replacer: use RWMutex to protect static provider

caddytls: Sync distributed storage cleaning (#5940 )
* caddytls: Log out remote addr to detect abuse * caddytls: Sync distributed storage cleaning * Handle errors * Update certmagic to fix tiny bug * Split off port when logging remote IP * Upgrade CertMagic
2026-05-25 16:22:36 -04:00 · 2024-03-21 01:12:36 +03:00 · 2023-12-07 13:26:21 -07:00 · 2023-12-07 13:26:21 -07:00 · 2023-12-07 13:26:21 -07:00 · 2023-12-07 13:26:21 -07:00
375 changed files with 6728 additions and 22225 deletions
@@ -1,5 +1,5 @@
 [*]
 end_of_line = lf

-[caddytest/integration/caddyfile_adapt/*.caddyfiletest]
+[caddytest/integration/caddyfile_adapt/*.txt]
 indent_style = tab
@@ -25,7 +25,7 @@ Other menu items:

 You can have a huge impact on the project by helping with its code. To contribute code to Caddy, first submit or comment in an issue to discuss your contribution, then open a [pull request](https://github.com/caddyserver/caddy/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** You can get familiar with Caddy's code base by using [code search at Sourcegraph](https://sourcegraph.com/github.com/caddyserver/caddy).

-We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions&mdash;even if it seems small or insignificant. Please don't take it personally. :blue_heart: If your change is on the right track, we can guide you to make it mergeable.
+We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions&mdash;even if it seems small or insignificant. Please don't take it personally. :blue_heart: If your change is on the right track, we can guide you to make it mergable.

 Here are some of the expectations we have of contributors:

@@ -19,49 +19,45 @@ jobs:
      fail-fast: false
      matrix:
        os: 
-          - linux
-          - mac
-          - windows
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
        go: 
-          - '1.22'
-          - '1.23'
+          - '1.20'
+          - '1.21'

        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
-          GO_SEMVER: '~1.22.3'
+        - go: '1.20'
+          GO_SEMVER: '~1.20.6'

-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'

        # Set some variables per OS, usable via ${{ matrix.VAR }}
-        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
-        - os: linux
-          OS_LABEL: ubuntu-latest
+        - os: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

-        - os: mac
-          OS_LABEL: macos-14
+        - os: macos-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

-        - os: windows
-          OS_LABEL: windows-latest
+        - os: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'

-    runs-on: ${{ matrix.OS_LABEL }}
+    runs-on: ${{ matrix.os }}

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -99,20 +95,13 @@ jobs:
      env:
        CGO_ENABLED: 0
      run: |
-        go build -tags nobadger -trimpath -ldflags="-w -s" -v
-
-    - name: Smoke test Caddy
-      working-directory: ./cmd/caddy
-      run: |
-        ./caddy start
-        ./caddy stop
+        go build -trimpath -ldflags="-w -s" -v

    - name: Publish Build Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
-        compression-level: 0

    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
@@ -122,7 +111,7 @@ jobs:
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
-        go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
+        go test -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT

    # Relevant step if we reinvestigate publishing test/coverage reports
@@ -135,7 +124,7 @@ jobs:

    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
-    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
+    #   if: matrix.os != 'windows-latest' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1
@@ -150,41 +139,18 @@ jobs:
        uses: actions/checkout@v4
      - name: Run Tests
        run: |
-          set +e
          mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa

          # short sha is enough?
          short_sha=$(git rev-parse --short HEAD)

-          # To shorten the following lines
-          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-          ssh_host="$CI_USER@ci-s390x.caddyserver.com"
-
          # The environment is fresh, so there's no point in keeping accepting and adding the key.
-          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
-          ssh $ssh_opts -t "$ssh_host" bash <<EOF
-          cd /var/tmp/$short_sha
-          go version
-          go env
-          printf "\n\n"
-          retries=3
-          exit_code=0
-          while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
-            exit_code=$?
-            if ((exit_code == 0)); then
-              break
-            fi
-            echo "\n\nTest failed: \$exit_code, retrying..."
-            ((retries--))
-          done
-          echo "Remote exit code: \$exit_code"
-          exit \$exit_code
-          EOF
+          rsync -arz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress --delete --exclude '.git' . "$CI_USER"@ci-s390x.caddyserver.com:/var/tmp/"$short_sha"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -v ./..."
          test_result=$?

          # There's no need leaving the files around
-          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$CI_USER"@ci-s390x.caddyserver.com "rm -rf /var/tmp/'$short_sha'"

          echo "Test exit code: $test_result"
          exit $test_result
@@ -198,22 +164,9 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4
      
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: check
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "~1.23"
-          check-latest: true
-      - name: Install xcaddy
-        run: |
-          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-          xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: build --single-target --snapshot
        env:
-          TAG: "master"
+          TAG: ${{ steps.vars.outputs.version_tag }}
@@ -11,33 +11,30 @@ on:
      - 2.*

 jobs:
-  build:
+  cross-build-test:
    strategy:
      fail-fast: false
      matrix:
        goos: 
-          - 'aix'
+          - 'android'
          - 'linux'
          - 'solaris'
          - 'illumos'
          - 'dragonfly'
          - 'freebsd'
          - 'openbsd'
+          - 'plan9'
          - 'windows'
          - 'darwin'
          - 'netbsd'
        go: 
-          - '1.22'
-          - '1.23'
+          - '1.21'

        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
-          GO_SEMVER: '~1.22.3'
-
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'

    runs-on: ubuntu-latest
    continue-on-error: true
@@ -46,7 +43,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
        with:
          go-version: ${{ matrix.GO_SEMVER }}
          check-latest: true
@@ -65,9 +62,12 @@ jobs:
        env:
          CGO_ENABLED: 0
          GOOS: ${{ matrix.goos }}
-          GOARCH: ${{ matrix.goos == 'aix' && 'ppc64' || 'amd64' }}
        shell: bash
        continue-on-error: true
        working-directory: ./cmd/caddy
        run: |
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags nobadger -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+          GOOS=$GOOS go build -trimpath -o caddy-"$GOOS"-amd64 2> /dev/null
+          if [ $? -ne 0 ]; then
+            echo "::warning ::$GOOS Build Failed"
+            exit 0
+          fi
@@ -23,33 +23,27 @@ jobs:
    strategy:
      matrix:
        os:
-          - linux
-          - mac
-          - windows
-
-        include:
-        - os: linux
-          OS_LABEL: ubuntu-latest
-
-        - os: mac
-          OS_LABEL: macos-14
-
-        - os: windows
-          OS_LABEL: windows-latest
-
-    runs-on: ${{ matrix.OS_LABEL }}
-
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
        with:
-          go-version: '~1.23'
+          go-version: '~1.21.0'
          check-latest: true

+          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
+          skip-pkg-cache: true
+
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v3
        with:
-          version: latest
+          version: v1.54
+
+          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
+          skip-pkg-cache: true

          # Windows times out frequently after about 5m50s if we don't set a longer timeout.
          args: --timeout 10m
@@ -63,5 +57,5 @@ jobs:
      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
-          go-version-input: '~1.23.0'
+          go-version-input: '~1.21.0'
          check-latest: true
@@ -13,13 +13,13 @@ jobs:
        os: 
          - ubuntu-latest
        go: 
-          - '1.23'
+          - '1.21'

        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'

    runs-on: ${{ matrix.os }}
    # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -37,7 +37,7 @@ jobs:
        fetch-depth: 0

    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true
@@ -104,13 +104,9 @@ jobs:
      uses: anchore/sbom-action/download-syft@main
    - name: Syft version
      run: syft version
-    - name: Install xcaddy
-      run: |
-        go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-        xcaddy version
    # GoReleaser will take care of publishing those artifacts into the release
    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@v5
      with:
        version: latest
        args: release --clean --timeout 60m
@@ -18,7 +18,7 @@ jobs:

    # See https://github.com/peter-evans/repository-dispatch
    - name: Trigger event on caddyserver/dist
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@v2
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/dist
@@ -26,7 +26,7 @@ jobs:
        client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'

    - name: Trigger event on caddyserver/caddy-docker
-      uses: peter-evans/repository-dispatch@v3
+      uses: peter-evans/repository-dispatch@v2
      with:
        token: ${{ secrets.REPO_DISPATCH_TOKEN }}
        repository: caddyserver/caddy-docker
@@ -3,7 +3,6 @@ _gitignore/
 Caddyfile
 Caddyfile.*
 !caddyfile/
-!caddyfile.go

 # artifacts from pprof tooling
 *.prof
@@ -1,9 +1,7 @@
 linters-settings:
  errcheck:
-    exclude-functions:
-      - fmt.*
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+    ignore: fmt:.*,go.uber.org/zap/zapcore:^Add.*
+    ignoretests: true
  gci:
    sections:
      - standard # Standard section: captures all standard packages.
@@ -17,67 +15,35 @@ linters-settings:
    # If `true`, make the section order the same as the order of `sections`.
    # Default: false
    custom-order: true
-  exhaustive:
-    ignore-enum-types: reflect.Kind|svc.Cmd

 linters:
  disable-all: true
  enable:
-    - asasalint
-    - asciicheck
-    - bidichk
    - bodyclose
-    - decorder
-    - dogsled
-    - dupl
-    - dupword
-    - durationcheck
    - errcheck
-    - errname
-    - exhaustive
    - gci
-    - gofmt
-    - goimports
    - gofumpt
    - gosec
    - gosimple
    - govet
    - ineffassign
-    - importas
    - misspell
    - prealloc
-    - promlinter
-    - sloglint
-    - sqlclosecheck
    - staticcheck
-    - tenv
-    - testableexamples
-    - testifylint
-    - tparallel
    - typecheck
    - unconvert
    - unused
-    - wastedassign
-    - whitespace
-    - zerologlint
  # these are implicitly disabled:
-  # - containedctx
-  # - contextcheck
-  # - cyclop
+  # - asciicheck
  # - depguard
-  # - errchkjson
-  # - errorlint
-  # - exhaustruct
-  # - execinquery
-  # - exhaustruct
-  # - forbidigo
-  # - forcetypeassert
+  # - dogsled
+  # - dupl
+  # - exhaustive
+  # - exportloopref
  # - funlen
-  # - ginkgolinter
-  # - gocheckcompilerdirectives
+  # - gci
  # - gochecknoglobals
  # - gochecknoinits
-  # - gochecksumtype
  # - gocognit
  # - goconst
  # - gocritic
@@ -85,68 +51,44 @@ linters:
  # - godot
  # - godox
  # - goerr113
+  # - gofumpt
  # - goheader
+  # - golint
  # - gomnd
-  # - gomoddirectives
  # - gomodguard
  # - goprintffuncname
-  # - gosmopolitan
-  # - grouper
-  # - inamedparam
-  # - interfacebloat
-  # - ireturn
+  # - interfacer
  # - lll
-  # - loggercheck
-  # - maintidx
-  # - makezero
-  # - mirror
-  # - musttag
+  # - maligned
  # - nakedret
  # - nestif
-  # - nilerr
-  # - nilnil
  # - nlreturn
  # - noctx
  # - nolintlint
-  # - nonamedreturns
-  # - nosprintfhostport
-  # - paralleltest
-  # - perfsprint
-  # - predeclared
-  # - protogetter
-  # - reassign
-  # - revive
  # - rowserrcheck
+  # - scopelint
+  # - sqlclosecheck
  # - stylecheck
-  # - tagalign
-  # - tagliatelle
  # - testpackage
-  # - thelper
  # - unparam
-  # - usestdlibvars
-  # - varnamelen
-  # - wrapcheck
+  # - whitespace
  # - wsl

 run:
  # default concurrency is a available CPU number.
  # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-  timeout: 5m
+  deadline: 5m
  issues-exit-code: 1
  tests: false

 # output configuration options
 output:
-  formats:
-    - format: 'colored-line-number'
+  format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true

 issues:
  exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
-        - gosec
    # we aren't calling unknown URL
    - text: 'G107' # G107: Url provided to HTTP request as taint input
      linters:
@@ -168,15 +110,3 @@ issues:
      text: 'G404' # G404: Insecure random number source (rand)
      linters:
        - gosec
-    - path: modules/logging/filters.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/matchers.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/vars.go
-      linters:
-        - dupl
-    - path: _test\.go
-      linters:
-        - errcheck
@@ -1,5 +1,3 @@
-version: 2
-
 before:
  hooks:
    # The build is done in this particular way to build Caddy in a designated directory named in .gitignore.
@@ -12,9 +10,6 @@ before:
    - mkdir -p caddy-build
    - cp cmd/caddy/main.go caddy-build/main.go
    - /bin/sh -c 'cd ./caddy-build && go mod init caddy'
-    # prepare syso files for windows embedding
-    - /bin/sh -c 'for a in amd64 arm arm64; do XCADDY_SKIP_BUILD=1 GOOS=windows GOARCH=$a xcaddy build {{.Env.TAG}}; done'
-    - /bin/sh -c 'mv /tmp/buildenv_*/*.syso caddy-build'
    # GoReleaser doesn't seem to offer {{.Tag}} at this stage, so we have to embed it into the env
    # so we run: TAG=$(git describe --abbrev=0) goreleaser release --rm-dist --skip-publish --skip-validate
    - go mod edit -require=github.com/caddyserver/caddy/v2@{{.Env.TAG}} ./caddy-build/go.mod
@@ -34,6 +29,7 @@ builds:
 - env:
  - CGO_ENABLED=0
  - GO111MODULE=on
+  main: main.go
  dir: ./caddy-build
  binary: caddy
  goos:
@@ -81,8 +77,6 @@ builds:
  - -mod=readonly
  ldflags:
  - -s -w
-  tags:
-  - nobadger

 signs:
  - cmd: cosign
@@ -56,7 +56,7 @@
 </p>


-## [Features](https://caddyserver.com/features)
+## [Features](https://caddyserver.com/v2)

 - **Easy configuration** with the [Caddyfile](https://caddyserver.com/docs/caddyfile)
 - **Powerful configuration** with its [native JSON config](https://caddyserver.com/docs/json/)
@@ -75,7 +75,7 @@
 - **Runs anywhere** with **no external dependencies** (not even libc)
 - Written in Go, a language with higher **memory safety guarantees** than other servers
 - Actually **fun to use**
- So much more to [discover](https://caddyserver.com/features)
+- So much more to [discover](https://caddyserver.com/v2)

 ## Install

@@ -87,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i

 Requirements:

- [Go 1.22.3 or newer](https://golang.org/dl/)
+- [Go 1.20 or newer](https://golang.org/dl/)

 ### For development

@@ -26,6 +26,7 @@ import (
 	"expvar"
 	"fmt"
 	"hash"
+	"hash/fnv"
 	"io"
 	"net"
 	"net/http"
@@ -34,21 +35,19 @@ import (
 	"os"
 	"path"
 	"regexp"
-	"slices"
 	"strconv"
 	"strings"
 	"sync"
 	"time"

 	"github.com/caddyserver/certmagic"
-	"github.com/cespare/xxhash/v2"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )

 func init() {
-	// The hard-coded default `DefaultAdminListen` can be overridden
+	// The hard-coded default `DefaultAdminListen` can be overidden
 	// by setting the `CADDY_ADMIN` environment variable.
 	// The environment variable may be used by packagers to change
 	// the default admin address to something more appropriate for
@@ -214,7 +213,7 @@ type AdminPermissions struct {

 // newAdminHandler reads admin's config and returns an http.Handler suitable
 // for use in an admin endpoint server, which will be listening on listenAddr.
-func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, ctx Context) adminHandler {
+func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool) adminHandler {
 	muxWrap := adminHandler{mux: http.NewServeMux()}

 	// secure the local or remote endpoint respectively
@@ -270,6 +269,7 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, ctx
 	// register third-party module endpoints
 	for _, m := range GetModules("admin.api") {
 		router := m.New().(AdminRouter)
+		handlerLabel := m.ID.Name()
 		for _, route := range router.Routes() {
 			addRoute(route.Pattern, handlerLabel, route.Handler)
 		}
@@ -312,7 +312,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 	}
 	if admin.Origins == nil {
 		if addr.isLoopback() {
-			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
+			if addr.IsUnixNetwork() {
 				// RFC 2616, Section 14.26:
 				// "A client MUST include a Host header field in all HTTP/1.1 request
 				// messages. If the requested URI does not include an Internet host
@@ -350,7 +350,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 				uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
 			}
 		}
-		if !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
+		if !addr.IsUnixNetwork() {
 			uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
 		}
 	}
@@ -381,9 +381,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 // for the admin endpoint exists in cfg, a default one is used, so
 // that there is always an admin server (unless it is explicitly
 // configured to be disabled).
-// Critically note that some elements and functionality of the context
-// may not be ready, e.g. storage. Tread carefully.
-func replaceLocalAdminServer(cfg *Config, ctx Context) error {
+func replaceLocalAdminServer(cfg *Config) error {
 	// always* be sure to close down the old admin endpoint
 	// as gracefully as possible, even if the new one is
 	// disabled -- careful to use reference to the current
@@ -425,7 +423,7 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 		return err
 	}

-	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, false)

 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
@@ -476,6 +474,7 @@ func manageIdentity(ctx Context, cfg *Config) error {
 	// import the caddytls package -- but it works
 	if cfg.Admin.Identity.IssuersRaw == nil {
 		cfg.Admin.Identity.IssuersRaw = []json.RawMessage{
+			json.RawMessage(`{"module": "zerossl"}`),
 			json.RawMessage(`{"module": "acme"}`),
 		}
 	}
@@ -546,7 +545,7 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {

 	// make the HTTP handler but disable Host/Origin enforcement
 	// because we are using TLS authentication instead
-	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, true)

 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
@@ -677,7 +676,13 @@ func (remote RemoteAdmin) enforceAccessControls(r *http.Request) error {
 					// key recognized; make sure its HTTP request is permitted
 					for _, accessPerm := range adminAccess.Permissions {
 						// verify method
-						methodFound := accessPerm.Methods == nil || slices.Contains(accessPerm.Methods, r.Method)
+						methodFound := accessPerm.Methods == nil
+						for _, method := range accessPerm.Methods {
+							if method == r.Method {
+								methodFound = true
+								break
+							}
+						}
 						if !methodFound {
 							return APIError{
 								HTTPStatus: http.StatusForbidden,
@@ -873,9 +878,13 @@ func (h adminHandler) handleError(w http.ResponseWriter, r *http.Request, err er
 // a trustworthy/expected value. This helps to mitigate DNS
 // rebinding attacks.
 func (h adminHandler) checkHost(r *http.Request) error {
-	allowed := slices.ContainsFunc(h.allowedOrigins, func(u *url.URL) bool {
-		return r.Host == u.Host
-	})
+	var allowed bool
+	for _, allowedOrigin := range h.allowedOrigins {
+		if r.Host == allowedOrigin.Host {
+			allowed = true
+			break
+		}
+	}
 	if !allowed {
 		return APIError{
 			HTTPStatus: http.StatusForbidden,
@@ -937,7 +946,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {

 // etagHasher returns a the hasher we used on the config to both
 // produce and verify ETags.
-func etagHasher() hash.Hash { return xxhash.New() }
+func etagHasher() hash.Hash32 { return fnv.New32a() }

 // makeEtag returns an Etag header value (including quotes) for
 // the given config path and hash of contents at that path.
@@ -945,28 +954,17 @@ func makeEtag(path string, hash hash.Hash) string {
 	return fmt.Sprintf(`"%s %x"`, path, hash.Sum(nil))
 }

-// This buffer pool is used to keep buffers for
-// reading the config file during eTag header generation
-var bufferPool = sync.Pool{
-	New: func() any {
-		return new(bytes.Buffer)
-	},
-}
-
 func handleConfig(w http.ResponseWriter, r *http.Request) error {
 	switch r.Method {
 	case http.MethodGet:
 		w.Header().Set("Content-Type", "application/json")
+		// Set the ETag as a trailer header.
+		// The alternative is to write the config to a buffer, and
+		// then hash that.
+		w.Header().Set("Trailer", "ETag")
+
 		hash := etagHasher()
-
-		// Read the config into a buffer instead of writing directly to
-		// the response writer, as we want to set the ETag as the header,
-		// not the trailer.
-		buf := bufferPool.Get().(*bytes.Buffer)
-		buf.Reset()
-		defer bufferPool.Put(buf)
-
-		configWriter := io.MultiWriter(buf, hash)
+		configWriter := io.MultiWriter(w, hash)
 		err := readConfig(r.URL.Path, configWriter)
 		if err != nil {
 			return APIError{HTTPStatus: http.StatusBadRequest, Err: err}
@@ -975,10 +973,6 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 		// we could consider setting up a sync.Pool for the summed
 		// hashes to reduce GC pressure.
 		w.Header().Set("Etag", makeEtag(r.URL.Path, hash))
-		_, err = w.Write(buf.Bytes())
-		if err != nil {
-			return APIError{HTTPStatus: http.StatusInternalServerError, Err: err}
-		}

 		return nil

@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/fs"
 	"log"
 	"net/http"
 	"os"
@@ -39,7 +38,6 @@ import (
 	"github.com/google/uuid"
 	"go.uber.org/zap"

-	"github.com/caddyserver/caddy/v2/internal/filesystems"
 	"github.com/caddyserver/caddy/v2/notify"
 )

@@ -85,9 +83,6 @@ type Config struct {
 	storage certmagic.Storage

 	cancelFunc context.CancelFunc
-
-	// filesystems is a dict of filesystems that will later be loaded from and added to.
-	filesystems FileSystems
 }

 // App is a thing that Caddy runs.
@@ -397,62 +392,6 @@ func unsyncedDecodeAndRun(cfgJSON []byte, allowPersist bool) error {
 // will want to use Run instead, which also
 // updates the config's raw state.
 func run(newCfg *Config, start bool) (Context, error) {
-	ctx, err := provisionContext(newCfg, start)
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-
-	if !start {
-		return ctx, nil
-	}
-
-	// Provision any admin routers which may need to access
-	// some of the other apps at runtime
-	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-
-	// Start
-	err = func() error {
-		started := make([]string, 0, len(ctx.cfg.apps))
-		for name, a := range ctx.cfg.apps {
-			err := a.Start()
-			if err != nil {
-				// an app failed to start, so we need to stop
-				// all other apps that were already started
-				for _, otherAppName := range started {
-					err2 := ctx.cfg.apps[otherAppName].Stop()
-					if err2 != nil {
-						err = fmt.Errorf("%v; additionally, aborting app %s: %v",
-							err, otherAppName, err2)
-					}
-				}
-				return fmt.Errorf("%s app module: start: %v", name, err)
-			}
-			started = append(started, name)
-		}
-		return nil
-	}()
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-	globalMetrics.configSuccess.Set(1)
-	globalMetrics.configSuccessTime.SetToCurrentTime()
-	// now that the user's config is running, finish setting up anything else,
-	// such as remote admin endpoint, config loader, etc.
-	return ctx, finishSettingUp(ctx, ctx.cfg)
-}
-
-// provisionContext creates a new context from the given configuration and provisions
-// storage and apps.
-// If `newCfg` is nil a new empty configuration will be created.
-// If `replaceAdminServer` is true any currently active admin server will be replaced
-// with a new admin server based on the provided configuration.
-func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error) {
 	// because we will need to roll back any state
 	// modifications if this function errors, we
 	// keep a single error value and scope all
@@ -475,7 +414,6 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	ctx, cancel := NewContext(Context{Context: context.Background(), cfg: newCfg})
 	defer func() {
 		if err != nil {
-			globalMetrics.configSuccess.Set(0)
 			// if there were any errors during startup,
 			// we should cancel the new context we created
 			// since the associated config won't be used;
@@ -501,16 +439,13 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	}

