r/RegisterType/RegisterNamespace/g

Co-Author: Matt Holt
follow the linter's commands
2026-05-26 16:52:40 -04:00 · 2023-12-14 23:50:24 +03:00 · 2023-12-14 23:38:08 +03:00 · 2023-12-14 18:14:18 +03:00 · 2023-12-14 18:02:38 +03:00 · 2023-12-14 18:02:15 +03:00
322 changed files with 5659 additions and 15387 deletions
@@ -1,5 +1,5 @@
 [*]
 end_of_line = lf
-[caddytest/integration/caddyfile_adapt/*.caddyfiletest]
+[caddytest/integration/caddyfile_adapt/*.txt]
 indent_style = tab
@@ -19,49 +19,45 @@ jobs:
      fail-fast: false
      matrix:
        os: 
-          - linux
+          - ubuntu-latest
-          - mac
+          - macos-latest
-          - windows
+          - windows-latest
        go: 
          - '1.20'
          - '1.21'
          - '1.22'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
        - go: '1.20'
          GO_SEMVER: '~1.20.6'
        - go: '1.21'
          GO_SEMVER: '~1.21.0'
        - go: '1.22'
          GO_SEMVER: '~1.22.1'
        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
-        - os: linux
+        - os: ubuntu-latest
          OS_LABEL: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
-        - os: mac
+        - os: macos-latest
          OS_LABEL: macos-14
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0
-        - os: windows
+        - os: windows-latest
          OS_LABEL: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'
-    runs-on: ${{ matrix.OS_LABEL }}
+    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -99,20 +95,13 @@ jobs:
      env:
        CGO_ENABLED: 0
      run: |
-        go build -tags nobdger -trimpath -ldflags="-w -s" -v
+        go build -trimpath -ldflags="-w -s" -v
    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
      run: |
        ./caddy start
        ./caddy stop
    - name: Publish Build Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
        compression-level: 0
    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
@@ -122,7 +111,7 @@ jobs:
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT
    # Relevant step if we reinvestigate publishing test/coverage reports
@@ -135,7 +124,7 @@ jobs:
    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
-    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
+    #   if: matrix.os != 'windows-latest' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1
@@ -157,7 +146,7 @@ jobs:
          # The environment is fresh, so there's no point in keeping accepting and adding the key.
          rsync -arz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress --delete --exclude '.git' . "$CI_USER"@ci-s390x.caddyserver.com:/var/tmp/"$short_sha"
-          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -tags nobadger -v ./..."
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -v ./..."
          test_result=$?
          # There's no need leaving the files around
@@ -179,3 +168,5 @@ jobs:
        with:
          version: latest
          args: check
        env:
          TAG: ${{ steps.vars.outputs.version_tag }}
@@ -11,29 +11,31 @@ on:
      - 2.*
 jobs:
-  build:
+  cross-build-test:
    strategy:
      fail-fast: false
      matrix:
        goos: 
          - 'aix'
          - 'android'
          - 'linux'
          - 'solaris'
          - 'illumos'
          - 'dragonfly'
          - 'freebsd'
          - 'openbsd'
          - 'plan9'
          - 'windows'
          - 'darwin'
          - 'netbsd'
        go: 
-          - '1.22'
+          - '1.21'
        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
+        - go: '1.21'
-          GO_SEMVER: '~1.22.1'
+          GO_SEMVER: '~1.21.0'
    runs-on: ubuntu-latest
    continue-on-error: true
@@ -42,7 +44,7 @@ jobs:
        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
          go-version: ${{ matrix.GO_SEMVER }}
          check-latest: true
@@ -66,4 +68,8 @@ jobs:
        continue-on-error: true
        working-directory: ./cmd/caddy
        run: |
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags nobadger -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+          GOOS=$GOOS GOARCH=$GOARCH go build -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
          if [ $? -ne 0 ]; then
            echo "::warning ::$GOOS Build Failed"
            exit 0
          fi
@@ -23,33 +23,24 @@ jobs:
    strategy:
      matrix:
        os:
-          - linux
+          - ubuntu-latest
-          - mac
+          - macos-latest
-          - windows
+          - windows-latest
-
+    runs-on: ${{ matrix.os }}
        include:
        - os: linux
          OS_LABEL: ubuntu-latest
        - os: mac
          OS_LABEL: macos-14
        - os: windows
          OS_LABEL: windows-latest
    runs-on: ${{ matrix.OS_LABEL }}
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
        with:
-          go-version: '~1.22.1'
+          go-version: '~1.21.0'
          check-latest: true
          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
          skip-pkg-cache: true
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v3
        with:
-          version: v1.55
+          version: v1.54
          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
          skip-pkg-cache: true
@@ -66,5 +57,5 @@ jobs:
      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
-          go-version-input: '~1.22.1'
+          go-version-input: '~1.21.0'
          check-latest: true
@@ -37,7 +37,7 @@ jobs:
        fetch-depth: 0
    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -18,7 +18,7 @@ jobs:
    # See https://github.com/peter-evans/repository-dispatch
    - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@v2
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/dist
@@ -26,7 +26,7 @@ jobs:
        client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
    - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@v2
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/caddy-docker
@@ -3,7 +3,6 @@ _gitignore/
 Caddyfile
 Caddyfile.*
 !caddyfile/
 !caddyfile.go
 # artifacts from pprof tooling
 *.prof
@@ -15,68 +15,35 @@ linters-settings:
    # If `true`, make the section order the same as the order of `sections`.
    # Default: false
    custom-order: true
  exhaustive:
    ignore-enum-types: reflect.Kind|svc.Cmd
 linters:
  disable-all: true
  enable:
    - asasalint
    - asciicheck
    - bidichk
    - bodyclose
    - decorder
    - dogsled
    - dupl
    - dupword
    - durationcheck
    - errcheck
    - errname
    - exhaustive
    - exportloopref
    - gci
    - gofmt
    - goimports
    - gofumpt
    - gosec
    - gosimple
    - govet
    - ineffassign
    - importas
    - misspell
    - prealloc
    - promlinter
    - sloglint
    - sqlclosecheck
    - staticcheck
    - tenv
    - testableexamples
    - testifylint
    - tparallel
    - typecheck
    - unconvert
    - unused
    - wastedassign
    - whitespace
    - zerologlint
  # these are implicitly disabled:
-  # - containedctx
+  # - asciicheck
  # - contextcheck
  # - cyclop
  # - depguard
-  # - errchkjson
+  # - dogsled
-  # - errorlint
+  # - dupl
-  # - exhaustruct
+  # - exhaustive
-  # - execinquery
+  # - exportloopref
  # - exhaustruct
  # - forbidigo
  # - forcetypeassert
  # - funlen
-  # - ginkgolinter
+  # - gci
  # - gocheckcompilerdirectives
  # - gochecknoglobals
  # - gochecknoinits
  # - gochecksumtype
  # - gocognit
  # - goconst
  # - gocritic
@@ -84,47 +51,27 @@ linters:
  # - godot
  # - godox
  # - goerr113
  # - gofumpt
  # - goheader
  # - golint
  # - gomnd
  # - gomoddirectives
  # - gomodguard
  # - goprintffuncname
-  # - gosmopolitan
+  # - interfacer
  # - grouper
  # - inamedparam
  # - interfacebloat
  # - ireturn
  # - lll
-  # - loggercheck
+  # - maligned
  # - maintidx
  # - makezero
  # - mirror
  # - musttag
  # - nakedret
  # - nestif
  # - nilerr
  # - nilnil
  # - nlreturn
  # - noctx
  # - nolintlint
  # - nonamedreturns
  # - nosprintfhostport
  # - paralleltest
  # - perfsprint
  # - predeclared
  # - protogetter
  # - reassign
  # - revive
  # - rowserrcheck
  # - scopelint
  # - sqlclosecheck
  # - stylecheck
  # - tagalign
  # - tagliatelle
  # - testpackage
  # - thelper
  # - unparam
-  # - usestdlibvars
+  # - whitespace
  # - varnamelen
  # - wrapcheck
  # - wsl
 run:
@@ -163,6 +110,3 @@ issues:
      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
    - path: modules/logging/filters.go
      linters:
        - dupl
@@ -77,8 +77,6 @@ builds:
  - -mod=readonly
  ldflags:
  - -s -w
  tags:
  - nobadger
 signs:
  - cmd: cosign
@@ -56,7 +56,7 @@
 </p>
-## [Features](https://caddyserver.com/features)
+## [Features](https://caddyserver.com/v2)
 - **Easy configuration** with the [Caddyfile](https://caddyserver.com/docs/caddyfile)
 - **Powerful configuration** with its [native JSON config](https://caddyserver.com/docs/json/)
@@ -75,7 +75,7 @@
 - **Runs anywhere** with **no external dependencies** (not even libc)
 - Written in Go, a language with higher **memory safety guarantees** than other servers
 - Actually **fun to use**
- So much more to [discover](https://caddyserver.com/features)
+- So much more to [discover](https://caddyserver.com/v2)
 ## Install
@@ -87,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 Requirements:
- [Go 1.21 or newer](https://golang.org/dl/)
+- [Go 1.20 or newer](https://golang.org/dl/)
 ### For development
@@ -26,6 +26,7 @@ import (
 	"expvar"
 	"fmt"
 	"hash"
 	"hash/fnv"
 	"io"
 	"net"
 	"net/http"
@@ -40,14 +41,13 @@ import (
 	"time"
 	"github.com/caddyserver/certmagic"
 	"github.com/cespare/xxhash/v2"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
 func init() {
-	// The hard-coded default `DefaultAdminListen` can be overridden
+	// The hard-coded default `DefaultAdminListen` can be overidden
 	// by setting the `CADDY_ADMIN` environment variable.
 	// The environment variable may be used by packagers to change
 	// the default admin address to something more appropriate for
@@ -55,6 +55,7 @@ func init() {
 	if env, exists := os.LookupEnv("CADDY_ADMIN"); exists {
 		DefaultAdminListen = env
 	}
 	RegisterNamespace("caddy.config_loaders", []interface{}{(*ConfigLoader)(nil)})
 }
 // AdminConfig configures Caddy's API endpoint, which is used
@@ -474,6 +475,7 @@ func manageIdentity(ctx Context, cfg *Config) error {
 	// import the caddytls package -- but it works
 	if cfg.Admin.Identity.IssuersRaw == nil {
 		cfg.Admin.Identity.IssuersRaw = []json.RawMessage{
 			json.RawMessage(`{"module": "zerossl"}`),
 			json.RawMessage(`{"module": "acme"}`),
 		}
 	}
@@ -945,7 +947,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {
 // etagHasher returns a the hasher we used on the config to both
 // produce and verify ETags.
-func etagHasher() hash.Hash { return xxhash.New() }
+func etagHasher() hash.Hash32 { return fnv.New32a() }
 // makeEtag returns an Etag header value (including quotes) for
 // the given config path and hash of contents at that path.
@@ -953,28 +955,17 @@ func makeEtag(path string, hash hash.Hash) string {
 	return fmt.Sprintf(`"%s %x"`, path, hash.Sum(nil))
 }
 // This buffer pool is used to keep buffers for
 // reading the config file during eTag header generation
 var bufferPool = sync.Pool{
 	New: func() any {
 		return new(bytes.Buffer)
 	},
 }
 func handleConfig(w http.ResponseWriter, r *http.Request) error {
 	switch r.Method {
 	case http.MethodGet:
 		w.Header().Set("Content-Type", "application/json")
 		// Set the ETag as a trailer header.
 		// The alternative is to write the config to a buffer, and
 		// then hash that.
 		w.Header().Set("Trailer", "ETag")
 		hash := etagHasher()
-
+		configWriter := io.MultiWriter(w, hash)
 		// Read the config into a buffer instead of writing directly to
 		// the response writer, as we want to set the ETag as the header,
 		// not the trailer.
 		buf := bufferPool.Get().(*bytes.Buffer)
 		buf.Reset()
 		defer bufferPool.Put(buf)
 		configWriter := io.MultiWriter(buf, hash)
 		err := readConfig(r.URL.Path, configWriter)
 		if err != nil {
 			return APIError{HTTPStatus: http.StatusBadRequest, Err: err}
@@ -983,10 +974,6 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 		// we could consider setting up a sync.Pool for the summed
 		// hashes to reduce GC pressure.
 		w.Header().Set("Etag", makeEtag(r.URL.Path, hash))
 		_, err = w.Write(buf.Bytes())
 		if err != nil {
 			return APIError{HTTPStatus: http.StatusInternalServerError, Err: err}
 		}
 		return nil
@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
 	"net/http"
 	"os"
@@ -39,10 +38,18 @@ import (
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 	"github.com/caddyserver/caddy/v2/internal/filesystems"
 	"github.com/caddyserver/caddy/v2/notify"
 )
 func init() {
 	RegisterNamespace("", []interface{}{
 		(*App)(nil),
 	})
 	RegisterNamespace("caddy.storage", []interface{}{
 		(*StorageConverter)(nil),
 	})
 }
 // Config is the top (or beginning) of the Caddy configuration structure.
