredocMarker = nil
 					heredoc = heredocClosed
 					nextLine()
 					continue
 				}
 				write(ch)
 				continue
 			}
 			if unicode.IsSpace(ch) {
 				// a space means it's just a regular token and not a heredoc
 				heredocMarker = nil
 				heredoc = heredocClosed
 			} else {
 				heredocMarker = append(heredocMarker, ch)
 				write(ch)
 				continue
 			}
 		}
 		// if we're in a heredoc, all characters are read&write as-is
 		if heredoc == heredocOpened {
 			heredocClosingMarker = append(heredocClosingMarker, ch)
 			if len(heredocClosingMarker) > len(heredocMarker)+1 { // We assert that the heredocClosingMarker is followed by a unicode.Space
 				heredocClosingMarker = heredocClosingMarker[1:]
 			}
 			// check if we're done
 			if unicode.IsSpace(ch) && slices.Equal(heredocClosingMarker[:len(heredocClosingMarker)-1], heredocMarker) {
 				heredocMarker = nil
 				heredocClosingMarker = nil
 				heredoc = heredocClosed
 			} else {
 				write(ch)
 				if ch == '\n' {
 					heredocClosingMarker = heredocClosingMarker[:0]
 				}
 				continue
 			}
 		}
 		if last == '<' && space {
 			space = false
 		}
 		if comment {
 			if ch == '\n' {
 				comment = false
@@ -98,6 +169,9 @@ func Format(input []byte) []byte {
 		}
 		if escaped {
 			if ch == '<' {
 				heredocEscaped = true
 			}
 			write(ch)
 			escaped = false
 			continue
@@ -117,6 +191,7 @@ func Format(input []byte) []byte {
 		if unicode.IsSpace(ch) {
 			space = true
 			heredocEscaped = false
 			if ch == '\n' {
 				newLines++
 			}
@@ -205,6 +280,11 @@ func Format(input []byte) []byte {
 			write('{')
 			openBraceWritten = true
 		}
 		if spacePrior && ch == '<' {
 			space = true
 		}
 		write(ch)
 		beginningOfLine = false
@@ -362,6 +362,76 @@ block {
 block {
 }
 `,
 		},
 		{
 			description: "keep heredoc as-is",
 			input: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 }
 `,
 		},
 		{
 			description: "Mixing heredoc with regular part",
 			input: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten"     200
 }
 block2 {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 block2 {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 		},
 		{
 			description: "Heredoc as regular token",
 			input: `block {
 	heredoc <<HEREDOC                                 "More than one space will be eaten"
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC "More than one space will be eaten"
 }
 `,
 		},
 		{
 			description: "Escape heredoc",
 			input: `block {
 	heredoc \<<HEREDOC
 	respond "More than one space will be eaten"                           200
 }
 `,
 			expect: `block {
 	heredoc \<<HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 		},
 	} {
@@ -19,8 +19,9 @@ import (
 	"strconv"
 	"strings"
 	"github.com/caddyserver/caddy/v2"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2"
 )
 // parseVariadic determines if the token is a variadic placeholder,
@@ -51,6 +52,13 @@ func parseVariadic(token Token, argCount int) (bool, int, int) {
 		return false, 0, 0
 	}
 	// A valid token may contain several placeholders, and
 	// they may be separated by ":". It's not variadic.
 	// https://github.com/caddyserver/caddy/issues/5716
 	if strings.Contains(start, "}") || strings.Contains(end, "{") {
 		return false, 0, 0
 	}
 	var (
 		startIndex = 0
 		endIndex   = argCount
@@ -93,6 +101,11 @@ func makeArgsReplacer(args []string) *caddy.Replacer {
 		// TODO: Remove the deprecated {args.*} placeholder
 		// support at some point in the future
 		if matches := argsRegexpIndexDeprecated.FindStringSubmatch(key); len(matches) > 0 {
 			// What's matched may be a substring of the key
 			if matches[0] != key {
 				return nil, false
 			}
 			value, err := strconv.Atoi(matches[1])
 			if err != nil {
 				caddy.Log().Named("caddyfile").Warn(
@@ -111,6 +124,11 @@ func makeArgsReplacer(args []string) *caddy.Replacer {
 		// Handle args[*] form
 		if matches := argsRegexpIndex.FindStringSubmatch(key); len(matches) > 0 {
 			// What's matched may be a substring of the key
 			if matches[0] != key {
 				return nil, false
 			}
 			if strings.Contains(matches[1], ":") {
 				caddy.Log().Named("caddyfile").Warn(
 					"Variadic placeholder {args[" + matches[1] + "]} must be a token on its own")
@@ -34,6 +34,7 @@ func (i *importGraph) addNode(name string) {
 	}
 	i.nodes[name] = true
 }
 func (i *importGraph) addNodes(names []string) {
 	for _, name := range names {
 		i.addNode(name)
@@ -43,6 +44,7 @@ func (i *importGraph) addNodes(names []string) {
 func (i *importGraph) removeNode(name string) {
 	delete(i.nodes, name)
 }
 func (i *importGraph) removeNodes(names []string) {
 	for _, name := range names {
 		i.removeNode(name)
@@ -73,6 +75,7 @@ func (i *importGraph) addEdge(from, to string) error {
 	i.edges[from] = append(i.edges[from], to)
 	return nil
 }
 func (i *importGraph) addEdges(from string, tos []string) error {
 	for _, to := range tos {
 		err := i.addEdge(from, to)
@@ -137,18 +137,32 @@ func (l *lexer) next() (bool, error) {
 		}
 		// detect whether we have the start of a heredoc
-		if !inHeredoc && !heredocEscaped && len(val) > 1 && string(val[:2]) == "<<" {
+		if !(quoted || btQuoted) && !(inHeredoc || heredocEscaped) &&
-			if ch == '<' {
+			len(val) > 1 && string(val[:2]) == "<<" {
-				return false, fmt.Errorf("too many '<' for heredoc on line #%d; only use two, for example <<END", l.line)
+			// a space means it's just a regular token and not a heredoc
 			if ch == ' ' {
 				return makeToken(0), nil
 			}
 			// skip CR, we only care about LF
 			if ch == '\r' {
 				continue
 			}
 			// after hitting a newline, we know that the heredoc marker
 			// is the characters after the two << and the newline.
 			// we reset the val because the heredoc is syntax we don't
 			// want to keep.
 			if ch == '\n' {
 				if len(val) == 2 {
 					return false, fmt.Errorf("missing opening heredoc marker on line #%d; must contain only alpha-numeric characters, dashes and underscores; got empty string", l.line)
 				}
 				// check if there's too many <
 				if string(val[:3]) == "<<<" {
 					return false, fmt.Errorf("too many '<' for heredoc on line #%d; only use two, for example <<END", l.line)
 				}
 				heredocMarker = string(val[2:])
 				if !heredocMarkerRegexp.Match([]byte(heredocMarker)) {
 					return false, fmt.Errorf("heredoc marker on line #%d must contain only alpha-numeric characters, dashes and underscores; got '%s'", l.line, heredocMarker)
@@ -172,7 +186,7 @@ func (l *lexer) next() (bool, error) {
 			}
 			// check if we're done, i.e. that the last few characters are the marker
-			if len(val) > len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
+			if len(val) >= len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
 				// set the final value
 				val, err = l.finalizeHeredoc(val, heredocMarker)
 				if err != nil {
@@ -299,6 +313,11 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 	// iterate over each line and strip the whitespace from the front
 	var out string
 	for lineNum, lineText := range lines[:len(lines)-1] {
 		if lineText == "" || lineText == "\r" {
 			out += "\n"
 			continue
 		}
 		// find an exact match for the padding
 		index := strings.Index(lineText, paddingToStrip)
@@ -285,6 +285,18 @@ EOF same-line-arg
 		},
 		{
 			input: []byte(`heredoc <<EOF
 EOF
 	HERE same-line-arg
 	`),
 			expected: []Token{
 				{Line: 1, Text: `heredoc`},
 				{Line: 1, Text: ``},
 				{Line: 3, Text: `HERE`},
 				{Line: 3, Text: `same-line-arg`},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 		EOF same-line-arg
 	`),
 			expected: []Token{
@@ -322,15 +334,59 @@ EOF same-line-arg
 			},
 		},
 		{
-			input: []byte(`heredoc <EOF
+			input: []byte(`escaped-heredoc \<< >>`),
 			expected: []Token{
 				{Line: 1, Text: `escaped-heredoc`},
 				{Line: 1, Text: `<<`},
 				{Line: 1, Text: `>>`},
 			},
 		},
 		{
 			input: []byte(`not-a-heredoc <EOF
 	content
 	EOF same-line-arg
 	`),
 			expected: []Token{
-				{Line: 1, Text: `heredoc`},
+				{Line: 1, Text: `not-a-heredoc`},
 				{Line: 1, Text: `<EOF`},
 				{Line: 2, Text: `content`},
-				{Line: 3, Text: `EOF`},
+			},
 		},
 		{
 			input: []byte(`not-a-heredoc <<<EOF content`),
 			expected: []Token{
 				{Line: 1, Text: `not-a-heredoc`},
 				{Line: 1, Text: `<<<EOF`},
 				{Line: 1, Text: `content`},
 			},
 		},
 		{
 			input: []byte(`not-a-heredoc "<<" ">>"`),
 			expected: []Token{
 				{Line: 1, Text: `not-a-heredoc`},
 				{Line: 1, Text: `<<`},
 				{Line: 1, Text: `>>`},
 			},
 		},
 		{
 			input: []byte(`not-a-heredoc << >>`),
 			expected: []Token{
 				{Line: 1, Text: `not-a-heredoc`},
 				{Line: 1, Text: `<<`},
 				{Line: 1, Text: `>>`},
 			},
 		},
 		{
 			input: []byte(`not-a-heredoc <<HERE SAME LINE
 	content
 	HERE same-line-arg
 	`),
 			expected: []Token{
 				{Line: 1, Text: `not-a-heredoc`},
 				{Line: 1, Text: `<<HERE`},
 				{Line: 1, Text: `SAME`},
 				{Line: 1, Text: `LINE`},
 				{Line: 2, Text: `content`},
 				{Line: 3, Text: `HERE`},
 				{Line: 3, Text: `same-line-arg`},
 			},
 		},
@@ -366,12 +422,9 @@ EOF same-line-arg
 			},
 		},
 		{
-			input: []byte(`heredoc <<HERE SAME LINE
+			input:        []byte("not-a-heredoc <<\n"),
 	content
 	HERE same-line-arg
 	`),
 			expectErr:    true,
-			errorMessage: "heredoc marker on line #1 must contain only alpha-numeric characters, dashes and underscores; got 'HERE SAME LINE'",
+			errorMessage: "missing opening heredoc marker on line #1; must contain only alpha-numeric characters, dashes and underscores; got empty string",
 		},
 		{
 			input: []byte(`heredoc <<<EOF
@@ -404,6 +457,48 @@ EOF same-line-arg
 			expectErr:    true,
 			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #2 [        content], expected whitespace [\t\t] to match the closing marker",
 		},
 		{
 			input: []byte(`heredoc <<EOF
 The next line is a blank line
 The previous line is a blank line
 EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "The next line is a blank line\n\nThe previous line is a blank line"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 	One tab indented heredoc with blank next line
 	One tab indented heredoc with blank previous line
 	EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "One tab indented heredoc with blank next line\n\nOne tab indented heredoc with blank previous line"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 The next line is a blank line with one tab
 The previous line is a blank line with one tab
 EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "The next line is a blank line with one tab\n\t\nThe previous line is a blank line with one tab"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 		The next line is a blank line with one tab less than the correct indentation
 		The previous line is a blank line with one tab less than the correct indentation
 		EOF`),
 			expectErr:    true,
 			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #3 [\t], expected whitespace [\t\t] to match the closing marker",
 		},
 	}
 	for i, testCase := range testCases {
@@ -22,8 +22,9 @@ import (
 	"path/filepath"
 	"strings"
 	"github.com/caddyserver/caddy/v2"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2"
 )
 // Parse parses the input just enough to group tokens, in
@@ -159,14 +160,14 @@ func (p *parser) begin() error {
 	}
 	if ok, name := p.isNamedRoute(); ok {
 		// named routes only have one key, the route name
 		p.block.Keys = []string{name}
 		p.block.IsNamedRoute = true
 		// we just need a dummy leading token to ease parsing later
 		nameToken := p.Token()
 		nameToken.Text = name
 		// named routes only have one key, the route name
 		p.block.Keys = []Token{nameToken}
 		p.block.IsNamedRoute = true
 		// get all the tokens from the block, including the braces
 		tokens, err := p.blockTokens(true)
 		if err != nil {
@@ -210,10 +211,11 @@ func (p *parser) addresses() error {
 	var expectingAnother bool
 	for {
-		tkn := p.Val()
+		value := p.Val()
 		token := p.Token()
 		// special case: import directive replaces tokens during parse-time
-		if tkn == "import" && p.isNewLine() {
+		if value == "import" && p.isNewLine() {
 			err := p.doImport(0)
 			if err != nil {
 				return err
@@ -222,9 +224,9 @@ func (p *parser) addresses() error {
 		}
 		// Open brace definitely indicates end of addresses
-		if tkn == "{" {
+		if value == "{" {
 			if expectingAnother {
-				return p.Errf("Expected another address but had '%s' - check for extra comma", tkn)
+				return p.Errf("Expected another address but had '%s' - check for extra comma", value)
 			}
 			// Mark this server block as being defined with braces.