 	// start the admin endpoint (and stop any prior one)
-	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
+	if start {
+		err = replaceLocalAdminServer(newCfg)
 		if err != nil {
 			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
 		}
 	}

-	// create the new filesystem map
-	newCfg.filesystems = &filesystems.FilesystemMap{}
-
 	// prepare the new config for use
 	newCfg.apps = make(map[string]App)

@@ -548,16 +483,49 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		}
 		return nil
 	}()
-	return ctx, err
-}
+	if err != nil {
+		return ctx, err
+	}

-// ProvisionContext creates a new context from the configuration and provisions storage
-// and app modules.
-// The function is intended for testing and advanced use cases only, typically `Run` should be
-// use to ensure a fully functional caddy instance.
-// EXPERIMENTAL: While this is public the interface and implementation details of this function may change.
-func ProvisionContext(newCfg *Config) (Context, error) {
-	return provisionContext(newCfg, false)
+	if !start {
+		return ctx, nil
+	}
+
+	// Provision any admin routers which may need to access
+	// some of the other apps at runtime
+	err = newCfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return ctx, err
+	}
+
+	// Start
+	err = func() error {
+		started := make([]string, 0, len(newCfg.apps))
+		for name, a := range newCfg.apps {
+			err := a.Start()
+			if err != nil {
+				// an app failed to start, so we need to stop
+				// all other apps that were already started
+				for _, otherAppName := range started {
+					err2 := newCfg.apps[otherAppName].Stop()
+					if err2 != nil {
+						err = fmt.Errorf("%v; additionally, aborting app %s: %v",
+							err, otherAppName, err2)
+					}
+				}
+				return fmt.Errorf("%s app module: start: %v", name, err)
+			}
+			started = append(started, name)
+		}
+		return nil
+	}()
+	if err != nil {
+		return ctx, err
+	}
+
+	// now that the user's config is running, finish setting up anything else,
+	// such as remote admin endpoint, config loader, etc.
+	return ctx, finishSettingUp(ctx, newCfg)
 }

 // finishSettingUp should be run after all apps have successfully started.
@@ -739,7 +707,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 	logger.Warn("exiting; byeee!! 👋")

 	exitCode := ExitCodeSuccess
-	lastContext := ActiveContext()

 	// stop all apps
 	if err := Stop(); err != nil {
@@ -761,16 +728,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 		}
 	}

-	// execute any process-exit callbacks
-	for _, exitFunc := range lastContext.exitFuncs {
-		exitFunc(ctx)
-	}
-	exitFuncsMu.Lock()
-	for _, exitFunc := range exitFuncs {
-		exitFunc(ctx)
-	}
-	exitFuncsMu.Unlock()
-
 	// shut down admin endpoint(s) in goroutines so that
 	// if this function was called from an admin handler,
 	// it has a chance to return gracefully
@@ -809,23 +766,6 @@ var exiting = new(int32) // accessed atomically
 // EXPERIMENTAL API: subject to change or removal.
 func Exiting() bool { return atomic.LoadInt32(exiting) == 1 }

-// OnExit registers a callback to invoke during process exit.
-// This registration is PROCESS-GLOBAL, meaning that each
-// function should only be registered once forever, NOT once
-// per config load (etc).
-//
-// EXPERIMENTAL API: subject to change or removal.
-func OnExit(f func(context.Context)) {
-	exitFuncsMu.Lock()
-	exitFuncs = append(exitFuncs, f)
-	exitFuncsMu.Unlock()
-}
-
-var (
-	exitFuncs   []func(context.Context)
-	exitFuncsMu sync.Mutex
-)
-
 // Duration can be an integer or a string. An integer is
 // interpreted as nanoseconds. If a string, it is a Go
 // time.Duration value such as `300ms`, `1.5h`, or `2h45m`;
@@ -885,18 +825,13 @@ func ParseDuration(s string) (time.Duration, error) {
 // regardless of storage configuration, since each instance is intended to
 // have its own unique ID.
 func InstanceID() (uuid.UUID, error) {
-	appDataDir := AppDataDir()
-	uuidFilePath := filepath.Join(appDataDir, "instance.uuid")
+	uuidFilePath := filepath.Join(AppDataDir(), "instance.uuid")
 	uuidFileBytes, err := os.ReadFile(uuidFilePath)
-	if errors.Is(err, fs.ErrNotExist) {
+	if os.IsNotExist(err) {
 		uuid, err := uuid.NewRandom()
 		if err != nil {
 			return uuid, err
 		}
-		err = os.MkdirAll(appDataDir, 0o700)
-		if err != nil {
-			return uuid, err
-		}
 		err = os.WriteFile(uuidFilePath, []byte(uuid.String()), 0o600)
 		return uuid, err
 	} else if err != nil {
@@ -52,7 +52,7 @@ func (a Adapter) Adapt(body []byte, options map[string]any) ([]byte, []caddyconf
 		return nil, warnings, err
 	}

-	// lint check: see if input was properly formatted; sometimes messy files parse
+	// lint check: see if input was properly formatted; sometimes messy files files parse
 	// successfully but result in logical errors (the Caddyfile is a bad format, I'm sorry)
 	if warning, different := FormattingDifference(filename, body); different {
 		warnings = append(warnings, warning)
@@ -92,26 +92,30 @@ func FormattingDifference(filename string, body []byte) (caddyconfig.Warning, bo
 	}, true
 }

-// Unmarshaler is a type that can unmarshal Caddyfile tokens to
-// set itself up for a JSON encoding. The goal of an unmarshaler
-// is not to set itself up for actual use, but to set itself up for
-// being marshaled into JSON. Caddyfile-unmarshaled values will not
-// be used directly; they will be encoded as JSON and then used from
-// that. Implementations _may_ be able to support multiple segments
-// (instances of their directive or batch of tokens); typically this
-// means wrapping parsing logic in a loop: `for d.Next() { ... }`.
-// More commonly, only a single segment is supported, so a simple
-// `d.Next()` at the start should be used to consume the module
-// identifier token (directive name, etc).
+// Unmarshaler is a type that can unmarshal
+// Caddyfile tokens to set itself up for a
+// JSON encoding. The goal of an unmarshaler
+// is not to set itself up for actual use,
+// but to set itself up for being marshaled
+// into JSON. Caddyfile-unmarshaled values
+// will not be used directly; they will be
+// encoded as JSON and then used from that.
+// Implementations must be able to support
+// multiple segments (instances of their
+// directive or batch of tokens); typically
+// this means wrapping all token logic in
+// a loop: `for d.Next() { ... }`.
 type Unmarshaler interface {
 	UnmarshalCaddyfile(d *Dispenser) error
 }

 // ServerType is a type that can evaluate a Caddyfile and set up a caddy config.
 type ServerType interface {
-	// Setup takes the server blocks which contain tokens,
-	// as well as options (e.g. CLI flags) and creates a
-	// Caddy config, along with any warnings or an error.
+	// Setup takes the server blocks which
+	// contain tokens, as well as options
+	// (e.g. CLI flags) and creates a Caddy
+	// config, along with any warnings or
+	// an error.
 	Setup([]ServerBlock, map[string]any) (*caddy.Config, []caddyconfig.Warning, error)
 }

@@ -30,10 +30,6 @@ type Dispenser struct {
 	tokens  []Token
 	cursor  int
 	nesting int
-
-	// A map of arbitrary context data that can be used
-	// to pass through some information to unmarshalers.
-	context map[string]any
 }

 // NewDispenser returns a Dispenser filled with the given tokens.
@@ -415,7 +411,7 @@ func (d *Dispenser) EOFErr() error {

 // Err generates a custom parse-time error with a message of msg.
 func (d *Dispenser) Err(msg string) error {
-	return d.WrapErr(errors.New(msg))
+	return d.Errf(msg)
 }

 // Errf is like Err, but for formatted error messages
@@ -458,34 +454,6 @@ func (d *Dispenser) DeleteN(amount int) []Token {
 	return d.tokens
 }

-// SetContext sets a key-value pair in the context map.
-func (d *Dispenser) SetContext(key string, value any) {
-	if d.context == nil {
-		d.context = make(map[string]any)
-	}
-	d.context[key] = value
-}
-
-// GetContext gets the value of a key in the context map.
-func (d *Dispenser) GetContext(key string) any {
-	if d.context == nil {
-		return nil
-	}
-	return d.context[key]
-}
-
-// GetContextString gets the value of a key in the context map
-// as a string, or an empty string if the key does not exist.
-func (d *Dispenser) GetContextString(key string) string {
-	if d.context == nil {
-		return ""
-	}
-	if val, ok := d.context[key].(string); ok {
-		return val
-	}
-	return ""
-}
-
 // isNewLine determines whether the current token is on a different
 // line (higher line number) than the previous token. It handles imported
 // tokens correctly. If there isn't a previous token, it returns true.
@@ -517,5 +485,3 @@ func (d *Dispenser) isNextOnNewLine() bool {
 	next := d.tokens[d.cursor+1]
 	return isNextOnNewLine(curr, next)
 }
-
-const MatcherNameCtxKey = "matcher_name"
@@ -305,7 +305,7 @@ func TestDispenser_ArgErr_Err(t *testing.T) {
 		t.Errorf("Expected error message with custom message in it ('foobar'); got '%v'", err)
 	}

-	ErrBarIsFull := errors.New("bar is full")
+	var ErrBarIsFull = errors.New("bar is full")
 	bookingError := d.Errf("unable to reserve: %w", ErrBarIsFull)
 	if !errors.Is(bookingError, ErrBarIsFull) {
 		t.Errorf("Errf(): should be able to unwrap the error chain")
@@ -17,7 +17,6 @@ package caddyfile
 import (
 	"bytes"
 	"io"
-	"slices"
 	"unicode"
 )

@@ -32,14 +31,6 @@ func Format(input []byte) []byte {
 	out := new(bytes.Buffer)
 	rdr := bytes.NewReader(input)

-	type heredocState int
-
-	const (
-		heredocClosed  heredocState = 0
-		heredocOpening heredocState = 1
-		heredocOpened  heredocState = 2
-	)
-
 	var (
 		last rune // the last character that was written to the result

@@ -56,11 +47,6 @@ func Format(input []byte) []byte {
 		quoted  bool // whether we're in a quoted segment
 		escaped bool // whether current char is escaped

-		heredoc              heredocState // whether we're in a heredoc
-		heredocEscaped       bool         // whether heredoc is escaped
-		heredocMarker        []rune
-		heredocClosingMarker []rune
-
 		nesting int // indentation level
 	)

@@ -89,62 +75,6 @@ func Format(input []byte) []byte {
 			panic(err)
 		}

-		// detect whether we have the start of a heredoc
-		if !quoted && !(heredoc != heredocClosed || heredocEscaped) &&
-			space && last == '<' && ch == '<' {
-			write(ch)
-			heredoc = heredocOpening
-			space = false
-			continue
-		}
-
-		if heredoc == heredocOpening {
-			if ch == '\n' {
-				if len(heredocMarker) > 0 && heredocMarkerRegexp.MatchString(string(heredocMarker)) {
-					heredoc = heredocOpened
-				} else {
-					heredocMarker = nil
-					heredoc = heredocClosed
-					nextLine()
-					continue
-				}
-				write(ch)
-				continue
-			}
-			if unicode.IsSpace(ch) {
-				// a space means it's just a regular token and not a heredoc
-				heredocMarker = nil
-				heredoc = heredocClosed
-			} else {
-				heredocMarker = append(heredocMarker, ch)
-				write(ch)
-				continue
-			}
-		}
-		// if we're in a heredoc, all characters are read&write as-is
-		if heredoc == heredocOpened {
-			heredocClosingMarker = append(heredocClosingMarker, ch)
-			if len(heredocClosingMarker) > len(heredocMarker)+1 { // We assert that the heredocClosingMarker is followed by a unicode.Space
-				heredocClosingMarker = heredocClosingMarker[1:]
-			}
-			// check if we're done
-			if unicode.IsSpace(ch) && slices.Equal(heredocClosingMarker[:len(heredocClosingMarker)-1], heredocMarker) {
-				heredocMarker = nil
-				heredocClosingMarker = nil
-				heredoc = heredocClosed
-			} else {
-				write(ch)
-				if ch == '\n' {
-					heredocClosingMarker = heredocClosingMarker[:0]
-				}
-				continue
-			}
-		}
-
-		if last == '<' && space {
-			space = false
-		}
-
 		if comment {
 			if ch == '\n' {
 				comment = false
@@ -168,9 +98,6 @@ func Format(input []byte) []byte {
 		}

 		if escaped {
-			if ch == '<' {
-				heredocEscaped = true
-			}
 			write(ch)
 			escaped = false
 			continue
@@ -190,7 +117,6 @@ func Format(input []byte) []byte {

 		if unicode.IsSpace(ch) {
 			space = true
-			heredocEscaped = false
 			if ch == '\n' {
 				newLines++
 			}
@@ -279,11 +205,6 @@ func Format(input []byte) []byte {
 			write('{')
 			openBraceWritten = true
 		}
-
-		if spacePrior && ch == '<' {
-			space = true
-		}
-
 		write(ch)

 		beginningOfLine = false
@@ -362,76 +362,6 @@ block {

 block {
 }
-`,
-		},
-		{
-			description: "keep heredoc as-is",
-			input: `block {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-}
-`,
-			expect: `block {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-}
-`,
-		},
-		{
-			description: "Mixing heredoc with regular part",
-			input: `block {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-	respond "More than one space will be eaten"     200
-}
-
-block2 {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-	respond "More than one space will be eaten" 200
-}
-`,
-			expect: `block {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-	respond "More than one space will be eaten" 200
-}
-
-block2 {
-	heredoc <<HEREDOC
-	Here's more than one space       Here's more than one space
-	HEREDOC
-	respond "More than one space will be eaten" 200
-}
-`,
-		},
-		{
-			description: "Heredoc as regular token",
-			input: `block {
-	heredoc <<HEREDOC                                 "More than one space will be eaten"
-}
-`,
-			expect: `block {
-	heredoc <<HEREDOC "More than one space will be eaten"
-}
-`,
-		},
-		{
-			description: "Escape heredoc",
-			input: `block {
-	heredoc \<<HEREDOC
-	respond "More than one space will be eaten"                           200
-}
-`,
-			expect: `block {
-	heredoc \<<HEREDOC
-	respond "More than one space will be eaten" 200
-}
 `,
 		},
 	} {
@@ -16,24 +16,23 @@ package caddyfile

 import (
 	"fmt"
-	"slices"
 )

 type adjacency map[string][]string

 type importGraph struct {
-	nodes map[string]struct{}
+	nodes map[string]bool
 	edges adjacency
 }

 func (i *importGraph) addNode(name string) {
 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if _, exists := i.nodes[name]; exists {
 		return
 	}
-	i.nodes[name] = struct{}{}
+	i.nodes[name] = true
 }

 func (i *importGraph) addNodes(names []string) {
@@ -67,7 +66,7 @@ func (i *importGraph) addEdge(from, to string) error {
 	}

 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if i.edges == nil {
 		i.edges = make(adjacency)
@@ -92,7 +91,12 @@ func (i *importGraph) areConnected(from, to string) bool {
 	if !ok {
 		return false
 	}
-	return slices.Contains(al, to)
+	for _, v := range al {
+		if v == to {
+			return true
+		}
+	}
+	return false
 }

 func (i *importGraph) willCycle(from, to string) bool {
@@ -186,7 +186,7 @@ func (l *lexer) next() (bool, error) {
 			}

 			// check if we're done, i.e. that the last few characters are the marker
-			if len(val) >= len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
+			if len(val) > len(heredocMarker) && heredocMarker == string(val[len(val)-len(heredocMarker):]) {
 				// set the final value
 				val, err = l.finalizeHeredoc(val, heredocMarker)
 				if err != nil {
@@ -313,11 +313,6 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 	// iterate over each line and strip the whitespace from the front
 	var out string
 	for lineNum, lineText := range lines[:len(lines)-1] {
-		if lineText == "" || lineText == "\r" {
-			out += "\n"
-			continue
-		}
-
 		// find an exact match for the padding
 		index := strings.Index(lineText, paddingToStrip)

@@ -340,8 +335,6 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 	return []rune(out), nil
 }

-// Quoted returns true if the token was enclosed in quotes
-// (i.e. double quotes, backticks, or heredoc).
 func (t Token) Quoted() bool {
 	return t.wasQuoted > 0
 }
@@ -358,19 +351,6 @@ func (t Token) NumLineBreaks() int {
 	return lineBreaks
 }

-// Clone returns a deep copy of the token.
-func (t Token) Clone() Token {
-	return Token{
-		File:          t.File,
-		imports:       append([]string{}, t.imports...),
-		Line:          t.Line,
-		Text:          t.Text,
-		wasQuoted:     t.wasQuoted,
-		heredocMarker: t.heredocMarker,
-		snippetName:   t.snippetName,
-	}
-}
-
 var heredocMarkerRegexp = regexp.MustCompile("^[A-Za-z0-9_-]+$")

 // isNextOnNewLine tests whether t2 is on a different line from t1
@@ -285,18 +285,6 @@ EOF same-line-arg
 		},
 		{
 			input: []byte(`heredoc <<EOF
-EOF
-	HERE same-line-arg
-	`),
-			expected: []Token{
-				{Line: 1, Text: `heredoc`},
-				{Line: 1, Text: ``},
-				{Line: 3, Text: `HERE`},
-				{Line: 3, Text: `same-line-arg`},
-			},
-		},
-		{
-			input: []byte(`heredoc <<EOF
 		EOF same-line-arg
 	`),
 			expected: []Token{
@@ -457,48 +445,6 @@ EOF
 			expectErr:    true,
 			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #2 [        content], expected whitespace [\t\t] to match the closing marker",
 		},
-		{
-			input: []byte(`heredoc <<EOF
-The next line is a blank line
-
-The previous line is a blank line
-EOF`),
-			expected: []Token{
-				{Line: 1, Text: "heredoc"},
-				{Line: 1, Text: "The next line is a blank line\n\nThe previous line is a blank line"},
-			},
-		},
-		{
-			input: []byte(`heredoc <<EOF
-	One tab indented heredoc with blank next line
-
-	One tab indented heredoc with blank previous line
-	EOF`),
-			expected: []Token{
-				{Line: 1, Text: "heredoc"},
-				{Line: 1, Text: "One tab indented heredoc with blank next line\n\nOne tab indented heredoc with blank previous line"},
-			},
-		},
-		{
-			input: []byte(`heredoc <<EOF
-The next line is a blank line with one tab
-	
-The previous line is a blank line with one tab
-EOF`),
-			expected: []Token{
-				{Line: 1, Text: "heredoc"},
-				{Line: 1, Text: "The next line is a blank line with one tab\n\t\nThe previous line is a blank line with one tab"},
-			},
-		},
-		{
-			input: []byte(`heredoc <<EOF
-		The next line is a blank line with one tab less than the correct indentation
-	
-		The previous line is a blank line with one tab less than the correct indentation
-		EOF`),
-			expectErr:    true,
-			errorMessage: "mismatched leading whitespace in heredoc <<EOF on line #3 [\t], expected whitespace [\t\t] to match the closing marker",
-		},
 	}

 	for i, testCase := range testCases {
@@ -50,7 +50,7 @@ func Parse(filename string, input []byte) ([]ServerBlock, error) {
 	p := parser{
 		Dispenser: NewDispenser(tokens),
 		importGraph: importGraph{
-			nodes: make(map[string]struct{}),
+			nodes: make(map[string]bool),
 			edges: make(adjacency),
 		},
 	}
@@ -160,14 +160,14 @@ func (p *parser) begin() error {
 	}

 	if ok, name := p.isNamedRoute(); ok {
+		// named routes only have one key, the route name
+		p.block.Keys = []string{name}
+		p.block.IsNamedRoute = true
+
 		// we just need a dummy leading token to ease parsing later
 		nameToken := p.Token()
 		nameToken.Text = name

-		// named routes only have one key, the route name
-		p.block.Keys = []Token{nameToken}
-		p.block.IsNamedRoute = true
-
 		// get all the tokens from the block, including the braces
 		tokens, err := p.blockTokens(true)
 		if err != nil {
@@ -211,16 +211,10 @@ func (p *parser) addresses() error {
 	var expectingAnother bool

 	for {
-		value := p.Val()
-		token := p.Token()
+		tkn := p.Val()

-		// Reject request matchers if trying to define them globally
-		if strings.HasPrefix(value, "@") {
-			return p.Errf("request matchers may not be defined globally, they must be in a site block; found %s", value)
-		}
-
-		// Special case: import directive replaces tokens during parse-time
-		if value == "import" && p.isNewLine() {
+		// special case: import directive replaces tokens during parse-time
+		if tkn == "import" && p.isNewLine() {
 			err := p.doImport(0)
 			if err != nil {
 				return err
@@ -229,9 +223,9 @@ func (p *parser) addresses() error {
 		}

 		// Open brace definitely indicates end of addresses
-		if value == "{" {
+		if tkn == "{" {
 			if expectingAnother {
-				return p.Errf("Expected another address but had '%s' - check for extra comma", value)
+				return p.Errf("Expected another address but had '%s' - check for extra comma", tkn)
 			}
 			// Mark this server block as being defined with braces.
 			// This is used to provide a better error message when
@@ -243,15 +237,15 @@ func (p *parser) addresses() error {
 		}

 		// Users commonly forget to place a space between the address and the '{'
-		if strings.HasSuffix(value, "{") {
-			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", value)
+		if strings.HasSuffix(tkn, "{") {
+			return p.Errf("Site addresses cannot end with a curly brace: '%s' - put a space between the token and the brace", tkn)
 		}

-		if value != "" { // empty token possible if user typed ""
+		if tkn != "" { // empty token possible if user typed ""
 			// Trailing comma indicates another address will follow, which
 			// may possibly be on the next line
-			if value[len(value)-1] == ',' {
-				value = value[:len(value)-1]
+			if tkn[len(tkn)-1] == ',' {
+				tkn = tkn[:len(tkn)-1]
 				expectingAnother = true
 			} else {
 				expectingAnother = false // but we may still see another one on this line
@@ -260,12 +254,11 @@ func (p *parser) addresses() error {
 			// If there's a comma here, it's probably because they didn't use a space
 			// between their two domains, e.g. "foo.com,bar.com", which would not be
 			// parsed as two separate site addresses.
-			if strings.Contains(value, ",") {
-				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", value)
+			if strings.Contains(tkn, ",") {
+				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", tkn)
 			}

-			token.Text = value
-			p.block.Keys = append(p.block.Keys, token)
+			p.block.Keys = append(p.block.Keys, tkn)
 		}

