noot

.github/workflows/ci.yml

@@ -23,18 +23,18 @@ jobs:
           - mac
           - windows
         go: 
+          - '1.21'
           - '1.22'
-          - '1.23'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
+        - go: '1.21'
+          GO_SEMVER: '~1.21.0'
+
         - go: '1.22'
           GO_SEMVER: '~1.22.3'
 
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
-
         # Set some variables per OS, usable via ${{ matrix.VAR }}
         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
         # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
@@ -99,7 +99,7 @@ jobs:
       env:
         CGO_ENABLED: 0
       run: |
-        go build -tags nobadger -trimpath -ldflags="-w -s" -v
+        go build -tags nobdger -trimpath -ldflags="-w -s" -v
 
     - name: Smoke test Caddy
       working-directory: ./cmd/caddy
@@ -150,41 +150,18 @@ jobs:
         uses: actions/checkout@v4
       - name: Run Tests
         run: |
-          set +e
           mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa
 
           # short sha is enough?
           short_sha=$(git rev-parse --short HEAD)
 
-          # To shorten the following lines
-          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-          ssh_host="$CI_USER@ci-s390x.caddyserver.com"
-
           # The environment is fresh, so there's no point in keeping accepting and adding the key.
-          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
-          ssh $ssh_opts -t "$ssh_host" bash <<EOF
-          cd /var/tmp/$short_sha
-          go version
-          go env
-          printf "\n\n"
-          retries=3
-          exit_code=0
-          while ((retries > 0)); do
-            CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
-            exit_code=$?
-            if ((exit_code == 0)); then
-              break
-            fi
-            echo "\n\nTest failed: \$exit_code, retrying..."
-            ((retries--))
-          done
-          echo "Remote exit code: \$exit_code"
-          exit \$exit_code
-          EOF
+          rsync -arz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" --progress --delete --exclude '.git' . "$CI_USER"@ci-s390x.caddyserver.com:/var/tmp/"$short_sha"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t "$CI_USER"@ci-s390x.caddyserver.com "cd /var/tmp/$short_sha; go version; go env; printf "\n\n";CGO_ENABLED=0 go test -tags nobadger -v ./..."
           test_result=$?
 
           # There's no need leaving the files around
-          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"
+          ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$CI_USER"@ci-s390x.caddyserver.com "rm -rf /var/tmp/'$short_sha'"
 
           echo "Test exit code: $test_result"
           exit $test_result
@@ -202,18 +179,3 @@ jobs:
         with:
           version: latest
           args: check
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "~1.23"
-          check-latest: true
-      - name: Install xcaddy
-        run: |
-          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-          xcaddy version
-      - uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: build --single-target --snapshot
-        env:
-          TAG: "master"

.github/workflows/cross-build.yml

@@ -28,7 +28,6 @@ jobs:
           - 'netbsd'
         go: 
           - '1.22'
-          - '1.23'
 
         include:
         # Set the minimum Go patch version for the given Go minor
@@ -36,9 +35,6 @@ jobs:
         - go: '1.22'
           GO_SEMVER: '~1.22.3'
 
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
-
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
@@ -70,4 +66,4 @@ jobs:
         continue-on-error: true
         working-directory: ./cmd/caddy
         run: |
-          GOOS=$GOOS GOARCH=$GOARCH go build -tags=nobadger,nomysql,nopgx -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null
+          GOOS=$GOOS GOARCH=$GOARCH go build -tags nobadger -trimpath -o caddy-"$GOOS"-$GOARCH 2> /dev/null

.github/workflows/lint.yml

@@ -43,13 +43,13 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '~1.23'
+          go-version: '~1.22.3'
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v1.55
 
           # Windows times out frequently after about 5m50s if we don't set a longer timeout.
           args: --timeout 10m
@@ -63,5 +63,5 @@ jobs:
       - name: govulncheck
         uses: golang/govulncheck-action@v1
         with:
-          go-version-input: '~1.23.0'
+          go-version-input: '~1.22.3'
           check-latest: true

.github/workflows/release.yml

@@ -13,13 +13,13 @@ jobs:
         os: 
           - ubuntu-latest
         go: 
-          - '1.23'
+          - '1.22'
 
         include:
         # Set the minimum Go patch version for the given Go minor
         # Usable via ${{ matrix.GO_SEMVER }}
-        - go: '1.23'
-          GO_SEMVER: '~1.23.0'
+        - go: '1.22'
+          GO_SEMVER: '~1.22.3'
 
     runs-on: ${{ matrix.os }}
     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -104,10 +104,6 @@ jobs:
       uses: anchore/sbom-action/download-syft@main
     - name: Syft version
       run: syft version
-    - name: Install xcaddy
-      run: |
-        go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
-        xcaddy version
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v6

.golangci.yml

@@ -1,9 +1,7 @@
 linters-settings:
   errcheck:
-    exclude-functions:
-      - fmt.*
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddObject
-      - (go.uber.org/zap/zapcore.ObjectEncoder).AddArray
+    ignore: fmt:.*,go.uber.org/zap/zapcore:^Add.*
+    ignoretests: true
   gci:
     sections:
       - standard # Standard section: captures all standard packages.
@@ -35,6 +33,7 @@ linters:
     - errcheck
     - errname
     - exhaustive
+    - exportloopref
     - gci
     - gofmt
     - goimports
@@ -131,22 +130,18 @@ linters:
 run:
   # default concurrency is a available CPU number.
   # concurrency: 4 # explicitly omit this value to fully utilize available resources.
-  timeout: 5m
+  deadline: 5m
   issues-exit-code: 1
   tests: false
 
 # output configuration options
 output:
-  formats:
-    - format: 'colored-line-number'
+  format: 'colored-line-number'
   print-issued-lines: true
   print-linter-name: true
 
 issues:
   exclude-rules:
-    - text: 'G115' # TODO: Either we should fix the issues or nuke the linter if it's bad
-      linters:
-        - gosec
     # we aren't calling unknown URL
     - text: 'G107' # G107: Url provided to HTTP request as taint input
       linters:
@@ -171,12 +166,3 @@ issues:
     - path: modules/logging/filters.go
       linters:
         - dupl
-    - path: modules/caddyhttp/matchers.go
-      linters:
-        - dupl
-    - path: modules/caddyhttp/vars.go
-      linters:
-        - dupl
-    - path: _test\.go
-      linters:
-        - errcheck

.goreleaser.yml

@@ -12,9 +12,6 @@ before:
     - mkdir -p caddy-build
     - cp cmd/caddy/main.go caddy-build/main.go
     - /bin/sh -c 'cd ./caddy-build && go mod init caddy'
-    # prepare syso files for windows embedding
-    - /bin/sh -c 'for a in amd64 arm arm64; do XCADDY_SKIP_BUILD=1 GOOS=windows GOARCH=$a xcaddy build {{.Env.TAG}}; done'
-    - /bin/sh -c 'mv /tmp/buildenv_*/*.syso caddy-build'
     # GoReleaser doesn't seem to offer {{.Tag}} at this stage, so we have to embed it into the env
     # so we run: TAG=$(git describe --abbrev=0) goreleaser release --rm-dist --skip-publish --skip-validate
     - go mod edit -require=github.com/caddyserver/caddy/v2@{{.Env.TAG}} ./caddy-build/go.mod
@@ -34,6 +31,7 @@ builds:
 - env:
   - CGO_ENABLED=0
   - GO111MODULE=on
+  main: main.go
   dir: ./caddy-build
   binary: caddy
   goos:
@@ -83,8 +81,6 @@ builds:
   - -s -w
   tags:
   - nobadger
-  - nomysql
-  - nopgx
 
 signs:
   - cmd: cosign

README.md

@@ -87,7 +87,7 @@ See [our online documentation](https://caddyserver.com/docs/install) for other i
 
 Requirements:
 
-- [Go 1.22.3 or newer](https://golang.org/dl/)
+- [Go 1.21 or newer](https://golang.org/dl/)
 
 ### For development
 
@@ -131,7 +131,7 @@ $ xcaddy build
 4. Initialize a Go module: `go mod init caddy`
 5. (Optional) Pin Caddy version: `go get github.com/caddyserver/caddy/v2@version` replacing `version` with a git tag, commit, or branch name.
 6. (Optional) Add plugins by adding their import: `_ "import/path/here"`
-7. Compile: `go build -tags=nobadger,nomysql,nopgx`
+7. Compile: `go build`
 
 
 

admin.go

@@ -34,7 +34,6 @@ import (
 	"os"
 	"path"
 	"regexp"
-	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -214,7 +213,7 @@ type AdminPermissions struct {
 
 // newAdminHandler reads admin's config and returns an http.Handler suitable
 // for use in an admin endpoint server, which will be listening on listenAddr.
-func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Context) adminHandler {
+func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool) adminHandler {
 	muxWrap := adminHandler{mux: http.NewServeMux()}
 
 	// secure the local or remote endpoint respectively
@@ -270,6 +269,7 @@ func (admin *AdminConfig) newAdminHandler(addr NetworkAddress, remote bool, _ Co
 	// register third-party module endpoints
 	for _, m := range GetModules("admin.api") {
 		router := m.New().(AdminRouter)
+		handlerLabel := m.ID.Name()
 		for _, route := range router.Routes() {
 			addRoute(route.Pattern, handlerLabel, route.Handler)
 		}
@@ -312,7 +312,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 	}
 	if admin.Origins == nil {
 		if addr.isLoopback() {
-			if addr.IsUnixNetwork() || addr.IsFdNetwork() {
+			if addr.IsUnixNetwork() {
 				// RFC 2616, Section 14.26:
 				// "A client MUST include a Host header field in all HTTP/1.1 request
 				// messages. If the requested URI does not include an Internet host
@@ -350,7 +350,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 				uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
 			}
 		}
-		if !addr.IsUnixNetwork() && !addr.IsFdNetwork() {
+		if !addr.IsUnixNetwork() {
 			uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
 		}
 	}
@@ -381,9 +381,7 @@ func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []*url.URL {
 // for the admin endpoint exists in cfg, a default one is used, so
 // that there is always an admin server (unless it is explicitly
 // configured to be disabled).
-// Critically note that some elements and functionality of the context
-// may not be ready, e.g. storage. Tread carefully.
-func replaceLocalAdminServer(cfg *Config, ctx Context) error {
+func replaceLocalAdminServer(cfg *Config) error {
 	// always* be sure to close down the old admin endpoint
 	// as gracefully as possible, even if the new one is
 	// disabled -- careful to use reference to the current
@@ -425,7 +423,7 @@ func replaceLocalAdminServer(cfg *Config, ctx Context) error {
 		return err
 	}
 
-	handler := cfg.Admin.newAdminHandler(addr, false, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, false)
 
 	ln, err := addr.Listen(context.TODO(), 0, net.ListenConfig{})
 	if err != nil {
@@ -546,7 +544,7 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
 
 	// make the HTTP handler but disable Host/Origin enforcement
 	// because we are using TLS authentication instead
-	handler := cfg.Admin.newAdminHandler(addr, true, ctx)
+	handler := cfg.Admin.newAdminHandler(addr, true)
 
 	// create client certificate pool for TLS mutual auth, and extract public keys
 	// so that we can enforce access controls at the application layer
@@ -677,7 +675,13 @@ func (remote RemoteAdmin) enforceAccessControls(r *http.Request) error {
 					// key recognized; make sure its HTTP request is permitted
 					for _, accessPerm := range adminAccess.Permissions {
 						// verify method
-						methodFound := accessPerm.Methods == nil || slices.Contains(accessPerm.Methods, r.Method)
+						methodFound := accessPerm.Methods == nil
+						for _, method := range accessPerm.Methods {
+							if method == r.Method {
+								methodFound = true
+								break
+							}
+						}
 						if !methodFound {
 							return APIError{
 								HTTPStatus: http.StatusForbidden,
@@ -873,9 +877,13 @@ func (h adminHandler) handleError(w http.ResponseWriter, r *http.Request, err er
 // a trustworthy/expected value. This helps to mitigate DNS
 // rebinding attacks.
 func (h adminHandler) checkHost(r *http.Request) error {
-	allowed := slices.ContainsFunc(h.allowedOrigins, func(u *url.URL) bool {
-		return r.Host == u.Host
-	})
+	var allowed bool
+	for _, allowedOrigin := range h.allowedOrigins {
+		if r.Host == allowedOrigin.Host {
+			allowed = true
+			break
+		}
+	}
 	if !allowed {
 		return APIError{
 			HTTPStatus: http.StatusForbidden,

caddy.go

@@ -20,6 +20,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
 	"io/fs"
@@ -399,7 +400,6 @@ func unsyncedDecodeAndRun(cfgJSON []byte, allowPersist bool) error {
 func run(newCfg *Config, start bool) (Context, error) {
 	ctx, err := provisionContext(newCfg, start)
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 
@@ -411,7 +411,6 @@ func run(newCfg *Config, start bool) (Context, error) {
 	// some of the other apps at runtime
 	err = ctx.cfg.Admin.provisionAdminRouters(ctx)
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
 
@@ -437,11 +436,9 @@ func run(newCfg *Config, start bool) (Context, error) {
 		return nil
 	}()
 	if err != nil {
-		globalMetrics.configSuccess.Set(0)
 		return ctx, err
 	}
-	globalMetrics.configSuccess.Set(1)
-	globalMetrics.configSuccessTime.SetToCurrentTime()
+
 	// now that the user's config is running, finish setting up anything else,
 	// such as remote admin endpoint, config loader, etc.
 	return ctx, finishSettingUp(ctx, ctx.cfg)
@@ -475,7 +472,6 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 	ctx, cancel := NewContext(Context{Context: context.Background(), cfg: newCfg})
 	defer func() {
 		if err != nil {
-			globalMetrics.configSuccess.Set(0)
 			// if there were any errors during startup,
 			// we should cancel the new context we created
 			// since the associated config won't be used;
@@ -502,7 +498,7 @@ func provisionContext(newCfg *Config, replaceAdminServer bool) (Context, error)
 
 	// start the admin endpoint (and stop any prior one)
 	if replaceAdminServer {
-		err = replaceLocalAdminServer(newCfg, ctx)
+		err = replaceLocalAdminServer(newCfg)
 		if err != nil {
 			return ctx, fmt.Errorf("starting caddy administration endpoint: %v", err)
 		}
@@ -783,7 +779,10 @@ func exitProcess(ctx context.Context, logger *zap.Logger) {
 			} else {
 				logger.Error("unclean shutdown")
 			}
-			os.Exit(exitCode)
+			// check if we are in test environment, and dont call exit if we are
+			if flag.Lookup("test.v") == nil && !strings.Contains(os.Args[0], ".test") {
+				os.Exit(exitCode)
+			}
 		}()
 
 		if remoteAdminServer != nil {

caddyconfig/caddyfile/dispenser.go

@@ -415,7 +415,7 @@ func (d *Dispenser) EOFErr() error {
 
 // Err generates a custom parse-time error with a message of msg.
 func (d *Dispenser) Err(msg string) error {
-	return d.WrapErr(errors.New(msg))
+	return d.Errf(msg)
 }
 
 // Errf is like Err, but for formatted error messages

caddyconfig/caddyfile/importgraph.go

@@ -16,7 +16,6 @@ package caddyfile
 
 import (
 	"fmt"
-	"slices"
 )
 
 type adjacency map[string][]string
@@ -92,7 +91,12 @@ func (i *importGraph) areConnected(from, to string) bool {
 	if !ok {
 		return false
 	}
-	return slices.Contains(al, to)
+	for _, v := range al {
+		if v == to {
+			return true
+		}
+	}
+	return false
 }
 
 func (i *importGraph) willCycle(from, to string) bool {

caddyconfig/caddyfile/parse.go

@@ -264,13 +264,8 @@ func (p *parser) addresses() error {
 				return p.Errf("Site addresses cannot contain a comma ',': '%s' - put a space after the comma to separate site addresses", value)
 			}
 
-			// After the above, a comma surrounded by spaces would result
-			// in an empty token which we should ignore
-			if value != "" {
-				// Add the token as a site address
-				token.Text = value
-				p.block.Keys = append(p.block.Keys, token)
-			}
+			token.Text = value
+			p.block.Keys = append(p.block.Keys, token)
 		}
 
 		// Advance token and possibly break out of loop or return error

caddyconfig/caddyfile/parse_test.go

@@ -555,10 +555,6 @@ func TestParseAll(t *testing.T) {
 			{"localhost:1234", "http://host2"},
 		}},
 
-		{`foo.example.com   ,   example.com`, false, [][]string{
-			{"foo.example.com", "example.com"},
-		}},
-
 		{`localhost:1234, http://host2,`, true, [][]string{}},
 
 		{`http://host1.com, http://host2.com {
@@ -618,8 +614,8 @@ func TestParseAll(t *testing.T) {
 		}
 		for j, block := range blocks {
 			if len(block.Keys) != len(test.keys[j]) {
-				t.Errorf("Test %d: Expected %d keys in block %d, got %d: %v",
-					i, len(test.keys[j]), j, len(block.Keys), block.Keys)
+				t.Errorf("Test %d: Expected %d keys in block %d, got %d",
+					i, len(test.keys[j]), j, len(block.Keys))
 				continue
 			}
 			for k, addr := range block.GetKeysText() {

caddyconfig/httpcaddyfile/addresses.go

@@ -31,7 +31,7 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
 
-// mapAddressToProtocolToServerBlocks returns a map of listener address to list of server
+// mapAddressToServerBlocks returns a map of listener address to list of server
 // blocks that will be served on that address. To do this, each server block is
 // expanded so that each one is considered individually, although keys of a
 // server block that share the same address stay grouped together so the config
@@ -77,15 +77,10 @@ import (
 // repetition may be undesirable, so call consolidateAddrMappings() to map
 // multiple addresses to the same lists of server blocks (a many:many mapping).
 // (Doing this is essentially a map-reduce technique.)
-func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []serverBlock,
+func (st *ServerType) mapAddressToServerBlocks(originalServerBlocks []serverBlock,
 	options map[string]any,
-) (map[string]map[string][]serverBlock, error) {
-	addrToProtocolToServerBlocks := map[string]map[string][]serverBlock{}
-
-	type keyWithParsedKey struct {
-		key       caddyfile.Token
-		parsedKey Address
-	}
+) (map[string][]serverBlock, error) {
+	sbmap := make(map[string][]serverBlock)
 
 	for i, sblock := range originalServerBlocks {
 		// within a server block, we need to map all the listener addresses
@@ -93,48 +88,27 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// will be served by them; this has the effect of treating each
 		// key of a server block as its own, but without having to repeat its
 		// contents in cases where multiple keys really can be served together
-		addrToProtocolToKeyWithParsedKeys := map[string]map[string][]keyWithParsedKey{}
+		addrToKeys := make(map[string][]caddyfile.Token)
 		for j, key := range sblock.block.Keys {
-			parsedKey, err := ParseAddress(key.Text)
-			if err != nil {
-				return nil, fmt.Errorf("parsing key: %v", err)
-			}
-			parsedKey = parsedKey.Normalize()
-
 			// a key can have multiple listener addresses if there are multiple
 			// arguments to the 'bind' directive (although they will all have
 			// the same port, since the port is defined by the key or is implicit
 			// through automatic HTTPS)
-			listeners, err := st.listenersForServerBlockAddress(sblock, parsedKey, options)
+			addrs, err := st.listenerAddrsForServerBlockKey(sblock, key.Text, options)
 			if err != nil {
 				return nil, fmt.Errorf("server block %d, key %d (%s): determining listener address: %v", i, j, key.Text, err)
 			}
 
-			// associate this key with its protocols and each listener address served with them
-			kwpk := keyWithParsedKey{key, parsedKey}
-			for addr, protocols := range listeners {
-				protocolToKeyWithParsedKeys, ok := addrToProtocolToKeyWithParsedKeys[addr]
-				if !ok {
-					protocolToKeyWithParsedKeys = map[string][]keyWithParsedKey{}
-					addrToProtocolToKeyWithParsedKeys[addr] = protocolToKeyWithParsedKeys
-				}
-
-				// an empty protocol indicates the default, a nil or empty value in the ListenProtocols array
-				if len(protocols) == 0 {
-					protocols[""] = struct{}{}
-				}
-				for prot := range protocols {
-					protocolToKeyWithParsedKeys[prot] = append(
-						protocolToKeyWithParsedKeys[prot],
-						kwpk)
-				}
+			// associate this key with each listener address it is served on
+			for _, addr := range addrs {
+				addrToKeys[addr] = append(addrToKeys[addr], key)
 			}
 		}
 
 		// make a slice of the map keys so we can iterate in sorted order
-		addrs := make([]string, 0, len(addrToProtocolToKeyWithParsedKeys))
-		for addr := range addrToProtocolToKeyWithParsedKeys {
-			addrs = append(addrs, addr)
+		addrs := make([]string, 0, len(addrToKeys))
+		for k := range addrToKeys {
+			addrs = append(addrs, k)
 		}
 		sort.Strings(addrs)
 
@@ -144,132 +118,85 @@ func (st *ServerType) mapAddressToProtocolToServerBlocks(originalServerBlocks []
 		// server block are only the ones which use the address; but
 		// the contents (tokens) are of course the same
 		for _, addr := range addrs {
-			protocolToKeyWithParsedKeys := addrToProtocolToKeyWithParsedKeys[addr]
-
-			prots := make([]string, 0, len(protocolToKeyWithParsedKeys))
-			for prot := range protocolToKeyWithParsedKeys {
-				prots = append(prots, prot)
-			}
-			sort.Strings(prots)
-
-			protocolToServerBlocks, ok := addrToProtocolToServerBlocks[addr]
-			if !ok {
-				protocolToServerBlocks = map[string][]serverBlock{}
-				addrToProtocolToServerBlocks[addr] = protocolToServerBlocks
-			}
-
-			for _, prot := range prots {
-				keyWithParsedKeys := protocolToKeyWithParsedKeys[prot]
-
-				keys := make([]caddyfile.Token, len(keyWithParsedKeys))
-				parsedKeys := make([]Address, len(keyWithParsedKeys))
-
-				for k, keyWithParsedKey := range keyWithParsedKeys {
-					keys[k] = keyWithParsedKey.key
-					parsedKeys[k] = keyWithParsedKey.parsedKey
+			keys := addrToKeys[addr]
+			// parse keys so that we only have to do it once
+			parsedKeys := make([]Address, 0, len(keys))
+			for _, key := range keys {
+				addr, err := ParseAddress(key.Text)
+				if err != nil {
+					return nil, fmt.Errorf("parsing key '%s': %v", key.Text, err)
 				}
-
-				protocolToServerBlocks[prot] = append(protocolToServerBlocks[prot], serverBlock{
-					block: caddyfile.ServerBlock{
-						Keys:     keys,
-						Segments: sblock.block.Segments,
-					},
-					pile:       sblock.pile,
-					parsedKeys: parsedKeys,
-				})
+				parsedKeys = append(parsedKeys, addr.Normalize())
 			}
-		}
-	}
-
-	return addrToProtocolToServerBlocks, nil
-}
-
-// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
-// single listener addresses to protocols to lists of server blocks. Since multiple addresses
-// may serve multiple protocols to identical sites (server block contents), this function turns
-// a 1:many mapping into a many:many mapping. Server block contents (tokens) must be
-// exactly identical so that reflect.DeepEqual returns true in order for the addresses to be combined.
-// Identical entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
-// association from multiple addresses to multiple server blocks; i.e. each element of
-// the returned slice) becomes a server definition in the output JSON.
-func (st *ServerType) consolidateAddrMappings(addrToProtocolToServerBlocks map[string]map[string][]serverBlock) []sbAddrAssociation {
-	sbaddrs := make([]sbAddrAssociation, 0, len(addrToProtocolToServerBlocks))
-
-	addrs := make([]string, 0, len(addrToProtocolToServerBlocks))
-	for addr := range addrToProtocolToServerBlocks {
-		addrs = append(addrs, addr)
-	}
-	sort.Strings(addrs)
-
-	for _, addr := range addrs {
-		protocolToServerBlocks := addrToProtocolToServerBlocks[addr]
-
-		prots := make([]string, 0, len(protocolToServerBlocks))
-		for prot := range protocolToServerBlocks {
-			prots = append(prots, prot)
-		}
-		sort.Strings(prots)
-
-		for _, prot := range prots {
-			serverBlocks := protocolToServerBlocks[prot]
-
-			// now find other addresses that map to identical
-			// server blocks and add them to our map of listener
-			// addresses and protocols, while removing them from
-			// the original map
-			listeners := map[string]map[string]struct{}{}
-
-			for otherAddr, otherProtocolToServerBlocks := range addrToProtocolToServerBlocks {
-				for otherProt, otherServerBlocks := range otherProtocolToServerBlocks {
-					if addr == otherAddr && prot == otherProt || reflect.DeepEqual(serverBlocks, otherServerBlocks) {
-						listener, ok := listeners[otherAddr]
-						if !ok {
-							listener = map[string]struct{}{}
-							listeners[otherAddr] = listener
-						}
-						listener[otherProt] = struct{}{}
-						delete(otherProtocolToServerBlocks, otherProt)
-					}
-				}
-			}
-
-			addresses := make([]string, 0, len(listeners))
-			for lnAddr := range listeners {
-				addresses = append(addresses, lnAddr)
-			}
-			sort.Strings(addresses)
-
-			addressesWithProtocols := make([]addressWithProtocols, 0, len(listeners))
-
-			for _, lnAddr := range addresses {
-				lnProts := listeners[lnAddr]
-				prots := make([]string, 0, len(lnProts))
-				for prot := range lnProts {
-					prots = append(prots, prot)
-				}
-				sort.Strings(prots)
-
-				addressesWithProtocols = append(addressesWithProtocols, addressWithProtocols{
-					address:   lnAddr,
-					protocols: prots,
-				})
-			}
-
-			sbaddrs = append(sbaddrs, sbAddrAssociation{
-				addressesWithProtocols: addressesWithProtocols,
-				serverBlocks:           serverBlocks,
+			sbmap[addr] = append(sbmap[addr], serverBlock{
+				block: caddyfile.ServerBlock{
+					Keys:     keys,
+					Segments: sblock.block.Segments,
+				},
+				pile: sblock.pile,
+				keys: parsedKeys,
 			})
 		}
 	}
 
+	return sbmap, nil
+}
+
+// consolidateAddrMappings eliminates repetition of identical server blocks in a mapping of
+// single listener addresses to lists of server blocks. Since multiple addresses may serve
+// identical sites (server block contents), this function turns a 1:many mapping into a
+// many:many mapping. Server block contents (tokens) must be exactly identical so that
+// reflect.DeepEqual returns true in order for the addresses to be combined. Identical
+// entries are deleted from the addrToServerBlocks map. Essentially, each pairing (each
+// association from multiple addresses to multiple server blocks; i.e. each element of
+// the returned slice) becomes a server definition in the output JSON.
+func (st *ServerType) consolidateAddrMappings(addrToServerBlocks map[string][]serverBlock) []sbAddrAssociation {
+	sbaddrs := make([]sbAddrAssociation, 0, len(addrToServerBlocks))
+	for addr, sblocks := range addrToServerBlocks {
+		// we start with knowing that at least this address
+		// maps to these server blocks
+		a := sbAddrAssociation{
+			addresses:    []string{addr},
+			serverBlocks: sblocks,
+		}
+
+		// now find other addresses that map to identical
+		// server blocks and add them to our list of
+		// addresses, while removing them from the map
+		for otherAddr, otherSblocks := range addrToServerBlocks {
+			if addr == otherAddr {
+				continue
+			}
+			if reflect.DeepEqual(sblocks, otherSblocks) {
+				a.addresses = append(a.addresses, otherAddr)
+				delete(addrToServerBlocks, otherAddr)
+			}
+		}
+		sort.Strings(a.addresses)
+
+		sbaddrs = append(sbaddrs, a)
+	}
+
+	// sort them by their first address (we know there will always be at least one)
+	// to avoid problems with non-deterministic ordering (makes tests flaky)
+	sort.Slice(sbaddrs, func(i, j int) bool {
+		return sbaddrs[i].addresses[0] < sbaddrs[j].addresses[0]
+	})
+
 	return sbaddrs
 }
 
-// listenersForServerBlockAddress essentially converts the Caddyfile site addresses to a map from
-// Caddy listener addresses and the protocols to serve them with to the parsed address for each server block.
-func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Address,
+// listenerAddrsForServerBlockKey essentially converts the Caddyfile
+// site addresses to Caddy listener addresses for each server block.
+func (st *ServerType) listenerAddrsForServerBlockKey(sblock serverBlock, key string,
 	options map[string]any,
-) (map[string]map[string]struct{}, error) {
+) ([]string, error) {
+	addr, err := ParseAddress(key)
+	if err != nil {
+		return nil, fmt.Errorf("parsing key: %v", err)
+	}
+	addr = addr.Normalize()
+
 	switch addr.Scheme {
 	case "wss":
 		return nil, fmt.Errorf("the scheme wss:// is only supported in browsers; use https:// instead")
@@ -303,58 +230,55 @@ func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Ad
 
 	// error if scheme and port combination violate convention
 	if (addr.Scheme == "http" && lnPort == httpsPort) || (addr.Scheme == "https" && lnPort == httpPort) {
-		return nil, fmt.Errorf("[%s] scheme and port violate convention", addr.String())
+		return nil, fmt.Errorf("[%s] scheme and port violate convention", key)
 	}
 
-	// the bind directive specifies hosts (and potentially network), and the protocols to serve them with, but is optional
-	lnCfgVals := make([]addressesWithProtocols, 0, len(sblock.pile["bind"]))
+	// the bind directive specifies hosts (and potentially network), but is optional
+	lnHosts := make([]string, 0, len(sblock.pile["bind"]))
 	for _, cfgVal := range sblock.pile["bind"] {
-		if val, ok := cfgVal.Value.(addressesWithProtocols); ok {
-			lnCfgVals = append(lnCfgVals, val)
-		}
+		lnHosts = append(lnHosts, cfgVal.Value.([]string)...)
 	}
-	if len(lnCfgVals) == 0 {
-		if defaultBindValues, ok := options["default_bind"].([]ConfigValue); ok {
-			for _, defaultBindValue := range defaultBindValues {
-				lnCfgVals = append(lnCfgVals, defaultBindValue.Value.(addressesWithProtocols))
-			}
+	if len(lnHosts) == 0 {
+		if defaultBind, ok := options["default_bind"].([]string); ok {
+			lnHosts = defaultBind
 		} else {
-			lnCfgVals = []addressesWithProtocols{{
-				addresses: []string{""},
-				protocols: nil,
-			}}
+			lnHosts = []string{""}
 		}
 	}
 
 	// use a map to prevent duplication
-	listeners := map[string]map[string]struct{}{}
-	for _, lnCfgVal := range lnCfgVals {
-		for _, lnAddr := range lnCfgVal.addresses {
-			lnNetw, lnHost, _, err := caddy.SplitNetworkAddress(lnAddr)
-			if err != nil {
-				return nil, fmt.Errorf("splitting listener address: %v", err)
-			}
-			networkAddr, err := caddy.ParseNetworkAddress(caddy.JoinNetworkAddress(lnNetw, lnHost, lnPort))
-			if err != nil {
-				return nil, fmt.Errorf("parsing network address: %v", err)
-			}
-			if _, ok := listeners[addr.String()]; !ok {
-				listeners[networkAddr.String()] = map[string]struct{}{}
-			}
-			for _, protocol := range lnCfgVal.protocols {
-				listeners[networkAddr.String()][protocol] = struct{}{}
-			}
+	listeners := make(map[string]struct{})
+	for _, lnHost := range lnHosts {
+		// normally we would simply append the port,
+		// but if lnHost is IPv6, we need to ensure it
+		// is enclosed in [ ]; net.JoinHostPort does
+		// this for us, but lnHost might also have a
+		// network type in front (e.g. "tcp/") leading
+		// to "[tcp/::1]" which causes parsing failures
+		// later; what we need is "tcp/[::1]", so we have
+		// to split the network and host, then re-combine
+		network, host, ok := strings.Cut(lnHost, "/")
+		if !ok {
+			host = network
+			network = ""
 		}
+		host = strings.Trim(host, "[]") // IPv6
+		networkAddr := caddy.JoinNetworkAddress(network, host, lnPort)
+		addr, err := caddy.ParseNetworkAddress(networkAddr)
+		if err != nil {
+			return nil, fmt.Errorf("parsing network address: %v", err)
+		}
+		listeners[addr.String()] = struct{}{}
 	}
 
-	return listeners, nil
-}
+	// now turn map into list
+	listenersList := make([]string, 0, len(listeners))
+	for lnStr := range listeners {
+		listenersList = append(listenersList, lnStr)
+	}
+	sort.Strings(listenersList)
 
-// addressesWithProtocols associates a list of listen addresses
-// with a list of protocols to serve them with
-type addressesWithProtocols struct {
-	addresses []string
-	protocols []string
+	return listenersList, nil
 }
 
 // Address represents a site address. It contains

caddyconfig/httpcaddyfile/builtins.go

@@ -56,30 +56,10 @@ func init() {
 
 // parseBind parses the bind directive. Syntax:
 //
-//		bind <addresses...> [{
-//	   protocols [h1|h2|h2c|h3] [...]
-//	 }]
+//	bind <addresses...>
 func parseBind(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
-	var addresses, protocols []string
-	addresses = h.RemainingArgs()
-
-	for h.NextBlock(0) {
-		switch h.Val() {
-		case "protocols":
-			protocols = h.RemainingArgs()
-			if len(protocols) == 0 {
-				return nil, h.Errf("protocols requires one or more arguments")
-			}
-		default:
-			return nil, h.Errf("unknown subdirective: %s", h.Val())
-		}
-	}
-
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
-	}}}, nil
+	return []ConfigValue{{Class: "bind", Value: h.RemainingArgs()}}, nil
 }
 
 // parseTLS parses the tls directive. Syntax:

caddyconfig/httpcaddyfile/directives.go

@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"net"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -101,6 +100,17 @@ var defaultDirectiveOrder = []string{
 // plugins or by the user via the "order" global option.
 var directiveOrder = defaultDirectiveOrder
 