 			// This is used to provide a better error message when
@@ -236,15 +238,15 @@ func (p *parser) addresses() error {
 		}
 		// Users commonly forget to place a space between the address and the '{'
-		if strings.HasSuffix(tkn, "{") {
+		if strings.HasSuffix(value, "{") {
-			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", tkn)
+			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", value)
 		}
-		if tkn != "" { // empty token possible if user typed ""
+		if value != "" { // empty token possible if user typed ""
 			// Trailing comma indicates another address will follow, which
 			// may possibly be on the next line
-			if tkn[len(tkn)-1] == ',' {
+			if value[len(value)-1] == ',' {
-				tkn = tkn[:len(tkn)-1]
+				value = value[:len(value)-1]
 				expectingAnother = true
 			} else {
 				expectingAnother = false // but we may still see another one on this line
@@ -253,11 +255,12 @@ func (p *parser) addresses() error {
 			// If there's a comma here, it's probably because they didn't use a space
 			// between their two domains, e.g. "foo.com,bar.com", which would not be
 			// parsed as two separate site addresses.
-			if strings.Contains(tkn, ",") {
+			if strings.Contains(value, ",") {
-				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", tkn)
+				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", value)
 			}
-			p.block.Keys = append(p.block.Keys, tkn)
+			token.Text = value
 			p.block.Keys = append(p.block.Keys, token)
 		}
 		// Advance token and possibly break out of loop or return error
@@ -565,7 +568,6 @@ func (p *parser) doSingleImport(importFile string) ([]Token, error) {
 // are loaded into the current server block for later use
 // by directive setup functions.
 func (p *parser) directive() error {
 	// a segment is a list of tokens associated with this directive
 	var segment Segment
@@ -637,8 +639,8 @@ func (p *parser) closeCurlyBrace() error {
 func (p *parser) isNamedRoute() (bool, string) {
 	keys := p.block.Keys
 	// A named route block is a single key with parens, prefixed with &.
-	if len(keys) == 1 && strings.HasPrefix(keys[0], "&(") && strings.HasSuffix(keys[0], ")") {
+	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "&(") && strings.HasSuffix(keys[0].Text, ")") {
-		return true, strings.TrimSuffix(keys[0][2:], ")")
+		return true, strings.TrimSuffix(keys[0].Text[2:], ")")
 	}
 	return false, ""
 }
@@ -646,8 +648,8 @@ func (p *parser) isNamedRoute() (bool, string) {
 func (p *parser) isSnippet() (bool, string) {
 	keys := p.block.Keys
 	// A snippet block is a single key with parens. Nothing else qualifies.
-	if len(keys) == 1 && strings.HasPrefix(keys[0], "(") && strings.HasSuffix(keys[0], ")") {
+	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "(") && strings.HasSuffix(keys[0].Text, ")") {
-		return true, strings.TrimSuffix(keys[0][1:], ")")
+		return true, strings.TrimSuffix(keys[0].Text[1:], ")")
 	}
 	return false, ""
 }
@@ -691,11 +693,19 @@ func (p *parser) blockTokens(retainCurlies bool) ([]Token, error) {
 // grouped by segments.
 type ServerBlock struct {
 	HasBraces    bool
-	Keys         []string
+	Keys         []Token
 	Segments     []Segment
 	IsNamedRoute bool
 }
 func (sb ServerBlock) GetKeysText() []string {
 	res := []string{}
 	for _, k := range sb.Keys {
 		res = append(res, k.Text)
 	}
 	return res
 }
 // DispenseDirective returns a dispenser that contains
 // all the tokens in the server block.
 func (sb ServerBlock) DispenseDirective(dir string) *Dispenser {
@@ -22,7 +22,7 @@ import (
 )
 func TestParseVariadic(t *testing.T) {
-	var args = make([]string, 10)
+	args := make([]string, 10)
 	for i, tc := range []struct {
 		input  string
 		result bool
@@ -91,6 +91,10 @@ func TestParseVariadic(t *testing.T) {
 			input:  "{args[0:10]}",
 			result: true,
 		},
 		{
 			input:  "{args[0]}:{args[1]}:{args[2]}",
 			result: false,
 		},
 	} {
 		token := Token{
 			File: "test",
@@ -107,7 +111,6 @@ func TestAllTokens(t *testing.T) {
 	input := []byte("a b c\nd e")
 	expected := []string{"a", "b", "c", "d", "e"}
 	tokens, err := allTokens("TestAllTokens", input)
 	if err != nil {
 		t.Fatalf("Expected no error, got %v", err)
 	}
@@ -145,10 +148,11 @@ func TestParseOneAndImport(t *testing.T) {
 			"localhost",
 		}, []int{1}},
-		{`localhost:1234
+		{
 			`localhost:1234
 		  dir1 foo bar`, false, []string{
-			"localhost:1234",
+				"localhost:1234",
-		}, []int{3},
+			}, []int{3},
 		},
 		{`localhost {
@@ -343,7 +347,7 @@ func TestParseOneAndImport(t *testing.T) {
 				i, len(test.keys), len(result.Keys))
 			continue
 		}
-		for j, addr := range result.Keys {
+		for j, addr := range result.GetKeysText() {
 			if addr != test.keys[j] {
 				t.Errorf("Test %d, key %d: Expected '%s', but was '%s'",
 					i, j, test.keys[j], addr)
@@ -375,8 +379,9 @@ func TestRecursiveImport(t *testing.T) {
 	}
 	isExpected := func(got ServerBlock) bool {
-		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+		textKeys := got.GetKeysText()
-			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
+		if len(textKeys) != 1 || textKeys[0] != "localhost" {
 			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -403,13 +408,13 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import recursive_import_test2`), 0644)
+		import recursive_import_test2`), 0o644)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer os.Remove(recursiveFile1)
-	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0644)
+	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0o644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -437,7 +442,7 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import `+recursiveFile2), 0644)
+		import `+recursiveFile2), 0o644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -470,8 +475,9 @@ func TestDirectiveImport(t *testing.T) {
 	}
 	isExpected := func(got ServerBlock) bool {
-		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+		textKeys := got.GetKeysText()
-			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
+		if len(textKeys) != 1 || textKeys[0] != "localhost" {
 			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -491,7 +497,7 @@ func TestDirectiveImport(t *testing.T) {
 	}
 	err = os.WriteFile(directiveFile, []byte(`prop1 1
-	prop2 2`), 0644)
+	prop2 2`), 0o644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -612,7 +618,7 @@ func TestParseAll(t *testing.T) {
 					i, len(test.keys[j]), j, len(block.Keys))
 				continue
 			}
-			for k, addr := range block.Keys {
+			for k, addr := range block.GetKeysText() {
 				if addr != test.keys[j][k] {
 					t.Errorf("Test %d, block %d, key %d: Expected '%s', but got '%s'",
 						i, j, k, test.keys[j][k], addr)
@@ -718,6 +724,36 @@ func TestEnvironmentReplacement(t *testing.T) {
 	}
 }
 func TestImportReplacementInJSONWithBrace(t *testing.T) {
 	for i, test := range []struct {
 		args   []string
 		input  string
 		expect string
 	}{
 		{
 			args:   []string{"123"},
 			input:  "{args[0]}",
 			expect: "123",
 		},
 		{
 			args:   []string{"123"},
 			input:  `{"key":"{args[0]}"}`,
 			expect: `{"key":"123"}`,
 		},
 		{
 			args:   []string{"123", "123"},
 			input:  `{"key":[{args[0]},{args[1]}]}`,
 			expect: `{"key":[123,123]}`,
 		},
 	} {
 		repl := makeArgsReplacer(test.args)
 		actual := repl.ReplaceKnown(test.input, "")
 		if actual != test.expect {
 			t.Errorf("Test %d: Expected: '%s' but got '%s'", i, test.expect, actual)
 		}
 	}
 }
 func TestSnippets(t *testing.T) {
 	p := testParser(`
 		(common) {
@@ -735,7 +771,7 @@ func TestSnippets(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 2 {
@@ -767,7 +803,7 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	fileName := writeStringToTempFileOrDie(t, `
 		http://example.com {
 			# This isn't an import directive, it's just an arg with value 'import'
-			basicauth / import password
+			basic_auth / import password
 		}
 	`)
 	// Parse the root file that imports the other one.
@@ -778,12 +814,12 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	}
 	auth := blocks[0].Segments[0]
 	line := auth[0].Text + " " + auth[1].Text + " " + auth[2].Text + " " + auth[3].Text
-	if line != "basicauth / import password" {
+	if line != "basic_auth / import password" {
 		// Previously, it would be changed to:
-		//   basicauth / import /path/to/test/dir/password
+		//   basic_auth / import /path/to/test/dir/password
 		// referencing a file that (probably) doesn't exist and changing the
 		// password!
-		t.Errorf("Expected basicauth tokens to be 'basicauth / import password' but got %#q", line)
+		t.Errorf("Expected basic_auth tokens to be 'basic_auth / import password' but got %#q", line)
 	}
 }
@@ -810,7 +846,7 @@ func TestSnippetAcrossMultipleFiles(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 1 {
@@ -24,10 +24,11 @@ import (
 	"strings"
 	"unicode"
 	"github.com/caddyserver/certmagic"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/certmagic"
 )
 // mapAddressToServerBlocks returns a map of listener address to list of server
@@ -77,7 +78,8 @@ import (
 // multiple addresses to the same lists of server blocks (a many:many mapping).
 // (Doing this is essentially a map-reduce technique.)
 func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBlock,
-	options map[string]any) (map[string][]serverBlock, error) {
+	options map[string]any,
 ) (map[string][]serverBlock, error) {
 	sbmap := make(map[string][]serverBlock)
 	for i, sblock := range originalServerBlocks {
@@ -86,15 +88,15 @@ func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBloc
 		// will be served by them; this has the effect of treating each
 		// key of a server block as its own, but without having to repeat its
 		// contents in cases where multiple keys really can be served together
-		addrToKeys := make(map[string][]string)
+		addrToKeys := make(map[string][]caddyfile.Token)
 		for j, key := range sblock.block.Keys {
 			// a key can have multiple listener addresses if there are multiple
 			// arguments to the 'bind' directive (although they will all have
 			// the same port, since the port is defined by the key or is implicit
 			// through automatic HTTPS)
-			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key, options)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key.Text, options)
 			if err != nil {
-				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key, err)
+				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key.Text, err)
 			}
 			// associate this key with each listener address it is served on
@@ -120,9 +122,9 @@ func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBloc
 			// parse keys so that we only have to do it once
 			parsedKeys := make([]Address, 0, len(keys))
 			for _, key := range keys {
-				addr, err := ParseAddress(key)
+				addr, err := ParseAddress(key.Text)
 				if err != nil {
-					return nil, fmt.Errorf("parsing key '%s': %v", key, err)
+					return nil, fmt.Errorf("parsing key '%s': %v", key.Text, err)
 				}
 				parsedKeys = append(parsedKeys, addr.Normalize())
 			}
@@ -187,13 +189,25 @@ func (st *ServerType) consolidateAddrMappings(addrToServerBlocks map[string][]se
 // listenerAddrsForServerBlockKey essentially converts the Caddyfile
 // site addresses to Caddy listener addresses for each server block.
