Merge branch 'master' into acme-database

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

.github/CONTRIBUTING.md

@@ -25,7 +25,7 @@ Other menu items:
 
 You can have a huge impact on the project by helping with its code. To contribute code to Caddy, first submit or comment in an issue to discuss your contribution, then open a [pull request](https://github.com/caddyserver/caddy/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** You can get familiar with Caddy's code base by using [code search at Sourcegraph](https://sourcegraph.com/github.com/caddyserver/caddy).
 
-We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions—even if it seems small or insignificant. Please don't take it personally. :blue_heart: If your change is on the right track, we can guide you to make it mergeable.
+We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions—even if it seems small or insignificant. Please don't take it personally. :blue_heart: If your change is on the right track, we can guide you to make it mergable.
 
 Here are some of the expectations we have of contributors:
 

.github/workflows/ci.yml

@@ -23,17 +23,17 @@ jobs:
           - mac
           - windows
         go: 
+          - '1.21'
           - '1.22'
-          - '1.23'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.22'
-          GO_SEMVER: '~1.22.3'
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'
 
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.22'
+          GO_SEMVER: '~1.22.0'
 
         # Set some variables per OS, usable via ${{ matrix.VAR }}
         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@@ -99,13 +99,7 @@ jobs:
       env:
         CGO_ENABLED: 0
       run: |
-        go build -tags nobadger -trimpath -ldflags="-w -s" -v
-
-    - name: Smoke test Caddy
-      working-directory: ./cmd/caddy
-      run: |
-        ./caddy start
-        ./caddy stop
+        go build -tags nobdger -trimpath -ldflags="-w -s" -v
 
     - name: Publish Build Artifact
       uses: actions/upload-artifact@v4
@@ -150,41 +144,18 @@ jobs:
         uses: actions/checkout@v4
       - name: Run Tests
         run: |
-          set +e
           mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa
 
           # short sha is enough?
           short_sha=$(git rev-parse --short HEAD)
 
-          # To shorten the following lines
-          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-          ssh_host="$CI_USER@ci-s390x.caddyserver.com"
-
           # The environment is fresh, so there's no point in keeping accepting and adding the key.
-          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
-          ssh $ssh_opts -t "$ssh_host" bash <<EOF
-          cd /var/tmp/$short_sha
-          go version
-          go env
-          printf "\n\n"
-          retries=3
-          exit_code=0
-          while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
-            exit_code=$?
-            if ((exit_code == 0)); then
-              break
-            fi
-            echo "\n\nTest failed: \$exit_code, retrying..."
-            ((retries--))
-          done
-          echo "Remote exit code: \$exit_code"
-          exit \$exit_code
-          EOF
+          rsync -arz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress --delete --exclude '.git' . "$CI_USER"@ci-s390x.caddyserver.com:/var/tmp/"$short_sha"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -tags nobadger -v ./..."
           test_result=$?
 
           # There's no need leaving the files around
-          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$CI_USER"@ci-s390x.caddyserver.com "rm -rf /var/tmp/'$short_sha'"
 
           echo "Test exit code: $test_result"
           exit $test_result
@@ -198,22 +169,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           args: check
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "~1.23"
-          check-latest: true
-      - name: Install xcaddy
-        run: |
-          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-          xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: build --single-target --snapshot
-        env:
-          TAG: "master"

.github/workflows/cross-build.yml

@@ -17,27 +17,25 @@ jobs:
       matrix:
         goos: 
           - 'aix'
+          - 'android'
           - 'linux'
           - 'solaris'
           - 'illumos'
           - 'dragonfly'
           - 'freebsd'
           - 'openbsd'
+          - 'plan9'
           - 'windows'
           - 'darwin'
           - 'netbsd'
         go: 
           - '1.22'
-          - '1.23'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
         - go: '1.22'
-          GO_SEMVER: '~1.22.3'
-
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+          GO_SEMVER: '~1.22.0'
 
     runs-on: ubuntu-latest
     continue-on-error: true
@@ -70,4 +68,8 @@ jobs:
         continue-on-error: true
         working-directory: ./cmd/caddy
         run: |
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags=nobadger,nomysql,nopgx -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+          GOOS=$GOOS GOARCH=$GOARCH go build -tags nobadger -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+          if [ $? -ne 0 ]; then
+            echo "::warning ::$GOOS Build Failed"
+            exit 0
+          fi

.github/workflows/lint.yml

@@ -43,13 +43,16 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '~1.23'
+          go-version: '~1.22.0'
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v3
         with:
-          version: latest
+          version: v1.55
+
+          # Workaround for https://github.com/golangci/golangci-lint-action/issues/135
+          skip-pkg-cache: true
 
           # Windows times out frequently after about 5m50s if we don't set a longer timeout.
           args: --timeout 10m
@@ -63,5 +66,5 @@ jobs:
       - name: govulncheck
         uses: golang/govulncheck-action@v1
         with:
-          go-version-input: '~1.23.0'
+          go-version-input: '~1.22.0'
           check-latest: true

.github/workflows/release.yml

@@ -13,13 +13,13 @@ jobs:
         os: 
           - ubuntu-latest
         go: 
-          - '1.23'
+          - '1.21'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'
 
     runs-on: ${{ matrix.os }}
     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -104,13 +104,9 @@ jobs:
       uses: anchore/sbom-action/download-syft@main
     - name: Syft version
       run: syft version
-    - name: Install xcaddy
-      run: |
-        go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-        xcaddy version
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/goreleaser-action@v5
       with:
         version: latest
         args: release --clean --timeout 60m

.gitignore

@@ -3,7 +3,6 @@ _gitignore/
 Caddyfile
 Caddyfile.*
 !caddyfile/
-!caddyfile.go
 
 # artifacts from pprof tooling
 *.prof

.golangci.yml

@@ -1,9 +1,7 @@
 linters-settings:
   errcheck:
-    exclude-functions:
-      - fmt.*
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+    ignore: fmt:.*,go.uber.org/zap/zapcore:^Add.*
+    ignoretests: true
   gci:
     sections:
       - standard # Standard section: captures all standard packages.
@@ -35,6 +33,7 @@ linters:
     - errcheck
     - errname
     - exhaustive
+    - exportloopref
     - gci
     - gofmt
     - goimports
@@ -131,22 +130,18 @@ linters:
 run:
   # default concurrency is a available CPU number.
   # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-  timeout: 5m
+  deadline: 5m
   issues-exit-code: 1
   tests: false
 
 # output configuration options
 output:
-  formats:
-    - format: 'colored-line-number'
+  format: 'colored-line-number'
   print-issued-lines: true
   print-linter-name: true
 
 issues:
   exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
-        - gosec
     # we aren't calling unknown URL
     - text: 'G107' # G107: Url provided to HTTP request as taint input
       linters:
@@ -171,12 +166,3 @@ issues:
     - path: modules/logging/filters.go
       linters:
         - dupl
-    - path: modules/caddyhttp/matchers.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/vars.go
-      linters:
-        - dupl
-    - path: _test\.go
-      linters:
-        - errcheck

.goreleaser.yml

@@ -1,5 +1,3 @@
-version: 2
-
 before:
   hooks:
     # The build is done in this particular way to build Caddy in a designated directory named in .gitignore.
@@ -12,9 +10,6 @@ before:
     - mkdir -p caddy-build
     - cp cmd/caddy/main.go caddy-build/main.go
     - /bin/sh -c 'cd ./caddy-build && go mod init caddy'
-    # prepare syso files for windows embedding
-    - /bin/sh -c 'for a in amd64 arm arm64; do XCADDY_SKIP_BUILD=1 GOOS=windows GOARCH=$a xcaddy build {{.Env.TAG}}; done'
-    - /bin/sh -c 'mv /tmp/buildenv_*/*.syso caddy-build'
     # GoReleaser doesn't seem to offer {{.Tag}} at this stage, so we have to embed it into the env
     # so we run: TAG=$(git describe --abbrev=0) goreleaser release --rm-dist --skip-publish --skip-validate
     - go mod edit -require=github.com/caddyserver/caddy/v2@{{.Env.TAG}} ./caddy-build/go.mod
@@ -34,6 +29,7 @@ builds:
 - env:
   - CGO_ENABLED=0
   - GO111MODULE=on
+  main: main.go
   dir: ./caddy-build
   binary: caddy
   goos:
@@ -83,8 +79,6 @@ builds:
   - -s -w
   tags:
   - nobadger
-  - nomysql
-  - nopgx
 
 signs:
   - cmd: cosign

README.md

@@ -56,7 +56,7 @@
 </p>
 
 
-## [Features](https://caddyserver.com/features)
+## [Features](https://caddyserver.com/v2)
 
 - **Easy configuration** with the [Caddyfile](https://caddyserver.com/docs/caddyfile)
 - **Powerful configuration** with its [native JSON config](https://caddyserver.com/docs/json/)
@@ -75,7 +75,7 @@
 - **Runs anywhere** with **no external dependencies** (not even libc)
 - Written in Go, a language with higher **memory safety guarantees** than other servers
 - Actually **fun to use**
-- So much more to [discover](https://caddyserver.com/features)
+- So much more to [discover](https://caddyserver.com/v2)
 
 ## Install
 
@@ -87,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 
 Requirements:
 
-- [Go 1.22.3 or newer](https://golang.org/dl/)
+- [Go 1.21 or newer](https://golang.org/dl/)
 
 ### For development
 
@@ -131,7 +131,7 @@ $ xcaddy build
 4. Initialize a Go module: `go mod init caddy`
 5. (Optional) Pin Caddy version: `go get github.com/caddyserver/caddy/v2@version` replacing `version` with a git tag, commit, or branch name.
 6. (Optional) Add plugins by adding their import: `_ "import/path/here"`
-7. Compile: `go build -tags=nobadger,nomysql,nopgx`
+7. Compile: `go build`
 
 
 

admin.go

@@ -26,6 +26,7 @@ import (
 	"expvar"
 	"fmt"
 	"hash"
+	"hash/fnv"
 	"io"
 	"net"
 	"net/http"
@@ -34,21 +35,19 @@ import (
 	"os"
 	"path"
 	"regexp"
-	"slices"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/cespare/xxhash/v2"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
 
 func init() {
-	// The hard-coded default `DefaultAdminListen` can be overridden
+	// The hard-coded default `DefaultAdminListen` can be overidden
 	// by setting the `CADDY_ADMIN` environment variable.
 	// The environment variable may be used by packagers to change
 	// the default admin address to something more appropriate for
@@ -214,7 +213,7 @@ type AdminPermissions struct {
 
 // newAdminHandler reads admin's config and returns an http.Handler suitable
 // for use in an admin endpoint server, which will be listening on listenAddr.
-func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Context) adminHandler {
+func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool) adminHandler {
 	muxWrap := adminHandler{mux: http.NewServeMux()}
 
 	// secure the local or remote endpoint respectively
@@ -270,6 +269,7 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Co
 	// register third-party module endpoints
 	for _, m := range GetModules("admin.api") {
 		router := m.New().(AdminRouter)
+		handlerLabel := m.ID.Name()
 		for _, route := range router.Routes() {
 			addRoute(route.Pattern, handlerLabel, route.Handler)
 		}
@@ -312,7 +312,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 	}
 	if admin.Origins == nil {
 		if addr.isLoopback() {
-			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
+			if addr.IsUnixNetwork() {
 				// RFC 2616, Section 14.26:
 				// "A client MUST include a Host header field in all HTTP/1.1 request
 				// messages. If the requested URI does not include an Internet host
@@ -350,7 +350,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 				uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
 			}
 		}
-		if !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
+		if !addr.IsUnixNetwork() {
 			uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
 		}
 	}
@@ -381,9 +381,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 // for the admin endpoint exists in cfg, a default one is used, so
 // that there is always an admin server (unless it is explicitly
 // configured to be disabled).
-// Critically note that some elements and functionality of the context
-// may not be ready, e.g. storage. Tread carefully.
-func replaceLocalAdminServer(cfg *Config, ctx Context) error {
+func replaceLocalAdminServer(cfg *Config) error {
 	// always* be sure to close down the old admin endpoint
 	// as gracefully as possible, even if the new one is
 	// disabled -- careful to use reference to the current
@@ -425,7 +423,7 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 		return err
 	}
 
-	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, false)
 
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
@@ -476,6 +474,7 @@ func manageIdentity(ctx Context, cfg *Config) error {
 	// import the caddytls package -- but it works
 	if cfg.Admin.Identity.IssuersRaw == nil {
 		cfg.Admin.Identity.IssuersRaw = []json.RawMessage{
+			json.RawMessage(`{"module": "zerossl"}`),
 			json.RawMessage(`{"module": "acme"}`),
 		}
 	}
@@ -546,7 +545,7 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 
 	// make the HTTP handler but disable Host/Origin enforcement
 	// because we are using TLS authentication instead
-	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, true)
 
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
@@ -677,7 +676,13 @@ func (remote RemoteAdmin) enforceAccessControls(r *http.Request) error {
 					// key recognized; make sure its HTTP request is permitted
 					for _, accessPerm := range adminAccess.Permissions {
 						// verify method
-						methodFound := accessPerm.Methods == nil || slices.Contains(accessPerm.Methods, r.Method)
+						methodFound := accessPerm.Methods == nil
+						for _, method := range accessPerm.Methods {
+							if method == r.Method {
+								methodFound = true
+								break
+							}
+						}
 						if !methodFound {
 							return APIError{
 								HTTPStatus: http.StatusForbidden,
@@ -873,9 +878,13 @@ func (h adminHandler) handleError(w http.ResponseWriter, r *http.Request, err er
 // a trustworthy/expected value. This helps to mitigate DNS
 // rebinding attacks.
 func (h adminHandler) checkHost(r *http.Request) error {
-	allowed := slices.ContainsFunc(h.allowedOrigins, func(u *url.URL) bool {
-		return r.Host == u.Host
-	})
+	var allowed bool
+	for _, allowedOrigin := range h.allowedOrigins {
+		if r.Host == allowedOrigin.Host {
+			allowed = true
+			break
+		}
+	}
 	if !allowed {
 		return APIError{
 			HTTPStatus: http.StatusForbidden,
@@ -937,7 +946,7 @@ func (h adminHandler) originAllowed(origin *url.URL) bool {
 
 // etagHasher returns a the hasher we used on the config to both
 // produce and verify ETags.
-func etagHasher() hash.Hash { return xxhash.New() }
+func etagHasher() hash.Hash32 { return fnv.New32a() }
 
 // makeEtag returns an Etag header value (including quotes) for
 // the given config path and hash of contents at that path.
@@ -945,28 +954,17 @@ func makeEtag(path string, hash hash.Hash) string {
 	return fmt.Sprintf(`"%s %x"`, path, hash.Sum(nil))
 }
 
-// This buffer pool is used to keep buffers for
-// reading the config file during eTag header generation
-var bufferPool = sync.Pool{
-	New: func() any {
-		return new(bytes.Buffer)
-	},
-}
-
 func handleConfig(w http.ResponseWriter, r *http.Request) error {
 	switch r.Method {
 	case http.MethodGet:
 		w.Header().Set("Content-Type", "application/json")
+		// Set the ETag as a trailer header.
+		// The alternative is to write the config to a buffer, and
+		// then hash that.
+		w.Header().Set("Trailer", "ETag")
+
 		hash := etagHasher()
-
-		// Read the config into a buffer instead of writing directly to
-		// the response writer, as we want to set the ETag as the header,
-		// not the trailer.
-		buf := bufferPool.Get().(*bytes.Buffer)
-		buf.Reset()
-		defer bufferPool.Put(buf)
-
-		configWriter := io.MultiWriter(buf, hash)
+		configWriter := io.MultiWriter(w, hash)
 		err := readConfig(r.URL.Path, configWriter)
 		if err != nil {
 			return APIError{HTTPStatus: http.StatusBadRequest, Err: err}
@@ -975,10 +973,6 @@ func handleConfig(w http.ResponseWriter, r *http.Request) error {
 		// we could consider setting up a sync.Pool for the summed
 		// hashes to reduce GC pressure.
 		w.Header().Set("Etag", makeEtag(r.URL.Path, hash))
-		_, err = w.Write(buf.Bytes())
-		if err != nil {
-			return APIError{HTTPStatus: http.StatusInternalServerError, Err: err}
-		}
 
 		return nil
 

caddy.go

@@ -397,62 +397,6 @@ func unsyncedDecodeAndRun(cfgJSON []byte, allowPersist bool) error {
 // will want to use Run instead, which also
 // updates the config's raw state.
 func run(newCfg *Config, start bool) (Context, error) {
-	ctx, err := provisionContext(newCfg, start)
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-
-	if !start {
-		return ctx, nil
-	}
-
-	// Provision any admin routers which may need to access
-	// some of the other apps at runtime
-	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-
-	// Start
-	err = func() error {
-		started := make([]string, 0, len(ctx.cfg.apps))
-		for name, a := range ctx.cfg.apps {
-			err := a.Start()
-			if err != nil {
-				// an app failed to start, so we need to stop
-				// all other apps that were already started
-				for _, otherAppName := range started {
-					err2 := ctx.cfg.apps[otherAppName].Stop()
-					if err2 != nil {
-						err = fmt.Errorf("%v; additionally, aborting app %s: %v",
-							err, otherAppName, err2)
-					}
-				}
-				return fmt.Errorf("%s app module: start: %v", name, err)
-			}
-			started = append(started, name)
-		}
-		return nil
-	}()
-	if err != nil {
-		globalMetrics.configSuccess.Set(0)
-		return ctx, err
-	}
-	globalMetrics.configSuccess.Set(1)
-	globalMetrics.configSuccessTime.SetToCurrentTime()
-	// now that the user's config is running, finish setting up anything else,
-	// such as remote admin endpoint, config loader, etc.
-	return ctx, finishSettingUp(ctx, ctx.cfg)
-}
-
-// provisionContext creates a new context from the given configuration and provisions
-// storage and apps.
-// If `newCfg` is nil a new empty configuration will be created.
-// If `replaceAdminServer` is true any currently active admin server will be replaced
-// with a new admin server based on the provided configuration.
-func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error) {
 	// because we will need to roll back any state
 	// modifications if this function errors, we
 	// keep a single error value and scope all
@@ -475,7 +419,6 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	ctx, cancel := NewContext(Context{Context: context.Background(), cfg: newCfg})
 	defer func() {
 		if err != nil {
-			globalMetrics.configSuccess.Set(0)
 			// if there were any errors during startup,
 			// we should cancel the new context we created
 			// since the associated config won't be used;
@@ -501,8 +444,8 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	}
 
 	// start the admin endpoint (and stop any prior one)
-	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
+	if start {
+		err = replaceLocalAdminServer(newCfg)
 		if err != nil {
 			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
 		}
@@ -548,16 +491,49 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 		}
 		return nil
 	}()
-	return ctx, err
-}
+	if err != nil {
+		return ctx, err
+	}
 
-// ProvisionContext creates a new context from the configuration and provisions storage
-// and app modules.
-// The function is intended for testing and advanced use cases only, typically `Run` should be
-// use to ensure a fully functional caddy instance.
-// EXPERIMENTAL: While this is public the interface and implementation details of this function may change.
-func ProvisionContext(newCfg *Config) (Context, error) {
-	return provisionContext(newCfg, false)
+	if !start {
+		return ctx, nil
+	}
+
+	// Provision any admin routers which may need to access
+	// some of the other apps at runtime
+	err = newCfg.Admin.provisionAdminRouters(ctx)
+	if err != nil {
+		return ctx, err
+	}
+
+	// Start
+	err = func() error {
+		started := make([]string, 0, len(newCfg.apps))
+		for name, a := range newCfg.apps {
+			err := a.Start()
+			if err != nil {
+				// an app failed to start, so we need to stop
+				// all other apps that were already started
+				for _, otherAppName := range started {
+					err2 := newCfg.apps[otherAppName].Stop()
+					if err2 != nil {
+						err = fmt.Errorf("%v; additionally, aborting app %s: %v",
+							err, otherAppName, err2)
+					}
+				}
+				return fmt.Errorf("%s app module: start: %v", name, err)
+			}
+			started = append(started, name)
+		}
+		return nil
+	}()
+	if err != nil {
+		return ctx, err
+	}
+
+	// now that the user's config is running, finish setting up anything else,
+	// such as remote admin endpoint, config loader, etc.
+	return ctx, finishSettingUp(ctx, newCfg)
 }
 
 // finishSettingUp should be run after all apps have successfully started.
@@ -739,7 +715,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 	logger.Warn("exiting; byeee!! 👋")
 
 	exitCode := ExitCodeSuccess
-	lastContext := ActiveContext()
 
 	// stop all apps
 	if err := Stop(); err != nil {
@@ -761,16 +736,6 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 		}
 	}
 
-	// execute any process-exit callbacks
-	for _, exitFunc := range lastContext.exitFuncs {
-		exitFunc(ctx)
-	}
-	exitFuncsMu.Lock()
-	for _, exitFunc := range exitFuncs {
-		exitFunc(ctx)
-	}
-	exitFuncsMu.Unlock()
-
 	// shut down admin endpoint(s) in goroutines so that
 	// if this function was called from an admin handler,
 	// it has a chance to return gracefully
@@ -809,23 +774,6 @@ var exiting = new(int32) // accessed atomically
 // EXPERIMENTAL API: subject to change or removal.
 func Exiting() bool { return atomic.LoadInt32(exiting) == 1 }
 