 		// Advance token and possibly break out of loop or return error
@@ -364,45 +357,9 @@ func (p *parser) doImport(nesting int) error {
 	// set up a replacer for non-variadic args replacement
 	repl := makeArgsReplacer(args)

-	// grab all the tokens (if it exists) from within a block that follows the import
-	var blockTokens []Token
-	for currentNesting := p.Nesting(); p.NextBlock(currentNesting); {
-		blockTokens = append(blockTokens, p.Token())
-	}
-	// initialize with size 1
-	blockMapping := make(map[string][]Token, 1)
-	if len(blockTokens) > 0 {
-		// use such tokens to create a new dispenser, and then use it to parse each block
-		bd := NewDispenser(blockTokens)
-		for bd.Next() {
-			// see if we can grab a key
-			var currentMappingKey string
-			if bd.Val() == "{" {
-				return p.Err("anonymous blocks are not supported")
-			}
-			currentMappingKey = bd.Val()
-			currentMappingTokens := []Token{}
-			// read all args until end of line / {
-			if bd.NextArg() {
-				currentMappingTokens = append(currentMappingTokens, bd.Token())
-				for bd.NextArg() {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-				// TODO(elee1766): we don't enter another mapping here because it's annoying to extract the { and } properly.
-				// maybe someone can do that in the future
-			} else {
-				// attempt to enter a block and add tokens to the currentMappingTokens
-				for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-			}
-			blockMapping[currentMappingKey] = currentMappingTokens
-		}
-	}
-
 	// splice out the import directive and its arguments
 	// (2 tokens, plus the length of args)
-	tokensBefore := p.tokens[:p.cursor-1-len(args)-len(blockTokens)]
+	tokensBefore := p.tokens[:p.cursor-1-len(args)]
 	tokensAfter := p.tokens[p.cursor+1:]
 	var importedTokens []Token
 	var nodes []string
@@ -436,6 +393,7 @@ func (p *parser) doImport(nesting int) error {
 			return p.Errf("Glob pattern may only contain one wildcard (*), but has others: %s", globPattern)
 		}
 		matches, err = filepath.Glob(globPattern)
+
 		if err != nil {
 			return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
 		}
@@ -531,33 +489,6 @@ func (p *parser) doImport(nesting int) error {
 				maybeSnippet = false
 			}
 		}
-		// if it is {block}, we substitute with all tokens in the block
-		// if it is {blocks.*}, we substitute with the tokens in the mapping for the *
-		var skip bool
-		var tokensToAdd []Token
-		switch {
-		case token.Text == "{block}":
-			tokensToAdd = blockTokens
-		case strings.HasPrefix(token.Text, "{blocks.") && strings.HasSuffix(token.Text, "}"):
-			// {blocks.foo.bar} will be extracted to key `foo.bar`
-			blockKey := strings.TrimPrefix(strings.TrimSuffix(token.Text, "}"), "{blocks.")
-			val, ok := blockMapping[blockKey]
-			if ok {
-				tokensToAdd = val
-			}
-		default:
-			skip = true
-		}
-		if !skip {
-			if len(tokensToAdd) == 0 {
-				// if there is no content in the snippet block, don't do any replacement
-				// this allows snippets which contained {block}/{block.*} before this change to continue functioning as normal
-				tokensCopy = append(tokensCopy, token)
-			} else {
-				tokensCopy = append(tokensCopy, tokensToAdd...)
-			}
-			continue
-		}

 		if maybeSnippet {
 			tokensCopy = append(tokensCopy, token)
@@ -579,7 +510,7 @@ func (p *parser) doImport(nesting int) error {
 	// splice the imported tokens in the place of the import statement
 	// and rewind cursor so Next() will land on first imported token
 	p.tokens = append(tokensBefore, append(tokensCopy, tokensAfter...)...)
-	p.cursor -= len(args) + len(blockTokens) + 1
+	p.cursor -= len(args) + 1

 	return nil
 }
@@ -706,8 +637,8 @@ func (p *parser) closeCurlyBrace() error {
 func (p *parser) isNamedRoute() (bool, string) {
 	keys := p.block.Keys
 	// A named route block is a single key with parens, prefixed with &.
-	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "&(") && strings.HasSuffix(keys[0].Text, ")") {
-		return true, strings.TrimSuffix(keys[0].Text[2:], ")")
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "&(") && strings.HasSuffix(keys[0], ")") {
+		return true, strings.TrimSuffix(keys[0][2:], ")")
 	}
 	return false, ""
 }
@@ -715,8 +646,8 @@ func (p *parser) isNamedRoute() (bool, string) {
 func (p *parser) isSnippet() (bool, string) {
 	keys := p.block.Keys
 	// A snippet block is a single key with parens. Nothing else qualifies.
-	if len(keys) == 1 && strings.HasPrefix(keys[0].Text, "(") && strings.HasSuffix(keys[0].Text, ")") {
-		return true, strings.TrimSuffix(keys[0].Text[1:], ")")
+	if len(keys) == 1 && strings.HasPrefix(keys[0], "(") && strings.HasSuffix(keys[0], ")") {
+		return true, strings.TrimSuffix(keys[0][1:], ")")
 	}
 	return false, ""
 }
@@ -760,19 +691,11 @@ func (p *parser) blockTokens(retainCurlies bool) ([]Token, error) {
 // grouped by segments.
 type ServerBlock struct {
 	HasBraces    bool
-	Keys         []Token
+	Keys         []string
 	Segments     []Segment
 	IsNamedRoute bool
 }

-func (sb ServerBlock) GetKeysText() []string {
-	res := []string{}
-	for _, k := range sb.Keys {
-		res = append(res, k.Text)
-	}
-	return res
-}
-
 // DispenseDirective returns a dispenser that contains
 // all the tokens in the server block.
 func (sb ServerBlock) DispenseDirective(dir string) *Dispenser {
@@ -22,7 +22,7 @@ import (
 )

 func TestParseVariadic(t *testing.T) {
-	args := make([]string, 10)
+	var args = make([]string, 10)
 	for i, tc := range []struct {
 		input  string
 		result bool
@@ -111,6 +111,7 @@ func TestAllTokens(t *testing.T) {
 	input := []byte("a b c\nd e")
 	expected := []string{"a", "b", "c", "d", "e"}
 	tokens, err := allTokens("TestAllTokens", input)
+
 	if err != nil {
 		t.Fatalf("Expected no error, got %v", err)
 	}
@@ -148,11 +149,10 @@ func TestParseOneAndImport(t *testing.T) {
 			"localhost",
 		}, []int{1}},

-		{
-			`localhost:1234
+		{`localhost:1234
 		  dir1 foo bar`, false, []string{
-				"localhost:1234",
-			}, []int{3},
+			"localhost:1234",
+		}, []int{3},
 		},

 		{`localhost {
@@ -347,7 +347,7 @@ func TestParseOneAndImport(t *testing.T) {
 				i, len(test.keys), len(result.Keys))
 			continue
 		}
-		for j, addr := range result.GetKeysText() {
+		for j, addr := range result.Keys {
 			if addr != test.keys[j] {
 				t.Errorf("Test %d, key %d: Expected '%s', but was '%s'",
 					i, j, test.keys[j], addr)
@@ -379,9 +379,8 @@ func TestRecursiveImport(t *testing.T) {
 	}

 	isExpected := func(got ServerBlock) bool {
-		textKeys := got.GetKeysText()
-		if len(textKeys) != 1 || textKeys[0] != "localhost" {
-			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -408,13 +407,13 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import recursive_import_test2`), 0o644)
+		import recursive_import_test2`), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer os.Remove(recursiveFile1)

-	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0o644)
+	err = os.WriteFile(recursiveFile2, []byte("dir2 1"), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -442,7 +441,7 @@ func TestRecursiveImport(t *testing.T) {
 	err = os.WriteFile(recursiveFile1, []byte(
 		`localhost
 		dir1
-		import `+recursiveFile2), 0o644)
+		import `+recursiveFile2), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -475,9 +474,8 @@ func TestDirectiveImport(t *testing.T) {
 	}

 	isExpected := func(got ServerBlock) bool {
-		textKeys := got.GetKeysText()
-		if len(textKeys) != 1 || textKeys[0] != "localhost" {
-			t.Errorf("got keys unexpected: expect localhost, got %v", textKeys)
+		if len(got.Keys) != 1 || got.Keys[0] != "localhost" {
+			t.Errorf("got keys unexpected: expect localhost, got %v", got.Keys)
 			return false
 		}
 		if len(got.Segments) != 2 {
@@ -497,7 +495,7 @@ func TestDirectiveImport(t *testing.T) {
 	}

 	err = os.WriteFile(directiveFile, []byte(`prop1 1
-	prop2 2`), 0o644)
+	prop2 2`), 0644)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -618,7 +616,7 @@ func TestParseAll(t *testing.T) {
 					i, len(test.keys[j]), j, len(block.Keys))
 				continue
 			}
-			for k, addr := range block.GetKeysText() {
+			for k, addr := range block.Keys {
 				if addr != test.keys[j][k] {
 					t.Errorf("Test %d, block %d, key %d: Expected '%s', but got '%s'",
 						i, j, k, test.keys[j][k], addr)
@@ -771,7 +769,7 @@ func TestSnippets(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 2 {
@@ -803,7 +801,7 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	fileName := writeStringToTempFileOrDie(t, `
 		http://example.com {
 			# This isn't an import directive, it's just an arg with value 'import'
-			basic_auth / import password
+			basicauth / import password
 		}
 	`)
 	// Parse the root file that imports the other one.
@@ -814,12 +812,12 @@ func TestImportedFilesIgnoreNonDirectiveImportTokens(t *testing.T) {
 	}
 	auth := blocks[0].Segments[0]
 	line := auth[0].Text + " " + auth[1].Text + " " + auth[2].Text + " " + auth[3].Text
-	if line != "basic_auth / import password" {
+	if line != "basicauth / import password" {
 		// Previously, it would be changed to:
-		//   basic_auth / import /path/to/test/dir/password
+		//   basicauth / import /path/to/test/dir/password
 		// referencing a file that (probably) doesn't exist and changing the
 		// password!
-		t.Errorf("Expected basic_auth tokens to be 'basic_auth / import password' but got %#q", line)
+		t.Errorf("Expected basicauth tokens to be 'basicauth / import password' but got %#q", line)
 	}
 }

@@ -846,7 +844,7 @@ func TestSnippetAcrossMultipleFiles(t *testing.T) {
 	if len(blocks) != 1 {
 		t.Fatalf("Expect exactly one server block. Got %d.", len(blocks))
 	}
-	if actual, expected := blocks[0].GetKeysText()[0], "http://example.com"; expected != actual {
+	if actual, expected := blocks[0].Keys[0], "http://example.com"; expected != actual {
 		t.Errorf("Expected server name to be '%s' but was '%s'", expected, actual)
 	}
 	if len(blocks[0].Segments) != 1 {
@@ -857,29 +855,6 @@ func TestSnippetAcrossMultipleFiles(t *testing.T) {
 	}
 }

-func TestRejectsGlobalMatcher(t *testing.T) {
-	p := testParser(`
-		@rejected path /foo
-
-		(common) {
-			gzip foo
-			errors stderr
-		}
-
-		http://example.com {
-			import common
-		}
-	`)
-	_, err := p.parseAll()
-	if err == nil {
-		t.Fatal("Expected an error, but got nil")
-	}
-	expected := "request matchers may not be defined globally, they must be in a site block; found @rejected, at Testfile:2"
-	if err.Error() != expected {
-		t.Errorf("Expected error to be '%s' but got '%v'", expected, err)
-	}
-}
-
 func testParser(input string) parser {
 	return parser{Dispenser: NewTestDispenser(input)}
 }
@@ -77,15 +77,10 @@ import (
 // repetition may be undesirable, so call consolidateAddrMappings() to map
 // multiple addresses to the same lists of server blocks (a many:many mapping).
 // (Doing this is essentially a map-reduce technique.)
-func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []serverBlock,
+func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBlock,
 	options map[string]any,
-) (map[string]map[string][]serverBlock, error) {
-	addrToProtocolToServerBlocks := map[string]map[string][]serverBlock{}
-
-	type keyWithParsedKey struct {
-		key       caddyfile.Token
-		parsedKey Address
-	}
+) (map[string][]serverBlock, error) {
+	sbmap := make(map[string][]serverBlock)

 	for i, sblock := range originalServerBlocks {
 		// within a server block, we need to map all the listener addresses
@@ -93,48 +88,27 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// will be served by them; this has the effect of treating each
 		// key of a server block as its own, but without having to repeat its
 		// contents in cases where multiple keys really can be served together
-		addrToProtocolToKeyWithParsedKeys := map[string]map[string][]keyWithParsedKey{}
+		addrToKeys := make(map[string][]string)
 		for j, key := range sblock.block.Keys {
-			parsedKey, err := ParseAddress(key.Text)
-			if err != nil {
-				return nil, fmt.Errorf("parsing key: %v", err)
-			}
-			parsedKey = parsedKey.Normalize()
-
 			// a key can have multiple listener addresses if there are multiple
 			// arguments to the 'bind' directive (although they will all have
 			// the same port, since the port is defined by the key or is implicit
 			// through automatic HTTPS)
-			listeners, err := st.listenersForServerBlockAddress(sblock, parsedKey, options)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key, options)
 			if err != nil {
-				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key.Text, err)
+				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key, err)
 			}

-			// associate this key with its protocols and each listener address served with them
-			kwpk := keyWithParsedKey{key, parsedKey}
-			for addr, protocols := range listeners {
-				protocolToKeyWithParsedKeys, ok := addrToProtocolToKeyWithParsedKeys[addr]
-				if !ok {
-					protocolToKeyWithParsedKeys = map[string][]keyWithParsedKey{}
-					addrToProtocolToKeyWithParsedKeys[addr] = protocolToKeyWithParsedKeys
-				}
-
-				// an empty protocol indicates the default, a nil or empty value in the ListenProtocols array
-				if len(protocols) == 0 {
-					protocols[""] = struct{}{}
-				}
-				for prot := range protocols {
-					protocolToKeyWithParsedKeys[prot] = append(
-						protocolToKeyWithParsedKeys[prot],
-						kwpk)
-				}
+			// associate this key with each listener address it is served on
+			for _, addr := range addrs {
+				addrToKeys[addr] = append(addrToKeys[addr], key)
 			}
 		}

 		// make a slice of the map keys so we can iterate in sorted order
-		addrs := make([]string, 0, len(addrToProtocolToKeyWithParsedKeys))
-		for addr := range addrToProtocolToKeyWithParsedKeys {
-			addrs = append(addrs, addr)
+		addrs := make([]string, 0, len(addrToKeys))
+		for k := range addrToKeys {
+			addrs = append(addrs, k)
 		}
 		sort.Strings(addrs)

@@ -144,132 +118,85 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// server block are only the ones which use the address; but
 		// the contents (tokens) are of course the same
 		for _, addr := range addrs {
-			protocolToKeyWithParsedKeys := addrToProtocolToKeyWithParsedKeys[addr]
-
-			prots := make([]string, 0, len(protocolToKeyWithParsedKeys))
-			for prot := range protocolToKeyWithParsedKeys {
-				prots = append(prots, prot)
-			}
-			sort.Strings(prots)
-
-			protocolToServerBlocks, ok := addrToProtocolToServerBlocks[addr]
-			if !ok {
-				protocolToServerBlocks = map[string][]serverBlock{}
-				addrToProtocolToServerBlocks[addr] = protocolToServerBlocks
-			}
-
-			for _, prot := range prots {
-				keyWithParsedKeys := protocolToKeyWithParsedKeys[prot]
-
-				keys := make([]caddyfile.Token, len(keyWithParsedKeys))
-				parsedKeys := make([]Address, len(keyWithParsedKeys))
-
-				for k, keyWithParsedKey := range keyWithParsedKeys {
-					keys[k] = keyWithParsedKey.key
-					parsedKeys[k] = keyWithParsedKey.parsedKey
+			keys := addrToKeys[addr]
+			// parse keys so that we only have to do it once
+			parsedKeys := make([]Address, 0, len(keys))
+			for _, key := range keys {
+				addr, err := ParseAddress(key)
+				if err != nil {
+					return nil, fmt.Errorf("parsing key '%s': %v", key, err)
 				}
-
-				protocolToServerBlocks[prot] = append(protocolToServerBlocks[prot], serverBlock{
-					block: caddyfile.ServerBlock{
-						Keys:     keys,
-						Segments: sblock.block.Segments,
-					},
-					pile:       sblock.pile,
-					parsedKeys: parsedKeys,
-				})
+				parsedKeys = append(parsedKeys, addr.Normalize())
 			}
-		}
-	}
-
-	return addrToProtocolToServerBlocks, nil
-}
-
-// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
-// single listener addresses to protocols to lists of server blocks. Since multiple addresses
-// may serve multiple protocols to identical sites (server block contents), this function turns
-// a 1:many mapping into a many:many mapping. Server block contents (tokens) must be
-// exactly identical so that reflect.DeepEqual returns true in order for the addresses to be combined.
-// Identical entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
-// association from multiple addresses to multiple server blocks; i.e. each element of
-// the returned slice) becomes a server definition in the output JSON.
-func (st *ServerType) consolidateAddrMappings(addrToProtocolToServerBlocks map[string]map[string][]serverBlock) []sbAddrAssociation {
-	sbaddrs := make([]sbAddrAssociation, 0, len(addrToProtocolToServerBlocks))
-
-	addrs := make([]string, 0, len(addrToProtocolToServerBlocks))
-	for addr := range addrToProtocolToServerBlocks {
-		addrs = append(addrs, addr)
-	}
-	sort.Strings(addrs)
-
-	for _, addr := range addrs {
-		protocolToServerBlocks := addrToProtocolToServerBlocks[addr]
-
-		prots := make([]string, 0, len(protocolToServerBlocks))
-		for prot := range protocolToServerBlocks {
-			prots = append(prots, prot)
-		}
-		sort.Strings(prots)
-
-		for _, prot := range prots {
-			serverBlocks := protocolToServerBlocks[prot]
-
-			// now find other addresses that map to identical
-			// server blocks and add them to our map of listener
-			// addresses and protocols, while removing them from
-			// the original map
-			listeners := map[string]map[string]struct{}{}
-
-			for otherAddr, otherProtocolToServerBlocks := range addrToProtocolToServerBlocks {
-				for otherProt, otherServerBlocks := range otherProtocolToServerBlocks {
-					if addr == otherAddr && prot == otherProt || reflect.DeepEqual(serverBlocks, otherServerBlocks) {
-						listener, ok := listeners[otherAddr]
-						if !ok {
-							listener = map[string]struct{}{}
-							listeners[otherAddr] = listener
-						}
-						listener[otherProt] = struct{}{}
-						delete(otherProtocolToServerBlocks, otherProt)
-					}
-				}
-			}
-
-			addresses := make([]string, 0, len(listeners))
-			for lnAddr := range listeners {
-				addresses = append(addresses, lnAddr)
-			}
-			sort.Strings(addresses)
-
-			addressesWithProtocols := make([]addressWithProtocols, 0, len(listeners))
-
-			for _, lnAddr := range addresses {
-				lnProts := listeners[lnAddr]
-				prots := make([]string, 0, len(lnProts))
-				for prot := range lnProts {
-					prots = append(prots, prot)
-				}
-				sort.Strings(prots)
-
-				addressesWithProtocols = append(addressesWithProtocols, addressWithProtocols{
-					address:   lnAddr,
-					protocols: prots,
-				})
-			}
-
-			sbaddrs = append(sbaddrs, sbAddrAssociation{
-				addressesWithProtocols: addressesWithProtocols,
-				serverBlocks:           serverBlocks,
+			sbmap[addr] = append(sbmap[addr], serverBlock{
+				block: caddyfile.ServerBlock{
+					Keys:     keys,
+					Segments: sblock.block.Segments,
+				},
+				pile: sblock.pile,
+				keys: parsedKeys,
 			})
 		}
 	}

+	return sbmap, nil
+}
+
+// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
+// single listener addresses to lists of server blocks. Since multiple addresses may serve
+// identical sites (server block contents), this function turns a 1:many mapping into a
+// many:many mapping. Server block contents (tokens) must be exactly identical so that
+// reflect.DeepEqual returns true in order for the addresses to be combined. Identical
+// entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
+// association from multiple addresses to multiple server blocks; i.e. each element of
+// the returned slice) becomes a server definition in the output JSON.
+func (st *ServerType) consolidateAddrMappings(addrToServerBlocks map[string][]serverBlock) []sbAddrAssociation {
+	sbaddrs := make([]sbAddrAssociation, 0, len(addrToServerBlocks))
+	for addr, sblocks := range addrToServerBlocks {
+		// we start with knowing that at least this address
+		// maps to these server blocks
+		a := sbAddrAssociation{
+			addresses:    []string{addr},
+			serverBlocks: sblocks,
+		}
+
+		// now find other addresses that map to identical
+		// server blocks and add them to our list of
+		// addresses, while removing them from the map
+		for otherAddr, otherSblocks := range addrToServerBlocks {
+			if addr == otherAddr {
+				continue
+			}
+			if reflect.DeepEqual(sblocks, otherSblocks) {
+				a.addresses = append(a.addresses, otherAddr)
+				delete(addrToServerBlocks, otherAddr)
+			}
+		}
+		sort.Strings(a.addresses)
+
+		sbaddrs = append(sbaddrs, a)
+	}
+
+	// sort them by their first address (we know there will always be at least one)
+	// to avoid problems with non-deterministic ordering (makes tests flaky)
+	sort.Slice(sbaddrs, func(i, j int) bool {
+		return sbaddrs[i].addresses[0] < sbaddrs[j].addresses[0]
+	})
+
 	return sbaddrs
 }

-// listenersForServerBlockAddress essentially converts the Caddyfile site addresses to a map from
-// Caddy listener addresses and the protocols to serve them with to the parsed address for each server block.
-func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Address,
+// listenerAddrsForServerBlockKey essentially converts the Caddyfile
+// site addresses to Caddy listener addresses for each server block.
+func (st *ServerType) listenerAddrsForServerBlockKey(sblock serverBlock, key string,
 	options map[string]any,
-) (map[string]map[string]struct{}, error) {
+) ([]string, error) {
+	addr, err := ParseAddress(key)
+	if err != nil {
+		return nil, fmt.Errorf("parsing key: %v", err)
+	}
+	addr = addr.Normalize()
+
 	switch addr.Scheme {
 	case "wss":
 		return nil, fmt.Errorf("the scheme wss:// is only supported in browsers; use https:// instead")
@@ -303,54 +230,55 @@ func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Ad

 	// error if scheme and port combination violate convention
 	if (addr.Scheme == "http" && lnPort == httpsPort) || (addr.Scheme == "https" && lnPort == httpPort) {
-		return nil, fmt.Errorf("[%s] scheme and port violate convention", addr.String())
+		return nil, fmt.Errorf("[%s] scheme and port violate convention", key)
 	}