 func (st *ServerType) listenerAddrsForServerBlockKey(sblock serverBlock, key string,
-	options map[string]any) ([]string, error) {
+	options map[string]any,
 ) ([]string, error) {
 	addr, err := ParseAddress(key)
 	if err != nil {
 		return nil, fmt.Errorf("parsing key: %v", err)
 	}
 	addr = addr.Normalize()
 	switch addr.Scheme {
 	case "wss":
 		return nil, fmt.Errorf("the scheme wss:// is only supported in browsers; use https:// instead")
 	case "ws":
 		return nil, fmt.Errorf("the scheme ws:// is only supported in browsers; use http:// instead")
 	case "https", "http", "":
 		// Do nothing or handle the valid schemes
 	default:
 		return nil, fmt.Errorf("unsupported URL scheme %s://", addr.Scheme)
 	}
 	// figure out the HTTP and HTTPS ports; either
 	// use defaults, or override with user config
 	httpPort, httpsPort := strconv.Itoa(caddyhttp.DefaultHTTPPort), strconv.Itoa(caddyhttp.DefaultHTTPSPort)
@@ -41,6 +41,7 @@ var directiveOrder = []string{
 	"map",
 	"vars",
 	"fs",
 	"root",
 	"skip_log",
@@ -57,7 +58,8 @@ var directiveOrder = []string{
 	"try_files",
 	// middleware handlers; some wrap responses
-	"basicauth",
+	"basicauth", // TODO: deprecated, renamed to basic_auth
 	"basic_auth",
 	"forward_auth",
 	"request_header",
 	"encode",
@@ -217,7 +219,8 @@ func (h Helper) ExtractMatcherSet() (caddy.ModuleMap, error) {
 // NewRoute returns config values relevant to creating a new HTTP route.
 func (h Helper) NewRoute(matcherSet caddy.ModuleMap,
-	handler caddyhttp.MiddlewareHandler) []ConfigValue {
+	handler caddyhttp.MiddlewareHandler,
 ) []ConfigValue {
 	mod, err := caddy.GetModule(caddy.GetModuleID(handler))
 	if err != nil {
 		*h.warnings = append(*h.warnings, caddyconfig.Warning{
@@ -269,12 +272,6 @@ func (h Helper) GroupRoutes(vals []ConfigValue) {
 	}
 }
 // NewBindAddresses returns config values relevant to adding
 // listener bind addresses to the config.
 func (h Helper) NewBindAddresses(addrs []string) []ConfigValue {
 	return []ConfigValue{{Class: "bind", Value: addrs}}
 }
 // WithDispenser returns a new instance based on d. All others Helper
 // fields are copied, so typically maps are shared with this new instance.
 func (h Helper) WithDispenser(d *caddyfile.Dispenser) Helper {
@@ -31,20 +31,23 @@ func TestHostsFromKeys(t *testing.T) {
 			[]Address{
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{}, []string{},
+			[]string{},
 			[]string{},
 		},
 		{
 			[]Address{
 				{Original: ":443", Port: "443"},
 			},
-			[]string{}, []string{},
+			[]string{},
 			[]string{},
 		},
 		{
 			[]Address{
 				{Original: "foo", Host: "foo"},
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{}, []string{"foo"},
+			[]string{},
 			[]string{"foo"},
 		},
 		{
 			[]Address{
@@ -17,20 +17,21 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"reflect"
 	"regexp"
 	"sort"
 	"strconv"
 	"strings"
 	"go.uber.org/zap"
 	"golang.org/x/exp/slices"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddypki"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 	"go.uber.org/zap"
 	"golang.org/x/exp/slices"
 )
 func init() {
@@ -49,8 +50,7 @@ type App struct {
 }
 // ServerType can set up a config from an HTTP Caddyfile.
-type ServerType struct {
+type ServerType struct{}
 }
 // Setup makes a config from the tokens.
 func (st ServerType) Setup(
@@ -65,8 +65,11 @@ func (st ServerType) Setup(
 	originalServerBlocks := make([]serverBlock, 0, len(inputServerBlocks))
 	for _, sblock := range inputServerBlocks {
 		for j, k := range sblock.Keys {
-			if j == 0 && strings.HasPrefix(k, "@") {
+			if j == 0 && strings.HasPrefix(k.Text, "@") {
-				return nil, warnings, fmt.Errorf("cannot define a matcher outside of a site block: '%s'", k)
+				return nil, warnings, fmt.Errorf("%s:%d: cannot define a matcher outside of a site block: '%s'", k.File, k.Line, k.Text)
 			}
 			if _, ok := registeredDirectives[k.Text]; ok {
 				return nil, warnings, fmt.Errorf("%s:%d: parsed '%s' as a site address, but it is a known directive; directives must appear in a site block", k.File, k.Line, k.Text)
 			}
 		}
 		originalServerBlocks = append(originalServerBlocks, serverBlock{
@@ -82,46 +85,18 @@ func (st ServerType) Setup(
 		return nil, warnings, err
 	}
-	originalServerBlocks, err = st.extractNamedRoutes(originalServerBlocks, options, &warnings)
+	// this will replace both static and user-defined placeholder shorthands
 	// with actual identifiers used by Caddy
 	replacer := NewShorthandReplacer()
 	originalServerBlocks, err = st.extractNamedRoutes(originalServerBlocks, options, &warnings, replacer)
 	if err != nil {
 		return nil, warnings, err
 	}
 	// replace shorthand placeholders (which are convenient
 	// when writing a Caddyfile) with their actual placeholder
 	// identifiers or variable names
 	replacer := strings.NewReplacer(placeholderShorthands()...)
 	// these are placeholders that allow a user-defined final
 	// parameters, but we still want to provide a shorthand
 	// for those, so we use a regexp to replace
 	regexpReplacements := []struct {
 		search  *regexp.Regexp
 		replace string
 	}{
 		{regexp.MustCompile(`{header\.([\w-]*)}`), "{http.request.header.$1}"},
 		{regexp.MustCompile(`{cookie\.([\w-]*)}`), "{http.request.cookie.$1}"},
 		{regexp.MustCompile(`{labels\.([\w-]*)}`), "{http.request.host.labels.$1}"},
 		{regexp.MustCompile(`{path\.([\w-]*)}`), "{http.request.uri.path.$1}"},
 		{regexp.MustCompile(`{file\.([\w-]*)}`), "{http.request.uri.path.file.$1}"},
 		{regexp.MustCompile(`{query\.([\w-]*)}`), "{http.request.uri.query.$1}"},
 		{regexp.MustCompile(`{re\.([\w-]*)\.([\w-]*)}`), "{http.regexp.$1.$2}"},
 		{regexp.MustCompile(`{vars\.([\w-]*)}`), "{http.vars.$1}"},
 		{regexp.MustCompile(`{rp\.([\w-\.]*)}`), "{http.reverse_proxy.$1}"},
 		{regexp.MustCompile(`{err\.([\w-\.]*)}`), "{http.error.$1}"},
 		{regexp.MustCompile(`{file_match\.([\w-]*)}`), "{http.matchers.file.$1}"},
 	}
 	for _, sb := range originalServerBlocks {
-		for _, segment := range sb.block.Segments {
+		for i := range sb.block.Segments {
-			for i := 0; i < len(segment); i++ {
+			replacer.ApplyToSegment(&sb.block.Segments[i])
 				// simple string replacements
 				segment[i].Text = replacer.Replace(segment[i].Text)
 				// complex regexp replacements
 				for _, r := range regexpReplacements {
 					segment[i].Text = r.search.ReplaceAllString(segment[i].Text, r.replace)
 				}
 			}
 		}
 		if len(sb.block.Keys) == 0 {
@@ -299,6 +274,12 @@ func (st ServerType) Setup(
 	if !reflect.DeepEqual(pkiApp, &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}) {
 		cfg.AppsRaw["pki"] = caddyconfig.JSON(pkiApp, &warnings)
 	}
 	if filesystems, ok := options["filesystem"].(caddy.Module); ok {
 		cfg.AppsRaw["caddy.filesystems"] = caddyconfig.JSON(
 			filesystems,
 			&warnings)
 	}
 	if storageCvtr, ok := options["storage"].(caddy.StorageConverter); ok {
 		cfg.StorageRaw = caddyconfig.JSONModuleObject(storageCvtr,
 			"module",
@@ -308,7 +289,6 @@ func (st ServerType) Setup(
 	if adminConfig, ok := options["admin"].(*caddy.AdminConfig); ok && adminConfig != nil {
 		cfg.Admin = adminConfig
 	}
 	if pc, ok := options["persist_config"].(string); ok && pc == "off" {
 		if cfg.Admin == nil {
 			cfg.Admin = new(caddy.AdminConfig)
@@ -452,6 +432,7 @@ func (ServerType) extractNamedRoutes(
 	serverBlocks []serverBlock,
 	options map[string]any,
 	warnings *[]caddyconfig.Warning,
 	replacer ShorthandReplacer,
 ) ([]serverBlock, error) {
 	namedRoutes := map[string]*caddyhttp.Route{}
@@ -477,11 +458,14 @@ func (ServerType) extractNamedRoutes(
 			continue
 		}
 		// zip up all the segments since ParseSegmentAsSubroute
 		// was designed to take a directive+
 		wholeSegment := caddyfile.Segment{}
-		for _, segment := range sb.block.Segments {
+		for i := range sb.block.Segments {
-			wholeSegment = append(wholeSegment, segment...)
+			// replace user-defined placeholder shorthands in extracted named routes
 			replacer.ApplyToSegment(&sb.block.Segments[i])
 			// zip up all the segments since ParseSegmentAsSubroute
 			// was designed to take a directive+
 			wholeSegment = append(wholeSegment, sb.block.Segments[i]...)
 		}
 		h := Helper{
@@ -509,7 +493,7 @@ func (ServerType) extractNamedRoutes(
 			route.HandlersRaw = []json.RawMessage{caddyconfig.JSONModuleObject(handler, "handler", subroute.CaddyModule().ID.Name(), h.warnings)}
 		}
-		namedRoutes[sb.block.Keys[0]] = &route
+		namedRoutes[sb.block.GetKeysText()[0]] = &route
 	}
 	options["named_routes"] = namedRoutes
@@ -547,12 +531,12 @@ func (st *ServerType) serversFromPairings(
 		// address), otherwise their routes will improperly be added
 		// to the same server (see issue #4635)
 		for j, sblock1 := range p.serverBlocks {
-			for _, key := range sblock1.block.Keys {
+			for _, key := range sblock1.block.GetKeysText() {
 				for k, sblock2 := range p.serverBlocks {
 					if k == j {
 						continue
 					}
-					if sliceContains(sblock2.block.Keys, key) {
+					if sliceContains(sblock2.block.GetKeysText(), key) {
 						return nil, fmt.Errorf("ambiguous site definition: %s", key)
 					}
 				}
@@ -710,6 +694,7 @@ func (st *ServerType) serversFromPairings(
 					}
 					if len(hosts) > 0 {
 						slices.Sort(hosts) // for deterministic JSON output
 						cp.MatchersRaw = caddy.ModuleMap{
 							"sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones
 						}
@@ -741,10 +726,20 @@ func (st *ServerType) serversFromPairings(
 					}
 				}
 				// If TLS is specified as directive, it will also result in 1 or more connection policy being created
 				// Thus, catch-all address with non-standard port, e.g. :8443, can have TLS enabled without
 				// specifying prefix "https://"
 				// Second part of the condition is to allow creating TLS conn policy even though `auto_https` has been disabled
 				// ensuring compatibility with behavior described in below link
 				// https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
 				createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
 				hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
 					(addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))
 				// we'll need to remember if the address qualifies for auto-HTTPS, so we
 				// can add a TLS conn policy if necessary
 				if addr.Scheme == "https" ||
-					(addr.Scheme != "http" && addr.Host != "" && addr.Port != httpPort) {
+					(addr.Scheme != "http" && addr.Port != httpPort && hasTLSEnabled) {
 					addressQualifiesForTLS = true
 				}
 				// predict whether auto-HTTPS will add the conn policy for us; if so, we
@@ -782,10 +777,19 @@ func (st *ServerType) serversFromPairings(
 				if srv.Errors == nil {
 					srv.Errors = new(caddyhttp.HTTPErrorConfig)
 				}
 				sort.SliceStable(errorSubrouteVals, func(i, j int) bool {
 					sri, srj := errorSubrouteVals[i].Value.(*caddyhttp.Subroute), errorSubrouteVals[j].Value.(*caddyhttp.Subroute)
 					if len(sri.Routes[0].MatcherSetsRaw) == 0 && len(srj.Routes[0].MatcherSetsRaw) != 0 {
 						return false
 					}
 					return true
 				})
 				errorsSubroute := &caddyhttp.Subroute{}
 				for _, val := range errorSubrouteVals {
 					sr := val.Value.(*caddyhttp.Subroute)
-					srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, sr, matcherSetsEnc, p, warnings)
+					errorsSubroute.Routes = append(errorsSubroute.Routes, sr.Routes...)