-// OnExit registers a callback to invoke during process exit.
-// This registration is PROCESS-GLOBAL, meaning that each
-// function should only be registered once forever, NOT once
-// per config load (etc).
-//
-// EXPERIMENTAL API: subject to change or removal.
-func OnExit(f func(context.Context)) {
-	exitFuncsMu.Lock()
-	exitFuncs = append(exitFuncs, f)
-	exitFuncsMu.Unlock()
-}
-
-var (
-	exitFuncs   []func(context.Context)
-	exitFuncsMu sync.Mutex
-)
-
 // Duration can be an integer or a string. An integer is
 // interpreted as nanoseconds. If a string, it is a Go
 // time.Duration value such as `300ms`, `1.5h`, or `2h45m`;
@@ -893,7 +841,7 @@ func InstanceID() (uuid.UUID, error) {
 		if err != nil {
 			return uuid, err
 		}
-		err = os.MkdirAll(appDataDir, 0o700)
+		err = os.MkdirAll(appDataDir, 0o600)
 		if err != nil {
 			return uuid, err
 		}

caddyconfig/caddyfile/dispenser.go

@@ -30,10 +30,6 @@ type Dispenser struct {
 	tokens  []Token
 	cursor  int
 	nesting int
-
-	// A map of arbitrary context data that can be used
-	// to pass through some information to unmarshalers.
-	context map[string]any
 }
 
 // NewDispenser returns a Dispenser filled with the given tokens.
@@ -415,7 +411,7 @@ func (d *Dispenser) EOFErr() error {
 
 // Err generates a custom parse-time error with a message of msg.
 func (d *Dispenser) Err(msg string) error {
-	return d.WrapErr(errors.New(msg))
+	return d.Errf(msg)
 }
 
 // Errf is like Err, but for formatted error messages
@@ -458,34 +454,6 @@ func (d *Dispenser) DeleteN(amount int) []Token {
 	return d.tokens
 }
 
-// SetContext sets a key-value pair in the context map.
-func (d *Dispenser) SetContext(key string, value any) {
-	if d.context == nil {
-		d.context = make(map[string]any)
-	}
-	d.context[key] = value
-}
-
-// GetContext gets the value of a key in the context map.
-func (d *Dispenser) GetContext(key string) any {
-	if d.context == nil {
-		return nil
-	}
-	return d.context[key]
-}
-
-// GetContextString gets the value of a key in the context map
-// as a string, or an empty string if the key does not exist.
-func (d *Dispenser) GetContextString(key string) string {
-	if d.context == nil {
-		return ""
-	}
-	if val, ok := d.context[key].(string); ok {
-		return val
-	}
-	return ""
-}
-
 // isNewLine determines whether the current token is on a different
 // line (higher line number) than the previous token. It handles imported
 // tokens correctly. If there isn't a previous token, it returns true.
@@ -517,5 +485,3 @@ func (d *Dispenser) isNextOnNewLine() bool {
 	next := d.tokens[d.cursor+1]
 	return isNextOnNewLine(curr, next)
 }
-
-const MatcherNameCtxKey = "matcher_name"

caddyconfig/caddyfile/formatter.go

@@ -17,8 +17,9 @@ package caddyfile
 import (
 	"bytes"
 	"io"
-	"slices"
 	"unicode"
+
+	"golang.org/x/exp/slices"
 )
 
 // Format formats the input Caddyfile to a standard, nice-looking

caddyconfig/caddyfile/importgraph.go

@@ -16,24 +16,23 @@ package caddyfile
 
 import (
 	"fmt"
-	"slices"
 )
 
 type adjacency map[string][]string
 
 type importGraph struct {
-	nodes map[string]struct{}
+	nodes map[string]bool
 	edges adjacency
 }
 
 func (i *importGraph) addNode(name string) {
 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if _, exists := i.nodes[name]; exists {
 		return
 	}
-	i.nodes[name] = struct{}{}
+	i.nodes[name] = true
 }
 
 func (i *importGraph) addNodes(names []string) {
@@ -67,7 +66,7 @@ func (i *importGraph) addEdge(from, to string) error {
 	}
 
 	if i.nodes == nil {
-		i.nodes = make(map[string]struct{})
+		i.nodes = make(map[string]bool)
 	}
 	if i.edges == nil {
 		i.edges = make(adjacency)
@@ -92,7 +91,12 @@ func (i *importGraph) areConnected(from, to string) bool {
 	if !ok {
 		return false
 	}
-	return slices.Contains(al, to)
+	for _, v := range al {
+		if v == to {
+			return true
+		}
+	}
+	return false
 }
 
 func (i *importGraph) willCycle(from, to string) bool {

caddyconfig/caddyfile/lexer.go

@@ -340,8 +340,6 @@ func (l *lexer) finalizeHeredoc(val []rune, marker string) ([]rune, error) {
 	return []rune(out), nil
 }
 
-// Quoted returns true if the token was enclosed in quotes
-// (i.e. double quotes, backticks, or heredoc).
 func (t Token) Quoted() bool {
 	return t.wasQuoted > 0
 }
@@ -358,19 +356,6 @@ func (t Token) NumLineBreaks() int {
 	return lineBreaks
 }
 
-// Clone returns a deep copy of the token.
-func (t Token) Clone() Token {
-	return Token{
-		File:          t.File,
-		imports:       append([]string{}, t.imports...),
-		Line:          t.Line,
-		Text:          t.Text,
-		wasQuoted:     t.wasQuoted,
-		heredocMarker: t.heredocMarker,
-		snippetName:   t.snippetName,
-	}
-}
-
 var heredocMarkerRegexp = regexp.MustCompile("^[A-Za-z0-9_-]+$")
 
 // isNextOnNewLine tests whether t2 is on a different line from t1

caddyconfig/caddyfile/parse.go

@@ -50,7 +50,7 @@ func Parse(filename string, input []byte) ([]ServerBlock, error) {
 	p := parser{
 		Dispenser: NewDispenser(tokens),
 		importGraph: importGraph{
-			nodes: make(map[string]struct{}),
+			nodes: make(map[string]bool),
 			edges: make(adjacency),
 		},
 	}
@@ -214,12 +214,7 @@ func (p *parser) addresses() error {
 		value := p.Val()
 		token := p.Token()
 
-		// Reject request matchers if trying to define them globally
-		if strings.HasPrefix(value, "@") {
-			return p.Errf("request matchers may not be defined globally, they must be in a site block; found %s", value)
-		}
-
-		// Special case: import directive replaces tokens during parse-time
+		// special case: import directive replaces tokens during parse-time
 		if value == "import" && p.isNewLine() {
 			err := p.doImport(0)
 			if err != nil {
@@ -264,13 +259,8 @@ func (p *parser) addresses() error {
 				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", value)
 			}
 
-			// After the above, a comma surrounded by spaces would result
-			// in an empty token which we should ignore
-			if value != "" {
-				// Add the token as a site address
-				token.Text = value
-				p.block.Keys = append(p.block.Keys, token)
-			}
+			token.Text = value
+			p.block.Keys = append(p.block.Keys, token)
 		}
 
 		// Advance token and possibly break out of loop or return error
@@ -369,45 +359,9 @@ func (p *parser) doImport(nesting int) error {
 	// set up a replacer for non-variadic args replacement
 	repl := makeArgsReplacer(args)
 
-	// grab all the tokens (if it exists) from within a block that follows the import
-	var blockTokens []Token
-	for currentNesting := p.Nesting(); p.NextBlock(currentNesting); {
-		blockTokens = append(blockTokens, p.Token())
-	}
-	// initialize with size 1
-	blockMapping := make(map[string][]Token, 1)
-	if len(blockTokens) > 0 {
-		// use such tokens to create a new dispenser, and then use it to parse each block
-		bd := NewDispenser(blockTokens)
-		for bd.Next() {
-			// see if we can grab a key
-			var currentMappingKey string
-			if bd.Val() == "{" {
-				return p.Err("anonymous blocks are not supported")
-			}
-			currentMappingKey = bd.Val()
-			currentMappingTokens := []Token{}
-			// read all args until end of line / {
-			if bd.NextArg() {
-				currentMappingTokens = append(currentMappingTokens, bd.Token())
-				for bd.NextArg() {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-				// TODO(elee1766): we don't enter another mapping here because it's annoying to extract the { and } properly.
-				// maybe someone can do that in the future
-			} else {
-				// attempt to enter a block and add tokens to the currentMappingTokens
-				for mappingNesting := bd.Nesting(); bd.NextBlock(mappingNesting); {
-					currentMappingTokens = append(currentMappingTokens, bd.Token())
-				}
-			}
-			blockMapping[currentMappingKey] = currentMappingTokens
-		}
-	}
-
 	// splice out the import directive and its arguments
 	// (2 tokens, plus the length of args)
-	tokensBefore := p.tokens[:p.cursor-1-len(args)-len(blockTokens)]
+	tokensBefore := p.tokens[:p.cursor-1-len(args)]
 	tokensAfter := p.tokens[p.cursor+1:]
 	var importedTokens []Token
 	var nodes []string
@@ -441,6 +395,7 @@ func (p *parser) doImport(nesting int) error {
 			return p.Errf("Glob pattern may only contain one wildcard (*), but has others: %s", globPattern)
 		}
 		matches, err = filepath.Glob(globPattern)
+
 		if err != nil {
 			return p.Errf("Failed to use import pattern %s: %v", importPattern, err)
 		}
@@ -536,33 +491,6 @@ func (p *parser) doImport(nesting int) error {
 				maybeSnippet = false
 			}
 		}
-		// if it is {block}, we substitute with all tokens in the block
-		// if it is {blocks.*}, we substitute with the tokens in the mapping for the *
-		var skip bool
-		var tokensToAdd []Token
-		switch {
-		case token.Text == "{block}":
-			tokensToAdd = blockTokens
-		case strings.HasPrefix(token.Text, "{blocks.") && strings.HasSuffix(token.Text, "}"):
-			// {blocks.foo.bar} will be extracted to key `foo.bar`
-			blockKey := strings.TrimPrefix(strings.TrimSuffix(token.Text, "}"), "{blocks.")
-			val, ok := blockMapping[blockKey]
-			if ok {
-				tokensToAdd = val
-			}
-		default:
-			skip = true
-		}
-		if !skip {
-			if len(tokensToAdd) == 0 {
-				// if there is no content in the snippet block, don't do any replacement
-				// this allows snippets which contained {block}/{block.*} before this change to continue functioning as normal
-				tokensCopy = append(tokensCopy, token)
-			} else {
-				tokensCopy = append(tokensCopy, tokensToAdd...)
-			}
-			continue
-		}
 
 		if maybeSnippet {
 			tokensCopy = append(tokensCopy, token)
@@ -584,7 +512,7 @@ func (p *parser) doImport(nesting int) error {
 	// splice the imported tokens in the place of the import statement
 	// and rewind cursor so Next() will land on first imported token
 	p.tokens = append(tokensBefore, append(tokensCopy, tokensAfter...)...)
-	p.cursor -= len(args) + len(blockTokens) + 1
+	p.cursor -= len(args) + 1
 
 	return nil
 }

caddyconfig/caddyfile/parse_test.go

@@ -555,10 +555,6 @@ func TestParseAll(t *testing.T) {
 			{"localhost:1234", "http://host2"},
 		}},
 
-		{`foo.example.com   ,   example.com`, false, [][]string{
-			{"foo.example.com", "example.com"},
-		}},
-
 		{`localhost:1234, http://host2,`, true, [][]string{}},
 
 		{`http://host1.com, http://host2.com {
@@ -618,8 +614,8 @@ func TestParseAll(t *testing.T) {
 		}
 		for j, block := range blocks {
 			if len(block.Keys) != len(test.keys[j]) {
-				t.Errorf("Test %d: Expected %d keys in block %d, got %d: %v",
-					i, len(test.keys[j]), j, len(block.Keys), block.Keys)
+				t.Errorf("Test %d: Expected %d keys in block %d, got %d",
+					i, len(test.keys[j]), j, len(block.Keys))
 				continue
 			}
 			for k, addr := range block.GetKeysText() {
@@ -861,29 +857,6 @@ func TestSnippetAcrossMultipleFiles(t *testing.T) {
 	}
 }
 
-func TestRejectsGlobalMatcher(t *testing.T) {
-	p := testParser(`
-		@rejected path /foo
-
-		(common) {
-			gzip foo
-			errors stderr
-		}
-
-		http://example.com {
-			import common
-		}
-	`)
-	_, err := p.parseAll()
-	if err == nil {
-		t.Fatal("Expected an error, but got nil")
-	}
-	expected := "request matchers may not be defined globally, they must be in a site block; found @rejected, at Testfile:2"
-	if err.Error() != expected {
-		t.Errorf("Expected error to be '%s' but got '%v'", expected, err)
-	}
-}
-
 func testParser(input string) parser {
 	return parser{Dispenser: NewTestDispenser(input)}
 }

caddyconfig/httpcaddyfile/addresses.go

@@ -31,7 +31,7 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
 
-// mapAddressToProtocolToServerBlocks returns a map of listener address to list of server
+// mapAddressToServerBlocks returns a map of listener address to list of server
 // blocks that will be served on that address. To do this, each server block is
 // expanded so that each one is considered individually, although keys of a
 // server block that share the same address stay grouped together so the config
@@ -77,15 +77,10 @@ import (
 // repetition may be undesirable, so call consolidateAddrMappings() to map
 // multiple addresses to the same lists of server blocks (a many:many mapping).
 // (Doing this is essentially a map-reduce technique.)
-func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []serverBlock,
+func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBlock,
 	options map[string]any,
-) (map[string]map[string][]serverBlock, error) {
-	addrToProtocolToServerBlocks := map[string]map[string][]serverBlock{}
-
-	type keyWithParsedKey struct {
-		key       caddyfile.Token
-		parsedKey Address
-	}
+) (map[string][]serverBlock, error) {
+	sbmap := make(map[string][]serverBlock)
 
 	for i, sblock := range originalServerBlocks {
 		// within a server block, we need to map all the listener addresses
@@ -93,48 +88,27 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// will be served by them; this has the effect of treating each
 		// key of a server block as its own, but without having to repeat its
 		// contents in cases where multiple keys really can be served together
-		addrToProtocolToKeyWithParsedKeys := map[string]map[string][]keyWithParsedKey{}
+		addrToKeys := make(map[string][]caddyfile.Token)
 		for j, key := range sblock.block.Keys {
-			parsedKey, err := ParseAddress(key.Text)
-			if err != nil {
-				return nil, fmt.Errorf("parsing key: %v", err)
-			}
-			parsedKey = parsedKey.Normalize()
-
 			// a key can have multiple listener addresses if there are multiple
 			// arguments to the 'bind' directive (although they will all have
 			// the same port, since the port is defined by the key or is implicit
 			// through automatic HTTPS)
-			listeners, err := st.listenersForServerBlockAddress(sblock, parsedKey, options)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key.Text, options)
 			if err != nil {
 				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key.Text, err)
 			}
 
-			// associate this key with its protocols and each listener address served with them
-			kwpk := keyWithParsedKey{key, parsedKey}
-			for addr, protocols := range listeners {
-				protocolToKeyWithParsedKeys, ok := addrToProtocolToKeyWithParsedKeys[addr]
-				if !ok {
-					protocolToKeyWithParsedKeys = map[string][]keyWithParsedKey{}
-					addrToProtocolToKeyWithParsedKeys[addr] = protocolToKeyWithParsedKeys
-				}
-
-				// an empty protocol indicates the default, a nil or empty value in the ListenProtocols array
-				if len(protocols) == 0 {
-					protocols[""] = struct{}{}
-				}
-				for prot := range protocols {
-					protocolToKeyWithParsedKeys[prot] = append(
-						protocolToKeyWithParsedKeys[prot],
-						kwpk)
-				}
+			// associate this key with each listener address it is served on
+			for _, addr := range addrs {
+				addrToKeys[addr] = append(addrToKeys[addr], key)
 			}
 		}
 
 		// make a slice of the map keys so we can iterate in sorted order
-		addrs := make([]string, 0, len(addrToProtocolToKeyWithParsedKeys))
-		for addr := range addrToProtocolToKeyWithParsedKeys {
-			addrs = append(addrs, addr)
+		addrs := make([]string, 0, len(addrToKeys))
+		for k := range addrToKeys {
+			addrs = append(addrs, k)
 		}
 		sort.Strings(addrs)
 
@@ -144,132 +118,85 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// server block are only the ones which use the address; but
 		// the contents (tokens) are of course the same
 		for _, addr := range addrs {
-			protocolToKeyWithParsedKeys := addrToProtocolToKeyWithParsedKeys[addr]
-
-			prots := make([]string, 0, len(protocolToKeyWithParsedKeys))
-			for prot := range protocolToKeyWithParsedKeys {
-				prots = append(prots, prot)
-			}
-			sort.Strings(prots)
-
-			protocolToServerBlocks, ok := addrToProtocolToServerBlocks[addr]
-			if !ok {
-				protocolToServerBlocks = map[string][]serverBlock{}
-				addrToProtocolToServerBlocks[addr] = protocolToServerBlocks
-			}
-
-			for _, prot := range prots {
-				keyWithParsedKeys := protocolToKeyWithParsedKeys[prot]
-
-				keys := make([]caddyfile.Token, len(keyWithParsedKeys))
-				parsedKeys := make([]Address, len(keyWithParsedKeys))
-
-				for k, keyWithParsedKey := range keyWithParsedKeys {
-					keys[k] = keyWithParsedKey.key
-					parsedKeys[k] = keyWithParsedKey.parsedKey
+			keys := addrToKeys[addr]
+			// parse keys so that we only have to do it once
+			parsedKeys := make([]Address, 0, len(keys))
+			for _, key := range keys {
+				addr, err := ParseAddress(key.Text)
+				if err != nil {
+					return nil, fmt.Errorf("parsing key '%s': %v", key.Text, err)
 				}
-
-				protocolToServerBlocks[prot] = append(protocolToServerBlocks[prot], serverBlock{
-					block: caddyfile.ServerBlock{
-						Keys:     keys,
-						Segments: sblock.block.Segments,
-					},
-					pile:       sblock.pile,
-					parsedKeys: parsedKeys,
-				})
+				parsedKeys = append(parsedKeys, addr.Normalize())
 			}
-		}
-	}
-
-	return addrToProtocolToServerBlocks, nil
-}
-
-// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
-// single listener addresses to protocols to lists of server blocks. Since multiple addresses
-// may serve multiple protocols to identical sites (server block contents), this function turns
-// a 1:many mapping into a many:many mapping. Server block contents (tokens) must be
-// exactly identical so that reflect.DeepEqual returns true in order for the addresses to be combined.
-// Identical entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
-// association from multiple addresses to multiple server blocks; i.e. each element of
-// the returned slice) becomes a server definition in the output JSON.
-func (st *ServerType) consolidateAddrMappings(addrToProtocolToServerBlocks map[string]map[string][]serverBlock) []sbAddrAssociation {
-	sbaddrs := make([]sbAddrAssociation, 0, len(addrToProtocolToServerBlocks))
-
-	addrs := make([]string, 0, len(addrToProtocolToServerBlocks))
-	for addr := range addrToProtocolToServerBlocks {
-		addrs = append(addrs, addr)
-	}
-	sort.Strings(addrs)
-
-	for _, addr := range addrs {
-		protocolToServerBlocks := addrToProtocolToServerBlocks[addr]
-
-		prots := make([]string, 0, len(protocolToServerBlocks))
-		for prot := range protocolToServerBlocks {
-			prots = append(prots, prot)
-		}
-		sort.Strings(prots)
-
-		for _, prot := range prots {
-			serverBlocks := protocolToServerBlocks[prot]
-
-			// now find other addresses that map to identical
-			// server blocks and add them to our map of listener
-			// addresses and protocols, while removing them from
-			// the original map
-			listeners := map[string]map[string]struct{}{}
-
-			for otherAddr, otherProtocolToServerBlocks := range addrToProtocolToServerBlocks {
-				for otherProt, otherServerBlocks := range otherProtocolToServerBlocks {
-					if addr == otherAddr && prot == otherProt || reflect.DeepEqual(serverBlocks, otherServerBlocks) {
-						listener, ok := listeners[otherAddr]
-						if !ok {
-							listener = map[string]struct{}{}
-							listeners[otherAddr] = listener
-						}
-						listener[otherProt] = struct{}{}
-						delete(otherProtocolToServerBlocks, otherProt)
-					}
-				}
-			}
-
-			addresses := make([]string, 0, len(listeners))
-			for lnAddr := range listeners {
-				addresses = append(addresses, lnAddr)
-			}
-			sort.Strings(addresses)
-
-			addressesWithProtocols := make([]addressWithProtocols, 0, len(listeners))
-
-			for _, lnAddr := range addresses {
-				lnProts := listeners[lnAddr]
-				prots := make([]string, 0, len(lnProts))
-				for prot := range lnProts {
-					prots = append(prots, prot)
-				}
-				sort.Strings(prots)
-
-				addressesWithProtocols = append(addressesWithProtocols, addressWithProtocols{
-					address:   lnAddr,
-					protocols: prots,
-				})
-			}
-
-			sbaddrs = append(sbaddrs, sbAddrAssociation{
-				addressesWithProtocols: addressesWithProtocols,
-				serverBlocks:           serverBlocks,
+			sbmap[addr] = append(sbmap[addr], serverBlock{
+				block: caddyfile.ServerBlock{
+					Keys:     keys,
+					Segments: sblock.block.Segments,
+				},
+				pile: sblock.pile,
+				keys: parsedKeys,
 			})
 		}
 	}
 