 // Caddy config is expressed natively as a JSON document. If you prefer
 // not to work with JSON directly, there are [many config adapters](/docs/config-adapters)
@@ -74,20 +81,21 @@ type Config struct {
 	// module is `caddy.storage.file_system` (the local file system),
 	// and the default path
 	// [depends on the OS and environment](/docs/conventions#data-directory).
 	// A storage `module` should implement the following interfaces:
 	// - [StorageConverter](https://pkg.go.dev/github.com/caddyserver/caddy/v2#StorageConverter)
 	StorageRaw json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
 	// AppsRaw are the apps that Caddy will load and run. The
 	// app module name is the key, and the app's config is the
 	// associated value.
 	// An `app` should implement the following interfaces:
 	// - [caddy.App](https://pkg.go.dev/github.com/caddyserver/caddy/v2?tab=doc#App)
 	AppsRaw ModuleMap `json:"apps,omitempty" caddy:"namespace="`
 	apps    map[string]App
 	storage certmagic.Storage
 	cancelFunc context.CancelFunc
 	// filesystems is a dict of filesystems that will later be loaded from and added to.
 	filesystems FileSystems
 }
 // App is a thing that Caddy runs.
@@ -451,9 +459,6 @@ func run(newCfg *Config, start bool) (Context, error) {
 		}
 	}
 	// create the new filesystem map
 	newCfg.filesystems = &filesystems.FilesystemMap{}
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)
@@ -715,7 +720,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 	logger.Warn("exiting; byeee!! 👋")
 	exitCode := ExitCodeSuccess
 	lastContext := ActiveContext()
 	// stop all apps
 	if err := Stop(); err != nil {
@@ -737,16 +741,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 		}
 	}
 	// execute any process-exit callbacks
 	for _, exitFunc := range lastContext.exitFuncs {
 		exitFunc(ctx)
 	}
 	exitFuncsMu.Lock()
 	for _, exitFunc := range exitFuncs {
 		exitFunc(ctx)
 	}
 	exitFuncsMu.Unlock()
 	// shut down admin endpoint(s) in goroutines so that
 	// if this function was called from an admin handler,
 	// it has a chance to return gracefully
@@ -785,23 +779,6 @@ var exiting = new(int32) // accessed atomically
 // EXPERIMENTAL API: subject to change or removal.
 func Exiting() bool { return atomic.LoadInt32(exiting) == 1 }
 // OnExit registers a callback to invoke during process exit.
 // This registration is PROCESS-GLOBAL, meaning that each
 // function should only be registered once forever, NOT once
 // per config load (etc).
 //
 // EXPERIMENTAL API: subject to change or removal.
 func OnExit(f func(context.Context)) {
 	exitFuncsMu.Lock()
 	exitFuncs = append(exitFuncs, f)
 	exitFuncsMu.Unlock()
 }
 var (
 	exitFuncs   []func(context.Context)
 	exitFuncsMu sync.Mutex
 )
 // Duration can be an integer or a string. An integer is
 // interpreted as nanoseconds. If a string, it is a Go
 // time.Duration value such as `300ms`, `1.5h`, or `2h45m`;
@@ -864,7 +841,7 @@ func InstanceID() (uuid.UUID, error) {
 	appDataDir := AppDataDir()
 	uuidFilePath := filepath.Join(appDataDir, "instance.uuid")
 	uuidFileBytes, err := os.ReadFile(uuidFilePath)
-	if errors.Is(err, fs.ErrNotExist) {
+	if os.IsNotExist(err) {
 		uuid, err := uuid.NewRandom()
 		if err != nil {
 			return uuid, err
@@ -52,7 +52,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 		return nil, warnings, err
 	}
-	// lint check: see if input was properly formatted; sometimes messy files parse
+	// lint check: see if input was properly formatted; sometimes messy files files parse
 	// successfully but result in logical errors (the Caddyfile is a bad format, I'm sorry)
 	if warning, different := FormattingDifference(filename, body); different {
 		warnings = append(warnings, warning)
@@ -92,26 +92,30 @@ func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bo
 	}, true
 }
-// Unmarshaler is a type that can unmarshal Caddyfile tokens to
+// Unmarshaler is a type that can unmarshal
-// set itself up for a JSON encoding. The goal of an unmarshaler
+// Caddyfile tokens to set itself up for a
-// is not to set itself up for actual use, but to set itself up for
+// JSON encoding. The goal of an unmarshaler
-// being marshaled into JSON. Caddyfile-unmarshaled values will not
+// is not to set itself up for actual use,
-// be used directly; they will be encoded as JSON and then used from
+// but to set itself up for being marshaled
-// that. Implementations _may_ be able to support multiple segments
+// into JSON. Caddyfile-unmarshaled values
-// (instances of their directive or batch of tokens); typically this
+// will not be used directly; they will be
-// means wrapping parsing logic in a loop: `for d.Next() { ... }`.
+// encoded as JSON and then used from that.
-// More commonly, only a single segment is supported, so a simple
+// Implementations must be able to support
-// `d.Next()` at the start should be used to consume the module
+// multiple segments (instances of their
-// identifier token (directive name, etc).
+// directive or batch of tokens); typically
 // this means wrapping all token logic in
 // a loop: `for d.Next() { ... }`.
 type Unmarshaler interface {
 	UnmarshalCaddyfile(d *Dispenser) error
 }
 // ServerType is a type that can evaluate a Caddyfile and set up a caddy config.
 type ServerType interface {
-	// Setup takes the server blocks which contain tokens,
+	// Setup takes the server blocks which
-	// as well as options (e.g. CLI flags) and creates a
+	// contain tokens, as well as options
-	// Caddy config, along with any warnings or an error.
+	// (e.g. CLI flags) and creates a Caddy
 	// config, along with any warnings or
 	// an error.
 	Setup([]ServerBlock, map[string]any) (*caddy.Config, []caddyconfig.Warning, error)
 }
@@ -30,10 +30,6 @@ type Dispenser struct {
 	tokens  []Token
 	cursor  int
 	nesting int
 	// A map of arbitrary context data that can be used
 	// to pass through some information to unmarshalers.
 	context map[string]any
 }
 // NewDispenser returns a Dispenser filled with the given tokens.
@@ -458,34 +454,6 @@ func (d *Dispenser) DeleteN(amount int) []Token {
 	return d.tokens
 }
 // SetContext sets a key-value pair in the context map.
 func (d *Dispenser) SetContext(key string, value any) {
 	if d.context == nil {
 		d.context = make(map[string]any)
 	}
 	d.context[key] = value
 }
 // GetContext gets the value of a key in the context map.
 func (d *Dispenser) GetContext(key string) any {
 	if d.context == nil {
 		return nil
 	}
 	return d.context[key]
 }
 // GetContextString gets the value of a key in the context map
 // as a string, or an empty string if the key does not exist.
 func (d *Dispenser) GetContextString(key string) string {
 	if d.context == nil {
 		return ""
 	}
 	if val, ok := d.context[key].(string); ok {
 		return val
 	}
 	return ""
 }
 // isNewLine determines whether the current token is on a different
 // line (higher line number) than the previous token. It handles imported
 // tokens correctly. If there isn't a previous token, it returns true.
@@ -517,5 +485,3 @@ func (d *Dispenser) isNextOnNewLine() bool {
 	next := d.tokens[d.cursor+1]
 	return isNextOnNewLine(curr, next)
 }
 const MatcherNameCtxKey = "matcher_name"
@@ -305,7 +305,7 @@ func TestDispenser_ArgErr_Err(t *testing.T) {
 		t.Errorf("Expected error message with custom message in it ('foobar'); got '%v'", err)
 	}
-	ErrBarIsFull := errors.New("bar is full")
+	var ErrBarIsFull = errors.New("bar is full")
 	bookingError := d.Errf("unable to reserve: %w", ErrBarIsFull)
 	if !errors.Is(bookingError, ErrBarIsFull) {
 		t.Errorf("Errf(): should be able to unwrap the error chain")
@@ -17,7 +17,6 @@ package caddyfile
 import (
 	"bytes"
 	"io"
 	"slices"
 	"unicode"
 )
@@ -32,14 +31,6 @@ func Format(input []byte) []byte {
 	out := new(bytes.Buffer)
 	rdr := bytes.NewReader(input)
 	type heredocState int
 	const (
 		heredocClosed  heredocState = 0
 		heredocOpening heredocState = 1
 		heredocOpened  heredocState = 2
 	)
 	var (
 		last rune // the last character that was written to the result
@@ -56,11 +47,6 @@ func Format(input []byte) []byte {
 		quoted  bool // whether we're in a quoted segment
 		escaped bool // whether current char is escaped
 		heredoc              heredocState // whether we're in a heredoc
 		heredocEscaped       bool         // whether heredoc is escaped
 		heredocMarker        []rune
 		heredocClosingMarker []rune
 		nesting int // indentation level
 	)
@@ -89,62 +75,6 @@ func Format(input []byte) []byte {
 			panic(err)
 		}
 		// detect whether we have the start of a heredoc
 		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
 			space && last == '<' && ch == '<' {
 			write(ch)
 			heredoc = heredocOpening
 			space = false
 			continue
 		}
 		if heredoc == heredocOpening {
 			if ch == '\n' {
 				if len(heredocMarker) > 0 && heredocMarkerRegexp.MatchString(string(heredocMarker)) {
 					heredoc = heredocOpened
 				} else {
 					heredocMarker = nil
 					heredoc = heredocClosed
 					nextLine()
 					continue
 				}
 				write(ch)
 				continue
 			}
 			if unicode.IsSpace(ch) {
 				// a space means it's just a regular token and not a heredoc
 				heredocMarker = nil
 				heredoc = heredocClosed
 			} else {
 				heredocMarker = append(heredocMarker, ch)
 				write(ch)
 				continue
 			}
 		}
 		// if we're in a heredoc, all characters are read&write as-is
 		if heredoc == heredocOpened {
 			heredocClosingMarker = append(heredocClosingMarker, ch)
 			if len(heredocClosingMarker) > len(heredocMarker)+1 { // We assert that the heredocClosingMarker is followed by a unicode.Space
 				heredocClosingMarker = heredocClosingMarker[1:]
 			}
 			// check if we're done
 			if unicode.IsSpace(ch) && slices.Equal(heredocClosingMarker[:len(heredocClosingMarker)-1], heredocMarker) {
 				heredocMarker = nil
 				heredocClosingMarker = nil
 				heredoc = heredocClosed
 			} else {
 				write(ch)
 				if ch == '\n' {
 					heredocClosingMarker = heredocClosingMarker[:0]
 				}
 				continue
 			}
 		}
 		if last == '<' && space {
 			space = false
 		}
 		if comment {
 			if ch == '\n' {
 				comment = false
@@ -168,9 +98,6 @@ func Format(input []byte) []byte {
 		}
 		if escaped {
 			if ch == '<' {
 				heredocEscaped = true
 			}
 			write(ch)
 			escaped = false
 			continue
@@ -190,7 +117,6 @@ func Format(input []byte) []byte {
 		if unicode.IsSpace(ch) {
 			space = true
 			heredocEscaped = false
 			if ch == '\n' {
 				newLines++
 			}
@@ -279,11 +205,6 @@ func Format(input []byte) []byte {
 			write('{')
 			openBraceWritten = true
 		}
 		if spacePrior && ch == '<' {
 			space = true
 		}
 		write(ch)
 		beginningOfLine = false
@@ -362,76 +362,6 @@ block {
 block {
 }
 `,
 		},
 		{
 			description: "keep heredoc as-is",
 			input: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 }
 `,
 		},
 		{
 			description: "Mixing heredoc with regular part",
 			input: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten"     200
 }
 block2 {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 block2 {
 	heredoc <<HEREDOC
 	Here's more than one space       Here's more than one space
 	HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 		},
 		{
 			description: "Heredoc as regular token",
 			input: `block {
 	heredoc <<HEREDOC                                 "More than one space will be eaten"
 }
 `,
 			expect: `block {
 	heredoc <<HEREDOC "More than one space will be eaten"
 }
 `,
 		},
 		{
 			description: "Escape heredoc",
 			input: `block {
 	heredoc \<<HEREDOC
 	respond "More than one space will be eaten"                           200
 }
 `,
 			expect: `block {
 	heredoc \<<HEREDOC
 	respond "More than one space will be eaten" 200
 }
 `,
 		},
 	} {
@@ -21,18 +21,18 @@ import (
 type adjacency map[string][]string
 type importGraph struct {
-	nodes map[string]struct{}
+	nodes map[string]bool
 	edges adjacency
 }
 func (i *importGraph) addNode(name string) {
 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if _, exists := i.nodes[name]; exists {
 		return
 	}
-	i.nodes[name] = struct{}{}
+	i.nodes[name] = true
 }
 func (i *importGraph) addNodes(names []string) {
@@ -66,7 +66,7 @@ func (i *importGraph) addEdge(from, to string) error {
 	}
 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if i.edges == nil {
 		i.edges = make(adjacency)
@@ -186,7 +186,7 @@ func (l *lexer) next() (bool, error) {
 			}
 			// check if we're done, i.e. that the last few characters are the marker
-			if len(val) >= len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
+			if len(val) > len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
 				// set the final value
 				val, err = l.finalizeHeredoc(val, heredocMarker)
 				if err != nil {
@@ -313,11 +313,6 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 	// iterate over each line and strip the whitespace from the front
 	var out string
 	for lineNum, lineText := range lines[:len(lines)-1] {
 		if lineText == "" || lineText == "\r" {
 			out += "\n"
 			continue
 		}
 		// find an exact match for the padding
 		index := strings.Index(lineText, paddingToStrip)
@@ -285,18 +285,6 @@ EOF same-line-arg
 		},
 		{
 			input: []byte(`heredoc <<EOF
 EOF
 	HERE same-line-arg
 	`),
 			expected: []Token{
 				{Line: 1, Text: `heredoc`},
 				{Line: 1, Text: ``},
 				{Line: 3, Text: `HERE`},
 				{Line: 3, Text: `same-line-arg`},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 		EOF same-line-arg
 	`),
 			expected: []Token{
@@ -457,48 +445,6 @@ EOF
 			expectErr:    true,
 			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #2 [        content], expected whitespace [\t\t] to match the closing marker",
 		},
 		{
 			input: []byte(`heredoc <<EOF
 The next line is a blank line
 The previous line is a blank line
 EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "The next line is a blank line\n\nThe previous line is a blank line"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 	One tab indented heredoc with blank next line
 	One tab indented heredoc with blank previous line
 	EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "One tab indented heredoc with blank next line\n\nOne tab indented heredoc with blank previous line"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 The next line is a blank line with one tab
 The previous line is a blank line with one tab
 EOF`),
 			expected: []Token{
 				{Line: 1, Text: "heredoc"},
 				{Line: 1, Text: "The next line is a blank line with one tab\n\t\nThe previous line is a blank line with one tab"},
 			},
 		},
 		{
 			input: []byte(`heredoc <<EOF
 		The next line is a blank line with one tab less than the correct indentation
 		The previous line is a blank line with one tab less than the correct indentation
 		EOF`),
 			expectErr:    true,
 			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #3 [\t], expected whitespace [\t\t] to match the closing marker",
 		},
 	}
 	for i, testCase := range testCases {
@@ -50,7 +50,7 @@ func Parse(filename string, input []byte) ([]ServerBlock, error) {
 	p := parser{
 		Dispenser: NewDispenser(tokens),
 		importGraph: importGraph{
-			nodes: make(map[string]struct{}),
+			nodes: make(map[string]bool),
 			edges: make(adjacency),
 		},
 	}
@@ -160,14 +160,14 @@ func (p *parser) begin() error {
 	}
 	if ok, name := p.isNamedRoute(); ok {
 		// named routes only have one key, the route name
 		p.block.Keys = []string{name}
 		p.block.IsNamedRoute = true
 		// we just need a dummy leading token to ease parsing later
 		nameToken := p.Token()
 		nameToken.Text = name
 		// named routes only have one key, the route name
 		p.block.Keys = []Token{nameToken}
 		p.block.IsNamedRoute = true
 		// get all the tokens from the block, including the braces
 		tokens, err := p.blockTokens(true)
 		if err != nil {
@@ -211,11 +211,10 @@ func (p *parser) addresses() error {
 	var expectingAnother bool
 	for {
-		value := p.Val()
+		tkn := p.Val()
 		token := p.Token()
 		// special case: import directive replaces tokens during parse-time
-		if value == "import" && p.isNewLine() {
+		if tkn == "import" && p.isNewLine() {
 			err := p.doImport(0)
 			if err != nil {
 				return err
@@ -224,9 +223,9 @@ func (p *parser) addresses() error {
 		}
 		// Open brace definitely indicates end of addresses
-		if value == "{" {
+		if tkn == "{" {
 			if expectingAnother {
-				return p.Errf("Expected another address but had '%s' - check for extra comma", value)
+				return p.Errf("Expected another address but had '%s' - check for extra comma", tkn)
 			}
 			// Mark this server block as being defined with braces.