 				}
 				srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, errorsSubroute, matcherSetsEnc, p, warnings)
 			}
 			// add log associations
@@ -811,7 +815,12 @@ func (st *ServerType) serversFromPairings(
 						if srv.Logs.LoggerNames == nil {
 							srv.Logs.LoggerNames = make(map[string]string)
 						}
-						srv.Logs.LoggerNames[h] = ncl.name
+						// strip the port from the host, if any
 						host, _, err := net.SplitHostPort(h)
 						if err != nil {
 							host = h
 						}
 						srv.Logs.LoggerNames[host] = ncl.name
 					}
 				}
 			}
@@ -828,6 +837,11 @@ func (st *ServerType) serversFromPairings(
 			}
 		}
 		// sort for deterministic JSON output
 		if srv.Logs != nil {
 			slices.Sort(srv.Logs.SkipHosts)
 		}
 		// a server cannot (natively) serve both HTTP and HTTPS at the
 		// same time, so make sure the configuration isn't in conflict
 		err := detectConflictingSchemes(srv, p.serverBlocks, options)
@@ -1059,8 +1073,8 @@ func appendSubrouteToRouteList(routeList caddyhttp.RouteList,
 	subroute *caddyhttp.Subroute,
 	matcherSetsEnc []caddy.ModuleMap,
 	p sbAddrAssociation,
-	warnings *[]caddyconfig.Warning) caddyhttp.RouteList {
+	warnings *[]caddyconfig.Warning,
-
+) caddyhttp.RouteList {
 	// nothing to do if... there's nothing to do
 	if len(matcherSetsEnc) == 0 && len(subroute.Routes) == 0 && subroute.Errors == nil {
 		return routeList
@@ -1370,68 +1384,73 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 }
 func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.ModuleMap) error {
-	for d.Next() {
+	d.Next() // advance to the first token
 		// this is the "name" for "named matchers"
 		definitionName := d.Val()
-		if _, ok := matchers[definitionName]; ok {
+	// this is the "name" for "named matchers"
-			return fmt.Errorf("matcher is defined more than once: %s", definitionName)
+	definitionName := d.Val()
 	if _, ok := matchers[definitionName]; ok {
 		return fmt.Errorf("matcher is defined more than once: %s", definitionName)
 	}
 	matchers[definitionName] = make(caddy.ModuleMap)
 	// given a matcher name and the tokens following it, parse
 	// the tokens as a matcher module and record it
 	makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
 		mod, err := caddy.GetModule("http.matchers." + matcherName)
 		if err != nil {
 			return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
 		}
-		matchers[definitionName] = make(caddy.ModuleMap)
+		unm, ok := mod.New().(caddyfile.Unmarshaler)
 		if !ok {
 			return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
 		}
 		err = unm.UnmarshalCaddyfile(caddyfile.NewDispenser(tokens))
 		if err != nil {
 			return err
 		}
 		rm, ok := unm.(caddyhttp.RequestMatcher)
 		if !ok {
 			return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
 		}
 		matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
 		return nil
 	}
-		// given a matcher name and the tokens following it, parse
+	// if the next token is quoted, we can assume it's not a matcher name
-		// the tokens as a matcher module and record it
+	// and that it's probably an 'expression' matcher
-		makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
+	if d.NextArg() {
-			mod, err := caddy.GetModule("http.matchers." + matcherName)
+		if d.Token().Quoted() {
-			if err != nil {
+			// since it was missing the matcher name, we insert a token
-				return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
+			// in front of the expression token itself
-			}
+			err := makeMatcher("expression", []caddyfile.Token{
-			unm, ok := mod.New().(caddyfile.Unmarshaler)
+				{Text: "expression", File: d.File(), Line: d.Line()},
-			if !ok {
+				d.Token(),
-				return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
+			})
 			}
 			err = unm.UnmarshalCaddyfile(caddyfile.NewDispenser(tokens))
 			if err != nil {
 				return err
 			}
 			rm, ok := unm.(caddyhttp.RequestMatcher)
 			if !ok {
 				return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
 			}
 			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
 			return nil
 		}
-		// if the next token is quoted, we can assume it's not a matcher name
+		// if it wasn't quoted, then we need to rewind after calling
-		// and that it's probably an 'expression' matcher
+		// d.NextArg() so the below properly grabs the matcher name
-		if d.NextArg() {
+		d.Prev()
-			if d.Token().Quoted() {
+	}
 				err := makeMatcher("expression", []caddyfile.Token{d.Token()})
 				if err != nil {
 					return err
 				}
 				continue
 			}
-			// if it wasn't quoted, then we need to rewind after calling
+	// in case there are multiple instances of the same matcher, concatenate
-			// d.NextArg() so the below properly grabs the matcher name
+	// their tokens (we expect that UnmarshalCaddyfile should be able to
-			d.Prev()
+	// handle more than one segment); otherwise, we'd overwrite other
-		}
+	// instances of the matcher in this set
-
+	tokensByMatcherName := make(map[string][]caddyfile.Token)
-		// in case there are multiple instances of the same matcher, concatenate
+	for nesting := d.Nesting(); d.NextArg() || d.NextBlock(nesting); {
-		// their tokens (we expect that UnmarshalCaddyfile should be able to
+		matcherName := d.Val()
-		// handle more than one segment); otherwise, we'd overwrite other
+		tokensByMatcherName[matcherName] = append(tokensByMatcherName[matcherName], d.NextSegment()...)
-		// instances of the matcher in this set
+	}
-		tokensByMatcherName := make(map[string][]caddyfile.Token)
+	for matcherName, tokens := range tokensByMatcherName {
-		for nesting := d.Nesting(); d.NextArg() || d.NextBlock(nesting); {
+		err := makeMatcher(matcherName, tokens)
-			matcherName := d.Val()
+		if err != nil {
-			tokensByMatcherName[matcherName] = append(tokensByMatcherName[matcherName], d.NextSegment()...)
+			return err
 		}
 		for matcherName, tokens := range tokensByMatcherName {
 			err := makeMatcher(matcherName, tokens)
 			if err != nil {
 				return err
 			}
 		}
 	}
 	return nil
@@ -1449,37 +1468,6 @@ func encodeMatcherSet(matchers map[string]caddyhttp.RequestMatcher) (caddy.Modul
 	return msEncoded, nil
 }
 // placeholderShorthands returns a slice of old-new string pairs,
 // where the left of the pair is a placeholder shorthand that may
 // be used in the Caddyfile, and the right is the replacement.
 func placeholderShorthands() []string {
 	return []string{
 		"{dir}", "{http.request.uri.path.dir}",
 		"{file}", "{http.request.uri.path.file}",
 		"{host}", "{http.request.host}",
 		"{hostport}", "{http.request.hostport}",
 		"{port}", "{http.request.port}",
 		"{method}", "{http.request.method}",
 		"{path}", "{http.request.uri.path}",
 		"{query}", "{http.request.uri.query}",
 		"{remote}", "{http.request.remote}",
 		"{remote_host}", "{http.request.remote.host}",
 		"{remote_port}", "{http.request.remote.port}",
 		"{scheme}", "{http.request.scheme}",
 		"{uri}", "{http.request.uri}",
 		"{tls_cipher}", "{http.request.tls.cipher_suite}",
 		"{tls_version}", "{http.request.tls.version}",
 		"{tls_client_fingerprint}", "{http.request.tls.client.fingerprint}",
 		"{tls_client_issuer}", "{http.request.tls.client.issuer}",
 		"{tls_client_serial}", "{http.request.tls.client.serial}",
 		"{tls_client_subject}", "{http.request.tls.client.subject}",
 		"{tls_client_certificate_pem}", "{http.request.tls.client.certificate_pem}",
 		"{tls_client_certificate_der_base64}", "{http.request.tls.client.certificate_der_base64}",
 		"{upstream_hostport}", "{http.reverse_proxy.upstream.hostport}",
 		"{client_ip}", "{http.vars.client_ip}",
 	}
 }
 // WasReplacedPlaceholderShorthand checks if a token string was
 // likely a replaced shorthand of the known Caddyfile placeholder
 // replacement outputs. Useful to prevent some user-defined map
@@ -1608,8 +1596,10 @@ type sbAddrAssociation struct {
 	serverBlocks []serverBlock
 }
-const matcherPrefix = "@"
+const (
-const namedRouteKey = "named_route"
+	matcherPrefix = "@"
 	namedRouteKey = "named_route"
 )
 // Interface guard
 var _ caddyfile.ServerType = (*ServerType)(nil)
@@ -17,12 +17,13 @@ package httpcaddyfile
 import (
 	"strconv"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 )
 func init() {
@@ -61,105 +62,103 @@ func init() {
 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
 func parseOptHTTPPort(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	var httpPort int
-	for d.Next() {
+	var httpPortStr string
-		var httpPortStr string
+	if !d.AllArgs(&httpPortStr) {
-		if !d.AllArgs(&httpPortStr) {
+		return 0, d.ArgErr()
-			return 0, d.ArgErr()
+	}
-		}
+	var err error
-		var err error
+	httpPort, err = strconv.Atoi(httpPortStr)
-		httpPort, err = strconv.Atoi(httpPortStr)
+	if err != nil {
-		if err != nil {
+		return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
 			return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
 		}
 	}
 	return httpPort, nil
 }
 func parseOptHTTPSPort(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	var httpsPort int
-	for d.Next() {
+	var httpsPortStr string
-		var httpsPortStr string
+	if !d.AllArgs(&httpsPortStr) {
-		if !d.AllArgs(&httpsPortStr) {
+		return 0, d.ArgErr()
-			return 0, d.ArgErr()
+	}
-		}
+	var err error
-		var err error
+	httpsPort, err = strconv.Atoi(httpsPortStr)
-		httpsPort, err = strconv.Atoi(httpsPortStr)
+	if err != nil {
-		if err != nil {
+		return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
 			return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
 		}
 	}
 	return httpsPort, nil
 }
 func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	// get directive name
 	if !d.Next() {
 		return nil, d.ArgErr()
 	}
 	dirName := d.Val()
 	if _, ok := registeredDirectives[dirName]; !ok {
 		return nil, d.Errf("%s is not a registered directive", dirName)
 	}
 	// get positional token
 	if !d.Next() {
 		return nil, d.ArgErr()
 	}
 	pos := d.Val()
 	newOrder := directiveOrder
-	for d.Next() {
+	// if directive exists, first remove it
-		// get directive name
+	for i, d := range newOrder {
-		if !d.Next() {
+		if d == dirName {
-			return nil, d.ArgErr()
+			newOrder = append(newOrder[:i], newOrder[i+1:]...)
-		}
+			break
 		dirName := d.Val()
 		if _, ok := registeredDirectives[dirName]; !ok {
 			return nil, d.Errf("%s is not a registered directive", dirName)
 		}
 	}
-		// get positional token
+	// act on the positional
-		if !d.Next() {
+	switch pos {
-			return nil, d.ArgErr()
+	case "first":
-		}
+		newOrder = append([]string{dirName}, newOrder...)
 		pos := d.Val()
 		// if directive exists, first remove it
 		for i, d := range newOrder {
 			if d == dirName {
 				newOrder = append(newOrder[:i], newOrder[i+1:]...)
 				break
 			}
 		}
 		// act on the positional
 		switch pos {
 		case "first":
 			newOrder = append([]string{dirName}, newOrder...)