+	return sbmap, nil
+}
+
+// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
+// single listener addresses to lists of server blocks. Since multiple addresses may serve
+// identical sites (server block contents), this function turns a 1:many mapping into a
+// many:many mapping. Server block contents (tokens) must be exactly identical so that
+// reflect.DeepEqual returns true in order for the addresses to be combined. Identical
+// entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
+// association from multiple addresses to multiple server blocks; i.e. each element of
+// the returned slice) becomes a server definition in the output JSON.
+func (st *ServerType) consolidateAddrMappings(addrToServerBlocks map[string][]serverBlock) []sbAddrAssociation {
+	sbaddrs := make([]sbAddrAssociation, 0, len(addrToServerBlocks))
+	for addr, sblocks := range addrToServerBlocks {
+		// we start with knowing that at least this address
+		// maps to these server blocks
+		a := sbAddrAssociation{
+			addresses:    []string{addr},
+			serverBlocks: sblocks,
+		}
+
+		// now find other addresses that map to identical
+		// server blocks and add them to our list of
+		// addresses, while removing them from the map
+		for otherAddr, otherSblocks := range addrToServerBlocks {
+			if addr == otherAddr {
+				continue
+			}
+			if reflect.DeepEqual(sblocks, otherSblocks) {
+				a.addresses = append(a.addresses, otherAddr)
+				delete(addrToServerBlocks, otherAddr)
+			}
+		}
+		sort.Strings(a.addresses)
+
+		sbaddrs = append(sbaddrs, a)
+	}
+
+	// sort them by their first address (we know there will always be at least one)
+	// to avoid problems with non-deterministic ordering (makes tests flaky)
+	sort.Slice(sbaddrs, func(i, j int) bool {
+		return sbaddrs[i].addresses[0] < sbaddrs[j].addresses[0]
+	})
+
 	return sbaddrs
 }
 
-// listenersForServerBlockAddress essentially converts the Caddyfile site addresses to a map from
-// Caddy listener addresses and the protocols to serve them with to the parsed address for each server block.
-func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Address,
+// listenerAddrsForServerBlockKey essentially converts the Caddyfile
+// site addresses to Caddy listener addresses for each server block.
+func (st *ServerType) listenerAddrsForServerBlockKey(sblock serverBlock, key string,
 	options map[string]any,
-) (map[string]map[string]struct{}, error) {
+) ([]string, error) {
+	addr, err := ParseAddress(key)
+	if err != nil {
+		return nil, fmt.Errorf("parsing key: %v", err)
+	}
+	addr = addr.Normalize()
+
 	switch addr.Scheme {
 	case "wss":
 		return nil, fmt.Errorf("the scheme wss:// is only supported in browsers; use https:// instead")
@@ -303,58 +230,55 @@ func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Ad
 
 	// error if scheme and port combination violate convention
 	if (addr.Scheme == "http" && lnPort == httpsPort) || (addr.Scheme == "https" && lnPort == httpPort) {
-		return nil, fmt.Errorf("[%s] scheme and port violate convention", addr.String())
+		return nil, fmt.Errorf("[%s] scheme and port violate convention", key)
 	}
 
-	// the bind directive specifies hosts (and potentially network), and the protocols to serve them with, but is optional
-	lnCfgVals := make([]addressesWithProtocols, 0, len(sblock.pile["bind"]))
+	// the bind directive specifies hosts (and potentially network), but is optional
+	lnHosts := make([]string, 0, len(sblock.pile["bind"]))
 	for _, cfgVal := range sblock.pile["bind"] {
-		if val, ok := cfgVal.Value.(addressesWithProtocols); ok {
-			lnCfgVals = append(lnCfgVals, val)
-		}
+		lnHosts = append(lnHosts, cfgVal.Value.([]string)...)
 	}
-	if len(lnCfgVals) == 0 {
-		if defaultBindValues, ok := options["default_bind"].([]ConfigValue); ok {
-			for _, defaultBindValue := range defaultBindValues {
-				lnCfgVals = append(lnCfgVals, defaultBindValue.Value.(addressesWithProtocols))
-			}
+	if len(lnHosts) == 0 {
+		if defaultBind, ok := options["default_bind"].([]string); ok {
+			lnHosts = defaultBind
 		} else {
-			lnCfgVals = []addressesWithProtocols{{
-				addresses: []string{""},
-				protocols: nil,
-			}}
+			lnHosts = []string{""}
 		}
 	}
 
 	// use a map to prevent duplication
-	listeners := map[string]map[string]struct{}{}
-	for _, lnCfgVal := range lnCfgVals {
-		for _, lnAddr := range lnCfgVal.addresses {
-			lnNetw, lnHost, _, err := caddy.SplitNetworkAddress(lnAddr)
-			if err != nil {
-				return nil, fmt.Errorf("splitting listener address: %v", err)
-			}
-			networkAddr, err := caddy.ParseNetworkAddress(caddy.JoinNetworkAddress(lnNetw, lnHost, lnPort))
-			if err != nil {
-				return nil, fmt.Errorf("parsing network address: %v", err)
-			}
-			if _, ok := listeners[addr.String()]; !ok {
-				listeners[networkAddr.String()] = map[string]struct{}{}
-			}
-			for _, protocol := range lnCfgVal.protocols {
-				listeners[networkAddr.String()][protocol] = struct{}{}
-			}
+	listeners := make(map[string]struct{})
+	for _, lnHost := range lnHosts {
+		// normally we would simply append the port,
+		// but if lnHost is IPv6, we need to ensure it
+		// is enclosed in [ ]; net.JoinHostPort does
+		// this for us, but lnHost might also have a
+		// network type in front (e.g. "tcp/") leading
+		// to "[tcp/::1]" which causes parsing failures
+		// later; what we need is "tcp/[::1]", so we have
+		// to split the network and host, then re-combine
+		network, host, ok := strings.Cut(lnHost, "/")
+		if !ok {
+			host = network
+			network = ""
 		}
+		host = strings.Trim(host, "[]") // IPv6
+		networkAddr := caddy.JoinNetworkAddress(network, host, lnPort)
+		addr, err := caddy.ParseNetworkAddress(networkAddr)
+		if err != nil {
+			return nil, fmt.Errorf("parsing network address: %v", err)
+		}
+		listeners[addr.String()] = struct{}{}
 	}
 
-	return listeners, nil
-}
+	// now turn map into list
+	listenersList := make([]string, 0, len(listeners))
+	for lnStr := range listeners {
+		listenersList = append(listenersList, lnStr)
+	}
+	sort.Strings(listenersList)
 
-// addressesWithProtocols associates a list of listen addresses
-// with a list of protocols to serve them with
-type addressesWithProtocols struct {
-	addresses []string
-	protocols []string
+	return listenersList, nil
 }
 
 // Address represents a site address. It contains

caddyconfig/httpcaddyfile/builtins.go

@@ -24,7 +24,7 @@ import (
 	"time"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
@@ -49,37 +49,15 @@ func init() {
 	RegisterDirective("handle_errors", parseHandleErrors)
 	RegisterHandlerDirective("invoke", parseInvoke)
 	RegisterDirective("log", parseLog)
-	RegisterHandlerDirective("skip_log", parseLogSkip)
-	RegisterHandlerDirective("log_skip", parseLogSkip)
-	RegisterHandlerDirective("log_name", parseLogName)
+	RegisterHandlerDirective("skip_log", parseSkipLog)
 }
 
 // parseBind parses the bind directive. Syntax:
 //
-//		bind <addresses...> [{
-//	   protocols [h1|h2|h2c|h3] [...]
-//	 }]
+//	bind <addresses...>
 func parseBind(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
-	var addresses, protocols []string
-	addresses = h.RemainingArgs()
-
-	for h.NextBlock(0) {
-		switch h.Val() {
-		case "protocols":
-			protocols = h.RemainingArgs()
-			if len(protocols) == 0 {
-				return nil, h.Errf("protocols requires one or more arguments")
-			}
-		default:
-			return nil, h.Errf("unknown subdirective: %s", h.Val())
-		}
-	}
-
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
-	}}}, nil
+	return []ConfigValue{{Class: "bind", Value: h.RemainingArgs()}}, nil
 }
 
 // parseTLS parses the tls directive. Syntax:
@@ -90,7 +68,8 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    curves    <curves...>
 //	    client_auth {
 //	        mode                   [request|require|verify_if_given|require_and_verify]
-//	        trust_pool			   <module_name> [...]
+//	        trusted_ca_cert        <base64_der>
+//	        trusted_ca_cert_file   <filename>
 //	        trusted_leaf_cert      <base64_der>
 //	        trusted_leaf_cert_file <filename>
 //	    }
@@ -127,6 +106,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 	var onDemand bool
 	var reusePrivateKeys bool
 
+	// file certificate loader
 	firstLine := h.RemainingArgs()
 	switch len(firstLine) {
 	case 0:
@@ -136,13 +116,13 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		} else if !strings.Contains(firstLine[0], "@") {
 			return nil, h.Err("single argument must either be 'internal' or an email address")
 		} else {
-			acmeIssuer = &caddytls.ACMEIssuer{
-				Email: firstLine[0],
+			if acmeIssuer == nil {
+				acmeIssuer = new(caddytls.ACMEIssuer)
 			}
+			acmeIssuer.Email = firstLine[0]
 		}
 
 	case 2:
-		// file certificate loader
 		certFilename := firstLine[0]
 		keyFilename := firstLine[1]
 
@@ -507,24 +487,19 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 
 	case acmeIssuer != nil:
 		// implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
-		defaultIssuers := caddytls.DefaultIssuers(acmeIssuer.Email)
+		defaultIssuers := caddytls.DefaultIssuers()
 
-		// if an ACME CA endpoint was set, the user expects to use that specific one,
-		// not any others that may be defaults, so replace all defaults with that ACME CA
+		// if a CA endpoint was set, override multiple implicit issuers since it's a specific one
 		if acmeIssuer.CA != "" {
 			defaultIssuers = []certmagic.Issuer{acmeIssuer}
 		}
 
 		for _, issuer := range defaultIssuers {
-			// apply settings from the implicitly-configured ACMEIssuer to any
-			// default ACMEIssuers, but preserve each default issuer's CA endpoint,
-			// because, for example, if you configure the DNS challenge, it should
-			// apply to any of the default ACMEIssuers, but you don't want to trample
-			// out their unique CA endpoints
-			if iss, ok := issuer.(*caddytls.ACMEIssuer); ok && iss != nil {
-				acmeCopy := *acmeIssuer
-				acmeCopy.CA = iss.CA
-				issuer = &acmeCopy
+			switch iss := issuer.(type) {
+			case *caddytls.ACMEIssuer:
+				issuer = acmeIssuer
+			case *caddytls.ZeroSSLIssuer:
+				iss.ACMEIssuer = acmeIssuer
 			}
 			configVals = append(configVals, ConfigValue{
 				Class: "tls.cert_issuer",
@@ -869,7 +844,6 @@ func parseInvoke(h Helper) (caddyhttp.MiddlewareHandler, error) {
 //	log <logger_name> {
 //	    hostnames <hostnames...>
 //	    output <writer_module> ...
-//	    core   <core_module> ...
 //	    format <encoder_module> ...
 //	    level  <level>
 //	}
@@ -936,7 +910,7 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 	// this is useful for setting up loggers per subdomain in a site block
 	// with a wildcard domain
 	customHostnames := []string{}
-	noHostname := false
+
 	for h.NextBlock(0) {
 		switch h.Val() {
 		case "hostnames":
@@ -981,22 +955,6 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 			}
 			cl.WriterRaw = caddyconfig.JSONModuleObject(wo, "output", moduleName, h.warnings)
 
-		case "core":
-			if !h.NextArg() {
-				return nil, h.ArgErr()
-			}
-			moduleName := h.Val()
-			moduleID := "caddy.logging.cores." + moduleName
-			unm, err := caddyfile.UnmarshalModule(h.Dispenser, moduleID)
-			if err != nil {
-				return nil, err
-			}
-			core, ok := unm.(zapcore.Core)
-			if !ok {
-				return nil, h.Errf("module %s (%T) is not a zapcore.Core", moduleID, unm)
-			}
-			cl.CoreRaw = caddyconfig.JSONModuleObject(core, "module", moduleName, h.warnings)
-
 		case "format":
 			if !h.NextArg() {
 				return nil, h.ArgErr()
@@ -1038,12 +996,6 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 				cl.Exclude = append(cl.Exclude, h.Val())
 			}
 
-		case "no_hostname":
-			if h.NextArg() {
-				return nil, h.ArgErr()
-			}
-			noHostname = true
-
 		default:
 			return nil, h.Errf("unrecognized subdirective: %s", h.Val())
 		}
@@ -1051,7 +1003,7 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 
 	var val namedCustomLog
 	val.hostnames = customHostnames
-	val.noHostname = noHostname
+
 	isEmptyConfig := reflect.DeepEqual(cl, new(caddy.CustomLog))
 
 	// Skip handling of empty logging configs
@@ -1086,29 +1038,13 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
 	return configValues, nil
 }
 
-// parseLogSkip parses the log_skip directive. Syntax:
+// parseSkipLog parses the skip_log directive. Syntax:
 //
-//	log_skip [<matcher>]
-func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
+//	skip_log [<matcher>]
+func parseSkipLog(h Helper) (caddyhttp.MiddlewareHandler, error) {
 	h.Next() // consume directive name
-
-	// "skip_log" is deprecated, replaced by "log_skip"
-	if h.Val() == "skip_log" {
-		caddy.Log().Named("config.adapter.caddyfile").Warn("the 'skip_log' directive is deprecated, please use 'log_skip' instead!")
-	}
-
 	if h.NextArg() {
 		return nil, h.ArgErr()
 	}
-	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
-}
-
-// parseLogName parses the log_name directive. Syntax:
-//
-//	log_name <names...>
-func parseLogName(h Helper) (caddyhttp.MiddlewareHandler, error) {
-	h.Next() // consume directive name
-	return caddyhttp.VarsMiddleware{
-		caddyhttp.AccessLoggerNameVarKey: h.RemainingArgs(),
-	}, nil
+	return caddyhttp.VarsMiddleware{"skip_log": true}, nil
 }

caddyconfig/httpcaddyfile/builtins_test.go

@@ -25,12 +25,11 @@ func TestLogDirectiveSyntax(t *testing.T) {
 		{
 			input: `:8080 {
 				log {
-					core mock
 					output file foo.log
 				}
 			}
 			`,
-			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"writer":{"filename":"foo.log","output":"file"},"core":{"module":"mock"},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
+			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.log0"]},"log0":{"writer":{"filename":"foo.log","output":"file"},"include":["http.log.access.log0"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"log0"}}}}}}`,
 			expectError: false,
 		},
 		{
@@ -54,12 +53,11 @@ func TestLogDirectiveSyntax(t *testing.T) {
 		{
 			input: `:8080 {
 				log name-override {
-					core mock
 					output file foo.log
 				}
 			}
 			`,
-			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.name-override"]},"name-override":{"writer":{"filename":"foo.log","output":"file"},"core":{"module":"mock"},"include":["http.log.access.name-override"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"name-override"}}}}}}`,
+			output:      `{"logging":{"logs":{"default":{"exclude":["http.log.access.name-override"]},"name-override":{"writer":{"filename":"foo.log","output":"file"},"include":["http.log.access.name-override"]}}},"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"logs":{"default_logger_name":"name-override"}}}}}}`,
 			expectError: false,
 		},
 	} {

caddyconfig/httpcaddyfile/directives.go

@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"net"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -28,33 +27,23 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
 
-// defaultDirectiveOrder specifies the default order
-// to apply directives in HTTP routes. This must only
-// consist of directives that are included in Caddy's
-// standard distribution.
+// directiveOrder specifies the order
+// to apply directives in HTTP routes.
 //
-// e.g. The 'root' directive goes near the start in
-// case rewrites or redirects depend on existence of
-// files, i.e. the file matcher, which must know the
-// root first.
+// The root directive goes first in case rewrites or
+// redirects depend on existence of files, i.e. the
+// file matcher, which must know the root first.
 //
-// e.g. The 'header' directive goes before 'redir' so
-// that headers can be manipulated before doing redirects.
-//
-// e.g. The 'respond' directive is near the end because it
-// writes a response and terminates the middleware chain.
-var defaultDirectiveOrder = []string{
+// The header directive goes second so that headers
+// can be manipulated before doing redirects.
+var directiveOrder = []string{
 	"tracing",
 
-	// set variables that may be used by other directives
 	"map",
 	"vars",
 	"fs",
 	"root",
-	"log_append",
-	"skip_log", // TODO: deprecated, renamed to log_skip
-	"log_skip",
-	"log_name",
+	"skip_log",
 
 	"header",
 	"copy_response_headers", // only in reverse_proxy's handle_response
@@ -75,7 +64,6 @@ var defaultDirectiveOrder = []string{
 	"request_header",
 	"encode",
 	"push",
-	"intercept",
 	"templates",
 
 	// special routing & dispatching directives
@@ -96,10 +84,16 @@ var defaultDirectiveOrder = []string{
 	"acme_server",
 }
 
-// directiveOrder specifies the order to apply directives
-// in HTTP routes, after being modified by either the
-// plugins or by the user via the "order" global option.
-var directiveOrder = defaultDirectiveOrder
+// directiveIsOrdered returns true if dir is
+// a known, ordered (sorted) directive.
+func directiveIsOrdered(dir string) bool {
+	for _, d := range directiveOrder {
+		if d == dir {
+			return true
+		}
+	}
+	return false
+}
 
 // RegisterDirective registers a unique directive dir with an
 // associated unmarshaling (setup) function. When directive dir
@@ -136,53 +130,6 @@ func RegisterHandlerDirective(dir string, setupFunc UnmarshalHandlerFunc) {
 	})
 }
 
-// RegisterDirectiveOrder registers the default order for a
-// directive from a plugin.
-//
-// This is useful when a plugin has a well-understood place
-// it should run in the middleware pipeline, and it allows
-// users to avoid having to define the order themselves.
-//
-// The directive dir may be placed in the position relative
-// to ('before' or 'after') a directive included in Caddy's
-// standard distribution. It cannot be relative to another
-// plugin's directive.
-//
-// EXPERIMENTAL: This API may change or be removed.
-func RegisterDirectiveOrder(dir string, position Positional, standardDir string) {
-	// check if directive was already ordered
-	if slices.Contains(directiveOrder, dir) {
-		panic("directive '" + dir + "' already ordered")
-	}
-
-	if position != Before && position != After {
-		panic("the 2nd argument must be either 'before' or 'after', got '" + position + "'")
-	}
-
-	// check if directive exists in standard distribution, since
-	// we can't allow plugins to depend on one another; we can't
-	// guarantee the order that plugins are loaded in.
-	foundStandardDir := slices.Contains(defaultDirectiveOrder, standardDir)
-	if !foundStandardDir {
-		panic("the 3rd argument '" + standardDir + "' must be a directive that exists in the standard distribution of Caddy")
-	}
-
-	// insert directive into proper position
-	newOrder := directiveOrder
-	for i, d := range newOrder {
-		if d != standardDir {
-			continue
-		}
-		if position == Before {
-			newOrder = append(newOrder[:i], append([]string{dir}, newOrder[i:]...)...)
-		} else if position == After {
-			newOrder = append(newOrder[:i+1], append([]string{dir}, newOrder[i+1:]...)...)
-		}
-		break
-	}
-	directiveOrder = newOrder
-}
-
 // RegisterGlobalOption registers a unique global option opt with
 // an associated unmarshaling (setup) function. When the global
 // option opt is encountered in a Caddyfile, setupFunc will be
@@ -516,9 +463,9 @@ func sortRoutes(routes []ConfigValue) {
 // a "pile" of config values, keyed by class name,
 // as well as its parsed keys for convenience.
 type serverBlock struct {
-	block      caddyfile.ServerBlock
-	pile       map[string][]ConfigValue // config values obtained from directives
-	parsedKeys []Address
+	block caddyfile.ServerBlock
+	pile  map[string][]ConfigValue // config values obtained from directives
+	keys  []Address
 }
 
 // hostsFromKeys returns a list of all the non-empty hostnames found in
@@ -535,7 +482,7 @@ type serverBlock struct {
 func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			if !loggerMode {
 				// server block contains a key like ":443", i.e. the host portion
@@ -567,7 +514,7 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			continue
 		}
@@ -588,29 +535,25 @@ func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
-	return slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Host == ""
-	})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			return true
+		}
+	}
+	return false
 }
 