-	// the bind directive specifies hosts (and potentially network), and the protocols to serve them with, but is optional
-	lnCfgVals := make([]addressesWithProtocols, 0, len(sblock.pile["bind"]))
+	// the bind directive specifies hosts (and potentially network), but is optional
+	lnHosts := make([]string, 0, len(sblock.pile["bind"]))
 	for _, cfgVal := range sblock.pile["bind"] {
-		if val, ok := cfgVal.Value.(addressesWithProtocols); ok {
-			lnCfgVals = append(lnCfgVals, val)
-		}
+		lnHosts = append(lnHosts, cfgVal.Value.([]string)...)
 	}
-	if len(lnCfgVals) == 0 {
-		if defaultBindValues, ok := options["default_bind"].([]ConfigValue); ok {
-			for _, defaultBindValue := range defaultBindValues {
-				lnCfgVals = append(lnCfgVals, defaultBindValue.Value.(addressesWithProtocols))
-			}
+	if len(lnHosts) == 0 {
+		if defaultBind, ok := options["default_bind"].([]string); ok {
+			lnHosts = defaultBind
 		} else {
-			lnCfgVals = []addressesWithProtocols{{
-				addresses: []string{""},
-				protocols: nil,
-			}}
+			lnHosts = []string{""}
 		}
 	}

 	// use a map to prevent duplication
-	listeners := map[string]map[string]struct{}{}
-	for _, lnCfgVal := range lnCfgVals {
-		for _, lnHost := range lnCfgVal.addresses {
-			networkAddr, err := caddy.ParseNetworkAddressFromHostPort(lnHost, lnPort)
-			if err != nil {
-				return nil, fmt.Errorf("parsing network address: %v", err)
-			}
-			if _, ok := listeners[addr.String()]; !ok {
-				listeners[networkAddr.String()] = map[string]struct{}{}
-			}
-			for _, protocol := range lnCfgVal.protocols {
-				listeners[networkAddr.String()][protocol] = struct{}{}
-			}
+	listeners := make(map[string]struct{})
+	for _, lnHost := range lnHosts {
+		// normally we would simply append the port,
+		// but if lnHost is IPv6, we need to ensure it
+		// is enclosed in [ ]; net.JoinHostPort does
+		// this for us, but lnHost might also have a
+		// network type in front (e.g. "tcp/") leading
+		// to "[tcp/::1]" which causes parsing failures
+		// later; what we need is "tcp/[::1]", so we have
+		// to split the network and host, then re-combine
+		network, host, ok := strings.Cut(lnHost, "/")
+		if !ok {
+			host = network
+			network = ""
 		}
+		host = strings.Trim(host, "[]") // IPv6
+		networkAddr := caddy.JoinNetworkAddress(network, host, lnPort)
+		addr, err := caddy.ParseNetworkAddress(networkAddr)
+		if err != nil {
+			return nil, fmt.Errorf("parsing network address: %v", err)
+		}
+		listeners[addr.String()] = struct{}{}
 	}

-	return listeners, nil
-}
+	// now turn map into list
+	listenersList := make([]string, 0, len(listeners))
+	for lnStr := range listeners {
+		listenersList = append(listenersList, lnStr)
+	}
+	sort.Strings(listenersList)

-// addressesWithProtocols associates a list of listen addresses
-// with a list of protocols to serve them with
-type addressesWithProtocols struct {
-	addresses []string
-	protocols []string
+	return listenersList, nil
 }

 // Address represents a site address. It contains
@@ -25,12 +25,11 @@ func TestLogDirectiveSyntax(t *testing.T) {
 		{
 			input: `:8080 {
 				log {
-					core mock
 					output file foo.log
 				}
 			}
 			`,
-			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"writer":{"filename":"foo.log","output":"file"},"core":{"module":"mock"},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
+			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"writer":{"filename":"foo.log","output":"file"},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
 			expectError: false,
 		},
 		{
@@ -54,12 +53,11 @@ func TestLogDirectiveSyntax(t *testing.T) {
 		{
 			input: `:8080 {
 				log name-override {
-					core mock
 					output file foo.log
 				}
 			}
 			`,
-			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.name-override"]},"name-override":{"writer":{"filename":"foo.log","output":"file"},"core":{"module":"mock"},"include":["http.log.access.name-override"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"name-override"}}}}}}`,
+			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.name-override"]},"name-override":{"writer":{"filename":"foo.log","output":"file"},"include":["http.log.access.name-override"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"name-override"}}}}}}`,
 			expectError: false,
 		},
 	} {
@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"net"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -28,33 +27,22 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )

-// defaultDirectiveOrder specifies the default order
-// to apply directives in HTTP routes. This must only
-// consist of directives that are included in Caddy's
-// standard distribution.
+// directiveOrder specifies the order
+// to apply directives in HTTP routes.
 //
-// e.g. The 'root' directive goes near the start in
-// case rewrites or redirects depend on existence of
-// files, i.e. the file matcher, which must know the
-// root first.
+// The root directive goes first in case rewrites or
+// redirects depend on existence of files, i.e. the
+// file matcher, which must know the root first.
 //
-// e.g. The 'header' directive goes before 'redir' so
-// that headers can be manipulated before doing redirects.
-//
-// e.g. The 'respond' directive is near the end because it
-// writes a response and terminates the middleware chain.
-var defaultDirectiveOrder = []string{
+// The header directive goes second so that headers
+// can be manipulated before doing redirects.
+var directiveOrder = []string{
 	"tracing",

-	// set variables that may be used by other directives
 	"map",
 	"vars",
-	"fs",
 	"root",
-	"log_append",
-	"skip_log", // TODO: deprecated, renamed to log_skip
-	"log_skip",
-	"log_name",
+	"skip_log",

 	"header",
 	"copy_response_headers", // only in reverse_proxy's handle_response
@@ -69,13 +57,11 @@ var defaultDirectiveOrder = []string{
 	"try_files",

 	// middleware handlers; some wrap responses
-	"basicauth", // TODO: deprecated, renamed to basic_auth
-	"basic_auth",
+	"basicauth",
 	"forward_auth",
 	"request_header",
 	"encode",
 	"push",
-	"intercept",
 	"templates",

 	// special routing & dispatching directives
@@ -96,10 +82,16 @@ var defaultDirectiveOrder = []string{
 	"acme_server",
 }

-// directiveOrder specifies the order to apply directives
-// in HTTP routes, after being modified by either the
-// plugins or by the user via the "order" global option.
-var directiveOrder = defaultDirectiveOrder
+// directiveIsOrdered returns true if dir is
+// a known, ordered (sorted) directive.
+func directiveIsOrdered(dir string) bool {
+	for _, d := range directiveOrder {
+		if d == dir {
+			return true
+		}
+	}
+	return false
+}

 // RegisterDirective registers a unique directive dir with an
 // associated unmarshaling (setup) function. When directive dir
@@ -136,53 +128,6 @@ func RegisterHandlerDirective(dir string, setupFunc UnmarshalHandlerFunc) {
 	})
 }

-// RegisterDirectiveOrder registers the default order for a
-// directive from a plugin.
-//
-// This is useful when a plugin has a well-understood place
-// it should run in the middleware pipeline, and it allows
-// users to avoid having to define the order themselves.
-//
-// The directive dir may be placed in the position relative
-// to ('before' or 'after') a directive included in Caddy's
-// standard distribution. It cannot be relative to another
-// plugin's directive.
-//
-// EXPERIMENTAL: This API may change or be removed.
-func RegisterDirectiveOrder(dir string, position Positional, standardDir string) {
-	// check if directive was already ordered
-	if slices.Contains(directiveOrder, dir) {
-		panic("directive '" + dir + "' already ordered")
-	}
-
-	if position != Before && position != After {
-		panic("the 2nd argument must be either 'before' or 'after', got '" + position + "'")
-	}
-
-	// check if directive exists in standard distribution, since
-	// we can't allow plugins to depend on one another; we can't
-	// guarantee the order that plugins are loaded in.
-	foundStandardDir := slices.Contains(defaultDirectiveOrder, standardDir)
-	if !foundStandardDir {
-		panic("the 3rd argument '" + standardDir + "' must be a directive that exists in the standard distribution of Caddy")
-	}
-
-	// insert directive into proper position
-	newOrder := directiveOrder
-	for i, d := range newOrder {
-		if d != standardDir {
-			continue
-		}
-		if position == Before {
-			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		} else if position == After {
-			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
-		}
-		break
-	}
-	directiveOrder = newOrder
-}
-
 // RegisterGlobalOption registers a unique global option opt with
 // an associated unmarshaling (setup) function. When the global
 // option opt is encountered in a Caddyfile, setupFunc will be
@@ -325,6 +270,12 @@ func (h Helper) GroupRoutes(vals []ConfigValue) {
 	}
 }

+// NewBindAddresses returns config values relevant to adding
+// listener bind addresses to the config.
+func (h Helper) NewBindAddresses(addrs []string) []ConfigValue {
+	return []ConfigValue{{Class: "bind", Value: addrs}}
+}
+
 // WithDispenser returns a new instance based on d. All others Helper
 // fields are copied, so typically maps are shared with this new instance.
 func (h Helper) WithDispenser(d *caddyfile.Dispenser) Helper {
@@ -516,9 +467,9 @@ func sortRoutes(routes []ConfigValue) {
 // a "pile" of config values, keyed by class name,
 // as well as its parsed keys for convenience.
 type serverBlock struct {
-	block      caddyfile.ServerBlock
-	pile       map[string][]ConfigValue // config values obtained from directives
-	parsedKeys []Address
+	block caddyfile.ServerBlock
+	pile  map[string][]ConfigValue // config values obtained from directives
+	keys  []Address
 }

 // hostsFromKeys returns a list of all the non-empty hostnames found in
@@ -535,7 +486,7 @@ type serverBlock struct {
 func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			if !loggerMode {
 				// server block contains a key like ":443", i.e. the host portion
@@ -567,7 +518,7 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			continue
 		}
@@ -588,29 +539,25 @@ func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
-	return slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Host == ""
-	})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			return true
+		}
+	}
+	return false
 }

 // isAllHTTP returns true if all sb keys explicitly specify
 // the http:// scheme
 func (sb serverBlock) isAllHTTP() bool {
-	return !slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Scheme != "http"
-	})
+	for _, addr := range sb.keys {
+		if addr.Scheme != "http" {
+			return false
+		}
+	}
+	return true
 }

-// Positional are the supported modes for ordering directives.
-type Positional string
-
-const (
-	Before Positional = "before"
-	After  Positional = "after"
-	First  Positional = "first"
-	Last   Positional = "last"
-)
-
 type (
 	// UnmarshalFunc is a function which can unmarshal Caddyfile
 	// tokens into zero or more config values using a Helper type.
@@ -31,23 +31,20 @@ func TestHostsFromKeys(t *testing.T) {
 			[]Address{
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{},
-			[]string{},
+			[]string{}, []string{},
 		},
 		{
 			[]Address{
 				{Original: ":443", Port: "443"},
 			},
-			[]string{},
-			[]string{},
+			[]string{}, []string{},
 		},
 		{
 			[]Address{
 				{Original: "foo", Host: "foo"},
 				{Original: ":2015", Port: "2015"},
 			},
-			[]string{},
-			[]string{"foo"},
+			[]string{}, []string{"foo"},
 		},
 		{
 			[]Address{
@@ -78,7 +75,7 @@ func TestHostsFromKeys(t *testing.T) {
 			[]string{"example.com:2015"},
 		},
 	} {
-		sb := serverBlock{parsedKeys: tc.keys}
+		sb := serverBlock{keys: tc.keys}

 		// test in normal mode
 		actual := sb.hostsFromKeys(false)
@@ -19,12 +19,12 @@ import (
 	"fmt"
 	"net"
 	"reflect"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"

 	"go.uber.org/zap"
+	"golang.org/x/exp/slices"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -65,11 +65,8 @@ func (st ServerType) Setup(
 	originalServerBlocks := make([]serverBlock, 0, len(inputServerBlocks))
 	for _, sblock := range inputServerBlocks {
 		for j, k := range sblock.Keys {
-			if j == 0 && strings.HasPrefix(k.Text, "@") {
-				return nil, warnings, fmt.Errorf("%s:%d: cannot define a matcher outside of a site block: '%s'", k.File, k.Line, k.Text)
-			}
-			if _, ok := registeredDirectives[k.Text]; ok {
-				return nil, warnings, fmt.Errorf("%s:%d: parsed '%s' as a site address, but it is a known directive; directives must appear in a site block", k.File, k.Line, k.Text)
+			if j == 0 && strings.HasPrefix(k, "@") {
+				return nil, warnings, fmt.Errorf("cannot define a matcher outside of a site block: '%s'", k)
 			}
 		}
 		originalServerBlocks = append(originalServerBlocks, serverBlock{
@@ -171,7 +168,7 @@ func (st ServerType) Setup(
 	}

 	// map
-	sbmap, err := st.mapAddressToProtocolToServerBlocks(originalServerBlocks, options)
+	sbmap, err := st.mapAddressToServerBlocks(originalServerBlocks, options)
 	if err != nil {
 		return nil, warnings, err
 	}
@@ -274,12 +271,6 @@ func (st ServerType) Setup(
 	if !reflect.DeepEqual(pkiApp, &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}) {
 		cfg.AppsRaw["pki"] = caddyconfig.JSON(pkiApp, &warnings)
 	}
-	if filesystems, ok := options["filesystem"].(caddy.Module); ok {
-		cfg.AppsRaw["caddy.filesystems"] = caddyconfig.JSON(
-			filesystems,
-			&warnings)
-	}
-
 	if storageCvtr, ok := options["storage"].(caddy.StorageConverter); ok {
 		cfg.StorageRaw = caddyconfig.JSONModuleObject(storageCvtr,
 			"module",
@@ -289,6 +280,7 @@ func (st ServerType) Setup(
 	if adminConfig, ok := options["admin"].(*caddy.AdminConfig); ok && adminConfig != nil {
 		cfg.Admin = adminConfig
 	}
+
 	if pc, ok := options["persist_config"].(string); ok && pc == "off" {
 		if cfg.Admin == nil {
 			cfg.Admin = new(caddy.AdminConfig)
@@ -402,20 +394,6 @@ func (ServerType) evaluateGlobalOptionsBlock(serverBlocks []serverBlock, options
 			options[opt] = append(existingOpts, logOpts...)
 			continue
 		}
-		// Also fold multiple "default_bind" options together into an
-		// array so that server blocks can have multiple binds by default.
-		if opt == "default_bind" {
-			existingOpts, ok := options[opt].([]ConfigValue)
-			if !ok {
-				existingOpts = []ConfigValue{}
-			}
-			defaultBindOpts, ok := val.([]ConfigValue)
-			if !ok {
-				return nil, fmt.Errorf("unexpected type from 'default_bind' global options: %T", val)
-			}
-			options[opt] = append(existingOpts, defaultBindOpts...)
-			continue
-		}

 		options[opt] = val
 	}
@@ -507,7 +485,7 @@ func (ServerType) extractNamedRoutes(
 			route.HandlersRaw = []json.RawMessage{caddyconfig.JSONModuleObject(handler, "handler", subroute.CaddyModule().ID.Name(), h.warnings)}
 		}

-		namedRoutes[sb.block.GetKeysText()[0]] = &route
+		namedRoutes[sb.block.Keys[0]] = &route
 	}
 	options["named_routes"] = namedRoutes

@@ -534,8 +512,8 @@ func (st *ServerType) serversFromPairings(
 	if hsp, ok := options["https_port"].(int); ok {
 		httpsPort = strconv.Itoa(hsp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}

@@ -545,86 +523,34 @@ func (st *ServerType) serversFromPairings(
 		// address), otherwise their routes will improperly be added
 		// to the same server (see issue #4635)
 		for j, sblock1 := range p.serverBlocks {
-			for _, key := range sblock1.block.GetKeysText() {
+			for _, key := range sblock1.block.Keys {
 				for k, sblock2 := range p.serverBlocks {
 					if k == j {
 						continue
 					}
-					if slices.Contains(sblock2.block.GetKeysText(), key) {
+					if sliceContains(sblock2.block.Keys, key) {
 						return nil, fmt.Errorf("ambiguous site definition: %s", key)
 					}
 				}
 			}
 		}

-		var (
-			addresses []string
-			protocols [][]string
-		)
-
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-			protocols = append(protocols, addressWithProtocols.protocols)
-		}
-
 		srv := &caddyhttp.Server{
-			Listen:          addresses,
-			ListenProtocols: protocols,
-		}
-
-		// remove srv.ListenProtocols[j] if it only contains the default protocols
-		for j, lnProtocols := range srv.ListenProtocols {
-			srv.ListenProtocols[j] = nil
-			for _, lnProtocol := range lnProtocols {
-				if lnProtocol != "" {
-					srv.ListenProtocols[j] = lnProtocols
-					break
-				}
-			}
-		}
-
-		// remove srv.ListenProtocols if it only contains the default protocols for all listen addresses
-		listenProtocols := srv.ListenProtocols
-		srv.ListenProtocols = nil
-		for _, lnProtocols := range listenProtocols {
-			if lnProtocols != nil {
-				srv.ListenProtocols = listenProtocols
-				break
-			}
+			Listen: p.addresses,
 		}

 		// handle the auto_https global option
-		for _, val := range autoHTTPS {
-			switch val {
+		if autoHTTPS != "on" {
+			srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
+			switch autoHTTPS {
 			case "off":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.Disabled = true
-
 			case "disable_redirects":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableRedir = true
-
 			case "disable_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableCerts = true
-
 			case "ignore_loaded_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.IgnoreLoadedCerts = true
-
-			case "prefer_wildcard":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
-				srv.AutoHTTPS.PreferWildcard = true
 			}
 		}

@@ -632,7 +558,7 @@ func (st *ServerType) serversFromPairings(
 		// See ParseAddress() where parsing should later reject paths
 		// See https://github.com/caddyserver/caddy/pull/4728 for a full explanation
 		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				if addr.Path != "" {
 					caddy.Log().Named("caddyfile").Warn("Using a path in a site address is deprecated; please use the 'handle' directive instead", zap.String("address", addr.String()))
 				}
@@ -650,7 +576,7 @@ func (st *ServerType) serversFromPairings(
 			var iLongestPath, jLongestPath string
 			var iLongestHost, jLongestHost string
 			var iWildcardHost, jWildcardHost bool
-			for _, addr := range p.serverBlocks[i].parsedKeys {
+			for _, addr := range p.serverBlocks[i].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					iWildcardHost = true
 				}
@@ -661,7 +587,7 @@ func (st *ServerType) serversFromPairings(
 					iLongestPath = addr.Path
 				}
 			}
-			for _, addr := range p.serverBlocks[j].parsedKeys {
+			for _, addr := range p.serverBlocks[j].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					jWildcardHost = true
 				}
@@ -693,7 +619,7 @@ func (st *ServerType) serversFromPairings(
 		})

 		var hasCatchAllTLSConnPolicy, addressQualifiesForTLS bool
-		autoHTTPSWillAddConnPolicy := srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled
+		autoHTTPSWillAddConnPolicy := autoHTTPS != "off"

 		// if needed, the ServerLogConfig is initialized beforehand so
 		// that all server blocks can populate it with data, even when not
@@ -777,14 +703,7 @@ func (st *ServerType) serversFromPairings(
 				}
 			}

-			wildcardHosts := []string{}
-			for _, addr := range sblock.parsedKeys {
-				if strings.HasPrefix(addr.Host, "*.") {
-					wildcardHosts = append(wildcardHosts, addr.Host[2:])
-				}
-			}
-
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				// if server only uses HTTP port, auto-HTTPS will not apply
 				if listenersUseAnyPortOtherThan(srv.Listen, httpPort) {
 					// exclude any hosts that were defined explicitly with "http://"
@@ -793,24 +712,12 @@ func (st *ServerType) serversFromPairings(
 						if srv.AutoHTTPS == nil {
 							srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 						}
-						if !slices.Contains(srv.AutoHTTPS.Skip, addr.Host) {
+						if !sliceContains(srv.AutoHTTPS.Skip, addr.Host) {
 							srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, addr.Host)
 						}
 					}
 				}

-				// If prefer wildcard is enabled, then we add hosts that are
-				// already covered by the wildcard to the skip list
-				if srv.AutoHTTPS != nil && srv.AutoHTTPS.PreferWildcard && addr.Scheme == "https" {
-					baseDomain := addr.Host
-					if idx := strings.Index(baseDomain, "."); idx != -1 {
-						baseDomain = baseDomain[idx+1:]
-					}
-					if !strings.HasPrefix(addr.Host, "*.") && slices.Contains(wildcardHosts, baseDomain) {
-						srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, addr.Host)
-					}
-				}
-
 				// If TLS is specified as directive, it will also result in 1 or more connection policy being created
 				// Thus, catch-all address with non-standard port, e.g. :8443, can have TLS enabled without
 				// specifying prefix "https://"
@@ -819,7 +726,7 @@ func (st *ServerType) serversFromPairings(
 				// https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
 				createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
 				hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
-					(addr.Host != "" && srv.AutoHTTPS != nil && !slices.Contains(srv.AutoHTTPS.Skip, addr.Host))
+					(addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))

 				// we'll need to remember if the address qualifies for auto-HTTPS, so we
 				// can add a TLS conn policy if necessary
@@ -862,19 +769,10 @@ func (st *ServerType) serversFromPairings(
 				if srv.Errors == nil {
 					srv.Errors = new(caddyhttp.HTTPErrorConfig)
 				}
-				sort.SliceStable(errorSubrouteVals, func(i, j int) bool {
-					sri, srj := errorSubrouteVals[i].Value.(*caddyhttp.Subroute), errorSubrouteVals[j].Value.(*caddyhttp.Subroute)
-					if len(sri.Routes[0].MatcherSetsRaw) == 0 && len(srj.Routes[0].MatcherSetsRaw) != 0 {
-						return false
-					}
-					return true
-				})
-				errorsSubroute := &caddyhttp.Subroute{}
 				for _, val := range errorSubrouteVals {
 					sr := val.Value.(*caddyhttp.Subroute)
-					errorsSubroute.Routes = append(errorsSubroute.Routes, sr.Routes...)
+					srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, sr, matcherSetsEnc, p, warnings)
 				}
-				srv.Errors.Routes = appendSubrouteToRouteList(srv.Errors.Routes, errorsSubroute, matcherSetsEnc, p, warnings)
 			}