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			directiveOrder = newOrder
 			return newOrder, nil
 		case "last":
 			newOrder = append(newOrder, dirName)
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			directiveOrder = newOrder
 			return newOrder, nil
 		case "before":
 		case "after":
 		default:
 			return nil, d.Errf("unknown positional '%s'", pos)
 		}
 		// get name of other directive
 		if !d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		otherDir := d.Val()
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
 	case "last":
 		newOrder = append(newOrder, dirName)
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
 	case "before":
 	case "after":
 	default:
 		return nil, d.Errf("unknown positional '%s'", pos)
 	}
-		// insert directive into proper position
+	// get name of other directive
-		for i, d := range newOrder {
+	if !d.NextArg() {
-			if d == otherDir {
+		return nil, d.ArgErr()
-				if pos == "before" {
+	}
-					newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
+	otherDir := d.Val()
-				} else if pos == "after" {
+	if d.NextArg() {
-					newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
+		return nil, d.ArgErr()
-				}
+	}
-				break
+
 	// insert directive into proper position
 	for i, d := range newOrder {
 		if d == otherDir {
 			if pos == "before" {
 				newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
 			} else if pos == "after" {
 				newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
 			}
 			break
 		}
 	}
@@ -222,57 +221,58 @@ func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
-	for d.Next() {
+	d.Next() // consume option name
-		if d.NextArg() {
+	if d.NextArg() {
-			return nil, d.ArgErr()
+		return nil, d.ArgErr()
-		}
+	}
-		for nesting := d.Nesting(); d.NextBlock(nesting); {
+	for d.NextBlock(0) {
-			switch d.Val() {
+		switch d.Val() {
-			case "key_id":
+		case "key_id":
-				if !d.NextArg() {
+			if !d.NextArg() {
-					return nil, d.ArgErr()
+				return nil, d.ArgErr()
 				}
 				eab.KeyID = d.Val()
 			case "mac_key":
 				if !d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				eab.MACKey = d.Val()
 			default:
 				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 			eab.KeyID = d.Val()
 		case "mac_key":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			eab.MACKey = d.Val()
 		default:
 			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 		}
 	}
 	return eab, nil
 }
 func parseOptCertIssuer(d *caddyfile.Dispenser, existing any) (any, error) {
 	d.Next() // consume option name
 	var issuers []certmagic.Issuer
 	if existing != nil {
 		issuers = existing.([]certmagic.Issuer)
 	}
-	for d.Next() { // consume option name
+
-		if !d.Next() { // get issuer module name
+	// get issuer module name
-			return nil, d.ArgErr()
+	if !d.Next() {
-		}
+		return nil, d.ArgErr()
 		modID := "tls.issuance." + d.Val()
 		unm, err := caddyfile.UnmarshalModule(d, modID)
 		if err != nil {
 			return nil, err
 		}
 		iss, ok := unm.(certmagic.Issuer)
 		if !ok {
 			return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
 		}
 		issuers = append(issuers, iss)
 	}
 	modID := "tls.issuance." + d.Val()
 	unm, err := caddyfile.UnmarshalModule(d, modID)
 	if err != nil {
 		return nil, err
 	}
 	iss, ok := unm.(certmagic.Issuer)
 	if !ok {
 		return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
 	}
 	issuers = append(issuers, iss)
 	return issuers, nil
 }
 func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume parameter name
+	d.Next() // consume option name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -284,7 +284,7 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume parameter name
+	d.Next() // consume option name
 	val := d.RemainingArgs()
 	if len(val) == 0 {
 		return "", d.ArgErr()
@@ -293,33 +293,33 @@ func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	adminCfg := new(caddy.AdminConfig)
-	for d.Next() {
+	if d.NextArg() {
-		if d.NextArg() {
+		listenAddress := d.Val()
-			listenAddress := d.Val()
+		if listenAddress == "off" {
-			if listenAddress == "off" {
+			adminCfg.Disabled = true
-				adminCfg.Disabled = true
+			if d.Next() { // Do not accept any remaining options including block
-				if d.Next() { // Do not accept any remaining options including block
+				return nil, d.Err("No more option is allowed after turning off admin config")
-					return nil, d.Err("No more option is allowed after turning off admin config")
+			}
-				}
+		} else {
-			} else {
+			adminCfg.Listen = listenAddress
-				adminCfg.Listen = listenAddress
+			if d.NextArg() { // At most 1 arg is allowed
-				if d.NextArg() { // At most 1 arg is allowed
+				return nil, d.ArgErr()
 					return nil, d.ArgErr()
 				}
 			}
 		}
-		for nesting := d.Nesting(); d.NextBlock(nesting); {
+	}
-			switch d.Val() {
+	for d.NextBlock(0) {
-			case "enforce_origin":
+		switch d.Val() {
-				adminCfg.EnforceOrigin = true
+		case "enforce_origin":
 			adminCfg.EnforceOrigin = true
-			case "origins":
+		case "origins":
-				adminCfg.Origins = d.RemainingArgs()
+			adminCfg.Origins = d.RemainingArgs()
-			default:
+		default:
-				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 		}
 	}
 	if adminCfg.Listen == "" && !adminCfg.Disabled {
@@ -329,57 +329,59 @@ func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	if d.NextArg() {
 		return nil, d.ArgErr()
 	}
 	var ond *caddytls.OnDemandConfig
 	for d.Next() {
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "ask":
 				if !d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				if ond == nil {
 					ond = new(caddytls.OnDemandConfig)
 				}
 				ond.Ask = d.Val()
-			case "interval":
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
-				if !d.NextArg() {
+		switch d.Val() {
-					return nil, d.ArgErr()
+		case "ask":
-				}
+			if !d.NextArg() {
-				dur, err := caddy.ParseDuration(d.Val())
+				return nil, d.ArgErr()
 				if err != nil {
 					return nil, err
 				}
 				if ond == nil {
 					ond = new(caddytls.OnDemandConfig)
 				}
 				if ond.RateLimit == nil {
 					ond.RateLimit = new(caddytls.RateLimit)
 				}
 				ond.RateLimit.Interval = caddy.Duration(dur)
 			case "burst":
 				if !d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				burst, err := strconv.Atoi(d.Val())
 				if err != nil {
 					return nil, err
 				}
 				if ond == nil {
 					ond = new(caddytls.OnDemandConfig)
 				}
 				if ond.RateLimit == nil {
 					ond.RateLimit = new(caddytls.RateLimit)
 				}
 				ond.RateLimit.Burst = burst
 			default:
 				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
 			perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
 			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
 		case "interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			dur, err := caddy.ParseDuration(d.Val())
 			if err != nil {
 				return nil, err
 			}
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
 			if ond.RateLimit == nil {
 				ond.RateLimit = new(caddytls.RateLimit)
 			}
 			ond.RateLimit.Interval = caddy.Duration(dur)
 		case "burst":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			burst, err := strconv.Atoi(d.Val())
 			if err != nil {
 				return nil, err
 			}
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
 			if ond.RateLimit == nil {
 				ond.RateLimit = new(caddytls.RateLimit)
 			}
 			ond.RateLimit.Burst = burst
 		default:
 			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 		}
 	}
 	if ond == nil {
@@ -389,7 +391,7 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume parameter name
+	d.Next() // consume option name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -404,7 +406,7 @@ func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume parameter name
+	d.Next() // consume option name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -48,124 +48,124 @@ func init() {
 //
 // When the CA ID is unspecified, 'local' is assumed.
 func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
-	pki := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
+	d.Next() // consume app name
-	for d.Next() {
+	pki := &caddypki.PKI{
-		for nesting := d.Nesting(); d.NextBlock(nesting); {
+		CAs: make(map[string]*caddypki.CA),
-			switch d.Val() {
+	}
-			case "ca":
+	for d.NextBlock(0) {
-				pkiCa := new(caddypki.CA)
+		switch d.Val() {
 		case "ca":
 			pkiCa := new(caddypki.CA)
 			if d.NextArg() {
 				pkiCa.ID = d.Val()
 				if d.NextArg() {
-					pkiCa.ID = d.Val()
+					return nil, d.ArgErr()
-					if d.NextArg() {
+				}
 			}
 			if pkiCa.ID == "" {
 				pkiCa.ID = caddypki.DefaultCAID
 			}
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				switch d.Val() {
 				case "name":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
-				}
+					pkiCa.Name = d.Val()
 				if pkiCa.ID == "" {
 					pkiCa.ID = caddypki.DefaultCAID
 				}
-				for nesting := d.Nesting(); d.NextBlock(nesting); {
+				case "root_cn":
-					switch d.Val() {
+					if !d.NextArg() {
-					case "name":
+						return nil, d.ArgErr()
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						pkiCa.Name = d.Val()
 					case "root_cn":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						pkiCa.RootCommonName = d.Val()
 					case "intermediate_cn":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						pkiCa.IntermediateCommonName = d.Val()
 					case "intermediate_lifetime":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						dur, err := caddy.ParseDuration(d.Val())
 						if err != nil {
 							return nil, err
 						}
 						pkiCa.IntermediateLifetime = caddy.Duration(dur)
 					case "root":
 						if pkiCa.Root == nil {
 							pkiCa.Root = new(caddypki.KeyPair)
 						}
 						for nesting := d.Nesting(); d.NextBlock(nesting); {
 							switch d.Val() {
 							case "cert":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Root.Certificate = d.Val()
 							case "key":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Root.PrivateKey = d.Val()
 							case "format":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Root.Format = d.Val()
 							default:
 								return nil, d.Errf("unrecognized pki ca root option '%s'", d.Val())
 							}
 						}
 					case "intermediate":
 						if pkiCa.Intermediate == nil {
 							pkiCa.Intermediate = new(caddypki.KeyPair)
 						}
 						for nesting := d.Nesting(); d.NextBlock(nesting); {
 							switch d.Val() {
 							case "cert":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Intermediate.Certificate = d.Val()
 							case "key":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Intermediate.PrivateKey = d.Val()
 							case "format":
 								if !d.NextArg() {
 									return nil, d.ArgErr()
 								}
 								pkiCa.Intermediate.Format = d.Val()
 							default:
 								return nil, d.Errf("unrecognized pki ca intermediate option '%s'", d.Val())
 							}
 						}
 					default:
 						return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
 					}
 					pkiCa.RootCommonName = d.Val()
 				case "intermediate_cn":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					pkiCa.IntermediateCommonName = d.Val()
 				case "intermediate_lifetime":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					dur, err := caddy.ParseDuration(d.Val())
 					if err != nil {
 						return nil, err
 					}
 					pkiCa.IntermediateLifetime = caddy.Duration(dur)
 				case "root":
 					if pkiCa.Root == nil {
 						pkiCa.Root = new(caddypki.KeyPair)
 					}
 					for nesting := d.Nesting(); d.NextBlock(nesting); {
 						switch d.Val() {
 						case "cert":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Root.Certificate = d.Val()
 						case "key":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Root.PrivateKey = d.Val()
 						case "format":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Root.Format = d.Val()
 						default:
 							return nil, d.Errf("unrecognized pki ca root option '%s'", d.Val())
 						}
 					}
 				case "intermediate":
 					if pkiCa.Intermediate == nil {
 						pkiCa.Intermediate = new(caddypki.KeyPair)
 					}
 					for nesting := d.Nesting(); d.NextBlock(nesting); {
 						switch d.Val() {
 						case "cert":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Intermediate.Certificate = d.Val()
 						case "key":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Intermediate.PrivateKey = d.Val()
 						case "format":
 							if !d.NextArg() {
 								return nil, d.ArgErr()
 							}
 							pkiCa.Intermediate.Format = d.Val()
 						default:
 							return nil, d.Errf("unrecognized pki ca intermediate option '%s'", d.Val())
 						}
 					}
 				default:
 					return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
 				}
 				pki.CAs[pkiCa.ID] = pkiCa
 			default:
 				return nil, d.Errf("unrecognized pki option '%s'", d.Val())
 			}
 			pki.CAs[pkiCa.ID] = pkiCa
 		default:
 			return nil, d.Errf("unrecognized pki option '%s'", d.Val())
 		}
 	}
 	return pki, nil
 }
@@ -174,7 +174,6 @@ func (st ServerType) buildPKIApp(
 	options map[string]any,
 	warnings []caddyconfig.Warning,
 ) (*caddypki.PKI, []caddyconfig.Warning, error) {
 	skipInstallTrust := false
 	if _, ok := options["skip_install_trust"]; ok {
 		skipInstallTrust = true
@@ -18,11 +18,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/dustin/go-humanize"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/dustin/go-humanize"
 )
 // serverOptions collects server config overrides parsed from Caddyfile global options
@@ -45,235 +46,242 @@ type serverOptions struct {
 	Protocols            []string
 	StrictSNIHost        *bool
 	TrustedProxiesRaw    json.RawMessage
 	TrustedProxiesStrict int
 	ClientIPHeaders      []string
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
 }