 // isAllHTTP returns true if all sb keys explicitly specify
 // the http:// scheme
 func (sb serverBlock) isAllHTTP() bool {
-	return !slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Scheme != "http"
-	})
+	for _, addr := range sb.keys {
+		if addr.Scheme != "http" {
+			return false
+		}
+	}
+	return true
 }
 
-// Positional are the supported modes for ordering directives.
-type Positional string
-
-const (
-	Before Positional = "before"
-	After  Positional = "after"
-	First  Positional = "first"
-	Last   Positional = "last"
-)
-
 type (
 	// UnmarshalFunc is a function which can unmarshal Caddyfile
 	// tokens into zero or more config values using a Helper type.

caddyconfig/httpcaddyfile/directives_test.go

@@ -78,7 +78,7 @@ func TestHostsFromKeys(t *testing.T) {
 			[]string{"example.com:2015"},
 		},
 	} {
-		sb := serverBlock{parsedKeys: tc.keys}
+		sb := serverBlock{keys: tc.keys}
 
 		// test in normal mode
 		actual := sb.hostsFromKeys(false)

caddyconfig/httpcaddyfile/httptype.go

@@ -15,17 +15,16 @@
 package httpcaddyfile
 
 import (
-	"cmp"
 	"encoding/json"
 	"fmt"
 	"net"
 	"reflect"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
 
 	"go.uber.org/zap"
+	"golang.org/x/exp/slices"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -172,7 +171,7 @@ func (st ServerType) Setup(
 	}
 
 	// map
-	sbmap, err := st.mapAddressToProtocolToServerBlocks(originalServerBlocks, options)
+	sbmap, err := st.mapAddressToServerBlocks(originalServerBlocks, options)
 	if err != nil {
 		return nil, warnings, err
 	}
@@ -187,25 +186,12 @@ func (st ServerType) Setup(
 		return nil, warnings, err
 	}
 
-	// hoist the metrics config from per-server to global
-	metrics, _ := options["metrics"].(*caddyhttp.Metrics)
-	for _, s := range servers {
-		if s.Metrics != nil {
-			metrics = cmp.Or[*caddyhttp.Metrics](metrics, &caddyhttp.Metrics{})
-			metrics = &caddyhttp.Metrics{
-				PerHost: metrics.PerHost || s.Metrics.PerHost,
-			}
-			s.Metrics = nil // we don't need it anymore
-		}
-	}
-
 	// now that each server is configured, make the HTTP app
 	httpApp := caddyhttp.App{
 		HTTPPort:      tryInt(options["http_port"], &warnings),
 		HTTPSPort:     tryInt(options["https_port"], &warnings),
 		GracePeriod:   tryDuration(options["grace_period"], &warnings),
 		ShutdownDelay: tryDuration(options["shutdown_delay"], &warnings),
-		Metrics:       metrics,
 		Servers:       servers,
 	}
 
@@ -416,20 +402,6 @@ func (ServerType) evaluateGlobalOptionsBlock(serverBlocks []serverBlock, options
 			options[opt] = append(existingOpts, logOpts...)
 			continue
 		}
-		// Also fold multiple "default_bind" options together into an
-		// array so that server blocks can have multiple binds by default.
-		if opt == "default_bind" {
-			existingOpts, ok := options[opt].([]ConfigValue)
-			if !ok {
-				existingOpts = []ConfigValue{}
-			}
-			defaultBindOpts, ok := val.([]ConfigValue)
-			if !ok {
-				return nil, fmt.Errorf("unexpected type from 'default_bind' global options: %T", val)
-			}
-			options[opt] = append(existingOpts, defaultBindOpts...)
-			continue
-		}
 
 		options[opt] = val
 	}
@@ -548,8 +520,8 @@ func (st *ServerType) serversFromPairings(
 	if hsp, ok := options["https_port"].(int); ok {
 		httpsPort = strconv.Itoa(hsp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}
 
@@ -564,81 +536,29 @@ func (st *ServerType) serversFromPairings(
 					if k == j {
 						continue
 					}
-					if slices.Contains(sblock2.block.GetKeysText(), key) {
+					if sliceContains(sblock2.block.GetKeysText(), key) {
 						return nil, fmt.Errorf("ambiguous site definition: %s", key)
 					}
 				}
 			}
 		}
 
-		var (
-			addresses []string
-			protocols [][]string
-		)
-
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-			protocols = append(protocols, addressWithProtocols.protocols)
-		}
-
 		srv := &caddyhttp.Server{
-			Listen:          addresses,
-			ListenProtocols: protocols,
-		}
-
-		// remove srv.ListenProtocols[j] if it only contains the default protocols
-		for j, lnProtocols := range srv.ListenProtocols {
-			srv.ListenProtocols[j] = nil
-			for _, lnProtocol := range lnProtocols {
-				if lnProtocol != "" {
-					srv.ListenProtocols[j] = lnProtocols
-					break
-				}
-			}
-		}
-
-		// remove srv.ListenProtocols if it only contains the default protocols for all listen addresses
-		listenProtocols := srv.ListenProtocols
-		srv.ListenProtocols = nil
-		for _, lnProtocols := range listenProtocols {
-			if lnProtocols != nil {
-				srv.ListenProtocols = listenProtocols
-				break
-			}
+			Listen: p.addresses,
 		}
 
 		// handle the auto_https global option
-		for _, val := range autoHTTPS {
-			switch val {
+		if autoHTTPS != "on" {
+			srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
+			switch autoHTTPS {
 			case "off":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.Disabled = true
-
 			case "disable_redirects":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableRedir = true
-
 			case "disable_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableCerts = true
-
 			case "ignore_loaded_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.IgnoreLoadedCerts = true
-
-			case "prefer_wildcard":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
-				srv.AutoHTTPS.PreferWildcard = true
 			}
 		}
 
@@ -646,7 +566,7 @@ func (st *ServerType) serversFromPairings(
 		// See ParseAddress() where parsing should later reject paths
 		// See https://github.com/caddyserver/caddy/pull/4728 for a full explanation
 		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				if addr.Path != "" {
 					caddy.Log().Named("caddyfile").Warn("Using a path in a site address is deprecated; please use the 'handle' directive instead", zap.String("address", addr.String()))
 				}
@@ -664,7 +584,7 @@ func (st *ServerType) serversFromPairings(
 			var iLongestPath, jLongestPath string
 			var iLongestHost, jLongestHost string
 			var iWildcardHost, jWildcardHost bool
-			for _, addr := range p.serverBlocks[i].parsedKeys {
+			for _, addr := range p.serverBlocks[i].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					iWildcardHost = true
 				}
@@ -675,7 +595,7 @@ func (st *ServerType) serversFromPairings(
 					iLongestPath = addr.Path
 				}
 			}
-			for _, addr := range p.serverBlocks[j].parsedKeys {
+			for _, addr := range p.serverBlocks[j].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					jWildcardHost = true
 				}
@@ -706,18 +626,8 @@ func (st *ServerType) serversFromPairings(
 			return specificity(iLongestHost) > specificity(jLongestHost)
 		})
 
-		// collect all hosts that have a wildcard in them
-		wildcardHosts := []string{}
-		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
-				if strings.HasPrefix(addr.Host, "*.") {
-					wildcardHosts = append(wildcardHosts, addr.Host[2:])
-				}
-			}
-		}
-
 		var hasCatchAllTLSConnPolicy, addressQualifiesForTLS bool
-		autoHTTPSWillAddConnPolicy := srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled
+		autoHTTPSWillAddConnPolicy := autoHTTPS != "off"
 
 		// if needed, the ServerLogConfig is initialized beforehand so
 		// that all server blocks can populate it with data, even when not
@@ -801,7 +711,7 @@ func (st *ServerType) serversFromPairings(
 				}
 			}
 
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				// if server only uses HTTP port, auto-HTTPS will not apply
 				if listenersUseAnyPortOtherThan(srv.Listen, httpPort) {
 					// exclude any hosts that were defined explicitly with "http://"
@@ -810,7 +720,7 @@ func (st *ServerType) serversFromPairings(
 						if srv.AutoHTTPS == nil {
 							srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 						}
-						if !slices.Contains(srv.AutoHTTPS.Skip, addr.Host) {
+						if !sliceContains(srv.AutoHTTPS.Skip, addr.Host) {
 							srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, addr.Host)
 						}
 					}
@@ -824,7 +734,7 @@ func (st *ServerType) serversFromPairings(
 				// https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
 				createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
 				hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
-					(addr.Host != "" && srv.AutoHTTPS != nil && !slices.Contains(srv.AutoHTTPS.Skip, addr.Host))
+					(addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))
 
 				// we'll need to remember if the address qualifies for auto-HTTPS, so we
 				// can add a TLS conn policy if necessary
@@ -832,19 +742,6 @@ func (st *ServerType) serversFromPairings(
 					(addr.Scheme != "http" && addr.Port != httpPort && hasTLSEnabled) {
 					addressQualifiesForTLS = true
 				}
-
-				// If prefer wildcard is enabled, then we add hosts that are
-				// already covered by the wildcard to the skip list
-				if addressQualifiesForTLS && srv.AutoHTTPS != nil && srv.AutoHTTPS.PreferWildcard {
-					baseDomain := addr.Host
-					if idx := strings.Index(baseDomain, "."); idx != -1 {
-						baseDomain = baseDomain[idx+1:]
-					}
-					if !strings.HasPrefix(addr.Host, "*.") && slices.Contains(wildcardHosts, baseDomain) {
-						srv.AutoHTTPS.SkipCerts = append(srv.AutoHTTPS.SkipCerts, addr.Host)
-					}
-				}
-
 				// predict whether auto-HTTPS will add the conn policy for us; if so, we
 				// may not need to add one for this server
 				autoHTTPSWillAddConnPolicy = autoHTTPSWillAddConnPolicy &&
@@ -900,15 +797,6 @@ func (st *ServerType) serversFromPairings(
 			sblockLogHosts := sblock.hostsFromKeys(true)
 			for _, cval := range sblock.pile["custom_log"] {
 				ncl := cval.Value.(namedCustomLog)
-
-				// if `no_hostname` is set, then this logger will not
-				// be associated with any of the site block's hostnames,
-				// and only be usable via the `log_name` directive
-				// or the `access_logger_names` variable
-				if ncl.noHostname {
-					continue
-				}
-
 				if sblock.hasHostCatchAllKey() && len(ncl.hostnames) == 0 {
 					// all requests for hosts not able to be listed should use
 					// this log because it's a catch-all-hosts server block
@@ -917,22 +805,22 @@ func (st *ServerType) serversFromPairings(
 					// if the logger overrides the hostnames, map that to the logger name
 					for _, h := range ncl.hostnames {
 						if srv.Logs.LoggerNames == nil {
-							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
+							srv.Logs.LoggerNames = make(map[string]string)
 						}
-						srv.Logs.LoggerNames[h] = append(srv.Logs.LoggerNames[h], ncl.name)
+						srv.Logs.LoggerNames[h] = ncl.name
 					}
 				} else {
 					// otherwise, map each host to the logger name
 					for _, h := range sblockLogHosts {
+						if srv.Logs.LoggerNames == nil {
+							srv.Logs.LoggerNames = make(map[string]string)
+						}
 						// strip the port from the host, if any
 						host, _, err := net.SplitHostPort(h)
 						if err != nil {
 							host = h
 						}
-						if srv.Logs.LoggerNames == nil {
-							srv.Logs.LoggerNames = make(map[string]caddyhttp.StringArray)
-						}
-						srv.Logs.LoggerNames[host] = append(srv.Logs.LoggerNames[host], ncl.name)
+						srv.Logs.LoggerNames[host] = ncl.name
 					}
 				}
 			}
@@ -976,10 +864,7 @@ func (st *ServerType) serversFromPairings(
 		if addressQualifiesForTLS &&
 			!hasCatchAllTLSConnPolicy &&
 			(len(srv.TLSConnPolicies) > 0 || !autoHTTPSWillAddConnPolicy || defaultSNI != "" || fallbackSNI != "") {
-			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{
-				DefaultSNI:  defaultSNI,
-				FallbackSNI: fallbackSNI,
-			})
+			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{DefaultSNI: defaultSNI, FallbackSNI: fallbackSNI})
 		}
 
 		// tidy things up a bit
@@ -992,7 +877,8 @@ func (st *ServerType) serversFromPairings(
 		servers[fmt.Sprintf("srv%d", i)] = srv
 	}
 
-	if err := applyServerOptions(servers, options, warnings); err != nil {
+	err := applyServerOptions(servers, options, warnings)
+	if err != nil {
 		return nil, fmt.Errorf("applying global server options: %v", err)
 	}
 
@@ -1037,7 +923,7 @@ func detectConflictingSchemes(srv *caddyhttp.Server, serverBlocks []serverBlock,
 	}
 
 	for _, sblock := range serverBlocks {
-		for _, addr := range sblock.parsedKeys {
+		for _, addr := range sblock.keys {
 			if addr.Scheme == "http" || addr.Port == httpPort {
 				if err := checkAndSetHTTP(addr); err != nil {
 					return err
@@ -1166,7 +1052,7 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 				} else if cps[i].CertSelection != nil && cps[j].CertSelection != nil {
 					// if both have one, then combine AnyTag
 					for _, tag := range cps[j].CertSelection.AnyTag {
-						if !slices.Contains(cps[i].CertSelection.AnyTag, tag) {
+						if !sliceContains(cps[i].CertSelection.AnyTag, tag) {
 							cps[i].CertSelection.AnyTag = append(cps[i].CertSelection.AnyTag, tag)
 						}
 					}
@@ -1249,7 +1135,7 @@ func appendSubrouteToRouteList(routeList caddyhttp.RouteList,
 func buildSubroute(routes []ConfigValue, groupCounter counter, needsSorting bool) (*caddyhttp.Subroute, error) {
 	if needsSorting {
 		for _, val := range routes {
-			if !slices.Contains(directiveOrder, val.directive) {
+			if !directiveIsOrdered(val.directive) {
 				return nil, fmt.Errorf("directive '%s' is not an ordered HTTP handler, so it cannot be used here - try placing within a route block or using the order global option", val.directive)
 			}
 		}
@@ -1396,24 +1282,19 @@ func matcherSetFromMatcherToken(
 	if tkn.Text == "*" {
 		// match all requests == no matchers, so nothing to do
 		return nil, true, nil
-	}
-
-	// convenient way to specify a single path match
-	if strings.HasPrefix(tkn.Text, "/") {
+	} else if strings.HasPrefix(tkn.Text, "/") {
+		// convenient way to specify a single path match
 		return caddy.ModuleMap{
 			"path": caddyconfig.JSON(caddyhttp.MatchPath{tkn.Text}, warnings),
 		}, true, nil
-	}
-
-	// pre-defined matcher
-	if strings.HasPrefix(tkn.Text, matcherPrefix) {
+	} else if strings.HasPrefix(tkn.Text, matcherPrefix) {
+		// pre-defined matcher
 		m, ok := matcherDefs[tkn.Text]
 		if !ok {
 			return nil, false, fmt.Errorf("unrecognized matcher name: %+v", tkn.Text)
 		}
 		return m, true, nil
 	}
-
 	return nil, false, nil
 }
 
@@ -1427,7 +1308,7 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 	var matcherPairs []*hostPathPair
 
 	var catchAllHosts bool
-	for _, addr := range sblock.parsedKeys {
+	for _, addr := range sblock.keys {
 		// choose a matcher pair that should be shared by this
 		// server block; if none exists yet, create one
 		var chosenMatcherPair *hostPathPair
@@ -1459,16 +1340,25 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 
 		// add this server block's keys to the matcher
 		// pair if it doesn't already exist
-		if addr.Host != "" && !slices.Contains(chosenMatcherPair.hostm, addr.Host) {
-			chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+		if addr.Host != "" {
+			var found bool
+			for _, h := range chosenMatcherPair.hostm {
+				if h == addr.Host {
+					found = true
+					break
+				}
+			}
+			if !found {
+				chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+			}
 		}
 	}
 
 	// iterate each pairing of host and path matchers and
 	// put them into a map for JSON encoding
-	var matcherSets []map[string]caddyhttp.RequestMatcherWithError
+	var matcherSets []map[string]caddyhttp.RequestMatcher
 	for _, mp := range matcherPairs {
-		matcherSet := make(map[string]caddyhttp.RequestMatcherWithError)
+		matcherSet := make(map[string]caddyhttp.RequestMatcher)
 		if len(mp.hostm) > 0 {
 			matcherSet["host"] = mp.hostm
 		}
@@ -1507,14 +1397,6 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 	// given a matcher name and the tokens following it, parse
 	// the tokens as a matcher module and record it
 	makeMatcher := func(matcherName string, tokens []caddyfile.Token) error {
-		// create a new dispenser from the tokens
-		dispenser := caddyfile.NewDispenser(tokens)
-
-		// set the matcher name (without @) in the dispenser context so
-		// that matcher modules can access it to use it as their name
-		// (e.g. regexp matchers which use the name for capture groups)
-		dispenser.SetContext(caddyfile.MatcherNameCtxKey, definitionName[1:])
-
 		mod, err := caddy.GetModule("http.matchers." + matcherName)
 		if err != nil {
 			return fmt.Errorf("getting matcher module '%s': %v", matcherName, err)
@@ -1523,21 +1405,16 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 		if !ok {
 			return fmt.Errorf("matcher module '%s' is not a Caddyfile unmarshaler", matcherName)
 		}
-		err = unm.UnmarshalCaddyfile(dispenser)
+		err = unm.UnmarshalCaddyfile(caddyfile.NewDispenser(tokens))
 		if err != nil {
 			return err
 		}
-
-		if rm, ok := unm.(caddyhttp.RequestMatcherWithError); ok {
-			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
-			return nil
+		rm, ok := unm.(caddyhttp.RequestMatcher)
+		if !ok {
+			return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
 		}
-		// nolint:staticcheck
-		if rm, ok := unm.(caddyhttp.RequestMatcher); ok {
-			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
-			return nil
-		}
-		return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
+		matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
+		return nil
 	}
 
 	// if the next token is quoted, we can assume it's not a matcher name
@@ -1545,13 +1422,11 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 	if d.NextArg() {
 		if d.Token().Quoted() {
 			// since it was missing the matcher name, we insert a token
-			// in front of the expression token itself; we use Clone() to
-			// make the new token to keep the same the import location as
-			// the next token, if this is within a snippet or imported file.
-			// see https://github.com/caddyserver/caddy/issues/6287
-			expressionToken := d.Token().Clone()
-			expressionToken.Text = "expression"
-			err := makeMatcher("expression", []caddyfile.Token{expressionToken, d.Token()})
+			// in front of the expression token itself
+			err := makeMatcher("expression", []caddyfile.Token{
+				{Text: "expression", File: d.File(), Line: d.Line()},
+				d.Token(),
+			})
 			if err != nil {
 				return err
 			}
@@ -1581,7 +1456,7 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 	return nil
 }
 
-func encodeMatcherSet(matchers map[string]caddyhttp.RequestMatcherWithError) (caddy.ModuleMap, error) {
+func encodeMatcherSet(matchers map[string]caddyhttp.RequestMatcher) (caddy.ModuleMap, error) {
 	msEncoded := make(caddy.ModuleMap)
 	for matcherName, val := range matchers {
 		jsonBytes, err := json.Marshal(val)
@@ -1641,6 +1516,16 @@ func tryDuration(val any, warnings *[]caddyconfig.Warning) caddy.Duration {
 	return durationVal
 }
 
+// sliceContains returns true if needle is in haystack.
+func sliceContains(haystack []string, needle string) bool {
+	for _, s := range haystack {
+		if s == needle {
+			return true
+		}
+	}
+	return false
+}
+
 // listenersUseAnyPortOtherThan returns true if there are any
 // listeners in addresses that use a port which is not otherPort.
 // Mostly borrowed from unexported method in caddyhttp package.
@@ -1698,25 +1583,17 @@ func (c counter) nextGroup() string {
 }
 
 type namedCustomLog struct {
-	name       string
-	hostnames  []string
-	log        *caddy.CustomLog
-	noHostname bool
-}
-
-// addressWithProtocols associates a listen address with
-// the protocols to serve it with
-type addressWithProtocols struct {
-	address   string
-	protocols []string
+	name      string
+	hostnames []string
+	log       *caddy.CustomLog
 }
 