 			// add log associations
@@ -882,15 +780,6 @@ func (st *ServerType) serversFromPairings(
 			sblockLogHosts := sblock.hostsFromKeys(true)
 			for _, cval := range sblock.pile["custom_log"] {
 				ncl := cval.Value.(namedCustomLog)
-
-				// if `no_hostname` is set, then this logger will not
-				// be associated with any of the site block's hostnames,
-				// and only be usable via the `log_name` directive
-				// or the `access_logger_names` variable
-				if ncl.noHostname {
-					continue
-				}
-
 				if sblock.hasHostCatchAllKey() && len(ncl.hostnames) == 0 {
 					// all requests for hosts not able to be listed should use
 					// this log because it's a catch-all-hosts server block
@@ -899,22 +788,22 @@ func (st *ServerType) serversFromPairings(
 					// if the logger overrides the hostnames, map that to the logger name
 					for _, h := range ncl.hostnames {
 						if srv.Logs.LoggerNames == nil {
-							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
+							srv.Logs.LoggerNames = make(map[string]string)
 						}
-						srv.Logs.LoggerNames[h] = append(srv.Logs.LoggerNames[h], ncl.name)
+						srv.Logs.LoggerNames[h] = ncl.name
 					}
 				} else {
 					// otherwise, map each host to the logger name
 					for _, h := range sblockLogHosts {
+						if srv.Logs.LoggerNames == nil {
+							srv.Logs.LoggerNames = make(map[string]string)
+						}
 						// strip the port from the host, if any
 						host, _, err := net.SplitHostPort(h)
 						if err != nil {
 							host = h
 						}
-						if srv.Logs.LoggerNames == nil {
-							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
-						}
-						srv.Logs.LoggerNames[host] = append(srv.Logs.LoggerNames[host], ncl.name)
+						srv.Logs.LoggerNames[host] = ncl.name
 					}
 				}
 			}
@@ -931,11 +820,6 @@ func (st *ServerType) serversFromPairings(
 			}
 		}

-		// sort for deterministic JSON output
-		if srv.Logs != nil {
-			slices.Sort(srv.Logs.SkipHosts)
-		}
-
 		// a server cannot (natively) serve both HTTP and HTTPS at the
 		// same time, so make sure the configuration isn't in conflict
 		err := detectConflictingSchemes(srv, p.serverBlocks, options)
@@ -958,10 +842,7 @@ func (st *ServerType) serversFromPairings(
 		if addressQualifiesForTLS &&
 			!hasCatchAllTLSConnPolicy &&
 			(len(srv.TLSConnPolicies) > 0 || !autoHTTPSWillAddConnPolicy || defaultSNI != "" || fallbackSNI != "") {
-			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{
-				DefaultSNI:  defaultSNI,
-				FallbackSNI: fallbackSNI,
-			})
+			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{DefaultSNI: defaultSNI, FallbackSNI: fallbackSNI})
 		}

 		// tidy things up a bit
@@ -974,7 +855,8 @@ func (st *ServerType) serversFromPairings(
 		servers[fmt.Sprintf("srv%d", i)] = srv
 	}

-	if err := applyServerOptions(servers, options, warnings); err != nil {
+	err := applyServerOptions(servers, options, warnings)
+	if err != nil {
 		return nil, fmt.Errorf("applying global server options: %v", err)
 	}

@@ -1019,7 +901,7 @@ func detectConflictingSchemes(srv *caddyhttp.Server, serverBlocks []serverBlock,
 	}

 	for _, sblock := range serverBlocks {
-		for _, addr := range sblock.parsedKeys {
+		for _, addr := range sblock.keys {
 			if addr.Scheme == "http" || addr.Port == httpPort {
 				if err := checkAndSetHTTP(addr); err != nil {
 					return err
@@ -1148,7 +1030,7 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 				} else if cps[i].CertSelection != nil && cps[j].CertSelection != nil {
 					// if both have one, then combine AnyTag
 					for _, tag := range cps[j].CertSelection.AnyTag {
-						if !slices.Contains(cps[i].CertSelection.AnyTag, tag) {
+						if !sliceContains(cps[i].CertSelection.AnyTag, tag) {
 							cps[i].CertSelection.AnyTag = append(cps[i].CertSelection.AnyTag, tag)
 						}
 					}
@@ -1231,7 +1113,7 @@ func appendSubrouteToRouteList(routeList caddyhttp.RouteList,
 func buildSubroute(routes []ConfigValue, groupCounter counter, needsSorting bool) (*caddyhttp.Subroute, error) {
 	if needsSorting {
 		for _, val := range routes {
-			if !slices.Contains(directiveOrder, val.directive) {
+			if !directiveIsOrdered(val.directive) {
 				return nil, fmt.Errorf("directive '%s' is not an ordered HTTP handler, so it cannot be used here - try placing within a route block or using the order global option", val.directive)
 			}
 		}
@@ -1378,24 +1260,19 @@ func matcherSetFromMatcherToken(
 	if tkn.Text == "*" {
 		// match all requests == no matchers, so nothing to do
 		return nil, true, nil
-	}
-
-	// convenient way to specify a single path match
-	if strings.HasPrefix(tkn.Text, "/") {
+	} else if strings.HasPrefix(tkn.Text, "/") {
+		// convenient way to specify a single path match
 		return caddy.ModuleMap{
 			"path": caddyconfig.JSON(caddyhttp.MatchPath{tkn.Text}, warnings),
 		}, true, nil
-	}
-
-	// pre-defined matcher
-	if strings.HasPrefix(tkn.Text, matcherPrefix) {
+	} else if strings.HasPrefix(tkn.Text, matcherPrefix) {
+		// pre-defined matcher
 		m, ok := matcherDefs[tkn.Text]
 		if !ok {
 			return nil, false, fmt.Errorf("unrecognized matcher name: %+v", tkn.Text)
 		}
 		return m, true, nil
 	}
-
 	return nil, false, nil
 }

@@ -1409,7 +1286,7 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 	var matcherPairs []*hostPathPair

 	var catchAllHosts bool
-	for _, addr := range sblock.parsedKeys {
+	for _, addr := range sblock.keys {
 		// choose a matcher pair that should be shared by this
 		// server block; if none exists yet, create one
 		var chosenMatcherPair *hostPathPair
@@ -1441,8 +1318,17 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod

 		// add this server block's keys to the matcher
 		// pair if it doesn't already exist
-		if addr.Host != "" && !slices.Contains(chosenMatcherPair.hostm, addr.Host) {
-			chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+		if addr.Host != "" {
+			var found bool
+			for _, h := range chosenMatcherPair.hostm {
+				if h == addr.Host {
+					found = true
+					break
+				}
+			}
+			if !found {
+				chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+			}
 		}
 	}

@@ -1476,83 +1362,68 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 }

 func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.ModuleMap) error {
-	d.Next() // advance to the first token
+	for d.Next() {
+		// this is the "name" for "named matchers"
+		definitionName := d.Val()

-	// this is the "name" for "named matchers"
-	definitionName := d.Val()
-
-	if _, ok := matchers[definitionName]; ok {
-		return fmt.Errorf("matcher is defined more than once: %s", definitionName)
-	}
-	matchers[definitionName] = make(caddy.ModuleMap)
-
-	// given a matcher name and the tokens following it, parse
-	// the tokens as a matcher module and record it
-	makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
-		// create a new dispenser from the tokens
-		dispenser := caddyfile.NewDispenser(tokens)
-
-		// set the matcher name (without @) in the dispenser context so
-		// that matcher modules can access it to use it as their name
-		// (e.g. regexp matchers which use the name for capture groups)
-		dispenser.SetContext(caddyfile.MatcherNameCtxKey, definitionName[1:])
-
-		mod, err := caddy.GetModule("http.matchers." + matcherName)
-		if err != nil {
-			return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
+		if _, ok := matchers[definitionName]; ok {
+			return fmt.Errorf("matcher is defined more than once: %s", definitionName)
 		}
-		unm, ok := mod.New().(caddyfile.Unmarshaler)
-		if !ok {
-			return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
-		}
-		err = unm.UnmarshalCaddyfile(dispenser)
-		if err != nil {
-			return err
-		}
-		rm, ok := unm.(caddyhttp.RequestMatcher)
-		if !ok {
-			return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
-		}
-		matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
-		return nil
-	}
+		matchers[definitionName] = make(caddy.ModuleMap)

-	// if the next token is quoted, we can assume it's not a matcher name
-	// and that it's probably an 'expression' matcher
-	if d.NextArg() {
-		if d.Token().Quoted() {
-			// since it was missing the matcher name, we insert a token
-			// in front of the expression token itself; we use Clone() to
-			// make the new token to keep the same the import location as
-			// the next token, if this is within a snippet or imported file.
-			// see https://github.com/caddyserver/caddy/issues/6287
-			expressionToken := d.Token().Clone()
-			expressionToken.Text = "expression"
-			err := makeMatcher("expression", []caddyfile.Token{expressionToken, d.Token()})
+		// given a matcher name and the tokens following it, parse
+		// the tokens as a matcher module and record it
+		makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
+			mod, err := caddy.GetModule("http.matchers." + matcherName)
+			if err != nil {
+				return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
+			}
+			unm, ok := mod.New().(caddyfile.Unmarshaler)
+			if !ok {
+				return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
+			}
+			err = unm.UnmarshalCaddyfile(caddyfile.NewDispenser(tokens))
 			if err != nil {
 				return err
 			}
+			rm, ok := unm.(caddyhttp.RequestMatcher)
+			if !ok {
+				return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
+			}
+			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
 			return nil
 		}

-		// if it wasn't quoted, then we need to rewind after calling
-		// d.NextArg() so the below properly grabs the matcher name
-		d.Prev()
-	}
+		// if the next token is quoted, we can assume it's not a matcher name
+		// and that it's probably an 'expression' matcher
+		if d.NextArg() {
+			if d.Token().Quoted() {
+				err := makeMatcher("expression", []caddyfile.Token{d.Token()})
+				if err != nil {
+					return err
+				}
+				continue
+			}

-	// in case there are multiple instances of the same matcher, concatenate
-	// their tokens (we expect that UnmarshalCaddyfile should be able to
-	// handle more than one segment); otherwise, we'd overwrite other
-	// instances of the matcher in this set
-	tokensByMatcherName := make(map[string][]caddyfile.Token)
-	for nesting := d.Nesting(); d.NextArg() || d.NextBlock(nesting); {
-		matcherName := d.Val()
-		tokensByMatcherName[matcherName] = append(tokensByMatcherName[matcherName], d.NextSegment()...)
-	}
-	for matcherName, tokens := range tokensByMatcherName {
-		err := makeMatcher(matcherName, tokens)
-		if err != nil {
-			return err
+			// if it wasn't quoted, then we need to rewind after calling
+			// d.NextArg() so the below properly grabs the matcher name
+			d.Prev()
+		}
+
+		// in case there are multiple instances of the same matcher, concatenate
+		// their tokens (we expect that UnmarshalCaddyfile should be able to
+		// handle more than one segment); otherwise, we'd overwrite other
+		// instances of the matcher in this set
+		tokensByMatcherName := make(map[string][]caddyfile.Token)
+		for nesting := d.Nesting(); d.NextArg() || d.NextBlock(nesting); {
+			matcherName := d.Val()
+			tokensByMatcherName[matcherName] = append(tokensByMatcherName[matcherName], d.NextSegment()...)
+		}
+		for matcherName, tokens := range tokensByMatcherName {
+			err := makeMatcher(matcherName, tokens)
+			if err != nil {
+				return err
+			}
 		}
 	}
 	return nil
@@ -1618,6 +1489,16 @@ func tryDuration(val any, warnings *[]caddyconfig.Warning) caddy.Duration {
 	return durationVal
 }

+// sliceContains returns true if needle is in haystack.
+func sliceContains(haystack []string, needle string) bool {
+	for _, s := range haystack {
+		if s == needle {
+			return true
+		}
+	}
+	return false
+}
+
 // listenersUseAnyPortOtherThan returns true if there are any
 // listeners in addresses that use a port which is not otherPort.
 // Mostly borrowed from unexported method in caddyhttp package.
@@ -1675,25 +1556,17 @@ func (c counter) nextGroup() string {
 }

 type namedCustomLog struct {
-	name       string
-	hostnames  []string
-	log        *caddy.CustomLog
-	noHostname bool
-}
-
-// addressWithProtocols associates a listen address with
-// the protocols to serve it with
-type addressWithProtocols struct {
-	address   string
-	protocols []string
+	name      string
+	hostnames []string
+	log       *caddy.CustomLog
 }

 // sbAddrAssociation is a mapping from a list of
-// addresses with protocols, and a list of server
-// blocks that are served on those addresses.
+// addresses to a list of server blocks that are
+// served on those addresses.
 type sbAddrAssociation struct {
-	addressesWithProtocols []addressWithProtocols
-	serverBlocks           []serverBlock
+	addresses    []string
+	serverBlocks []serverBlock
 }

 const (
@@ -15,11 +15,10 @@
 package httpcaddyfile

 import (
-	"slices"
 	"strconv"

 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -31,7 +30,7 @@ func init() {
 	RegisterGlobalOption("debug", parseOptTrue)
 	RegisterGlobalOption("http_port", parseOptHTTPPort)
 	RegisterGlobalOption("https_port", parseOptHTTPSPort)
-	RegisterGlobalOption("default_bind", parseOptDefaultBind)
+	RegisterGlobalOption("default_bind", parseOptStringList)
 	RegisterGlobalOption("grace_period", parseOptDuration)
 	RegisterGlobalOption("shutdown_delay", parseOptDuration)
 	RegisterGlobalOption("default_sni", parseOptSingleString)
@@ -55,7 +54,6 @@ func init() {
 	RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
 	RegisterGlobalOption("servers", parseServerOptions)
 	RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
-	RegisterGlobalOption("cert_lifetime", parseOptDuration)
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
@@ -64,105 +62,108 @@ func init() {
 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }

 func parseOptHTTPPort(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
 	var httpPort int
-	var httpPortStr string
-	if !d.AllArgs(&httpPortStr) {
-		return 0, d.ArgErr()
-	}
-	var err error
-	httpPort, err = strconv.Atoi(httpPortStr)
-	if err != nil {
-		return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
+	for d.Next() {
+		var httpPortStr string
+		if !d.AllArgs(&httpPortStr) {
+			return 0, d.ArgErr()
+		}
+		var err error
+		httpPort, err = strconv.Atoi(httpPortStr)
+		if err != nil {
+			return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
+		}
 	}
 	return httpPort, nil
 }

 func parseOptHTTPSPort(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
 	var httpsPort int
-	var httpsPortStr string
-	if !d.AllArgs(&httpsPortStr) {
-		return 0, d.ArgErr()
-	}
-	var err error
-	httpsPort, err = strconv.Atoi(httpsPortStr)
-	if err != nil {
-		return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
+	for d.Next() {
+		var httpsPortStr string
+		if !d.AllArgs(&httpsPortStr) {
+			return 0, d.ArgErr()
+		}
+		var err error
+		httpsPort, err = strconv.Atoi(httpsPortStr)
+		if err != nil {
+			return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
+		}
 	}
 	return httpsPort, nil
 }

 func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	newOrder := directiveOrder

-	// get directive name
-	if !d.Next() {
-		return nil, d.ArgErr()
-	}
-	dirName := d.Val()
-	if _, ok := registeredDirectives[dirName]; !ok {
-		return nil, d.Errf("%s is not a registered directive", dirName)
-	}
+	for d.Next() {
+		// get directive name
+		if !d.Next() {
+			return nil, d.ArgErr()
+		}
+		dirName := d.Val()
+		if _, ok := registeredDirectives[dirName]; !ok {
+			return nil, d.Errf("%s is not a registered directive", dirName)
+		}

-	// get positional token
-	if !d.Next() {
-		return nil, d.ArgErr()
-	}
-	pos := Positional(d.Val())
+		// get positional token
+		if !d.Next() {
+			return nil, d.ArgErr()
+		}
+		pos := d.Val()

-	// if directive already had an order, drop it
-	newOrder := slices.DeleteFunc(directiveOrder, func(d string) bool {
-		return d == dirName
-	})
+		// if directive exists, first remove it
+		for i, d := range newOrder {
+			if d == dirName {
+				newOrder = append(newOrder[:i], newOrder[i+1:]...)
+				break
+			}
+		}

-	// act on the positional; if it's First or Last, we're done right away
-	switch pos {
-	case First:
-		newOrder = append([]string{dirName}, newOrder...)
+		// act on the positional
+		switch pos {
+		case "first":
+			newOrder = append([]string{dirName}, newOrder...)
+			if d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			directiveOrder = newOrder
+			return newOrder, nil
+		case "last":
+			newOrder = append(newOrder, dirName)
+			if d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			directiveOrder = newOrder
+			return newOrder, nil
+		case "before":
+		case "after":
+		default:
+			return nil, d.Errf("unknown positional '%s'", pos)
+		}
+
+		// get name of other directive
+		if !d.NextArg() {
+			return nil, d.ArgErr()
+		}
+		otherDir := d.Val()
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
-		directiveOrder = newOrder
-		return newOrder, nil

-	case Last:
-		newOrder = append(newOrder, dirName)
-		if d.NextArg() {
-			return nil, d.ArgErr()
+		// insert directive into proper position
+		for i, d := range newOrder {
+			if d == otherDir {
+				if pos == "before" {
+					newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
+				} else if pos == "after" {
+					newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
+				}
+				break
+			}
 		}
-		directiveOrder = newOrder
-		return newOrder, nil
-
-	// if it's Before or After, continue
-	case Before:
-	case After:
-
-	default:
-		return nil, d.Errf("unknown positional '%s'", pos)
 	}

-	// get name of other directive
-	if !d.NextArg() {
-		return nil, d.ArgErr()
-	}
-	otherDir := d.Val()
-	if d.NextArg() {
-		return nil, d.ArgErr()
-	}
-
-	// get the position of the target directive
-	targetIndex := slices.Index(newOrder, otherDir)
-	if targetIndex == -1 {
-		return nil, d.Errf("directive '%s' not found", otherDir)
-	}
-	// if we're inserting after, we need to increment the index to go after
-	if pos == After {
-		targetIndex++
-	}
-	// insert the directive into the new order
-	newOrder = slices.Insert(newOrder, targetIndex, dirName)
-
 	directiveOrder = newOrder

 	return newOrder, nil
@@ -213,67 +214,66 @@ func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	if err != nil {
 		return nil, err
 	}
-	prov, ok := unm.(certmagic.DNSProvider)
+	prov, ok := unm.(certmagic.ACMEDNSProvider)
 	if !ok {
-		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
+		return nil, d.Errf("module %s (%T) is not a certmagic.ACMEDNSProvider", modID, unm)
 	}
 	return prov, nil
 }

 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
-	d.Next() // consume option name
-	if d.NextArg() {
-		return nil, d.ArgErr()
-	}
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "key_id":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			eab.KeyID = d.Val()
+	for d.Next() {
+		if d.NextArg() {
+			return nil, d.ArgErr()
+		}
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
+			switch d.Val() {
+			case "key_id":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				eab.KeyID = d.Val()

-		case "mac_key":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			eab.MACKey = d.Val()
+			case "mac_key":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				eab.MACKey = d.Val()

-		default:
-			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+			default:
+				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+			}
 		}
 	}
 	return eab, nil
 }

 func parseOptCertIssuer(d *caddyfile.Dispenser, existing any) (any, error) {
-	d.Next() // consume option name
-
 	var issuers []certmagic.Issuer
 	if existing != nil {
 		issuers = existing.([]certmagic.Issuer)
 	}
-
-	// get issuer module name
-	if !d.Next() {
-		return nil, d.ArgErr()
+	for d.Next() { // consume option name
+		if !d.Next() { // get issuer module name
+			return nil, d.ArgErr()
+		}
+		modID := "tls.issuance." + d.Val()
+		unm, err := caddyfile.UnmarshalModule(d, modID)
+		if err != nil {
+			return nil, err
+		}
+		iss, ok := unm.(certmagic.Issuer)
+		if !ok {
+			return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
+		}
+		issuers = append(issuers, iss)
 	}
-	modID := "tls.issuance." + d.Val()
-	unm, err := caddyfile.UnmarshalModule(d, modID)
-	if err != nil {
-		return nil, err
-	}
-	iss, ok := unm.(certmagic.Issuer)
-	if !ok {
-		return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
-	}
-	issuers = append(issuers, iss)
 	return issuers, nil
 }

 func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -284,62 +284,43 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 	return val, nil
 }

-func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-
-	var addresses, protocols []string
-	addresses = d.RemainingArgs()
-
-	if len(addresses) == 0 {
-		addresses = append(addresses, "")
+func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
+	d.Next() // consume parameter name
+	val := d.RemainingArgs()
+	if len(val) == 0 {
+		return "", d.ArgErr()
 	}
-
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "protocols":
-			protocols = d.RemainingArgs()
-			if len(protocols) == 0 {
-				return nil, d.Errf("protocols requires one or more arguments")
-			}
-		default:
-			return nil, d.Errf("unknown subdirective: %s", d.Val())
-		}
-	}
-
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
-	}}}, nil
+	return val, nil
 }

 func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-
 	adminCfg := new(caddy.AdminConfig)
-	if d.NextArg() {
-		listenAddress := d.Val()
-		if listenAddress == "off" {
-			adminCfg.Disabled = true
-			if d.Next() { // Do not accept any remaining options including block
-				return nil, d.Err("No more option is allowed after turning off admin config")
-			}
-		} else {
-			adminCfg.Listen = listenAddress
-			if d.NextArg() { // At most 1 arg is allowed
-				return nil, d.ArgErr()
+	for d.Next() {
+		if d.NextArg() {
+			listenAddress := d.Val()
+			if listenAddress == "off" {
+				adminCfg.Disabled = true
+				if d.Next() { // Do not accept any remaining options including block
+					return nil, d.Err("No more option is allowed after turning off admin config")
+				}
+			} else {
+				adminCfg.Listen = listenAddress
+				if d.NextArg() { // At most 1 arg is allowed
+					return nil, d.ArgErr()
+				}
 			}
 		}
-	}
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "enforce_origin":
-			adminCfg.EnforceOrigin = true
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
+			switch d.Val() {
+			case "enforce_origin":
+				adminCfg.EnforceOrigin = true

-		case "origins":
-			adminCfg.Origins = d.RemainingArgs()
+			case "origins":
+				adminCfg.Origins = d.RemainingArgs()

-		default:
-			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+			default:
+				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
+			}
 		}
 	}
 	if adminCfg.Listen == "" && !adminCfg.Disabled {
@@ -349,84 +330,57 @@ func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
 }

 func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	if d.NextArg() {
-		return nil, d.ArgErr()
-	}
-
 	var ond *caddytls.OnDemandConfig
+	for d.Next() {
+		if d.NextArg() {
+			return nil, d.ArgErr()
+		}
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
+			switch d.Val() {
+			case "ask":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				if ond == nil {
+					ond = new(caddytls.OnDemandConfig)
+				}
+				ond.Ask = d.Val()

-	for nesting := d.Nesting(); d.NextBlock(nesting); {
-		switch d.Val() {
-		case "ask":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			if ond == nil {
-				ond = new(caddytls.OnDemandConfig)
-			}
-			if ond.PermissionRaw != nil {
-				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
-			}
-			perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
-			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
+			case "interval":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				dur, err := caddy.ParseDuration(d.Val())
+				if err != nil {
+					return nil, err
+				}
+				if ond == nil {
+					ond = new(caddytls.OnDemandConfig)
+				}
+				if ond.RateLimit == nil {
+					ond.RateLimit = new(caddytls.RateLimit)
+				}
+				ond.RateLimit.Interval = caddy.Duration(dur)