 func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 	d.Next() // consume option name
 	serverOpts := serverOptions{}
-	for d.Next() {
+	if d.NextArg() {
 		serverOpts.ListenerAddress = d.Val()
 		if d.NextArg() {
-			serverOpts.ListenerAddress = d.Val()
+			return nil, d.ArgErr()
-			if d.NextArg() {
+		}
 	}
 	for d.NextBlock(0) {
 		switch d.Val() {
 		case "name":
 			if serverOpts.ListenerAddress == "" {
 				return nil, d.Errf("cannot set a name for a server without a listener address")
 			}
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
-		}
+			serverOpts.Name = d.Val()
 		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "name":
 				if serverOpts.ListenerAddress == "" {
 					return nil, d.Errf("cannot set a name for a server without a listener address")
 				}
 				if !d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				serverOpts.Name = d.Val()
-			case "listener_wrappers":
+		case "listener_wrappers":
-				for nesting := d.Nesting(); d.NextBlock(nesting); {
+			for nesting := d.Nesting(); d.NextBlock(nesting); {
-					modID := "caddy.listeners." + d.Val()
+				modID := "caddy.listeners." + d.Val()
 					unm, err := caddyfile.UnmarshalModule(d, modID)
 					if err != nil {
 						return nil, err
 					}
 					listenerWrapper, ok := unm.(caddy.ListenerWrapper)
 					if !ok {
 						return nil, fmt.Errorf("module %s (%T) is not a listener wrapper", modID, unm)
 					}
 					jsonListenerWrapper := caddyconfig.JSONModuleObject(
 						listenerWrapper,
 						"wrapper",
 						listenerWrapper.(caddy.Module).CaddyModule().ID.Name(),
 						nil,
 					)
 					serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
 				}
 			case "timeouts":
 				for nesting := d.Nesting(); d.NextBlock(nesting); {
 					switch d.Val() {
 					case "read_body":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						dur, err := caddy.ParseDuration(d.Val())
 						if err != nil {
 							return nil, d.Errf("parsing read_body timeout duration: %v", err)
 						}
 						serverOpts.ReadTimeout = caddy.Duration(dur)
 					case "read_header":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						dur, err := caddy.ParseDuration(d.Val())
 						if err != nil {
 							return nil, d.Errf("parsing read_header timeout duration: %v", err)
 						}
 						serverOpts.ReadHeaderTimeout = caddy.Duration(dur)
 					case "write":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						dur, err := caddy.ParseDuration(d.Val())
 						if err != nil {
 							return nil, d.Errf("parsing write timeout duration: %v", err)
 						}
 						serverOpts.WriteTimeout = caddy.Duration(dur)
 					case "idle":
 						if !d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						dur, err := caddy.ParseDuration(d.Val())
 						if err != nil {
 							return nil, d.Errf("parsing idle timeout duration: %v", err)
 						}
 						serverOpts.IdleTimeout = caddy.Duration(dur)
 					default:
 						return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
 					}
 				}
 			case "keepalive_interval":
 				if !d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				dur, err := caddy.ParseDuration(d.Val())
 				if err != nil {
 					return nil, d.Errf("parsing keepalive interval duration: %v", err)
 				}
 				serverOpts.KeepAliveInterval = caddy.Duration(dur)
 			case "max_header_size":
 				var sizeStr string
 				if !d.AllArgs(&sizeStr) {
 					return nil, d.ArgErr()
 				}
 				size, err := humanize.ParseBytes(sizeStr)
 				if err != nil {
 					return nil, d.Errf("parsing max_header_size: %v", err)
 				}
 				serverOpts.MaxHeaderBytes = int(size)
 			case "enable_full_duplex":
 				if d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				serverOpts.EnableFullDuplex = true
 			case "log_credentials":
 				if d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				serverOpts.ShouldLogCredentials = true
 			case "protocols":
 				protos := d.RemainingArgs()
 				for _, proto := range protos {
 					if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
 						return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
 					}
 					if sliceContains(serverOpts.Protocols, proto) {
 						return nil, d.Errf("protocol %s specified more than once", proto)
 					}
 					serverOpts.Protocols = append(serverOpts.Protocols, proto)
 				}
 				if nesting := d.Nesting(); d.NextBlock(nesting) {
 					return nil, d.ArgErr()
 				}
 			case "strict_sni_host":
 				if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
 					return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
 				}
 				boolVal := true
 				if d.Val() == "insecure_off" {
 					boolVal = false
 				}
 				serverOpts.StrictSNIHost = &boolVal
 			case "trusted_proxies":
 				if !d.NextArg() {
 					return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
 				}
 				modID := "http.ip_sources." + d.Val()
 				unm, err := caddyfile.UnmarshalModule(d, modID)
 				if err != nil {
 					return nil, err
 				}
-				source, ok := unm.(caddyhttp.IPRangeSource)
+				listenerWrapper, ok := unm.(caddy.ListenerWrapper)
 				if !ok {
-					return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
+					return nil, fmt.Errorf("module %s (%T) is not a listener wrapper", modID, unm)
 				}
-				jsonSource := caddyconfig.JSONModuleObject(
+				jsonListenerWrapper := caddyconfig.JSONModuleObject(
-					source,
+					listenerWrapper,
-					"source",
+					"wrapper",
-					source.(caddy.Module).CaddyModule().ID.Name(),
+					listenerWrapper.(caddy.Module).CaddyModule().ID.Name(),
 					nil,
 				)
-				serverOpts.TrustedProxiesRaw = jsonSource
+				serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
 			case "client_ip_headers":
 				headers := d.RemainingArgs()
 				for _, header := range headers {
 					if sliceContains(serverOpts.ClientIPHeaders, header) {
 						return nil, d.Errf("client IP header %s specified more than once", header)
 					}
 					serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
 				}
 				if nesting := d.Nesting(); d.NextBlock(nesting) {
 					return nil, d.ArgErr()
 				}
 			case "metrics":
 				if d.NextArg() {
 					return nil, d.ArgErr()
 				}
 				if nesting := d.Nesting(); d.NextBlock(nesting) {
 					return nil, d.ArgErr()
 				}
 				serverOpts.Metrics = new(caddyhttp.Metrics)
 			// TODO: DEPRECATED. (August 2022)
 			case "protocol":
 				caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol sub-option will be removed soon")
 				for nesting := d.Nesting(); d.NextBlock(nesting); {
 					switch d.Val() {
 					case "allow_h2c":
 						caddy.Log().Named("caddyfile").Warn("DEPRECATED: allow_h2c will be removed soon; use protocols option instead")
 						if d.NextArg() {
 							return nil, d.ArgErr()
 						}
 						if sliceContains(serverOpts.Protocols, "h2c") {
 							return nil, d.Errf("protocol h2c already specified")
 						}
 						serverOpts.Protocols = append(serverOpts.Protocols, "h2c")
 					case "strict_sni_host":
 						caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol > strict_sni_host in this position will be removed soon; move up to the servers block instead")
 						if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
 							return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
 						}
 						boolVal := true
 						if d.Val() == "insecure_off" {
 							boolVal = false
 						}
 						serverOpts.StrictSNIHost = &boolVal
 					default:
 						return nil, d.Errf("unrecognized protocol option '%s'", d.Val())
 					}
 				}
 			default:
 				return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 			}
 		case "timeouts":
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				switch d.Val() {
 				case "read_body":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					dur, err := caddy.ParseDuration(d.Val())
 					if err != nil {
 						return nil, d.Errf("parsing read_body timeout duration: %v", err)
 					}
 					serverOpts.ReadTimeout = caddy.Duration(dur)
 				case "read_header":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					dur, err := caddy.ParseDuration(d.Val())
 					if err != nil {
 						return nil, d.Errf("parsing read_header timeout duration: %v", err)
 					}
 					serverOpts.ReadHeaderTimeout = caddy.Duration(dur)
 				case "write":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					dur, err := caddy.ParseDuration(d.Val())
 					if err != nil {
 						return nil, d.Errf("parsing write timeout duration: %v", err)
 					}
 					serverOpts.WriteTimeout = caddy.Duration(dur)
 				case "idle":
 					if !d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					dur, err := caddy.ParseDuration(d.Val())
 					if err != nil {
 						return nil, d.Errf("parsing idle timeout duration: %v", err)
 					}
 					serverOpts.IdleTimeout = caddy.Duration(dur)
 				default:
 					return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
 				}
 			}
 		case "keepalive_interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			dur, err := caddy.ParseDuration(d.Val())
 			if err != nil {
 				return nil, d.Errf("parsing keepalive interval duration: %v", err)
 			}
 			serverOpts.KeepAliveInterval = caddy.Duration(dur)
 		case "max_header_size":
 			var sizeStr string
 			if !d.AllArgs(&sizeStr) {
 				return nil, d.ArgErr()
 			}
 			size, err := humanize.ParseBytes(sizeStr)
 			if err != nil {
 				return nil, d.Errf("parsing max_header_size: %v", err)
 			}
 			serverOpts.MaxHeaderBytes = int(size)
 		case "enable_full_duplex":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			serverOpts.EnableFullDuplex = true
 		case "log_credentials":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			serverOpts.ShouldLogCredentials = true
 		case "protocols":
 			protos := d.RemainingArgs()
 			for _, proto := range protos {
 				if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
 					return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
 				}
 				if sliceContains(serverOpts.Protocols, proto) {
 					return nil, d.Errf("protocol %s specified more than once", proto)
 				}
 				serverOpts.Protocols = append(serverOpts.Protocols, proto)
 			}
 			if nesting := d.Nesting(); d.NextBlock(nesting) {
 				return nil, d.ArgErr()
 			}
 		case "strict_sni_host":
 			if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
 				return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
 			}
 			boolVal := true
 			if d.Val() == "insecure_off" {
 				boolVal = false
 			}
 			serverOpts.StrictSNIHost = &boolVal
 		case "trusted_proxies":
 			if !d.NextArg() {
 				return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
 			}
 			modID := "http.ip_sources." + d.Val()
 			unm, err := caddyfile.UnmarshalModule(d, modID)
 			if err != nil {
 				return nil, err
 			}
 			source, ok := unm.(caddyhttp.IPRangeSource)
 			if !ok {
 				return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
 			}
 			jsonSource := caddyconfig.JSONModuleObject(
 				source,
 				"source",
 				source.(caddy.Module).CaddyModule().ID.Name(),
 				nil,
 			)
 			serverOpts.TrustedProxiesRaw = jsonSource
 		case "trusted_proxies_strict":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			serverOpts.TrustedProxiesStrict = 1
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
 				if sliceContains(serverOpts.ClientIPHeaders, header) {
 					return nil, d.Errf("client IP header %s specified more than once", header)
 				}
 				serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
 			}
 			if nesting := d.Nesting(); d.NextBlock(nesting) {
 				return nil, d.ArgErr()
 			}
 		case "metrics":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			if nesting := d.Nesting(); d.NextBlock(nesting) {
 				return nil, d.ArgErr()
 			}
 			serverOpts.Metrics = new(caddyhttp.Metrics)
 		// TODO: DEPRECATED. (August 2022)
 		case "protocol":
 			caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol sub-option will be removed soon")
 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 				switch d.Val() {
 				case "allow_h2c":
 					caddy.Log().Named("caddyfile").Warn("DEPRECATED: allow_h2c will be removed soon; use protocols option instead")
 					if d.NextArg() {
 						return nil, d.ArgErr()
 					}
 					if sliceContains(serverOpts.Protocols, "h2c") {
 						return nil, d.Errf("protocol h2c already specified")
 					}
 					serverOpts.Protocols = append(serverOpts.Protocols, "h2c")
 				case "strict_sni_host":
 					caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol > strict_sni_host in this position will be removed soon; move up to the servers block instead")
 					if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
 						return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
 					}
 					boolVal := true
 					if d.Val() == "insecure_off" {
 						boolVal = false
 					}
 					serverOpts.StrictSNIHost = &boolVal
 				default:
 					return nil, d.Errf("unrecognized protocol option '%s'", d.Val())
 				}
 			}
 		default:
 			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 		}
 	}
 	return serverOpts, nil
@@ -339,6 +347,7 @@ func applyServerOptions(
 		server.StrictSNIHost = opts.StrictSNIHost
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
 		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
@@ -0,0 +1,93 @@
 package httpcaddyfile
 import (
 	"regexp"
 	"strings"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 type ComplexShorthandReplacer struct {
 	search  *regexp.Regexp
 	replace string
 }
 type ShorthandReplacer struct {
 	complex []ComplexShorthandReplacer
 	simple  *strings.Replacer
 }
 func NewShorthandReplacer() ShorthandReplacer {
 	// replace shorthand placeholders (which are convenient
 	// when writing a Caddyfile) with their actual placeholder
 	// identifiers or variable names
 	replacer := strings.NewReplacer(placeholderShorthands()...)