 			// This is used to provide a better error message when
@@ -238,15 +237,15 @@ func (p *parser) addresses() error {
 		}
 		// Users commonly forget to place a space between the address and the '{'
-		if strings.HasSuffix(value, "{") {
+		if strings.HasSuffix(tkn, "{") {
-			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", value)
+			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", tkn)
 		}
-		if value != "" { // empty token possible if user typed ""
+		if tkn != "" { // empty token possible if user typed ""
 			// Trailing comma indicates another address will follow, which
 			// may possibly be on the next line
-			if value[len(value)-1] == ',' {
+			if tkn[len(tkn)-1] == ',' {
-				value = value[:len(value)-1]
+				tkn = tkn[:len(tkn)-1]
 				expectingAnother = true
 			} else {
 				expectingAnother = false // but we may still see another one on this line
@@ -255,12 +254,11 @@ func (p *parser) addresses() error {
 			// If there's a comma here, it's probably because they didn't use a space
 			// between their two domains, e.g. "foo.com,bar.com", which would not be
 			// parsed as two separate site addresses.
-			if strings.Contains(value, ",") {
+			if strings.Contains(tkn, ",") {
-				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", value)
+				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", tkn)
 			}
-			token.Text = value
+			p.block.Keys = append(p.block.Keys, tkn)
 			p.block.Keys = append(p.block.Keys, token)
 		}
 		// Advance token and possibly break out of loop or return error
@@ -395,6 +393,7 @@ func (p *parser) doImport(nesting int) error {
 			return p.Errf("Glob pattern may only contain one wildcard (*), but has others: %s", globPattern)
 		}
 		matches, err = filepath.Glob(globPattern)
 		if err != nil {
 			return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
 		}
@@ -638,8 +637,8 @@ func (p *parser) closeCurlyBrace() error {
 func (p *parser) isNamedRoute() (bool, string) {
 	keys := p.block.Keys
 	// A named route block is a single key with parens, prefixed with &.
-	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "&(") && strings.HasSuffix(keys[0].Text, ")") {
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "&(") && strings.HasSuffix(keys[0], ")") {
-		return true, strings.TrimSuffix(keys[0].Text[2:], ")")
+		return true, strings.TrimSuffix(keys[0][2:], ")")
 	}
 	return false, ""
 }
@@ -647,8 +646,8 @@ func (p *parser) isNamedRoute() (bool, string) {
 func (p *parser) isSnippet() (bool, string) {
 	keys := p.block.Keys
 	// A snippet block is a single key with parens. Nothing else qualifies.
-	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "(") && strings.HasSuffix(keys[0].Text, ")") {
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "(") && strings.HasSuffix(keys[0], ")") {
-		return true, strings.TrimSuffix(keys[0].Text[1:], ")")
+		return true, strings.TrimSuffix(keys[0][1:], ")")
 	}
 	return false, ""
 }
@@ -692,19 +691,11 @@ func (p *parser) blockTokens(retainCurlies bool) ([]Token, error) {
 // grouped by segments.
 type ServerBlock struct {
 	HasBraces    bool
-	Keys         []Token
+	Keys         []string
 	Segments     []Segment
 	IsNamedRoute bool
 }
 func (sb ServerBlock) GetKeysText() []string {
 	res := []string{}
 	for _, k := range sb.Keys {
 		res = append(res, k.Text)
 	}
 	return res
 }
 // DispenseDirective returns a dispenser that contains
 // all the tokens in the server block.
 func (sb ServerBlock) DispenseDirective(dir string) *Dispenser {
@@ -22,7 +22,7 @@ import (
 )
 func TestParseVariadic(t *testing.T) {
-	args := make([]string, 10)
+	var args = make([]string, 10)
 	for i, tc := range []struct {
 		input  string
 		result bool
@@ -111,6 +111,7 @@ func TestAllTokens(t *testing.T) {
 	input := []byte("a b c\nd e")
 	expected := []string{"a", "b", "c", "d", "e"}
 	tokens, err := allTokens("TestAllTokens", input)
 	if err != nil {
 		t.Fatalf("Expected no error, got %v", err)
 	}
@@ -148,8 +149,7 @@ func TestParseOneAndImport(t *testing.T) {
 			"localhost",
 		}, []int{1}},
-		{
+		{`localhost:1234
 			`localhost:1234
 		  dir1 foo bar`, false, []string{
 			"localhost:1234",
 		}, []int{3},
@@ -347,7 +347,7 @@ func TestParseOneAndImport(t *testing.T) {
 				i, len(test.keys), len(result.Keys))
 			continue
 		}
-		for j, addr := range result.GetKeysText() {
+		for j, addr := range result.Keys {
 			if addr != test.keys[j] {
 				t.Errorf("Test %d, key %d: Expected '%s', but was '%s'",
 					i, j, test.keys[j], addr)
@@ -379,9 +379,8 @@ func TestRecursiveImport(t *testing.T) {
 	}
 	isExpected := func(got ServerBlock) bool {
-		textKeys := got.GetKeysText()
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
-		if len(textKeys) != 1 || textKeys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
 			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -408,13 +407,13 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import recursive_import_test2`), 0o644)
+		import recursive_import_test2`), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer os.Remove(recursiveFile1)
-	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0o644)
+	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -442,7 +441,7 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import `+recursiveFile2), 0o644)
+		import `+recursiveFile2), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -475,9 +474,8 @@ func TestDirectiveImport(t *testing.T) {
 	}
 	isExpected := func(got ServerBlock) bool {
-		textKeys := got.GetKeysText()
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
-		if len(textKeys) != 1 || textKeys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
 			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -497,7 +495,7 @@ func TestDirectiveImport(t *testing.T) {
 	}
 	err = os.WriteFile(directiveFile, []byte(`prop1 1
-	prop2 2`), 0o644)
+	prop2 2`), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -618,7 +616,7 @@ func TestParseAll(t *testing.T) {
 					i, len(test.keys[j]), j, len(block.Keys))
 				continue
 			}
-			for k, addr := range block.GetKeysText() {
+			for k, addr := range block.Keys {
 				if addr != test.keys[j][k] {
 					t.Errorf("Test %d, block %d, key %d: Expected '%s', but got '%s'",
 						i, j, k, test.keys[j][k], addr)
@@ -771,7 +769,7 @@ func TestSnippets(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 2 {
@@ -803,7 +801,7 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	fileName := writeStringToTempFileOrDie(t, `
 		http://example.com {
 			# This isn't an import directive, it's just an arg with value 'import'
-			basic_auth / import password
+			basicauth / import password
 		}
 	`)
 	// Parse the root file that imports the other one.
@@ -814,12 +812,12 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	}
 	auth := blocks[0].Segments[0]
 	line := auth[0].Text + " " + auth[1].Text + " " + auth[2].Text + " " + auth[3].Text
-	if line != "basic_auth / import password" {
+	if line != "basicauth / import password" {
 		// Previously, it would be changed to:
-		//   basic_auth / import /path/to/test/dir/password
+		//   basicauth / import /path/to/test/dir/password
 		// referencing a file that (probably) doesn't exist and changing the
 		// password!
-		t.Errorf("Expected basic_auth tokens to be 'basic_auth / import password' but got %#q", line)
+		t.Errorf("Expected basicauth tokens to be 'basicauth / import password' but got %#q", line)
 	}
 }
@@ -846,7 +844,7 @@ func TestSnippetAcrossMultipleFiles(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 1 {
@@ -88,15 +88,15 @@ func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBloc
 		// will be served by them; this has the effect of treating each
 		// key of a server block as its own, but without having to repeat its
 		// contents in cases where multiple keys really can be served together
-		addrToKeys := make(map[string][]caddyfile.Token)
+		addrToKeys := make(map[string][]string)
 		for j, key := range sblock.block.Keys {
 			// a key can have multiple listener addresses if there are multiple
 			// arguments to the 'bind' directive (although they will all have
 			// the same port, since the port is defined by the key or is implicit
 			// through automatic HTTPS)
-			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key.Text, options)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key, options)
 			if err != nil {
-				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key.Text, err)
+				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key, err)
 			}
 			// associate this key with each listener address it is served on
@@ -122,9 +122,9 @@ func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBloc
 			// parse keys so that we only have to do it once
 			parsedKeys := make([]Address, 0, len(keys))
 			for _, key := range keys {
-				addr, err := ParseAddress(key.Text)
+				addr, err := ParseAddress(key)
 				if err != nil {
-					return nil, fmt.Errorf("parsing key '%s': %v", key.Text, err)
+					return nil, fmt.Errorf("parsing key '%s': %v", key, err)
 				}
 				parsedKeys = append(parsedKeys, addr.Normalize())
 			}
@@ -15,16 +15,19 @@
 package httpcaddyfile
 import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"html"
 	"net/http"
 	"os"
 	"reflect"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap/zapcore"
 	"github.com/caddyserver/caddy/v2"
@@ -37,8 +40,7 @@ import (
 func init() {
 	RegisterDirective("bind", parseBind)
 	RegisterDirective("tls", parseTLS)
-	RegisterHandlerDirective("fs", parseFilesystem)
+	RegisterHandlerDirective("root", parseRoot)
 	RegisterDirective("root", parseRoot)
 	RegisterHandlerDirective("vars", parseVars)
 	RegisterHandlerDirective("redir", parseRedir)
 	RegisterHandlerDirective("respond", parseRespond)
@@ -49,16 +51,18 @@ func init() {
 	RegisterDirective("handle_errors", parseHandleErrors)
 	RegisterHandlerDirective("invoke", parseInvoke)
 	RegisterDirective("log", parseLog)
-	RegisterHandlerDirective("skip_log", parseLogSkip)
+	RegisterHandlerDirective("skip_log", parseSkipLog)
 	RegisterHandlerDirective("log_skip", parseLogSkip)
 }
 // parseBind parses the bind directive. Syntax:
 //
 //	bind <addresses...>
 func parseBind(h Helper) ([]ConfigValue, error) {
-	h.Next() // consume directive name
+	var lnHosts []string
-	return []ConfigValue{{Class: "bind", Value: h.RemainingArgs()}}, nil
+	for h.Next() {
 		lnHosts = append(lnHosts, h.RemainingArgs()...)