+// directiveIsOrdered returns true if dir is
+// a known, ordered (sorted) directive.
+func directiveIsOrdered(dir string) bool {
+	for _, d := range directiveOrder {
+		if d == dir {
+			return true
+		}
+	}
+	return false
+}
+
 // RegisterDirective registers a unique directive dir with an
 // associated unmarshaling (setup) function. When directive dir
 // is encountered in a Caddyfile, setupFunc will be called to
@@ -151,7 +161,7 @@ func RegisterHandlerDirective(dir string, setupFunc UnmarshalHandlerFunc) {
 // EXPERIMENTAL: This API may change or be removed.
 func RegisterDirectiveOrder(dir string, position Positional, standardDir string) {
 	// check if directive was already ordered
-	if slices.Contains(directiveOrder, dir) {
+	if directiveIsOrdered(dir) {
 		panic("directive '" + dir + "' already ordered")
 	}
 
@@ -162,7 +172,12 @@ func RegisterDirectiveOrder(dir string, position Positional, standardDir string)
 	// check if directive exists in standard distribution, since
 	// we can't allow plugins to depend on one another; we can't
 	// guarantee the order that plugins are loaded in.
-	foundStandardDir := slices.Contains(defaultDirectiveOrder, standardDir)
+	foundStandardDir := false
+	for _, d := range defaultDirectiveOrder {
+		if d == standardDir {
+			foundStandardDir = true
+		}
+	}
 	if !foundStandardDir {
 		panic("the 3rd argument '" + standardDir + "' must be a directive that exists in the standard distribution of Caddy")
 	}
@@ -516,9 +531,9 @@ func sortRoutes(routes []ConfigValue) {
 // a "pile" of config values, keyed by class name,
 // as well as its parsed keys for convenience.
 type serverBlock struct {
-	block      caddyfile.ServerBlock
-	pile       map[string][]ConfigValue // config values obtained from directives
-	parsedKeys []Address
+	block caddyfile.ServerBlock
+	pile  map[string][]ConfigValue // config values obtained from directives
+	keys  []Address
 }
 
 // hostsFromKeys returns a list of all the non-empty hostnames found in
@@ -535,7 +550,7 @@ type serverBlock struct {
 func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			if !loggerMode {
 				// server block contains a key like ":443", i.e. the host portion
@@ -567,7 +582,7 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 	// ensure each entry in our list is unique
 	hostMap := make(map[string]struct{})
-	for _, addr := range sb.parsedKeys {
+	for _, addr := range sb.keys {
 		if addr.Host == "" {
 			continue
 		}
@@ -588,17 +603,23 @@ func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
-	return slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Host == ""
-	})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			return true
+		}
+	}
+	return false
 }
 
 // isAllHTTP returns true if all sb keys explicitly specify
 // the http:// scheme
 func (sb serverBlock) isAllHTTP() bool {
-	return !slices.ContainsFunc(sb.parsedKeys, func(addr Address) bool {
-		return addr.Scheme != "http"
-	})
+	for _, addr := range sb.keys {
+		if addr.Scheme != "http" {
+			return false
+		}
+	}
+	return true
 }
 
 // Positional are the supported modes for ordering directives.

caddyconfig/httpcaddyfile/directives_test.go

@@ -78,7 +78,7 @@ func TestHostsFromKeys(t *testing.T) {
 			[]string{"example.com:2015"},
 		},
 	} {
-		sb := serverBlock{parsedKeys: tc.keys}
+		sb := serverBlock{keys: tc.keys}
 
 		// test in normal mode
 		actual := sb.hostsFromKeys(false)

caddyconfig/httpcaddyfile/httptype.go

@@ -15,7 +15,6 @@
 package httpcaddyfile
 
 import (
-	"cmp"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -172,7 +171,7 @@ func (st ServerType) Setup(
 	}
 
 	// map
-	sbmap, err := st.mapAddressToProtocolToServerBlocks(originalServerBlocks, options)
+	sbmap, err := st.mapAddressToServerBlocks(originalServerBlocks, options)
 	if err != nil {
 		return nil, warnings, err
 	}
@@ -187,25 +186,12 @@ func (st ServerType) Setup(
 		return nil, warnings, err
 	}
 
-	// hoist the metrics config from per-server to global
-	metrics, _ := options["metrics"].(*caddyhttp.Metrics)
-	for _, s := range servers {
-		if s.Metrics != nil {
-			metrics = cmp.Or[*caddyhttp.Metrics](metrics, &caddyhttp.Metrics{})
-			metrics = &caddyhttp.Metrics{
-				PerHost: metrics.PerHost || s.Metrics.PerHost,
-			}
-			s.Metrics = nil // we don't need it anymore
-		}
-	}
-
 	// now that each server is configured, make the HTTP app
 	httpApp := caddyhttp.App{
 		HTTPPort:      tryInt(options["http_port"], &warnings),
 		HTTPSPort:     tryInt(options["https_port"], &warnings),
 		GracePeriod:   tryDuration(options["grace_period"], &warnings),
 		ShutdownDelay: tryDuration(options["shutdown_delay"], &warnings),
-		Metrics:       metrics,
 		Servers:       servers,
 	}
 
@@ -416,20 +402,6 @@ func (ServerType) evaluateGlobalOptionsBlock(serverBlocks []serverBlock, options
 			options[opt] = append(existingOpts, logOpts...)
 			continue
 		}
-		// Also fold multiple "default_bind" options together into an
-		// array so that server blocks can have multiple binds by default.
-		if opt == "default_bind" {
-			existingOpts, ok := options[opt].([]ConfigValue)
-			if !ok {
-				existingOpts = []ConfigValue{}
-			}
-			defaultBindOpts, ok := val.([]ConfigValue)
-			if !ok {
-				return nil, fmt.Errorf("unexpected type from 'default_bind' global options: %T", val)
-			}
-			options[opt] = append(existingOpts, defaultBindOpts...)
-			continue
-		}
 
 		options[opt] = val
 	}
@@ -548,8 +520,8 @@ func (st *ServerType) serversFromPairings(
 	if hsp, ok := options["https_port"].(int); ok {
 		httpsPort = strconv.Itoa(hsp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}
 
@@ -564,81 +536,29 @@ func (st *ServerType) serversFromPairings(
 					if k == j {
 						continue
 					}
-					if slices.Contains(sblock2.block.GetKeysText(), key) {
+					if sliceContains(sblock2.block.GetKeysText(), key) {
 						return nil, fmt.Errorf("ambiguous site definition: %s", key)
 					}
 				}
 			}
 		}
 
-		var (
-			addresses []string
-			protocols [][]string
-		)
-
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-			protocols = append(protocols, addressWithProtocols.protocols)
-		}
-
 		srv := &caddyhttp.Server{
-			Listen:          addresses,
-			ListenProtocols: protocols,
-		}
-
-		// remove srv.ListenProtocols[j] if it only contains the default protocols
-		for j, lnProtocols := range srv.ListenProtocols {
-			srv.ListenProtocols[j] = nil
-			for _, lnProtocol := range lnProtocols {
-				if lnProtocol != "" {
-					srv.ListenProtocols[j] = lnProtocols
-					break
-				}
-			}
-		}
-
-		// remove srv.ListenProtocols if it only contains the default protocols for all listen addresses
-		listenProtocols := srv.ListenProtocols
-		srv.ListenProtocols = nil
-		for _, lnProtocols := range listenProtocols {
-			if lnProtocols != nil {
-				srv.ListenProtocols = listenProtocols
-				break
-			}
+			Listen: p.addresses,
 		}
 
 		// handle the auto_https global option
-		for _, val := range autoHTTPS {
-			switch val {
+		if autoHTTPS != "on" {
+			srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
+			switch autoHTTPS {
 			case "off":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.Disabled = true
-
 			case "disable_redirects":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableRedir = true
-
 			case "disable_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.DisableCerts = true
-
 			case "ignore_loaded_certs":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
 				srv.AutoHTTPS.IgnoreLoadedCerts = true
-
-			case "prefer_wildcard":
-				if srv.AutoHTTPS == nil {
-					srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
-				}
-				srv.AutoHTTPS.PreferWildcard = true
 			}
 		}
 
@@ -646,7 +566,7 @@ func (st *ServerType) serversFromPairings(
 		// See ParseAddress() where parsing should later reject paths
 		// See https://github.com/caddyserver/caddy/pull/4728 for a full explanation
 		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				if addr.Path != "" {
 					caddy.Log().Named("caddyfile").Warn("Using a path in a site address is deprecated; please use the 'handle' directive instead", zap.String("address", addr.String()))
 				}
@@ -664,7 +584,7 @@ func (st *ServerType) serversFromPairings(
 			var iLongestPath, jLongestPath string
 			var iLongestHost, jLongestHost string
 			var iWildcardHost, jWildcardHost bool
-			for _, addr := range p.serverBlocks[i].parsedKeys {
+			for _, addr := range p.serverBlocks[i].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					iWildcardHost = true
 				}
@@ -675,7 +595,7 @@ func (st *ServerType) serversFromPairings(
 					iLongestPath = addr.Path
 				}
 			}
-			for _, addr := range p.serverBlocks[j].parsedKeys {
+			for _, addr := range p.serverBlocks[j].keys {
 				if strings.Contains(addr.Host, "*") || addr.Host == "" {
 					jWildcardHost = true
 				}
@@ -706,18 +626,8 @@ func (st *ServerType) serversFromPairings(
 			return specificity(iLongestHost) > specificity(jLongestHost)
 		})
 
-		// collect all hosts that have a wildcard in them
-		wildcardHosts := []string{}
-		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
-				if strings.HasPrefix(addr.Host, "*.") {
-					wildcardHosts = append(wildcardHosts, addr.Host[2:])
-				}
-			}
-		}
-
 		var hasCatchAllTLSConnPolicy, addressQualifiesForTLS bool
-		autoHTTPSWillAddConnPolicy := srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled
+		autoHTTPSWillAddConnPolicy := autoHTTPS != "off"
 
 		// if needed, the ServerLogConfig is initialized beforehand so
 		// that all server blocks can populate it with data, even when not
@@ -801,7 +711,7 @@ func (st *ServerType) serversFromPairings(
 				}
 			}
 
-			for _, addr := range sblock.parsedKeys {
+			for _, addr := range sblock.keys {
 				// if server only uses HTTP port, auto-HTTPS will not apply
 				if listenersUseAnyPortOtherThan(srv.Listen, httpPort) {
 					// exclude any hosts that were defined explicitly with "http://"
@@ -810,7 +720,7 @@ func (st *ServerType) serversFromPairings(
 						if srv.AutoHTTPS == nil {
 							srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig)
 						}
-						if !slices.Contains(srv.AutoHTTPS.Skip, addr.Host) {
+						if !sliceContains(srv.AutoHTTPS.Skip, addr.Host) {
 							srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, addr.Host)
 						}
 					}
@@ -824,7 +734,7 @@ func (st *ServerType) serversFromPairings(
 				// https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
 				createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
 				hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
-					(addr.Host != "" && srv.AutoHTTPS != nil && !slices.Contains(srv.AutoHTTPS.Skip, addr.Host))
+					(addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))
 
 				// we'll need to remember if the address qualifies for auto-HTTPS, so we
 				// can add a TLS conn policy if necessary
@@ -832,19 +742,6 @@ func (st *ServerType) serversFromPairings(
 					(addr.Scheme != "http" && addr.Port != httpPort && hasTLSEnabled) {
 					addressQualifiesForTLS = true
 				}
-
-				// If prefer wildcard is enabled, then we add hosts that are
-				// already covered by the wildcard to the skip list
-				if addressQualifiesForTLS && srv.AutoHTTPS != nil && srv.AutoHTTPS.PreferWildcard {
-					baseDomain := addr.Host
-					if idx := strings.Index(baseDomain, "."); idx != -1 {
-						baseDomain = baseDomain[idx+1:]
-					}
-					if !strings.HasPrefix(addr.Host, "*.") && slices.Contains(wildcardHosts, baseDomain) {
-						srv.AutoHTTPS.SkipCerts = append(srv.AutoHTTPS.SkipCerts, addr.Host)
-					}
-				}
-
 				// predict whether auto-HTTPS will add the conn policy for us; if so, we
 				// may not need to add one for this server
 				autoHTTPSWillAddConnPolicy = autoHTTPSWillAddConnPolicy &&
@@ -976,10 +873,7 @@ func (st *ServerType) serversFromPairings(
 		if addressQualifiesForTLS &&
 			!hasCatchAllTLSConnPolicy &&
 			(len(srv.TLSConnPolicies) > 0 || !autoHTTPSWillAddConnPolicy || defaultSNI != "" || fallbackSNI != "") {
-			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{
-				DefaultSNI:  defaultSNI,
-				FallbackSNI: fallbackSNI,
-			})
+			srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{DefaultSNI: defaultSNI, FallbackSNI: fallbackSNI})
 		}
 
 		// tidy things up a bit
@@ -992,7 +886,8 @@ func (st *ServerType) serversFromPairings(
 		servers[fmt.Sprintf("srv%d", i)] = srv
 	}
 
-	if err := applyServerOptions(servers, options, warnings); err != nil {
+	err := applyServerOptions(servers, options, warnings)
+	if err != nil {
 		return nil, fmt.Errorf("applying global server options: %v", err)
 	}
 
@@ -1037,7 +932,7 @@ func detectConflictingSchemes(srv *caddyhttp.Server, serverBlocks []serverBlock,
 	}
 
 	for _, sblock := range serverBlocks {
-		for _, addr := range sblock.parsedKeys {
+		for _, addr := range sblock.keys {
 			if addr.Scheme == "http" || addr.Port == httpPort {
 				if err := checkAndSetHTTP(addr); err != nil {
 					return err
@@ -1166,7 +1061,7 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti
 				} else if cps[i].CertSelection != nil && cps[j].CertSelection != nil {
 					// if both have one, then combine AnyTag
 					for _, tag := range cps[j].CertSelection.AnyTag {
-						if !slices.Contains(cps[i].CertSelection.AnyTag, tag) {
+						if !sliceContains(cps[i].CertSelection.AnyTag, tag) {
 							cps[i].CertSelection.AnyTag = append(cps[i].CertSelection.AnyTag, tag)
 						}
 					}
@@ -1249,7 +1144,7 @@ func appendSubrouteToRouteList(routeList caddyhttp.RouteList,
 func buildSubroute(routes []ConfigValue, groupCounter counter, needsSorting bool) (*caddyhttp.Subroute, error) {
 	if needsSorting {
 		for _, val := range routes {
-			if !slices.Contains(directiveOrder, val.directive) {
+			if !directiveIsOrdered(val.directive) {
 				return nil, fmt.Errorf("directive '%s' is not an ordered HTTP handler, so it cannot be used here - try placing within a route block or using the order global option", val.directive)
 			}
 		}
@@ -1427,7 +1322,7 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 	var matcherPairs []*hostPathPair
 
 	var catchAllHosts bool
-	for _, addr := range sblock.parsedKeys {
+	for _, addr := range sblock.keys {
 		// choose a matcher pair that should be shared by this
 		// server block; if none exists yet, create one
 		var chosenMatcherPair *hostPathPair
@@ -1459,16 +1354,25 @@ func (st *ServerType) compileEncodedMatcherSets(sblock serverBlock) ([]caddy.Mod
 
 		// add this server block's keys to the matcher
 		// pair if it doesn't already exist
-		if addr.Host != "" && !slices.Contains(chosenMatcherPair.hostm, addr.Host) {
-			chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+		if addr.Host != "" {
+			var found bool
+			for _, h := range chosenMatcherPair.hostm {
+				if h == addr.Host {
+					found = true
+					break
+				}
+			}
+			if !found {
+				chosenMatcherPair.hostm = append(chosenMatcherPair.hostm, addr.Host)
+			}
 		}
 	}
 
 	// iterate each pairing of host and path matchers and
 	// put them into a map for JSON encoding
-	var matcherSets []map[string]caddyhttp.RequestMatcherWithError
+	var matcherSets []map[string]caddyhttp.RequestMatcher
 	for _, mp := range matcherPairs {
-		matcherSet := make(map[string]caddyhttp.RequestMatcherWithError)
+		matcherSet := make(map[string]caddyhttp.RequestMatcher)
 		if len(mp.hostm) > 0 {
 			matcherSet["host"] = mp.hostm
 		}
@@ -1527,17 +1431,12 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 		if err != nil {
 			return err
 		}
-
-		if rm, ok := unm.(caddyhttp.RequestMatcherWithError); ok {
-			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
-			return nil
+		rm, ok := unm.(caddyhttp.RequestMatcher)
+		if !ok {
+			return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
 		}
-		// nolint:staticcheck
-		if rm, ok := unm.(caddyhttp.RequestMatcher); ok {
-			matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
-			return nil
-		}
-		return fmt.Errorf("matcher module '%s' is not a request matcher", matcherName)
+		matchers[definitionName][matcherName] = caddyconfig.JSON(rm, nil)
+		return nil
 	}
 
 	// if the next token is quoted, we can assume it's not a matcher name
@@ -1581,7 +1480,7 @@ func parseMatcherDefinitions(d *caddyfile.Dispenser, matchers map[string]caddy.M
 	return nil
 }
 
-func encodeMatcherSet(matchers map[string]caddyhttp.RequestMatcherWithError) (caddy.ModuleMap, error) {
+func encodeMatcherSet(matchers map[string]caddyhttp.RequestMatcher) (caddy.ModuleMap, error) {
 	msEncoded := make(caddy.ModuleMap)
 	for matcherName, val := range matchers {
 		jsonBytes, err := json.Marshal(val)
@@ -1641,6 +1540,16 @@ func tryDuration(val any, warnings *[]caddyconfig.Warning) caddy.Duration {
 	return durationVal
 }
 
+// sliceContains returns true if needle is in haystack.
+func sliceContains(haystack []string, needle string) bool {
+	for _, s := range haystack {
+		if s == needle {
+			return true
+		}
+	}
+	return false
+}
+
 // listenersUseAnyPortOtherThan returns true if there are any
 // listeners in addresses that use a port which is not otherPort.
 // Mostly borrowed from unexported method in caddyhttp package.
@@ -1704,19 +1613,12 @@ type namedCustomLog struct {
 	noHostname bool
 }
 
-// addressWithProtocols associates a listen address with
-// the protocols to serve it with
-type addressWithProtocols struct {
-	address   string
-	protocols []string
-}
-
 // sbAddrAssociation is a mapping from a list of
-// addresses with protocols, and a list of server
-// blocks that are served on those addresses.
+// addresses to a list of server blocks that are
+// served on those addresses.
 type sbAddrAssociation struct {
-	addressesWithProtocols []addressWithProtocols
-	serverBlocks           []serverBlock
+	addresses    []string
+	serverBlocks []serverBlock
 }
 
 const (

caddyconfig/httpcaddyfile/options.go

@@ -15,7 +15,6 @@
 package httpcaddyfile
 
 import (
-	"slices"
 	"strconv"
 
 	"github.com/caddyserver/certmagic"
@@ -24,7 +23,6 @@ import (
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
@@ -32,15 +30,14 @@ func init() {
 	RegisterGlobalOption("debug", parseOptTrue)
 	RegisterGlobalOption("http_port", parseOptHTTPPort)
 	RegisterGlobalOption("https_port", parseOptHTTPSPort)
-	RegisterGlobalOption("default_bind", parseOptDefaultBind)
+	RegisterGlobalOption("default_bind", parseOptStringList)
 	RegisterGlobalOption("grace_period", parseOptDuration)
 	RegisterGlobalOption("shutdown_delay", parseOptDuration)
 	RegisterGlobalOption("default_sni", parseOptSingleString)
 	RegisterGlobalOption("fallback_sni", parseOptSingleString)
 	RegisterGlobalOption("order", parseOptOrder)
 	RegisterGlobalOption("storage", parseOptStorage)
-	RegisterGlobalOption("storage_check", parseStorageCheck)
-	RegisterGlobalOption("storage_clean_interval", parseStorageCleanInterval)
+	RegisterGlobalOption("storage_clean_interval", parseOptDuration)
 	RegisterGlobalOption("renew_interval", parseOptDuration)
 	RegisterGlobalOption("ocsp_interval", parseOptDuration)
 	RegisterGlobalOption("acme_ca", parseOptSingleString)
@@ -55,7 +52,6 @@ func init() {
 	RegisterGlobalOption("local_certs", parseOptTrue)
 	RegisterGlobalOption("key_type", parseOptSingleString)
 	RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
-	RegisterGlobalOption("metrics", parseMetricsOptions)
 	RegisterGlobalOption("servers", parseServerOptions)
 	RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
 	RegisterGlobalOption("cert_lifetime", parseOptDuration)
@@ -114,12 +110,17 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 	}
 	pos := Positional(d.Val())
 
-	// if directive already had an order, drop it
-	newOrder := slices.DeleteFunc(directiveOrder, func(d string) bool {
-		return d == dirName
-	})
+	newOrder := directiveOrder
 
-	// act on the positional; if it's First or Last, we're done right away
+	// if directive exists, first remove it
+	for i, d := range newOrder {
+		if d == dirName {
+			newOrder = append(newOrder[:i], newOrder[i+1:]...)
+			break
+		}
+	}
+
+	// act on the positional
 	switch pos {
 	case First:
 		newOrder = append([]string{dirName}, newOrder...)
@@ -128,7 +129,6 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
-
 	case Last:
 		newOrder = append(newOrder, dirName)
 		if d.NextArg() {
@@ -136,11 +136,8 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		}
 		directiveOrder = newOrder
 		return newOrder, nil
-
-	// if it's Before or After, continue
 	case Before:
 	case After:
-
 	default:
 		return nil, d.Errf("unknown positional '%s'", pos)
 	}
@@ -154,17 +151,17 @@ func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
 		return nil, d.ArgErr()
 	}
 
-	// get the position of the target directive
-	targetIndex := slices.Index(newOrder, otherDir)
-	if targetIndex == -1 {
-		return nil, d.Errf("directive '%s' not found", otherDir)
+	// insert directive into proper position
+	for i, d := range newOrder {
+		if d == otherDir {
+			if pos == Before {
+				newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
+			} else if pos == After {
+				newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
+			}
+			break
+		}
 	}
-	// if we're inserting after, we need to increment the index to go after
-	if pos == After {
-		targetIndex++
-	}
-	// insert the directive into the new order
-	newOrder = slices.Insert(newOrder, targetIndex, dirName)
 
 	directiveOrder = newOrder
 
@@ -190,40 +187,6 @@ func parseOptStorage(d *caddyfile.Dispenser, _ any) (any, error) {
 	return storage, nil
 }
 
-func parseStorageCheck(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	if !d.Next() {
-		return "", d.ArgErr()
-	}
-	val := d.Val()
-	if d.Next() {
-		return "", d.ArgErr()
-	}
-	if val != "off" {
-		return "", d.Errf("storage_check must be 'off'")
-	}
-	return val, nil
-}
-
-func parseStorageCleanInterval(d *caddyfile.Dispenser, _ any) (any, error) {
-	d.Next() // consume option name
-	if !d.Next() {
-		return "", d.ArgErr()
-	}
-	val := d.Val()
-	if d.Next() {
-		return "", d.ArgErr()
-	}
-	if val == "off" {
-		return false, nil
-	}
-	dur, err := caddy.ParseDuration(d.Val())
-	if err != nil {
-		return nil, d.Errf("failed to parse storage_clean_interval, must be a duration or 'off' %w", err)
-	}
-	return caddy.Duration(dur), nil
-}
-
 func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
 	if !d.Next() { // consume option name
 		return nil, d.ArgErr()
@@ -321,32 +284,13 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 	return val, nil
 }
 
-func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
+func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
-
-	var addresses, protocols []string
-	addresses = d.RemainingArgs()
-
-	if len(addresses) == 0 {
-		addresses = append(addresses, "")
+	val := d.RemainingArgs()
+	if len(val) == 0 {
+		return "", d.ArgErr()
 	}
-
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "protocols":
-			protocols = d.RemainingArgs()
-			if len(protocols) == 0 {
-				return nil, d.Errf("protocols requires one or more arguments")
-			}
-		default:
-			return nil, d.Errf("unknown subdirective: %s", d.Val())
-		}
-	}
-
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
-	}}}, nil
+	return val, nil
 }
 
 func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
@@ -431,10 +375,36 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 			ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
 
 		case "interval":
-			return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported, remove it from your config")
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			dur, err := caddy.ParseDuration(d.Val())
+			if err != nil {
+				return nil, err
+			}
+			if ond == nil {
+				ond = new(caddytls.OnDemandConfig)
+			}
+			if ond.RateLimit == nil {
+				ond.RateLimit = new(caddytls.RateLimit)
+			}
+			ond.RateLimit.Interval = caddy.Duration(dur)
 
 		case "burst":
-			return nil, d.Errf("the on_demand_tls 'burst' option is no longer supported, remove it from your config")
+			if !d.NextArg() {
+				return nil, d.ArgErr()
+			}
+			burst, err := strconv.Atoi(d.Val())
+			if err != nil {
+				return nil, err
+			}
+			if ond == nil {
+				ond = new(caddytls.OnDemandConfig)
+			}
+			if ond.RateLimit == nil {
+				ond.RateLimit = new(caddytls.RateLimit)
+			}
+			ond.RateLimit.Burst = burst
 
 		default:
 			return nil, d.Errf("unrecognized parameter '%s'", d.Val())
@@ -463,44 +433,19 @@ func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
 
 func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
-	val := d.RemainingArgs()
-	if len(val) == 0 {
+	if !d.Next() {
 		return "", d.ArgErr()
 	}
-	for _, v := range val {
-		switch v {
-		case "off":
-		case "disable_redirects":
-		case "disable_certs":
-		case "ignore_loaded_certs":
-		case "prefer_wildcard":
-			break
-
-		default:
-			return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
-		}
+	val := d.Val()
+	if d.Next() {
+		return "", d.ArgErr()
+	}
+	if val != "off" && val != "disable_redirects" && val != "disable_certs" && val != "ignore_loaded_certs" {
+		return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
 	}
 	return val, nil
 }
 
-func unmarshalCaddyfileMetricsOptions(d *caddyfile.Dispenser) (any, error) {
-	d.Next() // consume option name
-	metrics := new(caddyhttp.Metrics)
-	for d.NextBlock(0) {
-		switch d.Val() {
-		case "per_host":
-			metrics.PerHost = true
-		default:
-			return nil, d.Errf("unrecognized servers option '%s'", d.Val())
-		}
-	}
-	return metrics, nil
-}
-
-func parseMetricsOptions(d *caddyfile.Dispenser, _ any) (any, error) {
-	return unmarshalCaddyfileMetricsOptions(d)
-}
-
 func parseServerOptions(d *caddyfile.Dispenser, _ any) (any, error) {
 	return unmarshalCaddyfileServerOptions(d)
 }

caddyconfig/httpcaddyfile/serveroptions.go

@@ -17,7 +17,6 @@ package httpcaddyfile
 import (
 	"encoding/json"
 	"fmt"
-	"slices"
 
 	"github.com/dustin/go-humanize"
 
@@ -181,7 +180,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 				if proto != "h1" && proto != "h2" && proto != "h2c" && proto != "h3" {
 					return nil, d.Errf("unknown protocol '%s': expected h1, h2, h2c, or h3", proto)
 				}
-				if slices.Contains(serverOpts.Protocols, proto) {
+				if sliceContains(serverOpts.Protocols, proto) {
 					return nil, d.Errf("protocol %s specified more than once", proto)
 				}
 				serverOpts.Protocols = append(serverOpts.Protocols, proto)
@@ -230,7 +229,7 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 		case "client_ip_headers":
 			headers := d.RemainingArgs()
 			for _, header := range headers {
-				if slices.Contains(serverOpts.ClientIPHeaders, header) {
+				if sliceContains(serverOpts.ClientIPHeaders, header) {
 					return nil, d.Errf("client IP header %s specified more than once", header)
 				}
 				serverOpts.ClientIPHeaders = append(serverOpts.ClientIPHeaders, header)
@@ -240,14 +239,13 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
 			}
 
 		case "metrics":
-			caddy.Log().Warn("The nested 'metrics' option inside `servers` is deprecated and will be removed in the next major version. Use the global 'metrics' option instead.")
-			serverOpts.Metrics = new(caddyhttp.Metrics)
-			for nesting := d.Nesting(); d.NextBlock(nesting); {
-				switch d.Val() {
-				case "per_host":
-					serverOpts.Metrics.PerHost = true
-				}
+			if d.NextArg() {
+				return nil, d.ArgErr()
 			}
+			if nesting := d.Nesting(); d.NextBlock(nesting) {
+				return nil, d.ArgErr()
+			}
+			serverOpts.Metrics = new(caddyhttp.Metrics)
 
 		case "trace":
 			if d.NextArg() {
@@ -290,15 +288,24 @@ func applyServerOptions(
 
 	for key, server := range servers {
 		// find the options that apply to this server
-		optsIndex := slices.IndexFunc(serverOpts, func(s serverOptions) bool {
-			return s.ListenerAddress == "" || slices.Contains(server.Listen, s.ListenerAddress)
-		})
+		opts := func() *serverOptions {
+			for _, entry := range serverOpts {
+				if entry.ListenerAddress == "" {
+					return &entry
+				}
+				for _, listener := range server.Listen {
+					if entry.ListenerAddress == listener {
+						return &entry
+					}
+				}
+			}
+			return nil
+		}()
 
 		// if none apply, then move to the next server
-		if optsIndex == -1 {
+		if opts == nil {
 			continue
 		}
-		opts := serverOpts[optsIndex]
 
 		// set all the options
 		server.ListenerWrappersRaw = opts.ListenerWrappersRaw

caddyconfig/httpcaddyfile/tlsapp.go

@@ -19,7 +19,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -45,8 +44,8 @@ func (st ServerType) buildTLSApp(
 	if hp, ok := options["http_port"].(int); ok {
 		httpPort = strconv.Itoa(hp)
 	}
-	autoHTTPS := []string{}
-	if ah, ok := options["auto_https"].([]string); ok {
+	autoHTTPS := "on"
+	if ah, ok := options["auto_https"].(string); ok {
 		autoHTTPS = ah
 	}
 
@@ -54,25 +53,23 @@ func (st ServerType) buildTLSApp(
 	// key, so that they don't get forgotten/omitted by auto-HTTPS
 	// (since they won't appear in route matchers)
 	httpsHostsSharedWithHostlessKey := make(map[string]struct{})
-	if !slices.Contains(autoHTTPS, "off") {
+	if autoHTTPS != "off" {
 		for _, pair := range pairings {
 			for _, sb := range pair.serverBlocks {
-				for _, addr := range sb.parsedKeys {
-					if addr.Host != "" {
-						continue
-					}
-
-					// this server block has a hostless key, now
-					// go through and add all the hosts to the set
-					for _, otherAddr := range sb.parsedKeys {
-						if otherAddr.Original == addr.Original {
-							continue
-						}
-						if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
-							httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+				for _, addr := range sb.keys {
+					if addr.Host == "" {
+						// this server block has a hostless key, now
+						// go through and add all the hosts to the set
+						for _, otherAddr := range sb.keys {
+							if otherAddr.Original == addr.Original {
+								continue
+							}
+							if otherAddr.Host != "" && otherAddr.Scheme != "http" && otherAddr.Port != httpPort {
+								httpsHostsSharedWithHostlessKey[otherAddr.Host] = struct{}{}
+							}
 						}
+						break
 					}
-					break
 				}
 			}
 		}
@@ -92,32 +89,9 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP)
 	}
 
-	// collect all hosts that have a wildcard in them, and arent HTTP
-	wildcardHosts := []string{}
-	for _, p := range pairings {
-		var addresses []string
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-		}
-		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
-			continue
-		}
-		for _, sblock := range p.serverBlocks {
-			for _, addr := range sblock.parsedKeys {
-				if strings.HasPrefix(addr.Host, "*.") {
-					wildcardHosts = append(wildcardHosts, addr.Host[2:])
-				}
-			}
-		}
-	}
-
 	for _, p := range pairings {
 		// avoid setting up TLS automation policies for a server that is HTTP-only
-		var addresses []string
-		for _, addressWithProtocols := range p.addressesWithProtocols {
-			addresses = append(addresses, addressWithProtocols.address)
-		}
-		if !listenersUseAnyPortOtherThan(addresses, httpPort) {
+		if !listenersUseAnyPortOtherThan(p.addresses, httpPort) {
 			continue
 		}
 
@@ -134,12 +108,6 @@ func (st ServerType) buildTLSApp(
 				return nil, warnings, err
 			}
 
-			// make a plain copy so we can compare whether we made any changes
-			apCopy, err := newBaseAutomationPolicy(options, warnings, true)
-			if err != nil {
-				return nil, warnings, err
-			}
-
 			sblockHosts := sblock.hostsFromKeys(false)
 			if len(sblockHosts) == 0 && catchAllAP != nil {
 				ap = catchAllAP
@@ -213,8 +181,8 @@ func (st ServerType) buildTLSApp(
 					if acmeIssuer.Challenges.BindHost == "" {
 						// only binding to one host is supported
 						var bindHost string
-						if asserted, ok := cfgVal.Value.(addressesWithProtocols); ok && len(asserted.addresses) > 0 {
-							bindHost = asserted.addresses[0]
+						if bindHosts, ok := cfgVal.Value.([]string); ok && len(bindHosts) > 0 {
+							bindHost = bindHosts[0]
 						}
 						acmeIssuer.Challenges.BindHost = bindHost
 					}
@@ -242,21 +210,9 @@ func (st ServerType) buildTLSApp(
 				catchAllAP = ap
 			}
 