 	// these are placeholders that allow a user-defined final
 	// parameters, but we still want to provide a shorthand
 	// for those, so we use a regexp to replace
 	regexpReplacements := []ComplexShorthandReplacer{
 		{regexp.MustCompile(`{header\.([\w-]*)}`), "{http.request.header.$1}"},
 		{regexp.MustCompile(`{cookie\.([\w-]*)}`), "{http.request.cookie.$1}"},
 		{regexp.MustCompile(`{labels\.([\w-]*)}`), "{http.request.host.labels.$1}"},
 		{regexp.MustCompile(`{path\.([\w-]*)}`), "{http.request.uri.path.$1}"},
 		{regexp.MustCompile(`{file\.([\w-]*)}`), "{http.request.uri.path.file.$1}"},
 		{regexp.MustCompile(`{query\.([\w-]*)}`), "{http.request.uri.query.$1}"},
 		{regexp.MustCompile(`{re\.([\w-]*)\.([\w-]*)}`), "{http.regexp.$1.$2}"},
 		{regexp.MustCompile(`{vars\.([\w-]*)}`), "{http.vars.$1}"},
 		{regexp.MustCompile(`{rp\.([\w-\.]*)}`), "{http.reverse_proxy.$1}"},
 		{regexp.MustCompile(`{err\.([\w-\.]*)}`), "{http.error.$1}"},
 		{regexp.MustCompile(`{file_match\.([\w-]*)}`), "{http.matchers.file.$1}"},
 	}
 	return ShorthandReplacer{
 		complex: regexpReplacements,
 		simple:  replacer,
 	}
 }
 // placeholderShorthands returns a slice of old-new string pairs,
 // where the left of the pair is a placeholder shorthand that may
 // be used in the Caddyfile, and the right is the replacement.
 func placeholderShorthands() []string {
 	return []string{
 		"{dir}", "{http.request.uri.path.dir}",
 		"{file}", "{http.request.uri.path.file}",
 		"{host}", "{http.request.host}",
 		"{hostport}", "{http.request.hostport}",
 		"{port}", "{http.request.port}",
 		"{method}", "{http.request.method}",
 		"{path}", "{http.request.uri.path}",
 		"{query}", "{http.request.uri.query}",
 		"{remote}", "{http.request.remote}",
 		"{remote_host}", "{http.request.remote.host}",
 		"{remote_port}", "{http.request.remote.port}",
 		"{scheme}", "{http.request.scheme}",
 		"{uri}", "{http.request.uri}",
 		"{uuid}", "{http.request.uuid}",
 		"{tls_cipher}", "{http.request.tls.cipher_suite}",
 		"{tls_version}", "{http.request.tls.version}",
 		"{tls_client_fingerprint}", "{http.request.tls.client.fingerprint}",
 		"{tls_client_issuer}", "{http.request.tls.client.issuer}",
 		"{tls_client_serial}", "{http.request.tls.client.serial}",
 		"{tls_client_subject}", "{http.request.tls.client.subject}",
 		"{tls_client_certificate_pem}", "{http.request.tls.client.certificate_pem}",
 		"{tls_client_certificate_der_base64}", "{http.request.tls.client.certificate_der_base64}",
 		"{upstream_hostport}", "{http.reverse_proxy.upstream.hostport}",
 		"{client_ip}", "{http.vars.client_ip}",
 	}
 }
 // ApplyToSegment replaces shorthand placeholder to its full placeholder, understandable by Caddy.
 func (s ShorthandReplacer) ApplyToSegment(segment *caddyfile.Segment) {
 	if segment != nil {
 		for i := 0; i < len(*segment); i++ {
 			// simple string replacements
 			(*segment)[i].Text = s.simple.Replace((*segment)[i].Text)
 			// complex regexp replacements
 			for _, r := range s.complex {
 				(*segment)[i].Text = r.search.ReplaceAllString((*segment)[i].Text, r.replace)
 			}
 		}
 	}
 }
@@ -23,12 +23,13 @@ import (
 	"strconv"
 	"strings"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 )
 func (st ServerType) buildTLSApp(
@@ -36,7 +37,6 @@ func (st ServerType) buildTLSApp(
 	options map[string]any,
 	warnings []caddyconfig.Warning,
 ) (*caddytls.TLS, []caddyconfig.Warning, error) {
 	tlsApp := &caddytls.TLS{CertificatesRaw: make(caddy.ModuleMap)}
 	var certLoaders []caddytls.CertificateLoader
@@ -118,6 +118,11 @@ func (st ServerType) buildTLSApp(
 				ap.OnDemand = true
 			}
 			// reuse private keys tls
 			if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
 				ap.ReusePrivateKeys = true
 			}
 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
 				ap.KeyType = keyTypeVals[0].Value.(string)
 			}
@@ -582,10 +587,12 @@ outer:
 			// eaten up by the one with subjects; and if both have subjects, we
 			// need to combine their lists
 			if reflect.DeepEqual(aps[i].IssuersRaw, aps[j].IssuersRaw) &&
 				reflect.DeepEqual(aps[i].ManagersRaw, aps[j].ManagersRaw) &&
 				bytes.Equal(aps[i].StorageRaw, aps[j].StorageRaw) &&
 				aps[i].MustStaple == aps[j].MustStaple &&
 				aps[i].KeyType == aps[j].KeyType &&
 				aps[i].OnDemand == aps[j].OnDemand &&
 				aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&
 				aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
 				if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
 					// later policy (at j) has no subjects ("catch-all"), so we can
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
 	"net"
 	"net/http"
@@ -22,9 +23,10 @@ import (
 	"time"
 	"github.com/aryann/difflib"
-	"github.com/caddyserver/caddy/v2/caddyconfig"
+
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	// plug in Caddy modules here
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
 )
@@ -58,12 +60,11 @@ var (
 type Tester struct {
 	Client       *http.Client
 	configLoaded bool
-	t            *testing.T
+	t            testing.TB
 }
 // NewTester will create a new testing client with an attached cookie jar
-func NewTester(t *testing.T) *Tester {
+func NewTester(t testing.TB) *Tester {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		t.Fatalf("failed to create cookiejar: %s", err)
@@ -94,7 +95,6 @@ func timeElapsed(start time.Time, name string) {
 // InitServer this will configure the server with a configurion of a specific
 // type. The configType must be either "json" or the adapter type.
 func (tc *Tester) InitServer(rawConfig string, configType string) {
 	if err := tc.initServer(rawConfig, configType); err != nil {
 		tc.t.Logf("failed to load config: %s", err)
 		tc.t.Fail()
@@ -108,7 +108,6 @@ func (tc *Tester) InitServer(rawConfig string, configType string) {
 // InitServer this will configure the server with a configurion of a specific
 // type. The configType must be either "json" or the adapter type.
 func (tc *Tester) initServer(rawConfig string, configType string) error {
 	if testing.Short() {
 		tc.t.SkipNow()
 		return nil
@@ -122,7 +121,6 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	tc.t.Cleanup(func() {
 		if tc.t.Failed() && tc.configLoaded {
 			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 			if err != nil {
 				tc.t.Log("unable to read the current config")
@@ -231,11 +229,10 @@ const initConfig = `{
 // validateTestPrerequisites ensures the certificates are available in the
 // designated path and Caddy sub-process is running.
-func validateTestPrerequisites(t *testing.T) error {
+func validateTestPrerequisites(t testing.TB) error {
 	// check certificates are found
 	for _, certName := range Default.Certifcates {
-		if _, err := os.Stat(getIntegrationDir() + certName); os.IsNotExist(err) {
+		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}
 	}
@@ -284,7 +281,6 @@ func isCaddyAdminRunning() error {
 }
 func getIntegrationDir() string {
 	_, filename, _, ok := runtime.Caller(1)
 	if !ok {
 		panic("unable to determine the current file path")
@@ -304,7 +300,6 @@ func prependCaddyFilePath(rawConfig string) string {
 // CreateTestingTransport creates a testing transport that forces call dialing connections to happen locally
 func CreateTestingTransport() *http.Transport {
 	dialer := net.Dialer{
 		Timeout:   5 * time.Second,
 		KeepAlive: 5 * time.Second,
@@ -332,7 +327,6 @@ func CreateTestingTransport() *http.Transport {
 // AssertLoadError will load a config and expect an error
 func AssertLoadError(t *testing.T, rawConfig string, configType string, expectedError string) {
 	tc := NewTester(t)
 	err := tc.initServer(rawConfig, configType)
@@ -343,7 +337,6 @@ func AssertLoadError(t *testing.T, rawConfig string, configType string, expected
 // AssertRedirect makes a request and asserts the redirection happens
 func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, expectedStatusCode int) *http.Response {
 	redirectPolicyFunc := func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
@@ -380,8 +373,7 @@ func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, e
 }
 // CompareAdapt adapts a config and then compares it against an expected result
-func CompareAdapt(t *testing.T, filename, rawConfig string, adapterName string, expectedResponse string) bool {
+func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
 	cfgAdapter := caddyconfig.GetAdapter(adapterName)
 	if cfgAdapter == nil {
 		t.Logf("unrecognized config adapter '%s'", adapterName)
@@ -440,7 +432,7 @@ func CompareAdapt(t *testing.T, filename, rawConfig string, adapterName string,
 }
 // AssertAdapt adapts a config and then tests it against an expected result
-func AssertAdapt(t *testing.T, rawConfig string, adapterName string, expectedResponse string) {
+func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
 	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
 	if !ok {
 		t.Fail()
@@ -449,7 +441,7 @@ func AssertAdapt(t *testing.T, rawConfig string, adapterName string, expectedRes
 // Generic request functions
-func applyHeaders(t *testing.T, req *http.Request, requestHeaders []string) {
+func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
 	requestContentType := ""
 	for _, requestHeader := range requestHeaders {
 		arr := strings.SplitAfterN(requestHeader, ":", 2)
@@ -469,14 +461,13 @@ func applyHeaders(t *testing.T, req *http.Request, requestHeaders []string) {
 // AssertResponseCode will execute the request and verify the status code, returns a response for additional assertions
 func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int) *http.Response {
 	resp, err := tc.Client.Do(req)
 	if err != nil {
 		tc.t.Fatalf("failed to call server %s", err)
 	}
 	if expectedStatusCode != resp.StatusCode {
-		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", req.RequestURI, expectedStatusCode, resp.StatusCode)
+		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", req.URL.RequestURI(), expectedStatusCode, resp.StatusCode)
 	}
 	return resp
@@ -484,7 +475,6 @@ func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int)
 // AssertResponse request a URI and assert the status code and the body contains a string
 func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	resp := tc.AssertResponseCode(req, expectedStatusCode)
 	defer resp.Body.Close()
@@ -506,7 +496,6 @@ func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expe
 // AssertGetResponse GET a URI and expect a statusCode and body text
 func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	req, err := http.NewRequest("GET", requestURI, nil)
 	if err != nil {
 		tc.t.Fatalf("unable to create request %s", err)
@@ -517,7 +506,6 @@ func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, e
 // AssertDeleteResponse request a URI and expect a statusCode and body text
 func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	req, err := http.NewRequest("DELETE", requestURI, nil)
 	if err != nil {
 		tc.t.Fatalf("unable to create request %s", err)
@@ -528,7 +516,6 @@ func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int
 // AssertPostResponseBody POST to a URI and assert the response code and body
 func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	req, err := http.NewRequest("POST", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
@@ -542,7 +529,6 @@ func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []str
 // AssertPutResponseBody PUT to a URI and assert the response code and body
 func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	req, err := http.NewRequest("PUT", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
@@ -556,7 +542,6 @@ func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []stri
 // AssertPatchResponseBody PATCH to a URI and assert the response code and body
 func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	req, err := http.NewRequest("PATCH", requestURI, requestBody)
 	if err != nil {
 		tc.t.Errorf("failed to create request %s", err)
@@ -0,0 +1,206 @@
 package integration
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez"
 	"github.com/mholt/acmez/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 )
 const acmeChallengePort = 9081
 // Test the basic functionality of Caddy's ACME server
 func TestACMEServerWithDefaults(t *testing.T) {
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		local_certs
 	}
 	acme.localhost {
 		acme_server
 	}
  `, "caddyfile")
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"})
 	if err != nil {
 		t.Errorf("obtaining certificate: %v", err)
 		return
 	}
 	// ACME servers should usually give you the entire certificate chain
 	// in PEM format, and sometimes even alternate chains! It's up to you
 	// which one(s) to store and use, but whatever you do, be sure to
 	// store the certificate and key somewhere safe and secure, i.e. don't
 	// lose them!