 	}
 	return h.NewBindAddresses(lnHosts), nil
 }
 // parseTLS parses the tls directive. Syntax:
@@ -69,7 +73,8 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    curves    <curves...>
 //	    client_auth {
 //	        mode                   [request|require|verify_if_given|require_and_verify]
-//	        trust_pool			   <module_name> [...]
+//	        trusted_ca_cert        <base64_der>
 //	        trusted_ca_cert_file   <filename>
 //	        trusted_leaf_cert      <base64_der>
 //	        trusted_leaf_cert_file <filename>
 //	    }
@@ -85,15 +90,12 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    dns_ttl                       <duration>
 //	    dns_challenge_override_domain <domain>
 //	    on_demand
 //	    reuse_private_keys
 //	    eab                           <key_id> <mac_key>
 //	    issuer                        <module_name> [...]
 //	    get_certificate               <module_name> [...]
 //	    insecure_secrets_log          <log_file>
 //	}
 func parseTLS(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
 	cp := new(caddytls.ConnectionPolicy)
 	var fileLoader caddytls.FileLoader
 	var folderLoader caddytls.FolderLoader
@@ -104,8 +106,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var issuers []certmagic.Issuer
 	var certManagers []certmagic.Manager
 	var onDemand bool
 	var reusePrivateKeys bool
 	for h.Next() {
 		// file certificate loader
 		firstLine := h.RemainingArgs()
 		switch len(firstLine) {
 		case 0:
@@ -115,13 +118,13 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			} else if !strings.Contains(firstLine[0], "@") {
 				return nil, h.Err("single argument must either be 'internal' or an email address")
 			} else {
-			acmeIssuer = &caddytls.ACMEIssuer{
+				if acmeIssuer == nil {
-				Email: firstLine[0],
+					acmeIssuer = new(caddytls.ACMEIssuer)
 				}
 				acmeIssuer.Email = firstLine[0]
 			}
 		case 2:
 		// file certificate loader
 			certFilename := firstLine[0]
 			keyFilename := firstLine[1]
@@ -171,7 +174,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		}
 		var hasBlock bool
-	for h.NextBlock(0) {
+		for nesting := h.Nesting(); h.NextBlock(nesting); {
 			hasBlock = true
 			switch h.Val() {
@@ -211,9 +214,55 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			case "client_auth":
 				cp.ClientAuthentication = &caddytls.ClientAuthentication{}
-			if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil {
+				for nesting := h.Nesting(); h.NextBlock(nesting); {
 					subdir := h.Val()
 					switch subdir {
 					case "mode":
 						if !h.Args(&cp.ClientAuthentication.Mode) {
 							return nil, h.ArgErr()
 						}
 						if h.NextArg() {
 							return nil, h.ArgErr()
 						}
 					case "trusted_ca_cert",
 						"trusted_leaf_cert":
 						if !h.NextArg() {
 							return nil, h.ArgErr()
 						}
 						if subdir == "trusted_ca_cert" {
 							cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val())
 						} else {
 							cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val())
 						}
 					case "trusted_ca_cert_file",
 						"trusted_leaf_cert_file":
 						if !h.NextArg() {
 							return nil, h.ArgErr()
 						}
 						filename := h.Val()
 						certDataPEM, err := os.ReadFile(filename)
 						if err != nil {
 							return nil, err
 						}
 						block, _ := pem.Decode(certDataPEM)
 						if block == nil || block.Type != "CERTIFICATE" {
 							return nil, h.Errf("no CERTIFICATE pem block found in %s", h.Val())
 						}
 						if subdir == "trusted_ca_cert_file" {
 							cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts,
 								base64.StdEncoding.EncodeToString(block.Bytes))
 						} else {
 							cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts,
 								base64.StdEncoding.EncodeToString(block.Bytes))
 						}
 					default:
 						return nil, h.Errf("unknown subdirective for client_auth: %s", subdir)
 					}
 				}
 			case "alpn":
 				args := h.RemainingArgs()
 				if len(args) == 0 {
@@ -424,12 +473,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 				}
 				onDemand = true
 		case "reuse_private_keys":
 			if h.NextArg() {
 				return nil, h.ArgErr()
 			}
 			reusePrivateKeys = true
 			case "insecure_secrets_log":
 				if !h.NextArg() {
 					return nil, h.ArgErr()
@@ -445,6 +488,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		if len(firstLine) == 0 && !hasBlock {
 			return nil, h.ArgErr()
 		}
 	}
 	// begin building the final config values
 	configVals := []ConfigValue{}
@@ -486,24 +530,19 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	case acmeIssuer != nil:
 		// implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
-		defaultIssuers := caddytls.DefaultIssuers(acmeIssuer.Email)
+		defaultIssuers := caddytls.DefaultIssuers()
-		// if an ACME CA endpoint was set, the user expects to use that specific one,
+		// if a CA endpoint was set, override multiple implicit issuers since it's a specific one
 		// not any others that may be defaults, so replace all defaults with that ACME CA
 		if acmeIssuer.CA != "" {
 			defaultIssuers = []certmagic.Issuer{acmeIssuer}
 		}
 		for _, issuer := range defaultIssuers {
-			// apply settings from the implicitly-configured ACMEIssuer to any
+			switch iss := issuer.(type) {
-			// default ACMEIssuers, but preserve each default issuer's CA endpoint,
+			case *caddytls.ACMEIssuer:
-			// because, for example, if you configure the DNS challenge, it should
+				issuer = acmeIssuer
-			// apply to any of the default ACMEIssuers, but you don't want to trample
+			case *caddytls.ZeroSSLIssuer:
-			// out their unique CA endpoints
+				iss.ACMEIssuer = acmeIssuer
 			if iss, ok := issuer.(*caddytls.ACMEIssuer); ok && iss != nil {
 				acmeCopy := *acmeIssuer
 				acmeCopy.CA = iss.CA
 				issuer = &acmeCopy
 			}
 			configVals = append(configVals, ConfigValue{
 				Class: "tls.cert_issuer",
@@ -540,14 +579,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		})
 	}
 	// reuse private keys TLS
 	if reusePrivateKeys {
 		configVals = append(configVals, ConfigValue{
 			Class: "tls.reuse_private_keys",
 			Value: true,
 		})
 	}
 	// custom certificate selection
 	if len(certSelector.AnyTag) > 0 {
 		cp.CertSelection = &certSelector
@@ -569,53 +600,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 // parseRoot parses the root directive. Syntax:
 //
 //	root [<matcher>] <path>
-func parseRoot(h Helper) ([]ConfigValue, error) {
+func parseRoot(h Helper) (caddyhttp.MiddlewareHandler, error) {
-	h.Next() // consume directive name
+	var root string
-
+	for h.Next() {
 	// count the tokens to determine what to do
 	argsCount := h.CountRemainingArgs()
 	if argsCount == 0 {
 		return nil, h.Errf("too few arguments; must have at least a root path")
 	}
 	if argsCount > 2 {
 		return nil, h.Errf("too many arguments; should only be a matcher and a path")
 	}
 	// with only one arg, assume it's a root path with no matcher token
 	if argsCount == 1 {
 		if !h.NextArg() {
 			return nil, h.ArgErr()
 		}
 		return h.NewRoute(nil, caddyhttp.VarsMiddleware{"root": h.Val()}), nil
 	}
 	// parse the matcher token into a matcher set
 	userMatcherSet, err := h.ExtractMatcherSet()
 	if err != nil {
 		return nil, err
 	}
 	h.Next() // consume directive name again, matcher parsing does a reset
 	// advance to the root path
 	if !h.NextArg() {
 		return nil, h.ArgErr()
 	}
 	// make the route with the matcher
 	return h.NewRoute(userMatcherSet, caddyhttp.VarsMiddleware{"root": h.Val()}), nil
 }
 // parseFilesystem parses the fs directive. Syntax:
 //
 //	fs <filesystem>
 func parseFilesystem(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	h.Next() // consume directive name
 		if !h.NextArg() {
 			return nil, h.ArgErr()
 		}
 		root = h.Val()
 		if h.NextArg() {
 			return nil, h.ArgErr()
 		}
-	return caddyhttp.VarsMiddleware{"fs": h.Val()}, nil
+	}
 	return caddyhttp.VarsMiddleware{"root": root}, nil
 }
 // parseVars parses the vars directive. See its UnmarshalCaddyfile method for syntax.
@@ -635,7 +631,10 @@ func parseVars(h Helper) (caddyhttp.MiddlewareHandler, error) {
 // respond with HTTP 200 and no Location header; redirect is performed
 // with JS and a meta tag).
 func parseRedir(h Helper) (caddyhttp.MiddlewareHandler, error) {
-	h.Next() // consume directive name
+	if !h.Next() {
 		return nil, h.ArgErr()
 	}
 	if !h.NextArg() {
 		return nil, h.ArgErr()
 	}
@@ -651,10 +650,8 @@ func parseRedir(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	switch code {
 	case "permanent":
 		code = "301"
 	case "temporary", "":
 		code = "302"
 	case "html":
 		// Script tag comes first since that will better imitate a redirect in the browser's
 		// history, but the meta tag is a fallback for most non-JS clients.
@@ -670,9 +667,7 @@ func parseRedir(h Helper) (caddyhttp.MiddlewareHandler, error) {
 `
 		safeTo := html.EscapeString(to)
 		body = fmt.Sprintf(metaRedir, safeTo, safeTo, safeTo, safeTo)
 		hdr = http.Header{"Content-Type": []string{"text/html; charset=utf-8"}}
 		code = "200" // don't redirect non-browser clients
 	default:
 		// Allow placeholders for the code
 		if strings.HasPrefix(code, "{") {
@@ -711,7 +706,10 @@ func parseRedir(h Helper) (caddyhttp.MiddlewareHandler, error) {
 func parseRespond(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	sr := new(caddyhttp.StaticResponse)
 	err := sr.UnmarshalCaddyfile(h.Dispenser)
-	return sr, err
+	if err != nil {
 		return nil, err
 	}
 	return sr, nil
 }
 // parseAbort parses the abort directive.
@@ -727,7 +725,10 @@ func parseAbort(h Helper) (caddyhttp.MiddlewareHandler, error) {
 func parseError(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	se := new(caddyhttp.StaticError)
 	err := se.UnmarshalCaddyfile(h.Dispenser)
-	return se, err
+	if err != nil {
 		return nil, err
 	}
 	return se, nil
 }
 // parseRoute parses the route directive.
@@ -753,67 +754,10 @@ func parseHandle(h Helper) (caddyhttp.MiddlewareHandler, error) {
 }
 func parseHandleErrors(h Helper) ([]ConfigValue, error) {
-	h.Next() // consume directive name
+	subroute, err := ParseSegmentAsSubroute(h)
 	expression := ""
 	args := h.RemainingArgs()
 	if len(args) > 0 {
 		codes := []string{}
 		for _, val := range args {
 			if len(val) != 3 {
 				return nil, h.Errf("bad status value '%s'", val)
 			}
 			if strings.HasSuffix(val, "xx") {
 				val = val[:1]
 				_, err := strconv.Atoi(val)
 				if err != nil {
 					return nil, h.Errf("bad status value '%s': %v", val, err)
 				}
 				if expression != "" {
 					expression += " || "
 				}
 				expression += fmt.Sprintf("{http.error.status_code} >= %s00 && {http.error.status_code} <= %s99", val, val)
 				continue
 			}
 			_, err := strconv.Atoi(val)
 			if err != nil {
 				return nil, h.Errf("bad status value '%s': %v", val, err)
 			}
 			codes = append(codes, val)
 		}
 		if len(codes) > 0 {
 			if expression != "" {
 				expression += " || "
 			}
 			expression += "{http.error.status_code} in [" + strings.Join(codes, ", ") + "]"
 		}
 		// Reset cursor position to get ready for ParseSegmentAsSubroute
 		h.Reset()
 		h.Next()
 		h.RemainingArgs()
 		h.Prev()
 	} else {
 		// If no arguments present reset the cursor position to get ready for ParseSegmentAsSubroute
 		h.Prev()
 	}
 	handler, err := ParseSegmentAsSubroute(h)
 	if err != nil {
 		return nil, err
 	}
 	subroute, ok := handler.(*caddyhttp.Subroute)
 	if !ok {
 		return nil, h.Errf("segment was not parsed as a subroute")
 	}
 	if expression != "" {
 		statusMatcher := caddy.ModuleMap{
 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 		}
 		for i := range subroute.Routes {
 			subroute.Routes[i].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
 		}
 	}
 	return []ConfigValue{
 		{
 			Class: "error_route",
@@ -860,14 +804,12 @@ func parseLog(h Helper) ([]ConfigValue, error) {
 // level. The parseAsGlobalOption parameter is used to distinguish any differing logic
 // between the two.
 func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue, error) {
 	h.Next() // consume option name
 	// When the globalLogNames parameter is passed in, we make
 	// modifications to the parsing behavior.
 	parseAsGlobalOption := globalLogNames != nil
 	var configValues []ConfigValue
-
+	for h.Next() {
 		// Logic below expects that a name is always present when a
 		// global option is being parsed; or an optional override
 		// is supported for access logs.