 // sbAddrAssociation is a mapping from a list of
-// addresses with protocols, and a list of server
-// blocks that are served on those addresses.
+// addresses to a list of server blocks that are
+// served on those addresses.
 type sbAddrAssociation struct {
-	addressesWithProtocols []addressWithProtocols
-	serverBlocks           []serverBlock
+	addresses    []string
+	serverBlocks []serverBlock
 }
 
 const (

caddyconfig/httpcaddyfile/options.go

@@ -15,16 +15,14 @@
 package httpcaddyfile
 
 import (
-	"slices"
 	"strconv"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
@@ -32,15 +30,14 @@ func init() {
 	RegisterGlobalOption("debug", parseOptTrue)
 	RegisterGlobalOption("http_port", parseOptHTTPPort)
 	RegisterGlobalOption("https_port", parseOptHTTPSPort)
-	RegisterGlobalOption("default_bind", parseOptDefaultBind)
+	RegisterGlobalOption("default_bind", parseOptStringList)
 	RegisterGlobalOption("grace_period", parseOptDuration)
 	RegisterGlobalOption("shutdown_delay", parseOptDuration)
 	RegisterGlobalOption("default_sni", parseOptSingleString)
 	RegisterGlobalOption("fallback_sni", parseOptSingleString)
 	RegisterGlobalOption("order", parseOptOrder)
 	RegisterGlobalOption("storage", parseOptStorage)
-	RegisterGlobalOption("storage_check", parseStorageCheck)
-	RegisterGlobalOption("storage_clean_interval", parseStorageCleanInterval)
+	RegisterGlobalOption("storage_clean_interval", parseOptDuration)
 	RegisterGlobalOption("renew_interval", parseOptDuration)
 	RegisterGlobalOption("ocsp_interval", parseOptDuration)
 	RegisterGlobalOption("acme_ca", parseOptSingleString)
@@ -55,10 +52,8 @@ func init() {
 	RegisterGlobalOption("local_certs", parseOptTrue)
 	RegisterGlobalOption("key_type", parseOptSingleString)
 	RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
-	RegisterGlobalOption("metrics", parseMetricsOptions)
 	RegisterGlobalOption("servers", parseServerOptions)
 	RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
-	RegisterGlobalOption("cert_lifetime", parseOptDuration)
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
@@ -112,35 +107,36 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 	if !d.Next() {
 		return nil, d.ArgErr()
 	}
-	pos := Positional(d.Val())
+	pos := d.Val()
 
-	// if directive already had an order, drop it
-	newOrder := slices.DeleteFunc(directiveOrder, func(d string) bool {
-		return d == dirName
-	})
+	newOrder := directiveOrder
 
-	// act on the positional; if it's First or Last, we're done right away
+	// if directive exists, first remove it
+	for i, d := range newOrder {
+		if d == dirName {
+			newOrder = append(newOrder[:i], newOrder[i+1:]...)
+			break
+		}
+	}
+
+	// act on the positional
 	switch pos {
-	case First:
+	case "first":
 		newOrder = append([]string{dirName}, newOrder...)
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
-
-	case Last:
+	case "last":
 		newOrder = append(newOrder, dirName)
 		if d.NextArg() {
 			return nil, d.ArgErr()
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
-
-	// if it's Before or After, continue
-	case Before:
-	case After:
-
+	case "before":
+	case "after":
 	default:
 		return nil, d.Errf("unknown positional '%s'", pos)
 	}
@@ -154,17 +150,17 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		return nil, d.ArgErr()
 	}
 
-	// get the position of the target directive
-	targetIndex := slices.Index(newOrder, otherDir)
-	if targetIndex == -1 {
-		return nil, d.Errf("directive '%s' not found", otherDir)
+	// insert directive into proper position
+	for i, d := range newOrder {
+		if d == otherDir {
+			if pos == "before" {
+				newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
+			} else if pos == "after" {
+				newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
+			}
+			break
+		}
 	}
-	// if we're inserting after, we need to increment the index to go after
-	if pos == After {
-		targetIndex++
-	}
-	// insert the directive into the new order
-	newOrder = slices.Insert(newOrder, targetIndex, dirName)
 
 	directiveOrder = newOrder
 
@@ -190,40 +186,6 @@ func parseOptStorage(d *caddyfile.Dispenser, _ any) (any, error) {
 	return storage, nil
 }
 
-func parseStorageCheck(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	if !d.Next() {
-		return "", d.ArgErr()
-	}
-	val := d.Val()
-	if d.Next() {
-		return "", d.ArgErr()
-	}
-	if val != "off" {
-		return "", d.Errf("storage_check must be 'off'")
-	}
-	return val, nil
-}
-
-func parseStorageCleanInterval(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	if !d.Next() {
-		return "", d.ArgErr()
-	}
-	val := d.Val()
-	if d.Next() {
-		return "", d.ArgErr()
-	}
-	if val == "off" {
-		return false, nil
-	}
-	dur, err := caddy.ParseDuration(d.Val())
-	if err != nil {
-		return nil, d.Errf("failed to parse storage_clean_interval, must be a duration or 'off' %w", err)
-	}
-	return caddy.Duration(dur), nil
-}
-
 func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
 	if !d.Next() { // consume option name
 		return nil, d.ArgErr()
@@ -250,9 +212,9 @@ func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
 	if err != nil {
 		return nil, err
 	}
-	prov, ok := unm.(certmagic.DNSProvider)
+	prov, ok := unm.(certmagic.ACMEDNSProvider)
 	if !ok {
-		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
+		return nil, d.Errf("module %s (%T) is not a certmagic.ACMEDNSProvider", modID, unm)
 	}
 	return prov, nil
 }
@@ -321,32 +283,13 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 	return val, nil
 }
 
-func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
+func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
-
-	var addresses, protocols []string
-	addresses = d.RemainingArgs()
-
-	if len(addresses) == 0 {
-		addresses = append(addresses, "")
+	val := d.RemainingArgs()
+	if len(val) == 0 {
+		return "", d.ArgErr()
 	}
-
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "protocols":
-			protocols = d.RemainingArgs()
-			if len(protocols) == 0 {
-				return nil, d.Errf("protocols requires one or more arguments")
-			}
-		default:
-			return nil, d.Errf("unknown subdirective: %s", d.Val())
-		}
-	}
-
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
-	}}}, nil
+	return val, nil
 }
 
 func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
@@ -402,39 +345,40 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
-			if ond.PermissionRaw != nil {
-				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
-			}
 			perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
 			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
 
-		case "permission":
+		case "interval":
 			if !d.NextArg() {
 				return nil, d.ArgErr()
 			}
+			dur, err := caddy.ParseDuration(d.Val())
+			if err != nil {
+				return nil, err
+			}
 			if ond == nil {
 				ond = new(caddytls.OnDemandConfig)
 			}
-			if ond.PermissionRaw != nil {
-				return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
+			if ond.RateLimit == nil {
+				ond.RateLimit = new(caddytls.RateLimit)
 			}
-			modName := d.Val()
-			modID := "tls.permission." + modName
-			unm, err := caddyfile.UnmarshalModule(d, modID)
+			ond.RateLimit.Interval = caddy.Duration(dur)
+
+		case "burst":
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			burst, err := strconv.Atoi(d.Val())
 			if err != nil {
 				return nil, err
 			}
-			perm, ok := unm.(caddytls.OnDemandPermission)
-			if !ok {
-				return nil, d.Errf("module %s (%T) is not an on-demand TLS permission module", modID, unm)
+			if ond == nil {
+				ond = new(caddytls.OnDemandConfig)
 			}
-			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
-
-		case "interval":
-			return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported, remove it from your config")
-
-		case "burst":
-			return nil, d.Errf("the on_demand_tls 'burst' option is no longer supported, remove it from your config")
+			if ond.RateLimit == nil {
+				ond.RateLimit = new(caddytls.RateLimit)
+			}
+			ond.RateLimit.Burst = burst
 
 		default:
 			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
@@ -463,44 +407,19 @@ func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
 
 func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
-	val := d.RemainingArgs()
-	if len(val) == 0 {
+	if !d.Next() {
 		return "", d.ArgErr()
 	}
-	for _, v := range val {
-		switch v {
-		case "off":
-		case "disable_redirects":
-		case "disable_certs":
-		case "ignore_loaded_certs":
-		case "prefer_wildcard":
-			break
-
-		default:
-			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
-		}
+	val := d.Val()
+	if d.Next() {
+		return "", d.ArgErr()
+	}
+	if val != "off" && val != "disable_redirects" && val != "disable_certs" && val != "ignore_loaded_certs" {
+		return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
 	}
 	return val, nil
 }
 
-func unmarshalCaddyfileMetricsOptions(d *caddyfile.Dispenser) (any, error) {
-	d.Next() // consume option name
-	metrics := new(caddyhttp.Metrics)
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "per_host":
-			metrics.PerHost = true
-		default:
-			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
-		}
-	}
-	return metrics, nil
-}
-
-func parseMetricsOptions(d *caddyfile.Dispenser, _ any) (any, error) {
-	return unmarshalCaddyfileMetricsOptions(d)
-}
-
 func parseServerOptions(d *caddyfile.Dispenser, _ any) (any, error) {
 	return unmarshalCaddyfileServerOptions(d)
 }

caddyconfig/httpcaddyfile/serveroptions.go

@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"fmt"
-	"slices"
 
 	"github.com/dustin/go-humanize"
 
@@ -51,7 +50,6 @@ type serverOptions struct {
 	ClientIPHeaders      []string
 	ShouldLogCredentials bool
 	Metrics              *caddyhttp.Metrics
-	Trace                bool // TODO: EXPERIMENTAL
 }
 
 func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
@@ -181,7 +179,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
 					return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
 				}
-				if slices.Contains(serverOpts.Protocols, proto) {
+				if sliceContains(serverOpts.Protocols, proto) {
 					return nil, d.Errf("protocol %s specified more than once", proto)
 				}
 				serverOpts.Protocols = append(serverOpts.Protocols, proto)
@@ -230,7 +228,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
-				if slices.Contains(serverOpts.ClientIPHeaders, header) {
+				if sliceContains(serverOpts.ClientIPHeaders, header) {
 					return nil, d.Errf("client IP header %s specified more than once", header)
 				}
 				serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
@@ -240,20 +238,47 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 
 		case "metrics":
-			caddy.Log().Warn("The nested 'metrics' option inside `servers` is deprecated and will be removed in the next major version. Use the global 'metrics' option instead.")
-			serverOpts.Metrics = new(caddyhttp.Metrics)
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				switch d.Val() {
-				case "per_host":
-					serverOpts.Metrics.PerHost = true
-				}
-			}
-
-		case "trace":
 			if d.NextArg() {
 				return nil, d.ArgErr()
 			}
-			serverOpts.Trace = true
+			if nesting := d.Nesting(); d.NextBlock(nesting) {
+				return nil, d.ArgErr()
+			}
+			serverOpts.Metrics = new(caddyhttp.Metrics)
+
+		// TODO: DEPRECATED. (August 2022)
+		case "protocol":
+			caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol sub-option will be removed soon")
+
+			for nesting := d.Nesting(); d.NextBlock(nesting); {
+				switch d.Val() {
+				case "allow_h2c":
+					caddy.Log().Named("caddyfile").Warn("DEPRECATED: allow_h2c will be removed soon; use protocols option instead")
+
+					if d.NextArg() {
+						return nil, d.ArgErr()
+					}
+					if sliceContains(serverOpts.Protocols, "h2c") {
+						return nil, d.Errf("protocol h2c already specified")
+					}
+					serverOpts.Protocols = append(serverOpts.Protocols, "h2c")
+
+				case "strict_sni_host":
+					caddy.Log().Named("caddyfile").Warn("DEPRECATED: protocol > strict_sni_host in this position will be removed soon; move up to the servers block instead")
+
+					if d.NextArg() && d.Val() != "insecure_off" && d.Val() != "on" {
+						return nil, d.Errf("strict_sni_host only supports 'on' or 'insecure_off', got '%s'", d.Val())
+					}
+					boolVal := true
+					if d.Val() == "insecure_off" {
+						boolVal = false
+					}
+					serverOpts.StrictSNIHost = &boolVal
+
+				default:
+					return nil, d.Errf("unrecognized protocol option '%s'", d.Val())
+				}
+			}
 
 		default:
 			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
@@ -266,7 +291,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 func applyServerOptions(
 	servers map[string]*caddyhttp.Server,
 	options map[string]any,
-	_ *[]caddyconfig.Warning,
+	warnings *[]caddyconfig.Warning,
 ) error {
 	serverOpts, ok := options["servers"].([]serverOptions)
 	if !ok {
@@ -290,15 +315,24 @@ func applyServerOptions(
 
 	for key, server := range servers {
 		// find the options that apply to this server
-		optsIndex := slices.IndexFunc(serverOpts, func(s serverOptions) bool {
-			return s.ListenerAddress == "" || slices.Contains(server.Listen, s.ListenerAddress)
-		})
+		opts := func() *serverOptions {
+			for _, entry := range serverOpts {
+				if entry.ListenerAddress == "" {
+					return &entry
+				}
+				for _, listener := range server.Listen {
+					if entry.ListenerAddress == listener {
+						return &entry
+					}
+				}
+			}
+			return nil
+		}()
 
 		// if none apply, then move to the next server
-		if optsIndex == -1 {
+		if opts == nil {
 			continue
 		}
-		opts := serverOpts[optsIndex]
 
 		// set all the options
 		server.ListenerWrappersRaw = opts.ListenerWrappersRaw
@@ -317,17 +351,10 @@ func applyServerOptions(
 		server.Metrics = opts.Metrics
 		if opts.ShouldLogCredentials {
 			if server.Logs == nil {
-				server.Logs = new(caddyhttp.ServerLogConfig)
+				server.Logs = &caddyhttp.ServerLogConfig{}
 			}
 			server.Logs.ShouldLogCredentials = opts.ShouldLogCredentials
 		}
-		if opts.Trace {
-			// TODO: THIS IS EXPERIMENTAL (MAY 2024)
-			if server.Logs == nil {
-				server.Logs = new(caddyhttp.ServerLogConfig)
-			}
-			server.Logs.Trace = opts.Trace
-		}
 
 		if opts.Name != "" {
 			nameReplacements[key] = opts.Name

caddyconfig/httpcaddyfile/shorthands.go

@@ -33,10 +33,9 @@ func NewShorthandReplacer() ShorthandReplacer {
 		{regexp.MustCompile(`{path\.([\w-]*)}`), "{http.request.uri.path.$1}"},
 		{regexp.MustCompile(`{file\.([\w-]*)}`), "{http.request.uri.path.file.$1}"},
 		{regexp.MustCompile(`{query\.([\w-]*)}`), "{http.request.uri.query.$1}"},
-		{regexp.MustCompile(`{re\.([\w-\.]*)}`), "{http.regexp.$1}"},
+		{regexp.MustCompile(`{re\.([\w-]*)\.([\w-]*)}`), "{http.regexp.$1.$2}"},
 		{regexp.MustCompile(`{vars\.([\w-]*)}`), "{http.vars.$1}"},
 		{regexp.MustCompile(`{rp\.([\w-\.]*)}`), "{http.reverse_proxy.$1}"},
-		{regexp.MustCompile(`{resp\.([\w-\.]*)}`), "{http.intercept.$1}"},
 		{regexp.MustCompile(`{err\.([\w-\.]*)}`), "{http.error.$1}"},
 		{regexp.MustCompile(`{file_match\.([\w-]*)}`), "{http.matchers.file.$1}"},
 	}

caddyconfig/httpcaddyfile/tlsapp.go

@@ -19,13 +19,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez/acme"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -45,8 +44,8 @@ func (st ServerType) buildTLSApp(
 	if hp, ok := options["http_port"].(int); ok {
 		httpPort = strconv.Itoa(hp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}
 
@@ -54,25 +53,23 @@ func (st ServerType) buildTLSApp(
 	// key, so that they don't get forgotten/omitted by auto-HTTPS
 	// (since they won't appear in route matchers)
 	httpsHostsSharedWithHostlessKey := make(map[string]struct{})
-	if !slices.Contains(autoHTTPS, "off") {
+	if autoHTTPS != "off" {
 		for _, pair := range pairings {
 			for _, sb := range pair.serverBlocks {
-				for _, addr := range sb.parsedKeys {
-					if addr.Host != "" {
-						continue
-					}
-
-					// this server block has a hostless key, now
-					// go through and add all the hosts to the set
-					for _, otherAddr := range sb.parsedKeys {
-						if otherAddr.Original == addr.Original {
-							continue
-						}
-						if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
-							httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+				for _, addr := range sb.keys {
+					if addr.Host == "" {
+						// this server block has a hostless key, now
+						// go through and add all the hosts to the set
+						for _, otherAddr := range sb.keys {
+							if otherAddr.Original == addr.Original {
+								continue
+							}
+							if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
+								httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+							}
 						}
+						break
 					}
-					break
 				}
 			}
 		}
@@ -92,32 +89,9 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP)
 	}
 
-	// collect all hosts that have a wildcard in them, and arent HTTP
-	wildcardHosts := []string{}
-	for _, p := range pairings {
-		var addresses []string
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-		}
-		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
-			continue
-		}
-		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
-				if strings.HasPrefix(addr.Host, "*.") {
-					wildcardHosts = append(wildcardHosts, addr.Host[2:])
-				}
-			}
-		}
-	}
-
 	for _, p := range pairings {
 		// avoid setting up TLS automation policies for a server that is HTTP-only
-		var addresses []string
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-		}
-		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
+		if !listenersUseAnyPortOtherThan(p.addresses, httpPort) {
 			continue
 		}
 
@@ -134,12 +108,6 @@ func (st ServerType) buildTLSApp(
 				return nil, warnings, err
 			}
 
-			// make a plain copy so we can compare whether we made any changes
-			apCopy, err := newBaseAutomationPolicy(options, warnings, true)
-			if err != nil {
-				return nil, warnings, err
-			}
-
 			sblockHosts := sblock.hostsFromKeys(false)
 			if len(sblockHosts) == 0 && catchAllAP != nil {
 				ap = catchAllAP
@@ -213,8 +181,8 @@ func (st ServerType) buildTLSApp(
 					if acmeIssuer.Challenges.BindHost == "" {
 						// only binding to one host is supported
 						var bindHost string
-						if asserted, ok := cfgVal.Value.(addressesWithProtocols); ok && len(asserted.addresses) > 0 {
-							bindHost = asserted.addresses[0]
+						if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 {
+							bindHost = bindHosts[0]
 						}
 						acmeIssuer.Challenges.BindHost = bindHost
 					}
@@ -242,21 +210,9 @@ func (st ServerType) buildTLSApp(
 				catchAllAP = ap
 			}
 
-			hostsNotHTTP := sblock.hostsFromKeysNotHTTP(httpPort)
-			sort.Strings(hostsNotHTTP) // solely for deterministic test results
-
-			// if the we prefer wildcards and the AP is unchanged,
-			// then we can skip this AP because it should be covered
-			// by an AP with a wildcard
-			if slices.Contains(autoHTTPS, "prefer_wildcard") {
-				if hostsCoveredByWildcard(hostsNotHTTP, wildcardHosts) &&
-					reflect.DeepEqual(ap, apCopy) {
-					continue
-				}
-			}
-
 			// associate our new automation policy with this server block's hosts
-			ap.SubjectsRaw = hostsNotHTTP
+			ap.SubjectsRaw = sblock.hostsFromKeysNotHTTP(httpPort)
+			sort.Strings(ap.SubjectsRaw) // solely for deterministic test results
 
 			// if a combination of public and internal names were given
 			// for this same server block and no issuer was specified, we
@@ -268,7 +224,7 @@ func (st ServerType) buildTLSApp(
 				var internal, external []string
 				for _, s := range ap.SubjectsRaw {
 					// do not create Issuers for Tailscale domains; they will be given a Manager instead
-					if isTailscaleDomain(s) {
+					if strings.HasSuffix(strings.ToLower(s), ".ts.net") {
 						continue
 					}
 					if !certmagic.SubjectQualifiesForCert(s) {
@@ -295,7 +251,6 @@ func (st ServerType) buildTLSApp(
 					ap2.IssuersRaw = []json.RawMessage{caddyconfig.JSONModuleObject(caddytls.InternalIssuer{}, "module", "internal", &warnings)}
 				}
 			}
-
 			if tlsApp.Automation == nil {
 				tlsApp.Automation = new(caddytls.AutomationConfig)
 			}
@@ -349,16 +304,6 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.OnDemand = onDemand
 	}
 
-	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
-	if sc, ok := options["storage_check"].(string); ok && sc == "off" {
-		tlsApp.DisableStorageCheck = true
-	}
-
-	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
-	if sci, ok := options["storage_clean_interval"].(bool); ok && !sci {
-		tlsApp.DisableStorageClean = true
-	}
-
 	// set the storage clean interval if configured
 	if storageCleanInterval, ok := options["storage_clean_interval"].(caddy.Duration); ok {
 		if tlsApp.Automation == nil {
@@ -399,7 +344,7 @@ func (st ServerType) buildTLSApp(
 	internalAP := &caddytls.AutomationPolicy{
 		IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
 	}
-	if !slices.Contains(autoHTTPS, "off") && !slices.Contains(autoHTTPS, "disable_certs") {
+	if autoHTTPS != "off" {
 		for h := range httpsHostsSharedWithHostlessKey {
 			al = append(al, h)
 			if !certmagic.SubjectQualifiesForPublicCert(h) {
@@ -433,12 +378,15 @@ func (st ServerType) buildTLSApp(
 				if len(ap.Issuers) == 0 && automationPolicyHasAllPublicNames(ap) {
 					// for public names, create default issuers which will later be filled in with configured global defaults
 					// (internal names will implicitly use the internal issuer at auto-https time)
-					emailStr, _ := globalEmail.(string)
-					ap.Issuers = caddytls.DefaultIssuers(emailStr)
+					ap.Issuers = caddytls.DefaultIssuers()
 