-			hostsNotHTTP := sblock.hostsFromKeysNotHTTP(httpPort)
-			sort.Strings(hostsNotHTTP) // solely for deterministic test results
-
-			// if the we prefer wildcards and the AP is unchanged,
-			// then we can skip this AP because it should be covered
-			// by an AP with a wildcard
-			if slices.Contains(autoHTTPS, "prefer_wildcard") {
-				if hostsCoveredByWildcard(hostsNotHTTP, wildcardHosts) &&
-					reflect.DeepEqual(ap, apCopy) {
-					continue
-				}
-			}
-
 			// associate our new automation policy with this server block's hosts
-			ap.SubjectsRaw = hostsNotHTTP
+			ap.SubjectsRaw = sblock.hostsFromKeysNotHTTP(httpPort)
+			sort.Strings(ap.SubjectsRaw) // solely for deterministic test results
 
 			// if a combination of public and internal names were given
 			// for this same server block and no issuer was specified, we
@@ -295,7 +251,6 @@ func (st ServerType) buildTLSApp(
 					ap2.IssuersRaw = []json.RawMessage{caddyconfig.JSONModuleObject(caddytls.InternalIssuer{}, "module", "internal", &warnings)}
 				}
 			}
-
 			if tlsApp.Automation == nil {
 				tlsApp.Automation = new(caddytls.AutomationConfig)
 			}
@@ -349,16 +304,6 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.OnDemand = onDemand
 	}
 
-	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
-	if sc, ok := options["storage_check"].(string); ok && sc == "off" {
-		tlsApp.DisableStorageCheck = true
-	}
-
-	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
-	if sci, ok := options["storage_clean_interval"].(bool); ok && !sci {
-		tlsApp.DisableStorageClean = true
-	}
-
 	// set the storage clean interval if configured
 	if storageCleanInterval, ok := options["storage_clean_interval"].(caddy.Duration); ok {
 		if tlsApp.Automation == nil {
@@ -399,7 +344,7 @@ func (st ServerType) buildTLSApp(
 	internalAP := &caddytls.AutomationPolicy{
 		IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
 	}
-	if !slices.Contains(autoHTTPS, "off") && !slices.Contains(autoHTTPS, "disable_certs") {
+	if autoHTTPS != "off" && autoHTTPS != "disable_certs" {
 		for h := range httpsHostsSharedWithHostlessKey {
 			al = append(al, h)
 			if !certmagic.SubjectQualifiesForPublicCert(h) {
@@ -520,7 +465,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	if globalACMECA != nil && acmeIssuer.CA == "" {
 		acmeIssuer.CA = globalACMECA.(string)
 	}
-	if globalACMECARoot != nil && !slices.Contains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
+	if globalACMECARoot != nil && !sliceContains(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string)) {
 		acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, globalACMECARoot.(string))
 	}
 	if globalACMEDNS != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) {
@@ -635,7 +580,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 			if !automationPolicyHasAllPublicNames(aps[i]) {
 				// if this automation policy has internal names, we might as well remove it
 				// so auto-https can implicitly use the internal issuer
-				aps = slices.Delete(aps, i, i+1)
+				aps = append(aps[:i], aps[i+1:]...)
 				i--
 			}
 		}
@@ -652,7 +597,7 @@ outer:
 		for j := i + 1; j < len(aps); j++ {
 			// if they're exactly equal in every way, just keep one of them
 			if reflect.DeepEqual(aps[i], aps[j]) {
-				aps = slices.Delete(aps, j, j+1)
+				aps = append(aps[:j], aps[j+1:]...)
 				// must re-evaluate current i against next j; can't skip it!
 				// even if i decrements to -1, will be incremented to 0 immediately
 				i--
@@ -682,18 +627,18 @@ outer:
 					// cause example.com to be served by the less specific policy for
 					// '*.com', which might be different (yes we've seen this happen)
 					if automationPolicyShadows(i, aps) >= j {
-						aps = slices.Delete(aps, i, i+1)
+						aps = append(aps[:i], aps[i+1:]...)
 						i--
 						continue outer
 					}
 				} else {
 					// avoid repeated subjects
 					for _, subj := range aps[j].SubjectsRaw {
-						if !slices.Contains(aps[i].SubjectsRaw, subj) {
+						if !sliceContains(aps[i].SubjectsRaw, subj) {
 							aps[i].SubjectsRaw = append(aps[i].SubjectsRaw, subj)
 						}
 					}
-					aps = slices.Delete(aps, j, j+1)
+					aps = append(aps[:j], aps[j+1:]...)
 					j--
 				}
 			}
@@ -713,9 +658,13 @@ func automationPolicyIsSubset(a, b *caddytls.AutomationPolicy) bool {
 		return false
 	}
 	for _, aSubj := range a.SubjectsRaw {
-		inSuperset := slices.ContainsFunc(b.SubjectsRaw, func(bSubj string) bool {
-			return certmagic.MatchWildcard(aSubj, bSubj)
-		})
+		var inSuperset bool
+		for _, bSubj := range b.SubjectsRaw {
+			if certmagic.MatchWildcard(aSubj, bSubj) {
+				inSuperset = true
+				break
+			}
+		}
 		if !inSuperset {
 			return false
 		}
@@ -760,28 +709,14 @@ func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) b
 // automationPolicyHasAllPublicNames returns true if all the names on the policy
 // do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
-	return !slices.ContainsFunc(ap.SubjectsRaw, func(i string) bool {
-		return !subjectQualifiesForPublicCert(ap, i) || isTailscaleDomain(i)
-	})
+	for _, subj := range ap.SubjectsRaw {
+		if !subjectQualifiesForPublicCert(ap, subj) || isTailscaleDomain(subj) {
+			return false
+		}
+	}
+	return true
 }
 
 func isTailscaleDomain(name string) bool {
 	return strings.HasSuffix(strings.ToLower(name), ".ts.net")
 }
-
-func hostsCoveredByWildcard(hosts []string, wildcards []string) bool {
-	if len(hosts) == 0 || len(wildcards) == 0 {
-		return false
-	}
-	for _, host := range hosts {
-		for _, wildcard := range wildcards {
-			if strings.HasPrefix(host, "*.") {
-				continue
-			}
-			if certmagic.MatchWildcard(host, "*."+wildcard) {
-				return true
-			}
-		}
-	}
-	return false
-}

caddytest/caddytest.go

@@ -1,40 +1,29 @@
 package caddytest
 
 import (
-	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
-	"io/fs"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cookiejar"
 	"os"
-	"path"
-	"reflect"
-	"regexp"
-	"runtime"
+	"strconv"
 	"strings"
-	"testing"
+	"sync/atomic"
 	"time"
 
-	"github.com/aryann/difflib"
-
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
 
-	"github.com/caddyserver/caddy/v2/caddyconfig"
 	// plug in Caddy modules here
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
 )
 
 // Defaults store any configuration required to make the tests run
 type Defaults struct {
-	// Port we expect caddy to listening on
-	AdminPort int
 	// Certificates we expect to be loaded before attempting to run the tests
 	Certificates []string
 	// TestRequestTimeout is the time to wait for a http request to
@@ -45,29 +34,31 @@ type Defaults struct {
 
 // Default testing values
 var Default = Defaults{
-	AdminPort:          2999, // different from what a real server also running on a developer's machine might be
 	Certificates:       []string{"/caddy.localhost.crt", "/caddy.localhost.key"},
 	TestRequestTimeout: 5 * time.Second,
 	LoadRequestTimeout: 5 * time.Second,
 }
 
-var (
-	matchKey  = regexp.MustCompile(`(/[\w\d\.]+\.key)`)
-	matchCert = regexp.MustCompile(`(/[\w\d\.]+\.crt)`)
-)
-
 // Tester represents an instance of a test client.
 type Tester struct {
-	Client       *http.Client
-	configLoaded bool
-	t            testing.TB
+	Client *http.Client
+
+	adminPort int
+
+	portOne int
+	portTwo int
+
+	started        atomic.Bool
+	configLoaded   bool
+	configFileName string
+	envFileName    string
 }
 
 // NewTester will create a new testing client with an attached cookie jar
-func NewTester(t testing.TB) *Tester {
+func NewTester() (*Tester, error) {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
-		t.Fatalf("failed to create cookiejar: %s", err)
+		return nil, fmt.Errorf("failed to create cookiejar: %w", err)
 	}
 
 	return &Tester{
@@ -77,8 +68,7 @@ func NewTester(t testing.TB) *Tester {
 			Timeout:   Default.TestRequestTimeout,
 		},
 		configLoaded: false,
-		t:            t,
-	}
+	}, nil
 }
 
 type configLoadError struct {
@@ -92,53 +82,73 @@ func timeElapsed(start time.Time, name string) {
 	log.Printf("%s took %s", name, elapsed)
 }
 
-// InitServer this will configure the server with a configurion of a specific
-// type. The configType must be either "json" or the adapter type.
-func (tc *Tester) InitServer(rawConfig string, configType string) {
-	if err := tc.initServer(rawConfig, configType); err != nil {
-		tc.t.Logf("failed to load config: %s", err)
-		tc.t.Fail()
+// launch caddy will start the server
+func (tc *Tester) LaunchCaddy() error {
+	if !tc.started.CompareAndSwap(false, true) {
+		return fmt.Errorf("already launched caddy with this tester")
 	}
-	if err := tc.ensureConfigRunning(rawConfig, configType); err != nil {
-		tc.t.Logf("failed ensuring config is running: %s", err)
-		tc.t.Fail()
+	if err := tc.startServer(); err != nil {
+		return fmt.Errorf("failed to start server: %w", err)
 	}
+	return nil
 }
 
-// InitServer this will configure the server with a configurion of a specific
-// type. The configType must be either "json" or the adapter type.
-func (tc *Tester) initServer(rawConfig string, configType string) error {
-	if testing.Short() {
-		tc.t.SkipNow()
-		return nil
-	}
-
-	err := validateTestPrerequisites(tc.t)
-	if err != nil {
-		tc.t.Skipf("skipping tests as failed integration prerequisites. %s", err)
-		return nil
-	}
-
-	tc.t.Cleanup(func() {
-		if tc.t.Failed() && tc.configLoaded {
-			res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
-			if err != nil {
-				tc.t.Log("unable to read the current config")
-				return
-			}
-			defer res.Body.Close()
-			body, _ := io.ReadAll(res.Body)
-
-			var out bytes.Buffer
-			_ = json.Indent(&out, body, "", "  ")
-			tc.t.Logf("----------- failed with config -----------\n%s", out.String())
+func (tc *Tester) CleanupCaddy() error {
+	// now shutdown the server, since the test is done.
+	defer func() {
+		// try to remove  pthe tmp config file we created
+		if tc.configFileName != "" {
+			os.Remove(tc.configFileName)
 		}
-	})
+		if tc.envFileName != "" {
+			os.Remove(tc.envFileName)
+		}
+	}()
+	resp, err := http.Post(fmt.Sprintf("http://localhost:%d/stop", tc.adminPort), "", nil)
+	if err != nil {
+		return fmt.Errorf("couldn't stop caddytest server: %w", err)
+	}
+	resp.Body.Close()
+	for retries := 0; retries < 10; retries++ {
+		if tc.isCaddyAdminRunning() != nil {
+			return nil
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
 
-	rawConfig = prependCaddyFilePath(rawConfig)
+	return fmt.Errorf("timed out waiting for caddytest server to stop")
+}
+
+func (tc *Tester) AdminPort() int {
+	return tc.adminPort
+}
+
+func (tc *Tester) PortOne() int {
+	return tc.portOne
+}
+
+func (tc *Tester) PortTwo() int {
+	return tc.portTwo
+}
+
+func (tc *Tester) ReplaceTestingPlaceholders(x string) string {
+	x = strings.ReplaceAll(x, "{$TESTING_CADDY_ADMIN_BIND}", fmt.Sprintf("localhost:%d", tc.adminPort))
+	x = strings.ReplaceAll(x, "{$TESTING_CADDY_ADMIN_PORT}", fmt.Sprintf("%d", tc.adminPort))
+	x = strings.ReplaceAll(x, "{$TESTING_CADDY_PORT_ONE}", fmt.Sprintf("%d", tc.portOne))
+	x = strings.ReplaceAll(x, "{$TESTING_CADDY_PORT_TWO}", fmt.Sprintf("%d", tc.portTwo))
+	return x
+}
+
+// LoadConfig loads the config to the tester server and also ensures that the config was loaded
+// it should not be run
+func (tc *Tester) LoadConfig(rawConfig string, configType string) error {
+	if tc.adminPort == 0 {
+		return fmt.Errorf("load config called where startServer didnt succeed")
+	}
+	rawConfig = tc.ReplaceTestingPlaceholders(rawConfig)
+	// replace special testing placeholders so we can have our admin api be on a random port
 	// normalize JSON config
 	if configType == "json" {
-		tc.t.Logf("Before: %s", rawConfig)
 		var conf any
 		if err := json.Unmarshal([]byte(rawConfig), &conf); err != nil {
 			return err
@@ -148,16 +158,14 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 			return err
 		}
 		rawConfig = string(c)
-		tc.t.Logf("After: %s", rawConfig)
 	}
 	client := &http.Client{
 		Timeout: Default.LoadRequestTimeout,
 	}
 	start := time.Now()
-	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", Default.AdminPort), strings.NewReader(rawConfig))
+	req, err := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/load", tc.adminPort), strings.NewReader(rawConfig))
 	if err != nil {
-		tc.t.Errorf("failed to create request. %s", err)
-		return err
+		return fmt.Errorf("failed to create request. %w", err)
 	}
 
 	if configType == "json" {
@@ -168,16 +176,14 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 
 	res, err := client.Do(req)
 	if err != nil {
-		tc.t.Errorf("unable to contact caddy server. %s", err)
-		return err
+		return fmt.Errorf("unable to contact caddy server. %w", err)
 	}
 	timeElapsed(start, "caddytest: config load time")
 
 	defer res.Body.Close()
 	body, err := io.ReadAll(res.Body)
 	if err != nil {
-		tc.t.Errorf("unable to read response. %s", err)
-		return err
+		return fmt.Errorf("unable to read response. %w", err)
 	}
 
 	if res.StatusCode != 200 {
@@ -185,133 +191,115 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
 	}
 
 	tc.configLoaded = true
+
+	// if the config is not loaded at this point, it is a bug in caddy's config.Load
+	// the contract for config.Load states that the config must be loaded before it returns, and that it will
+	// error if the config fails to apply
 	return nil
 }
 
-func (tc *Tester) ensureConfigRunning(rawConfig string, configType string) error {
-	expectedBytes := []byte(prependCaddyFilePath(rawConfig))
-	if configType != "json" {
-		adapter := caddyconfig.GetAdapter(configType)
-		if adapter == nil {
-			return fmt.Errorf("adapter of config type is missing: %s", configType)
-		}
-		expectedBytes, _, _ = adapter.Adapt([]byte(rawConfig), nil)
-	}
-
-	var expected any
-	err := json.Unmarshal(expectedBytes, &expected)
-	if err != nil {
-		return err
-	}
-
+func (tc *Tester) GetCurrentConfig(receiver any) error {
 	client := &http.Client{
 		Timeout: Default.LoadRequestTimeout,
 	}
 
-	fetchConfig := func(client *http.Client) any {
-		resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
-		if err != nil {
-			return nil
-		}
-		defer resp.Body.Close()
-		actualBytes, err := io.ReadAll(resp.Body)
-		if err != nil {
-			return nil
-		}
-		var actual any
-		err = json.Unmarshal(actualBytes, &actual)
-		if err != nil {
-			return nil
-		}
-		return actual
+	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.adminPort))
+	if err != nil {
+		return err
 	}
-
-	for retries := 10; retries > 0; retries-- {
-		if reflect.DeepEqual(expected, fetchConfig(client)) {
-			return nil
-		}
-		time.Sleep(1 * time.Second)
+	defer resp.Body.Close()
+	actualBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
 	}
-	tc.t.Errorf("POSTed configuration isn't active")
-	return errors.New("EnsureConfigRunning: POSTed configuration isn't active")
+	err = json.Unmarshal(actualBytes, receiver)
+	if err != nil {
+		return err
+	}
+	return nil
 }
 
-const initConfig = `{
-	admin localhost:2999
-}
-`
-
-// validateTestPrerequisites ensures the certificates are available in the
-// designated path and Caddy sub-process is running.
-func validateTestPrerequisites(t testing.TB) error {
-	// check certificates are found
-	for _, certName := range Default.Certificates {
-		if _, err := os.Stat(getIntegrationDir() + certName); errors.Is(err, fs.ErrNotExist) {
-			return fmt.Errorf("caddy integration test certificates (%s) not found", certName)
-		}
+func getFreePort() (int, error) {
+	lr, err := net.Listen("tcp", "localhost:0")
+	if err != nil {
+		return 0, err
 	}
+	port := strings.Split(lr.Addr().String(), ":")
+	if len(port) < 2 {
+		return 0, fmt.Errorf("no port available")
+	}
+	i, err := strconv.Atoi(port[1])
+	if err != nil {
+		return 0, err
+	}
+	err = lr.Close()
+	if err != nil {
+		return 0, fmt.Errorf("failed to close listener: %w", err)
+	}
+	return i, nil
+}
 
-	if isCaddyAdminRunning() != nil {
-		// setup the init config file, and set the cleanup afterwards
+// launches caddy, and then ensures the Caddy sub-process is running.
+func (tc *Tester) startServer() error {
+	if tc.isCaddyAdminRunning() == nil {
+		return fmt.Errorf("caddy test admin port still in use")
+	}
+	a, err := getFreePort()
+	if err != nil {
+		return fmt.Errorf("could not find a open port to listen on: %w", err)
+	}
+	tc.adminPort = a
+	tc.portOne, err = getFreePort()
+	if err != nil {
+		return fmt.Errorf("could not find a open portOne: %w", err)
+	}
+	tc.portTwo, err = getFreePort()
+	if err != nil {
+		return fmt.Errorf("could not find a open portOne: %w", err)
+	}
+	// setup the init config file, and set the cleanup afterwards
+	{
 		f, err := os.CreateTemp("", "")
 		if err != nil {
 			return err
 		}
-		t.Cleanup(func() {
-			os.Remove(f.Name())
-		})
+		tc.configFileName = f.Name()
+
+		initConfig := fmt.Sprintf(`{
+	admin localhost:%d
+}`, a)
 		if _, err := f.WriteString(initConfig); err != nil {
 			return err
 		}
+	}
 
-		// start inprocess caddy server
-		os.Args = []string{"caddy", "run", "--config", f.Name(), "--adapter", "caddyfile"}
-		go func() {
-			caddycmd.Main()
-		}()
-
-		// wait for caddy to start serving the initial config
-		for retries := 10; retries > 0 && isCaddyAdminRunning() != nil; retries-- {
-			time.Sleep(1 * time.Second)
-		}
+	// start inprocess caddy server
+	go func() {
+		_ = caddycmd.MainForTesting("run", "--config", tc.configFileName, "--adapter", "caddyfile")
+	}()
+	// wait for caddy admin api to start. it should happen quickly.
+	for retries := 10; retries > 0 && tc.isCaddyAdminRunning() != nil; retries-- {
+		time.Sleep(100 * time.Millisecond)
 	}
 
 	// one more time to return the error
-	return isCaddyAdminRunning()
+	return tc.isCaddyAdminRunning()
 }
 
-func isCaddyAdminRunning() error {
+func (tc *Tester) isCaddyAdminRunning() error {
 	// assert that caddy is running
 	client := &http.Client{
 		Timeout: Default.LoadRequestTimeout,
 	}
-	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", Default.AdminPort))
+	resp, err := client.Get(fmt.Sprintf("http://localhost:%d/config/", tc.adminPort))
 	if err != nil {
-		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", Default.AdminPort)
+		return fmt.Errorf("caddy integration test caddy server not running. Expected to be listening on localhost:%d", tc.adminPort)
 	}
 	resp.Body.Close()
 
 	return nil
 }
 
-func getIntegrationDir() string {
-	_, filename, _, ok := runtime.Caller(1)
-	if !ok {
-		panic("unable to determine the current file path")
-	}
-
-	return path.Dir(filename)
-}
-
-// use the convention to replace /[certificatename].[crt|key] with the full path
-// this helps reduce the noise in test configurations and also allow this
-// to run in any path
-func prependCaddyFilePath(rawConfig string) string {
-	r := matchKey.ReplaceAllString(rawConfig, getIntegrationDir()+"$1")
-	r = matchCert.ReplaceAllString(r, getIntegrationDir()+"$1")
-	return r
-}
-
 // CreateTestingTransport creates a testing transport that forces call dialing connections to happen locally
 func CreateTestingTransport() *http.Transport {
 	dialer := net.Dialer{
@@ -338,231 +326,3 @@ func CreateTestingTransport() *http.Transport {
 		TLSClientConfig:       &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
 	}
 }
-
-// AssertLoadError will load a config and expect an error
-func AssertLoadError(t *testing.T, rawConfig string, configType string, expectedError string) {
-	tc := NewTester(t)
-
-	err := tc.initServer(rawConfig, configType)
-	if !strings.Contains(err.Error(), expectedError) {
-		t.Errorf("expected error \"%s\" but got \"%s\"", expectedError, err.Error())
-	}
-}
-
-// AssertRedirect makes a request and asserts the redirection happens
-func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, expectedStatusCode int) *http.Response {
-	redirectPolicyFunc := func(req *http.Request, via []*http.Request) error {
-		return http.ErrUseLastResponse
-	}
-
-	// using the existing client, we override the check redirect policy for this test
-	old := tc.Client.CheckRedirect
-	tc.Client.CheckRedirect = redirectPolicyFunc
-	defer func() { tc.Client.CheckRedirect = old }()
-
-	resp, err := tc.Client.Get(requestURI)
-	if err != nil {
-		tc.t.Errorf("failed to call server %s", err)
-		return nil
-	}
-
-	if expectedStatusCode != resp.StatusCode {
-		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", requestURI, expectedStatusCode, resp.StatusCode)
-	}
-
-	loc, err := resp.Location()
-	if err != nil {
-		tc.t.Errorf("requesting \"%s\" expected location: \"%s\" but got error: %s", requestURI, expectedToLocation, err)
-	}
-	if loc == nil && expectedToLocation != "" {
-		tc.t.Errorf("requesting \"%s\" expected a Location header, but didn't get one", requestURI)
-	}
-	if loc != nil {
-		if expectedToLocation != loc.String() {
-			tc.t.Errorf("requesting \"%s\" expected location: \"%s\" but got \"%s\"", requestURI, expectedToLocation, loc.String())
-		}
-	}
-
-	return resp
-}
-
-// CompareAdapt adapts a config and then compares it against an expected result
-func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
-	cfgAdapter := caddyconfig.GetAdapter(adapterName)
-	if cfgAdapter == nil {
-		t.Logf("unrecognized config adapter '%s'", adapterName)
-		return false
-	}
-
-	options := make(map[string]any)
-
-	result, warnings, err := cfgAdapter.Adapt([]byte(rawConfig), options)
-	if err != nil {
-		t.Logf("adapting config using %s adapter: %v", adapterName, err)
-		return false
-	}
-
-	// prettify results to keep tests human-manageable
-	var prettyBuf bytes.Buffer
-	err = json.Indent(&prettyBuf, result, "", "\t")
-	if err != nil {
-		return false
-	}
-	result = prettyBuf.Bytes()
-
-	if len(warnings) > 0 {
-		for _, w := range warnings {
-			t.Logf("warning: %s:%d: %s: %s", filename, w.Line, w.Directive, w.Message)
-		}
-	}
-
-	diff := difflib.Diff(
-		strings.Split(expectedResponse, "\n"),
-		strings.Split(string(result), "\n"))
-
-	// scan for failure
-	failed := false
-	for _, d := range diff {
-		if d.Delta != difflib.Common {
-			failed = true
-			break
-		}
-	}
-
-	if failed {
-		for _, d := range diff {
-			switch d.Delta {
-			case difflib.Common:
-				fmt.Printf("  %s\n", d.Payload)
-			case difflib.LeftOnly:
-				fmt.Printf(" - %s\n", d.Payload)
-			case difflib.RightOnly:
-				fmt.Printf(" + %s\n", d.Payload)
-			}
-		}
-		return false
-	}
-	return true
-}
-
-// AssertAdapt adapts a config and then tests it against an expected result
-func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
-	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
-	if !ok {
-		t.Fail()
-	}
-}
-
-// Generic request functions
-
-func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
-	requestContentType := ""
-	for _, requestHeader := range requestHeaders {
-		arr := strings.SplitAfterN(requestHeader, ":", 2)
-		k := strings.TrimRight(arr[0], ":")
-		v := strings.TrimSpace(arr[1])
-		if k == "Content-Type" {
-			requestContentType = v
-		}
-		t.Logf("Request header: %s => %s", k, v)
-		req.Header.Set(k, v)
-	}
-
-	if requestContentType == "" {
-		t.Logf("Content-Type header not provided")
-	}
-}
-
-// AssertResponseCode will execute the request and verify the status code, returns a response for additional assertions
-func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int) *http.Response {
-	resp, err := tc.Client.Do(req)
-	if err != nil {
-		tc.t.Fatalf("failed to call server %s", err)
-	}
-
-	if expectedStatusCode != resp.StatusCode {
-		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", req.URL.RequestURI(), expectedStatusCode, resp.StatusCode)
-	}
-
-	return resp
-}
-
-// AssertResponse request a URI and assert the status code and the body contains a string
-func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	resp := tc.AssertResponseCode(req, expectedStatusCode)
-
-	defer resp.Body.Close()
-	bytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		tc.t.Fatalf("unable to read the response body %s", err)
-	}
-
-	body := string(bytes)
-
-	if body != expectedBody {
-		tc.t.Errorf("requesting \"%s\" expected response body \"%s\" but got \"%s\"", req.RequestURI, expectedBody, body)
-	}
-
-	return resp, body
-}
-
-// Verb specific test functions
-
-// AssertGetResponse GET a URI and expect a statusCode and body text
-func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	req, err := http.NewRequest("GET", requestURI, nil)
-	if err != nil {
-		tc.t.Fatalf("unable to create request %s", err)
-	}
-
-	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
-}
-
-// AssertDeleteResponse request a URI and expect a statusCode and body text
-func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	req, err := http.NewRequest("DELETE", requestURI, nil)
-	if err != nil {
-		tc.t.Fatalf("unable to create request %s", err)
-	}
-
-	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
-}
-
-// AssertPostResponseBody POST to a URI and assert the response code and body
-func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	req, err := http.NewRequest("POST", requestURI, requestBody)
-	if err != nil {
-		tc.t.Errorf("failed to create request %s", err)
-		return nil, ""
-	}
-
-	applyHeaders(tc.t, req, requestHeaders)
-
-	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
-}
-
-// AssertPutResponseBody PUT to a URI and assert the response code and body
-func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	req, err := http.NewRequest("PUT", requestURI, requestBody)
-	if err != nil {
-		tc.t.Errorf("failed to create request %s", err)
-		return nil, ""
-	}
-
-	applyHeaders(tc.t, req, requestHeaders)
-
-	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
-}
-
-// AssertPatchResponseBody PATCH to a URI and assert the response code and body
-func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
-	req, err := http.NewRequest("PATCH", requestURI, requestBody)
-	if err != nil {
-		tc.t.Errorf("failed to create request %s", err)
-		return nil, ""
-	}
-
-	applyHeaders(tc.t, req, requestHeaders)
-
-	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
-}

caddytest/caddytest_assert.go

@@ -0,0 +1,116 @@
+package caddytest
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/aryann/difflib"
+	"github.com/stretchr/testify/require"
+
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+)
+
+// AssertLoadError will load a config and expect an error
+func AssertLoadError(t *testing.T, rawConfig string, configType string, expectedError string) {
+	tc, err := NewTester()
+	require.NoError(t, err)
+	err = tc.LaunchCaddy()
+	require.NoError(t, err)
+
+	err = tc.LoadConfig(rawConfig, configType)
+	if !strings.Contains(err.Error(), expectedError) {
+		t.Errorf("expected error \"%s\" but got \"%s\"", expectedError, err.Error())
+	}
+	_ = tc.CleanupCaddy()
+}
+
+// CompareAdapt adapts a config and then compares it against an expected result
+func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
+	cfgAdapter := caddyconfig.GetAdapter(adapterName)
+	if cfgAdapter == nil {
+		t.Logf("unrecognized config adapter '%s'", adapterName)
+		return false
+	}
+
+	options := make(map[string]any)
+
+	result, warnings, err := cfgAdapter.Adapt([]byte(rawConfig), options)
+	if err != nil {
+		t.Logf("adapting config using %s adapter: %v", adapterName, err)
+		return false
+	}
+
+	// prettify results to keep tests human-manageable
+	var prettyBuf bytes.Buffer
+	err = json.Indent(&prettyBuf, result, "", "\t")
+	if err != nil {
+		return false
+	}
+	result = prettyBuf.Bytes()
+
+	if len(warnings) > 0 {
+		for _, w := range warnings {
+			t.Logf("warning: %s:%d: %s: %s", filename, w.Line, w.Directive, w.Message)
+		}
+	}
+
+	diff := difflib.Diff(
+		strings.Split(expectedResponse, "\n"),
+		strings.Split(string(result), "\n"))
+
+	// scan for failure
+	failed := false
+	for _, d := range diff {
+		if d.Delta != difflib.Common {
+			failed = true
+			break
+		}
+	}
+
+	if failed {
+		for _, d := range diff {
+			switch d.Delta {
+			case difflib.Common:
+				fmt.Printf("  %s\n", d.Payload)
+			case difflib.LeftOnly:
+				fmt.Printf(" - %s\n", d.Payload)
+			case difflib.RightOnly:
+				fmt.Printf(" + %s\n", d.Payload)
+			}
+		}
+		return false
+	}
+	return true
+}
+
+// AssertAdapt adapts a config and then tests it against an expected result
+func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
+	ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
+	if !ok {
+		t.Fail()
+	}
+}
+
+// Generic request functions
+
+func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
+	requestContentType := ""
+	for _, requestHeader := range requestHeaders {
+		arr := strings.SplitAfterN(requestHeader, ":", 2)
+		k := strings.TrimRight(arr[0], ":")
+		v := strings.TrimSpace(arr[1])
+		if k == "Content-Type" {
+			requestContentType = v
+		}
+		t.Logf("Request header: %s => %s", k, v)
+		req.Header.Set(k, v)
+	}
+
+	if requestContentType == "" {
+		t.Logf("Content-Type header not provided")
+	}
+}

caddytest/caddytest_test.go

@@ -1,21 +1,22 @@
 package caddytest
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 	"testing"
 )
 
 func TestReplaceCertificatePaths(t *testing.T) {
-	rawConfig := `a.caddy.localhost:9443 {
+	rawConfig := `a.caddy.localhost:9443{
 		tls /caddy.localhost.crt /caddy.localhost.key {
 		}
 
 		redir / https://b.caddy.localhost:9443/version 301
-    
+
 		respond /version 200 {
 		  body "hello from a.caddy.localhost"
-		}	
+		}
 	  }`
 
 	r := prependCaddyFilePath(rawConfig)
@@ -34,8 +35,8 @@ func TestReplaceCertificatePaths(t *testing.T) {
 }
 
 func TestLoadUnorderedJSON(t *testing.T) {
-	tester := NewTester(t)
-	tester.InitServer(`
+	harness := StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"logging": {
 			"logs": {
@@ -68,7 +69,7 @@ func TestLoadUnorderedJSON(t *testing.T) {
 			}
 		},
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -79,12 +80,13 @@ func TestLoadUnorderedJSON(t *testing.T) {
 				}
 			},
 			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+				"https_port": {$TESTING_CADDY_PORT_TWO},
 				"servers": {
 					"s_server": {
 						"listen": [
-							":9080"
+							":{$TESTING_CADDY_PORT_ONE}",
+							":{$TESTING_CADDY_PORT_TWO}"
 						],
 						"routes": [
 							{
@@ -119,10 +121,10 @@ func TestLoadUnorderedJSON(t *testing.T) {
 		}
 	}
   `, "json")
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080/", nil)
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), nil)
 	if err != nil {
 		t.Fail()
 		return
 	}
-	tester.AssertResponseCode(req, 200)
+	harness.AssertResponseCode(req, 200)
 }

caddytest/integration/acme_test.go

@@ -24,19 +24,13 @@ const acmeChallengePort = 9081
 // Test the basic functionality of Caddy's ACME server
 func TestACMEServerWithDefaults(t *testing.T) {
 	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
-
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		local_certs
 	}
 	acme.localhost {
@@ -44,10 +38,11 @@ func TestACMEServerWithDefaults(t *testing.T) {
 	}
   `, "caddyfile")
 
+	logger := caddy.Log().Named("acmeserver")
 	client := acmez.Client{
 		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
+			Directory:  fmt.Sprintf("https://acme.localhost:%d/acme/local/directory", harness.Tester().PortTwo()),
+			HTTPClient: harness.Client(),
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
@@ -97,13 +92,13 @@ func TestACMEServerWithMismatchedChallenges(t *testing.T) {
 	ctx := context.Background()
 	logger := caddy.Log().Named("acmez")
 
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		local_certs
 	}
 	acme.localhost {
@@ -115,8 +110,8 @@ func TestACMEServerWithMismatchedChallenges(t *testing.T) {
 
 	client := acmez.Client{
 		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
+			Directory:  fmt.Sprintf("https://acme.localhost:%d/acme/local/directory", harness.Tester().PortTwo()),
+			HTTPClient: harness.Client(),
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{

caddytest/integration/acmeserver_test.go

@@ -5,50 +5,51 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"fmt"
 	"strings"
 	"testing"
 