-		case "permission":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			if ond == nil {
-				ond = new(caddytls.OnDemandConfig)
-			}
-			if ond.PermissionRaw != nil {
-				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
-			}
-			modName := d.Val()
-			modID := "tls.permission." + modName
-			unm, err := caddyfile.UnmarshalModule(d, modID)
-			if err != nil {
-				return nil, err
-			}
-			perm, ok := unm.(caddytls.OnDemandPermission)
-			if !ok {
-				return nil, d.Errf("module %s (%T) is not an on-demand TLS permission module", modID, unm)
-			}
-			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
+			case "burst":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				burst, err := strconv.Atoi(d.Val())
+				if err != nil {
+					return nil, err
+				}
+				if ond == nil {
+					ond = new(caddytls.OnDemandConfig)
+				}
+				if ond.RateLimit == nil {
+					ond.RateLimit = new(caddytls.RateLimit)
+				}
+				ond.RateLimit.Burst = burst

-		case "interval":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
+			default:
+				return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 			}
-			dur, err := caddy.ParseDuration(d.Val())
-			if err != nil {
-				return nil, err
-			}
-			if ond == nil {
-				ond = new(caddytls.OnDemandConfig)
-			}
-			if ond.RateLimit == nil {
-				ond.RateLimit = new(caddytls.RateLimit)
-			}
-			ond.RateLimit.Interval = caddy.Duration(dur)
-
-		case "burst":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			burst, err := strconv.Atoi(d.Val())
-			if err != nil {
-				return nil, err
-			}
-			if ond == nil {
-				ond = new(caddytls.OnDemandConfig)
-			}
-			if ond.RateLimit == nil {
-				ond.RateLimit = new(caddytls.RateLimit)
-			}
-			ond.RateLimit.Burst = burst
-
-		default:
-			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
 		}
 	}
 	if ond == nil {
@@ -436,7 +390,7 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 }

 func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
+	d.Next() // consume parameter name
 	if !d.Next() {
 		return "", d.ArgErr()
 	}
@@ -451,23 +405,16 @@ func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
 }

 func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	val := d.RemainingArgs()
-	if len(val) == 0 {
+	d.Next() // consume parameter name
+	if !d.Next() {
 		return "", d.ArgErr()
 	}
-	for _, v := range val {
-		switch v {
-		case "off":
-		case "disable_redirects":
-		case "disable_certs":
-		case "ignore_loaded_certs":
-		case "prefer_wildcard":
-			break
-
-		default:
-			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
-		}
+	val := d.Val()
+	if d.Next() {
+		return "", d.ArgErr()
+	}
+	if val != "off" && val != "disable_redirects" && val != "disable_certs" && val != "ignore_loaded_certs" {
+		return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
 	}
 	return val, nil
 }
@@ -48,124 +48,124 @@ func init() {
 //
 // When the CA ID is unspecified, 'local' is assumed.
 func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
-	d.Next() // consume app name
+	pki := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}

-	pki := &caddypki.PKI{
-		CAs: make(map[string]*caddypki.CA),
-	}
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "ca":
-			pkiCa := new(caddypki.CA)
-			if d.NextArg() {
-				pkiCa.ID = d.Val()
+	for d.Next() {
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
+			switch d.Val() {
+			case "ca":
+				pkiCa := new(caddypki.CA)
 				if d.NextArg() {
-					return nil, d.ArgErr()
+					pkiCa.ID = d.Val()
+					if d.NextArg() {
+						return nil, d.ArgErr()
+					}
 				}
-			}
-			if pkiCa.ID == "" {
-				pkiCa.ID = caddypki.DefaultCAID
-			}
-
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				switch d.Val() {
-				case "name":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					pkiCa.Name = d.Val()
-
-				case "root_cn":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					pkiCa.RootCommonName = d.Val()
-
-				case "intermediate_cn":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					pkiCa.IntermediateCommonName = d.Val()
-
-				case "intermediate_lifetime":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					dur, err := caddy.ParseDuration(d.Val())
-					if err != nil {
-						return nil, err
-					}
-					pkiCa.IntermediateLifetime = caddy.Duration(dur)
-
-				case "root":
-					if pkiCa.Root == nil {
-						pkiCa.Root = new(caddypki.KeyPair)
-					}
-					for nesting := d.Nesting(); d.NextBlock(nesting); {
-						switch d.Val() {
-						case "cert":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Root.Certificate = d.Val()
-
-						case "key":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Root.PrivateKey = d.Val()
-
-						case "format":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Root.Format = d.Val()
-
-						default:
-							return nil, d.Errf("unrecognized pki ca root option '%s'", d.Val())
-						}
-					}
-
-				case "intermediate":
-					if pkiCa.Intermediate == nil {
-						pkiCa.Intermediate = new(caddypki.KeyPair)
-					}
-					for nesting := d.Nesting(); d.NextBlock(nesting); {
-						switch d.Val() {
-						case "cert":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Intermediate.Certificate = d.Val()
-
-						case "key":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Intermediate.PrivateKey = d.Val()
-
-						case "format":
-							if !d.NextArg() {
-								return nil, d.ArgErr()
-							}
-							pkiCa.Intermediate.Format = d.Val()
-
-						default:
-							return nil, d.Errf("unrecognized pki ca intermediate option '%s'", d.Val())
-						}
-					}
-
-				default:
-					return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
+				if pkiCa.ID == "" {
+					pkiCa.ID = caddypki.DefaultCAID
 				}
+
+				for nesting := d.Nesting(); d.NextBlock(nesting); {
+					switch d.Val() {
+					case "name":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						pkiCa.Name = d.Val()
+
+					case "root_cn":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						pkiCa.RootCommonName = d.Val()
+
+					case "intermediate_cn":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						pkiCa.IntermediateCommonName = d.Val()
+
+					case "intermediate_lifetime":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						dur, err := caddy.ParseDuration(d.Val())
+						if err != nil {
+							return nil, err
+						}
+						pkiCa.IntermediateLifetime = caddy.Duration(dur)
+
+					case "root":
+						if pkiCa.Root == nil {
+							pkiCa.Root = new(caddypki.KeyPair)
+						}
+						for nesting := d.Nesting(); d.NextBlock(nesting); {
+							switch d.Val() {
+							case "cert":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Root.Certificate = d.Val()
+
+							case "key":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Root.PrivateKey = d.Val()
+
+							case "format":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Root.Format = d.Val()
+
+							default:
+								return nil, d.Errf("unrecognized pki ca root option '%s'", d.Val())
+							}
+						}
+
+					case "intermediate":
+						if pkiCa.Intermediate == nil {
+							pkiCa.Intermediate = new(caddypki.KeyPair)
+						}
+						for nesting := d.Nesting(); d.NextBlock(nesting); {
+							switch d.Val() {
+							case "cert":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Intermediate.Certificate = d.Val()
+
+							case "key":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Intermediate.PrivateKey = d.Val()
+
+							case "format":
+								if !d.NextArg() {
+									return nil, d.ArgErr()
+								}
+								pkiCa.Intermediate.Format = d.Val()
+
+							default:
+								return nil, d.Errf("unrecognized pki ca intermediate option '%s'", d.Val())
+							}
+						}
+
+					default:
+						return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
+					}
+				}
+
+				pki.CAs[pkiCa.ID] = pkiCa
+
+			default:
+				return nil, d.Errf("unrecognized pki option '%s'", d.Val())
 			}
-
-			pki.CAs[pkiCa.ID] = pkiCa
-
-		default:
-			return nil, d.Errf("unrecognized pki option '%s'", d.Val())
 		}
 	}
+
 	return pki, nil
 }

@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"fmt"
-	"slices"

 	"github.com/dustin/go-humanize"

@@ -47,215 +46,235 @@ type serverOptions struct {
 	Protocols            []string
 	StrictSNIHost        *bool
 	TrustedProxiesRaw    json.RawMessage
-	TrustedProxiesStrict int
 	ClientIPHeaders      []string
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
-	Trace                bool // TODO: EXPERIMENTAL
 }

 func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
-	d.Next() // consume option name
-
 	serverOpts := serverOptions{}
-	if d.NextArg() {
-		serverOpts.ListenerAddress = d.Val()
+	for d.Next() {
 		if d.NextArg() {
-			return nil, d.ArgErr()
-		}
-	}
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "name":
-			if serverOpts.ListenerAddress == "" {
-				return nil, d.Errf("cannot set a name for a server without a listener address")
-			}
-			if !d.NextArg() {
+			serverOpts.ListenerAddress = d.Val()
+			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
-			serverOpts.Name = d.Val()
+		}
+		for nesting := d.Nesting(); d.NextBlock(nesting); {
+			switch d.Val() {
+			case "name":
+				if serverOpts.ListenerAddress == "" {
+					return nil, d.Errf("cannot set a name for a server without a listener address")
+				}
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				serverOpts.Name = d.Val()

-		case "listener_wrappers":
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				modID := "caddy.listeners." + d.Val()
+			case "listener_wrappers":
+				for nesting := d.Nesting(); d.NextBlock(nesting); {
+					modID := "caddy.listeners." + d.Val()
+					unm, err := caddyfile.UnmarshalModule(d, modID)
+					if err != nil {
+						return nil, err
+					}
+					listenerWrapper, ok := unm.(caddy.ListenerWrapper)
+					if !ok {
+						return nil, fmt.Errorf("module %s (%T) is not a listener wrapper", modID, unm)
+					}
+					jsonListenerWrapper := caddyconfig.JSONModuleObject(
+						listenerWrapper,
+						"wrapper",
+						listenerWrapper.(caddy.Module).CaddyModule().ID.Name(),
+						nil,
+					)
+					serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
+				}
+
+			case "timeouts":
+				for nesting := d.Nesting(); d.NextBlock(nesting); {
+					switch d.Val() {
+					case "read_body":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						dur, err := caddy.ParseDuration(d.Val())
+						if err != nil {
+							return nil, d.Errf("parsing read_body timeout duration: %v", err)
+						}
+						serverOpts.ReadTimeout = caddy.Duration(dur)
+
+					case "read_header":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						dur, err := caddy.ParseDuration(d.Val())
+						if err != nil {
+							return nil, d.Errf("parsing read_header timeout duration: %v", err)
+						}
+						serverOpts.ReadHeaderTimeout = caddy.Duration(dur)
+
+					case "write":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						dur, err := caddy.ParseDuration(d.Val())
+						if err != nil {
+							return nil, d.Errf("parsing write timeout duration: %v", err)
+						}
+						serverOpts.WriteTimeout = caddy.Duration(dur)
+
+					case "idle":
+						if !d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						dur, err := caddy.ParseDuration(d.Val())
+						if err != nil {
+							return nil, d.Errf("parsing idle timeout duration: %v", err)
+						}
+						serverOpts.IdleTimeout = caddy.Duration(dur)
+
+					default:
+						return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
+					}
+				}
+			case "keepalive_interval":
+				if !d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				dur, err := caddy.ParseDuration(d.Val())
+				if err != nil {
+					return nil, d.Errf("parsing keepalive interval duration: %v", err)
+				}
+				serverOpts.KeepAliveInterval = caddy.Duration(dur)
+
+			case "max_header_size":
+				var sizeStr string
+				if !d.AllArgs(&sizeStr) {
+					return nil, d.ArgErr()
+				}
+				size, err := humanize.ParseBytes(sizeStr)
+				if err != nil {
+					return nil, d.Errf("parsing max_header_size: %v", err)
+				}
+				serverOpts.MaxHeaderBytes = int(size)
+
+			case "enable_full_duplex":
+				if d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				serverOpts.EnableFullDuplex = true
+
+			case "log_credentials":
+				if d.NextArg() {
+					return nil, d.ArgErr()
+				}
+				serverOpts.ShouldLogCredentials = true
+
+			case "protocols":
+				protos := d.RemainingArgs()
+				for _, proto := range protos {
+					if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
+						return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
+					}
+					if sliceContains(serverOpts.Protocols, proto) {
+						return nil, d.Errf("protocol %s specified more than once", proto)
+					}
+					serverOpts.Protocols = append(serverOpts.Protocols, proto)
+				}
+				if nesting := d.Nesting(); d.NextBlock(nesting) {
+					return nil, d.ArgErr()
+				}
+
+			case "strict_sni_host":
+				if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
+					return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
+				}
+				boolVal := true
+				if d.Val() == "insecure_off" {
+					boolVal = false
+				}
+				serverOpts.StrictSNIHost = &boolVal
+
+			case "trusted_proxies":
+				if !d.NextArg() {
+					return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
+				}
+				modID := "http.ip_sources." + d.Val()
 				unm, err := caddyfile.UnmarshalModule(d, modID)
 				if err != nil {
 					return nil, err
 				}
-				listenerWrapper, ok := unm.(caddy.ListenerWrapper)
+				source, ok := unm.(caddyhttp.IPRangeSource)
 				if !ok {
-					return nil, fmt.Errorf("module %s (%T) is not a listener wrapper", modID, unm)
+					return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
 				}
-				jsonListenerWrapper := caddyconfig.JSONModuleObject(
-					listenerWrapper,
-					"wrapper",
-					listenerWrapper.(caddy.Module).CaddyModule().ID.Name(),
+				jsonSource := caddyconfig.JSONModuleObject(
+					source,
+					"source",
+					source.(caddy.Module).CaddyModule().ID.Name(),
 					nil,
 				)
-				serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
-			}
+				serverOpts.TrustedProxiesRaw = jsonSource

-		case "timeouts":
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				switch d.Val() {
-				case "read_body":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
+			case "client_ip_headers":
+				headers := d.RemainingArgs()
+				for _, header := range headers {
+					if sliceContains(serverOpts.ClientIPHeaders, header) {
+						return nil, d.Errf("client IP header %s specified more than once", header)
 					}
-					dur, err := caddy.ParseDuration(d.Val())
-					if err != nil {
-						return nil, d.Errf("parsing read_body timeout duration: %v", err)
-					}
-					serverOpts.ReadTimeout = caddy.Duration(dur)
-
-				case "read_header":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					dur, err := caddy.ParseDuration(d.Val())
-					if err != nil {
-						return nil, d.Errf("parsing read_header timeout duration: %v", err)
-					}
-					serverOpts.ReadHeaderTimeout = caddy.Duration(dur)
-
-				case "write":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					dur, err := caddy.ParseDuration(d.Val())
-					if err != nil {
-						return nil, d.Errf("parsing write timeout duration: %v", err)
-					}
-					serverOpts.WriteTimeout = caddy.Duration(dur)
-
-				case "idle":
-					if !d.NextArg() {
-						return nil, d.ArgErr()
-					}
-					dur, err := caddy.ParseDuration(d.Val())
-					if err != nil {
-						return nil, d.Errf("parsing idle timeout duration: %v", err)
-					}
-					serverOpts.IdleTimeout = caddy.Duration(dur)
-
-				default:
-					return nil, d.Errf("unrecognized timeouts option '%s'", d.Val())
+					serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
 				}
-			}
-		case "keepalive_interval":
-			if !d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			dur, err := caddy.ParseDuration(d.Val())
-			if err != nil {
-				return nil, d.Errf("parsing keepalive interval duration: %v", err)
-			}
-			serverOpts.KeepAliveInterval = caddy.Duration(dur)
-
-		case "max_header_size":
-			var sizeStr string
-			if !d.AllArgs(&sizeStr) {
-				return nil, d.ArgErr()
-			}
-			size, err := humanize.ParseBytes(sizeStr)
-			if err != nil {
-				return nil, d.Errf("parsing max_header_size: %v", err)
-			}
-			serverOpts.MaxHeaderBytes = int(size)
-
-		case "enable_full_duplex":
-			if d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			serverOpts.EnableFullDuplex = true
-
-		case "log_credentials":
-			if d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			serverOpts.ShouldLogCredentials = true
-
-		case "protocols":
-			protos := d.RemainingArgs()
-			for _, proto := range protos {
-				if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
-					return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
+				if nesting := d.Nesting(); d.NextBlock(nesting) {
+					return nil, d.ArgErr()
 				}
-				if slices.Contains(serverOpts.Protocols, proto) {
-					return nil, d.Errf("protocol %s specified more than once", proto)
+
+			case "metrics":
+				if d.NextArg() {
+					return nil, d.ArgErr()
 				}
-				serverOpts.Protocols = append(serverOpts.Protocols, proto)
-			}
-			if nesting := d.Nesting(); d.NextBlock(nesting) {
-				return nil, d.ArgErr()
-			}
-
-		case "strict_sni_host":
-			if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
-				return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
-			}
-			boolVal := true
-			if d.Val() == "insecure_off" {
-				boolVal = false
-			}
-			serverOpts.StrictSNIHost = &boolVal
-
-		case "trusted_proxies":
-			if !d.NextArg() {
-				return nil, d.Err("trusted_proxies expects an IP range source module name as its first argument")
-			}
-			modID := "http.ip_sources." + d.Val()
-			unm, err := caddyfile.UnmarshalModule(d, modID)
-			if err != nil {
-				return nil, err
-			}
-			source, ok := unm.(caddyhttp.IPRangeSource)
-			if !ok {
-				return nil, fmt.Errorf("module %s (%T) is not an IP range source", modID, unm)
-			}
-			jsonSource := caddyconfig.JSONModuleObject(
-				source,
-				"source",
-				source.(caddy.Module).CaddyModule().ID.Name(),
-				nil,
-			)
-			serverOpts.TrustedProxiesRaw = jsonSource
-
-		case "trusted_proxies_strict":
-			if d.NextArg() {
-				return nil, d.ArgErr()
-			}
-			serverOpts.TrustedProxiesStrict = 1
-
-		case "client_ip_headers":
-			headers := d.RemainingArgs()
-			for _, header := range headers {
-				if slices.Contains(serverOpts.ClientIPHeaders, header) {
-					return nil, d.Errf("client IP header %s specified more than once", header)
+				if nesting := d.Nesting(); d.NextBlock(nesting) {
+					return nil, d.ArgErr()
 				}
-				serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
-			}
-			if nesting := d.Nesting(); d.NextBlock(nesting) {
-				return nil, d.ArgErr()
-			}
+				serverOpts.Metrics = new(caddyhttp.Metrics)

-		case "metrics":
-			serverOpts.Metrics = new(caddyhttp.Metrics)
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				switch d.Val() {
-				case "per_host":
-					serverOpts.Metrics.PerHost = true
+			// TODO: DEPRECATED. (August 2022)
+			case "protocol":
+				caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol sub-option will be removed soon")
+
+				for nesting := d.Nesting(); d.NextBlock(nesting); {
+					switch d.Val() {
+					case "allow_h2c":
+						caddy.Log().Named("caddyfile").Warn("DEPRECATED: allow_h2c will be removed soon; use protocols option instead")
+
+						if d.NextArg() {
+							return nil, d.ArgErr()
+						}
+						if sliceContains(serverOpts.Protocols, "h2c") {
+							return nil, d.Errf("protocol h2c already specified")
+						}
+						serverOpts.Protocols = append(serverOpts.Protocols, "h2c")
+
+					case "strict_sni_host":
+						caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol > strict_sni_host in this position will be removed soon; move up to the servers block instead")
+
+						if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
+							return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
+						}
+						boolVal := true
+						if d.Val() == "insecure_off" {
+							boolVal = false
+						}
+						serverOpts.StrictSNIHost = &boolVal
+
+					default:
+						return nil, d.Errf("unrecognized protocol option '%s'", d.Val())
+					}
 				}
-			}

-		case "trace":
-			if d.NextArg() {
-				return nil, d.ArgErr()
+			default:
+				return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 			}
-			serverOpts.Trace = true
-
-		default:
-			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
 		}
 	}
 	return serverOpts, nil
@@ -265,7 +284,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 func applyServerOptions(
 	servers map[string]*caddyhttp.Server,
 	options map[string]any,
-	_ *[]caddyconfig.Warning,
+	warnings *[]caddyconfig.Warning,
 ) error {
 	serverOpts, ok := options["servers"].([]serverOptions)
 	if !ok {
@@ -289,15 +308,24 @@ func applyServerOptions(

 	for key, server := range servers {
 		// find the options that apply to this server
-		optsIndex := slices.IndexFunc(serverOpts, func(s serverOptions) bool {
-			return s.ListenerAddress == "" || slices.Contains(server.Listen, s.ListenerAddress)
-		})
+		opts := func() *serverOptions {
+			for _, entry := range serverOpts {
+				if entry.ListenerAddress == "" {
+					return &entry
+				}
+				for _, listener := range server.Listen {
+					if entry.ListenerAddress == listener {
+						return &entry
+					}
+				}
+			}
+			return nil
+		}()

 		// if none apply, then move to the next server
-		if optsIndex == -1 {
+		if opts == nil {
 			continue
 		}
-		opts := serverOpts[optsIndex]

 		// set all the options
 		server.ListenerWrappersRaw = opts.ListenerWrappersRaw
@@ -312,21 +340,13 @@ func applyServerOptions(
 		server.StrictSNIHost = opts.StrictSNIHost
 		server.TrustedProxiesRaw = opts.TrustedProxiesRaw
 		server.ClientIPHeaders = opts.ClientIPHeaders
-		server.TrustedProxiesStrict = opts.TrustedProxiesStrict
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
-				server.Logs = new(caddyhttp.ServerLogConfig)
+				server.Logs = &caddyhttp.ServerLogConfig{}
 			}
 			server.Logs.ShouldLogCredentials = opts.ShouldLogCredentials
 		}
-		if opts.Trace {
-			// TODO: THIS IS EXPERIMENTAL (MAY 2024)
-			if server.Logs == nil {
-				server.Logs = new(caddyhttp.ServerLogConfig)
-			}
-			server.Logs.Trace = opts.Trace
-		}

 		if opts.Name != "" {
 			nameReplacements[key] = opts.Name
@@ -33,10 +33,9 @@ func NewShorthandReplacer() ShorthandReplacer {
 		{regexp.MustCompile(`{path\.([\w-]*)}`), "{http.request.uri.path.$1}"},
 		{regexp.MustCompile(`{file\.([\w-]*)}`), "{http.request.uri.path.file.$1}"},
 		{regexp.MustCompile(`{query\.([\w-]*)}`), "{http.request.uri.query.$1}"},
-		{regexp.MustCompile(`{re\.([\w-\.]*)}`), "{http.regexp.$1}"},
+		{regexp.MustCompile(`{re\.([\w-]*)\.([\w-]*)}`), "{http.regexp.$1.$2}"},
 		{regexp.MustCompile(`{vars\.([\w-]*)}`), "{http.vars.$1}"},
 		{regexp.MustCompile(`{rp\.([\w-\.]*)}`), "{http.reverse_proxy.$1}"},
-		{regexp.MustCompile(`{resp\.([\w-\.]*)}`), "{http.intercept.$1}"},
 		{regexp.MustCompile(`{err\.([\w-\.]*)}`), "{http.error.$1}"},
 		{regexp.MustCompile(`{file_match\.([\w-]*)}`), "{http.matchers.file.$1}"},
 	}
@@ -65,7 +64,6 @@ func placeholderShorthands() []string {
 		"{remote_port}", "{http.request.remote.port}",
 		"{scheme}", "{http.request.scheme}",
 		"{uri}", "{http.request.uri}",
-		"{uuid}", "{http.request.uuid}",
 		"{tls_cipher}", "{http.request.tls.cipher_suite}",
 		"{tls_version}", "{http.request.tls.version}",
 		"{tls_client_fingerprint}", "{http.request.tls.client.fingerprint}",
@@ -19,13 +19,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"