 					// if a specific endpoint is configured, can't use multiple default issuers
 					if globalACMECA != nil {
-						ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+						if strings.Contains(globalACMECA.(string), "zerossl") {
+							ap.Issuers = []certmagic.Issuer{&caddytls.ZeroSSLIssuer{ACMEIssuer: new(caddytls.ACMEIssuer)}}
+						} else {
+							ap.Issuers = []certmagic.Issuer{new(caddytls.ACMEIssuer)}
+						}
 					}
 				}
 			}
@@ -511,8 +459,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	globalACMEDNS := options["acme_dns"]
 	globalACMEEAB := options["acme_eab"]
 	globalPreferredChains := options["preferred_chains"]
-	globalCertLifetime := options["cert_lifetime"]
-	globalHTTPPort, globalHTTPSPort := options["http_port"], options["https_port"]
 
 	if globalEmail != nil && acmeIssuer.Email == "" {
 		acmeIssuer.Email = globalEmail.(string)
@@ -520,7 +466,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECA != nil && acmeIssuer.CA == "" {
 		acmeIssuer.CA = globalACMECA.(string)
 	}
-	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
+	if globalACMECARoot != nil && !sliceContains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
 	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
@@ -536,27 +482,6 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil {
 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference)
 	}
-	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) {
-		if acmeIssuer.Challenges == nil {
-			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
-		}
-		if acmeIssuer.Challenges.HTTP == nil {
-			acmeIssuer.Challenges.HTTP = new(caddytls.HTTPChallengeConfig)
-		}
-		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int)
-	}
-	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) {
-		if acmeIssuer.Challenges == nil {
-			acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
-		}
-		if acmeIssuer.Challenges.TLSALPN == nil {
-			acmeIssuer.Challenges.TLSALPN = new(caddytls.TLSALPNChallengeConfig)
-		}
-		acmeIssuer.Challenges.TLSALPN.AlternatePort = globalHTTPSPort.(int)
-	}
-	if globalCertLifetime != nil && acmeIssuer.CertificateLifetime == 0 {
-		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
-	}
 	return nil
 }
 
@@ -565,11 +490,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 // for any other automation policies. A nil policy (and no error) will be
 // returned if there are no default/global options. However, if always is
 // true, a non-nil value will always be returned (unless there is an error).
-func newBaseAutomationPolicy(
-	options map[string]any,
-	_ []caddyconfig.Warning,
-	always bool,
-) (*caddytls.AutomationPolicy, error) {
+func newBaseAutomationPolicy(options map[string]any, warnings []caddyconfig.Warning, always bool) (*caddytls.AutomationPolicy, error) {
 	issuers, hasIssuers := options["cert_issuer"]
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
@@ -635,7 +556,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 			if !automationPolicyHasAllPublicNames(aps[i]) {
 				// if this automation policy has internal names, we might as well remove it
 				// so auto-https can implicitly use the internal issuer
-				aps = slices.Delete(aps, i, i+1)
+				aps = append(aps[:i], aps[i+1:]...)
 				i--
 			}
 		}
@@ -652,7 +573,7 @@ outer:
 		for j := i + 1; j < len(aps); j++ {
 			// if they're exactly equal in every way, just keep one of them
 			if reflect.DeepEqual(aps[i], aps[j]) {
-				aps = slices.Delete(aps, j, j+1)
+				aps = append(aps[:j], aps[j+1:]...)
 				// must re-evaluate current i against next j; can't skip it!
 				// even if i decrements to -1, will be incremented to 0 immediately
 				i--
@@ -682,18 +603,18 @@ outer:
 					// cause example.com to be served by the less specific policy for
 					// '*.com', which might be different (yes we've seen this happen)
 					if automationPolicyShadows(i, aps) >= j {
-						aps = slices.Delete(aps, i, i+1)
+						aps = append(aps[:i], aps[i+1:]...)
 						i--
 						continue outer
 					}
 				} else {
 					// avoid repeated subjects
 					for _, subj := range aps[j].SubjectsRaw {
-						if !slices.Contains(aps[i].SubjectsRaw, subj) {
+						if !sliceContains(aps[i].SubjectsRaw, subj) {
 							aps[i].SubjectsRaw = append(aps[i].SubjectsRaw, subj)
 						}
 					}
-					aps = slices.Delete(aps, j, j+1)
+					aps = append(aps[:j], aps[j+1:]...)
 					j--
 				}
 			}
@@ -713,9 +634,13 @@ func automationPolicyIsSubset(a, b *caddytls.AutomationPolicy) bool {
 		return false
 	}
 	for _, aSubj := range a.SubjectsRaw {
-		inSuperset := slices.ContainsFunc(b.SubjectsRaw, func(bSubj string) bool {
-			return certmagic.MatchWildcard(aSubj, bSubj)
-		})
+		var inSuperset bool
+		for _, bSubj := range b.SubjectsRaw {
+			if certmagic.MatchWildcard(aSubj, bSubj) {
+				inSuperset = true
+				break
+			}
+		}
 		if !inSuperset {
 			return false
 		}
@@ -741,47 +666,17 @@ func automationPolicyShadows(i int, aps []*caddytls.AutomationPolicy) int {
 // subjectQualifiesForPublicCert is like certmagic.SubjectQualifiesForPublicCert() except
 // that this allows domains with multiple wildcard levels like '*.*.example.com' to qualify
 // if the automation policy has OnDemand enabled (i.e. this function is more lenient).
-//
-// IP subjects are considered as non-qualifying for public certs. Technically, there are
-// now public ACME CAs as well as non-ACME CAs that issue IP certificates. But this function
-// is used solely for implicit automation (defaults), where it gets really complicated to
-// keep track of which issuers support IP certificates in which circumstances. Currently,
-// issuers that support IP certificates are very few, and all require some sort of config
-// from the user anyway (such as an account credential). Since we cannot implicitly and
-// automatically get public IP certs without configuration from the user, we treat IPs as
-// not qualifying for public certificates. Users should expressly configure an issuer
-// that supports IP certs for that purpose.
 func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) bool {
 	return !certmagic.SubjectIsIP(subj) &&
 		!certmagic.SubjectIsInternal(subj) &&
 		(strings.Count(subj, "*.") < 2 || ap.OnDemand)
 }
 
-// automationPolicyHasAllPublicNames returns true if all the names on the policy
-// do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
-	return !slices.ContainsFunc(ap.SubjectsRaw, func(i string) bool {
-		return !subjectQualifiesForPublicCert(ap, i) || isTailscaleDomain(i)
-	})
-}
-
-func isTailscaleDomain(name string) bool {
-	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
-}
-
-func hostsCoveredByWildcard(hosts []string, wildcards []string) bool {
-	if len(hosts) == 0 || len(wildcards) == 0 {
-		return false
-	}
-	for _, host := range hosts {
-		for _, wildcard := range wildcards {
-			if strings.HasPrefix(host, "*.") {
-				continue
-			}
-			if certmagic.MatchWildcard(host, "*."+wildcard) {
-				return true
-			}
+	for _, subj := range ap.SubjectsRaw {
+		if !subjectQualifiesForPublicCert(ap, subj) {
+			return false
 		}
 	}
-	return false
+	return true
 }

caddyconfig/httploader.go

@@ -181,16 +181,19 @@ func (hl HTTPLoader) makeClient(ctx caddy.Context) (*http.Client, error) {
 			if err != nil {
 				return nil, fmt.Errorf("getting server identity credentials: %v", err)
 			}
-			// See https://github.com/securego/gosec/issues/1054#issuecomment-2072235199
-			//nolint:gosec
-			tlsConfig = &tls.Config{Certificates: certs}
+			if tlsConfig == nil {
+				tlsConfig = new(tls.Config)
+			}
+			tlsConfig.Certificates = certs
 		} else if hl.TLS.ClientCertificateFile != "" && hl.TLS.ClientCertificateKeyFile != "" {
 			cert, err := tls.LoadX509KeyPair(hl.TLS.ClientCertificateFile, hl.TLS.ClientCertificateKeyFile)
 			if err != nil {
 				return nil, err
 			}
-			//nolint:gosec
-			tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
+			if tlsConfig == nil {
+				tlsConfig = new(tls.Config)
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
 
 		// trusted server certs

caddytest/caddytest.go

@@ -36,7 +36,7 @@ type Defaults struct {
 	// Port we expect caddy to listening on
 	AdminPort int
 	// Certificates we expect to be loaded before attempting to run the tests
-	Certificates []string
+	Certifcates []string
 	// TestRequestTimeout is the time to wait for a http request to
 	TestRequestTimeout time.Duration
 	// LoadRequestTimeout is the time to wait for the config to be loaded against the caddy server
@@ -46,7 +46,7 @@ type Defaults struct {
 // Default testing values
 var Default = Defaults{
 	AdminPort:          2999, // different from what a real server also running on a developer's machine might be
-	Certificates:       []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
+	Certifcates:        []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
 	TestRequestTimeout: 5 * time.Second,
 	LoadRequestTimeout: 5 * time.Second,
 }
@@ -136,20 +136,6 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	})
 
 	rawConfig = prependCaddyFilePath(rawConfig)
-	// normalize JSON config
-	if configType == "json" {
-		tc.t.Logf("Before: %s", rawConfig)
-		var conf any
-		if err := json.Unmarshal([]byte(rawConfig), &conf); err != nil {
-			return err
-		}
-		c, err := json.Marshal(conf)
-		if err != nil {
-			return err
-		}
-		rawConfig = string(c)
-		tc.t.Logf("After: %s", rawConfig)
-	}
 	client := &http.Client{
 		Timeout: Default.LoadRequestTimeout,
 	}
@@ -245,7 +231,7 @@ const initConfig = `{
 // designated path and Caddy sub-process is running.
 func validateTestPrerequisites(t testing.TB) error {
 	// check certificates are found
-	for _, certName := range Default.Certificates {
+	for _, certName := range Default.Certifcates {
 		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
 			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
 		}

caddytest/caddytest_test.go

@@ -1,7 +1,6 @@
 package caddytest
 
 import (
-	"net/http"
 	"strings"
 	"testing"
 )
@@ -32,97 +31,3 @@ func TestReplaceCertificatePaths(t *testing.T) {
 		t.Error("expected redirect uri to be unchanged")
 	}
 }
-
-func TestLoadUnorderedJSON(t *testing.T) {
-	tester := NewTester(t)
-	tester.InitServer(`
-	{
-		"logging": {
-			"logs": {
-				"default": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					}
-				},
-				"sStdOutLogs": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					},
-					"include": [
-						"http.*",
-						"admin.*"
-					]
-				},
-				"sFileLogs": {
-					"level": "DEBUG",
-					"writer": {
-						"output": "stdout"
-					},
-					"include": [
-						"http.*",
-						"admin.*"
-					]
-				}
-			}
-		},
-		"admin": {
-			"listen": "localhost:2999"
-		},
-		"apps": {
-			"pki": {
-				"certificate_authorities" : {
-				  "local" : {
-					"install_trust": false
-				  }
-				}
-			},
-			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
-				"servers": {
-					"s_server": {
-						"listen": [
-							":9080"
-						],
-						"routes": [
-							{
-								"handle": [
-									{
-										"handler": "static_response",
-										"body": "Hello"
-									}
-								]
-							},
-							{
-								"match": [
-									{
-										"host": [
-											"localhost",
-											"127.0.0.1"
-										]
-									}
-								]
-							}
-						],
-						"logs": {
-							"default_logger_name": "sStdOutLogs",
-							"logger_names": {
-								"localhost": "sStdOutLogs",
-								"127.0.0.1": "sFileLogs"
-							}
-						}
-					}
-				}
-			}
-		}
-	}
-  `, "json")
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080/", nil)
-	if err != nil {
-		t.Fail()
-		return
-	}
-	tester.AssertResponseCode(req, 200)
-}

caddytest/integration/acme_test.go

@@ -13,8 +13,8 @@ import (
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
-	"github.com/mholt/acmez/v2"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez"
+	"github.com/mholt/acmez/acme"
 	smallstepacme "github.com/smallstep/certificates/acme"
 	"go.uber.org/zap"
 )
@@ -77,7 +77,7 @@ func TestACMEServerWithDefaults(t *testing.T) {
 		return
 	}
 
-	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
+	certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"})
 	if err != nil {
 		t.Errorf("obtaining certificate: %v", err)
 		return
@@ -146,7 +146,7 @@ func TestACMEServerWithMismatchedChallenges(t *testing.T) {
 		return
 	}
 
-	certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
+	certs, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"localhost"})
 	if len(certs) > 0 {
 		t.Errorf("expected '0' certificates, but received '%d'", len(certs))
 	}

caddytest/integration/acmeserver_test.go

@@ -9,8 +9,8 @@ import (
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
-	"github.com/mholt/acmez/v2"
-	"github.com/mholt/acmez/v2/acme"
+	"github.com/mholt/acmez"
+	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 )
 
@@ -105,7 +105,12 @@ func TestACMEServerAllowPolicy(t *testing.T) {
 		return
 	}
 	{
-		certs, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"localhost"})
+		certs, err := client.ObtainCertificate(
+			ctx,
+			account,
+			certPrivateKey,
+			[]string{"localhost"},
+		)
 		if err != nil {
 			t.Errorf("obtaining certificate for allowed domain: %v", err)
 			return
@@ -121,7 +126,7 @@ func TestACMEServerAllowPolicy(t *testing.T) {
 		}
 	}
 	{
-		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
+		_, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'not-matching.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
@@ -194,7 +199,7 @@ func TestACMEServerDenyPolicy(t *testing.T) {
 		return
 	}
 	{
-		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"})
+		_, err := client.ObtainCertificate(ctx, account, certPrivateKey, []string{"deny.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'deny.localhost' domain")
 		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {

caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest

@@ -1,67 +0,0 @@
-{
-	pki {
-		ca internal {
-			name "Internal"
-			root_cn "Internal Root Cert"
-			intermediate_cn "Internal Intermediate Cert"
-		}
-	}
-}
-acme.example.com {
-	acme_server {
-		ca internal
-		sign_with_root
-	}
-}
-
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"acme.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"ca": "internal",
-													"handler": "acme_server",
-													"sign_with_root": true
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"pki": {
-			"certificate_authorities": {
-				"internal": {
-					"name": "Internal",
-					"root_common_name": "Internal Root Cert",
-					"intermediate_common_name": "Internal Intermediate Cert"
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest

@@ -1,109 +0,0 @@
-{
-	auto_https prefer_wildcard
-}
-
-*.example.com {
-	tls {
-		dns mock
-	}
-	respond "fallback"
-}
-
-foo.example.com {
-	respond "foo"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"skip_certificates": [
-							"foo.example.com"
-						],
-						"prefer_wildcard": true
-					}
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"*.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest

@@ -1,268 +0,0 @@
-{
-	auto_https prefer_wildcard
-}
-
-# Covers two domains
-*.one.example.com {
-	tls {
-		dns mock
-	}
-	respond "one fallback"
-}
-
-# Is covered, should not get its own AP
-foo.one.example.com {
-	respond "foo one"
-}
-
-# This one has its own tls config so it doesn't get covered (escape hatch)
-bar.one.example.com {
-	respond "bar one"
-	tls bar@bar.com
-}
-
-# Covers nothing but AP gets consolidated with the first
-*.two.example.com {
-	tls {
-		dns mock
-	}
-	respond "two fallback"
-}
-
-# Is HTTP so it should not cover
-http://*.three.example.com {
-	respond "three fallback"
-}
-
-# Has no wildcard coverage so it gets an AP
-foo.three.example.com {
-	respond "foo three"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.three.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo three",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"foo.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo one",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"bar.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "bar one",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "one fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.two.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "two fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"skip_certificates": [
-							"foo.one.example.com",
-							"bar.one.example.com"
-						],
-						"prefer_wildcard": true
-					}
-				},
-				"srv1": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"*.three.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "three fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"prefer_wildcard": true
-					}
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"foo.three.example.com"
-						]
-					},
-					{
-						"subjects": [
-							"bar.one.example.com"
-						],
-						"issuers": [
-							{
-								"email": "bar@bar.com",
-								"module": "acme"
-							},
-							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
-								"email": "bar@bar.com",
-								"module": "acme"
-							}
-						]
-					},
-					{
-						"subjects": [
-							"*.one.example.com",
-							"*.two.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/bind_fd_fdgram_h123.caddyfiletest

@@ -1,142 +0,0 @@
-{
-	auto_https disable_redirects
-	admin off
-}
-
-http://localhost {
-	bind fd/{env.CADDY_HTTP_FD} {
-		protocols h1
-	}
-	log
-	respond "Hello, HTTP!"
-}
-
-https://localhost {
-	bind fd/{env.CADDY_HTTPS_FD} {
-		protocols h1 h2
-	}
-	bind fdgram/{env.CADDY_HTTP3_FD} {
-		protocols h3
-	}
-	log
-	respond "Hello, HTTPS!"
-}
-----------
-{
-	"admin": {
-		"disabled": true
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						"fd/{env.CADDY_HTTPS_FD}",
-						"fdgram/{env.CADDY_HTTP3_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTPS!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1",
-							"h2"
-						],
-						[
-							"h3"
-						]
-					]
-				},
-				"srv1": {
-					"automatic_https": {
-						"disable_redirects": true
-					}
-				},
-				"srv2": {
-					"listen": [
-						"fd/{env.CADDY_HTTP_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTP!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true,
-						"skip": [
-							"localhost"
-						]
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1"
-						]
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/expression_quotes.caddyfiletest

@@ -1,7 +1,3 @@
-(snippet) {
-	@g `{http.error.status_code} == 404`
-}
-
 example.com
 
 @a expression {http.error.status_code} == 400
@@ -18,12 +14,6 @@ abort @d
 
 @e expression `{http.error.status_code} == 404`
 abort @e
-
-@f `{http.error.status_code} == 404`
-abort @f
-
-import snippet
-abort @g
 ----------
 {
 	"apps": {
@@ -94,10 +84,7 @@ abort @g
 											],
 											"match": [
 												{
-													"expression": {
-														"expr": "{http.error.status_code} == 403",
-														"name": "d"
-													}
+													"expression": "{http.error.status_code} == 403"
 												}
 											]
 										},
@@ -110,42 +97,7 @@ abort @g
 											],
 											"match": [
 												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "e"
-													}
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"abort": true,
-													"handler": "static_response"
-												}
-											],
-											"match": [
-												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "f"
-													}
-												}
-											]
-										},
-										{
-											"handle": [
-												{
-													"abort": true,
-													"handler": "static_response"
-												}
-											],
-											"match": [
-												{
-													"expression": {
-														"expr": "{http.error.status_code} == 404",
-														"name": "g"
-													}
+													"expression": "{http.error.status_code} == 404"
 												}
 											]
 										}

caddytest/integration/caddyfile_adapt/file_server_etag_file_extensions.caddyfiletest

@@ -1,40 +0,0 @@
-:8080 {
-	root * ./
-	file_server {
-		etag_file_extensions .b3sum .sha256
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8080"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "vars",
-									"root": "./"
-								},
-								{
-									"etag_file_extensions": [
-										".b3sum",
-										".sha256"
-									],
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/file_server_file_limit.caddyfiletest

@@ -1,36 +0,0 @@
-:80
-
-file_server {
-	browse {
-		file_limit 4000
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"browse": {
-										"file_limit": 4000
-									},
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/file_server_sort.caddyfiletest

@@ -1,39 +0,0 @@
-:80
-
-file_server {
-	browse {
-		sort size desc
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"browse": {
-										"sort": [
-											"size",
-											"desc"
-										]
-									},
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/forward_auth_authelia.caddyfiletest

@@ -1,6 +1,6 @@
 app.example.com {
 	forward_auth authelia:9091 {
-		uri /api/authz/forward-auth
+		uri /api/verify?rd=https://authelia.example.com
 		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
 	}
 