+	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddytest"
 	"github.com/mholt/acmez/v2"
 	"github.com/mholt/acmez/v2/acme"
-	"go.uber.org/zap"
 )
 
 func TestACMEServerDirectory(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
 		local_certs
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		pki {
 			ca local {
 				name "Caddy Local Authority"
 			}
 		}
 	}
-	acme.localhost:9443 {
+	acme.localhost:{$TESTING_CADDY_PORT_TWO} {
 		acme_server
 	}
   `, "caddyfile")
-	tester.AssertGetResponse(
-		"https://acme.localhost:9443/acme/local/directory",
+	harness.AssertGetResponse(
+		fmt.Sprintf("https://acme.localhost:%d/acme/local/directory", harness.Tester().PortTwo()),
 		200,
-		`{"newNonce":"https://acme.localhost:9443/acme/local/new-nonce","newAccount":"https://acme.localhost:9443/acme/local/new-account","newOrder":"https://acme.localhost:9443/acme/local/new-order","revokeCert":"https://acme.localhost:9443/acme/local/revoke-cert","keyChange":"https://acme.localhost:9443/acme/local/key-change"}
-`)
+		fmt.Sprintf(`{"newNonce":"https://acme.localhost:%[1]d/acme/local/new-nonce","newAccount":"https://acme.localhost:%[1]d/acme/local/new-account","newOrder":"https://acme.localhost:%[1]d/acme/local/new-order","revokeCert":"https://acme.localhost:%[1]d/acme/local/revoke-cert","keyChange":"https://acme.localhost:%[1]d/acme/local/key-change"}
+`, harness.Tester().PortTwo()))
 }
 
 func TestACMEServerAllowPolicy(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
 		local_certs
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		pki {
 			ca local {
 				name "Caddy Local Authority"
@@ -66,16 +67,12 @@ func TestACMEServerAllowPolicy(t *testing.T) {
   `, "caddyfile")
 
 	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
+	logger := caddy.Log().Named("acmez")
 
 	client := acmez.Client{
 		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
+			Directory:  fmt.Sprintf("https://acme.localhost:%d/acme/local/directory", harness.Tester().PortTwo()),
+			HTTPClient: harness.Client(),
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
@@ -131,14 +128,14 @@ func TestACMEServerAllowPolicy(t *testing.T) {
 }
 
 func TestACMEServerDenyPolicy(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
 		local_certs
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		pki {
 			ca local {
 				name "Caddy Local Authority"
@@ -155,16 +152,12 @@ func TestACMEServerDenyPolicy(t *testing.T) {
   `, "caddyfile")
 
 	ctx := context.Background()
-	logger, err := zap.NewDevelopment()
-	if err != nil {
-		t.Error(err)
-		return
-	}
+	logger := caddy.Log().Named("acmez")
 
 	client := acmez.Client{
 		Client: &acme.Client{
-			Directory:  "https://acme.localhost:9443/acme/local/directory",
-			HTTPClient: tester.Client,
+			Directory:  fmt.Sprintf("https://acme.localhost:%d/acme/local/directory", harness.Tester().PortTwo()),
+			HTTPClient: harness.Client(),
 			Logger:     logger,
 		},
 		ChallengeSolvers: map[string]acmez.Solver{
@@ -197,7 +190,7 @@ func TestACMEServerDenyPolicy(t *testing.T) {
 		_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"})
 		if err == nil {
 			t.Errorf("obtaining certificate for 'deny.localhost' domain")
-		} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
+		} else if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
 			t.Logf("unexpected error: %v", err)
 		}
 	}

caddytest/integration/autohttps_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"testing"
 
@@ -8,69 +9,69 @@ import (
 )
 
 func TestAutoHTTPtoHTTPSRedirectsImplicitPort(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
+		admin {$TESTING_CADDY_ADMIN_BIND}
 		skip_install_trust
-		http_port     9080
-		https_port    9443
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 	}
 	localhost
 	respond "Yahaha! You found me!"
   `, "caddyfile")
 
-	tester.AssertRedirect("http://localhost:9080/", "https://localhost/", http.StatusPermanentRedirect)
+	harness.AssertRedirect(fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), "https://localhost/", http.StatusPermanentRedirect)
 }
 
 func TestAutoHTTPtoHTTPSRedirectsExplicitPortSameAsHTTPSPort(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 	}
-	localhost:9443
+	localhost:{$TESTING_CADDY_PORT_TWO}
 	respond "Yahaha! You found me!"
   `, "caddyfile")
 
-	tester.AssertRedirect("http://localhost:9080/", "https://localhost/", http.StatusPermanentRedirect)
+	harness.AssertRedirect(fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), "https://localhost/", http.StatusPermanentRedirect)
 }
 
 func TestAutoHTTPtoHTTPSRedirectsExplicitPortDifferentFromHTTPSPort(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 	}
 	localhost:1234
 	respond "Yahaha! You found me!"
   `, "caddyfile")
 
-	tester.AssertRedirect("http://localhost:9080/", "https://localhost:1234/", http.StatusPermanentRedirect)
+	harness.AssertRedirect(fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), "https://localhost:1234/", http.StatusPermanentRedirect)
 }
 
 func TestAutoHTTPRedirectsWithHTTPListenerFirstInAddresses(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 {
   "admin": {
-	"listen": "localhost:2999"
+	"listen": "{$TESTING_CADDY_ADMIN_BIND}"
   },
   "apps": {
     "http": {
-      "http_port": 9080,
-      "https_port": 9443,
+      "http_port": {$TESTING_CADDY_PORT_ONE},
+      "https_port": {$TESTING_CADDY_PORT_TWO},
       "servers": {
         "ingress_server": {
           "listen": [
-            ":9080",
-            ":9443"
+            ":{$TESTING_CADDY_PORT_ONE}",
+            ":{$TESTING_CADDY_PORT_TWO}"
           ],
           "routes": [
             {
@@ -94,52 +95,52 @@ func TestAutoHTTPRedirectsWithHTTPListenerFirstInAddresses(t *testing.T) {
   }
 }
 `, "json")
-	tester.AssertRedirect("http://localhost:9080/", "https://localhost/", http.StatusPermanentRedirect)
+	harness.AssertRedirect(fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), "https://localhost/", http.StatusPermanentRedirect)
 }
 
 func TestAutoHTTPRedirectsInsertedBeforeUserDefinedCatchAll(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		local_certs
 	}
-	http://:9080 {
+	http://:{$TESTING_CADDY_PORT_ONE} {
 		respond "Foo"
 	}
-	http://baz.localhost:9080 {
+	http://baz.localhost:{$TESTING_CADDY_PORT_ONE} {
 		respond "Baz"
 	}
 	bar.localhost {
 		respond "Bar"
 	}
   `, "caddyfile")
-	tester.AssertRedirect("http://bar.localhost:9080/", "https://bar.localhost/", http.StatusPermanentRedirect)
-	tester.AssertGetResponse("http://foo.localhost:9080/", 200, "Foo")
-	tester.AssertGetResponse("http://baz.localhost:9080/", 200, "Baz")
+	harness.AssertRedirect(fmt.Sprintf("http://bar.localhost:%d/", harness.Tester().PortOne()), "https://bar.localhost/", http.StatusPermanentRedirect)
+	harness.AssertGetResponse(fmt.Sprintf("http://foo.localhost:%d/", harness.Tester().PortOne()), 200, "Foo")
+	harness.AssertGetResponse(fmt.Sprintf("http://baz.localhost:%d/", harness.Tester().PortOne()), 200, "Baz")
 }
 
 func TestAutoHTTPRedirectsInsertedBeforeUserDefinedCatchAllWithNoExplicitHTTPSite(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		local_certs
 	}
-	http://:9080 {
+	http://:{$TESTING_CADDY_PORT_ONE} {
 		respond "Foo"
 	}
 	bar.localhost {
 		respond "Bar"
 	}
   `, "caddyfile")
-	tester.AssertRedirect("http://bar.localhost:9080/", "https://bar.localhost/", http.StatusPermanentRedirect)
-	tester.AssertGetResponse("http://foo.localhost:9080/", 200, "Foo")
-	tester.AssertGetResponse("http://baz.localhost:9080/", 200, "Foo")
+	harness.AssertRedirect(fmt.Sprintf("http://bar.localhost:%d/", harness.Tester().PortOne()), "https://bar.localhost/", http.StatusPermanentRedirect)
+	harness.AssertGetResponse(fmt.Sprintf("http://foo.localhost:%d/", harness.Tester().PortOne()), 200, "Foo")
+	harness.AssertGetResponse(fmt.Sprintf("http://baz.localhost:%d/", harness.Tester().PortOne()), 200, "Foo")
 }

caddytest/integration/caddyfile_adapt/acme_server_sign_with_root.caddyfiletest

@@ -5,15 +5,15 @@
 			root_cn "Internal Root Cert"
 			intermediate_cn "Internal Intermediate Cert"
 		}
-	}
+    }
 }
+
 acme.example.com {
 	acme_server {
 		ca internal
 		sign_with_root
 	}
 }
-
 ----------
 {
 	"apps": {

caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest

@@ -1,109 +0,0 @@
-{
-	auto_https prefer_wildcard
-}
-
-*.example.com {
-	tls {
-		dns mock
-	}
-	respond "fallback"
-}
-
-foo.example.com {
-	respond "foo"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"skip_certificates": [
-							"foo.example.com"
-						],
-						"prefer_wildcard": true
-					}
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"*.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest

@@ -1,268 +0,0 @@
-{
-	auto_https prefer_wildcard
-}
-
-# Covers two domains
-*.one.example.com {
-	tls {
-		dns mock
-	}
-	respond "one fallback"
-}
-
-# Is covered, should not get its own AP
-foo.one.example.com {
-	respond "foo one"
-}
-
-# This one has its own tls config so it doesn't get covered (escape hatch)
-bar.one.example.com {
-	respond "bar one"
-	tls bar@bar.com
-}
-
-# Covers nothing but AP gets consolidated with the first
-*.two.example.com {
-	tls {
-		dns mock
-	}
-	respond "two fallback"
-}
-
-# Is HTTP so it should not cover
-http://*.three.example.com {
-	respond "three fallback"
-}
-
-# Has no wildcard coverage so it gets an AP
-foo.three.example.com {
-	respond "foo three"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"foo.three.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo three",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"foo.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "foo one",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"bar.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "bar one",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.one.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "one fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						},
-						{
-							"match": [
-								{
-									"host": [
-										"*.two.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "two fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"skip_certificates": [
-							"foo.one.example.com",
-							"bar.one.example.com"
-						],
-						"prefer_wildcard": true
-					}
-				},
-				"srv1": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"*.three.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "three fallback",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"prefer_wildcard": true
-					}
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"foo.three.example.com"
-						]
-					},
-					{
-						"subjects": [
-							"bar.one.example.com"
-						],
-						"issuers": [
-							{
-								"email": "bar@bar.com",
-								"module": "acme"
-							},
-							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
-								"email": "bar@bar.com",
-								"module": "acme"
-							}
-						]
-					},
-					{
-						"subjects": [
-							"*.one.example.com",
-							"*.two.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/bind_fd_fdgram_h123.caddyfiletest

@@ -1,142 +0,0 @@
-{
-	auto_https disable_redirects
-	admin off
-}
-
-http://localhost {
-	bind fd/{env.CADDY_HTTP_FD} {
-		protocols h1
-	}
-	log
-	respond "Hello, HTTP!"
-}
-
-https://localhost {
-	bind fd/{env.CADDY_HTTPS_FD} {
-		protocols h1 h2
-	}
-	bind fdgram/{env.CADDY_HTTP3_FD} {
-		protocols h3
-	}
-	log
-	respond "Hello, HTTPS!"
-}
-----------
-{
-	"admin": {
-		"disabled": true
-	},
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						"fd/{env.CADDY_HTTPS_FD}",
-						"fdgram/{env.CADDY_HTTP3_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTPS!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1",
-							"h2"
-						],
-						[
-							"h3"
-						]
-					]
-				},
-				"srv1": {
-					"automatic_https": {
-						"disable_redirects": true
-					}
-				},
-				"srv2": {
-					"listen": [
-						"fd/{env.CADDY_HTTP_FD}"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"localhost"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"body": "Hello, HTTP!",
-													"handler": "static_response"
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					],
-					"automatic_https": {
-						"disable_redirects": true,
-						"skip": [
-							"localhost"
-						]
-					},
-					"logs": {
-						"logger_names": {
-							"localhost": [
-								""
-							]
-						}
-					},
-					"listen_protocols": [
-						[
-							"h1"
-						]
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/file_server_file_limit.caddyfiletest

@@ -1,36 +0,0 @@
-:80
-
-file_server {
-	browse {
-		file_limit 4000
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"browse": {
-										"file_limit": 4000
-									},
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/file_server_sort.caddyfiletest

@@ -1,39 +0,0 @@
-:80
-
-file_server {
-	browse {
-		sort size desc
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"browse": {
-										"sort": [
-											"size",
-											"desc"
-										]
-									},
-									"handler": "file_server",
-									"hide": [
-										"./Caddyfile"
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/forward_auth_authelia.caddyfiletest

@@ -1,6 +1,6 @@
 app.example.com {
 	forward_auth authelia:9091 {
-		uri /api/authz/forward-auth
+		uri /api/verify?rd=https://authelia.example.com
 		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
 	}
 
@@ -39,13 +39,6 @@ app.example.com {
 																]
 															},
 															"routes": [
-																{
-																	"handle": [
-																		{
-																			"handler": "vars"
-																		}
-																	]
-																},
 																{
 																	"handle": [
 																		{
@@ -54,104 +47,19 @@ app.example.com {
 																				"set": {
 																					"Remote-Email": [
 																						"{http.reverse_proxy.header.Remote-Email}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Email}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-Groups": [
 																						"{http.reverse_proxy.header.Remote-Groups}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Groups}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-Name": [
 																						"{http.reverse_proxy.header.Remote-Name}"
-																					]
-																				}
-																			}
-																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-Name}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
-																	]
-																},
-																{
-																	"handle": [
-																		{
-																			"handler": "headers",
-																			"request": {
-																				"set": {
+																					],
 																					"Remote-User": [
 																						"{http.reverse_proxy.header.Remote-User}"
 																					]
 																				}
 																			}
 																		}
-																	],
-																	"match": [
-																		{
-																			"not": [
-																				{
-																					"vars": {
-																						"{http.reverse_proxy.header.Remote-User}": [
-																							""
-																						]
-																					}
-																				}
-																			]
-																		}
 																	]
 																}
 															]
@@ -172,7 +80,7 @@ app.example.com {
 													},
 													"rewrite": {
 														"method": "GET",
-														"uri": "/api/authz/forward-auth"
+														"uri": "/api/verify?rd=https://authelia.example.com"
 													},
 													"upstreams": [
 														{

caddytest/integration/caddyfile_adapt/forward_auth_rename_headers.caddyfiletest

@@ -28,13 +28,6 @@ forward_auth localhost:9000 {
 												]
 											},
 											"routes": [
-												{
-													"handle": [
-														{
-															"handler": "vars"
-														}
-													]
-												},
 												{
 													"handle": [
 														{
@@ -43,131 +36,22 @@ forward_auth localhost:9000 {
 																"set": {
 																	"1": [
 																		"{http.reverse_proxy.header.A}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.A}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
-																	"B": [
-																		"{http.reverse_proxy.header.B}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.B}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
+																	],
 																	"3": [
 																		"{http.reverse_proxy.header.C}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.C}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
+																	],
+																	"5": [
+																		"{http.reverse_proxy.header.E}"
+																	],
+																	"B": [
+																		"{http.reverse_proxy.header.B}"
+																	],
 																	"D": [
 																		"{http.reverse_proxy.header.D}"
 																	]
 																}
 															}
 														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.D}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
-													]
-												},
-												{
-													"handle": [
-														{
-															"handler": "headers",
-															"request": {
-																"set": {
-																	"5": [
-																		"{http.reverse_proxy.header.E}"
-																	]
-																}
-															}
-														}
-													],
-													"match": [
-														{
-															"not": [
-																{
-																	"vars": {
-																		"{http.reverse_proxy.header.E}": [
-																			""
-																		]
-																	}
-																}
-															]
-														}
 													]
 												}
 											]

caddytest/integration/caddyfile_adapt/global_options.caddyfiletest

@@ -9,8 +9,6 @@
 	storage file_system {
 		root /data
 	}
-	storage_check off
-	storage_clean_interval off
 	acme_ca https://example.com
 	acme_ca_root /path/to/ca.crt
 	ocsp_stapling off
@@ -19,6 +17,8 @@
 	admin off
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	local_certs
 	key_type ed25519
@@ -72,12 +72,14 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				}
 			},
-			"disable_ocsp_stapling": true,
-			"disable_storage_check": true,
-			"disable_storage_clean": true
+			"disable_ocsp_stapling": true
 		}
 	}
 }

caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest

@@ -17,6 +17,8 @@
 	admin off
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	storage_clean_interval 7d
 	renew_interval 1d
@@ -87,6 +89,10 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				},
 				"ocsp_interval": 172800000000000,

caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest

@@ -16,6 +16,8 @@
 	}
 	on_demand_tls {
 		ask https://example.com
+		interval 30s
+		burst 20
 	}
 	local_certs
 	key_type ed25519
@@ -72,6 +74,10 @@
 					"permission": {
 						"endpoint": "https://example.com",
 						"module": "http"
+					},
+					"rate_limit": {
+						"interval": 30000000000,
+						"burst": 20
 					}
 				}
 			}

caddytest/integration/caddyfile_adapt/heredoc.caddyfiletest

@@ -1,12 +1,11 @@
 example.com {
-	respond <<EOF
+    respond <<EOF
     <html>
       <head><title>Foo</title>
       <body>Foo</body>
     </html>
     EOF 200
 }
-
 ----------
 {
 	"apps": {

caddytest/integration/caddyfile_adapt/map_and_vars_with_raw_types.caddyfiletest

@@ -1,23 +1,23 @@
 example.com
 
-map {host} {my_placeholder} {magic_number} {
+map {host}             {my_placeholder}  {magic_number} {
 	# Should output boolean "true" and an integer
-	example.com true 3
+	example.com        true              3
 
 	# Should output a string and null
-	foo.example.com "string value"
+	foo.example.com    "string value"
 
 	# Should output two strings (quoted int)
-	(.*)\.example.com "${1} subdomain" "5"
+	(.*)\.example.com  "${1} subdomain"  "5"
 
 	# Should output null and a string (quoted int)
-	~.*\.net$ - `7`
+	~.*\.net$          -                 `7`
 
 	# Should output a float and the string "false"
-	~.*\.xyz$ 123.456 "false"
+	~.*\.xyz$          123.456           "false"
 
 	# Should output two strings, second being escaped quote
-	default "unknown domain" \"""
+	default            "unknown domain"  \"""
 }
 
 vars foo bar
@@ -27,7 +27,6 @@ vars {
 	ghi 2.3
 	jkl "mn op"
 }
-
 ----------
 {
 	"apps": {

caddytest/integration/caddyfile_adapt/metrics_merge_options.caddyfiletest

@@ -1,39 +0,0 @@
-{
-	metrics
-	servers :80 {
-		metrics {
-			per_host
-		}
-	}
-}
-:80 {
-	respond "Hello"
-}
-
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"body": "Hello",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			},
-			"metrics": {
-				"per_host": true
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/metrics_perhost.caddyfiletest

@@ -1,37 +0,0 @@
-{
-	servers :80 {
-		metrics {
-			per_host
-		}
-	}
-}
-:80 {
-	respond "Hello"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":80"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"body": "Hello",
-									"handler": "static_response"
-								}
-							]
-						}
-					]
-				}
-			},
-			"metrics": {
-				"per_host": true
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_health_method.caddyfiletest

@@ -1,40 +0,0 @@
-:8884
-
-reverse_proxy 127.0.0.1:65535 {
-	health_uri /health
-	health_method HEAD
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"health_checks": {
-										"active": {
-											"method": "HEAD",
-											"uri": "/health"
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_health_reqbody.caddyfiletest

@@ -1,40 +0,0 @@
-:8884
-
-reverse_proxy 127.0.0.1:65535 {
-	health_uri /health
-	health_request_body "test body"
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":8884"
-					],
-					"routes": [
-						{
-							"handle": [
-								{
-									"handler": "reverse_proxy",
-									"health_checks": {
-										"active": {
-											"body": "test body",
-											"uri": "/health"
-										}
-									},
-									"upstreams": [
-										{
-											"dial": "127.0.0.1:65535"
-										}
-									]
-								}
-							]
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/reverse_proxy_localaddr.caddyfiletest

@@ -1,57 +0,0 @@
-https://example.com {
-	reverse_proxy http://localhost:54321 {
-		transport http {
-			local_address 192.168.0.1
-		}
-	}
-}
-
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"handle": [
-												{
-													"handler": "reverse_proxy",
-													"transport": {
-														"local_address": "192.168.0.1",
-														"protocol": "http"
-													},
-													"upstreams": [
-														{
-															"dial": "localhost:54321"
-														}
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_adapt/wildcard_pattern.caddyfiletest

@@ -1,157 +0,0 @@
-*.example.com {
-	tls foo@example.com {
-		dns mock
-	}
-
-	@foo host foo.example.com
-	handle @foo {
-		respond "Foo!"
-	}
-
-	@bar host bar.example.com
-	handle @bar {
-		respond "Bar!"
-	}
-
-	# Fallback for otherwise unhandled domains
-	handle {
-		abort
-	}
-}
-----------
-{
-	"apps": {
-		"http": {
-			"servers": {
-				"srv0": {
-					"listen": [
-						":443"
-					],
-					"routes": [
-						{
-							"match": [
-								{
-									"host": [
-										"*.example.com"
-									]
-								}
-							],
-							"handle": [
-								{
-									"handler": "subroute",
-									"routes": [
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"body": "Foo!",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											],
-											"match": [
-												{
-													"host": [
-														"foo.example.com"
-													]
-												}
-											]
-										},
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"body": "Bar!",
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											],
-											"match": [
-												{
-													"host": [
-														"bar.example.com"
-													]
-												}
-											]
-										},
-										{
-											"group": "group3",
-											"handle": [
-												{
-													"handler": "subroute",
-													"routes": [
-														{
-															"handle": [
-																{
-																	"abort": true,
-																	"handler": "static_response"
-																}
-															]
-														}
-													]
-												}
-											]
-										}
-									]
-								}
-							],
-							"terminal": true
-						}
-					]
-				}
-			}
-		},
-		"tls": {
-			"automation": {
-				"policies": [
-					{
-						"subjects": [
-							"*.example.com"
-						],
-						"issuers": [
-							{
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"email": "foo@example.com",
-								"module": "acme"
-							},
-							{
-								"ca": "https://acme.zerossl.com/v2/DV90",
-								"challenges": {
-									"dns": {
-										"provider": {
-											"name": "mock"
-										}
-									}
-								},
-								"email": "foo@example.com",
-								"module": "acme"
-							}
-						]
-					}
-				]
-			}
-		}
-	}
-}

caddytest/integration/caddyfile_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
 	"testing"
@@ -10,62 +11,63 @@ import (
 
 func TestRespond(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
   {
-    admin localhost:2999
-    http_port     9080
-    https_port    9443
+    admin {$TESTING_CADDY_ADMIN_BIND}
+    http_port     {$TESTING_CADDY_PORT_ONE}
+    https_port    {$TESTING_CADDY_PORT_TWO}
     grace_period  1ns
   }
-  
-  localhost:9080 {
+
+  localhost:{$TESTING_CADDY_PORT_ONE} {
     respond /version 200 {
       body "hello from localhost"
-    }	
+    }
     }
   `, "caddyfile")
 
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/version", 200, "hello from localhost")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne()), 200, "hello from localhost")
 }
 
 func TestRedirect(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
   {
-    admin localhost:2999
-    http_port     9080
-    https_port    9443
+    admin {$TESTING_CADDY_ADMIN_BIND}
+    http_port     {$TESTING_CADDY_PORT_ONE}
+    https_port    {$TESTING_CADDY_PORT_TWO}
     grace_period  1ns
   }
-  
-  localhost:9080 {
-    
-    redir / http://localhost:9080/hello 301
-    
+
+  localhost:{$TESTING_CADDY_PORT_ONE} {
+
+    redir / http://localhost:{$TESTING_CADDY_PORT_ONE}/hello 301
+
     respond /hello 200 {
       body "hello from localhost"
-    }	
+    }
     }
   `, "caddyfile")
 
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
 	// act and assert
-	tester.AssertRedirect("http://localhost:9080/", "http://localhost:9080/hello", 301)
+	harness.AssertRedirect(target, target+"hello", 301)
 
 	// follow redirect
-	tester.AssertGetResponse("http://localhost:9080/", 200, "hello from localhost")
+	harness.AssertGetResponse(target, 200, "hello from localhost")
 }
 
 func TestDuplicateHosts(t *testing.T) {
 	// act and assert
 	caddytest.AssertLoadError(t,
 		`
-    localhost:9080 {
+    localhost:{$TESTING_CADDY_PORT_ONE} {
     }
-  
-    localhost:9080 { 
+
+    localhost:{$TESTING_CADDY_PORT_ONE} {
     }
     `,
 		"caddyfile",
@@ -80,18 +82,18 @@ func TestReadCookie(t *testing.T) {
 	}
 
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.Client.Jar.SetCookies(localhost, []*http.Cookie{&cookie})
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.Client().Jar.SetCookies(localhost, []*http.Cookie{&cookie})
+	harness.LoadConfig(`
   {
     skip_install_trust
-    admin localhost:2999
-    http_port     9080
-    https_port    9443
+    admin {$TESTING_CADDY_ADMIN_BIND}
+    http_port     {$TESTING_CADDY_PORT_ONE}
+    https_port    {$TESTING_CADDY_PORT_TWO}
     grace_period  1ns
   }
-  
-  localhost:9080 {
+
+  localhost:{$TESTING_CADDY_PORT_ONE} {
     templates {
       root testdata
     }
@@ -102,21 +104,22 @@ func TestReadCookie(t *testing.T) {
   `, "caddyfile")
 
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/cookie.html", 200, "<h2>Cookie.ClientName caddytest</h2>")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"cookie.html", 200, "<h2>Cookie.ClientName caddytest</h2>")
 }
 
 func TestReplIndex(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
   {
     skip_install_trust
-    admin localhost:2999
-    http_port     9080
-    https_port    9443
+    admin {$TESTING_CADDY_ADMIN_BIND}
+    http_port     {$TESTING_CADDY_PORT_ONE}
+    https_port    {$TESTING_CADDY_PORT_TWO}
     grace_period  1ns
   }
 
-  localhost:9080 {
+  localhost:{$TESTING_CADDY_PORT_ONE} {
     templates {
       root testdata
     }
@@ -128,7 +131,8 @@ func TestReplIndex(t *testing.T) {
   `, "caddyfile")
 
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/", 200, "")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target, 200, "")
 }
 
 func TestInvalidPrefix(t *testing.T) {
@@ -481,40 +485,42 @@ func TestValidPrefix(t *testing.T) {
 }
 
 func TestUriReplace(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri replace "\}" %7D
 	uri replace "\{" %7B
-	
+
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?test={%20content%20}", 200, "test=%7B%20content%20%7D")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?test={%20content%20}", 200, "test=%7B%20content%20%7D")
 }
 
 func TestUriOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri query +foo bar
 	uri query -baz
 	uri query taz test
 	uri query key=value example
 	uri query changethis>changed
-	
+
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar0&baz=buz&taz=nottest&changethis=val", 200, "changed=val&foo=bar0&foo=bar&key%3Dvalue=example&taz=test")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar0&baz=buz&taz=nottest&changethis=val", 200, "changed=val&foo=bar0&foo=bar&key%3Dvalue=example&taz=test")
 }
 
 // Tests the `http.request.local.port` placeholder.
@@ -523,204 +529,215 @@ func TestUriOps(t *testing.T) {
 // refer to 127.0.0.1 or ::1.
 // TODO: Test each http version separately (especially http/3)
 func TestHttpRequestLocalPortPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	respond "{http.request.local.port}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/", 200, "9080")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target, 200, fmt.Sprintf("%d", harness.Tester().PortOne()))
 }
 
 func TestSetThenAddQueryParams(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri query foo bar
 	uri query +foo baz
-	
+
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint", 200, "foo=bar&foo=baz")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint", 200, "foo=bar&foo=baz")
 }
 
 func TestSetThenDeleteParams(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri query bar foo{query.foo}
 	uri query -foo
-	
+
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "bar=foobar")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar", 200, "bar=foobar")
 }
 
 func TestRenameAndOtherOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri query foo>bar
 	uri query bar taz
 	uri query +bar baz
-	
+
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "bar=taz&bar=baz")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar", 200, "bar=taz&bar=baz")
 }
 
 func TestReplaceOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query foo bar baz	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query foo bar baz
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=baz")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar", 200, "foo=baz")
 }
 
 func TestReplaceWithReplacementPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query foo bar {query.placeholder}	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query foo bar {query.placeholder}
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
-
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?placeholder=baz&foo=bar", 200, "foo=baz&placeholder=baz")
 }
 
 func TestReplaceWithKeyPlaceholder(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query {query.placeholder} bar baz	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query {query.placeholder} bar baz
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?placeholder=foo&foo=bar", 200, "foo=baz&placeholder=foo")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?placeholder=foo&foo=bar", 200, "foo=baz&placeholder=foo")
 }
 
 func TestPartialReplacement(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query foo ar az	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query foo ar az
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=baz")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar", 200, "foo=baz")
 }
 
 func TestNonExistingSearch(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query foo var baz	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query foo var baz
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar", 200, "foo=bar")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar", 200, "foo=bar")
 }
 
 func TestReplaceAllOps(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
-	uri query * bar baz	
+	:{$TESTING_CADDY_PORT_ONE}
+	uri query * bar baz
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar&baz=bar", 200, "baz=baz&foo=baz")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar&baz=bar", 200, "baz=baz&foo=baz")
 }
 
 func TestUriOpsBlock(t *testing.T) {
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 
-	tester.InitServer(`
+	harness.LoadConfig(`
 	{
-		admin localhost:2999
-		http_port     9080
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	:9080
+	:{$TESTING_CADDY_PORT_ONE}
 	uri query {
 		+foo bar
 		-baz
 		taz test
-	} 
+	}
 	respond "{query}"`, "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/endpoint?foo=bar0&baz=buz&taz=nottest", 200, "foo=bar0&foo=bar&taz=test")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"endpoint?foo=bar0&baz=buz&taz=nottest", 200, "foo=bar0&foo=bar&taz=test")
 }
 
 func TestHandleErrorSimpleCodes(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
-		admin localhost:2999
-		http_port     9080
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	localhost:9080 {
+	localhost:{$TESTING_CADDY_PORT_ONE} {
 		root * /srv
 		error /private* "Unauthorized" 410
 		error /hidden* "Not found" 404
-	
+
 		handle_errors 404 410 {
 			respond "404 or 410 error"
 		}
 	}`, "caddyfile")
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/private", 410, "404 or 410 error")
-	tester.AssertGetResponse("http://localhost:9080/hidden", 404, "404 or 410 error")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"private", 410, "404 or 410 error")
+	harness.AssertGetResponse(target+"hidden", 404, "404 or 410 error")
 }
 
 func TestHandleErrorRange(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
-		admin localhost:2999
-		http_port     9080
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	localhost:9080 {
+	localhost:{$TESTING_CADDY_PORT_ONE} {
 		root * /srv
 		error /private* "Unauthorized" 410
 		error /hidden* "Not found" 404
@@ -730,17 +747,18 @@ func TestHandleErrorRange(t *testing.T) {
 		}
 	}`, "caddyfile")
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/private", 410, "Error in the [400 .. 499] range")
-	tester.AssertGetResponse("http://localhost:9080/hidden", 404, "Error in the [400 .. 499] range")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"private", 410, "Error in the [400 .. 499] range")
+	harness.AssertGetResponse(target+"hidden", 404, "Error in the [400 .. 499] range")
 }
 
 func TestHandleErrorSort(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
-		admin localhost:2999
-		http_port     9080
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	localhost:9080 {
+	localhost:{$TESTING_CADDY_PORT_ONE} {
 		root * /srv
 		error /private* "Unauthorized" 410
 		error /hidden* "Not found" 404
@@ -754,17 +772,18 @@ func TestHandleErrorSort(t *testing.T) {
 		}
 	}`, "caddyfile")
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/internalerr", 500, "Fallback route: code outside the [400..499] range")
-	tester.AssertGetResponse("http://localhost:9080/hidden", 404, "Error in the [400 .. 499] range")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"internalerr", 500, "Fallback route: code outside the [400..499] range")
+	harness.AssertGetResponse(target+"hidden", 404, "Error in the [400 .. 499] range")
 }
 
 func TestHandleErrorRangeAndCodes(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
-		admin localhost:2999
-		http_port     9080
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
 	}
-	localhost:9080 {
+	localhost:{$TESTING_CADDY_PORT_ONE} {
 		root * /srv
 		error /private* "Unauthorized" 410
 		error /threehundred* "Moved Permanently" 301
@@ -778,9 +797,10 @@ func TestHandleErrorRangeAndCodes(t *testing.T) {
 		}
 	}`, "caddyfile")
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/internalerr", 500, "Error code is equal to 500 or in the [300..399] range")
-	tester.AssertGetResponse("http://localhost:9080/threehundred", 301, "Error code is equal to 500 or in the [300..399] range")
-	tester.AssertGetResponse("http://localhost:9080/private", 410, "Error in the [400 .. 499] range")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target+"internalerr", 500, "Error code is equal to 500 or in the [300..399] range")
+	harness.AssertGetResponse(target+"threehundred", 301, "Error code is equal to 500 or in the [300..399] range")
+	harness.AssertGetResponse(target+"private", 410, "Error in the [400 .. 499] range")
 }
 
 func TestInvalidSiteAddressesAsDirectives(t *testing.T) {

caddytest/integration/handler_test.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"bytes"
+	"fmt"
 	"net/http"
 	"testing"
 
@@ -9,36 +10,36 @@ import (
 )
 
 func TestBrowse(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period  1ns
 	}
-	http://localhost:9080 {
+	http://localhost:{$TESTING_CADDY_PORT_ONE} {
 		file_server browse
 	}
   `, "caddyfile")
 
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080/", nil)
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), nil)
 	if err != nil {
 		t.Fail()
 		return
 	}
-	tester.AssertResponseCode(req, 200)
+	harness.AssertResponseCode(req, 200)
 }
 
 func TestRespondWithJSON(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period  1ns
 	}
 	localhost {
@@ -46,7 +47,7 @@ func TestRespondWithJSON(t *testing.T) {
 	}
   `, "caddyfile")
 