@@ -1039,22 +981,18 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 			Class: "custom_log",
 			Value: val,
 		})
 	}
 	return configValues, nil
 }
-// parseLogSkip parses the log_skip directive. Syntax:
+// parseSkipLog parses the skip_log directive. Syntax:
 //
-//	log_skip [<matcher>]
+//	skip_log [<matcher>]
-func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
+func parseSkipLog(h Helper) (caddyhttp.MiddlewareHandler, error) {
-	h.Next() // consume directive name
+	for h.Next() {
 	// "skip_log" is deprecated, replaced by "log_skip"
 	if h.Val() == "skip_log" {
 		caddy.Log().Named("config.adapter.caddyfile").Warn("the 'skip_log' directive is deprecated, please use 'log_skip' instead!")
 	}
 		if h.NextArg() {
 			return nil, h.ArgErr()
 		}
-	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
+	}
 	return caddyhttp.VarsMiddleware{"skip_log": true}, nil
 }
@@ -27,32 +27,22 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
-// defaultDirectiveOrder specifies the default order
+// directiveOrder specifies the order
-// to apply directives in HTTP routes. This must only
+// to apply directives in HTTP routes.
 // consist of directives that are included in Caddy's
 // standard distribution.
 //
-// e.g. The 'root' directive goes near the start in
+// The root directive goes first in case rewrites or
-// case rewrites or redirects depend on existence of
+// redirects depend on existence of files, i.e. the
-// files, i.e. the file matcher, which must know the
+// file matcher, which must know the root first.
 // root first.
 //
-// e.g. The 'header' directive goes before 'redir' so
+// The header directive goes second so that headers
-// that headers can be manipulated before doing redirects.
+// can be manipulated before doing redirects.
-//
+var directiveOrder = []string{
 // e.g. The 'respond' directive is near the end because it
 // writes a response and terminates the middleware chain.
 var defaultDirectiveOrder = []string{
 	"tracing",
 	// set variables that may be used by other directives
 	"map",
 	"vars",
 	"fs",
 	"root",
-	"log_append",
+	"skip_log",
 	"skip_log", // TODO: deprecated, renamed to log_skip
 	"log_skip",
 	"header",
 	"copy_response_headers", // only in reverse_proxy's handle_response
@@ -67,8 +57,7 @@ var defaultDirectiveOrder = []string{
 	"try_files",
 	// middleware handlers; some wrap responses
-	"basicauth", // TODO: deprecated, renamed to basic_auth
+	"basicauth",
 	"basic_auth",
 	"forward_auth",
 	"request_header",
 	"encode",
@@ -93,11 +82,6 @@ var defaultDirectiveOrder = []string{
 	"acme_server",
 }
 // directiveOrder specifies the order to apply directives
 // in HTTP routes, after being modified by either the
 // plugins or by the user via the "order" global option.
 var directiveOrder = defaultDirectiveOrder
 // directiveIsOrdered returns true if dir is
 // a known, ordered (sorted) directive.
 func directiveIsOrdered(dir string) bool {
@@ -144,58 +128,6 @@ func RegisterHandlerDirective(dir string, setupFunc UnmarshalHandlerFunc) {
 	})
 }
 // RegisterDirectiveOrder registers the default order for a
 // directive from a plugin.
 //
 // This is useful when a plugin has a well-understood place
 // it should run in the middleware pipeline, and it allows
 // users to avoid having to define the order themselves.
 //
 // The directive dir may be placed in the position relative
 // to ('before' or 'after') a directive included in Caddy's
 // standard distribution. It cannot be relative to another
 // plugin's directive.
 //
 // EXPERIMENTAL: This API may change or be removed.
 func RegisterDirectiveOrder(dir string, position Positional, standardDir string) {
 	// check if directive was already ordered
 	if directiveIsOrdered(dir) {
 		panic("directive '" + dir + "' already ordered")
 	}
 	if position != Before && position != After {
 		panic("the 2nd argument must be either 'before' or 'after', got '" + position + "'")
 	}
 	// check if directive exists in standard distribution, since
 	// we can't allow plugins to depend on one another; we can't
 	// guarantee the order that plugins are loaded in.
 	foundStandardDir := false
 	for _, d := range defaultDirectiveOrder {
 		if d == standardDir {
 			foundStandardDir = true
 		}
 	}
 	if !foundStandardDir {
 		panic("the 3rd argument '" + standardDir + "' must be a directive that exists in the standard distribution of Caddy")
 	}
 	// insert directive into proper position
 	newOrder := directiveOrder
 	for i, d := range newOrder {
 		if d != standardDir {
 			continue
 		}
 		if position == Before {
 			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
 		} else if position == After {
 			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
 		}
 		break
 	}
 	directiveOrder = newOrder
 }
 // RegisterGlobalOption registers a unique global option opt with
 // an associated unmarshaling (setup) function. When the global
 // option opt is encountered in a Caddyfile, setupFunc will be
@@ -338,6 +270,12 @@ func (h Helper) GroupRoutes(vals []ConfigValue) {
 	}
 }
 // NewBindAddresses returns config values relevant to adding
 // listener bind addresses to the config.
 func (h Helper) NewBindAddresses(addrs []string) []ConfigValue {
 	return []ConfigValue{{Class: "bind", Value: addrs}}
 }
 // WithDispenser returns a new instance based on d. All others Helper
 // fields are copied, so typically maps are shared with this new instance.
 func (h Helper) WithDispenser(d *caddyfile.Dispenser) Helper {
@@ -620,16 +558,6 @@ func (sb serverBlock) isAllHTTP() bool {
 	return true
 }
 // Positional are the supported modes for ordering directives.
 type Positional string
 const (
 	Before Positional = "before"
 	After  Positional = "after"
 	First  Positional = "first"
 	Last   Positional = "last"
 )
 type (
 	// UnmarshalFunc is a function which can unmarshal Caddyfile
 	// tokens into zero or more config values using a Helper type.
@@ -31,23 +31,20 @@ func TestHostsFromKeys(t *testing.T) {
 			[]Address{
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{},
+			[]string{}, []string{},
 			[]string{},
 		},
 		{
 			[]Address{
 				{Original: ":443", Port: "443"},
 			},
-			[]string{},
+			[]string{}, []string{},
 			[]string{},
 		},
 		{
 			[]Address{
 				{Original: "foo", Host: "foo"},
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{},
+			[]string{}, []string{"foo"},
 			[]string{"foo"},
 		},
 		{
 			[]Address{
@@ -19,12 +19,12 @@ import (
 	"fmt"
 	"net"
 	"reflect"
 	"slices"
 	"sort"
 	"strconv"
 	"strings"
 	"go.uber.org/zap"
 	"golang.org/x/exp/slices"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -65,11 +65,8 @@ func (st ServerType) Setup(
 	originalServerBlocks := make([]serverBlock, 0, len(inputServerBlocks))
 	for _, sblock := range inputServerBlocks {
 		for j, k := range sblock.Keys {
-			if j == 0 && strings.HasPrefix(k.Text, "@") {
+			if j == 0 && strings.HasPrefix(k, "@") {
-				return nil, warnings, fmt.Errorf("%s:%d: cannot define a matcher outside of a site block: '%s'", k.File, k.Line, k.Text)
+				return nil, warnings, fmt.Errorf("cannot define a matcher outside of a site block: '%s'", k)
 			}
 			if _, ok := registeredDirectives[k.Text]; ok {
 				return nil, warnings, fmt.Errorf("%s:%d: parsed '%s' as a site address, but it is a known directive; directives must appear in a site block", k.File, k.Line, k.Text)
 			}
 		}
 		originalServerBlocks = append(originalServerBlocks, serverBlock{
@@ -274,12 +271,6 @@ func (st ServerType) Setup(
 	if !reflect.DeepEqual(pkiApp, &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}) {
 		cfg.AppsRaw["pki"] = caddyconfig.JSON(pkiApp, &warnings)
 	}
 	if filesystems, ok := options["filesystem"].(caddy.Module); ok {
 		cfg.AppsRaw["caddy.filesystems"] = caddyconfig.JSON(
 			filesystems,
 			&warnings)
 	}
 	if storageCvtr, ok := options["storage"].(caddy.StorageConverter); ok {
 		cfg.StorageRaw = caddyconfig.JSONModuleObject(storageCvtr,
 			"module",
@@ -289,6 +280,7 @@ func (st ServerType) Setup(
 	if adminConfig, ok := options["admin"].(*caddy.AdminConfig); ok && adminConfig != nil {
 		cfg.Admin = adminConfig
 	}
 	if pc, ok := options["persist_config"].(string); ok && pc == "off" {
 		if cfg.Admin == nil {
 			cfg.Admin = new(caddy.AdminConfig)
@@ -493,7 +485,7 @@ func (ServerType) extractNamedRoutes(
 			route.HandlersRaw = []json.RawMessage{caddyconfig.JSONModuleObject(handler, "handler", subroute.CaddyModule().ID.Name(), h.warnings)}
 		}
-		namedRoutes[sb.block.GetKeysText()[0]] = &route
+		namedRoutes[sb.block.Keys[0]] = &route
 	}
 	options["named_routes"] = namedRoutes
@@ -531,12 +523,12 @@ func (st *ServerType) serversFromPairings(
 		// address), otherwise their routes will improperly be added
 		// to the same server (see issue #4635)
 		for j, sblock1 := range p.serverBlocks {
-			for _, key := range sblock1.block.GetKeysText() {
+			for _, key := range sblock1.block.Keys {
 				for k, sblock2 := range p.serverBlocks {
 					if k == j {
 						continue
 					}
-					if sliceContains(sblock2.block.GetKeysText(), key) {
+					if sliceContains(sblock2.block.Keys, key) {
 						return nil, fmt.Errorf("ambiguous site definition: %s", key)
 					}
 				}
@@ -777,19 +769,10 @@ func (st *ServerType) serversFromPairings(
 				if srv.Errors == nil {
 					srv.Errors = new(caddyhttp.HTTPErrorConfig)
 				}
 				sort.SliceStable(errorSubrouteVals, func(i, j int) bool {
 					sri, srj := errorSubrouteVals[i].Value.(*caddyhttp.Subroute), errorSubrouteVals[j].Value.(*caddyhttp.Subroute)
 					if len(sri.Routes[0].MatcherSetsRaw) == 0 && len(srj.Routes[0].MatcherSetsRaw) != 0 {
 						return false
 					}
 					return true
 				})
 				errorsSubroute := &caddyhttp.Subroute{}
 				for _, val := range errorSubrouteVals {
 					sr := val.Value.(*caddyhttp.Subroute)
-					errorsSubroute.Routes = append(errorsSubroute.Routes, sr.Routes...)