@@ -39,13 +39,6 @@ app.example.com {
 																]
 															},
 															"routes": [
-																{
-																	"handle": [
-																		{
-																			"handler": "vars"
-																		}
-																	]
-																},
 																{
 																	"handle": [
 																		{
@@ -54,104 +47,19 @@ app.example.com {
 																				"set": {
 																					"Remote-Email": [
 																						"{http.reverse_proxy.header.Remote-Email}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Email}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-Groups": [
 																						"{http.reverse_proxy.header.Remote-Groups}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Groups}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-Name": [
 																						"{http.reverse_proxy.header.Remote-Name}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Name}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-User": [
 																						"{http.reverse_proxy.header.Remote-User}"
 																					]
 																				}
 																			}
 																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-User}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
 																	]
 																}
 															]
@@ -172,7 +80,7 @@ app.example.com {
 													},
 													"rewrite": {
 														"method": "GET",
-														"uri": "/api/authz/forward-auth"
+														"uri": "/api/verify?rd=https://authelia.example.com"
 													},
 													"upstreams": [
 														{

caddytest/integration/caddyfile_adapt/forward_auth_rename_headers.caddyfiletest

@@ -28,13 +28,6 @@ forward_auth localhost:9000 {
 												]
 											},
 											"routes": [
-												{
-													"handle": [
-														{
-															"handler": "vars"
-														}
-													]
-												},
 												{
 													"handle": [
 														{
@@ -43,131 +36,22 @@ forward_auth localhost:9000 {
 																"set": {
 																	"1": [
 																		"{http.reverse_proxy.header.A}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.A}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
-																	"B": [
-																		"{http.reverse_proxy.header.B}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.B}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
+																	],
 																	"3": [
 																		"{http.reverse_proxy.header.C}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.C}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
+																	],
+																	"5": [
+																		"{http.reverse_proxy.header.E}"
+																	],
+																	"B": [
+																		"{http.reverse_proxy.header.B}"
+																	],
 																	"D": [
 																		"{http.reverse_proxy.header.D}"
 																	]
 																}
 															}
 														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.D}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
-																	"5": [
-																		"{http.reverse_proxy.header.E}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.E}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
 													]
 												}
 											]

caddytest/integration/caddyfile_adapt/global_options.caddyfiletest

@@ -9,8 +9,6 @@
 	storage file_system {
 		root /data
 	}
-	storage_check off
-	storage_clean_interval off
 	acme_ca https://example.com
 	acme_ca_root /path/to/ca.crt
 	ocsp_stapling off
@@ -19,6 +17,8 @@
 	admin off
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	local_certs
 	key_type ed25519
@@ -72,12 +72,14 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				}
 			},
-			"disable_ocsp_stapling": true,
-			"disable_storage_check": true,
-			"disable_storage_clean": true
+			"disable_ocsp_stapling": true
 		}
 	}
 }

caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest

@@ -17,6 +17,8 @@
 	admin off
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	storage_clean_interval 7d
 	renew_interval 1d
@@ -61,14 +63,6 @@
 						"issuers": [
 							{
 								"ca": "https://example.com",
-								"challenges": {
-									"http": {
-										"alternate_port": 8080
-									},
-									"tls-alpn": {
-										"alternate_port": 8443
-									}
-								},
 								"email": "test@example.com",
 								"external_account": {
 									"key_id": "4K2scIVbBpNd-78scadB2g",
@@ -87,6 +81,10 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				},
 				"ocsp_interval": 172800000000000,

caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest

@@ -16,6 +16,8 @@
 	}
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	local_certs
 	key_type ed25519
@@ -72,6 +74,10 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				}
 			}

caddytest/integration/caddyfile_adapt/global_options_preferred_chains.caddyfiletest

@@ -40,6 +40,12 @@ example.com
 								"preferred_chains": {
 									"smallest": true
 								}
+							},
+							{
+								"module": "zerossl",
+								"preferred_chains": {
+									"smallest": true
+								}
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/heredoc.caddyfiletest

@@ -1,12 +1,11 @@
 example.com {
-	respond <<EOF
+    respond <<EOF
     <html>
       <head><title>Foo</title>
       <body>Foo</body>
     </html>
     EOF 200
 }
-
 ----------
 {
 	"apps": {

caddytest/integration/caddyfile_adapt/import_args_snippet.caddyfiletest

@@ -72,12 +72,8 @@ b.example.com {
 					],
 					"logs": {
 						"logger_names": {
-							"a.example.com": [
-								"log0"
-							],
-							"b.example.com": [
-								"log1"
-							]
+							"a.example.com": "log0",
+							"b.example.com": "log1"
 						}
 					}
 				}

caddytest/integration/caddyfile_adapt/import_block_snippet.caddyfiletest

@@ -1,58 +0,0 @@
-(snippet) {
-	header {
-		{block}
-	}
-}
-
-example.com {
-	import snippet {
-		foo bar
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"bar"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/import_block_snippet_args.caddyfiletest

@@ -1,56 +0,0 @@
-(snippet) {
-	{block}
-}
-
-example.com {
-	import snippet {
-		header foo bar
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"bar"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/import_blocks_snippet.caddyfiletest

@@ -1,76 +0,0 @@
-(snippet) {
-	header {
-		{blocks.foo}
-	}
-	header {
-		{blocks.bar}
-	}
-}
-
-example.com {
-	import snippet {
-		foo {
-			foo a
-		}
-		bar {
-			bar b
-		}
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"a"
-															]
-														}
-													}
-												},
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Bar": [
-																"b"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/import_blocks_snippet_nested.caddyfiletest

@@ -1,82 +0,0 @@
-(snippet) {
-	header {
-		{blocks.bar}
-	}
-	import sub_snippet {
-		bar {
-			{blocks.foo}
-		}
-	}
-}
-(sub_snippet) {
-	header {
-		{blocks.bar}
-	}
-}
-example.com {
-	import snippet {
-		foo {
-			foo a
-		}
-		bar {
-			bar b
-		}
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Bar": [
-																"b"
-															]
-														}
-													}
-												},
-												{
-													"handler": "headers",
-													"response": {
-														"set": {
-															"Foo": [
-																"a"
-															]
-														}
-													}
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/intercept_response.caddyfiletest

@@ -1,230 +0,0 @@
-localhost
-
-respond "To intercept"
-
-intercept {
-	@500 status 500
-	replace_status @500 400
-
-	@all status 2xx 3xx 4xx 5xx
-	replace_status @all {http.error.status_code}
-
-	replace_status {http.error.status_code}
-
-	@accel header X-Accel-Redirect *
-	handle_response @accel {
-		respond "Header X-Accel-Redirect!"
-	}
-
-	@another {
-		header X-Another *
-	}
-	handle_response @another {
-		respond "Header X-Another!"
-	}
-
-	@401 status 401
-	handle_response @401 {
-		respond "Status 401!"
-	}
-
-	handle_response {
-		respond "Any! This should be last in the JSON!"
-	}
-
-	@403 {
-		status 403
-	}
-	handle_response @403 {
-		respond "Status 403!"
-	}
-
-	@multi {
-		status 401 403
-		status 404
-		header Foo *
-		header Bar *
-	}
-	handle_response @multi {
-		respond "Headers Foo, Bar AND statuses 401, 403 and 404!"
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handle_response": [
-														{
-															"match": {
-																"status_code": [
-																	500
-																]
-															},
-															"status_code": 400
-														},
-														{
-															"match": {
-																"status_code": [
-																	2,
-																	3,
-																	4,
-																	5
-																]
-															},
-															"status_code": "{http.error.status_code}"
-														},
-														{
-															"match": {
-																"headers": {
-																	"X-Accel-Redirect": [
-																		"*"
-																	]
-																}
-															},
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Header X-Accel-Redirect!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														},
-														{
-															"match": {
-																"headers": {
-																	"X-Another": [
-																		"*"
-																	]
-																}
-															},
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Header X-Another!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														},
-														{
-															"match": {
-																"status_code": [
-																	401
-																]
-															},
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Status 401!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														},
-														{
-															"match": {
-																"status_code": [
-																	403
-																]
-															},
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Status 403!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														},
-														{
-															"match": {
-																"headers": {
-																	"Bar": [
-																		"*"
-																	],
-																	"Foo": [
-																		"*"
-																	]
-																},
-																"status_code": [
-																	401,
-																	403,
-																	404
-																]
-															},
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Headers Foo, Bar AND statuses 401, 403 and 404!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														},
-														{
-															"status_code": "{http.error.status_code}"
-														},
-														{
-															"routes": [
-																{
-																	"handle": [
-																		{
-																			"body": "Any! This should be last in the JSON!",
-																			"handler": "static_response"
-																		}
-																	]
-																}
-															]
-														}
-													],
-													"handler": "intercept"
-												},
-												{
-													"body": "To intercept",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/log_add.caddyfiletest

@@ -1,71 +0,0 @@
-:80 {
-	log
-
-	vars foo foo
-
-	log_append const bar
-	log_append vars foo
-	log_append placeholder {path}
-
-	log_append /only-for-this-path secret value
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"foo": "foo",
-									"handler": "vars"
-								}
-							]
-						},
-						{
-							"match": [
-								{
-									"path": [
-										"/only-for-this-path"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "log_append",
-									"key": "secret",
-									"value": "value"
-								}
-							]
-						},
-						{
-							"handle": [
-								{
-									"handler": "log_append",
-									"key": "const",
-									"value": "bar"
-								},
-								{
-									"handler": "log_append",
-									"key": "vars",
-									"value": "foo"
-								},
-								{
-									"handler": "log_append",
-									"key": "placeholder",
-									"value": "{http.request.uri.path}"
-								}
-							]
-						}
-					],
-					"logs": {}
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/log_append_encoder.caddyfiletest

@@ -1,63 +0,0 @@
-{
-	log {
-		format append {
-			wrap json
-			fields {
-				wrap "foo"
-			}
-			env {env.EXAMPLE}
-			int 1
-			float 1.1
-			bool true
-			string "string"
-		}
-	}
-}
-
-:80 {
-	respond "Hello, World!"
-}
-----------
-{
-	"logging": {
-		"logs": {
-			"default": {
-				"encoder": {
-					"fields": {
-						"bool": true,
-						"env": "{env.EXAMPLE}",
-						"float": 1.1,
-						"int": 1,
-						"string": "string",
-						"wrap": "foo"
-					},
-					"format": "append",
-					"wrap": {
-						"format": "json"
-					}
-				}
-			}
-		}
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"body": "Hello, World!",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/log_except_catchall_blocks.caddyfiletest

@@ -1,7 +1,7 @@
 http://localhost:2020 {
 	log
-	log_skip /first-hidden*
-	log_skip /second-hidden*
+	skip_log /first-hidden*
+	skip_log /second-hidden*
 	respond 200
 }
 
@@ -34,7 +34,7 @@ http://localhost:2020 {
 											"handle": [
 												{
 													"handler": "vars",
-													"log_skip": true
+													"skip_log": true
 												}
 											],
 											"match": [
@@ -49,7 +49,7 @@ http://localhost:2020 {
 											"handle": [
 												{
 													"handler": "vars",
-													"log_skip": true
+													"skip_log": true
 												}
 											],
 											"match": [
@@ -99,9 +99,7 @@ http://localhost:2020 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost": [
-								""
-							]
+							"localhost": ""
 						},
 						"skip_unmapped_hosts": true
 					}

caddytest/integration/caddyfile_adapt/log_filter_with_header.txt

@@ -1,151 +0,0 @@
-localhost {
-	log {
-		output file ./caddy.access.log
-	}
-	log health_check_log {
-		output file ./caddy.access.health.log
-		no_hostname
-	}
-	log general_log {
-		output file ./caddy.access.general.log
-		no_hostname
-	}
-	@healthCheck `header_regexp('User-Agent', '^some-regexp$') || path('/healthz*')`
-	handle @healthCheck {
-		log_name health_check_log general_log
-		respond "Healthy"
-	}
-
-	handle {
-		respond "Hello World"
-	}
-}
-----------
-{
-	"logging": {
-		"logs": {
-			"default": {
-				"exclude": [
-					"http.log.access.general_log",
-					"http.log.access.health_check_log",
-					"http.log.access.log0"
-				]
-			},
-			"general_log": {
-				"writer": {
-					"filename": "./caddy.access.general.log",
-					"output": "file"
-				},
-				"include": [
-					"http.log.access.general_log"
-				]
-			},
-			"health_check_log": {
-				"writer": {
-					"filename": "./caddy.access.health.log",
-					"output": "file"
-				},
-				"include": [
-					"http.log.access.health_check_log"
-				]
-			},
-			"log0": {
-				"writer": {
-					"filename": "./caddy.access.log",
-					"output": "file"
-				},
-				"include": [
-					"http.log.access.log0"
-				]
-			}
-		}
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"group": "group2",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"access_logger_names": [
-																		"health_check_log",
-																		"general_log"
-																	],
-																	"handler": "vars"
-																},
-																{
-																	"body": "Healthy",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											],
-											"match": [
-												{
-													"expression": {
-														"expr": "header_regexp('User-Agent', '^some-regexp$') || path('/healthz*')",
-														"name": "healthCheck"
-													}
-												}
-											]
-										},
-										{
-											"group": "group2",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"body": "Hello World",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								"log0"
-							]
-						}
-					}
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/log_filters.caddyfiletest

@@ -4,31 +4,27 @@ log {
 	output stdout
 	format filter {
 		wrap console
-
-		# long form, with "fields" wrapper
 		fields {
 			uri query {
 				replace foo REDACTED
 				delete bar
 				hash baz
 			}
+			request>headers>Authorization replace REDACTED
+			request>headers>Server delete
+			request>headers>Cookie cookie {
+				replace foo REDACTED
+				delete bar
+				hash baz
+			}
+			request>remote_ip ip_mask {
+				ipv4 24
+				ipv6 32
+			}
+			request>client_ip ip_mask 16 32
+			request>headers>Regexp regexp secret REDACTED
+			request>headers>Hash hash
 		}
-
-		# short form, flatter structure
-		request>headers>Authorization replace REDACTED
-		request>headers>Server delete
-		request>headers>Cookie cookie {
-			replace foo REDACTED
-			delete bar
-			hash baz
-		}
-		request>remote_ip ip_mask {
-			ipv4 24
-			ipv6 32
-		}
-		request>client_ip ip_mask 16 32
-		request>headers>Regexp regexp secret REDACTED
-		request>headers>Hash hash
 	}
 }
 ----------

caddytest/integration/caddyfile_adapt/log_multi_logger_name.caddyfiletest

@@ -1,117 +0,0 @@
-(log-both) {
-	log {args[0]}-json {
-		hostnames {args[0]}
-		output file /var/log/{args[0]}.log
-		format json
-	}
-	log {args[0]}-console {
-		hostnames {args[0]}
-		output file /var/log/{args[0]}.json
-		format console
-	}
-}
-
-*.example.com {
-	# Subdomains log to multiple files at once, with
-	# different output files and formats.
-	import log-both foo.example.com
-	import log-both bar.example.com
-}
-----------
-{
-	"logging": {
-		"logs": {
-			"bar.example.com-console": {
-				"writer": {
-					"filename": "/var/log/bar.example.com.json",
-					"output": "file"
-				},
-				"encoder": {
-					"format": "console"
-				},
-				"include": [
-					"http.log.access.bar.example.com-console"
-				]
-			},
-			"bar.example.com-json": {
-				"writer": {
-					"filename": "/var/log/bar.example.com.log",
-					"output": "file"
-				},
-				"encoder": {
-					"format": "json"
-				},
-				"include": [
-					"http.log.access.bar.example.com-json"
-				]
-			},
-			"default": {
-				"exclude": [
-					"http.log.access.bar.example.com-console",
-					"http.log.access.bar.example.com-json",
-					"http.log.access.foo.example.com-console",
-					"http.log.access.foo.example.com-json"
-				]
-			},
-			"foo.example.com-console": {
-				"writer": {
-					"filename": "/var/log/foo.example.com.json",
-					"output": "file"
-				},
-				"encoder": {
-					"format": "console"
-				},
-				"include": [
-					"http.log.access.foo.example.com-console"
-				]
-			},
-			"foo.example.com-json": {
-				"writer": {
-					"filename": "/var/log/foo.example.com.log",
-					"output": "file"
-				},
-				"encoder": {
-					"format": "json"
-				},
-				"include": [
-					"http.log.access.foo.example.com-json"
-				]
-			}
-		}
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"logs": {
-						"logger_names": {
-							"bar.example.com": [
-								"bar.example.com-json",
-								"bar.example.com-console"
-							],
-							"foo.example.com": [
-								"foo.example.com-json",
-								"foo.example.com-console"
-							]
-						}
-					}
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/log_override_hostname.caddyfiletest

@@ -75,15 +75,9 @@ example.com:8443 {
 					],
 					"logs": {
 						"logger_names": {
-							"bar.example.com": [
-								"log0"
-							],
-							"baz.example.com": [
-								"log1"
-							],
-							"foo.example.com": [
-								"log0"
-							]
+							"bar.example.com": "log0",
+							"baz.example.com": "log1",
+							"foo.example.com": "log0"
 						}
 					}
 				},
@@ -105,9 +99,7 @@ example.com:8443 {
 					],
 					"logs": {
 						"logger_names": {
-							"example.com": [
-								"log2"
-							]
+							"example.com": "log2"
 						}
 					}
 				}

caddytest/integration/caddyfile_adapt/log_override_name_multiaccess.caddyfiletest

@@ -76,9 +76,7 @@ http://localhost:8881 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost": [
-								"foo"
-							]
+							"localhost": "foo"
 						}
 					}
 				}

caddytest/integration/caddyfile_adapt/log_override_name_multiaccess_debug.caddyfiletest

@@ -81,9 +81,7 @@ http://localhost:8881 {
 					},
 					"logs": {
 						"logger_names": {
-							"localhost": [
-								"foo"
-							]
+							"localhost": "foo"
 						}
 					}
 				}

caddytest/integration/caddyfile_adapt/log_skip_hosts.caddyfiletest

@@ -63,9 +63,7 @@ example.com {
 					],
 					"logs": {
 						"logger_names": {
-							"one.example.com": [
-								""
-							]
+							"one.example.com": ""
 						},
 						"skip_hosts": [
 							"example.com",

caddytest/integration/caddyfile_adapt/map_and_vars_with_raw_types.caddyfiletest

@@ -1,23 +1,23 @@
 example.com
 
-map {host} {my_placeholder} {magic_number} {
+map {host}             {my_placeholder}  {magic_number} {
 	# Should output boolean "true" and an integer
-	example.com true 3
+	example.com        true              3
 
 	# Should output a string and null
-	foo.example.com "string value"
+	foo.example.com    "string value"
 
 	# Should output two strings (quoted int)
-	(.*)\.example.com "${1} subdomain" "5"
+	(.*)\.example.com  "${1} subdomain"  "5"
 
 	# Should output null and a string (quoted int)
-	~.*\.net$ - `7`
+	~.*\.net$          -                 `7`
 
 	# Should output a float and the string "false"
-	~.*\.xyz$ 123.456 "false"
+	~.*\.xyz$          123.456           "false"
 
 	# Should output two strings, second being escaped quote
-	default "unknown domain" \"""
+	default            "unknown domain"  \"""
 }
 
 vars foo bar
@@ -27,7 +27,6 @@ vars {
 	ghi 2.3
 	jkl "mn op"
 }
-
 ----------
 {
 	"apps": {

caddytest/integration/caddyfile_adapt/matcher_syntax.caddyfiletest

@@ -46,18 +46,6 @@
 
 	@matcher12 client_ip private_ranges
 	respond @matcher12 "client_ip matcher with private ranges"
-
-	@matcher13 {
-		remote_ip 1.1.1.1
-		remote_ip 2.2.2.2
-	}
-	respond @matcher13 "remote_ip merged"
-
-	@matcher14 {
-		client_ip 1.1.1.1
-		client_ip 2.2.2.2
-	}
-	respond @matcher14 "client_ip merged"
 }
 ----------
 {
@@ -158,7 +146,6 @@
 								{
 									"vars_regexp": {
 										"{http.request.uri}": {
-											"name": "matcher6",
 											"pattern": "\\.([a-f0-9]{6})\\.(css|js)$"
 										}
 									}
@@ -174,10 +161,7 @@
 						{
 							"match": [
 								{
-									"expression": {
-										"expr": "path('/foo*') \u0026\u0026 method('GET')",
-										"name": "matcher7"
-									}
+									"expression": "path('/foo*') \u0026\u0026 method('GET')"
 								}
 							],
 							"handle": [
@@ -291,42 +275,6 @@
 									"handler": "static_response"
 								}
 							]
-						},
-						{
-							"match": [
-								{
-									"remote_ip": {
-										"ranges": [
-											"1.1.1.1",
-											"2.2.2.2"
-										]
-									}
-								}
-							],
-							"handle": [
-								{
-									"body": "remote_ip merged",
-									"handler": "static_response"
-								}
-							]
-						},
-						{
-							"match": [
-								{
-									"client_ip": {
-										"ranges": [
-											"1.1.1.1",
-											"2.2.2.2"
-										]
-									}
-								}
-							],
-							"handle": [
-								{
-									"body": "client_ip merged",
-									"handler": "static_response"
-								}
-							]
 						}
 					]
 				}

caddytest/integration/caddyfile_adapt/metrics_merge_options.caddyfiletest

@@ -1,39 +0,0 @@
-{
-	metrics
-	servers :80 {
-		metrics {
-			per_host
-		}
-	}
-}
-:80 {
-	respond "Hello"
-}
-
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"body": "Hello",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			},
-			"metrics": {
-				"per_host": true
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/metrics_perhost.caddyfiletest

@@ -1,37 +0,0 @@
-{
-	servers :80 {
-		metrics {
-			per_host
-		}
-	}
-}
-:80 {
-	respond "Hello"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"body": "Hello",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			},
-			"metrics": {
-				"per_host": true
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_dynamic_upstreams_grace_period.caddyfiletest

@@ -1,38 +0,0 @@
-:8884 {
-	reverse_proxy {
-		dynamic srv {
-			name foo
-			refresh 5m
-			grace_period 5s
-		}
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"dynamic_upstreams": {
-										"grace_period": 5000000000,
-										"name": "foo",
-										"refresh": 300000000000,
-										"source": "srv"
-									},
-									"handler": "reverse_proxy"
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_health_method.caddyfiletest