 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -45,8 +44,8 @@ func (st ServerType) buildTLSApp(
 	if hp, ok := options["http_port"].(int); ok {
 		httpPort = strconv.Itoa(hp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}

@@ -54,25 +53,23 @@ func (st ServerType) buildTLSApp(
 	// key, so that they don't get forgotten/omitted by auto-HTTPS
 	// (since they won't appear in route matchers)
 	httpsHostsSharedWithHostlessKey := make(map[string]struct{})
-	if !slices.Contains(autoHTTPS, "off") {
+	if autoHTTPS != "off" {
 		for _, pair := range pairings {
 			for _, sb := range pair.serverBlocks {
-				for _, addr := range sb.parsedKeys {
-					if addr.Host != "" {
-						continue
-					}
-
-					// this server block has a hostless key, now
-					// go through and add all the hosts to the set
-					for _, otherAddr := range sb.parsedKeys {
-						if otherAddr.Original == addr.Original {
-							continue
-						}
-						if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
-							httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+				for _, addr := range sb.keys {
+					if addr.Host == "" {
+						// this server block has a hostless key, now
+						// go through and add all the hosts to the set
+						for _, otherAddr := range sb.keys {
+							if otherAddr.Original == addr.Original {
+								continue
+							}
+							if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
+								httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+							}
 						}
+						break
 					}
-					break
 				}
 			}
 		}
@@ -94,11 +91,7 @@ func (st ServerType) buildTLSApp(

 	for _, p := range pairings {
 		// avoid setting up TLS automation policies for a server that is HTTP-only
-		var addresses []string
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-		}
-		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
+		if !listenersUseAnyPortOtherThan(p.addresses, httpPort) {
 			continue
 		}

@@ -125,11 +118,6 @@ func (st ServerType) buildTLSApp(
 				ap.OnDemand = true
 			}

-			// reuse private keys tls
-			if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
-				ap.ReusePrivateKeys = true
-			}
-
 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
 				ap.KeyType = keyTypeVals[0].Value.(string)
 			}
@@ -188,8 +176,8 @@ func (st ServerType) buildTLSApp(
 					if acmeIssuer.Challenges.BindHost == "" {
 						// only binding to one host is supported
 						var bindHost string
-						if asserted, ok := cfgVal.Value.(addressesWithProtocols); ok && len(asserted.addresses) > 0 {
-							bindHost = asserted.addresses[0]
+						if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 {
+							bindHost = bindHosts[0]
 						}
 						acmeIssuer.Challenges.BindHost = bindHost
 					}
@@ -231,7 +219,7 @@ func (st ServerType) buildTLSApp(
 				var internal, external []string
 				for _, s := range ap.SubjectsRaw {
 					// do not create Issuers for Tailscale domains; they will be given a Manager instead
-					if isTailscaleDomain(s) {
+					if strings.HasSuffix(strings.ToLower(s), ".ts.net") {
 						continue
 					}
 					if !certmagic.SubjectQualifiesForCert(s) {
@@ -351,7 +339,7 @@ func (st ServerType) buildTLSApp(
 	internalAP := &caddytls.AutomationPolicy{
 		IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
 	}
-	if !slices.Contains(autoHTTPS, "off") && !slices.Contains(autoHTTPS, "disable_certs") {
+	if autoHTTPS != "off" {
 		for h := range httpsHostsSharedWithHostlessKey {
 			al = append(al, h)
 			if !certmagic.SubjectQualifiesForPublicCert(h) {
@@ -385,12 +373,15 @@ func (st ServerType) buildTLSApp(
 				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
 					// for public names, create default issuers which will later be filled in with configured global defaults
 					// (internal names will implicitly use the internal issuer at auto-https time)
-					emailStr, _ := globalEmail.(string)
-					ap.Issuers = caddytls.DefaultIssuers(emailStr)
+					ap.Issuers = caddytls.DefaultIssuers()

 					// if a specific endpoint is configured, can't use multiple default issuers
 					if globalACMECA != nil {
-						ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+						if strings.Contains(globalACMECA.(string), "zerossl") {
+							ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
+						} else {
+							ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+						}
 					}
 				}
 			}
@@ -418,10 +409,7 @@ func (st ServerType) buildTLSApp(
 		}

 		// consolidate automation policies that are the exact same
-		tlsApp.Automation.Policies = consolidateAutomationPolicies(
-			tlsApp.Automation.Policies,
-			slices.Contains(autoHTTPS, "prefer_wildcard"),
-		)
+		tlsApp.Automation.Policies = consolidateAutomationPolicies(tlsApp.Automation.Policies)

 		// ensure automation policies don't overlap subjects (this should be
 		// an error at provision-time as well, but catch it in the adapt phase
@@ -466,8 +454,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalACMEDNS := options["acme_dns"]
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
-	globalCertLifetime := options["cert_lifetime"]
-	globalHTTPPort, globalHTTPSPort := options["http_port"], options["https_port"]

 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@@ -475,7 +461,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECA != nil && acmeIssuer.CA == "" {
 		acmeIssuer.CA = globalACMECA.(string)
 	}
-	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
+	if globalACMECARoot != nil && !sliceContains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
 	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
@@ -491,27 +477,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
 	}
-	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
-		if acmeIssuer.Challenges == nil {
-			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
-		}
-		if acmeIssuer.Challenges.HTTP == nil {
-			acmeIssuer.Challenges.HTTP = new(caddytls.HTTPChallengeConfig)
-		}
-		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int)
-	}
-	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
-		if acmeIssuer.Challenges == nil {
-			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
-		}
-		if acmeIssuer.Challenges.TLSALPN == nil {
-			acmeIssuer.Challenges.TLSALPN = new(caddytls.TLSALPNChallengeConfig)
-		}
-		acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
-	}
-	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
-		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
-	}
 	return nil
 }

@@ -520,11 +485,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 // for any other automation policies. A nil policy (and no error) will be
 // returned if there are no default/global options. However, if always is
 // true, a non-nil value will always be returned (unless there is an error).
-func newBaseAutomationPolicy(
-	options map[string]any,
-	_ []caddyconfig.Warning,
-	always bool,
-) (*caddytls.AutomationPolicy, error) {
+func newBaseAutomationPolicy(options map[string]any, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) {
 	issuers, hasIssuers := options["cert_issuer"]
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
@@ -567,7 +528,7 @@ func newBaseAutomationPolicy(

 // consolidateAutomationPolicies combines automation policies that are the same,
 // for a cleaner overall output.
-func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy, preferWildcard bool) []*caddytls.AutomationPolicy {
+func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls.AutomationPolicy {
 	// sort from most specific to least specific; we depend on this ordering
 	sort.SliceStable(aps, func(i, j int) bool {
 		if automationPolicyIsSubset(aps[i], aps[j]) {
@@ -590,7 +551,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy, preferWildc
 			if !automationPolicyHasAllPublicNames(aps[i]) {
 				// if this automation policy has internal names, we might as well remove it
 				// so auto-https can implicitly use the internal issuer
-				aps = slices.Delete(aps, i, i+1)
+				aps = append(aps[:i], aps[i+1:]...)
 				i--
 			}
 		}
@@ -607,7 +568,7 @@ outer:
 		for j := i + 1; j < len(aps); j++ {
 			// if they're exactly equal in every way, just keep one of them
 			if reflect.DeepEqual(aps[i], aps[j]) {
-				aps = slices.Delete(aps, j, j+1)
+				aps = append(aps[:j], aps[j+1:]...)
 				// must re-evaluate current i against next j; can't skip it!
 				// even if i decrements to -1, will be incremented to 0 immediately
 				i--
@@ -626,7 +587,6 @@ outer:
 				aps[i].MustStaple == aps[j].MustStaple &&
 				aps[i].KeyType == aps[j].KeyType &&
 				aps[i].OnDemand == aps[j].OnDemand &&
-				aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&
 				aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
 				if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
 					// later policy (at j) has no subjects ("catch-all"), so we can
@@ -637,46 +597,21 @@ outer:
 					// cause example.com to be served by the less specific policy for
 					// '*.com', which might be different (yes we've seen this happen)
 					if automationPolicyShadows(i, aps) >= j {
-						aps = slices.Delete(aps, i, i+1)
+						aps = append(aps[:i], aps[i+1:]...)
 						i--
 						continue outer
 					}
 				} else {
 					// avoid repeated subjects
 					for _, subj := range aps[j].SubjectsRaw {
-						if !slices.Contains(aps[i].SubjectsRaw, subj) {
+						if !sliceContains(aps[i].SubjectsRaw, subj) {
 							aps[i].SubjectsRaw = append(aps[i].SubjectsRaw, subj)
 						}
 					}
-					aps = slices.Delete(aps, j, j+1)
+					aps = append(aps[:j], aps[j+1:]...)
 					j--
 				}
 			}
-
-			if preferWildcard {
-				// remove subjects from i if they're covered by a wildcard in j
-				iSubjs := aps[i].SubjectsRaw
-				for iSubj := 0; iSubj < len(iSubjs); iSubj++ {
-					for jSubj := range aps[j].SubjectsRaw {
-						if !strings.HasPrefix(aps[j].SubjectsRaw[jSubj], "*.") {
-							continue
-						}
-						if certmagic.MatchWildcard(aps[i].SubjectsRaw[iSubj], aps[j].SubjectsRaw[jSubj]) {
-							iSubjs = slices.Delete(iSubjs, iSubj, iSubj+1)
-							iSubj--
-							break
-						}
-					}
-				}
-				aps[i].SubjectsRaw = iSubjs
-
-				// remove i if it has no subjects left
-				if len(aps[i].SubjectsRaw) == 0 {
-					aps = slices.Delete(aps, i, i+1)
-					i--
-					continue outer
-				}
-			}
 		}
 	}

@@ -693,9 +628,13 @@ func automationPolicyIsSubset(a, b *caddytls.AutomationPolicy) bool {
 		return false
 	}
 	for _, aSubj := range a.SubjectsRaw {
-		inSuperset := slices.ContainsFunc(b.SubjectsRaw, func(bSubj string) bool {
-			return certmagic.MatchWildcard(aSubj, bSubj)
-		})
+		var inSuperset bool
+		for _, bSubj := range b.SubjectsRaw {
+			if certmagic.MatchWildcard(aSubj, bSubj) {
+				inSuperset = true
+				break
+			}
+		}
 		if !inSuperset {
 			return false
 		}
@@ -721,30 +660,17 @@ func automationPolicyShadows(i int, aps []*caddytls.AutomationPolicy) int {
 // subjectQualifiesForPublicCert is like certmagic.SubjectQualifiesForPublicCert() except
 // that this allows domains with multiple wildcard levels like '*.*.example.com' to qualify
 // if the automation policy has OnDemand enabled (i.e. this function is more lenient).
-//
-// IP subjects are considered as non-qualifying for public certs. Technically, there are
-// now public ACME CAs as well as non-ACME CAs that issue IP certificates. But this function
-// is used solely for implicit automation (defaults), where it gets really complicated to
-// keep track of which issuers support IP certificates in which circumstances. Currently,
-// issuers that support IP certificates are very few, and all require some sort of config
-// from the user anyway (such as an account credential). Since we cannot implicitly and
-// automatically get public IP certs without configuration from the user, we treat IPs as
-// not qualifying for public certificates. Users should expressly configure an issuer
-// that supports IP certs for that purpose.
 func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) bool {
 	return !certmagic.SubjectIsIP(subj) &&
 		!certmagic.SubjectIsInternal(subj) &&
 		(strings.Count(subj, "*.") < 2 || ap.OnDemand)
 }

-// automationPolicyHasAllPublicNames returns true if all the names on the policy
-// do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
-	return !slices.ContainsFunc(ap.SubjectsRaw, func(i string) bool {
-		return !subjectQualifiesForPublicCert(ap, i) || isTailscaleDomain(i)
-	})
-}
-
-func isTailscaleDomain(name string) bool {
-	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
+	for _, subj := range ap.SubjectsRaw {
+		if !subjectQualifiesForPublicCert(ap, subj) {
+			return false
+		}
+	}
+	return true
 }
@@ -181,16 +181,19 @@ func (hl HTTPLoader) makeClient(ctx caddy.Context) (*http.Client, error) {
 			if err != nil {
 				return nil, fmt.Errorf("getting server identity credentials: %v", err)
 			}
-			// See https://github.com/securego/gosec/issues/1054#issuecomment-2072235199
-			//nolint:gosec
-			tlsConfig = &tls.Config{Certificates: certs}
+			if tlsConfig == nil {
+				tlsConfig = new(tls.Config)
+			}
+			tlsConfig.Certificates = certs
 		} else if hl.TLS.ClientCertificateFile != "" && hl.TLS.ClientCertificateKeyFile != "" {
 			cert, err := tls.LoadX509KeyPair(hl.TLS.ClientCertificateFile, hl.TLS.ClientCertificateKeyFile)
 			if err != nil {
 				return nil, err
 			}
-			//nolint:gosec
-			tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
+			if tlsConfig == nil {
+				tlsConfig = new(tls.Config)
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
 		}

 		// trusted server certs
@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/fs"
 	"log"
 	"net"
 	"net/http"
@@ -36,7 +35,7 @@ type Defaults struct {
 	// Port we expect caddy to listening on
 	AdminPort int
 	// Certificates we expect to be loaded before attempting to run the tests
-	Certificates []string
+	Certifcates []string
 	// TestRequestTimeout is the time to wait for a http request to
 	TestRequestTimeout time.Duration
 	// LoadRequestTimeout is the time to wait for the config to be loaded against the caddy server
@@ -46,7 +45,7 @@ type Defaults struct {
 // Default testing values
 var Default = Defaults{
 	AdminPort:          2999, // different from what a real server also running on a developer's machine might be
-	Certificates:       []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
+	Certifcates:        []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
 	TestRequestTimeout: 5 * time.Second,
 	LoadRequestTimeout: 5 * time.Second,
 }
@@ -60,11 +59,11 @@ var (
 type Tester struct {
 	Client       *http.Client
 	configLoaded bool
-	t            testing.TB
+	t            *testing.T
 }

 // NewTester will create a new testing client with an attached cookie jar
-func NewTester(t testing.TB) *Tester {
+func NewTester(t *testing.T) *Tester {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		t.Fatalf("failed to create cookiejar: %s", err)
@@ -121,6 +120,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {

 	tc.t.Cleanup(func() {
 		if tc.t.Failed() && tc.configLoaded {
+
 			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
 			if err != nil {
 				tc.t.Log("unable to read the current config")
@@ -136,20 +136,6 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	})

 	rawConfig = prependCaddyFilePath(rawConfig)
-	// normalize JSON config
-	if configType == "json" {
-		tc.t.Logf("Before: %s", rawConfig)
-		var conf any
-		if err := json.Unmarshal([]byte(rawConfig), &conf); err != nil {
-			return err
-		}
-		c, err := json.Marshal(conf)
-		if err != nil {
-			return err
-		}
-		rawConfig = string(c)
-		tc.t.Logf("After: %s", rawConfig)
-	}
 	client := &http.Client{
 		Timeout: Default.LoadRequestTimeout,
 	}
@@ -243,10 +229,10 @@ const initConfig = `{

 // validateTestPrerequisites ensures the certificates are available in the
 // designated path and Caddy sub-process is running.
-func validateTestPrerequisites(t testing.TB) error {
+func validateTestPrerequisites(t *testing.T) error {
 	// check certificates are found
-	for _, certName := range Default.Certificates {
-		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
+	for _, certName := range Default.Certifcates {
+		if _, err := os.Stat(getIntegrationDir() + certName); os.IsNotExist(err) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}
 	}
@@ -387,7 +373,7 @@ func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, e
 }

 // CompareAdapt adapts a config and then compares it against an expected result
-func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
+func CompareAdapt(t *testing.T, filename, rawConfig string, adapterName string, expectedResponse string) bool {
 	cfgAdapter := caddyconfig.GetAdapter(adapterName)
 	if cfgAdapter == nil {
 		t.Logf("unrecognized config adapter '%s'", adapterName)
@@ -446,7 +432,7 @@ func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string,
 }

 // AssertAdapt adapts a config and then tests it against an expected result
-func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
+func AssertAdapt(t *testing.T, rawConfig string, adapterName string, expectedResponse string) {
 	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
 	if !ok {
 		t.Fail()
@@ -455,7 +441,7 @@ func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedRes

 // Generic request functions

-func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
+func applyHeaders(t *testing.T, req *http.Request, requestHeaders []string) {
 	requestContentType := ""
 	for _, requestHeader := range requestHeaders {
 		arr := strings.SplitAfterN(requestHeader, ":", 2)
@@ -1,7 +1,6 @@
 package caddytest

 import (
-	"net/http"
 	"strings"
 	"testing"
 )
@@ -32,97 +31,3 @@ func TestReplaceCertificatePaths(t *testing.T) {
 		t.Error("expected redirect uri to be unchanged")
 	}
 }
-
-func TestLoadUnorderedJSON(t *testing.T) {
-	tester := NewTester(t)
-	tester.InitServer(`
-	{
-		"logging": {
-			"logs": {
-				"default": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					}
-				},
-				"sStdOutLogs": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					},
-					"include": [
-						"http.*",
-						"admin.*"
-					]
-				},
-				"sFileLogs": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					},
-					"include": [
-						"http.*",
-						"admin.*"
-					]
-				}
-			}
-		},
-		"admin": {
-			"listen": "localhost:2999"
-		},
-		"apps": {
-			"pki": {
-				"certificate_authorities" : {
-				  "local" : {
-					"install_trust": false
-				  }
-				}
-			},
-			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
-				"servers": {
-					"s_server": {
-						"listen": [
-							":9080"
-						],
-						"routes": [
-							{
-								"handle": [
-									{
-										"handler": "static_response",
-										"body": "Hello"
-									}
-								]
-							},
-							{
-								"match": [
-									{
-										"host": [
-											"localhost",
-											"127.0.0.1"
-										]
-									}
-								]
-							}
-						],
-						"logs": {
-							"default_logger_name": "sStdOutLogs",
-							"logger_names": {
-								"localhost": "sStdOutLogs",
-								"127.0.0.1": "sFileLogs"
-							}
-						}
-					}
-				}
-			}
-		}
-	}
-  `, "json")
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080/", nil)
-	if err != nil {
-		t.Fail()
-		return
-	}
-	tester.AssertResponseCode(req, 200)
-}
@@ -1,206 +0,0 @@
-package integration
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"fmt"
-	"net"
-	"net/http"
-	"strings"
-	"testing"
-
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddytest"
-	"github.com/mholt/acmez/v2"
-	"github.com/mholt/acmez/v2/acme"
-	smallstepacme "github.com/smallstep/certificates/acme"
-	"go.uber.org/zap"
-)
-
-const acmeChallengePort = 9081
-
-// Test the basic functionality of Caddy's ACME server
-func TestACMEServerWithDefaults(t *testing.T) {
-	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
-		local_certs
-	}
-	acme.localhost {
-		acme_server
-	}
-  `, "caddyfile")
-
-	client := acmez.Client{
-		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
-			Logger:     logger,
-		},
-		ChallengeSolvers: map[string]acmez.Solver{
-			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
-		},
-	}
-
-	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating account key: %v", err)
-	}
-	account := acme.Account{
-		Contact:              []string{"mailto:you@example.com"},
-		TermsOfServiceAgreed: true,
-		PrivateKey:           accountPrivateKey,
-	}
-	account, err = client.NewAccount(ctx, account)
-	if err != nil {
-		t.Errorf("new account: %v", err)
-		return
-	}
-
-	// Every certificate needs a key.
-	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating certificate key: %v", err)
-		return
-	}
-
-	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
-	if err != nil {
-		t.Errorf("obtaining certificate: %v", err)
-		return
-	}
-
-	// ACME servers should usually give you the entire certificate chain
-	// in PEM format, and sometimes even alternate chains! It's up to you
-	// which one(s) to store and use, but whatever you do, be sure to
-	// store the certificate and key somewhere safe and secure, i.e. don't
-	// lose them!
-	for _, cert := range certs {
-		t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
-	}
-}
-
-func TestACMEServerWithMismatchedChallenges(t *testing.T) {
-	ctx := context.Background()
-	logger := caddy.Log().Named("acmez")
-
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
-		local_certs
-	}
-	acme.localhost {
-		acme_server {
-			challenges tls-alpn-01
-		}
-	}
-  `, "caddyfile")
-
-	client := acmez.Client{
-		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
-			Logger:     logger,
-		},
-		ChallengeSolvers: map[string]acmez.Solver{
-			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
-		},
-	}
-
-	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating account key: %v", err)
-	}
-	account := acme.Account{
-		Contact:              []string{"mailto:you@example.com"},
-		TermsOfServiceAgreed: true,
-		PrivateKey:           accountPrivateKey,
-	}
-	account, err = client.NewAccount(ctx, account)
-	if err != nil {
-		t.Errorf("new account: %v", err)
-		return
-	}
-
-	// Every certificate needs a key.
-	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating certificate key: %v", err)
-		return
-	}
-
-	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
-	if len(certs) > 0 {
-		t.Errorf("expected '0' certificates, but received '%d'", len(certs))
-	}
-	if err == nil {
-		t.Error("expected errors, but received none")
-	}
-	const expectedErrMsg = "no solvers available for remaining challenges (configured=[http-01] offered=[tls-alpn-01] remaining=[tls-alpn-01])"
-	if !strings.Contains(err.Error(), expectedErrMsg) {
-		t.Errorf(`received error message does not match expectation: expected="%s" received="%s"`, expectedErrMsg, err.Error())
-	}
-}
-
-// naiveHTTPSolver is a no-op acmez.Solver for example purposes only.
-type naiveHTTPSolver struct {
-	srv    *http.Server
-	logger *zap.Logger
-}
-
-func (s *naiveHTTPSolver) Present(ctx context.Context, challenge acme.Challenge) error {
-	smallstepacme.InsecurePortHTTP01 = acmeChallengePort
-	s.srv = &http.Server{
-		Addr: fmt.Sprintf(":%d", acmeChallengePort),
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			host, _, err := net.SplitHostPort(r.Host)
-			if err != nil {
-				host = r.Host
-			}
-			s.logger.Info("received request on challenge server", zap.String("path", r.URL.Path))
-			if r.Method == "GET" && r.URL.Path == challenge.HTTP01ResourcePath() && strings.EqualFold(host, challenge.Identifier.Value) {
-				w.Header().Add("Content-Type", "text/plain")
-				w.Write([]byte(challenge.KeyAuthorization))
-				r.Close = true
-				s.logger.Info("served key authentication",
-					zap.String("identifier", challenge.Identifier.Value),
-					zap.String("challenge", "http-01"),
-					zap.String("remote", r.RemoteAddr),
-				)
-			}
-		}),
-	}
-	l, err := net.Listen("tcp", fmt.Sprintf(":%d", acmeChallengePort))
-	if err != nil {
-		return err
-	}
-	s.logger.Info("present challenge", zap.Any("challenge", challenge))
-	go s.srv.Serve(l)
-	return nil
-}
-
-func (s naiveHTTPSolver) CleanUp(ctx context.Context, challenge acme.Challenge) error {
-	smallstepacme.InsecurePortHTTP01 = 0
-	s.logger.Info("cleanup", zap.Any("challenge", challenge))
-	if s.srv != nil {
-		s.srv.Close()
-	}
-	return nil
-}
@@ -1,17 +1,9 @@
 package integration

 import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"strings"
 	"testing"