+					srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, sr, matcherSetsEnc, p, warnings)
 				}
 				srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, errorsSubroute, matcherSetsEnc, p, warnings)
 			}
 			// add log associations
@@ -805,22 +788,22 @@ func (st *ServerType) serversFromPairings(
 					// if the logger overrides the hostnames, map that to the logger name
 					for _, h := range ncl.hostnames {
 						if srv.Logs.LoggerNames == nil {
-							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
+							srv.Logs.LoggerNames = make(map[string]string)
 						}
-						srv.Logs.LoggerNames[h] = append(srv.Logs.LoggerNames[h], ncl.name)
+						srv.Logs.LoggerNames[h] = ncl.name
 					}
 				} else {
 					// otherwise, map each host to the logger name
 					for _, h := range sblockLogHosts {
 						if srv.Logs.LoggerNames == nil {
 							srv.Logs.LoggerNames = make(map[string]string)
 						}
 						// strip the port from the host, if any
 						host, _, err := net.SplitHostPort(h)
 						if err != nil {
 							host = h
 						}
-						if srv.Logs.LoggerNames == nil {
+						srv.Logs.LoggerNames[host] = ncl.name
 							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
 						}
 						srv.Logs.LoggerNames[host] = append(srv.Logs.LoggerNames[host], ncl.name)
 					}
 				}
 			}
@@ -837,11 +820,6 @@ func (st *ServerType) serversFromPairings(
 			}
 		}
 		// sort for deterministic JSON output
 		if srv.Logs != nil {
 			slices.Sort(srv.Logs.SkipHosts)
 		}
 		// a server cannot (natively) serve both HTTP and HTTPS at the
 		// same time, so make sure the configuration isn't in conflict
 		err := detectConflictingSchemes(srv, p.serverBlocks, options)
@@ -1384,8 +1362,7 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 }
 func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.ModuleMap) error {
-	d.Next() // advance to the first token
+	for d.Next() {
 		// this is the "name" for "named matchers"
 		definitionName := d.Val()
@@ -1397,14 +1374,6 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 		// given a matcher name and the tokens following it, parse
 		// the tokens as a matcher module and record it
 		makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
 		// create a new dispenser from the tokens
 		dispenser := caddyfile.NewDispenser(tokens)
 		// set the matcher name (without @) in the dispenser context so
 		// that matcher modules can access it to use it as their name
 		// (e.g. regexp matchers which use the name for capture groups)
 		dispenser.SetContext(caddyfile.MatcherNameCtxKey, definitionName[1:])
 			mod, err := caddy.GetModule("http.matchers." + matcherName)
 			if err != nil {
 				return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
@@ -1413,7 +1382,7 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 			if !ok {
 				return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
 			}
-		err = unm.UnmarshalCaddyfile(dispenser)
+			err = unm.UnmarshalCaddyfile(caddyfile.NewDispenser(tokens))
 			if err != nil {
 				return err
 			}
@@ -1429,16 +1398,11 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 		// and that it's probably an 'expression' matcher
 		if d.NextArg() {
 			if d.Token().Quoted() {
-			// since it was missing the matcher name, we insert a token
+				err := makeMatcher("expression", []caddyfile.Token{d.Token()})
 			// in front of the expression token itself
 			err := makeMatcher("expression", []caddyfile.Token{
 				{Text: "expression", File: d.File(), Line: d.Line()},
 				d.Token(),
 			})
 				if err != nil {
 					return err
 				}
-			return nil
+				continue
 			}
 			// if it wasn't quoted, then we need to rewind after calling
@@ -1461,6 +1425,7 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 				return err
 			}
 		}
 	}
 	return nil
 }
@@ -18,7 +18,7 @@ import (
 	"strconv"
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -54,7 +54,6 @@ func init() {
 	RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
 	RegisterGlobalOption("servers", parseServerOptions)
 	RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
 	RegisterGlobalOption("cert_lifetime", parseOptDuration)
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
@@ -63,8 +62,8 @@ func init() {
 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
 func parseOptHTTPPort(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	var httpPort int
 	for d.Next() {
 		var httpPortStr string
 		if !d.AllArgs(&httpPortStr) {
 			return 0, d.ArgErr()
@@ -74,12 +73,13 @@ func parseOptHTTPPort(d *caddyfile.Dispenser, _ any) (any, error) {
 		if err != nil {
 			return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
 		}
 	}
 	return httpPort, nil
 }
 func parseOptHTTPSPort(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	var httpsPort int
 	for d.Next() {
 		var httpsPortStr string
 		if !d.AllArgs(&httpsPortStr) {
 			return 0, d.ArgErr()
@@ -89,12 +89,14 @@ func parseOptHTTPSPort(d *caddyfile.Dispenser, _ any) (any, error) {
 		if err != nil {
 			return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
 		}
 	}
 	return httpsPort, nil
 }
 func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	newOrder := directiveOrder
 	for d.Next() {
 		// get directive name
 		if !d.Next() {
 			return nil, d.ArgErr()
@@ -108,9 +110,7 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		if !d.Next() {
 			return nil, d.ArgErr()
 		}
-	pos := Positional(d.Val())
+		pos := d.Val()
 	newOrder := directiveOrder
 		// if directive exists, first remove it
 		for i, d := range newOrder {
@@ -122,22 +122,22 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		// act on the positional
 		switch pos {
-	case First:
+		case "first":
 			newOrder = append([]string{dirName}, newOrder...)
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			directiveOrder = newOrder
 			return newOrder, nil
-	case Last:
+		case "last":
 			newOrder = append(newOrder, dirName)
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			directiveOrder = newOrder
 			return newOrder, nil
-	case Before:
+		case "before":
-	case After:
+		case "after":
 		default:
 			return nil, d.Errf("unknown positional '%s'", pos)
 		}
@@ -154,14 +154,15 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		// insert directive into proper position
 		for i, d := range newOrder {
 			if d == otherDir {
-			if pos == Before {
+				if pos == "before" {
 					newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
-			} else if pos == After {
+				} else if pos == "after" {
 					newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
 				}
 				break
 			}
 		}
 	}
 	directiveOrder = newOrder
@@ -213,20 +214,20 @@ func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	if err != nil {
 		return nil, err
 	}
-	prov, ok := unm.(certmagic.DNSProvider)
+	prov, ok := unm.(certmagic.ACMEDNSProvider)
 	if !ok {
-		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
+		return nil, d.Errf("module %s (%T) is not a certmagic.ACMEDNSProvider", modID, unm)
 	}
 	return prov, nil
 }
 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
-	d.Next() // consume option name
+	for d.Next() {
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
-	for d.NextBlock(0) {
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "key_id":
 				if !d.NextArg() {
@@ -244,19 +245,17 @@ func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 		}
 	}
 	return eab, nil
 }
 func parseOptCertIssuer(d *caddyfile.Dispenser, existing any) (any, error) {
 	d.Next() // consume option name
 	var issuers []certmagic.Issuer
 	if existing != nil {
 		issuers = existing.([]certmagic.Issuer)
 	}
-
+	for d.Next() { // consume option name
-	// get issuer module name
+		if !d.Next() { // get issuer module name
 	if !d.Next() {
 			return nil, d.ArgErr()
 		}
 		modID := "tls.issuance." + d.Val()
@@ -269,11 +268,12 @@ func parseOptCertIssuer(d *caddyfile.Dispenser, existing any) (any, error) {
 			return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
 		}
 		issuers = append(issuers, iss)
 	}
 	return issuers, nil
 }
 func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -285,7 +285,7 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	val := d.RemainingArgs()
 	if len(val) == 0 {
 		return "", d.ArgErr()
@@ -294,9 +294,8 @@ func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	adminCfg := new(caddy.AdminConfig)
 	for d.Next() {
 		if d.NextArg() {
 			listenAddress := d.Val()
 			if listenAddress == "off" {
@@ -311,7 +310,7 @@ func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 				}
 			}
 		}
-	for d.NextBlock(0) {
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "enforce_origin":
 				adminCfg.EnforceOrigin = true
@@ -323,6 +322,7 @@ func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 		}
 	}
 	if adminCfg.Listen == "" && !adminCfg.Disabled {
 		adminCfg.Listen = caddy.DefaultAdminListen
 	}
@@ -330,13 +330,11 @@ func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	var ond *caddytls.OnDemandConfig
 	for d.Next() {
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 	var ond *caddytls.OnDemandConfig
 		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "ask":
@@ -346,33 +344,7 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 				if ond == nil {
 					ond = new(caddytls.OnDemandConfig)
 				}
-			if ond.PermissionRaw != nil {
+				ond.Ask = d.Val()
 				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
 			}
 			perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
 			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
 		case "permission":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
 			if ond.PermissionRaw != nil {
 				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
 			}
 			modName := d.Val()
 			modID := "tls.permission." + modName
 			unm, err := caddyfile.UnmarshalModule(d, modID)
 			if err != nil {
 				return nil, err
 			}
 			perm, ok := unm.(caddytls.OnDemandPermission)
 			if !ok {
 				return nil, d.Errf("module %s (%T) is not an on-demand TLS permission module", modID, unm)
 			}
 			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
 			case "interval":
 				if !d.NextArg() {
@@ -410,6 +382,7 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
 		}
 	}
 	if ond == nil {
 		return nil, d.Err("expected at least one config parameter for on_demand_tls")
 	}
@@ -417,7 +390,7 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -432,7 +405,7 @@ func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
 }
 func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -48,12 +48,10 @@ func init() {
 //
 // When the CA ID is unspecified, 'local' is assumed.
 func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
-	d.Next() // consume app name
+	pki := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
-	pki := &caddypki.PKI{
+	for d.Next() {
-		CAs: make(map[string]*caddypki.CA),
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
 	}
 	for d.NextBlock(0) {
 			switch d.Val() {
 			case "ca":
 				pkiCa := new(caddypki.CA)
@@ -166,6 +164,8 @@ func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
 				return nil, d.Errf("unrecognized pki option '%s'", d.Val())
 			}
 		}
 	}
 	return pki, nil
 }
@@ -46,23 +46,21 @@ type serverOptions struct {
 	Protocols            []string
 	StrictSNIHost        *bool
 	TrustedProxiesRaw    json.RawMessage
 	TrustedProxiesStrict int
 	ClientIPHeaders      []string
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
 }
 func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 	d.Next() // consume option name
 	serverOpts := serverOptions{}
 	for d.Next() {
 		if d.NextArg() {
 			serverOpts.ListenerAddress = d.Val()
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 		}
-	for d.NextBlock(0) {
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
 			switch d.Val() {
 			case "name":
 				if serverOpts.ListenerAddress == "" {
@@ -219,12 +217,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				)
 				serverOpts.TrustedProxiesRaw = jsonSource
 		case "trusted_proxies_strict":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
 			serverOpts.TrustedProxiesStrict = 1
 			case "client_ip_headers":
 				headers := d.RemainingArgs()
 				for _, header := range headers {
@@ -284,6 +276,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 			}
 		}
 	}
 	return serverOpts, nil
 }
@@ -291,7 +284,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 func applyServerOptions(
 	servers map[string]*caddyhttp.Server,
 	options map[string]any,
-	_ *[]caddyconfig.Warning,
+	warnings *[]caddyconfig.Warning,
 ) error {
 	serverOpts, ok := options["servers"].([]serverOptions)
 	if !ok {
@@ -347,7 +340,6 @@ func applyServerOptions(
 		server.StrictSNIHost = opts.StrictSNIHost
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
 		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
@@ -33,7 +33,7 @@ func NewShorthandReplacer() ShorthandReplacer {
 		{regexp.MustCompile(`{path\.([\w-]*)}`), "{http.request.uri.path.$1}"},
 		{regexp.MustCompile(`{file\.([\w-]*)}`), "{http.request.uri.path.file.$1}"},
 		{regexp.MustCompile(`{query\.([\w-]*)}`), "{http.request.uri.query.$1}"},
-		{regexp.MustCompile(`{re\.([\w-\.]*)}`), "{http.regexp.$1}"},
+		{regexp.MustCompile(`{re\.([\w-]*)\.([\w-]*)}`), "{http.regexp.$1.$2}"},
 		{regexp.MustCompile(`{vars\.([\w-]*)}`), "{http.vars.$1}"},
 		{regexp.MustCompile(`{rp\.([\w-\.]*)}`), "{http.reverse_proxy.$1}"},
 		{regexp.MustCompile(`{err\.([\w-\.]*)}`), "{http.error.$1}"},
@@ -24,7 +24,7 @@ import (
 	"strings"
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -118,11 +118,6 @@ func (st ServerType) buildTLSApp(
 				ap.OnDemand = true
 			}
 			// reuse private keys tls
 			if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
 				ap.ReusePrivateKeys = true
 			}
 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
 				ap.KeyType = keyTypeVals[0].Value.(string)
 			}
@@ -224,7 +219,7 @@ func (st ServerType) buildTLSApp(
 				var internal, external []string
 				for _, s := range ap.SubjectsRaw {
 					// do not create Issuers for Tailscale domains; they will be given a Manager instead
-					if isTailscaleDomain(s) {
+					if strings.HasSuffix(strings.ToLower(s), ".ts.net") {
 						continue
 					}
 					if !certmagic.SubjectQualifiesForCert(s) {
@@ -344,7 +339,7 @@ func (st ServerType) buildTLSApp(
 	internalAP := &caddytls.AutomationPolicy{
 		IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
 	}
-	if autoHTTPS != "off" && autoHTTPS != "disable_certs" {
+	if autoHTTPS != "off" {
 		for h := range httpsHostsSharedWithHostlessKey {
 			al = append(al, h)
 			if !certmagic.SubjectQualifiesForPublicCert(h) {
@@ -378,17 +373,20 @@ func (st ServerType) buildTLSApp(
 				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
 					// for public names, create default issuers which will later be filled in with configured global defaults
 					// (internal names will implicitly use the internal issuer at auto-https time)
-					emailStr, _ := globalEmail.(string)
+					ap.Issuers = caddytls.DefaultIssuers()
 					ap.Issuers = caddytls.DefaultIssuers(emailStr)
 					// if a specific endpoint is configured, can't use multiple default issuers
 					if globalACMECA != nil {
 						if strings.Contains(globalACMECA.(string), "zerossl") {
 							ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
 						} else {
 							ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
 						}
 					}
 				}
 			}
 		}
 	}
 	// finalize and verify policies; do cleanup
 	if tlsApp.Automation != nil {
@@ -456,7 +454,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalACMEDNS := options["acme_dns"]
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
 	globalCertLifetime := options["cert_lifetime"]
 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@@ -480,10 +477,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
 	}
 	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
 		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 	}
 	return nil
 }
@@ -492,11 +485,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 // for any other automation policies. A nil policy (and no error) will be
 // returned if there are no default/global options. However, if always is
 // true, a non-nil value will always be returned (unless there is an error).