 	for _, cert := range certs {
 		t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
 	}
 }
 func TestACMEServerWithMismatchedChallenges(t *testing.T) {
 	ctx := context.Background()
 	logger := caddy.Log().Named("acmez")
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		local_certs
 	}
 	acme.localhost {
 		acme_server {
 			challenges tls-alpn-01
 		}
 	}
  `, "caddyfile")
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"})
 	if len(certs) > 0 {
 		t.Errorf("expected '0' certificates, but received '%d'", len(certs))
 	}
 	if err == nil {
 		t.Error("expected errors, but received none")
 	}
 	const expectedErrMsg = "no solvers available for remaining challenges (configured=[http-01] offered=[tls-alpn-01] remaining=[tls-alpn-01])"
 	if !strings.Contains(err.Error(), expectedErrMsg) {
 		t.Errorf(`received error message does not match expectation: expected="%s" received="%s"`, expectedErrMsg, err.Error())
 	}
 }
 // naiveHTTPSolver is a no-op acmez.Solver for example purposes only.
 type naiveHTTPSolver struct {
 	srv    *http.Server
 	logger *zap.Logger
 }
 func (s *naiveHTTPSolver) Present(ctx context.Context, challenge acme.Challenge) error {
 	smallstepacme.InsecurePortHTTP01 = acmeChallengePort
 	s.srv = &http.Server{
 		Addr: fmt.Sprintf(":%d", acmeChallengePort),
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			host, _, err := net.SplitHostPort(r.Host)
 			if err != nil {
 				host = r.Host
 			}
 			s.logger.Info("received request on challenge server", zap.String("path", r.URL.Path))
 			if r.Method == "GET" && r.URL.Path == challenge.HTTP01ResourcePath() && strings.EqualFold(host, challenge.Identifier.Value) {
 				w.Header().Add("Content-Type", "text/plain")
 				w.Write([]byte(challenge.KeyAuthorization))
 				r.Close = true
 				s.logger.Info("served key authentication",
 					zap.String("identifier", challenge.Identifier.Value),
 					zap.String("challenge", "http-01"),
 					zap.String("remote", r.RemoteAddr),
 				)
 			}
 		}),
 	}
 	l, err := net.Listen("tcp", fmt.Sprintf(":%d", acmeChallengePort))
 	if err != nil {
 		return err
 	}
 	s.logger.Info("present challenge", zap.Any("challenge", challenge))
 	go s.srv.Serve(l)
 	return nil
 }
 func (s naiveHTTPSolver) CleanUp(ctx context.Context, challenge acme.Challenge) error {
 	smallstepacme.InsecurePortHTTP01 = 0
 	s.logger.Info("cleanup", zap.Any("challenge", challenge))
 	if s.srv != nil {
 		s.srv.Close()
 	}
 	return nil
 }
@@ -0,0 +1,209 @@
 package integration
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 )
 func TestACMEServerDirectory(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		local_certs
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
 	acme.localhost:9443 {
 		acme_server
 	}
  `, "caddyfile")
 	tester.AssertGetResponse(
 		"https://acme.localhost:9443/acme/local/directory",
 		200,
 		`{"newNonce":"https://acme.localhost:9443/acme/local/new-nonce","newAccount":"https://acme.localhost:9443/acme/local/new-account","newOrder":"https://acme.localhost:9443/acme/local/new-order","revokeCert":"https://acme.localhost:9443/acme/local/revoke-cert","keyChange":"https://acme.localhost:9443/acme/local/key-change"}
 `)
 }
 func TestACMEServerAllowPolicy(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		local_certs
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
 	acme.localhost {
 		acme_server {
 			challenges http-01
 			allow {
 				domains localhost
 			}
 		}
 	}
  `, "caddyfile")
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	{
 		certs, err := client.ObtainCertificate(
 			ctx,
 			account,
 			certPrivateKey,
 			[]string{"localhost"},
 		)
 		if err != nil {
 			t.Errorf("obtaining certificate for allowed domain: %v", err)
 			return
 		}
 		// ACME servers should usually give you the entire certificate chain
 		// in PEM format, and sometimes even alternate chains! It's up to you
 		// which one(s) to store and use, but whatever you do, be sure to
 		// store the certificate and key somewhere safe and secure, i.e. don't
 		// lose them!
 		for _, cert := range certs {
 			t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
 		}
 	}
 	{
 		_, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'not-matching.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
 			t.Logf("unexpected error: %v", err)
 		}
 	}
 }
 func TestACMEServerDenyPolicy(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		local_certs
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
 	acme.localhost {
 		acme_server {
 			deny {
 				domains deny.localhost
 			}
 		}
 	}
  `, "caddyfile")
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	{
 		_, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"deny.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'deny.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
 			t.Logf("unexpected error: %v", err)
 		}
 	}
 }
@@ -0,0 +1,65 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges dns-01
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"challenges": [
 														"dns-01"
 													],
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,62 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,66 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges dns-01 http-01
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"challenges": [
 														"dns-01",
 														"http-01"
 													],
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,37 @@
 :8443 {
 	tls internal {
 		on_demand
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8443"
 					],
 					"tls_connection_policies": [
 						{}
 					]
 				}
 			}
 		},
 		"tls": {
 			"automation": {
 				"policies": [
 					{
 						"issuers": [
 							{
 								"module": "internal"
 							}
 						],
 						"on_demand": true
 					}
 				]
 			}
 		}
 	}
 }
@@ -11,6 +11,7 @@ encode gzip zstd {
 		header Content-Type application/xhtml+xml*
 		header Content-Type application/atom+xml*
 		header Content-Type application/rss+xml*
 		header Content-Type application/wasm*
 		header Content-Type image/svg+xml*
 	}
 }
@@ -47,6 +48,7 @@ encode {
 												"application/xhtml+xml*",
 												"application/atom+xml*",
 												"application/rss+xml*",
 												"application/wasm*",
 												"image/svg+xml*"
 											]
 										},
@@ -0,0 +1,245 @@
 foo.localhost {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /fivehundred* "Internal Server Error" 500
 	handle_errors 5xx {
 		respond "Error In range [500 .. 599]"
 	}
 	handle_errors 410 {
 		respond "404 or 410 error"
 	}
 }
 bar.localhost {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /fivehundred* "Internal Server Error" 500
 	handle_errors 5xx {
 		respond "Error In range [500 .. 599] from second site"
 	}
 	handle_errors 410 {
 		respond "404 or 410 error from second site"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"foo.localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/fivehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"bar.localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/fivehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"foo.localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [410]"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error In range [500 .. 599]",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							},
 							{
 								"match": [
 									{
 										"host": [
 											"bar.localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error from second site",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [410]"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error In range [500 .. 599] from second site",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,120 @@
 {
 	http_port 3010
 }
 localhost:3010 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 3010,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":3010"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,153 @@
 {
 	http_port 2099
 }
 localhost:2099 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /threehundred* "Moved Permanently" 301
 	error /internalerr* "Internal Server Error" 500
 	handle_errors 500 3xx {
 		respond "Error code is equal to 500 or in the [300..399] range"
 	}
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 2099,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":2099"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Moved Permanently",
 													"handler": "error",
 													"status_code": 301
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/threehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/internalerr*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error code is equal to 500 or in the [300..399] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 300 \u0026\u0026 {http.error.status_code} \u003c= 399 || {http.error.status_code} in [500]"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,120 @@
 {
 	http_port 3010
 }
 localhost:3010 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	handle_errors 404 410 {
 		respond "404 or 410 error"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 3010,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":3010"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [404, 410]"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -0,0 +1,148 @@
 {
 	http_port 2099
 }
 localhost:2099 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	error /internalerr* "Internal Server Error" 500
 	handle_errors {
 		respond "Fallback route: code outside the [400..499] range"
 	}
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 2099,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":2099"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/internalerr*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Fallback route: code outside the [400..499] range",
 														"handler": "static_response"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -69,11 +69,14 @@
 					}
 				],
 				"on_demand": {
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
-					},
+					}
 					"ask": "https://example.com"
 				}
 			},
 			"disable_ocsp_stapling": true
@@ -78,11 +78,14 @@
 					}
 				],
 				"on_demand": {
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
-					},
+					}
 					"ask": "https://example.com"
 				},
 				"ocsp_interval": 172800000000000,
 				"renew_interval": 86400000000000,
@@ -71,11 +71,14 @@
 					}
 				],
 				"on_demand": {
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
-					},
+					}
 					"ask": "https://example.com"
 				}
 			}
 		}
@@ -0,0 +1,46 @@
 http://handle {
 	file_server
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"handle"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "file_server",
 													"hide": [
 														"./Caddyfile"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		}
 	}
 }
@@ -99,7 +99,7 @@ http://localhost:2020 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost:2020": ""
+							"localhost": ""
 						},
 						"skip_unmapped_hosts": true
 					}
@@ -0,0 +1,52 @@
 :80
 log {
 	output stdout
 	format filter {
 		fields {
 			request>headers>Server delete
 		}
 	}
 }
 ----------
 {
 	"logging": {
 		"logs": {
 			"default": {
 				"exclude": [
 					"http.log.access.log0"
 				]
 			},
 			"log0": {
 				"writer": {
 					"output": "stdout"
 				},
 				"encoder": {
 					"fields": {
 						"request\u003eheaders\u003eServer": {
 							"filter": "delete"
 						}
 					},
 					"format": "filter"
 				},
 				"include": [
 					"http.log.access.log0"
 				]
 			}
 		}
 	},
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"logs": {
 						"default_logger_name": "log0"
 					}
 				}
 			}
 		}
 	}
 }
@@ -21,6 +21,7 @@ log {
 				ipv4 24
 				ipv6 32
 			}
 			request>client_ip ip_mask 16 32
 			request>headers>Regexp regexp secret REDACTED
 			request>headers>Hash hash
 		}
@@ -41,6 +42,11 @@ log {
 				},
 				"encoder": {
 					"fields": {
 						"request\u003eclient_ip": {
 							"filter": "ip_mask",
 							"ipv4_cidr": 16,
 							"ipv6_cidr": 32
 						},
 						"request\u003eheaders\u003eAuthorization": {
 							"filter": "replace",
 							"value": "REDACTED"
@@ -8,6 +8,12 @@
 		output file /baz.txt
 	}
 }
 example.com:8443 {
 	log {
 		output file /port.txt
 	}
 }
 ----------
 {
 	"logging": {
@@ -15,7 +21,8 @@
 			"default": {
 				"exclude": [
 					"http.log.access.log0",
-					"http.log.access.log1"
+					"http.log.access.log1",
 					"http.log.access.log2"
 				]
 			},
 			"log0": {
@@ -35,6 +42,15 @@
 				"include": [
 					"http.log.access.log1"
 				]
 			},
 			"log2": {
 				"writer": {
 					"filename": "/port.txt",
 					"output": "file"
 				},
 				"include": [
 					"http.log.access.log2"
 				]
 			}
 		}
 	},
@@ -64,6 +80,28 @@
 							"foo.example.com": "log0"
 						}
 					}
 				},
 				"srv1": {
 					"listen": [
 						":8443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"example.com"
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"logs": {
 						"logger_names": {
 							"example.com": "log2"
 						}
 					}
 				}
 			}
 		}
@@ -76,7 +76,7 @@ http://localhost:8881 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost:8881": "foo"
+							"localhost": "foo"
 						}
 					}
 				}
@@ -81,7 +81,7 @@ http://localhost:8881 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost:8881": "foo"
+							"localhost": "foo"
 						}
 					}
 				}
@@ -66,9 +66,9 @@ example.com {
 							"one.example.com": ""
 						},
 						"skip_hosts": [
 							"example.com",
 							"three.example.com",
-							"two.example.com",
+							"two.example.com"
 							"example.com"
 						]
 					}
 				}
--- a/Show More
+++ b/Show More