@@ -1,40 +0,0 @@
-:8884
-
-reverse_proxy 127.0.0.1:65535 {
-	health_uri /health
-	health_method HEAD
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"health_checks": {
-										"active": {
-											"method": "HEAD",
-											"uri": "/health"
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_health_reqbody.caddyfiletest

@@ -1,40 +0,0 @@
-:8884
-
-reverse_proxy 127.0.0.1:65535 {
-	health_uri /health
-	health_request_body "test body"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"health_checks": {
-										"active": {
-											"body": "test body",
-											"uri": "/health"
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_tls_file_cert.txt

@@ -1,47 +0,0 @@
-:8884
-reverse_proxy 127.0.0.1:65535 {
-	transport http {
-		tls_trust_pool file {
-			pem_file ../caddy.ca.cer
-		}
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"transport": {
-										"protocol": "http",
-										"tls": {
-											"ca": {
-												"pem_files": [
-													"../caddy.ca.cer"
-												],
-												"provider": "file"
-											}
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_http_transport_tls_inline_cert.txt

@@ -1,47 +0,0 @@
-:8884
-reverse_proxy 127.0.0.1:65535 {
-	transport http {
-		tls_trust_pool inline {
-			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
-		}
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"transport": {
-										"protocol": "http",
-										"tls": {
-											"ca": {
-												"provider": "inline",
-												"trusted_ca_certs": [
-													"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
-												]
-											}
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_localaddr.caddyfiletest

@@ -1,57 +0,0 @@
-https://example.com {
-	reverse_proxy http://localhost:54321 {
-		transport http {
-			local_address 192.168.0.1
-		}
-	}
-}
-
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "reverse_proxy",
-													"transport": {
-														"local_address": "192.168.0.1",
-														"protocol": "http"
-													},
-													"upstreams": [
-														{
-															"dial": "localhost:54321"
-														}
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/shorthand_parameterized_placeholders.caddyfiletest

@@ -1,9 +1,5 @@
 localhost:80
-
 respond * "{header.content-type} {labels.0} {query.p} {path.0} {re.name.0}"
-
-@match path_regexp ^/foo(.*)$
-respond @match "{re.1}"
 ----------
 {
 	"apps": {
@@ -26,22 +22,6 @@ respond @match "{re.1}"
 								{
 									"handler": "subroute",
 									"routes": [
-										{
-											"handle": [
-												{
-													"body": "{http.regexp.1}",
-													"handler": "static_response"
-												}
-											],
-											"match": [
-												{
-													"path_regexp": {
-														"name": "match",
-														"pattern": "^/foo(.*)$"
-													}
-												}
-											]
-										},
 										{
 											"handle": [
 												{

caddytest/integration/caddyfile_adapt/tls_automation_policies_3.caddyfiletest

@@ -70,9 +70,8 @@ c.example.com {
 								"module": "acme"
 							},
 							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
 								"email": "abc@example.com",
-								"module": "acme"
+								"module": "zerossl"
 							}
 						]
 					},

caddytest/integration/caddyfile_adapt/tls_automation_policies_4.caddyfiletest

@@ -131,9 +131,8 @@ abc.de {
 								"module": "acme"
 							},
 							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
 								"email": "my.email@example.com",
-								"module": "acme"
+								"module": "zerossl"
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/tls_automation_policies_8.caddyfiletest

@@ -86,9 +86,8 @@ http://localhost:8081 {
 								"module": "acme"
 							},
 							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
 								"email": "abc@example.com",
-								"module": "acme"
+								"module": "zerossl"
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/tls_automation_policies_global_email_localhost.caddyfiletest

@@ -54,9 +54,8 @@ example.com {
 								"module": "acme"
 							},
 							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
 								"email": "foo@bar",
-								"module": "acme"
+								"module": "zerossl"
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy-with-verifier.caddyfiletest

@@ -1,75 +0,0 @@
-localhost
-
-respond "hello from localhost"
-tls {
-	client_auth {
-		mode request
-		trusted_ca_cert_file ../caddy.ca.cer
-		verifier dummy
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "hello from localhost",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"tls_connection_policies": [
-						{
-							"match": {
-								"sni": [
-									"localhost"
-								]
-							},
-							"client_authentication": {
-								"ca": {
-									"provider": "inline",
-									"trusted_ca_certs": [
-										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
-									]
-								},
-								"verifiers": [
-									{
-										"verifier": "dummy"
-									}
-								],
-								"mode": "request"
-							}
-						},
-						{}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/tls_dns_ttl.caddyfiletest

@@ -58,6 +58,14 @@ tls {
 									}
 								},
 								"module": "acme"
+							},
+							{
+								"challenges": {
+									"dns": {
+										"ttl": 310000000000
+									}
+								},
+								"module": "zerossl"
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/tls_explicit_issuer_dns_ttl.caddyfiletest

@@ -5,7 +5,7 @@ tls {
 	issuer acme {
 		dns_ttl 5m10s
 	}
-	issuer zerossl api_key {
+	issuer zerossl {
 		dns_ttl 10m20s
 	}
 }
@@ -65,9 +65,10 @@ tls {
 								"module": "acme"
 							},
 							{
-								"api_key": "api_key",
-								"cname_validation": {
-									"ttl": 620000000000
+								"challenges": {
+									"dns": {
+										"ttl": 620000000000
+									}
 								},
 								"module": "zerossl"
 							}

caddytest/integration/caddyfile_adapt/tls_explicit_issuer_propagation_options.caddyfiletest

@@ -6,7 +6,7 @@ tls {
 		propagation_delay 5m10s
 		propagation_timeout 10m20s
 	}
-	issuer zerossl api_key {
+	issuer zerossl {
 		propagation_delay 5m30s
 		propagation_timeout -1
 	}
@@ -68,10 +68,11 @@ tls {
 								"module": "acme"
 							},
 							{
-								"api_key": "api_key",
-								"cname_validation": {
-									"propagation_delay": 330000000000,
-									"propagation_timeout": -1
+								"challenges": {
+									"dns": {
+										"propagation_delay": 330000000000,
+										"propagation_timeout": -1
+									}
 								},
 								"module": "zerossl"
 							}

caddytest/integration/caddyfile_adapt/tls_propagation_options.caddyfiletest

@@ -60,6 +60,15 @@ tls {
 									}
 								},
 								"module": "acme"
+							},
+							{
+								"challenges": {
+									"dns": {
+										"propagation_delay": 310000000000,
+										"propagation_timeout": 620000000000
+									}
+								},
+								"module": "zerossl"
 							}
 						]
 					}

caddytest/integration/caddyfile_adapt/uri_query_operations.caddyfiletest

@@ -1,106 +0,0 @@
-:9080
-uri query +foo bar
-uri query -baz
-uri query taz test
-uri query key=value example
-uri query changethis>changed
-uri query {
-	findme value replacement
-	+foo1 baz
-}
-
-respond "{query}"
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":9080"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "rewrite",
-									"query": {
-										"add": [
-											{
-												"key": "foo",
-												"val": "bar"
-											}
-										]
-									}
-								},
-								{
-									"handler": "rewrite",
-									"query": {
-										"delete": [
-											"baz"
-										]
-									}
-								},
-								{
-									"handler": "rewrite",
-									"query": {
-										"set": [
-											{
-												"key": "taz",
-												"val": "test"
-											}
-										]
-									}
-								},
-								{
-									"handler": "rewrite",
-									"query": {
-										"set": [
-											{
-												"key": "key=value",
-												"val": "example"
-											}
-										]
-									}
-								},
-								{
-									"handler": "rewrite",
-									"query": {
-										"rename": [
-											{
-												"key": "changethis",
-												"val": "changed"
-											}
-										]
-									}
-								},
-								{
-									"handler": "rewrite",
-									"query": {
-										"add": [
-											{
-												"key": "foo1",
-												"val": "baz"
-											}
-										],
-										"replace": [
-											{
-												"key": "findme",
-												"replace": "replacement",
-												"search_regexp": "value"
-											}
-										]
-									}
-								},
-								{
-									"body": "{http.request.uri.query}",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/wildcard_pattern.caddyfiletest

@@ -1,157 +0,0 @@
-*.example.com {
-	tls foo@example.com {
-		dns mock
-	}
-
-	@foo host foo.example.com
-	handle @foo {
-		respond "Foo!"
-	}
-
-	@bar host bar.example.com
-	handle @bar {
-		respond "Bar!"
-	}
-
-	# Fallback for otherwise unhandled domains
-	handle {
-		abort
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"body": "Foo!",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											],
-											"match": [
-												{
-													"host": [
-														"foo.example.com"
-													]
-												}
-											]
-										},
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"body": "Bar!",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											],
-											"match": [
-												{
-													"host": [
-														"bar.example.com"
-													]
-												}
-											]
-										},
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"abort": true,
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"*.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"email": "foo@example.com",
-								"module": "acme"
-							},
-							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"email": "foo@example.com",
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt_test.go

@@ -10,8 +10,6 @@ import (
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
-
-	_ "github.com/caddyserver/caddy/v2/internal/testmocks"
 )
 
 func TestCaddyfileAdaptToJSON(t *testing.T) {

caddytest/integration/caddyfile_test.go

@@ -497,203 +497,6 @@ func TestUriReplace(t *testing.T) {
 	tester.AssertGetResponse("http://localhost:9080/endpoint?test={%20content%20}", 200, "test=%7B%20content%20%7D")
 }
 
-func TestUriOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query +foo bar
-	uri query -baz
-	uri query taz test
-	uri query key=value example
-	uri query changethis>changed
-	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar0&baz=buz&taz=nottest&changethis=val", 200, "changed=val&foo=bar0&foo=bar&key%3Dvalue=example&taz=test")
-}
-
-// Tests the `http.request.local.port` placeholder.
-// We don't test the very similar `http.request.local.host` placeholder,
-// because depending on the host the test is running on, localhost might
-// refer to 127.0.0.1 or ::1.
-// TODO: Test each http version separately (especially http/3)
-func TestHttpRequestLocalPortPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	respond "{http.request.local.port}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/", 200, "9080")
-}
-
-func TestSetThenAddQueryParams(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo bar
-	uri query +foo baz
-	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint", 200, "foo=bar&foo=baz")
-}
-
-func TestSetThenDeleteParams(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query bar foo{query.foo}
-	uri query -foo
-	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "bar=foobar")
-}
-
-func TestRenameAndOtherOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo>bar
-	uri query bar taz
-	uri query +bar baz
-	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "bar=taz&bar=baz")
-}
-
-func TestReplaceOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo bar baz	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=baz")
-}
-
-func TestReplaceWithReplacementPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo bar {query.placeholder}	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
-
-}
-
-func TestReplaceWithKeyPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query {query.placeholder} bar baz	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=foo&foo=bar", 200, "foo=baz&placeholder=foo")
-}
-
-func TestPartialReplacement(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo ar az	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=baz")
-}
-
-func TestNonExistingSearch(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query foo var baz	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=bar")
-}
-
-func TestReplaceAllOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query * bar baz	
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar&baz=bar", 200, "baz=baz&foo=baz")
-}
-
-func TestUriOpsBlock(t *testing.T) {
-	tester := caddytest.NewTester(t)
-
-	tester.InitServer(`
-	{
-		admin localhost:2999
-		http_port     9080
-	}
-	:9080
-	uri query {
-		+foo bar
-		-baz
-		taz test
-	} 
-	respond "{query}"`, "caddyfile")
-
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar0&baz=buz&taz=nottest", 200, "foo=bar0&foo=bar&taz=test")
-}
-
 func TestHandleErrorSimpleCodes(t *testing.T) {
 	tester := caddytest.NewTester(t)
 	tester.InitServer(`{

caddytest/integration/handler_test.go

@@ -1,7 +1,6 @@
 package integration
 
 import (
-	"bytes"
 	"net/http"
 	"testing"
 
@@ -30,30 +29,3 @@ func TestBrowse(t *testing.T) {
 	}
 	tester.AssertResponseCode(req, 200)
 }
-
-func TestRespondWithJSON(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
-		grace_period  1ns
-	}
-	localhost {
-		respond {http.request.body}
-	}
-  `, "caddyfile")
-
-	res, _ := tester.AssertPostResponseBody("https://localhost:9443/",
-		nil,
-		bytes.NewBufferString(`{
-		"greeting": "Hello, world!"
-	}`), 200, `{
-		"greeting": "Hello, world!"
-	}`)
-	if res.Header.Get("Content-Type") != "application/json" {
-		t.Errorf("expected Content-Type to be application/json, but was %s", res.Header.Get("Content-Type"))
-	}
-}

caddytest/integration/intercept_test.go

@@ -1,40 +0,0 @@
-package integration
-
-import (
-	"testing"
-
-	"github.com/caddyserver/caddy/v2/caddytest"
-)
-
-func TestIntercept(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
-			skip_install_trust
-			admin localhost:2999
-			http_port     9080
-			https_port    9443
-			grace_period  1ns
-		}
-	
-		localhost:9080 {
-			respond /intercept "I'm a teapot" 408
-			header /intercept To-Intercept ok
-			respond /no-intercept "I'm not a teapot"
-
-			intercept {
-				@teapot status 408
-				handle_response @teapot {
-					header /intercept intercepted {resp.header.To-Intercept}
-					respond /intercept "I'm a combined coffee/tea pot that is temporarily out of coffee" 503
-				}
-			}	
-		}
-		`, "caddyfile")
-
-	r, _ := tester.AssertGetResponse("http://localhost:9080/intercept", 503, "I'm a combined coffee/tea pot that is temporarily out of coffee")
-	if r.Header.Get("intercepted") != "ok" {
-		t.Fatalf(`header "intercepted" value is not "ok": %s`, r.Header.Get("intercepted"))
-	}
-
-	tester.AssertGetResponse("http://localhost:9080/no-intercept", 200, "I'm not a teapot")
-}

caddytest/integration/leafcertloaders_test.go

@@ -1,70 +0,0 @@
-package integration
-
-import (
-	"testing"
-
-	"github.com/caddyserver/caddy/v2/caddytest"
-)
-
-func TestLeafCertLoaders(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
-	{
-		"admin": {
-			"listen": "localhost:2999"
-		},
-		"apps": {
-			"http": {
-				"http_port": 9080,
-       			"https_port": 9443,
-				"grace_period": 1,
-				"servers": {
-					"srv0": {
-						"listen": [
-							":9443"
-						],
-						"routes": [
-							{
-								"match": [
-									{
-										"host": [
-											"localhost"
-										]
-									}
-								],
-								"terminal": true
-							}
-						],
-						"tls_connection_policies": [
-							{
-								"client_authentication": {
-									"verifiers": [
-										{
-											"verifier": "leaf",
-											"leaf_certs_loaders": [
-												{
-													"loader": "file",
-													"files": ["../leafcert.pem"]
-												}, 
-												{
-													"loader": "folder", 
-													"folders": ["../"]
-												},
-												{
-													"loader": "storage"
-												},
-												{
-													"loader": "pem"
-												}
-											]
-										}
-									]
-								}
-							}
-						]
-					}
-				}
-			}
-		}
-	}`, "json")
-}

caddytest/integration/mockdns_test.go

@@ -1,61 +0,0 @@
-package integration
-
-import (
-	"context"
-
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/certmagic"
-	"github.com/libdns/libdns"
-)
-
-func init() {
-	caddy.RegisterModule(MockDNSProvider{})
-}
-
-// MockDNSProvider is a mock DNS provider, for testing config with DNS modules.
-type MockDNSProvider struct{}
-
-// CaddyModule returns the Caddy module information.
-func (MockDNSProvider) CaddyModule() caddy.ModuleInfo {
-	return caddy.ModuleInfo{
-		ID:  "dns.providers.mock",
-		New: func() caddy.Module { return new(MockDNSProvider) },
-	}
-}
-
-// Provision sets up the module.
-func (MockDNSProvider) Provision(ctx caddy.Context) error {
-	return nil
-}
-
-// UnmarshalCaddyfile sets up the module from Caddyfile tokens.
-func (MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
-	return nil
-}
-
-// AppendRecords appends DNS records to the zone.
-func (MockDNSProvider) AppendRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// DeleteRecords deletes DNS records from the zone.
-func (MockDNSProvider) DeleteRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// GetRecords gets DNS records from the zone.
-func (MockDNSProvider) GetRecords(ctx context.Context, zone string) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// SetRecords sets DNS records in the zone.
-func (MockDNSProvider) SetRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// Interface guard
-var _ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
-var _ certmagic.DNSProvider = (*MockDNSProvider)(nil)
-var _ caddy.Provisioner = (*MockDNSProvider)(nil)
-var _ caddy.Module = (*MockDNSProvider)(nil)

caddytest/integration/reverseproxy_test.go

@@ -350,8 +350,6 @@ func TestReverseProxyHealthCheck(t *testing.T) {
 			health_port 2021
 			health_interval 10ms
 			health_timeout 100ms
-			health_passes 1
-			health_fails 1
 		}
 	}
 	`, "caddyfile")

caddytest/integration/stream_test.go

@@ -334,7 +334,7 @@ func TestH2ToH1ChunkedResponse(t *testing.T) {
 		ProtoMinor: 0,
 		Header:     make(http.Header),
 	}
-	// underlying transport will automatically add gzip
+	// underlying transport will automaticlly add gzip
 	// req.Header.Set("Accept-Encoding", "gzip")
 	go func() {
 		fmt.Fprint(w, expectedBody)

caddytest/integration/testdata/foo.txt

@@ -1 +0,0 @@
-foo

caddytest/integration/testdata/foo_with_multiple_trailing_newlines.txt

@@ -1,2 +0,0 @@
-foo
-

caddytest/integration/testdata/foo_with_trailing_newline.txt

@@ -1 +0,0 @@
-foo

caddytest/leafcert.pem

@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
-MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
-VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
-NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
-TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
-ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
-V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
-gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
-FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
-CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
-BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
-Wm7DCfrPNGVwFWUQOmsPue9rZBgO
------END CERTIFICATE-----

cmd/caddy/main.go

@@ -1,8 +1,3 @@
-// The below line is required to enable post-quantum key agreement in Go 1.23
-// by default without insisting on setting a minimum version of 1.23 in go.mod.
-// See https://github.com/caddyserver/caddy/issues/6540#issuecomment-2313094905
-//go:debug tlskyber=1
-
 // Copyright 2015 Matthew Holt and The Caddy Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

cmd/caddy/setcap.sh

@@ -1,17 +1,14 @@
 #!/bin/sh
 
-# USAGE:
-# 	go run -exec ./setcap.sh main.go <args...>
+# USAGE: go run -exec ./setcap.sh main.go <args...>
 #
 # (Example: `go run -exec ./setcap.sh main.go run --config caddy.json`)
 #
 # For some reason this does not work on my Arch system, so if you find that's
-# the case, you can instead do:
-#
-# 	go build && ./setcap.sh ./caddy <args...>
-#
+# the case, you can instead do: go build && ./setcap.sh ./caddy <args...>
 # but this will leave the ./caddy binary laying around.
 #
+#
 
 sudo setcap cap_net_bind_service=+ep "$1"
 "$@"

cmd/cobra.go

@@ -8,10 +8,9 @@ import (
 	"github.com/caddyserver/caddy/v2"
 )
 
-var defaultFactory = newRootCommandFactory(func() *cobra.Command {
-	return &cobra.Command{
-		Use: "caddy",
-		Long: `Caddy is an extensible server platform written in Go.
+var rootCmd = &cobra.Command{
+	Use: "caddy",
+	Long: `Caddy is an extensible server platform written in Go.
 
 At its core, Caddy merely manages configuration. Modules are plugged
 in statically at compile-time to provide useful functionality. Caddy's
@@ -92,26 +91,23 @@ package installers: https://caddyserver.com/docs/install
 Instructions for running Caddy in production are also available:
 https://caddyserver.com/docs/running
 `,
-		Example: `  $ caddy run
+	Example: `  $ caddy run
   $ caddy run --config caddy.json
   $ caddy reload --config caddy.json
   $ caddy stop`,
 
-		// kind of annoying to have all the help text printed out if
-		// caddy has an error provisioning its modules, for instance...
-		SilenceUsage: true,
-		Version:      onlyVersionText(),
-	}
-})
+	// kind of annoying to have all the help text printed out if
+	// caddy has an error provisioning its modules, for instance...
+	SilenceUsage: true,
+	Version:      onlyVersionText(),
+}
 
 const fullDocsFooter = `Full documentation is available at:
 https://caddyserver.com/docs/command-line`
 
 func init() {
-	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.SetVersionTemplate("{{.Version}}\n")
-		rootCmd.SetHelpTemplate(rootCmd.HelpTemplate() + "\n" + fullDocsFooter + "\n")
-	})
+	rootCmd.SetVersionTemplate("{{.Version}}\n")
+	rootCmd.SetHelpTemplate(rootCmd.HelpTemplate() + "\n" + fullDocsFooter + "\n")
 }
 
 func onlyVersionText() string {
@@ -121,7 +117,7 @@ func onlyVersionText() string {
 
 func caddyCmdToCobra(caddyCmd Command) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   caddyCmd.Name + " " + caddyCmd.Usage,
+		Use:   caddyCmd.Name,
 		Short: caddyCmd.Short,
 		Long:  caddyCmd.Long,
 	}