-	res, _ := tester.AssertPostResponseBody("https://localhost:9443/",
+	res, _ := harness.AssertPostResponseBody(fmt.Sprintf("https://localhost:%d/", harness.Tester().PortTwo()),
 		nil,
 		bytes.NewBufferString(`{
 		"greeting": "Hello, world!"

caddytest/integration/intercept_test.go

@@ -1,40 +1,35 @@
 package integration
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
 func TestIntercept(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
 			skip_install_trust
-			admin localhost:2999
-			http_port     9080
-			https_port    9443
+			admin {$TESTING_CADDY_ADMIN_BIND}
+			http_port     {$TESTING_CADDY_PORT_ONE}
+			https_port    {$TESTING_CADDY_PORT_TWO}
 			grace_period  1ns
 		}
-	
-		localhost:9080 {
+
+		localhost:{$TESTING_CADDY_PORT_ONE} {
 			respond /intercept "I'm a teapot" 408
-			header /intercept To-Intercept ok
 			respond /no-intercept "I'm not a teapot"
 
 			intercept {
 				@teapot status 408
 				handle_response @teapot {
-					header /intercept intercepted {resp.header.To-Intercept}
 					respond /intercept "I'm a combined coffee/tea pot that is temporarily out of coffee" 503
 				}
-			}	
+			}
 		}
 		`, "caddyfile")
 
-	r, _ := tester.AssertGetResponse("http://localhost:9080/intercept", 503, "I'm a combined coffee/tea pot that is temporarily out of coffee")
-	if r.Header.Get("intercepted") != "ok" {
-		t.Fatalf(`header "intercepted" value is not "ok": %s`, r.Header.Get("intercepted"))
-	}
-
-	tester.AssertGetResponse("http://localhost:9080/no-intercept", 200, "I'm not a teapot")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/intercept", harness.Tester().PortOne()), 503, "I'm a combined coffee/tea pot that is temporarily out of coffee")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/no-intercept", harness.Tester().PortOne()), 200, "I'm not a teapot")
 }

caddytest/integration/leafcertloaders_test.go

@@ -7,21 +7,21 @@ import (
 )
 
 func TestLeafCertLoaders(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"http": {
-				"http_port": 9080,
-       			"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+       			"https_port": {$TESTING_CADDY_PORT_TWO},
 				"grace_period": 1,
 				"servers": {
 					"srv0": {
 						"listen": [
-							":9443"
+							":{$TESTING_CADDY_PORT_TWO}"
 						],
 						"routes": [
 							{

caddytest/integration/listener_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/caddyserver/caddy/v2/caddytest"
 )
 
-func setupListenerWrapperTest(t *testing.T, handlerFunc http.HandlerFunc) *caddytest.Tester {
+func setupListenerWrapperTest(t *testing.T, handlerFunc http.HandlerFunc) *caddytest.TestHarness {
 	l, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("failed to listen: %s", err)
@@ -28,15 +28,15 @@ func setupListenerWrapperTest(t *testing.T, handlerFunc http.HandlerFunc) *caddy
 		_ = srv.Close()
 		_ = l.Close()
 	})
-	tester := caddytest.NewTester(t)
-	tester.InitServer(fmt.Sprintf(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(fmt.Sprintf(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		local_certs
-		servers :9443 {
+		servers :{$TESTING_CADDY_PORT_TWO} {
 			listener_wrappers {
 				http_redirect
 				tls
@@ -47,7 +47,7 @@ func setupListenerWrapperTest(t *testing.T, handlerFunc http.HandlerFunc) *caddy
 		reverse_proxy %s
 	}
   `, l.Addr().String()), "caddyfile")
-	return tester
+	return harness
 }
 
 func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
@@ -56,7 +56,7 @@ func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
 	body := make([]byte, uploadSize)
 	rand.New(rand.NewSource(0)).Read(body)
 
-	tester := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
+	harness := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
 		buf := new(bytes.Buffer)
 		_, err := buf.ReadFrom(request.Body)
 		if err != nil {
@@ -69,7 +69,7 @@ func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
 
 		writer.WriteHeader(http.StatusNoContent)
 	})
-	resp, err := tester.Client.Post("https://localhost:9443", "application/octet-stream", bytes.NewReader(body))
+	resp, err := harness.Client().Post(fmt.Sprintf("https://localhost:%d", harness.Tester().PortTwo()), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatalf("failed to post: %s", err)
 	}
@@ -80,14 +80,14 @@ func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
 }
 
 func TestLargeHttpRequest(t *testing.T) {
-	tester := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
+	harness := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
 		t.Fatal("not supposed to handle a request")
 	})
 
 	// We never read the body in any way, set an extra long header instead.
-	req, _ := http.NewRequest("POST", "http://localhost:9443", nil)
+	req, _ := http.NewRequest("POST", fmt.Sprintf("http://localhost:%d", harness.Tester().PortTwo()), nil)
 	req.Header.Set("Long-Header", strings.Repeat("X", 1024*1024))
-	_, err := tester.Client.Do(req)
+	_, err := harness.Client().Do(req)
 	if err == nil {
 		t.Fatal("not supposed to succeed")
 	}

caddytest/integration/map_test.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"bytes"
+	"fmt"
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
@@ -9,16 +10,16 @@ import (
 
 func TestMap(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period  1ns
 	}
 
-	localhost:9080 {
+	localhost:{$TESTING_CADDY_PORT_ONE} {
 
 		map {http.request.method} {dest-1} {dest-2} {
 			default unknown1    unknown2
@@ -28,50 +29,50 @@ func TestMap(t *testing.T) {
 
 		respond /version 200 {
 			body "hello from localhost {dest-1} {dest-2}"
-		}	
+		}
 	}
 	`, "caddyfile")
 
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/version", 200, "hello from localhost GET-called unknown2")
-	tester.AssertPostResponseBody("http://localhost:9080/version", []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost post-called foobar")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne()), 200, "hello from localhost GET-called unknown2")
+	harness.AssertPostResponseBody(fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne()), []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost post-called foobar")
 }
 
 func TestMapRespondWithDefault(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		}
-		
-		localhost:9080 {
-	
+
+		localhost:{$TESTING_CADDY_PORT_ONE} {
+
 			map {http.request.method} {dest-name} {
 				default unknown
 				GET     get-called
 			}
-		
+
 			respond /version 200 {
 				body "hello from localhost {dest-name}"
-			}	
+			}
 		}
 	`, "caddyfile")
 
 	// act and assert
-	tester.AssertGetResponse("http://localhost:9080/version", 200, "hello from localhost get-called")
-	tester.AssertPostResponseBody("http://localhost:9080/version", []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost unknown")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne()), 200, "hello from localhost get-called")
+	harness.AssertPostResponseBody(fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne()), []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost unknown")
 }
 
 func TestMapAsJSON(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -82,12 +83,12 @@ func TestMapAsJSON(t *testing.T) {
 				}
 			},
 			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+				"https_port": {$TESTING_CADDY_PORT_TWO},
 				"servers": {
 					"srv0": {
 						"listen": [
-							":9080"
+							":{$TESTING_CADDY_PORT_ONE}"
 						],
 						"routes": [
 							{
@@ -145,7 +146,7 @@ func TestMapAsJSON(t *testing.T) {
 			}
 		}
 	}`, "json")
-
-	tester.AssertGetResponse("http://localhost:9080/version", 200, "hello from localhost get-called")
-	tester.AssertPostResponseBody("http://localhost:9080/version", []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost post-called")
+	target := fmt.Sprintf("http://localhost:%d/version", harness.Tester().PortOne())
+	harness.AssertGetResponse(target, 200, "hello from localhost get-called")
+	harness.AssertPostResponseBody(target, []string{}, bytes.NewBuffer([]byte{}), 200, "hello from localhost post-called")
 }

caddytest/integration/mockdns_test.go

@@ -1,61 +0,0 @@
-package integration
-
-import (
-	"context"
-
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/certmagic"
-	"github.com/libdns/libdns"
-)
-
-func init() {
-	caddy.RegisterModule(MockDNSProvider{})
-}
-
-// MockDNSProvider is a mock DNS provider, for testing config with DNS modules.
-type MockDNSProvider struct{}
-
-// CaddyModule returns the Caddy module information.
-func (MockDNSProvider) CaddyModule() caddy.ModuleInfo {
-	return caddy.ModuleInfo{
-		ID:  "dns.providers.mock",
-		New: func() caddy.Module { return new(MockDNSProvider) },
-	}
-}
-
-// Provision sets up the module.
-func (MockDNSProvider) Provision(ctx caddy.Context) error {
-	return nil
-}
-
-// UnmarshalCaddyfile sets up the module from Caddyfile tokens.
-func (MockDNSProvider) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
-	return nil
-}
-
-// AppendRecords appends DNS records to the zone.
-func (MockDNSProvider) AppendRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// DeleteRecords deletes DNS records from the zone.
-func (MockDNSProvider) DeleteRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// GetRecords gets DNS records from the zone.
-func (MockDNSProvider) GetRecords(ctx context.Context, zone string) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// SetRecords sets DNS records in the zone.
-func (MockDNSProvider) SetRecords(ctx context.Context, zone string, recs []libdns.Record) ([]libdns.Record, error) {
-	return nil, nil
-}
-
-// Interface guard
-var _ caddyfile.Unmarshaler = (*MockDNSProvider)(nil)
-var _ certmagic.DNSProvider = (*MockDNSProvider)(nil)
-var _ caddy.Provisioner = (*MockDNSProvider)(nil)
-var _ caddy.Module = (*MockDNSProvider)(nil)

caddytest/integration/reverseproxy_test.go

@@ -14,11 +14,11 @@ import (
 )
 
 func TestSRVReverseProxy(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -87,11 +87,11 @@ func TestDialWithPlaceholderUnix(t *testing.T) {
 	})
 	runtime.Gosched() // Allow other goroutines to run
 
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -135,15 +135,15 @@ func TestDialWithPlaceholderUnix(t *testing.T) {
 		return
 	}
 	req.Header.Set("X-Caddy-Upstream-Dial", socketName)
-	tester.AssertResponse(req, 200, "Hello, World!")
+	harness.AssertResponse(req, 200, "Hello, World!")
 }
 
 func TestReverseProxyWithPlaceholderDialAddress(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -186,7 +186,7 @@ func TestReverseProxyWithPlaceholderDialAddress(t *testing.T) {
 					},
 					"srv1": {
 						"listen": [
-							":9080"
+							":{$TESTING_CADDY_PORT_ONE}"
 						],
 						"routes": [
 							{
@@ -199,7 +199,7 @@ func TestReverseProxyWithPlaceholderDialAddress(t *testing.T) {
 								],
 								"handle": [
 									{
-	
+
 										"handler": "reverse_proxy",
 										"upstreams": [
 											{
@@ -223,21 +223,21 @@ func TestReverseProxyWithPlaceholderDialAddress(t *testing.T) {
 	}
 	`, "json")
 
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080", nil)
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://localhost:%d", harness.Tester().PortOne()), nil)
 	if err != nil {
 		t.Fail()
 		return
 	}
 	req.Header.Set("X-Caddy-Upstream-Dial", "localhost:18080")
-	tester.AssertResponse(req, 200, "Hello, World!")
+	harness.AssertResponse(req, 200, "Hello, World!")
 }
 
 func TestReverseProxyWithPlaceholderTCPDialAddress(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"pki": {
@@ -280,7 +280,7 @@ func TestReverseProxyWithPlaceholderTCPDialAddress(t *testing.T) {
 					},
 					"srv1": {
 						"listen": [
-							":9080"
+							":{$TESTING_CADDY_PORT_ONE}"
 						],
 						"routes": [
 							{
@@ -293,7 +293,7 @@ func TestReverseProxyWithPlaceholderTCPDialAddress(t *testing.T) {
 								],
 								"handle": [
 									{
-	
+
 										"handler": "reverse_proxy",
 										"upstreams": [
 											{
@@ -317,23 +317,23 @@ func TestReverseProxyWithPlaceholderTCPDialAddress(t *testing.T) {
 	}
 	`, "json")
 
-	req, err := http.NewRequest(http.MethodGet, "http://localhost:9080", nil)
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://localhost:%d", harness.Tester().PortOne()), nil)
 	if err != nil {
 		t.Fail()
 		return
 	}
 	req.Header.Set("X-Caddy-Upstream-Dial", "localhost")
-	tester.AssertResponse(req, 200, "Hello, World!")
+	harness.AssertResponse(req, 200, "Hello, World!")
 }
 
 func TestReverseProxyHealthCheck(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period 1ns
 	}
 	http://localhost:2020 {
@@ -342,10 +342,10 @@ func TestReverseProxyHealthCheck(t *testing.T) {
 	http://localhost:2021 {
 		respond "ok"
 	}
-	http://localhost:9080 {
+	http://localhost:{$TESTING_CADDY_PORT_ONE} {
 		reverse_proxy {
 			to localhost:2020
-	
+
 			health_uri /health
 			health_port 2021
 			health_interval 10ms
@@ -357,14 +357,15 @@ func TestReverseProxyHealthCheck(t *testing.T) {
 	`, "caddyfile")
 
 	time.Sleep(100 * time.Millisecond) // TODO: for some reason this test seems particularly flaky, getting 503 when it should be 200, unless we wait
-	tester.AssertGetResponse("http://localhost:9080/", 200, "Hello, World!")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target, 200, "Hello, World!")
 }
 
 func TestReverseProxyHealthCheckUnixSocket(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.SkipNow()
 	}
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 	f, err := os.CreateTemp("", "*.sock")
 	if err != nil {
 		t.Errorf("failed to create TempFile: %s", err)
@@ -395,18 +396,18 @@ func TestReverseProxyHealthCheckUnixSocket(t *testing.T) {
 	})
 	runtime.Gosched() // Allow other goroutines to run
 
-	tester.InitServer(fmt.Sprintf(`
+	harness.LoadConfig(fmt.Sprintf(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period 1ns
 	}
-	http://localhost:9080 {
+	http://localhost:{$TESTING_CADDY_PORT_ONE} {
 		reverse_proxy {
 			to unix/%s
-	
+
 			health_uri /health
 			health_port 2021
 			health_interval 2s
@@ -415,14 +416,15 @@ func TestReverseProxyHealthCheckUnixSocket(t *testing.T) {
 	}
 	`, socketName), "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/", 200, "Hello, World!")
+	target := fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne())
+	harness.AssertGetResponse(target, 200, "Hello, World!")
 }
 
 func TestReverseProxyHealthCheckUnixSocketWithoutPort(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.SkipNow()
 	}
-	tester := caddytest.NewTester(t)
+	harness := caddytest.StartHarness(t)
 	f, err := os.CreateTemp("", "*.sock")
 	if err != nil {
 		t.Errorf("failed to create TempFile: %s", err)
@@ -453,18 +455,18 @@ func TestReverseProxyHealthCheckUnixSocketWithoutPort(t *testing.T) {
 	})
 	runtime.Gosched() // Allow other goroutines to run
 
-	tester.InitServer(fmt.Sprintf(`
+	harness.LoadConfig(fmt.Sprintf(`
 	{
 		skip_install_trust
-		admin localhost:2999
-		http_port     9080
-		https_port    9443
+		admin {$TESTING_CADDY_ADMIN_BIND}
+		http_port     {$TESTING_CADDY_PORT_ONE}
+		https_port    {$TESTING_CADDY_PORT_TWO}
 		grace_period 1ns
 	}
-	http://localhost:9080 {
+	http://localhost:{$TESTING_CADDY_PORT_ONE} {
 		reverse_proxy {
 			to unix/%s
-	
+
 			health_uri /health
 			health_interval 2s
 			health_timeout 5s
@@ -472,5 +474,5 @@ func TestReverseProxyHealthCheckUnixSocketWithoutPort(t *testing.T) {
 	}
 	`, socketName), "caddyfile")
 
-	tester.AssertGetResponse("http://localhost:9080/", 200, "Hello, World!")
+	harness.AssertGetResponse(fmt.Sprintf("http://localhost:%d/", harness.Tester().PortOne()), 200, "Hello, World!")
 }

caddytest/integration/sni_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/caddyserver/caddy/v2/caddytest"
@@ -8,20 +9,20 @@ import (
 
 func TestDefaultSNI(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(`{
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+				"https_port": {$TESTING_CADDY_PORT_TWO},
 				"grace_period": 1,
 				"servers": {
 					"srv0": {
 						"listen": [
-							":9443"
+							":{$TESTING_CADDY_PORT_TWO}"
 						],
 						"routes": [
 							{
@@ -102,26 +103,27 @@ func TestDefaultSNI(t *testing.T) {
 
 	// act and assert
 	// makes a request with no sni
-	tester.AssertGetResponse("https://127.0.0.1:9443/version", 200, "hello from a.caddy.localhost")
+	target := fmt.Sprintf("https://127.0.0.1:%d/", harness.Tester().PortTwo())
+	harness.AssertGetResponse(target+"version", 200, "hello from a.caddy.localhost")
 }
 
 func TestDefaultSNIWithNamedHostAndExplicitIP(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+				"https_port": {$TESTING_CADDY_PORT_TWO},
 				"grace_period": 1,
 				"servers": {
 					"srv0": {
 						"listen": [
-							":9443"
+							":{$TESTING_CADDY_PORT_TWO}"
 						],
 						"routes": [
 							{
@@ -206,26 +208,27 @@ func TestDefaultSNIWithNamedHostAndExplicitIP(t *testing.T) {
 
 	// act and assert
 	// makes a request with no sni
-	tester.AssertGetResponse("https://127.0.0.1:9443/version", 200, "hello from a")
+	target := fmt.Sprintf("https://127.0.0.1:%d/", harness.Tester().PortTwo())
+	harness.AssertGetResponse(target+"version", 200, "hello from a")
 }
 
 func TestDefaultSNIWithPortMappingOnly(t *testing.T) {
 	// arrange
-	tester := caddytest.NewTester(t)
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 	{
 		"admin": {
-			"listen": "localhost:2999"
+			"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 		},
 		"apps": {
 			"http": {
-				"http_port": 9080,
-				"https_port": 9443,
+				"http_port": {$TESTING_CADDY_PORT_ONE},
+				"https_port": {$TESTING_CADDY_PORT_TWO},
 				"grace_period": 1,
 				"servers": {
 					"srv0": {
 						"listen": [
-							":9443"
+							":{$TESTING_CADDY_PORT_TWO}"
 						],
 						"routes": [
 							{
@@ -282,7 +285,8 @@ func TestDefaultSNIWithPortMappingOnly(t *testing.T) {
 
 	// act and assert
 	// makes a request with no sni
-	tester.AssertGetResponse("https://127.0.0.1:9443/version", 200, "hello from a.caddy.localhost")
+	target := fmt.Sprintf("https://127.0.0.1:%d/", harness.Tester().PortTwo())
+	harness.AssertGetResponse(target+"version", 200, "hello from a.caddy.localhost")
 }
 
 func TestHttpOnlyOnDomainWithSNI(t *testing.T) {

caddytest/integration/stream_test.go

@@ -20,21 +20,21 @@ import (
 
 // (see https://github.com/caddyserver/caddy/issues/3556 for use case)
 func TestH2ToH2CStream(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
   {
 	"admin": {
-		"listen": "localhost:2999"
+		"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 	},
     "apps": {
       "http": {
-        "http_port": 9080,
-        "https_port": 9443,
-		"grace_period": 1,
+        "http_port": {$TESTING_CADDY_PORT_ONE},
+        "https_port": {$TESTING_CADDY_PORT_TWO},
+				"grace_period": 1,
         "servers": {
           "srv0": {
             "listen": [
-              ":9443"
+              ":{$TESTING_CADDY_PORT_TWO}"
             ],
             "routes": [
               {
@@ -102,7 +102,7 @@ func TestH2ToH2CStream(t *testing.T) {
 
 	expectedBody := "some data to be echoed"
 	// start the server
-	server := testH2ToH2CStreamServeH2C(t)
+	server := testH2ToH2CStreamServeH2C(harness, t)
 	go server.ListenAndServe()
 	defer func() {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Nanosecond)
@@ -116,7 +116,7 @@ func TestH2ToH2CStream(t *testing.T) {
 		Body:   io.NopCloser(r),
 		URL: &url.URL{
 			Scheme: "https",
-			Host:   "127.0.0.1:9443",
+			Host:   fmt.Sprintf("127.0.0.1:%d", harness.Tester().PortTwo()),
 			Path:   "/tov2ray",
 		},
 		Proto:      "HTTP/2",
@@ -127,7 +127,7 @@ func TestH2ToH2CStream(t *testing.T) {
 	// Disable any compression method from server.
 	req.Header.Set("Accept-Encoding", "identity")
 
-	resp := tester.AssertResponseCode(req, http.StatusOK)
+	resp := harness.AssertResponseCode(req, http.StatusOK)
 	if resp.StatusCode != http.StatusOK {
 		return
 	}
@@ -149,7 +149,7 @@ func TestH2ToH2CStream(t *testing.T) {
 	}
 }
 
-func testH2ToH2CStreamServeH2C(t *testing.T) *http.Server {
+func testH2ToH2CStreamServeH2C(harness *caddytest.TestHarness, t *testing.T) *http.Server {
 	h2s := &http2.Server{}
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		rstring, err := httputil.DumpRequest(r, false)
@@ -163,7 +163,7 @@ func testH2ToH2CStreamServeH2C(t *testing.T) *http.Server {
 			return
 		}
 
-		if r.Host != "127.0.0.1:9443" {
+		if r.Host != fmt.Sprintf("127.0.0.1:%d", harness.Tester().PortTwo()) {
 			t.Errorf("r.Host doesn't match, %v!", r.Host)
 			w.WriteHeader(http.StatusNotFound)
 			return
@@ -204,28 +204,21 @@ func testH2ToH2CStreamServeH2C(t *testing.T) *http.Server {
 
 // (see https://github.com/caddyserver/caddy/issues/3606 for use case)
 func TestH2ToH1ChunkedResponse(t *testing.T) {
-	tester := caddytest.NewTester(t)
-	tester.InitServer(` 
+	harness := caddytest.StartHarness(t)
+	harness.LoadConfig(`
 {
 	"admin": {
-		"listen": "localhost:2999"
+		"listen": "{$TESTING_CADDY_ADMIN_BIND}"
 	},
-  "logging": {
-    "logs": {
-      "default": {
-        "level": "DEBUG"
-      }
-    }
-  },
   "apps": {
     "http": {
-      "http_port": 9080,
-      "https_port": 9443,
-	  "grace_period": 1,
+      "http_port": {$TESTING_CADDY_PORT_ONE},
+      "https_port": {$TESTING_CADDY_PORT_TWO},
+	  	"grace_period": 1,
       "servers": {
         "srv0": {
           "listen": [
-            ":9443"
+            ":{$TESTING_CADDY_PORT_TWO}"
           ],
           "routes": [
             {
@@ -312,7 +305,7 @@ func TestH2ToH1ChunkedResponse(t *testing.T) {
 	}
 
 	// start the server
-	server := testH2ToH1ChunkedResponseServeH1(t)
+	server := testH2ToH1ChunkedResponseServeH1(harness, t)
 	go server.ListenAndServe()
 	defer func() {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Nanosecond)
@@ -326,7 +319,7 @@ func TestH2ToH1ChunkedResponse(t *testing.T) {
 		Body:   io.NopCloser(r),
 		URL: &url.URL{
 			Scheme: "https",
-			Host:   "127.0.0.1:9443",
+			Host:   fmt.Sprintf("127.0.0.1:%d", harness.Tester().PortTwo()),
 			Path:   "/tov2ray",
 		},
 		Proto:      "HTTP/2",
@@ -340,7 +333,7 @@ func TestH2ToH1ChunkedResponse(t *testing.T) {
 		fmt.Fprint(w, expectedBody)
 		w.Close()
 	}()
-	resp := tester.AssertResponseCode(req, http.StatusOK)
+	resp := harness.AssertResponseCode(req, http.StatusOK)
 	if resp.StatusCode != http.StatusOK {
 		return
 	}
@@ -358,9 +351,9 @@ func TestH2ToH1ChunkedResponse(t *testing.T) {
 	}
 }
 
-func testH2ToH1ChunkedResponseServeH1(t *testing.T) *http.Server {
+func testH2ToH1ChunkedResponseServeH1(harness *caddytest.TestHarness, t *testing.T) *http.Server {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Host != "127.0.0.1:9443" {
+		if r.Host != fmt.Sprintf("127.0.0.1:%d", harness.Tester().PortTwo()) {
 			t.Errorf("r.Host doesn't match, %v!", r.Host)
 			w.WriteHeader(http.StatusNotFound)
 			return

caddytest/integration/testdata/foo_with_multiple_trailing_newlines.txt

@@ -1,2 +0,0 @@
-foo
-

caddytest/integration/testdata/foo_with_trailing_newline.txt

@@ -1 +0,0 @@
-foo

caddytest/testing_harness.go

@@ -0,0 +1,241 @@
+package caddytest
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+	"regexp"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// use the convention to replace /[certificatename].[crt|key] with the full path
+// this helps reduce the noise in test configurations and also allow this
+// to run in any path
+func prependCaddyFilePath(rawConfig string) string {
+	r := matchKey.ReplaceAllString(rawConfig, getIntegrationDir()+"$1")
+	r = matchCert.ReplaceAllString(r, getIntegrationDir()+"$1")
+	return r
+}
+
+func getIntegrationDir() string {
+	_, filename, _, ok := runtime.Caller(1)
+	if !ok {
+		panic("unable to determine the current file path")
+	}
+
+	return path.Dir(filename)
+}
+
+var (
+	matchKey  = regexp.MustCompile(`(/[\w\d\.]+\.key)`)
+	matchCert = regexp.MustCompile(`(/[\w\d\.]+\.crt)`)
+)
+
+type TestHarness struct {
+	t testing.TB
+
+	tester *Tester
+}
+
+// StartHarness creates and starts a test harness environment which spans the lifetime a single caddy instance
+// This is used for the integration tests
+func StartHarness(t *testing.T) *TestHarness {
+	if testing.Short() {
+		t.SkipNow()
+		return nil
+	}
+	o := &TestHarness{t: t}
+	o.init()
+	return o
+}
+
+func (tc *TestHarness) Tester() *Tester {
+	return tc.tester
+}
+
+func (tc *TestHarness) Client() *http.Client {
+	return tc.tester.Client
+}
+
+func (tc *TestHarness) LoadConfig(rawConfig, configType string) {
+	rawConfig = prependCaddyFilePath(rawConfig)
+	err := tc.tester.LoadConfig(rawConfig, configType)
+	require.NoError(tc.t, err)
+}
+
+func (tc *TestHarness) init() {
+	// start the server
+	tester, err := NewTester()
+	if err != nil {
+		tc.t.Errorf("Failed to create caddy tester: %s", err)
+		return
+	}
+	tc.tester = tester
+	err = tc.tester.LaunchCaddy()
+	if err != nil {
+		tc.t.Errorf("Failed to launch caddy server: %s", err)
+		tc.t.FailNow()
+		return
+	}
+	// cleanup
+	tc.t.Cleanup(func() {
+		func() {
+			if tc.t.Failed() {
+				res, err := http.Get(fmt.Sprintf("http://localhost:%d/config/", tc.tester.adminPort))
+				if err != nil {
+					tc.t.Log("unable to read the current config")
+					return
+				}
+				defer res.Body.Close()
+				body, _ := io.ReadAll(res.Body)
+
+				var out bytes.Buffer
+				_ = json.Indent(&out, body, "", "  ")
+				tc.t.Logf("----------- failed with config -----------\n%s", out.String())
+			}
+		}()
+		// shutdown server after extracing the config
+		err = tc.tester.CleanupCaddy()
+		if err != nil {
+			tc.t.Errorf("failed to clean up caddy instance: %s", err)
+			tc.t.FailNow()
+		}
+	})
+}
+
+// AssertRedirect makes a request and asserts the redirection happens
+func (tc *TestHarness) AssertRedirect(requestURI string, expectedToLocation string, expectedStatusCode int) *http.Response {
+	redirectPolicyFunc := func(req *http.Request, via []*http.Request) error {
+		return http.ErrUseLastResponse
+	}
+
+	// using the existing client, we override the check redirect policy for this test
+	old := tc.tester.Client.CheckRedirect
+	tc.tester.Client.CheckRedirect = redirectPolicyFunc
+	defer func() { tc.tester.Client.CheckRedirect = old }()
+
+	resp, err := tc.tester.Client.Get(requestURI)
+	if err != nil {
+		tc.t.Errorf("failed to call server %s", err)
+		return nil
+	}
+
+	if expectedStatusCode != resp.StatusCode {
+		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", requestURI, expectedStatusCode, resp.StatusCode)
+	}
+
+	loc, err := resp.Location()
+	if err != nil {
+		tc.t.Errorf("requesting \"%s\" expected location: \"%s\" but got error: %s", requestURI, expectedToLocation, err)
+	}
+	if loc == nil && expectedToLocation != "" {
+		tc.t.Errorf("requesting \"%s\" expected a Location header, but didn't get one", requestURI)
+	}
+	if loc != nil {
+		if expectedToLocation != loc.String() {
+			tc.t.Errorf("requesting \"%s\" expected location: \"%s\" but got \"%s\"", requestURI, expectedToLocation, loc.String())
+		}
+	}
+
+	return resp
+}
+
+// AssertResponseCode will execute the request and verify the status code, returns a response for additional assertions
+func (tc *TestHarness) AssertResponseCode(req *http.Request, expectedStatusCode int) *http.Response {
+	resp, err := tc.tester.Client.Do(req)
+	if err != nil {
+		tc.t.Fatalf("failed to call server %s", err)
+	}
+
+	if expectedStatusCode != resp.StatusCode {
+		tc.t.Errorf("requesting \"%s\" expected status code: %d but got %d", req.URL.RequestURI(), expectedStatusCode, resp.StatusCode)
+	}
+
+	return resp
+}
+
+// AssertResponse request a URI and assert the status code and the body contains a string
+func (tc *TestHarness) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	resp := tc.AssertResponseCode(req, expectedStatusCode)
+
+	defer resp.Body.Close()
+	bytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		tc.t.Fatalf("unable to read the response body %s", err)
+	}
+
+	body := string(bytes)
+
+	if body != expectedBody {
+		tc.t.Errorf("requesting \"%s\" expected response body \"%s\" but got \"%s\"", req.RequestURI, expectedBody, body)
+	}
+
+	return resp, body
+}
+
+// Verb specific test functions
+
+// AssertGetResponse GET a URI and expect a statusCode and body text
+func (tc *TestHarness) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	req, err := http.NewRequest("GET", requestURI, nil)
+	if err != nil {
+		tc.t.Fatalf("unable to create request %s", err)
+	}
+
+	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
+}
+
+// AssertDeleteResponse request a URI and expect a statusCode and body text
+func (tc *TestHarness) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	req, err := http.NewRequest("DELETE", requestURI, nil)
+	if err != nil {
+		tc.t.Fatalf("unable to create request %s", err)
+	}
+
+	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
+}
+
+// AssertPostResponseBody POST to a URI and assert the response code and body
+func (tc *TestHarness) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	req, err := http.NewRequest("POST", requestURI, requestBody)
+	if err != nil {
+		tc.t.Errorf("failed to create request %s", err)
+		return nil, ""
+	}
+
+	applyHeaders(tc.t, req, requestHeaders)
+
+	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
+}
+
+// AssertPutResponseBody PUT to a URI and assert the response code and body
+func (tc *TestHarness) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	req, err := http.NewRequest("PUT", requestURI, requestBody)
+	if err != nil {
+		tc.t.Errorf("failed to create request %s", err)
+		return nil, ""
+	}
+
+	applyHeaders(tc.t, req, requestHeaders)
+
+	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
+}
+
+// AssertPatchResponseBody PATCH to a URI and assert the response code and body
+func (tc *TestHarness) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
+	req, err := http.NewRequest("PATCH", requestURI, requestBody)
+	if err != nil {
+		tc.t.Errorf("failed to create request %s", err)
+		return nil, ""
+	}
+
+	applyHeaders(tc.t, req, requestHeaders)
+
+	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
+}

cmd/caddy/main.go

@@ -1,8 +1,3 @@
-// The below line is required to enable post-quantum key agreement in Go 1.23
-// by default without insisting on setting a minimum version of 1.23 in go.mod.
-// See https://github.com/caddyserver/caddy/issues/6540#issuecomment-2313094905
-//go:debug tlskyber=1
-
 // Copyright 2015 Matthew Holt and The Caddy Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");

cmd/cobra.go

@@ -8,7 +8,7 @@ import (
 	"github.com/caddyserver/caddy/v2"
 )
 
-var defaultFactory = newRootCommandFactory(func() *cobra.Command {
+var defaultFactory = NewRootCommandFactory(func() *cobra.Command {
 	return &cobra.Command{
 		Use: "caddy",
 		Long: `Caddy is an extensible server platform written in Go.
@@ -108,9 +108,9 @@ const fullDocsFooter = `Full documentation is available at:
 https://caddyserver.com/docs/command-line`
 
 func init() {
-	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.SetVersionTemplate("{{.Version}}\n")
-		rootCmd.SetHelpTemplate(rootCmd.HelpTemplate() + "\n" + fullDocsFooter + "\n")
+	defaultFactory.Use(func(cmd *cobra.Command) {
+		cmd.SetVersionTemplate("{{.Version}}\n")
+		cmd.SetHelpTemplate(cmd.HelpTemplate() + "\n" + fullDocsFooter + "\n")
 	})
 }
 

cmd/commandfactory.go

@@ -4,22 +4,22 @@ import (
 	"github.com/spf13/cobra"
 )
 
-type rootCommandFactory struct {
+type RootCommandFactory struct {
 	constructor func() *cobra.Command
 	options     []func(*cobra.Command)
 }
 
-func newRootCommandFactory(fn func() *cobra.Command) *rootCommandFactory {
-	return &rootCommandFactory{
+func NewRootCommandFactory(fn func() *cobra.Command) *RootCommandFactory {
+	return &RootCommandFactory{
 		constructor: fn,
 	}
 }
 
-func (f *rootCommandFactory) Use(fn func(cmd *cobra.Command)) {
+func (f *RootCommandFactory) Use(fn func(cmd *cobra.Command)) {
 	f.options = append(f.options, fn)
 }
 
-func (f *rootCommandFactory) Build() *cobra.Command {
+func (f *RootCommandFactory) Build() *cobra.Command {
 	o := f.constructor()
 	for _, v := range f.options {
 		v(o)

cmd/commandfuncs.go

@@ -20,6 +20,7 @@ import (
 	"crypto/rand"
 	"encoding/json"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
 	"io/fs"
@@ -74,10 +75,6 @@ func cmdStart(fl Flags) (int, error) {
 	// sure by giving it some random bytes and having it echo
 	// them back to us)
 	cmd := exec.Command(os.Args[0], "run", "--pingback", ln.Addr().String())
-	// we should be able to run caddy in relative paths
-	if errors.Is(cmd.Err, exec.ErrDot) {
-		cmd.Err = nil
-	}
 	if configFlag != "" {
 		cmd.Args = append(cmd.Args, "--config", configFlag)
 	}
@@ -261,6 +258,7 @@ func cmdRun(fl Flags) (int, error) {
 
 	// if enabled, reload config file automatically on changes
 	// (this better only be used in dev!)
+	// do not enable this during tests, it will cause leaks
 	if watchFlag {
 		go watchConfigFile(configFile, configAdapterFlag)
 	}
@@ -284,7 +282,11 @@ func cmdRun(fl Flags) (int, error) {
 		}
 	}
 
-	select {}
+	if flag.Lookup("test.v") == nil || !strings.Contains(os.Args[0], ".test") {
+		select {}
+	} else {
+		return caddy.ExitCodeSuccess, nil
+	}
 }
 
 func cmdStop(fl Flags) (int, error) {
@@ -660,8 +662,6 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
 			return nil, err
 		}
 		parsedAddr.Host = addr
-	} else if parsedAddr.IsFdNetwork() {
-		origin = "http://127.0.0.1"
 	}
 
 	// form the request
@@ -669,13 +669,13 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
 	if err != nil {
 		return nil, fmt.Errorf("making request: %v", err)
 	}
-	if parsedAddr.IsUnixNetwork() || parsedAddr.IsFdNetwork() {
+	if parsedAddr.IsUnixNetwork() {
 		// We used to conform to RFC 2616 Section 14.26 which requires
 		// an empty host header when there is no host, as is the case
-		// with unix sockets and socket fds. However, Go required a
-		// Host value so we used a hack of a space character as the host
-		// (it would see the Host was non-empty, then trim the space later).
-		// As of Go 1.20.6 (July 2023), this hack no longer works. See:
+		// with unix sockets. However, Go required a Host value so we
+		// used a hack of a space character as the host (it would see
+		// the Host was non-empty, then trim the space later). As of
+		// Go 1.20.6 (July 2023), this hack no longer works. See:
 		// https://github.com/golang/go/issues/60374
 		// See also the discussion here:
 		// https://github.com/golang/go/issues/61431
@@ -716,7 +716,7 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
 
 	// if it didn't work, let the user know
 	if resp.StatusCode >= 400 {
-		respBody, err := io.ReadAll(io.LimitReader(resp.Body, 1024*1024*2))
+		respBody, err := io.ReadAll(io.LimitReader(resp.Body, 1024*10))
 		if err != nil {
 			return nil, fmt.Errorf("HTTP %d: reading error message: %v", resp.StatusCode, err)
 		}

cmd/commands.go

@@ -409,13 +409,12 @@ latest versions. EXPERIMENTAL: May be changed or removed.
 