-func newBaseAutomationPolicy(
+func newBaseAutomationPolicy(options map[string]any, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) {
 	options map[string]any,
 	_ []caddyconfig.Warning,
 	always bool,
 ) (*caddytls.AutomationPolicy, error) {
 	issuers, hasIssuers := options["cert_issuer"]
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
@@ -598,7 +587,6 @@ outer:
 				aps[i].MustStaple == aps[j].MustStaple &&
 				aps[i].KeyType == aps[j].KeyType &&
 				aps[i].OnDemand == aps[j].OnDemand &&
 				aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&
 				aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
 				if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
 					// later policy (at j) has no subjects ("catch-all"), so we can
@@ -672,33 +660,17 @@ func automationPolicyShadows(i int, aps []*caddytls.AutomationPolicy) int {
 // subjectQualifiesForPublicCert is like certmagic.SubjectQualifiesForPublicCert() except
 // that this allows domains with multiple wildcard levels like '*.*.example.com' to qualify
 // if the automation policy has OnDemand enabled (i.e. this function is more lenient).
 //
 // IP subjects are considered as non-qualifying for public certs. Technically, there are
 // now public ACME CAs as well as non-ACME CAs that issue IP certificates. But this function
 // is used solely for implicit automation (defaults), where it gets really complicated to
 // keep track of which issuers support IP certificates in which circumstances. Currently,
 // issuers that support IP certificates are very few, and all require some sort of config
 // from the user anyway (such as an account credential). Since we cannot implicitly and
 // automatically get public IP certs without configuration from the user, we treat IPs as
 // not qualifying for public certificates. Users should expressly configure an issuer
 // that supports IP certs for that purpose.
 func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) bool {
 	return !certmagic.SubjectIsIP(subj) &&
 		!certmagic.SubjectIsInternal(subj) &&
 		(strings.Count(subj, "*.") < 2 || ap.OnDemand)
 }
 // automationPolicyHasAllPublicNames returns true if all the names on the policy
 // do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
 	for _, subj := range ap.SubjectsRaw {
-		if !subjectQualifiesForPublicCert(ap, subj) || isTailscaleDomain(subj) {
+		if !subjectQualifiesForPublicCert(ap, subj) {
 			return false
 		}
 	}
 	return true
 }
 func isTailscaleDomain(name string) bool {
 	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
 }
@@ -181,16 +181,19 @@ func (hl HTTPLoader) makeClient(ctx caddy.Context) (*http.Client, error) {
 			if err != nil {
 				return nil, fmt.Errorf("getting server identity credentials: %v", err)
 			}
-			// See https://github.com/securego/gosec/issues/1054#issuecomment-2072235199
+			if tlsConfig == nil {
-			//nolint:gosec
+				tlsConfig = new(tls.Config)
-			tlsConfig = &tls.Config{Certificates: certs}
+			}
 			tlsConfig.Certificates = certs
 		} else if hl.TLS.ClientCertificateFile != "" && hl.TLS.ClientCertificateKeyFile != "" {
 			cert, err := tls.LoadX509KeyPair(hl.TLS.ClientCertificateFile, hl.TLS.ClientCertificateKeyFile)
 			if err != nil {
 				return nil, err
 			}
-			//nolint:gosec
+			if tlsConfig == nil {
-			tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
+				tlsConfig = new(tls.Config)
 			}
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
 		// trusted server certs
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
 	"net"
 	"net/http"
@@ -60,11 +59,11 @@ var (
 type Tester struct {
 	Client       *http.Client
 	configLoaded bool
-	t            testing.TB
+	t            *testing.T
 }
 // NewTester will create a new testing client with an attached cookie jar
-func NewTester(t testing.TB) *Tester {
+func NewTester(t *testing.T) *Tester {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		t.Fatalf("failed to create cookiejar: %s", err)
@@ -121,6 +120,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	tc.t.Cleanup(func() {
 		if tc.t.Failed() && tc.configLoaded {
 			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 			if err != nil {
 				tc.t.Log("unable to read the current config")
@@ -229,10 +229,10 @@ const initConfig = `{
 // validateTestPrerequisites ensures the certificates are available in the
 // designated path and Caddy sub-process is running.
-func validateTestPrerequisites(t testing.TB) error {
+func validateTestPrerequisites(t *testing.T) error {
 	// check certificates are found
 	for _, certName := range Default.Certifcates {
-		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
+		if _, err := os.Stat(getIntegrationDir() + certName); os.IsNotExist(err) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}
 	}
@@ -373,7 +373,7 @@ func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, e
 }
 // CompareAdapt adapts a config and then compares it against an expected result
-func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
+func CompareAdapt(t *testing.T, filename, rawConfig string, adapterName string, expectedResponse string) bool {
 	cfgAdapter := caddyconfig.GetAdapter(adapterName)
 	if cfgAdapter == nil {
 		t.Logf("unrecognized config adapter '%s'", adapterName)
@@ -432,7 +432,7 @@ func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string,
 }
 // AssertAdapt adapts a config and then tests it against an expected result
-func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
+func AssertAdapt(t *testing.T, rawConfig string, adapterName string, expectedResponse string) {
 	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
 	if !ok {
 		t.Fail()
@@ -441,7 +441,7 @@ func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedRes
 // Generic request functions
-func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
+func applyHeaders(t *testing.T, req *http.Request, requestHeaders []string) {
 	requestContentType := ""
 	for _, requestHeader := range requestHeaders {
 		arr := strings.SplitAfterN(requestHeader, ":", 2)
@@ -1,206 +0,0 @@
 package integration
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v2"
 	"github.com/mholt/acmez/v2/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 )
 const acmeChallengePort = 9081
 // Test the basic functionality of Caddy's ACME server
 func TestACMEServerWithDefaults(t *testing.T) {
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		local_certs
 	}
 	acme.localhost {
 		acme_server
 	}
  `, "caddyfile")
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
 	if err != nil {
 		t.Errorf("obtaining certificate: %v", err)
 		return
 	}
 	// ACME servers should usually give you the entire certificate chain
 	// in PEM format, and sometimes even alternate chains! It's up to you
 	// which one(s) to store and use, but whatever you do, be sure to
 	// store the certificate and key somewhere safe and secure, i.e. don't
 	// lose them!
 	for _, cert := range certs {
 		t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
 	}
 }
 func TestACMEServerWithMismatchedChallenges(t *testing.T) {
 	ctx := context.Background()
 	logger := caddy.Log().Named("acmez")
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		local_certs
 	}
 	acme.localhost {
 		acme_server {
 			challenges tls-alpn-01
 		}
 	}
  `, "caddyfile")
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
 	if len(certs) > 0 {
 		t.Errorf("expected '0' certificates, but received '%d'", len(certs))
 	}
 	if err == nil {
 		t.Error("expected errors, but received none")
 	}
 	const expectedErrMsg = "no solvers available for remaining challenges (configured=[http-01] offered=[tls-alpn-01] remaining=[tls-alpn-01])"
 	if !strings.Contains(err.Error(), expectedErrMsg) {
 		t.Errorf(`received error message does not match expectation: expected="%s" received="%s"`, expectedErrMsg, err.Error())
 	}
 }
 // naiveHTTPSolver is a no-op acmez.Solver for example purposes only.
 type naiveHTTPSolver struct {
 	srv    *http.Server
 	logger *zap.Logger
 }
 func (s *naiveHTTPSolver) Present(ctx context.Context, challenge acme.Challenge) error {
 	smallstepacme.InsecurePortHTTP01 = acmeChallengePort
 	s.srv = &http.Server{
 		Addr: fmt.Sprintf(":%d", acmeChallengePort),
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			host, _, err := net.SplitHostPort(r.Host)
 			if err != nil {
 				host = r.Host
 			}
 			s.logger.Info("received request on challenge server", zap.String("path", r.URL.Path))
 			if r.Method == "GET" && r.URL.Path == challenge.HTTP01ResourcePath() && strings.EqualFold(host, challenge.Identifier.Value) {
 				w.Header().Add("Content-Type", "text/plain")
 				w.Write([]byte(challenge.KeyAuthorization))
 				r.Close = true
 				s.logger.Info("served key authentication",
 					zap.String("identifier", challenge.Identifier.Value),
 					zap.String("challenge", "http-01"),
 					zap.String("remote", r.RemoteAddr),
 				)
 			}
 		}),
 	}
 	l, err := net.Listen("tcp", fmt.Sprintf(":%d", acmeChallengePort))
 	if err != nil {
 		return err
 	}
 	s.logger.Info("present challenge", zap.Any("challenge", challenge))
 	go s.srv.Serve(l)
 	return nil
 }
 func (s naiveHTTPSolver) CleanUp(ctx context.Context, challenge acme.Challenge) error {
 	smallstepacme.InsecurePortHTTP01 = 0
 	s.logger.Info("cleanup", zap.Any("challenge", challenge))
 	if s.srv != nil {
 		s.srv.Close()
 	}
 	return nil
 }
@@ -1,17 +1,9 @@
 package integration
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"strings"
 	"testing"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v2"
 	"github.com/mholt/acmez/v2/acme"
 	"go.uber.org/zap"
 )
 func TestACMEServerDirectory(t *testing.T) {
@@ -39,166 +31,3 @@ func TestACMEServerDirectory(t *testing.T) {
 		`{"newNonce":"https://acme.localhost:9443/acme/local/new-nonce","newAccount":"https://acme.localhost:9443/acme/local/new-account","newOrder":"https://acme.localhost:9443/acme/local/new-order","revokeCert":"https://acme.localhost:9443/acme/local/revoke-cert","keyChange":"https://acme.localhost:9443/acme/local/key-change"}
 `)
 }
 func TestACMEServerAllowPolicy(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		local_certs
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
 	acme.localhost {
 		acme_server {
 			challenges http-01
 			allow {
 				domains localhost
 			}
 		}
 	}
  `, "caddyfile")
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	{
 		certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
 		if err != nil {
 			t.Errorf("obtaining certificate for allowed domain: %v", err)
 			return
 		}
 		// ACME servers should usually give you the entire certificate chain
 		// in PEM format, and sometimes even alternate chains! It's up to you
 		// which one(s) to store and use, but whatever you do, be sure to
 		// store the certificate and key somewhere safe and secure, i.e. don't
 		// lose them!
 		for _, cert := range certs {
 			t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
 		}
 	}
 	{
 		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'not-matching.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
 			t.Logf("unexpected error: %v", err)
 		}
 	}
 }
 func TestACMEServerDenyPolicy(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`
 	{
 		skip_install_trust
 		local_certs
 		admin localhost:2999
 		http_port     9080
 		https_port    9443
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
 	acme.localhost {
 		acme_server {
 			deny {
 				domains deny.localhost
 			}
 		}
 	}
  `, "caddyfile")
 	ctx := context.Background()
 	logger, err := zap.NewDevelopment()
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	client := acmez.Client{
 		Client: &acme.Client{
 			Directory:  "https://acme.localhost:9443/acme/local/directory",
 			HTTPClient: tester.Client,
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
 			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
 		},
 	}
 	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating account key: %v", err)
 	}
 	account := acme.Account{
 		Contact:              []string{"mailto:you@example.com"},
 		TermsOfServiceAgreed: true,
 		PrivateKey:           accountPrivateKey,
 	}
 	account, err = client.NewAccount(ctx, account)
 	if err != nil {
 		t.Errorf("new account: %v", err)
 		return
 	}
 	// Every certificate needs a key.