 	"github.com/caddyserver/caddy/v2/caddytest"
-	"github.com/mholt/acmez/v2"
-	"github.com/mholt/acmez/v2/acme"
-	"go.uber.org/zap"
 )

 func TestACMEServerDirectory(t *testing.T) {
@@ -39,166 +31,3 @@ func TestACMEServerDirectory(t *testing.T) {
 		`{"newNonce":"https://acme.localhost:9443/acme/local/new-nonce","newAccount":"https://acme.localhost:9443/acme/local/new-account","newOrder":"https://acme.localhost:9443/acme/local/new-order","revokeCert":"https://acme.localhost:9443/acme/local/revoke-cert","keyChange":"https://acme.localhost:9443/acme/local/key-change"}
 `)
 }
-
-func TestACMEServerAllowPolicy(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		skip_install_trust
-		local_certs
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
-		pki {
-			ca local {
-				name "Caddy Local Authority"
-			}
-		}
-	}
-	acme.localhost {
-		acme_server {
-			challenges http-01
-			allow {
-				domains localhost
-			}
-		}
-	}
-  `, "caddyfile")
-
-	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	client := acmez.Client{
-		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
-			Logger:     logger,
-		},
-		ChallengeSolvers: map[string]acmez.Solver{
-			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
-		},
-	}
-
-	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating account key: %v", err)
-	}
-	account := acme.Account{
-		Contact:              []string{"mailto:you@example.com"},
-		TermsOfServiceAgreed: true,
-		PrivateKey:           accountPrivateKey,
-	}
-	account, err = client.NewAccount(ctx, account)
-	if err != nil {
-		t.Errorf("new account: %v", err)
-		return
-	}
-
-	// Every certificate needs a key.
-	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating certificate key: %v", err)
-		return
-	}
-	{
-		certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
-		if err != nil {
-			t.Errorf("obtaining certificate for allowed domain: %v", err)
-			return
-		}
-
-		// ACME servers should usually give you the entire certificate chain
-		// in PEM format, and sometimes even alternate chains! It's up to you
-		// which one(s) to store and use, but whatever you do, be sure to
-		// store the certificate and key somewhere safe and secure, i.e. don't
-		// lose them!
-		for _, cert := range certs {
-			t.Logf("Certificate %q:\n%s\n\n", cert.URL, cert.ChainPEM)
-		}
-	}
-	{
-		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
-		if err == nil {
-			t.Errorf("obtaining certificate for 'not-matching.localhost' domain")
-		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
-			t.Logf("unexpected error: %v", err)
-		}
-	}
-}
-
-func TestACMEServerDenyPolicy(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		skip_install_trust
-		local_certs
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
-		pki {
-			ca local {
-				name "Caddy Local Authority"
-			}
-		}
-	}
-	acme.localhost {
-		acme_server {
-			deny {
-				domains deny.localhost
-			}
-		}
-	}
-  `, "caddyfile")
-
-	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	client := acmez.Client{
-		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
-			Logger:     logger,
-		},
-		ChallengeSolvers: map[string]acmez.Solver{
-			acme.ChallengeTypeHTTP01: &naiveHTTPSolver{logger: logger},
-		},
-	}
-
-	accountPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating account key: %v", err)
-	}
-	account := acme.Account{
-		Contact:              []string{"mailto:you@example.com"},
-		TermsOfServiceAgreed: true,
-		PrivateKey:           accountPrivateKey,
-	}
-	account, err = client.NewAccount(ctx, account)
-	if err != nil {
-		t.Errorf("new account: %v", err)
-		return
-	}
-
-	// Every certificate needs a key.
-	certPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Errorf("generating certificate key: %v", err)
-		return
-	}
-	{
-		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"})
-		if err == nil {
-			t.Errorf("obtaining certificate for 'deny.localhost' domain")
-		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
-			t.Logf("unexpected error: %v", err)
-		}
-	}
-}
@@ -1,65 +0,0 @@
-{
-	pki {
-		ca custom-ca {
-			name "Custom CA"
-		}
-	}
-}
-
-acme.example.com {
-	acme_server {
-		ca custom-ca
-		challenges dns-01
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"acme.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"ca": "custom-ca",
-													"challenges": [
-														"dns-01"
-													],
-													"handler": "acme_server"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"pki": {
-			"certificate_authorities": {
-				"custom-ca": {
-					"name": "Custom CA"
-				}
-			}
-		}
-	}
-}
@@ -1,62 +0,0 @@
-{
-	pki {
-		ca custom-ca {
-			name "Custom CA"
-		}
-	}
-}
-
-acme.example.com {
-	acme_server {
-		ca custom-ca
-		challenges
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"acme.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"ca": "custom-ca",
-													"handler": "acme_server"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"pki": {
-			"certificate_authorities": {
-				"custom-ca": {
-					"name": "Custom CA"
-				}
-			}
-		}
-	}
-}
@@ -1,66 +0,0 @@
-{
-	pki {
-		ca custom-ca {
-			name "Custom CA"
-		}
-	}
-}
-
-acme.example.com {
-	acme_server {
-		ca custom-ca
-		challenges dns-01 http-01
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"acme.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"ca": "custom-ca",
-													"challenges": [
-														"dns-01",
-														"http-01"
-													],
-													"handler": "acme_server"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"pki": {
-			"certificate_authorities": {
-				"custom-ca": {
-					"name": "Custom CA"
-				}
-			}
-		}
-	}
-}
@@ -1,67 +0,0 @@
-{
-	pki {
-		ca internal {
-			name "Internal"
-			root_cn "Internal Root Cert"
-			intermediate_cn "Internal Intermediate Cert"
-		}
-    }
-}
-
-acme.example.com {
-	acme_server {
-		ca internal
-		sign_with_root
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"acme.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"ca": "internal",
-													"handler": "acme_server",
-													"sign_with_root": true
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"pki": {
-			"certificate_authorities": {
-				"internal": {
-					"name": "Internal",
-					"root_common_name": "Internal Root Cert",
-					"intermediate_common_name": "Internal Intermediate Cert"
-				}
-			}
-		}
-	}
-}
@@ -1,106 +0,0 @@
-{
-	auto_https prefer_wildcard
-}
-
-*.example.com {
-	tls {
-		dns mock
-	}
-	respond "fallback"
-}
-
-foo.example.com {
-	respond "foo"
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"prefer_wildcard": true
-					}
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"*.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}
@@ -1,142 +0,0 @@
-{
-	auto_https disable_redirects
-	admin off
-}
-
-http://localhost {
-	bind fd/{env.CADDY_HTTP_FD} {
-		protocols h1
-	}
-	log
-	respond "Hello, HTTP!"
-}
-
-https://localhost {
-	bind fd/{env.CADDY_HTTPS_FD} {
-		protocols h1 h2
-	}
-	bind fdgram/{env.CADDY_HTTP3_FD} {
-		protocols h3
-	}
-	log
-	respond "Hello, HTTPS!"
-}
----------
-{
-	"admin": {
-		"disabled": true
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						"fd/{env.CADDY_HTTPS_FD}",
-						"fdgram/{env.CADDY_HTTP3_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTPS!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1",
-							"h2"
-						],
-						[
-							"h3"
-						]
-					]
-				},
-				"srv1": {
-					"automatic_https": {
-						"disable_redirects": true
-					}
-				},
-				"srv2": {
-					"listen": [
-						"fd/{env.CADDY_HTTP_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTP!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true,
-						"skip": [
-							"localhost"
-						]
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1"
-						]
-					]
-				}
-			}
-		}
-	}
-}
@@ -1,245 +0,0 @@
-foo.localhost {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /fivehundred* "Internal Server Error" 500
-
-	handle_errors 5xx {
-		respond "Error In range [500 .. 599]"
-	}
-	handle_errors 410 {
-		respond "404 or 410 error"
-	}
-}
-
-bar.localhost {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /fivehundred* "Internal Server Error" 500
-
-	handle_errors 5xx {
-		respond "Error In range [500 .. 599] from second site"
-	}
-	handle_errors 410 {
-		respond "404 or 410 error from second site"
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Internal Server Error",
-													"handler": "error",
-													"status_code": 500
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/fivehundred*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"bar.localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Internal Server Error",
-													"handler": "error",
-													"status_code": 500
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/fivehundred*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"errors": {
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"foo.localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "404 or 410 error",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} in [410]"
-													}
-												]
-											},
-											{
-												"handle": [
-													{
-														"body": "Error In range [500 .. 599]",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							},
-							{
-								"match": [
-									{
-										"host": [
-											"bar.localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "404 or 410 error from second site",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} in [410]"
-													}
-												]
-											},
-											{
-												"handle": [
-													{
-														"body": "Error In range [500 .. 599] from second site",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 500 \u0026\u0026 {http.error.status_code} \u003c= 599"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							}
-						]
-					}
-				}
-			}
-		}
-	}
-}
@@ -1,120 +0,0 @@
-{
-	http_port 3010
-}
-localhost:3010 {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /hidden* "Not found" 404
-
-	handle_errors 4xx {
-		respond "Error in the [400 .. 499] range"
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"http_port": 3010,
-			"servers": {
-				"srv0": {
-					"listen": [
-						":3010"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Not found",
-													"handler": "error",
-													"status_code": 404
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/hidden*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"errors": {
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "Error in the [400 .. 499] range",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							}
-						]
-					}
-				}
-			}
-		}
-	}
-}
@@ -1,153 +0,0 @@
-{
-	http_port 2099
-}
-localhost:2099 {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /threehundred* "Moved Permanently" 301
-	error /internalerr* "Internal Server Error" 500
-
-	handle_errors 500 3xx {
-		respond "Error code is equal to 500 or in the [300..399] range"
-	}
-	handle_errors 4xx {
-		respond "Error in the [400 .. 499] range"
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"http_port": 2099,
-			"servers": {
-				"srv0": {
-					"listen": [
-						":2099"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Moved Permanently",
-													"handler": "error",
-													"status_code": 301
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/threehundred*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Internal Server Error",
-													"handler": "error",
-													"status_code": 500
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/internalerr*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"errors": {
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "Error in the [400 .. 499] range",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
-													}
-												]
-											},
-											{
-												"handle": [
-													{
-														"body": "Error code is equal to 500 or in the [300..399] range",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 300 \u0026\u0026 {http.error.status_code} \u003c= 399 || {http.error.status_code} in [500]"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							}
-						]
-					}
-				}
-			}
-		}
-	}
-}
@@ -1,120 +0,0 @@
-{
-	http_port 3010
-}
-localhost:3010 {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /hidden* "Not found" 404
-
-	handle_errors 404 410 {
-		respond "404 or 410 error"
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"http_port": 3010,
-			"servers": {
-				"srv0": {
-					"listen": [
-						":3010"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Not found",
-													"handler": "error",
-													"status_code": 404
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/hidden*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"errors": {
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "404 or 410 error",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} in [404, 410]"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							}
-						]
-					}
-				}
-			}
-		}
-	}
-}
@@ -1,148 +0,0 @@
-{
-	http_port 2099
-}
-localhost:2099 {
-	root * /srv
-	error /private* "Unauthorized" 410
-	error /hidden* "Not found" 404
-	error /internalerr* "Internal Server Error" 500
-
-	handle_errors {
-		respond "Fallback route: code outside the [400..499] range"
-	}
-	handle_errors 4xx {
-		respond "Error in the [400 .. 499] range"
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"http_port": 2099,
-			"servers": {
-				"srv0": {
-					"listen": [
-						":2099"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "vars",
-													"root": "/srv"
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Internal Server Error",
-													"handler": "error",
-													"status_code": 500
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/internalerr*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Unauthorized",
-													"handler": "error",
-													"status_code": 410
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/private*"
-													]
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"error": "Not found",
-													"handler": "error",
-													"status_code": 404
-												}
-											],
-											"match": [
-												{
-													"path": [
-														"/hidden*"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"errors": {
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"localhost"
-										]
-									}
-								],
-								"handle": [
-									{
-										"handler": "subroute",
-										"routes": [
-											{
-												"handle": [
-													{
-														"body": "Error in the [400 .. 499] range",
-														"handler": "static_response"
-													}
-												],
-												"match": [
-													{
-														"expression": "{http.error.status_code} \u003e= 400 \u0026\u0026 {http.error.status_code} \u003c= 499"
-													}
-												]
-											},
-											{
-												"handle": [
-													{
-														"body": "Fallback route: code outside the [400..499] range",
-														"handler": "static_response"
-													}
-												]
-											}
-										]
-									}
-								],
-								"terminal": true
-							}
-						]
-					}
-				}
-			}
-		}
-	}
-}
@@ -1,7 +1,3 @@
-(snippet) {
-	@g `{http.error.status_code} == 404`
-}
-
 example.com

@a expression {http.error.status_code} == 400
@@ -18,12 +14,6 @@ abort @d

@e expression `{http.error.status_code} == 404`
 abort @e
-
-@f `{http.error.status_code} == 404`
-abort @f
-
-import snippet
-abort @g
 ----------
 {
 	"apps": {
@@ -94,10 +84,7 @@ abort @g
 											],
 											"match": [
 												{
-													"expression": {
-														"expr": "{http.error.status_code} == 403",
-														"name": "d"
-													}
+													"expression": "{http.error.status_code} == 403"
 												}
 											]
 										},
@@ -110,42 +97,7 @@ abort @g
 											],
 											"match": [
 												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "e"
-													}
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"abort": true,
-													"handler": "static_response"
-												}
-											],
-											"match": [
-												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "f"
-													}
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"abort": true,
-													"handler": "static_response"
-												}
-											],
-											"match": [
-												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "g"
-													}
+													"expression": "{http.error.status_code} == 404"
 												}
 											]
 										}
@@ -1,40 +0,0 @@
-:8080 {
-	root * ./
-	file_server {
-		etag_file_extensions .b3sum .sha256
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8080"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "vars",
-									"root": "./"
-								},
-								{
-									"etag_file_extensions": [
-										".b3sum",
-										".sha256"
-									],
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}
@@ -1,39 +0,0 @@
-:80
-
-file_server {
-	browse {
-		sort size desc
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"browse": {
-										"sort": [
-											"size",
-											"desc"
-										]
-									},
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}
@@ -69,10 +69,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
-						"endpoint": "https://example.com",
-						"module": "http"
-					},
+					"ask": "https://example.com",
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -63,14 +63,6 @@
 						"issuers": [
 							{
 								"ca": "https://example.com",
-								"challenges": {
-									"http": {
-										"alternate_port": 8080
-									},
-									"tls-alpn": {
-										"alternate_port": 8443
-									}
-								},
 								"email": "test@example.com",
 								"external_account": {
 									"key_id": "4K2scIVbBpNd-78scadB2g",
@@ -86,10 +78,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
-						"endpoint": "https://example.com",
-						"module": "http"
-					},
+					"ask": "https://example.com",
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -71,10 +71,7 @@
 					}
 				],
 				"on_demand": {
-					"permission": {
-						"endpoint": "https://example.com",
-						"module": "http"
-					},
+					"ask": "https://example.com",
 					"rate_limit": {
 						"interval": 30000000000,
 						"burst": 20
@@ -40,6 +40,12 @@ example.com
 								"preferred_chains": {
 									"smallest": true
 								}
+							},
+							{
+								"module": "zerossl",
+								"preferred_chains": {
+									"smallest": true
+								}
 							}
 						]
 					}
@@ -1,46 +0,0 @@
-http://handle {
-	file_server
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"handle"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "file_server",
-													"hide": [
-														"./Caddyfile"
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}
@@ -72,12 +72,8 @@ b.example.com {
 					],
 					"logs": {
 						"logger_names": {
-							"a.example.com": [
-								"log0"
-							],
-							"b.example.com": [
-								"log1"
-							]
+							"a.example.com": "log0",
+							"b.example.com": "log1"
 						}
 					}
 				}
@@ -1,58 +0,0 @@
-(snippet) {
-	header {
-		{block}
-	}
-}
-
-example.com {
-	import snippet {
-		foo bar
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"bar"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}
@@ -1,56 +0,0 @@
-(snippet) {
-	{block}
-}
-
-example.com {
-	import snippet {
-		header foo bar
-	}
-}
----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"bar"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mohammed Al Sahaf	73ab7478f6	replacer: use RWMutex to protect static provider	2024-03-21 01:12:36 +03:00
Matt Holt	6d9a83376b	caddytls: Sync distributed storage cleaning (#5940 ) * caddytls: Log out remote addr to detect abuse * caddytls: Sync distributed storage cleaning * Handle errors * Update certmagic to fix tiny bug * Split off port when logging remote IP * Upgrade CertMagic	2023-12-07 13:26:21 -07:00
Andreas Kohn	df5edf6bdb	caddytls: Context to DecisionFunc (#5923 ) See https://github.com/caddyserver/certmagic/pull/255	2023-12-07 13:26:21 -07:00
Mohammed Al Sahaf	908e956927	tls: accept placeholders in string values of certificate loaders (#5963 ) * tls: loader: accept placeholders in string values * appease the linter	2023-12-07 13:26:21 -07:00
Matt Holt	2f7ceb5774	templates: Offically make templates extensible (#5939 ) * templates: Offically make templates extensible This supercedes #4757 (and #4568) by making template extensions configurable. The previous implementation was never documented AFAIK and had only 1 consumer, which I'll notify as a courtesy. * templates: Add 'maybe' function for optional components * Try to fix lint error	2023-12-07 13:26:21 -07:00
WeidiDeng	e89c9a45b9	http2 uses new round-robin scheduler (#5946 )	2023-12-07 13:26:21 -07:00
WeidiDeng	e9ac48b4be	panic when reading from backend failed to propagate stream error (#5952 )	2023-12-07 13:26:21 -07:00
dlorenc	e55570298a	chore: Bump otel to v1.21.0. (#5949 ) Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>	2023-12-07 13:26:21 -07:00
WeidiDeng	87f63b125b	httpredirectlistener: Only set read limit for when request is HTTP (#5917 )	2023-12-07 13:26:21 -07:00
Matthew Holt	801ec75669	fileserver: Add .m4v for browse template icon	2023-12-07 13:26:21 -07:00
Mohammed Al Sahaf	c8219d0e95	Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848 )" (#5924 )	2023-12-07 13:26:21 -07:00
WeidiDeng	36fce3fa18	go.mod: update quic-go version to v0.40.0 (#5922 )	2023-12-07 13:26:21 -07:00
Marten Seemann	547f069564	update quic-go to v0.39.3 (#5918 )	2023-12-07 13:26:21 -07:00
WeidiDeng	d9fbef92fc	chore: Fix usage pool comment (#5916 )	2023-12-07 13:26:21 -07:00
Mohammed Al Sahaf	1a4c857bb9	test: acmeserver: add smoke test for the ACME server directory (#5914 )	2023-12-07 13:26:21 -07:00
Mariano Cano	65c489a0c3	Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913 ) This commit upgrades the router used in the acmeserver to github.com/go-chi/chi/v5. In the latest release of step-ca, the router used by certificates was upgraded to that version. Fixes #5911 Signed-off-by: Mariano Cano <mariano.cano@gmail.com>	2023-12-07 13:26:21 -07:00
Francis Lavoie	db55da59ef	caddyhttp: Adjust `scheme` placeholder docs (#5910 )	2023-12-07 13:26:21 -07:00
Matthew Holt	b4c7313cc7	go.mod: Upgrade quic-go to v0.39.1	2023-12-07 13:26:21 -07:00
Ethan Brown (Domino)	b809ed71ed	go.mod: CVE-2023-45142 Update opentelemetry (#5908 )	2023-12-07 13:26:21 -07:00
Francis Lavoie	0259853a41	templates: Delete headers on `httpError` to reset to clean slate (#5905 )	2023-12-07 13:26:21 -07:00
Francis Lavoie	f0ea489d89	httpcaddyfile: Remove port from logger names (#5881 ) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2023-12-07 13:26:21 -07:00
Matt Holt	648207063e	core: Apply SO_REUSEPORT to UDP sockets (#5725 ) * core: Apply SO_REUSEPORT to UDP sockets For some reason, 10 months ago when I implemented SO_REUSEPORT for TCP, I didn't realize, or forgot, that it can be used for UDP too. It is a much better solution than using deadline hacks to reuse a socket, at least for TCP. Then https://github.com/mholt/caddy-l4/issues/132 was posted, in which we see that UDP servers never actually stopped when the L4 app was stopped. I verified this using this command: $ nc -u 127.0.0.1 55353 combined with POSTing configs to the /load admin endpoint (which alternated between an echo server and a proxy server so I could tell which config was being used). I refactored the code to use SO_REUSEPORT for UDP, but of course we still need graceful reloads on all platforms, not just Unix, so I also implemented a deadline hack similar to what we used for TCP before. That implementation for TCP was not perfect, possibly having a logical (not data) race condition; but for UDP so far it seems to be working. Verified the same way I verified that SO_REUSEPORT works. I think this code is slightly cleaner and I'm fairly confident this code is effective. * Check error * Fix return * Fix var name * implement Unwrap interface and clean up * move unix packet conn to platform specific file * implement Unwrap for unix packet conn * Move sharedPacketConn into proper file * Fix Windows * move sharedPacketConn and fakeClosePacketConn to proper file --------- Co-authored-by: Weidi Deng <weidi_deng@icloud.com>	2023-12-07 13:26:21 -07:00
Harish Shan	9782ea3400	caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848 ) * Use sync.Pool to reduce lengthReader allocations Signed-off-by: Harish Shan <140232061+perhapsmaple@users.noreply.github.com> * Add defer putLengthReader to prevent leak Signed-off-by: Harish Shan <140232061+perhapsmaple@users.noreply.github.com> * Cleanup in putLengthReader Co-authored-by: Francis Lavoie <lavofr@gmail.com> --------- Signed-off-by: Harish Shan <140232061+perhapsmaple@users.noreply.github.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2023-12-07 13:26:21 -07:00
Thanmay Nath	11a082c060	cmd: Add newline character to version string in CLI output (#5895 )	2023-12-07 13:26:21 -07:00
WeidiDeng	15adb893d5	core: quic listener will manage the underlying socket by itself (#5749 ) * core: quic listener will manage the underlying socket by itself. * format code * rename sharedQUICTLSConfig to sharedQUICState, and it will now manage the number of active requests * add comment * strict unwrap type * fix unwrap * remove comment	2023-12-07 13:26:21 -07:00
Francis Lavoie	16834d64de	templates: Clarify `include` args docs, add `.ClientIP` (#5898 )	2023-12-07 13:26:21 -07:00
Francis Lavoie	ec2de22ab1	httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896 )	2023-12-07 13:26:21 -07:00
Mohammed Al Sahaf	979c413f04	cmd: upgrade: resolve symlink of the executable (#5891 )	2023-12-07 13:26:21 -07:00
WeidiDeng	ae5e2d96b7	caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883 )	2023-12-07 13:26:21 -07:00