 	RegisterCommand(Command{
 		Name:  "add-package",
-		Usage: "<package[@version]...>",
+		Usage: "<packages...>",
 		Short: "Adds Caddy packages (EXPERIMENTAL)",
 		Long: `
 Downloads an updated Caddy binary with the specified packages (module/plugin)
-added, with an optional version specified (e.g., "package@version"). Retains
-existing packages. Returns an error if any of the specified packages are already
-included. EXPERIMENTAL: May be changed or removed.
+added. Retains existing packages. Returns an error if the any of packages are
+already included. EXPERIMENTAL: May be changed or removed.
 `,
 		CobraFunc: func(cmd *cobra.Command) {
 			cmd.Flags().BoolP("keep-backup", "k", false, "Keep the backed up binary, instead of deleting it")
@@ -439,41 +438,42 @@ EXPERIMENTAL: May be changed or removed.
 		},
 	})
 
-	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.AddCommand(caddyCmdToCobra(Command{
-			Name:  "manpage",
-			Usage: "--directory <path>",
-			Short: "Generates the manual pages for Caddy commands",
-			Long: `
+	RegisterCommand(Command{
+		Name:  "manpage",
+		Usage: "--directory <path>",
+		Short: "Generates the manual pages for Caddy commands",
+		Long: `
 Generates the manual pages for Caddy commands into the designated directory
 tagged into section 8 (System Administration).
 
 The manual page files are generated into the directory specified by the
 argument of --directory. If the directory does not exist, it will be created.
 `,
-			CobraFunc: func(cmd *cobra.Command) {
-				cmd.Flags().StringP("directory", "o", "", "The output directory where the manpages are generated")
-				cmd.RunE = WrapCommandFuncForCobra(func(fl Flags) (int, error) {
-					dir := strings.TrimSpace(fl.String("directory"))
-					if dir == "" {
-						return caddy.ExitCodeFailedQuit, fmt.Errorf("designated output directory and specified section are required")
-					}
-					if err := os.MkdirAll(dir, 0o755); err != nil {
-						return caddy.ExitCodeFailedQuit, err
-					}
-					if err := doc.GenManTree(rootCmd, &doc.GenManHeader{
-						Title:   "Caddy",
-						Section: "8", // https://en.wikipedia.org/wiki/Man_page#Manual_sections
-					}, dir); err != nil {
-						return caddy.ExitCodeFailedQuit, err
-					}
-					return caddy.ExitCodeSuccess, nil
-				})
-			},
-		}))
+		CobraFunc: func(cmd *cobra.Command) {
+			cmd.Flags().StringP("directory", "o", "", "The output directory where the manpages are generated")
+			cmd.RunE = WrapCommandFuncForCobra(func(fl Flags) (int, error) {
+				dir := strings.TrimSpace(fl.String("directory"))
+				if dir == "" {
+					return caddy.ExitCodeFailedQuit, fmt.Errorf("designated output directory and specified section are required")
+				}
+				if err := os.MkdirAll(dir, 0o755); err != nil {
+					return caddy.ExitCodeFailedQuit, err
+				}
+				ccmd := defaultFactory.Build()
+				if err := doc.GenManTree(ccmd, &doc.GenManHeader{
+					Title:   "Caddy",
+					Section: "8", // https://en.wikipedia.org/wiki/Man_page#Manual_sections
+				}, dir); err != nil {
+					return caddy.ExitCodeFailedQuit, err
+				}
+				return caddy.ExitCodeSuccess, nil
+			})
+		},
+	})
 
-		// source: https://github.com/spf13/cobra/blob/main/shell_completions.md
-		rootCmd.AddCommand(&cobra.Command{
+	// source: https://github.com/spf13/cobra/blob/main/shell_completions.md
+	defaultFactory.Use(func(ccmd *cobra.Command) {
+		ccmd.AddCommand(&cobra.Command{
 			Use:   "completion [bash|zsh|fish|powershell]",
 			Short: "Generate completion script",
 			Long: fmt.Sprintf(`To load completions:
@@ -514,7 +514,7 @@ argument of --directory. If the directory does not exist, it will be created.
 	  # To load completions for every new session, run:
 	  PS> %[1]s completion powershell > %[1]s.ps1
 	  # and source this file from your PowerShell profile.
-	`, rootCmd.Root().Name()),
+	`, defaultFactory.constructor().Name()),
 			DisableFlagsInUseLine: true,
 			ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 			Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
@@ -566,8 +566,8 @@ func RegisterCommand(cmd Command) {
 	if !commandNameRegex.MatchString(cmd.Name) {
 		panic("invalid command name")
 	}
-	defaultFactory.Use(func(rootCmd *cobra.Command) {
-		rootCmd.AddCommand(caddyCmdToCobra(cmd))
+	defaultFactory.Use(func(ccmd *cobra.Command) {
+		ccmd.AddCommand(caddyCmdToCobra(cmd))
 	})
 }
 

cmd/main.go

@@ -71,8 +71,8 @@ func Main() {
 	if err != nil {
 		caddy.Log().Warn("failed to set GOMAXPROCS", zap.Error(err))
 	}
-
-	if err := defaultFactory.Build().Execute(); err != nil {
+	rootCmd := defaultFactory.Build()
+	if err := rootCmd.Execute(); err != nil {
 		var exitError *exitError
 		if errors.As(err, &exitError) {
 			os.Exit(exitError.ExitCode)
@@ -81,6 +81,18 @@ func Main() {
 	}
 }
 
+// MainForTesting implements the main function of the caddy command, used internally for testing
+func MainForTesting(args ...string) error {
+	// create a root command for testing which will not pollute the global namespace, and does not
+	// call os.Exit().
+	rootCmd := defaultFactory.Build()
+	rootCmd.SetArgs(args)
+	if err := rootCmd.Execute(); err != nil {
+		return err
+	}
+	return nil
+}
+
 // handlePingbackConn reads from conn and ensures it matches
 // the bytes in expect, or returns an error if it doesn't.
 func handlePingbackConn(conn net.Conn, expect []byte) error {

cmd/main_test.go

@@ -235,7 +235,7 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
+			
 			name: "json is not caddyfile but not error",
 			args: args{
 				configFile:  "./Caddyfile.json",
@@ -245,7 +245,7 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
+			
 			name: "prefix of Caddyfile and ./ with any extension is Caddyfile",
 			args: args{
 				configFile:  "./Caddyfile.prd",
@@ -255,7 +255,7 @@ func Test_isCaddyfile(t *testing.T) {
 			wantErr: false,
 		},
 		{
-
+			
 			name: "prefix of Caddyfile without ./ with any extension is Caddyfile",
 			args: args{
 				configFile:  "Caddyfile.prd",

cmd/packagesfuncs.go

@@ -46,25 +46,6 @@ func cmdUpgrade(fl Flags) (int, error) {
 	return upgradeBuild(pluginPkgs, fl)
 }
 
-func splitModule(arg string) (module, version string, err error) {
-	const versionSplit = "@"
-
-	// accommodate module paths that have @ in them, but we can only tolerate that if there's also
-	// a version, otherwise we don't know if it's a version separator or part of the file path
-	lastVersionSplit := strings.LastIndex(arg, versionSplit)
-	if lastVersionSplit < 0 {
-		module = arg
-	} else {
-		module, version = arg[:lastVersionSplit], arg[lastVersionSplit+1:]
-	}
-
-	if module == "" {
-		err = fmt.Errorf("module name is required")
-	}
-
-	return
-}
-
 func cmdAddPackage(fl Flags) (int, error) {
 	if len(fl.Args()) == 0 {
 		return caddy.ExitCodeFailedStartup, fmt.Errorf("at least one package name must be specified")
@@ -79,15 +60,10 @@ func cmdAddPackage(fl Flags) (int, error) {
 	}
 
 	for _, arg := range fl.Args() {
-		module, version, err := splitModule(arg)
-		if err != nil {
-			return caddy.ExitCodeFailedStartup, fmt.Errorf("invalid module name: %v", err)
-		}
-		// only allow a version to be specified if it's different from the existing version
-		if _, ok := pluginPkgs[module]; ok && !(version != "" && pluginPkgs[module].Version != version) {
+		if _, ok := pluginPkgs[arg]; ok {
 			return caddy.ExitCodeFailedStartup, fmt.Errorf("package is already added")
 		}
-		pluginPkgs[module] = pluginPackage{Version: version, Path: module}
+		pluginPkgs[arg] = struct{}{}
 	}
 
 	return upgradeBuild(pluginPkgs, fl)
@@ -107,11 +83,7 @@ func cmdRemovePackage(fl Flags) (int, error) {
 	}
 
 	for _, arg := range fl.Args() {
-		module, _, err := splitModule(arg)
-		if err != nil {
-			return caddy.ExitCodeFailedStartup, fmt.Errorf("invalid module name: %v", err)
-		}
-		if _, ok := pluginPkgs[module]; !ok {
+		if _, ok := pluginPkgs[arg]; !ok {
 			// package does not exist
 			return caddy.ExitCodeFailedStartup, fmt.Errorf("package is not added")
 		}
@@ -121,7 +93,7 @@ func cmdRemovePackage(fl Flags) (int, error) {
 	return upgradeBuild(pluginPkgs, fl)
 }
 
-func upgradeBuild(pluginPkgs map[string]pluginPackage, fl Flags) (int, error) {
+func upgradeBuild(pluginPkgs map[string]struct{}, fl Flags) (int, error) {
 	l := caddy.Log()
 
 	thisExecPath, err := os.Executable()
@@ -148,8 +120,8 @@ func upgradeBuild(pluginPkgs map[string]pluginPackage, fl Flags) (int, error) {
 		"os":   {runtime.GOOS},
 		"arch": {runtime.GOARCH},
 	}
-	for _, pkgInfo := range pluginPkgs {
-		qs.Add("p", pkgInfo.String())
+	for pkg := range pluginPkgs {
+		qs.Add("p", pkg)
 	}
 
 	// initiate the build
@@ -304,14 +276,14 @@ func downloadBuild(qs url.Values) (*http.Response, error) {
 	return resp, nil
 }
 
-func getPluginPackages(modules []moduleInfo) (map[string]pluginPackage, error) {
-	pluginPkgs := make(map[string]pluginPackage)
+func getPluginPackages(modules []moduleInfo) (map[string]struct{}, error) {
+	pluginPkgs := make(map[string]struct{})
 	for _, mod := range modules {
 		if mod.goModule.Replace != nil {
 			return nil, fmt.Errorf("cannot auto-upgrade when Go module has been replaced: %s => %s",
 				mod.goModule.Path, mod.goModule.Replace.Path)
 		}
-		pluginPkgs[mod.goModule.Path] = pluginPackage{Version: mod.goModule.Version, Path: mod.goModule.Path}
+		pluginPkgs[mod.goModule.Path] = struct{}{}
 	}
 	return pluginPkgs, nil
 }
@@ -340,15 +312,3 @@ func writeCaddyBinary(path string, body *io.ReadCloser, fileInfo os.FileInfo) er
 }
 
 const downloadPath = "https://caddyserver.com/api/download"
-
-type pluginPackage struct {
-	Version string
-	Path    string
-}
-
-func (p pluginPackage) String() string {
-	if p.Version == "" {
-		return p.Path
-	}
-	return p.Path + "@" + p.Version
-}

context.go

@@ -23,8 +23,6 @@ import (
 	"reflect"
 
 	"github.com/caddyserver/certmagic"
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/collectors"
 	"go.uber.org/zap"
 	"go.uber.org/zap/exp/zapslog"
 
@@ -49,7 +47,6 @@ type Context struct {
 	ancestry        []Module
 	cleanupFuncs    []func()                // invoked at every config unload
 	exitFuncs       []func(context.Context) // invoked at config unload ONLY IF the process is exiting (EXPERIMENTAL)
-	metricsRegistry *prometheus.Registry
 }
 
 // NewContext provides a new context derived from the given
@@ -61,7 +58,7 @@ type Context struct {
 // modules which are loaded will be properly unloaded.
 // See standard library context package's documentation.
 func NewContext(ctx Context) (Context, context.CancelFunc) {
-	newCtx := Context{moduleInstances: make(map[string][]Module), cfg: ctx.cfg, metricsRegistry: prometheus.NewPedanticRegistry()}
+	newCtx := Context{moduleInstances: make(map[string][]Module), cfg: ctx.cfg}
 	c, cancel := context.WithCancel(ctx.Context)
 	wrappedCancel := func() {
 		cancel()
@@ -82,7 +79,6 @@ func NewContext(ctx Context) (Context, context.CancelFunc) {
 		}
 	}
 	newCtx.Context = c
-	newCtx.initMetrics()
 	return newCtx, wrappedCancel
 }
 
@@ -101,22 +97,6 @@ func (ctx *Context) Filesystems() FileSystems {
 	return ctx.cfg.filesystems
 }
 
-// Returns the active metrics registry for the context
-// EXPERIMENTAL: This API is subject to change.
-func (ctx *Context) GetMetricsRegistry() *prometheus.Registry {
-	return ctx.metricsRegistry
-}
-
-func (ctx *Context) initMetrics() {
-	ctx.metricsRegistry.MustRegister(
-		collectors.NewBuildInfoCollector(),
-		adminMetrics.requestCount,
-		adminMetrics.requestErrors,
-		globalMetrics.configSuccess,
-		globalMetrics.configSuccessTime,
-	)
-}
-
 // OnExit executes f when the process exits gracefully.
 // The function is only executed if the process is gracefully
 // shut down while this context is active.
@@ -555,8 +535,12 @@ func (ctx Context) Slogger() *slog.Logger {
 	if mod == nil {
 		return slog.New(zapslog.NewHandler(Log().Core(), nil))
 	}
-	return slog.New(zapslog.NewHandler(ctx.cfg.Logging.Logger(mod).Core(),
-		zapslog.WithName(string(mod.CaddyModule().ID)),
+
+	return slog.New(zapslog.NewHandler(
+		ctx.cfg.Logging.Logger(mod).Core(),
+		&zapslog.HandlerOptions{
+			LoggerName: string(mod.CaddyModule().ID),
+		},
 	))
 }
 

go.mod

@@ -1,96 +1,94 @@
 module github.com/caddyserver/caddy/v2
 
-go 1.22.3
+go 1.21.0
 
-toolchain go1.23.0
+toolchain go1.22.2
 
 require (
-	github.com/BurntSushi/toml v1.4.0
-	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/alecthomas/chroma/v2 v2.14.0
+	github.com/BurntSushi/toml v1.3.2
+	github.com/Masterminds/sprig/v3 v3.2.3
+	github.com/alecthomas/chroma/v2 v2.13.0
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
-	github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d
+	github.com/caddyserver/certmagic v0.21.3
 	github.com/caddyserver/zerossl v0.1.3
 	github.com/dustin/go-humanize v1.0.1
 	github.com/go-chi/chi/v5 v5.0.12
-	github.com/google/cel-go v0.21.0
+	github.com/google/cel-go v0.20.1
 	github.com/google/uuid v1.6.0
-	github.com/klauspost/compress v1.17.11
-	github.com/klauspost/cpuid/v2 v2.2.8
-	github.com/mholt/acmez/v2 v2.0.3
+	github.com/klauspost/compress v1.17.8
+	github.com/klauspost/cpuid/v2 v2.2.7
+	github.com/mholt/acmez/v2 v2.0.1
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.48.1
+	github.com/quic-go/quic-go v0.44.0
 	github.com/smallstep/certificates v0.26.1
 	github.com/smallstep/nosql v0.6.1
 	github.com/smallstep/truststore v0.13.0
-	github.com/spf13/cobra v1.8.1
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53
-	github.com/yuin/goldmark v1.7.8
+	github.com/yuin/goldmark v1.7.1
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0
 	go.opentelemetry.io/contrib/propagators/autoprop v0.42.0
-	go.opentelemetry.io/otel v1.31.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0
-	go.opentelemetry.io/otel/sdk v1.31.0
-	go.uber.org/automaxprocs v1.6.0
+	go.opentelemetry.io/otel v1.24.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
+	go.opentelemetry.io/otel/sdk v1.21.0
+	go.uber.org/automaxprocs v1.5.3
 	go.uber.org/zap v1.27.0
-	go.uber.org/zap/exp v0.3.0
-	golang.org/x/crypto v0.28.0
-	golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9
-	golang.org/x/net v0.30.0
-	golang.org/x/sync v0.8.0
-	golang.org/x/term v0.25.0
-	golang.org/x/time v0.7.0
+	go.uber.org/zap/exp v0.2.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/crypto/x509roots/fallback v0.0.0-20240507223354-67b13616a595
+	golang.org/x/net v0.25.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/term v0.20.0
+	golang.org/x/time v0.5.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	dario.cat/mergo v1.0.1 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
-	github.com/golang/glog v1.2.2 // indirect
+	github.com/golang/glog v1.2.0 // indirect
 	github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 // indirect
 	github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81 // indirect
 	github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/zeebo/blake3 v0.2.4 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/contrib/propagators/ot v1.17.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240506185236-b8a5c65736ae // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
 )
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0
+	github.com/cespare/xxhash/v2 v2.2.0
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/dgraph-io/badger v1.6.2 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
@@ -99,13 +97,14 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-kit/kit v0.13.0 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
 	github.com/jackc/pgconn v1.14.3 // indirect
@@ -115,43 +114,43 @@ require (
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/pgtype v1.14.0 // indirect
 	github.com/jackc/pgx/v4 v4.18.3 // indirect
-	github.com/libdns/libdns v0.2.2
+	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964
+	github.com/pires/go-proxyproto v0.7.0
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/slackhq/nebula v1.6.1 // indirect
-	github.com/spf13/cast v1.7.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/urfave/cli v1.22.14 // indirect
 	go.etcd.io/bbolt v1.3.9 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 // indirect
-	go.opentelemetry.io/otel/metric v1.31.0 // indirect
-	go.opentelemetry.io/otel/trace v1.31.0
-	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.step.sm/cli-utils v0.9.0 // indirect
 	go.step.sm/crypto v0.45.0
 	go.step.sm/linkedca v0.20.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/sys v0.26.0
-	golang.org/x/text v0.19.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
-	google.golang.org/grpc v1.67.1 // indirect
-	google.golang.org/protobuf v1.35.1 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sys v0.20.0
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	howett.net/plist v1.0.0 // indirect
 )

go.sum

@@ -1,56 +1,43 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.31.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.37.0/go.mod h1:TS1dMSSfndXH133OKGwekG838Om/cQT0BUHV3HcBgoo=
 cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM=
 cloud.google.com/go/auth v0.4.1 h1:Z7YNIhlWRtrnKlZke7z3GMqzvuYzdc2z98F9D1NV5Hg=
 cloud.google.com/go/auth v0.4.1/go.mod h1:QVBuVEKpCn4Zp58hzRGvL0tjRGU0YqdRTdCHM1IHnro=
 cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
 cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
-cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
-cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
-cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
+cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
 cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
 cloud.google.com/go/kms v1.16.0 h1:1yZsRPhmargZOmY+fVAh8IKiR9HzCb0U1zsxb5g2nRY=
 cloud.google.com/go/kms v1.16.0/go.mod h1:olQUXy2Xud+1GzYfiBO9N0RhjsJk5IJLU6n/ethLXVc=
 cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU=
 cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng=
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-dmitri.shuralyov.com/app/changes v0.0.0-20180602232624-0a106ad413e3/go.mod h1:Yl+fi1br7+Rr3LqpNJf1/uxUdtRUV+Tnj0o93V2B9MU=
-dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBrvjyP0v+ecvNYvCpyZgu5/xkfAUhi6wJj28eUfSU=
-dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4=
-dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
-github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
-github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
-github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
-github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
+github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/alecthomas/assert/v2 v2.7.0 h1:QtqSACNS3tF7oasA8CU6A6sXZSBDqnm7RfpLl9bZqbE=
-github.com/alecthomas/assert/v2 v2.7.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
+github.com/alecthomas/assert/v2 v2.6.0 h1:o3WJwILtexrEUk3cUVal3oiQY2tfgr/FHWiz/v2n4FU=
+github.com/alecthomas/assert/v2 v2.6.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.14.0 h1:R3+wzpnUArGcQz7fCETQBzO5n9IMNi13iIs46aU4V9E=
-github.com/alecthomas/chroma/v2 v2.14.0/go.mod h1:QolEbTfmUHIMVpBqxeDnNBj2uoeI4EbYP4i6n68SG4I=
+github.com/alecthomas/chroma/v2 v2.13.0 h1:VP72+99Fb2zEcYM0MeaWJmV+xQvz5v5cxRHd+ooU1lI=
+github.com/alecthomas/chroma/v2 v2.13.0/go.mod h1:BUGjjsD+ndS6eX37YgTchSEG+Jg9Jv1GiZs9sqPqztk=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
 github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
@@ -84,22 +71,19 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 h1:et3Ta53gotFR4ERLXXHIHl/Uuk1q
 github.com/aws/aws-sdk-go-v2/service/sts v1.28.7/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
-github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d h1:+zOduGxxC4WBAnlDf5Uf0TXbWXRqjUXkJKevDZZa79A=
-github.com/caddyserver/certmagic v0.21.5-0.20241105180249-4293198e094d/go.mod h1:swUXjQ1T9ZtMv95qj7/InJvWLXURU85r+CfG0T+ZbDE=
+github.com/caddyserver/certmagic v0.21.3 h1:pqRRry3yuB4CWBVq9+cUqu+Y6E2z8TswbhNx1AZeYm0=
+github.com/caddyserver/certmagic v0.21.3/go.mod h1:Zq6pklO9nVRl3DIFUw9gVUfXKdpc/0qwTUAQMBlfgtI=
 github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
+github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
 github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
@@ -109,19 +93,17 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -146,19 +128,11 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
-github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk=
-github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
 github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-kit/kit v0.4.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -172,8 +146,8 @@ github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KE
 github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
 github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
@@ -184,68 +158,55 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEe
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
-github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
+github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI=
-github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc=
+github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84=
+github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 h1:heyoXNxkRT155x4jTAiSv5BVSVkueifPUm+Q8LUXMRo=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745/go.mod h1:zN0wUQgV9LjwLZeFHnrAbQi8hzMVvEWePyk+MhPOk7k=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
-github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
 github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98=
 github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20231212022811-ec68065c825e h1:bwOy7hAFd0C91URzMIEBfr6BAz29yk7Qj0cy6S7DJlU=
 github.com/google/pprof v0.0.0-20231212022811-ec68065c825e/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go v2.0.0+incompatible h1:j0GKcs05QVmm7yesiZq2+9cxHkNK9YM6zKx4D2qucQU=
-github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
-github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
 github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 h1:RtRsiaGvWxcwd8y3BiRZxsylPT8hLWZ5SPcfI+3IDNk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0/go.mod h1:TzP6duP4Py2pHLVPPQp42aoYI92+PCrVotyR5e8Vqlk=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
-github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
-github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
+github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
+github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
@@ -296,16 +257,14 @@ github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
+github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
+github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
+github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -313,7 +272,6 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -326,9 +284,7 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
-github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
@@ -341,36 +297,31 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/mholt/acmez/v2 v2.0.3 h1:CgDBlEwg3QBp6s45tPQmFIBrkRIkBT4rW4orMM6p4sw=
-github.com/mholt/acmez/v2 v2.0.3/go.mod h1:pQ1ysaDeGrIMvJ9dfJMk5kJNkn7L2sb3UhyrX6Q91cw=
-github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/mholt/acmez/v2 v2.0.1 h1:3/3N0u1pLjMK4sNEAFSI+bcvzbPhRpY383sy1kLHJ6k=
+github.com/mholt/acmez/v2 v2.0.1/go.mod h1:fX4c9r5jYwMyMsC+7tkYRxHibkOTgta5DIFGoe67e1U=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
-github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
 github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
-github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
-github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964 h1:ct/vxNBgHpASQ4sT8NaBX9LtsEtluZqaUJydLG50U3E=
-github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -378,25 +329,21 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
 github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
-github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.48.1 h1:y/8xmfWI9qmGTc+lBr4jKRUWLGSlSigv847ULJ4hYXA=
-github.com/quic-go/quic-go v0.48.1/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
+github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
+github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
+github.com/quic-go/quic-go v0.44.0 h1:So5wOr7jyO4vzL2sd8/pD9Kesciv91zSk8BoFngItQ0=
+github.com/quic-go/quic-go v0.44.0/go.mod h1:z4cx/9Ny9UtGITIPzmPTXh1ULfOyWh4qGQlpnPcWmek=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@@ -408,35 +355,11 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/schollz/jsonstore v1.1.0 h1:WZBDjgezFS34CHI+myb4s8GGpir3UMpy7vWoCeO0n6E=
 github.com/schollz/jsonstore v1.1.0/go.mod h1:15c6+9guw8vDRyozGjN3FoILt0wpruJk9Pi66vjaZfg=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
+github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
-github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY=
-github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM=
-github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470/go.mod h1:2dOwnU2uBioM+SGy2aZoq1f/Sd1l9OkAeAUvjSyvgU0=
-github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
-github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
-github.com/shurcooL/gofontwoff v0.0.0-20180329035133-29b52fc0a18d/go.mod h1:05UtEgK5zq39gLST6uB0cf3NEHjETfB4Fgr3Gx5R9Vw=
-github.com/shurcooL/gopherjslib v0.0.0-20160914041154-feb6d3990c2c/go.mod h1:8d3azKNyqcHP1GaQE/c6dDgjkgSx2BZ4IoEi4F1reUI=
-github.com/shurcooL/highlight_diff v0.0.0-20170515013008-09bb4053de1b/go.mod h1:ZpfEhSmds4ytuByIcDnOLkTHGUI6KNqRNPDLHDk+mUU=
-github.com/shurcooL/highlight_go v0.0.0-20181028180052-98c3abbbae20/go.mod h1:UDKB5a1T23gOMUJrI+uSuH0VRDStOiUVSjBTRDVBVag=
-github.com/shurcooL/home v0.0.0-20181020052607-80b7ffcb30f9/go.mod h1:+rgNQw2P9ARFAs37qieuu7ohDNQ3gds9msbT2yn85sg=
-github.com/shurcooL/htmlg v0.0.0-20170918183704-d01228ac9e50/go.mod h1:zPn1wHpTIePGnXSHpsVPWEktKXHr6+SS6x/IKRb7cpw=
-github.com/shurcooL/httperror v0.0.0-20170206035902-86b7830d14cc/go.mod h1:aYMfkZ6DWSJPJ6c4Wwz3QtW22G7mf/PEgaB9k/ik5+Y=
-github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
-github.com/shurcooL/httpgzip v0.0.0-20180522190206-b1c53ac65af9/go.mod h1:919LwcH0M7/W4fcZ0/jy0qGght1GIhqyS/EgWGH2j5Q=
-github.com/shurcooL/issues v0.0.0-20181008053335-6292fdc1e191/go.mod h1:e2qWDig5bLteJ4fwvDAc2NHzqFEthkqn7aOZAOpj+PQ=
-github.com/shurcooL/issuesapp v0.0.0-20180602232740-048589ce2241/go.mod h1:NPpHK2TI7iSaM0buivtFUc9offApnI0Alt/K8hcHy0I=
-github.com/shurcooL/notifications v0.0.0-20181007000457-627ab5aea122/go.mod h1:b5uSkrEVM1jQUspwbixRBhaIjIzL2xazXp6kntxYle0=
-github.com/shurcooL/octicon v0.0.0-20181028054416-fa4f57f9efb2/go.mod h1:eWdoE5JD4R5UVWDucdOPg1g2fqQRq78IQa9zlOV1vpQ=
-github.com/shurcooL/reactions v0.0.0-20181006231557-f2e0b4ca5b82/go.mod h1:TCR1lToEk4d2s07G3XGfz2QrgHXg4RJBvjrOozvoWfk=
-github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/shurcooL/users v0.0.0-20180125191416-49c67e49c537/go.mod h1:QJTqeLYEDaXHZDBsXlPCDqdhQuJkuw4NOtaxYe3xii4=
-github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5kWdCj2z2KEozexVbfEZIWiTjhE0+UjmZgPqehw=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -458,18 +381,17 @@ github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d h1:06LUHn4Ia2X6syjI
 github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d/go.mod h1:4d0ub42ut1mMtvGyMensjuHYEUpRrASvkzLEJvoRQcU=
 github.com/smallstep/truststore v0.13.0 h1:90if9htAOblavbMeWlqNLnO9bsjjgVv2hQeQJCi/py4=
 github.com/smallstep/truststore v0.13.0/go.mod h1:3tmMp2aLKZ/OA/jnFUB0cYPcho402UG2knuJoPh4j7A=
-github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
-github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
-github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
+github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -495,37 +417,33 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53 h1:uxMgm0C+EjytfAqyfBG55ZONKQ7mvd7x4YYCWsf8QHQ=
 github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
-github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
-github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
-github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/goldmark v1.7.8 h1:iERMLn0/QJeHFhxSt3p6PeN9mGnvIKSpG9YYorDMnic=
-github.com/yuin/goldmark v1.7.8/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
+github.com/yuin/goldmark v1.7.1 h1:3bajkSilaCbjdKVsKdZjZCLBNPL9pYzrCakKaf4U49U=
+github.com/yuin/goldmark v1.7.1/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc h1:+IAOyRda+RLrxa1WC7umKOZRsGq4QrFFMYApOeHzQwQ=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
-github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
-github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
+github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
+github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
-go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
 go.opentelemetry.io/contrib/propagators/autoprop v0.42.0 h1:s2RzYOAqHVgG23q8fPWYChobUoZM6rJZ98EnylJr66w=
 go.opentelemetry.io/contrib/propagators/autoprop v0.42.0/go.mod h1:Mv/tWNtZn+NbALDb2XcItP0OM3lWWZjAfSroINxfW+Y=
 go.opentelemetry.io/contrib/propagators/aws v1.17.0 h1:IX8d7l2uRw61BlmZBOTQFaK+y22j6vytMVTs9wFrO+c=
@@ -536,20 +454,20 @@ go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 h1:Zbpbmwav32Ea5jSotpmkWE
 go.opentelemetry.io/contrib/propagators/jaeger v1.17.0/go.mod h1:tcTUAlmO8nuInPDSBVfG+CP6Mzjy5+gNV4mPxMbL0IA=
 go.opentelemetry.io/contrib/propagators/ot v1.17.0 h1:ufo2Vsz8l76eI47jFjuVyjyB3Ae2DmfiCV/o6Vc8ii0=
 go.opentelemetry.io/contrib/propagators/ot v1.17.0/go.mod h1:SbKPj5XGp8K/sGm05XblaIABgMgw2jDczP8gGeuaVLk=
-go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
-go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 h1:K0XaT3DwHAcV4nKLzcQvwAgSyisUghWoY20I7huthMk=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0/go.mod h1:B5Ki776z/MBnVha1Nzwp5arlzBbE3+1jk+pGmaP5HME=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 h1:FFeLy03iVTXP6ffeN2iXrxfGsZGCjVx0/4KlizjyBwU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0/go.mod h1:TMu73/k1CP8nBUpDLc71Wj/Kf7ZS9FK5b53VapRsP9o=
-go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
-go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
-go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
-go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
-go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
-go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8=
+go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
+go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
+go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ=
 go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8=
 go.step.sm/crypto v0.45.0 h1:Z0WYAaaOYrJmKP9sJkPW+6wy3pgN3Ija8ek/D4serjc=
@@ -560,8 +478,8 @@ go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
+go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
@@ -577,14 +495,10 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
-go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
-go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
-golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw=
-golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.uber.org/zap/exp v0.2.0 h1:FtGenNNeCATRB3CmB/yEUnjEFeJWpB/pMcy7e2bKPYs=
+go.uber.org/zap/exp v0.2.0/go.mod h1:t0gqAIdh1MfKv9EwN/dLwfZnJxe9ITAZN78HEWPFWDQ=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -594,67 +508,44 @@ golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 h1:4cEcP5+OjGppY79LCQ5Go2B1Boix2x0v6pvA01P3FoA=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20240507223354-67b13616a595 h1:TgSqweA595vD0Zt86JzLv3Pb/syKg8gd5KMGGbJPYFw=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20240507223354-67b13616a595/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
-golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181029044818-c44066c5c816/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
+golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190316082340-a2f829d7f35f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -671,41 +562,37 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
@@ -716,41 +603,25 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
-google.golang.org/api v0.0.0-20181030000543-1d582fd0359e/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
-google.golang.org/api v0.1.0/go.mod h1:UGEZY7KEX120AnNLIHFMKIo4obdJhkp2tPbaPlQx13Y=
 google.golang.org/api v0.180.0 h1:M2D87Yo0rGBPWpo1orwfCLehUUL6E7/TYe5gvMQWDh4=
 google.golang.org/api v0.180.0/go.mod h1:51AiyoEg1MJPSZ9zvklA8VnRILPXxn1iVen9v25XHAE=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20181029155118-b69ba1387ce2/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20181202183823-bd91e49a0898/go.mod h1:7Ep/1NZk928CDR8SjdVbjWNpdIf6nzjE3BTgJDr2Atg=
-google.golang.org/genproto v0.0.0-20190306203927-b5d61aea6440/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw=
 google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw=
-google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg=
-google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
-google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
-google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
-google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/api v0.0.0-20240506185236-b8a5c65736ae h1:AH34z6WAGVNkllnKs5raNq3yRq93VnjBG6rpfub/jYk=
+google.golang.org/genproto/googleapis/api v0.0.0-20240506185236-b8a5c65736ae/go.mod h1:FfiGhwUm6CJviekPrc0oJ+7h29e+DmWU6UtjX0ZvI7Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
+google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -758,22 +629,16 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
-honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
-sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=