 	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Errorf("generating certificate key: %v", err)
 		return
 	}
 	{
 		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'deny.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
 			t.Logf("unexpected error: %v", err)
 		}
 	}
 }
@@ -1,65 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges dns-01
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"challenges": [
 														"dns-01"
 													],
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -1,62 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -1,66 +0,0 @@
 {
 	pki {
 		ca custom-ca {
 			name "Custom CA"
 		}
 	}
 }
 acme.example.com {
 	acme_server {
 		ca custom-ca
 		challenges dns-01 http-01
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"acme.example.com"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"ca": "custom-ca",
 													"challenges": [
 														"dns-01",
 														"http-01"
 													],
 													"handler": "acme_server"
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		},
 		"pki": {
 			"certificate_authorities": {
 				"custom-ca": {
 					"name": "Custom CA"
 				}
 			}
 		}
 	}
 }
@@ -1,245 +0,0 @@
 foo.localhost {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /fivehundred* "Internal Server Error" 500
 	handle_errors 5xx {
 		respond "Error In range [500 .. 599]"
 	}
 	handle_errors 410 {
 		respond "404 or 410 error"
 	}
 }
 bar.localhost {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /fivehundred* "Internal Server Error" 500
 	handle_errors 5xx {
 		respond "Error In range [500 .. 599] from second site"
 	}
 	handle_errors 410 {
 		respond "404 or 410 error from second site"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"foo.localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/fivehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						},
 						{
 							"match": [
 								{
 									"host": [
 										"bar.localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/fivehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"foo.localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [410]"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error In range [500 .. 599]",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							},
 							{
 								"match": [
 									{
 										"host": [
 											"bar.localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error from second site",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [410]"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error In range [500 .. 599] from second site",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -1,120 +0,0 @@
 {
 	http_port 3010
 }
 localhost:3010 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 3010,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":3010"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -1,153 +0,0 @@
 {
 	http_port 2099
 }
 localhost:2099 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /threehundred* "Moved Permanently" 301
 	error /internalerr* "Internal Server Error" 500
 	handle_errors 500 3xx {
 		respond "Error code is equal to 500 or in the [300..399] range"
 	}
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 2099,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":2099"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Moved Permanently",
 													"handler": "error",
 													"status_code": 301
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/threehundred*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/internalerr*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Error code is equal to 500 or in the [300..399] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 300 \u0026\u0026 {http.error.status_code} \u003c= 399 || {http.error.status_code} in [500]"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -1,120 +0,0 @@
 {
 	http_port 3010
 }
 localhost:3010 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	handle_errors 404 410 {
 		respond "404 or 410 error"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 3010,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":3010"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "404 or 410 error",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} in [404, 410]"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -1,148 +0,0 @@
 {
 	http_port 2099
 }
 localhost:2099 {
 	root * /srv
 	error /private* "Unauthorized" 410
 	error /hidden* "Not found" 404
 	error /internalerr* "Internal Server Error" 500
 	handle_errors {
 		respond "Fallback route: code outside the [400..499] range"
 	}
 	handle_errors 4xx {
 		respond "Error in the [400 .. 499] range"
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"http_port": 2099,
 			"servers": {
 				"srv0": {
 					"listen": [
 						":2099"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"localhost"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "vars",
 													"root": "/srv"
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Internal Server Error",
 													"handler": "error",
 													"status_code": 500
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/internalerr*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Unauthorized",
 													"handler": "error",
 													"status_code": 410
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/private*"
 													]
 												}
 											]
 										},
 										{
 											"handle": [
 												{
 													"error": "Not found",
 													"handler": "error",
 													"status_code": 404
 												}
 											],
 											"match": [
 												{
 													"path": [
 														"/hidden*"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"errors": {
 						"routes": [
 							{
 								"match": [
 									{
 										"host": [
 											"localhost"
 										]
 									}
 								],
 								"handle": [
 									{
 										"handler": "subroute",
 										"routes": [
 											{
 												"handle": [
 													{
 														"body": "Error in the [400 .. 499] range",
 														"handler": "static_response"
 													}
 												],
 												"match": [
 													{
 														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
 													}
 												]
 											},
 											{
 												"handle": [
 													{
 														"body": "Fallback route: code outside the [400..499] range",
 														"handler": "static_response"
 													}
 												]
 											}
 										]
 									}
 								],
 								"terminal": true
 							}
 						]
 					}
 				}
 			}
 		}
 	}
 }
@@ -84,10 +84,7 @@ abort @e
 											],
 											"match": [
 												{
-													"expression": {
+													"expression": "{http.error.status_code} == 403"
 														"expr": "{http.error.status_code} == 403",
 														"name": "d"
 													}
 												}
 											]
 										},
@@ -100,10 +97,7 @@ abort @e
 											],
 											"match": [
 												{
-													"expression": {
+													"expression": "{http.error.status_code} == 404"
 														"expr": "{http.error.status_code} == 404",
 														"name": "e"
 													}
 												}
 											]
 										}
@@ -1,40 +0,0 @@
 :8080 {
 	root * ./
 	file_server {
 		etag_file_extensions .b3sum .sha256
 	}
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":8080"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"handler": "vars",
 									"root": "./"
 								},
 								{
 									"etag_file_extensions": [
 										".b3sum",
 										".sha256"
 									],
 									"handler": "file_server",
 									"hide": [
 										"./Caddyfile"
 									]
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
@@ -69,10 +69,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
+					"ask": "https://example.com",
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -78,10 +78,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
+					"ask": "https://example.com",
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -71,10 +71,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
+					"ask": "https://example.com",
 						"endpoint": "https://example.com",
 						"module": "http"
 					},
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -40,6 +40,12 @@ example.com
 								"preferred_chains": {
 									"smallest": true
 								}
 							},
 							{
 								"module": "zerossl",
 								"preferred_chains": {
 									"smallest": true
 								}
 							}
 						]
 					}
@@ -1,46 +0,0 @@
 http://handle {
 	file_server
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"handle"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "subroute",
 									"routes": [
 										{
 											"handle": [
 												{
 													"handler": "file_server",
 													"hide": [
 														"./Caddyfile"
 													]
 												}
 											]
 										}
 									]
 								}
 							],
 							"terminal": true
 						}
 					]
 				}
 			}
 		}
 	}
 }
@@ -72,12 +72,8 @@ b.example.com {
 					],
 					"logs": {
 						"logger_names": {
-							"a.example.com": [
+							"a.example.com": "log0",
-								"log0"
+							"b.example.com": "log1"
 							],
 							"b.example.com": [
 								"log1"
 							]
 						}
 					}
 				}
@@ -1,71 +0,0 @@
 :80 {
 	log
 	vars foo foo
 	log_append const bar
 	log_append vars foo
 	log_append placeholder {path}
 	log_append /only-for-this-path secret value
 }
 ----------
 {
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"foo": "foo",
 									"handler": "vars"
 								}
 							]
 						},
 						{
 							"match": [
 								{
 									"path": [
 										"/only-for-this-path"
 									]
 								}
 							],
 							"handle": [
 								{
 									"handler": "log_append",
 									"key": "secret",
 									"value": "value"
 								}
 							]
 						},
 						{
 							"handle": [
 								{
 									"handler": "log_append",
 									"key": "const",
 									"value": "bar"
 								},
 								{
 									"handler": "log_append",
 									"key": "vars",
 									"value": "foo"
 								},
 								{
 									"handler": "log_append",
 									"key": "placeholder",
 									"value": "{http.request.uri.path}"
 								}
 							]
 						}
 					],
 					"logs": {}
 				}
 			}
 		}
 	}
 }
@@ -1,63 +0,0 @@
 {
 	log {
 		format append {
 			wrap json
 			fields {
 				wrap "foo"
 			}
 			env {env.EXAMPLE}
 			int 1
 			float 1.1
 			bool true
 			string "string"
 		}
 	}
 }
 :80 {
 	respond "Hello, World!"
 }
 ----------
 {
 	"logging": {
 		"logs": {
 			"default": {
 				"encoder": {
 					"fields": {
 						"bool": true,
 						"env": "{env.EXAMPLE}",
 						"float": 1.1,
 						"int": 1,
 						"string": "string",
 						"wrap": "foo"
 					},
 					"format": "append",
 					"wrap": {
 						"format": "json"
 					}
 				}
 			}
 		}
 	},
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"routes": [
 						{
 							"handle": [
 								{
 									"body": "Hello, World!",
 									"handler": "static_response"
 								}
 							]
 						}
 					]
 				}
 			}
 		}
 	}
 }
@@ -1,7 +1,7 @@
 http://localhost:2020 {
 	log
-	log_skip /first-hidden*
+	skip_log /first-hidden*
-	log_skip /second-hidden*
+	skip_log /second-hidden*
 	respond 200
 }
@@ -34,7 +34,7 @@ http://localhost:2020 {
 											"handle": [
 												{
 													"handler": "vars",
-													"log_skip": true
+													"skip_log": true
 												}
 											],
 											"match": [
@@ -49,7 +49,7 @@ http://localhost:2020 {
 											"handle": [
 												{
 													"handler": "vars",
-													"log_skip": true
+													"skip_log": true
 												}
 											],
 											"match": [
@@ -99,9 +99,7 @@ http://localhost:2020 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost": [
+							"localhost": ""
 								""
 							]
 						},
 						"skip_unmapped_hosts": true
 					}
@@ -1,52 +0,0 @@
 :80
 log {
 	output stdout
 	format filter {
 		fields {
 			request>headers>Server delete
 		}
 	}
 }
 ----------
 {
 	"logging": {
 		"logs": {
 			"default": {
 				"exclude": [
 					"http.log.access.log0"
 				]
 			},
 			"log0": {
 				"writer": {
 					"output": "stdout"
 				},
 				"encoder": {
 					"fields": {
 						"request\u003eheaders\u003eServer": {
 							"filter": "delete"
 						}
 					},
 					"format": "filter"
 				},
 				"include": [
 					"http.log.access.log0"
 				]
 			}
 		}
 	},
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":80"
 					],
 					"logs": {
 						"default_logger_name": "log0"
 					}
 				}
 			}
 		}
 	}
 }
@@ -4,17 +4,12 @@ log {
 	output stdout
 	format filter {
 		wrap console
 		# long form, with "fields" wrapper
 		fields {
 			uri query {
 				replace foo REDACTED
 				delete bar
 				hash baz
 			}
 		}
 		# short form, flatter structure
 			request>headers>Authorization replace REDACTED
 			request>headers>Server delete
 			request>headers>Cookie cookie {
@@ -26,11 +21,11 @@ log {
 				ipv4 24
 				ipv6 32
 			}
 		request>client_ip ip_mask 16 32
 			request>headers>Regexp regexp secret REDACTED
 			request>headers>Hash hash
 		}
 	}
 }
 ----------
 {
 	"logging": {
@@ -46,11 +41,6 @@ log {
 				},
 				"encoder": {
 					"fields": {
 						"request\u003eclient_ip": {
 							"filter": "ip_mask",
 							"ipv4_cidr": 16,
 							"ipv6_cidr": 32
 						},
 						"request\u003eheaders\u003eAuthorization": {
 							"filter": "replace",
 							"value": "REDACTED"
@@ -1,117 +0,0 @@
 (log-both) {
 	log {args[0]}-json {
 		hostnames {args[0]}
 		output file /var/log/{args[0]}.log
 		format json
 	}
 	log {args[0]}-console {
 		hostnames {args[0]}
 		output file /var/log/{args[0]}.json
 		format console
 	}
 }
 *.example.com {
 	# Subdomains log to multiple files at once, with
 	# different output files and formats.
 	import log-both foo.example.com
 	import log-both bar.example.com
 }
 ----------
 {
 	"logging": {
 		"logs": {
 			"bar.example.com-console": {
 				"writer": {
 					"filename": "/var/log/bar.example.com.json",
 					"output": "file"
 				},
 				"encoder": {
 					"format": "console"
 				},
 				"include": [
 					"http.log.access.bar.example.com-console"
 				]
 			},
 			"bar.example.com-json": {
 				"writer": {
 					"filename": "/var/log/bar.example.com.log",
 					"output": "file"
 				},
 				"encoder": {
 					"format": "json"
 				},
 				"include": [
 					"http.log.access.bar.example.com-json"
 				]
 			},
 			"default": {
 				"exclude": [
 					"http.log.access.bar.example.com-console",
 					"http.log.access.bar.example.com-json",
 					"http.log.access.foo.example.com-console",
 					"http.log.access.foo.example.com-json"
 				]
 			},
 			"foo.example.com-console": {
 				"writer": {
 					"filename": "/var/log/foo.example.com.json",
 					"output": "file"
 				},
 				"encoder": {
 					"format": "console"
 				},
 				"include": [
 					"http.log.access.foo.example.com-console"
 				]
 			},
 			"foo.example.com-json": {
 				"writer": {
 					"filename": "/var/log/foo.example.com.log",
 					"output": "file"
 				},
 				"encoder": {
 					"format": "json"
 				},
 				"include": [
 					"http.log.access.foo.example.com-json"
 				]
 			}
 		}
 	},
 	"apps": {
 		"http": {
 			"servers": {
 				"srv0": {
 					"listen": [
 						":443"
 					],
 					"routes": [
 						{
 							"match": [
 								{
 									"host": [
 										"*.example.com"
 									]
 								}
 							],
 							"terminal": true
 						}
 					],
 					"logs": {
 						"logger_names": {
 							"bar.example.com": [
 								"bar.example.com-json",
 								"bar.example.com-console"
 							],
 							"foo.example.com": [
 								"foo.example.com-json",
 								"foo.example.com-console"
 							]
 						}
 					}
 				}
 			}
 		}
 	}
 }
@@ -75,15 +75,9 @@ example.com:8443 {
 					],
 					"logs": {
 						"logger_names": {
-							"bar.example.com": [
+							"bar.example.com": "log0",
-								"log0"
+							"baz.example.com": "log1",
-							],
+							"foo.example.com": "log0"
 							"baz.example.com": [
 								"log1"
 							],
 							"foo.example.com": [
 								"log0"
 							]
 						}
 					}
 				},
@@ -105,9 +99,7 @@ example.com:8443 {
 					],
 					"logs": {
 						"logger_names": {
-							"example.com": [
+							"example.com": "log2"
 								"log2"
 							]
 						}
 					}
 				}
@@ -76,9 +76,7 @@ http://localhost:8881 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost": [
+							"localhost": "foo"
 								"foo"
 							]
 						}
 					}
 				}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mohammed Al Sahaf	18b346f6f9	r/RegisterType/RegisterNamespace/g Co-Author: Matt Holt	2023-12-14 23:50:24 +03:00
Mohammed Al Sahaf	52441e3037	follow the linter's commands	2023-12-14 23:38:08 +03:00
Mohammed Al Sahaf	b825a10927	own the usage of reflection into the RegisterType allowing the users to only pass instances of the interfaces	2023-12-14 18:14:18 +03:00
Mohammed Al Sahaf	52f43d2f4c	remove invalid test	2023-12-14 18:02:38 +03:00
Mohammed Al Sahaf	5e24e84288	core: add type registry Facilitates validation of type adherence to namespace requirements	2023-12-14 18:02:15 +03:00