internal/ranges.go

@@ -1,14 +0,0 @@
-package internal
-
-// PrivateRangesCIDR returns a list of private CIDR range
-// strings, which can be used as a configuration shortcut.
-func PrivateRangesCIDR() []string {
-	return []string{
-		"192.168.0.0/16",
-		"172.16.0.0/12",
-		"10.0.0.0/8",
-		"127.0.0.1/8",
-		"fd00::/8",
-		"::1",
-	}
-}

listen.go

@@ -18,11 +18,7 @@ package caddy
 
 import (
 	"context"
-	"fmt"
 	"net"
-	"os"
-	"slices"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -35,49 +31,10 @@ func reuseUnixSocket(network, addr string) (any, error) {
 }
 
 func listenReusable(ctx context.Context, lnKey string, network, address string, config net.ListenConfig) (any, error) {
-	var socketFile *os.File
-
-	fd := slices.Contains([]string{"fd", "fdgram"}, network)
-	if fd {
-		socketFd, err := strconv.ParseUint(address, 0, strconv.IntSize)
-		if err != nil {
-			return nil, fmt.Errorf("invalid file descriptor: %v", err)
-		}
-
-		func() {
-			socketFilesMu.Lock()
-			defer socketFilesMu.Unlock()
-
-			socketFdWide := uintptr(socketFd)
-			var ok bool
-
-			socketFile, ok = socketFiles[socketFdWide]
-
-			if !ok {
-				socketFile = os.NewFile(socketFdWide, lnKey)
-				if socketFile != nil {
-					socketFiles[socketFdWide] = socketFile
-				}
-			}
-		}()
-
-		if socketFile == nil {
-			return nil, fmt.Errorf("invalid socket file descriptor: %d", socketFd)
-		}
-	}
-
-	datagram := slices.Contains([]string{"udp", "udp4", "udp6", "unixgram", "fdgram"}, network)
-	if datagram {
+	switch network {
+	case "udp", "udp4", "udp6", "unixgram":
 		sharedPc, _, err := listenerPool.LoadOrNew(lnKey, func() (Destructor, error) {
-			var (
-				pc  net.PacketConn
-				err error
-			)
-			if fd {
-				pc, err = net.FilePacketConn(socketFile)
-			} else {
-				pc, err = config.ListenPacket(ctx, network, address)
-			}
+			pc, err := config.ListenPacket(ctx, network, address)
 			if err != nil {
 				return nil, err
 			}
@@ -87,27 +44,20 @@ func listenReusable(ctx context.Context, lnKey string, network, address string,
 			return nil, err
 		}
 		return &fakeClosePacketConn{sharedPacketConn: sharedPc.(*sharedPacketConn)}, nil
-	}
 
-	sharedLn, _, err := listenerPool.LoadOrNew(lnKey, func() (Destructor, error) {
-		var (
-			ln  net.Listener
-			err error
-		)
-		if fd {
-			ln, err = net.FileListener(socketFile)
-		} else {
-			ln, err = config.Listen(ctx, network, address)
-		}
+	default:
+		sharedLn, _, err := listenerPool.LoadOrNew(lnKey, func() (Destructor, error) {
+			ln, err := config.Listen(ctx, network, address)
+			if err != nil {
+				return nil, err
+			}
+			return &sharedListener{Listener: ln, key: lnKey}, nil
+		})
 		if err != nil {
 			return nil, err
 		}
-		return &sharedListener{Listener: ln, key: lnKey}, nil
-	})
-	if err != nil {
-		return nil, err
+		return &fakeCloseListener{sharedListener: sharedLn.(*sharedListener), keepAlivePeriod: config.KeepAlive}, nil
 	}
-	return &fakeCloseListener{sharedListener: sharedLn.(*sharedListener), keepAlivePeriod: config.KeepAlive}, nil
 }
 
 // fakeCloseListener is a private wrapper over a listener that
@@ -310,9 +260,3 @@ var (
 		Unwrap() net.PacketConn
 	}) = (*fakeClosePacketConn)(nil)
 )
-
-// socketFiles is a fd -> *os.File map used to make a FileListener/FilePacketConn from a socket file descriptor.
-var socketFiles = map[uintptr]*os.File{}
-
-// socketFilesMu synchronizes socketFiles insertions
-var socketFilesMu sync.Mutex

listen_unix.go

@@ -22,14 +22,10 @@ package caddy
 import (
 	"context"
 	"errors"
-	"fmt"
 	"io"
 	"io/fs"
 	"net"
 	"os"
-	"slices"
-	"strconv"
-	"sync"
 	"sync/atomic"
 	"syscall"
 
@@ -38,9 +34,12 @@ import (
 )
 
 // reuseUnixSocket copies and reuses the unix domain socket (UDS) if we already
-// have it open; if not, unlink it so we can have it.
-// No-op if not a unix network.
+// have it open; if not, unlink it so we can have it. No-op if not a unix network.
 func reuseUnixSocket(network, addr string) (any, error) {
+	if !IsUnixNetwork(network) {
+		return nil, nil
+	}
+
 	socketKey := listenerKey(network, addr)
 
 	socket, exists := unixSockets[socketKey]
@@ -72,7 +71,7 @@ func reuseUnixSocket(network, addr string) (any, error) {
 				return nil, err
 			}
 			atomic.AddInt32(unixSocket.count, 1)
-			unixSockets[socketKey] = &unixConn{pc.(*net.UnixConn), socketKey, unixSocket.count}
+			unixSockets[socketKey] = &unixConn{pc.(*net.UnixConn), addr, socketKey, unixSocket.count}
 		}
 
 		return unixSockets[socketKey], nil
@@ -90,107 +89,56 @@ func reuseUnixSocket(network, addr string) (any, error) {
 	return nil, nil
 }
 
-// listenReusable creates a new listener for the given network and address, and adds it to listenerPool.
 func listenReusable(ctx context.Context, lnKey string, network, address string, config net.ListenConfig) (any, error) {
+	// wrap any Control function set by the user so we can also add our reusePort control without clobbering theirs
+	oldControl := config.Control
+	config.Control = func(network, address string, c syscall.RawConn) error {
+		if oldControl != nil {
+			if err := oldControl(network, address, c); err != nil {
+				return err
+			}
+		}
+		return reusePort(network, address, c)
+	}
+
 	// even though SO_REUSEPORT lets us bind the socket multiple times,
 	// we still put it in the listenerPool so we can count how many
 	// configs are using this socket; necessary to ensure we can know
 	// whether to enforce shutdown delays, for example (see #5393).
-	var (
-		ln         io.Closer
-		err        error
-		socketFile *os.File
-	)
-
-	fd := slices.Contains([]string{"fd", "fdgram"}, network)
-	if fd {
-		socketFd, err := strconv.ParseUint(address, 0, strconv.IntSize)
-		if err != nil {
-			return nil, fmt.Errorf("invalid file descriptor: %v", err)
-		}
-
-		func() {
-			socketFilesMu.Lock()
-			defer socketFilesMu.Unlock()
-
-			socketFdWide := uintptr(socketFd)
-			var ok bool
-
-			socketFile, ok = socketFiles[socketFdWide]
-
-			if !ok {
-				socketFile = os.NewFile(socketFdWide, lnKey)
-				if socketFile != nil {
-					socketFiles[socketFdWide] = socketFile
-				}
-			}
-		}()
-
-		if socketFile == nil {
-			return nil, fmt.Errorf("invalid socket file descriptor: %d", socketFd)
-		}
-	} else {
-		// wrap any Control function set by the user so we can also add our reusePort control without clobbering theirs
-		oldControl := config.Control
-		config.Control = func(network, address string, c syscall.RawConn) error {
-			if oldControl != nil {
-				if err := oldControl(network, address, c); err != nil {
-					return err
-				}
-			}
-			return reusePort(network, address, c)
-		}
+	var ln io.Closer
+	var err error
+	switch network {
+	case "udp", "udp4", "udp6", "unixgram":
+		ln, err = config.ListenPacket(ctx, network, address)
+	default:
+		ln, err = config.Listen(ctx, network, address)
 	}
-
-	datagram := slices.Contains([]string{"udp", "udp4", "udp6", "unixgram", "fdgram"}, network)
-	if datagram {
-		if fd {
-			ln, err = net.FilePacketConn(socketFile)
-		} else {
-			ln, err = config.ListenPacket(ctx, network, address)
-		}
-	} else {
-		if fd {
-			ln, err = net.FileListener(socketFile)
-		} else {
-			ln, err = config.Listen(ctx, network, address)
-		}
-	}
-
 	if err == nil {
 		listenerPool.LoadOrStore(lnKey, nil)
 	}
 
-	if datagram {
-		if !fd {
-			// TODO: Not 100% sure this is necessary, but we do this for net.UnixListener, so...
-			if unix, ok := ln.(*net.UnixConn); ok {
-				one := int32(1)
-				ln = &unixConn{unix, lnKey, &one}
-				unixSockets[lnKey] = ln.(*unixConn)
-			}
-		}
-		// lightly wrap the connection so that when it is closed,
-		// we can decrement the usage pool counter
-		if specificLn, ok := ln.(net.PacketConn); ok {
-			ln = deletePacketConn{specificLn, lnKey}
-		}
-	} else {
-		if !fd {
-			// if new listener is a unix socket, make sure we can reuse it later
-			// (we do our own "unlink on close" -- not required, but more tidy)
-			if unix, ok := ln.(*net.UnixListener); ok {
-				unix.SetUnlinkOnClose(false)
-				one := int32(1)
-				ln = &unixListener{unix, lnKey, &one}
-				unixSockets[lnKey] = ln.(*unixListener)
-			}
-		}
-		// lightly wrap the listener so that when it is closed,
-		// we can decrement the usage pool counter
-		if specificLn, ok := ln.(net.Listener); ok {
-			ln = deleteListener{specificLn, lnKey}
-		}
+	// if new listener is a unix socket, make sure we can reuse it later
+	// (we do our own "unlink on close" -- not required, but more tidy)
+	one := int32(1)
+	if unix, ok := ln.(*net.UnixListener); ok {
+		unix.SetUnlinkOnClose(false)
+		ln = &unixListener{unix, lnKey, &one}
+		unixSockets[lnKey] = ln.(*unixListener)
+	}
+
+	// TODO: Not 100% sure this is necessary, but we do this for net.UnixListener in listen_unix.go, so...
+	if unix, ok := ln.(*net.UnixConn); ok {
+		ln = &unixConn{unix, address, lnKey, &one}
+		unixSockets[lnKey] = ln.(*unixConn)
+	}
+
+	// lightly wrap the listener so that when it is closed,
+	// we can decrement the usage pool counter
+	switch specificLn := ln.(type) {
+	case net.Listener:
+		return deleteListener{specificLn, lnKey}, err
+	case net.PacketConn:
+		return deletePacketConn{specificLn, lnKey}, err
 	}
 
 	// other types, I guess we just return them directly
@@ -222,18 +170,12 @@ type unixListener struct {
 func (uln *unixListener) Close() error {
 	newCount := atomic.AddInt32(uln.count, -1)
 	if newCount == 0 {
-		file, err := uln.File()
-		var name string
-		if err == nil {
-			name = file.Name()
-		}
 		defer func() {
+			addr := uln.Addr().String()
 			unixSocketsMu.Lock()
 			delete(unixSockets, uln.mapKey)
 			unixSocketsMu.Unlock()
-			if err == nil {
-				_ = syscall.Unlink(name)
-			}
+			_ = syscall.Unlink(addr)
 		}()
 	}
 	return uln.UnixListener.Close()
@@ -241,25 +183,19 @@ func (uln *unixListener) Close() error {
 
 type unixConn struct {
 	*net.UnixConn
-	mapKey string
-	count  *int32 // accessed atomically
+	filename string
+	mapKey   string
+	count    *int32 // accessed atomically
 }
 
 func (uc *unixConn) Close() error {
 	newCount := atomic.AddInt32(uc.count, -1)
 	if newCount == 0 {
-		file, err := uc.File()
-		var name string
-		if err == nil {
-			name = file.Name()
-		}
 		defer func() {
 			unixSocketsMu.Lock()
 			delete(unixSockets, uc.mapKey)
 			unixSocketsMu.Unlock()
-			if err == nil {
-				_ = syscall.Unlink(name)
-			}
+			_ = syscall.Unlink(uc.filename)
 		}()
 	}
 	return uc.UnixConn.Close()
@@ -275,12 +211,6 @@ var unixSockets = make(map[string]interface {
 	File() (*os.File, error)
 })
 
-// socketFiles is a fd -> *os.File map used to make a FileListener/FilePacketConn from a socket file descriptor.
-var socketFiles = map[uintptr]*os.File{}
-
-// socketFilesMu synchronizes socketFiles insertions
-var socketFilesMu sync.Mutex
-
 // deleteListener is a type that simply deletes itself
 // from the listenerPool when it closes. It is used
 // solely for the purpose of reference counting (i.e.

listeners.go

@@ -31,7 +31,6 @@ import (
 
 	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/http3"
-	"github.com/quic-go/quic-go/qlog"
 	"go.uber.org/zap"
 	"golang.org/x/time/rate"
 
@@ -58,9 +57,11 @@ type NetworkAddress struct {
 	EndPort   uint
 }
 
-// ListenAll calls Listen for all addresses represented by this struct, i.e. all ports in the range.
+// ListenAll calls Listen() for all addresses represented by this struct, i.e. all ports in the range.
 // (If the address doesn't use ports or has 1 port only, then only 1 listener will be created.)
 // It returns an error if any listener failed to bind, and closes any listeners opened up to that point.
+//
+// TODO: Experimental API: subject to change or removal.
 func (na NetworkAddress) ListenAll(ctx context.Context, config net.ListenConfig) ([]any, error) {
 	var listeners []any
 	var err error
@@ -106,8 +107,7 @@ func (na NetworkAddress) ListenAll(ctx context.Context, config net.ListenConfig)
 // portOffset to the start port. (For network types that do not use ports, the
 // portOffset is ignored.)
 //
-// First Listen checks if a plugin can provide a listener from this address. Otherwise,
-// the provided ListenConfig is used to create the listener. Its Control function,
+// The provided ListenConfig is used to create the listener. Its Control function,
 // if set, may be wrapped by an internally-used Control function. The provided
 // context may be used to cancel long operations early. The context is not used
 // to close the listener after it has been created.
@@ -130,8 +130,8 @@ func (na NetworkAddress) ListenAll(ctx context.Context, config net.ListenConfig)
 // Unix sockets will be unlinked before being created, to ensure we can bind to
 // it even if the previous program using it exited uncleanly; it will also be
 // unlinked upon a graceful exit (or when a new config does not use that socket).
-// Listen synchronizes binds to unix domain sockets to avoid race conditions
-// while an existing socket is unlinked.
+//
+// TODO: Experimental API: subject to change or removal.
 func (na NetworkAddress) Listen(ctx context.Context, portOffset uint, config net.ListenConfig) (any, error) {
 	if na.IsUnixNetwork() {
 		unixSocketsMu.Lock()
@@ -149,53 +149,54 @@ func (na NetworkAddress) Listen(ctx context.Context, portOffset uint, config net
 
 func (na NetworkAddress) listen(ctx context.Context, portOffset uint, config net.ListenConfig) (any, error) {
 	var (
-		ln           any
-		err          error
-		address      string
-		unixFileMode fs.FileMode
+		ln                   any
+		err                  error
+		address              string
+		unixFileMode         fs.FileMode
+		isAbstractUnixSocket bool
 	)
 
 	// split unix socket addr early so lnKey
 	// is independent of permissions bits
 	if na.IsUnixNetwork() {
+		var err error
 		address, unixFileMode, err = internal.SplitUnixSocketPermissionsBits(na.Host)
 		if err != nil {
 			return nil, err
 		}
-	} else if na.IsFdNetwork() {
-		address = na.Host
+		isAbstractUnixSocket = strings.HasPrefix(address, "@")
 	} else {
 		address = na.JoinHostPort(portOffset)
 	}
 
+	// if this is a unix socket, see if we already have it open,
+	// force socket permissions on it and return early
+	if socket, err := reuseUnixSocket(na.Network, address); socket != nil || err != nil {
+		if !isAbstractUnixSocket {
+			if err := os.Chmod(address, unixFileMode); err != nil {
+				return nil, fmt.Errorf("unable to set permissions (%s) on %s: %v", unixFileMode, address, err)
+			}
+		}
+		return socket, err
+	}
+
+	lnKey := listenerKey(na.Network, address)
+
 	if strings.HasPrefix(na.Network, "ip") {
 		ln, err = config.ListenPacket(ctx, na.Network, address)
 	} else {
-		if na.IsUnixNetwork() {
-			// if this is a unix socket, see if we already have it open
-			ln, err = reuseUnixSocket(na.Network, address)
-		}
-
-		if ln == nil && err == nil {
-			// otherwise, create a new listener
-			lnKey := listenerKey(na.Network, address)
-			ln, err = listenReusable(ctx, lnKey, na.Network, address, config)
-		}
+		ln, err = listenReusable(ctx, lnKey, na.Network, address, config)
 	}
-
 	if err != nil {
 		return nil, err
 	}
-
 	if ln == nil {
 		return nil, fmt.Errorf("unsupported network type: %s", na.Network)
 	}
 
 	if IsUnixNetwork(na.Network) {
-		isAbstractUnixSocket := strings.HasPrefix(address, "@")
 		if !isAbstractUnixSocket {
-			err = os.Chmod(address, unixFileMode)
-			if err != nil {
+			if err := os.Chmod(address, unixFileMode); err != nil {
 				return nil, fmt.Errorf("unable to set permissions (%s) on %s: %v", unixFileMode, address, err)
 			}
 		}
@@ -210,22 +211,18 @@ func (na NetworkAddress) IsUnixNetwork() bool {
 	return IsUnixNetwork(na.Network)
 }
 
-// IsUnixNetwork returns true if na.Network is
-// fd or fdgram.
-func (na NetworkAddress) IsFdNetwork() bool {
-	return IsFdNetwork(na.Network)
-}
-
 // JoinHostPort is like net.JoinHostPort, but where the port
 // is StartPort + offset.
 func (na NetworkAddress) JoinHostPort(offset uint) string {
-	if na.IsUnixNetwork() || na.IsFdNetwork() {
+	if na.IsUnixNetwork() {
 		return na.Host
 	}
-	return net.JoinHostPort(na.Host, strconv.FormatUint(uint64(na.StartPort+offset), 10))
+	return net.JoinHostPort(na.Host, strconv.Itoa(int(na.StartPort+offset)))
 }
 
 // Expand returns one NetworkAddress for each port in the port range.
+//
+// This is EXPERIMENTAL and subject to change or removal.
 func (na NetworkAddress) Expand() []NetworkAddress {
 	size := na.PortRangeSize()
 	addrs := make([]NetworkAddress, size)
@@ -256,7 +253,7 @@ func (na NetworkAddress) PortRangeSize() uint {
 }
 
 func (na NetworkAddress) isLoopback() bool {
-	if na.IsUnixNetwork() || na.IsFdNetwork() {
+	if na.IsUnixNetwork() {
 		return true
 	}
 	if na.Host == "localhost" {
@@ -300,11 +297,6 @@ func IsUnixNetwork(netw string) bool {
 	return strings.HasPrefix(netw, "unix")
 }
 
-// IsFdNetwork returns true if the netw is a fd network.
-func IsFdNetwork(netw string) bool {
-	return strings.HasPrefix(netw, "fd")
-}
-
 // ParseNetworkAddress parses addr into its individual
 // components. The input string is expected to be of
 // the form "network/host:port-range" where any part is
@@ -335,12 +327,6 @@ func ParseNetworkAddressWithDefaults(addr, defaultNetwork string, defaultPort ui
 			Host:    host,
 		}, err
 	}
-	if IsFdNetwork(network) {
-		return NetworkAddress{
-			Network: network,
-			Host:    host,
-		}, nil
-	}
 	var start, end uint64
 	if port == "" {
 		start = uint64(defaultPort)
@@ -380,28 +366,25 @@ func SplitNetworkAddress(a string) (network, host, port string, err error) {
 	if slashFound {
 		network = strings.ToLower(strings.TrimSpace(beforeSlash))
 		a = afterSlash
-		if IsUnixNetwork(network) || IsFdNetwork(network) {
-			host = a
-			return
-		}
 	}
-
+	if IsUnixNetwork(network) {
+		host = a
+		return
+	}
 	host, port, err = net.SplitHostPort(a)
-	firstErr := err
-
-	if err != nil {
-		// in general, if there was an error, it was likely "missing port",
-		// so try removing square brackets around an IPv6 host, adding a bogus
-		// port to take advantage of standard library's robust parser, then
-		// strip the artificial port.
-		host, _, err = net.SplitHostPort(net.JoinHostPort(strings.Trim(a, "[]"), "0"))
+	if err == nil || a == "" {
+		return
+	}
+	// in general, if there was an error, it was likely "missing port",
+	// so try adding a bogus port to take advantage of standard library's
+	// robust parser, then strip the artificial port before returning
+	// (don't overwrite original error though; might still be relevant)
+	var err2 error
+	host, port, err2 = net.SplitHostPort(a + ":0")
+	if err2 == nil {
+		err = nil
 		port = ""
 	}
-
-	if err != nil {
-		err = errors.Join(firstErr, err)
-	}
-
 	return
 }
 
@@ -415,7 +398,7 @@ func JoinNetworkAddress(network, host, port string) string {
 	if network != "" {
 		a = network + "/"
 	}
-	if (host != "" && port == "") || IsUnixNetwork(network) || IsFdNetwork(network) {
+	if (host != "" && port == "") || IsUnixNetwork(network) {
 		a += host
 	} else if port != "" {
 		a += net.JoinHostPort(host, port)
@@ -423,11 +406,9 @@ func JoinNetworkAddress(network, host, port string) string {
 	return a
 }
 
-// ListenQUIC returns a http3.QUICEarlyListener suitable for use in a Caddy module.
-//
-// The network will be transformed into a QUIC-compatible type if the same address can be used with
-// different networks. Currently this just means that for tcp, udp will be used with the same
-// address instead.
+// ListenQUIC returns a quic.EarlyListener suitable for use in a Caddy module.
+// The network will be transformed into a QUIC-compatible type (if unix, then
+// unixgram will be used; otherwise, udp will be used).
 //
 // NOTE: This API is EXPERIMENTAL and may be changed or removed.
 func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config net.ListenConfig, tlsConf *tls.Config) (http3.QUICEarlyListener, error) {
@@ -462,13 +443,7 @@ func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config
 			Conn:                h3ln,
 			VerifySourceAddress: func(addr net.Addr) bool { return !limiter.Allow() },
 		}
-		earlyLn, err := tr.ListenEarly(
-			http3.ConfigureTLSConfig(quicTlsConfig),
-			&quic.Config{
-				Allow0RTT: true,
-				Tracer:    qlog.DefaultConnectionTracer,
-			},
-		)
+		earlyLn, err := tr.ListenEarly(http3.ConfigureTLSConfig(quicTlsConfig), &quic.Config{Allow0RTT: true})
 		if err != nil {
 			return nil, err
 		}
@@ -641,8 +616,7 @@ func RegisterNetwork(network string, getListener ListenerFunc) {
 	if network == "tcp" || network == "tcp4" || network == "tcp6" ||
 		network == "udp" || network == "udp4" || network == "udp6" ||
 		network == "unix" || network == "unixpacket" || network == "unixgram" ||
-		strings.HasPrefix("ip:", network) || strings.HasPrefix("ip4:", network) || strings.HasPrefix("ip6:", network) ||
-		network == "fd" || network == "fdgram" {
+		strings.HasPrefix("ip:", network) || strings.HasPrefix("ip4:", network) || strings.HasPrefix("ip6:", network) {
 		panic("network type " + network + " is reserved")
 	}
 

listeners_test.go

@@ -31,7 +31,7 @@ func TestSplitNetworkAddress(t *testing.T) {
 	}{
 		{
 			input:     "",
-			expectHost: "",
+			expectErr: true,
 		},
 		{
 			input:      "foo",
@@ -42,7 +42,7 @@ func TestSplitNetworkAddress(t *testing.T) {
 		},
 		{
 			input:     "::",
-			expectHost: "::",
+			expectErr: true,
 		},
 		{
 			input:      "[::]",
@@ -77,7 +77,7 @@ func TestSplitNetworkAddress(t *testing.T) {
 		{
 			input:         "udp/",
 			expectNetwork: "udp",
-			expectHost:    "",
+			expectErr:     true,
 		},
 		{
 			input:         "unix//foo/bar",
@@ -185,8 +185,7 @@ func TestParseNetworkAddress(t *testing.T) {
 	}{
 		{
 			input:     "",
-			expectAddr: NetworkAddress{
-			},
+			expectErr: true,
 		},
 		{
 			input:          ":",
@@ -312,8 +311,7 @@ func TestParseNetworkAddressWithDefaults(t *testing.T) {
 	}{
 		{
 			input:     "",
-			expectAddr: NetworkAddress{
-			},
+			expectErr: true,
 		},
 		{
 			input:          ":",

logging.go

@@ -16,6 +16,7 @@ package caddy
 
 import (
 	"encoding/json"
+	"flag"
 	"fmt"
 	"io"
 	"log"
@@ -699,7 +700,13 @@ type defaultCustomLog struct {
 // and enables INFO-level logs and higher.
 func newDefaultProductionLog() (*defaultCustomLog, error) {
 	cl := new(CustomLog)
-	cl.writerOpener = StderrWriter{}
+	f := flag.Lookup("test.v")
+	if (f != nil && f.Value.String() != "true") || strings.Contains(os.Args[0], ".test") {
+		cl.writerOpener = &DiscardWriter{}
+	} else {
+		cl.writerOpener = StderrWriter{}
+	}
+
 	var err error
 	cl.writer, err = cl.writerOpener.OpenWriter()
 	if err != nil {

metrics.go

@@ -4,33 +4,30 @@ import (
 	"net/http"
 
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/collectors"
+	"github.com/prometheus/client_golang/prometheus/promauto"
 
 	"github.com/caddyserver/caddy/v2/internal/metrics"
 )
 
 // define and register the metrics used in this package.
 func init() {
+	prometheus.MustRegister(collectors.NewBuildInfoCollector())
+
 	const ns, sub = "caddy", "admin"
-	adminMetrics.requestCount = prometheus.NewCounterVec(prometheus.CounterOpts{
+
+	adminMetrics.requestCount = promauto.NewCounterVec(prometheus.CounterOpts{
 		Namespace: ns,
 		Subsystem: sub,
 		Name:      "http_requests_total",
 		Help:      "Counter of requests made to the Admin API's HTTP endpoints.",
 	}, []string{"handler", "path", "code", "method"})
-	adminMetrics.requestErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
+	adminMetrics.requestErrors = promauto.NewCounterVec(prometheus.CounterOpts{
 		Namespace: ns,
 		Subsystem: sub,
 		Name:      "http_request_errors_total",
 		Help:      "Number of requests resulting in middleware errors.",
 	}, []string{"handler", "path", "method"})
-	globalMetrics.configSuccess = prometheus.NewGauge(prometheus.GaugeOpts{
-		Name: "caddy_config_last_reload_successful",
-		Help: "Whether the last configuration reload attempt was successful.",
-	})
-	globalMetrics.configSuccessTime = prometheus.NewGauge(prometheus.GaugeOpts{
-		Name: "caddy_config_last_reload_success_timestamp_seconds",
-		Help: "Timestamp of the last successful configuration reload.",
-	})
 }
 
 // adminMetrics is a collection of metrics that can be tracked for the admin API.
@@ -39,12 +36,6 @@ var adminMetrics = struct {
 	requestErrors *prometheus.CounterVec
 }{}
 
-// globalMetrics is a collection of metrics that can be tracked for Caddy global state
-var globalMetrics = struct {
-	configSuccess     prometheus.Gauge
-	configSuccessTime prometheus.Gauge
-}{}
-
 // Similar to promhttp.InstrumentHandlerCounter, but upper-cases method names
 // instead of lower-casing them.
 //

modules/caddyevents/app.go

@@ -124,19 +124,18 @@ func (app *App) Provision(ctx caddy.Context) error {
 	app.subscriptions = make(map[string]map[caddy.ModuleID][]Handler)
 
 	for _, sub := range app.Subscriptions {
-		if sub.HandlersRaw == nil {
-			continue
-		}
-		handlersIface, err := ctx.LoadModule(sub, "HandlersRaw")
-		if err != nil {
-			return fmt.Errorf("loading event subscriber modules: %v", err)
-		}
-		for _, h := range handlersIface.([]any) {
-			sub.Handlers = append(sub.Handlers, h.(Handler))
-		}
-		if len(sub.Handlers) == 0 {
-			// pointless to bind without any handlers
-			return fmt.Errorf("no handlers defined")
+		if sub.HandlersRaw != nil {
+			handlersIface, err := ctx.LoadModule(sub, "HandlersRaw")
+			if err != nil {
+				return fmt.Errorf("loading event subscriber modules: %v", err)
+			}
+			for _, h := range handlersIface.([]any) {
+				sub.Handlers = append(sub.Handlers, h.(Handler))
+			}
+			if len(sub.Handlers) == 0 {
+				// pointless to bind without any handlers
+				return fmt.Errorf("no handlers defined")
+			}
 		}
 	}
 
@@ -262,7 +261,7 @@ func (app *App) Emit(ctx caddy.Context, eventName string, data map[string]any) E
 		return nil, false
 	})
 
-	logger = logger.WithLazy(zap.Any("data", e.Data))
+	logger = logger.With(zap.Any("data", e.Data))
 
 	logger.Debug("event")
 

modules/caddyhttp/app.go

@@ -15,11 +15,9 @@
 package caddyhttp
 
 import (
-	"cmp"
 	"context"
 	"crypto/tls"
 	"fmt"
-	"maps"
 	"net"
 	"net/http"
 	"strconv"
@@ -143,10 +141,6 @@ type App struct {
 	// affect functionality.
 	Servers map[string]*Server `json:"servers,omitempty"`
 
-	// If set, metrics observations will be enabled.
-	// This setting is EXPERIMENTAL and subject to change.
-	Metrics *Metrics `json:"metrics,omitempty"`
-
 	ctx    caddy.Context
 	logger *zap.Logger
 	tlsApp *caddytls.TLS
@@ -189,10 +183,6 @@ func (app *App) Provision(ctx caddy.Context) error {
 		return err
 	}
 
-	if app.Metrics != nil {
-		app.Metrics.init = sync.Once{}
-		app.Metrics.httpMetrics = &httpMetrics{}
-	}
 	// prepare each server
 	oldContext := ctx.Context
 	for srvName, srv := range app.Servers {
@@ -205,15 +195,6 @@ func (app *App) Provision(ctx caddy.Context) error {
 		srv.errorLogger = app.logger.Named("log.error")
 		srv.shutdownAtMu = new(sync.RWMutex)
 
-		if srv.Metrics != nil {
-			srv.logger.Warn("per-server 'metrics' is deprecated; use 'metrics' in the root 'http' app instead")
-			app.Metrics = cmp.Or[*Metrics](app.Metrics, &Metrics{
-				init:        sync.Once{},
-				httpMetrics: &httpMetrics{},
-			})
-			app.Metrics.PerHost = app.Metrics.PerHost || srv.Metrics.PerHost
-		}
-
 		// only enable access logs if configured
 		if srv.Logs != nil {
 			srv.accessLogger = app.logger.Named("log.access")
@@ -222,73 +203,15 @@ func (app *App) Provision(ctx caddy.Context) error {
 			}
 		}
 
-		// if no protocols configured explicitly, enable all except h2c
-		if len(srv.Protocols) == 0 {
-			srv.Protocols = []string{"h1", "h2", "h3"}
-		}
-
-		srvProtocolsUnique := map[string]struct{}{}
-		for _, srvProtocol := range srv.Protocols {
-			srvProtocolsUnique[srvProtocol] = struct{}{}
-		}
-		_, h1ok := srvProtocolsUnique["h1"]
-		_, h2ok := srvProtocolsUnique["h2"]
-		_, h2cok := srvProtocolsUnique["h2c"]
-
 		// the Go standard library does not let us serve only HTTP/2 using
 		// http.Server; we would probably need to write our own server
-		if !h1ok && (h2ok || h2cok) {
+		if !srv.protocol("h1") && (srv.protocol("h2") || srv.protocol("h2c")) {
 			return fmt.Errorf("server %s: cannot enable HTTP/2 or H2C without enabling HTTP/1.1; add h1 to protocols or remove h2/h2c", srvName)
 		}
 
-		if srv.ListenProtocols != nil {
-			if len(srv.ListenProtocols) != len(srv.Listen) {
-				return fmt.Errorf("server %s: listener protocols count does not match address count: %d != %d",
-					srvName, len(srv.ListenProtocols), len(srv.Listen))
-			}
-
-			for i, lnProtocols := range srv.ListenProtocols {
-				if lnProtocols != nil {
-					// populate empty listen protocols with server protocols
-					lnProtocolsDefault := false
-					var lnProtocolsInclude []string
-					srvProtocolsInclude := maps.Clone(srvProtocolsUnique)
-
-					// keep existing listener protocols unless they are empty
-					for _, lnProtocol := range lnProtocols {
-						if lnProtocol == "" {
-							lnProtocolsDefault = true
-						} else {
-							lnProtocolsInclude = append(lnProtocolsInclude, lnProtocol)
-							delete(srvProtocolsInclude, lnProtocol)
-						}
-					}
-
-					// append server protocols to listener protocols if any listener protocols were empty
-					if lnProtocolsDefault {
-						for _, srvProtocol := range srv.Protocols {
-							if _, ok := srvProtocolsInclude[srvProtocol]; ok {
-								lnProtocolsInclude = append(lnProtocolsInclude, srvProtocol)
-							}
-						}
-					}
-
-					lnProtocolsIncludeUnique := map[string]struct{}{}
-					for _, lnProtocol := range lnProtocolsInclude {
-						lnProtocolsIncludeUnique[lnProtocol] = struct{}{}
-					}
-					_, h1ok := lnProtocolsIncludeUnique["h1"]
-					_, h2ok := lnProtocolsIncludeUnique["h2"]
-					_, h2cok := lnProtocolsIncludeUnique["h2c"]
-
-					// check if any listener protocols contain h2 or h2c without h1
-					if !h1ok && (h2ok || h2cok) {
-						return fmt.Errorf("server %s, listener %d: cannot enable HTTP/2 or H2C without enabling HTTP/1.1; add h1 to protocols or remove h2/h2c", srvName, i)
-					}
-
-					srv.ListenProtocols[i] = lnProtocolsInclude
-				}
-			}
+		// if no protocols configured explicitly, enable all except h2c
+		if len(srv.Protocols) == 0 {
+			srv.Protocols = []string{"h1", "h2", "h3"}
 		}
 
 		// if not explicitly configured by the user, disallow TLS
@@ -360,11 +283,12 @@ func (app *App) Provision(ctx caddy.Context) error {
 				srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
 			}
 		}
+
 		// pre-compile the primary handler chain, and be sure to wrap it in our
 		// route handler so that important security checks are done, etc.
 		primaryRoute := emptyHandler
 		if srv.Routes != nil {
-			err := srv.Routes.ProvisionHandlers(ctx, app.Metrics)
+			err := srv.Routes.ProvisionHandlers(ctx, srv.Metrics)
 			if err != nil {
 				return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err)
 			}
@@ -383,7 +307,7 @@ func (app *App) Provision(ctx caddy.Context) error {
 
 		// provision the named routes (they get compiled at runtime)
 		for name, route := range srv.NamedRoutes {
-			err := route.Provision(ctx, app.Metrics)
+			err := route.Provision(ctx, srv.Metrics)
 			if err != nil {
 				return fmt.Errorf("server %s: setting up named route '%s' handlers: %v", name, srvName, err)
 			}
@@ -420,7 +344,7 @@ func (app *App) Validate() error {
 			// check that every address in the port range is unique to this server;
 			// we do not use <= here because PortRangeSize() adds 1 to EndPort for us
 			for i := uint(0); i < listenAddr.PortRangeSize(); i++ {
-				addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.FormatUint(uint64(listenAddr.StartPort+i), 10))
+				addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i)))
 				if sn, ok := lnAddrs[addr]; ok {
 					return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn)
 				}
@@ -498,118 +422,99 @@ func (app *App) Start() error {
 			srv.server.Handler = h2c.NewHandler(srv, h2server)
 		}
 
-		for lnIndex, lnAddr := range srv.Listen {
+		for _, lnAddr := range srv.Listen {
 			listenAddr, err := caddy.ParseNetworkAddress(lnAddr)
 			if err != nil {
 				return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err)
 			}
-
 			srv.addresses = append(srv.addresses, listenAddr)
 
-			protocols := srv.Protocols
-			if srv.ListenProtocols != nil && srv.ListenProtocols[lnIndex] != nil {
-				protocols = srv.ListenProtocols[lnIndex]
-			}
-
-			protocolsUnique := map[string]struct{}{}
-			for _, protocol := range protocols {
-				protocolsUnique[protocol] = struct{}{}
-			}
-			_, h1ok := protocolsUnique["h1"]
-			_, h2ok := protocolsUnique["h2"]
-			_, h2cok := protocolsUnique["h2c"]
-			_, h3ok := protocolsUnique["h3"]
-
 			for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ {
+				// create the listener for this socket
 				hostport := listenAddr.JoinHostPort(portOffset)
+				lnAny, err := listenAddr.Listen(app.ctx, portOffset, net.ListenConfig{KeepAlive: time.Duration(srv.KeepAliveInterval)})
+				if err != nil {
+					return fmt.Errorf("listening on %s: %v", listenAddr.At(portOffset), err)
+				}
+				ln := lnAny.(net.Listener)
+
+				// wrap listener before TLS (up to the TLS placeholder wrapper)
+				var lnWrapperIdx int
+				for i, lnWrapper := range srv.listenerWrappers {
+					if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
+						lnWrapperIdx = i + 1 // mark the next wrapper's spot
+						break
+					}
+					ln = lnWrapper.WrapListener(ln)
+				}
 
 				// enable TLS if there is a policy and if this is not the HTTP port
 				useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
+				if useTLS {
+					// create TLS listener - this enables and terminates TLS
+					ln = tls.NewListener(ln, tlsCfg)
 
-				// enable HTTP/3 if configured
-				if h3ok && useTLS {
-					app.logger.Info("enabling HTTP/3 listener", zap.String("addr", hostport))
-					if err := srv.serveHTTP3(listenAddr.At(portOffset), tlsCfg); err != nil {
-						return err
-					}
-				}
-
-				if h3ok && !useTLS {
-					// Can only serve h3 with TLS enabled
-					app.logger.Warn("HTTP/3 skipped because it requires TLS",
-						zap.String("network", listenAddr.Network),
-						zap.String("addr", hostport))
-				}
-
-				if h1ok || h2ok && useTLS || h2cok {
-					// create the listener for this socket
-					lnAny, err := listenAddr.Listen(app.ctx, portOffset, net.ListenConfig{KeepAlive: time.Duration(srv.KeepAliveInterval)})
-					if err != nil {
-						return fmt.Errorf("listening on %s: %v", listenAddr.At(portOffset), err)
-					}
-					ln, ok := lnAny.(net.Listener)
-					if !ok {
-						return fmt.Errorf("network '%s' cannot handle HTTP/1 or HTTP/2 connections", listenAddr.Network)
-					}
-
-					// wrap listener before TLS (up to the TLS placeholder wrapper)
-					var lnWrapperIdx int
-					for i, lnWrapper := range srv.listenerWrappers {
-						if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
-							lnWrapperIdx = i + 1 // mark the next wrapper's spot
-							break
+					// enable HTTP/3 if configured
+					if srv.protocol("h3") {
+						// Can't serve HTTP/3 on the same socket as HTTP/1 and 2 because it uses
+						// a different transport mechanism... which is fine, but the OS doesn't
+						// differentiate between a SOCK_STREAM file and a SOCK_DGRAM file; they
+						// are still one file on the system. So even though "unixpacket" and
+						// "unixgram" are different network types just as "tcp" and "udp" are,
+						// the OS will not let us use the same file as both STREAM and DGRAM.
+						if len(srv.Protocols) > 1 && listenAddr.IsUnixNetwork() {
+							app.logger.Warn("HTTP/3 disabled because Unix can't multiplex STREAM and DGRAM on same socket",
+								zap.String("file", hostport))
+							for i := range srv.Protocols {
+								if srv.Protocols[i] == "h3" {
+									srv.Protocols = append(srv.Protocols[:i], srv.Protocols[i+1:]...)
+									break
+								}
+							}
+						} else {
+							app.logger.Info("enabling HTTP/3 listener", zap.String("addr", hostport))
+							if err := srv.serveHTTP3(listenAddr.At(portOffset), tlsCfg); err != nil {
+								return err
+							}
 						}
-						ln = lnWrapper.WrapListener(ln)
-					}
-
-					if useTLS {
-						// create TLS listener - this enables and terminates TLS
-						ln = tls.NewListener(ln, tlsCfg)
-					}
-
-					// finish wrapping listener where we left off before TLS
-					for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
-						ln = srv.listenerWrappers[i].WrapListener(ln)
-					}
-
-					// handle http2 if use tls listener wrapper
-					if h2ok {
-						http2lnWrapper := &http2Listener{
-							Listener: ln,
-							server:   srv.server,
-							h2server: h2server,
-						}
-						srv.h2listeners = append(srv.h2listeners, http2lnWrapper)
-						ln = http2lnWrapper
-					}
-
-					// if binding to port 0, the OS chooses a port for us;
-					// but the user won't know the port unless we print it
-					if !listenAddr.IsUnixNetwork() && !listenAddr.IsFdNetwork() && listenAddr.StartPort == 0 && listenAddr.EndPort == 0 {
-						app.logger.Info("port 0 listener",
-							zap.String("input_address", lnAddr),
-							zap.String("actual_address", ln.Addr().String()))
-					}
-
-					app.logger.Debug("starting server loop",
-						zap.String("address", ln.Addr().String()),
-						zap.Bool("tls", useTLS),
-						zap.Bool("http3", srv.h3server != nil))
-
-					srv.listeners = append(srv.listeners, ln)
-
-					// enable HTTP/1 if configured
-					if h1ok {
-						//nolint:errcheck
-						go srv.server.Serve(ln)
 					}
 				}
 
-				if h2ok && !useTLS {
-					// Can only serve h2 with TLS enabled
-					app.logger.Warn("HTTP/2 skipped because it requires TLS",
-						zap.String("network", listenAddr.Network),
-						zap.String("addr", hostport))
+				// finish wrapping listener where we left off before TLS
+				for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
+					ln = srv.listenerWrappers[i].WrapListener(ln)
+				}
+
+				// handle http2 if use tls listener wrapper
+				if useTLS {
+					http2lnWrapper := &http2Listener{
+						Listener: ln,
+						server:   srv.server,
+						h2server: h2server,
+					}
+					srv.h2listeners = append(srv.h2listeners, http2lnWrapper)
+					ln = http2lnWrapper
+				}
+
+				// if binding to port 0, the OS chooses a port for us;
+				// but the user won't know the port unless we print it
+				if !listenAddr.IsUnixNetwork() && listenAddr.StartPort == 0 && listenAddr.EndPort == 0 {
+					app.logger.Info("port 0 listener",
+						zap.String("input_address", lnAddr),
+						zap.String("actual_address", ln.Addr().String()))
+				}
+
+				app.logger.Debug("starting server loop",
+					zap.String("address", ln.Addr().String()),
+					zap.Bool("tls", useTLS),
+					zap.Bool("http3", srv.h3server != nil))
+
+				srv.listeners = append(srv.listeners, ln)
+
+				// enable HTTP/1 if configured
+				if srv.protocol("h1") {
+					//nolint:errcheck
+					go srv.server.Serve(ln)
 				}
 			}
 		}
@@ -702,7 +607,16 @@ func (app *App) Stop() error {
 			return
 		}
 
-		if err := server.h3server.Shutdown(ctx); err != nil {
+		// First close h3server then close listeners unlike stdlib for several reasons:
+		// 1, udp has only a single socket, once closed, no more data can be read and
+		// written. In contrast, closing tcp listeners won't affect established connections.
+		// This have something to do with graceful shutdown when upstream implements it.
+		// 2, h3server will only close listeners it's registered (quic listeners). Closing
+		// listener first and these listeners maybe unregistered thus won't be closed. caddy
+		// distinguishes quic-listener and underlying datagram sockets.
+
+		// TODO: CloseGracefully, once implemented upstream (see https://github.com/quic-go/quic-go/issues/2103)
+		if err := server.h3server.Close(); err != nil {
 			app.logger.Error("HTTP/3 server shutdown",
 				zap.Error(err),
 				zap.Strings("addresses", server.Listen))

modules/caddyhttp/autohttps.go

@@ -17,7 +17,6 @@ package caddyhttp
 import (
 	"fmt"
 	"net/http"
-	"slices"
 	"strconv"
 	"strings"
 
@@ -65,12 +64,17 @@ type AutoHTTPSConfig struct {
 	// enabled. To force automated certificate management
 	// regardless of loaded certificates, set this to true.
 	IgnoreLoadedCerts bool `json:"ignore_loaded_certificates,omitempty"`
+}
 
-	// If true, automatic HTTPS will prefer wildcard names
-	// and ignore non-wildcard names if both are available.
-	// This allows for writing a config with top-level host
-	// matchers without having those names produce certificates.
-	PreferWildcard bool `json:"prefer_wildcard,omitempty"`
+// Skipped returns true if name is in skipSlice, which
+// should be either the Skip or SkipCerts field on ahc.
+func (ahc AutoHTTPSConfig) Skipped(name string, skipSlice []string) bool {
+	for _, n := range skipSlice {
+		if name == n {
+			return true
+		}
+	}
+	return false
 }
 
 // automaticHTTPSPhase1 provisions all route matchers, determines
@@ -154,7 +158,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 								return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
 									srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
 							}
-							if !slices.Contains(srv.AutoHTTPS.Skip, d) {
+							if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
 								serverDomainSet[d] = struct{}{}
 							}
 						}
@@ -163,27 +167,6 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 			}
 		}
 
-		if srv.AutoHTTPS.PreferWildcard {
-			wildcards := make(map[string]struct{})
-			for d := range serverDomainSet {
-				if strings.HasPrefix(d, "*.") {
-					wildcards[d[2:]] = struct{}{}
-				}
-			}
-			for d := range serverDomainSet {
-				if strings.HasPrefix(d, "*.") {
-					continue
-				}
-				base := d
-				if idx := strings.Index(d, "."); idx != -1 {
-					base = d[idx+1:]
-				}
-				if _, ok := wildcards[base]; ok {
-					delete(serverDomainSet, d)
-				}
-			}
-		}
-
 		// nothing more to do here if there are no domains that qualify for
 		// automatic HTTPS and there are no explicit TLS connection policies:
 		// if there is at least one domain but no TLS conn policy (F&&T), we'll
@@ -210,7 +193,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
 		} else {
 			for d := range serverDomainSet {
 				if certmagic.SubjectQualifiesForCert(d) &&
-					!slices.Contains(srv.AutoHTTPS.SkipCerts, d) {
+					!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
 					// if a certificate for this name is already loaded,
 					// don't obtain another one for it, unless we are
 					// supposed to ignore loaded certificates
@@ -320,21 +303,11 @@ uniqueDomainsLoop:
 			}
 		}
 
-		// if no automation policy exists for the name yet, we will associate it with an implicit one;
-		// we handle tailscale domains specially, and we also separate out identifiers that need the
-		// internal issuer (self-signed certs); certmagic does not consider public IP addresses to be
-		// disqualified for public certs, because there are public CAs that will issue certs for IPs.
-		// However, with auto-HTTPS, many times there is no issuer explicitly defined, and the default
-		// issuers do not (currently, as of 2024) issue IP certificates; so assign all IP subjects to
-		// the internal issuer when there are no explicit automation policies
-		shouldUseInternal := func(ident string) bool {
-			usingDefaultIssuersAndIsIP := certmagic.SubjectIsIP(ident) &&
-				(app.tlsApp == nil || app.tlsApp.Automation == nil || len(app.tlsApp.Automation.Policies) == 0)
-			return !certmagic.SubjectQualifiesForPublicCert(d) || usingDefaultIssuersAndIsIP
-		}
+		// if no automation policy exists for the name yet, we
+		// will associate it with an implicit one
 		if isTailscaleDomain(d) {
 			tailscale = append(tailscale, d)
-		} else if shouldUseInternal(d) {
+		} else if !certmagic.SubjectQualifiesForPublicCert(d) {
 			internal = append(internal, d)
 		}
 	}
@@ -769,7 +742,7 @@ func (app *App) automaticHTTPSPhase2() error {
 	)
 	err := app.tlsApp.Manage(app.allCertDomains)
 	if err != nil {
-		return fmt.Errorf("managing certificates for %d domains: %s", len(app.allCertDomains), err)
+		return fmt.Errorf("managing certificates for %v: %s", app.allCertDomains, err)
 	}
 	app.allCertDomains = nil // no longer needed; allow GC to deallocate
 	return nil

modules/caddyhttp/caddyauth/caddyauth.go

@@ -19,7 +19,6 @@ import (
 	"net/http"
 
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -77,9 +76,9 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	for provName, prov := range a.Providers {
 		user, authed, err = prov.Authenticate(w, r)
 		if err != nil {
-			if c := a.logger.Check(zapcore.ErrorLevel, "auth provider returned error"); c != nil {
-				c.Write(zap.String("provider", provName), zap.Error(err))
-			}
+			a.logger.Error("auth provider returned error",
+				zap.String("provider", provName),
+				zap.Error(err))
 			continue
 		}
 		if authed {

modules/caddyhttp/caddyhttp.go

@@ -36,26 +36,10 @@ func init() {
 // RequestMatcher is a type that can match to a request.
 // A route matcher MUST NOT modify the request, with the
 // only exception being its context.
-//
-// Deprecated: Matchers should now implement RequestMatcherWithError.
-// You may remove any interface guards for RequestMatcher
-// but keep your Match() methods for backwards compatibility.
 type RequestMatcher interface {
 	Match(*http.Request) bool
 }
 
-// RequestMatcherWithError is like RequestMatcher but can return an error.
-// An error during matching will abort the request middleware chain and
-// invoke the error middleware chain.
-//
-// This will eventually replace RequestMatcher. Matcher modules
-// should implement both interfaces, and once all modules have
-// been updated to use RequestMatcherWithError, the RequestMatcher
-// interface may eventually be dropped.
-type RequestMatcherWithError interface {
-	MatchWithError(*http.Request) (bool, error)
-}
-
 // Handler is like http.Handler except ServeHTTP may return an error.
 //
 // If any handler encounters an error, it should be returned for proper

modules/caddyhttp/celmatcher.go

@@ -126,10 +126,6 @@ func (m *MatchExpression) Provision(ctx caddy.Context) error {
 	// light (and possibly naïve) syntactic sugar
 	m.expandedExpr = placeholderRegexp.ReplaceAllString(m.Expr, placeholderExpansion)
 
-	// as a second pass, we'll strip the escape character from an escaped
-	// placeholder, so that it can be used as an input to other CEL functions
-	m.expandedExpr = escapedPlaceholderRegexp.ReplaceAllString(m.expandedExpr, escapedPlaceholderExpansion)
-
 	// our type adapter expands CEL's standard type support
 	m.ta = celTypeAdapter{}
 
@@ -163,17 +159,14 @@ func (m *MatchExpression) Provision(ctx caddy.Context) error {
 
 	// create the CEL environment
 	env, err := cel.NewEnv(
-		cel.Function(CELPlaceholderFuncName, cel.SingletonBinaryBinding(m.caddyPlaceholderFunc), cel.Overload(
-			CELPlaceholderFuncName+"_httpRequest_string",
+		cel.Function(placeholderFuncName, cel.SingletonBinaryBinding(m.caddyPlaceholderFunc), cel.Overload(
+			placeholderFuncName+"_httpRequest_string",
 			[]*cel.Type{httpRequestObjectType, cel.StringType},
 			cel.AnyType,
 		)),
-		cel.Variable(CELRequestVarName, httpRequestObjectType),
+		cel.Variable("request", httpRequestObjectType),
 		cel.CustomTypeAdapter(m.ta),
 		ext.Strings(),
-		ext.Bindings(),
-		ext.Lists(),
-		ext.Math(),
 		matcherLib,
 	)
 	if err != nil {
@@ -202,25 +195,17 @@ func (m *MatchExpression) Provision(ctx caddy.Context) error {
 
 // Match returns true if r matches m.
 func (m MatchExpression) Match(r *http.Request) bool {
-	match, err := m.MatchWithError(r)
-	if err != nil {
-		SetVar(r.Context(), MatcherErrorVarKey, err)
-	}
-	return match
-}
-
-// MatchWithError returns true if r matches m.
-func (m MatchExpression) MatchWithError(r *http.Request) (bool, error) {
 	celReq := celHTTPRequest{r}
 	out, _, err := m.prg.Eval(celReq)
 	if err != nil {
 		m.log.Error("evaluating expression", zap.Error(err))
-		return false, err
+		SetVar(r.Context(), MatcherErrorVarKey, err)
+		return false
 	}
 	if outBool, ok := out.Value().(bool); ok {
-		return outBool, nil
+		return outBool
 	}
-	return false, nil
+	return false
 }
 
 // UnmarshalCaddyfile implements caddyfile.Unmarshaler.
@@ -262,7 +247,7 @@ func (m MatchExpression) caddyPlaceholderFunc(lhs, rhs ref.Val) ref.Val {
 		return types.NewErr(
 			"invalid request of type '%v' to %s(request, placeholderVarName)",
 			lhs.Type(),
-			CELPlaceholderFuncName,
+			placeholderFuncName,
 		)
 	}
 	phStr, ok := rhs.(types.String)
@@ -270,7 +255,7 @@ func (m MatchExpression) caddyPlaceholderFunc(lhs, rhs ref.Val) ref.Val {
 		return types.NewErr(
 			"invalid placeholder variable name of type '%v' to %s(request, placeholderVarName)",
 			rhs.Type(),
-			CELPlaceholderFuncName,
+			placeholderFuncName,
 		)
 	}
 
@@ -290,7 +275,7 @@ var httpRequestCELType = cel.ObjectType("http.Request", traits.ReceiverType)
 type celHTTPRequest struct{ *http.Request }
 
 func (cr celHTTPRequest) ResolveName(name string) (any, bool) {
-	if name == CELRequestVarName {
+	if name == "request" {
 		return cr, true
 	}
 	return nil, false
@@ -355,7 +340,7 @@ func (celTypeAdapter) NativeToValue(value any) ref.Val {
 	case time.Time:
 		return types.Timestamp{Time: v}
 	case error:
-		return types.WrapErr(v)
+		types.NewErr(v.Error())
 	}
 	return types.DefaultTypeAdapter.NativeToValue(value)
 }
@@ -388,7 +373,7 @@ type CELLibraryProducer interface {
 // limited set of function signatures. For strong type validation you may need
 // to provide a custom macro which does a more detailed analysis of the CEL
 // literal provided to the macro as an argument.
-func CELMatcherImpl(macroName, funcName string, matcherDataTypes []*cel.Type, fac any) (cel.Library, error) {
+func CELMatcherImpl(macroName, funcName string, matcherDataTypes []*cel.Type, fac CELMatcherFactory) (cel.Library, error) {
 	requestType := cel.ObjectType("http.Request")
 	var macro parser.Macro
 	switch len(matcherDataTypes) {
@@ -432,11 +417,7 @@ func CELMatcherImpl(macroName, funcName string, matcherDataTypes []*cel.Type, fa
 }
 
 // CELMatcherFactory converts a constant CEL value into a RequestMatcher.
-// Deprecated: Use CELMatcherWithErrorFactory instead.
-type CELMatcherFactory = func(data ref.Val) (RequestMatcher, error)
-
-// CELMatcherWithErrorFactory converts a constant CEL value into a RequestMatcherWithError.
-type CELMatcherWithErrorFactory = func(data ref.Val) (RequestMatcherWithError, error)
+type CELMatcherFactory func(data ref.Val) (RequestMatcher, error)
 
 // matcherCELLibrary is a simplistic configurable cel.Library implementation.
 type matcherCELLibrary struct {
@@ -464,7 +445,7 @@ func (lib *matcherCELLibrary) ProgramOptions() []cel.ProgramOption {
 // that takes a single argument, and optimizes the implementation to precompile
 // the matcher and return a function that references the precompiled and
 // provisioned matcher.
-func CELMatcherDecorator(funcName string, fac any) interpreter.InterpretableDecorator {
+func CELMatcherDecorator(funcName string, fac CELMatcherFactory) interpreter.InterpretableDecorator {
 	return func(i interpreter.Interpretable) (interpreter.Interpretable, error) {
 		call, ok := i.(interpreter.InterpretableCall)
 		if !ok {
@@ -476,15 +457,15 @@ func CELMatcherDecorator(funcName string, fac any) interpreter.InterpretableDeco
 		callArgs := call.Args()
 		reqAttr, ok := callArgs[0].(interpreter.InterpretableAttribute)
 		if !ok {
-			return nil, errors.New("missing 'req' argument")
+			return nil, errors.New("missing 'request' argument")
 		}
 		nsAttr, ok := reqAttr.Attr().(interpreter.NamespacedAttribute)
 		if !ok {
-			return nil, errors.New("missing 'req' argument")
+			return nil, errors.New("missing 'request' argument")
 		}
 		varNames := nsAttr.CandidateVariableNames()
-		if len(varNames) != 1 || len(varNames) == 1 && varNames[0] != CELRequestVarName {
-			return nil, errors.New("missing 'req' argument")
+		if len(varNames) != 1 || len(varNames) == 1 && varNames[0] != "request" {
+			return nil, errors.New("missing 'request' argument")
 		}
 		matcherData, ok := callArgs[1].(interpreter.InterpretableConst)
 		if !ok {
@@ -493,92 +474,35 @@ func CELMatcherDecorator(funcName string, fac any) interpreter.InterpretableDeco
 			// and matcher provisioning should be handled at dynamically.
 			return i, nil
 		}
-
-		if factory, ok := fac.(CELMatcherWithErrorFactory); ok {
-			matcher, err := factory(matcherData.Value())
-			if err != nil {
-				return nil, err
-			}
-			return interpreter.NewCall(
-				i.ID(), funcName, funcName+"_opt",
-				[]interpreter.Interpretable{reqAttr},
-				func(args ...ref.Val) ref.Val {
-					// The request value, guaranteed to be of type celHTTPRequest
-					celReq := args[0]
-					// If needed this call could be changed to convert the value
-					// to a *http.Request using CEL's ConvertToNative method.
-					httpReq := celReq.Value().(celHTTPRequest)
-					match, err := matcher.MatchWithError(httpReq.Request)
-					if err != nil {
-						return types.WrapErr(err)
-					}
-					return types.Bool(match)
-				},
-			), nil
+		matcher, err := fac(matcherData.Value())
+		if err != nil {
+			return nil, err
 		}
-
-		if factory, ok := fac.(CELMatcherFactory); ok {
-			matcher, err := factory(matcherData.Value())
-			if err != nil {
-				return nil, err
-			}
-			return interpreter.NewCall(
-				i.ID(), funcName, funcName+"_opt",
-				[]interpreter.Interpretable{reqAttr},
-				func(args ...ref.Val) ref.Val {
-					// The request value, guaranteed to be of type celHTTPRequest
-					celReq := args[0]
-					// If needed this call could be changed to convert the value
-					// to a *http.Request using CEL's ConvertToNative method.
-					httpReq := celReq.Value().(celHTTPRequest)
-					if m, ok := matcher.(RequestMatcherWithError); ok {
-						match, err := m.MatchWithError(httpReq.Request)
-						if err != nil {
-							return types.WrapErr(err)
-						}
-						return types.Bool(match)
-					}
-					return types.Bool(matcher.Match(httpReq.Request))
-				},
-			), nil
-		}
-
-		return nil, fmt.Errorf("invalid matcher factory, must be CELMatcherFactory or CELMatcherWithErrorFactory: %T", fac)
+		return interpreter.NewCall(
+			i.ID(), funcName, funcName+"_opt",
+			[]interpreter.Interpretable{reqAttr},
+			func(args ...ref.Val) ref.Val {
+				// The request value, guaranteed to be of type celHTTPRequest
+				celReq := args[0]
+				// If needed this call could be changed to convert the value
+				// to a *http.Request using CEL's ConvertToNative method.
+				httpReq := celReq.Value().(celHTTPRequest)
+				return types.Bool(matcher.Match(httpReq.Request))
+			},
+		), nil
 	}
 }
 
 // CELMatcherRuntimeFunction creates a function binding for when the input to the matcher
 // is dynamically resolved rather than a set of static constant values.
-func CELMatcherRuntimeFunction(funcName string, fac any) functions.BinaryOp {
+func CELMatcherRuntimeFunction(funcName string, fac CELMatcherFactory) functions.BinaryOp {
 	return func(celReq, matcherData ref.Val) ref.Val {
-		if factory, ok := fac.(CELMatcherWithErrorFactory); ok {
-			matcher, err := factory(matcherData)
-			if err != nil {
-				return types.WrapErr(err)
-			}
-			httpReq := celReq.Value().(celHTTPRequest)
-			match, err := matcher.MatchWithError(httpReq.Request)
-			if err != nil {
-				return types.WrapErr(err)
-			}
-			return types.Bool(match)
+		matcher, err := fac(matcherData)
+		if err != nil {
+			return types.NewErr(err.Error())
 		}
-		if factory, ok := fac.(CELMatcherFactory); ok {
-			matcher, err := factory(matcherData)
-			if err != nil {
-				return types.WrapErr(err)
-			}
-			httpReq := celReq.Value().(celHTTPRequest)
-			if m, ok := matcher.(RequestMatcherWithError); ok {
-				match, err := m.MatchWithError(httpReq.Request)
-				if err != nil {
-					return types.WrapErr(err)
-				}
-				return types.Bool(match)
-			}
-			return types.Bool(matcher.Match(httpReq.Request))
-		}
-		return types.NewErr("CELMatcherRuntimeFunction invalid matcher factory: %T", fac)
+		httpReq := celReq.Value().(celHTTPRequest)
+		return types.Bool(matcher.Match(httpReq.Request))
 	}
 }
 
@@ -600,7 +524,7 @@ func celMatcherStringListMacroExpander(funcName string) cel.MacroFactory {
 				return nil, eh.NewError(arg.ID(), "matcher arguments must be string constants")
 			}
 		}
-		return eh.NewCall(funcName, eh.NewIdent(CELRequestVarName), eh.NewList(matchArgs...)), nil
+		return eh.NewCall(funcName, eh.NewIdent("request"), eh.NewList(matchArgs...)), nil
 	}
 }
 
@@ -614,7 +538,7 @@ func celMatcherStringMacroExpander(funcName string) parser.MacroExpander {
 			return nil, eh.NewError(0, "matcher requires one argument")
 		}
 		if isCELStringExpr(args[0]) {
-			return eh.NewCall(funcName, eh.NewIdent(CELRequestVarName), args[0]), nil
+			return eh.NewCall(funcName, eh.NewIdent("request"), args[0]), nil
 		}
 		return nil, eh.NewError(args[0].ID(), "matcher argument must be a string literal")
 	}
@@ -648,7 +572,7 @@ func celMatcherJSONMacroExpander(funcName string) parser.MacroExpander {
 					return nil, eh.NewError(entry.AsMapEntry().Value().ID(), "matcher map values must be string or list literals")
 				}
 			}
-			return eh.NewCall(funcName, eh.NewIdent(CELRequestVarName), arg), nil
+			return eh.NewCall(funcName, eh.NewIdent("request"), arg), nil
 		case ast.UnspecifiedExprKind, ast.CallKind, ast.ComprehensionKind, ast.IdentKind, ast.ListKind, ast.LiteralKind, ast.SelectKind:
 			// appeasing the linter :)
 		}
@@ -722,7 +646,7 @@ func isCELCaddyPlaceholderCall(e ast.Expr) bool {
 	switch e.Kind() {
 	case ast.CallKind:
 		call := e.AsCall()
-		if call.FunctionName() == CELPlaceholderFuncName {
+		if call.FunctionName() == "caddyPlaceholder" {
 			return true
 		}
 	case ast.UnspecifiedExprKind, ast.ComprehensionKind, ast.IdentKind, ast.ListKind, ast.LiteralKind, ast.MapKind, ast.SelectKind, ast.StructKind:
@@ -777,15 +701,8 @@ func isCELStringListLiteral(e ast.Expr) bool {
 // expressions with a proper CEL function call; this is
 // just for syntactic sugar.
 var (
-	// The placeholder may not be preceded by a backslash; the expansion
-	// will include the preceding character if it is not a backslash.
-	placeholderRegexp    = regexp.MustCompile(`([^\\]|^){([a-zA-Z][\w.-]+)}`)
-	placeholderExpansion = `${1}ph(req, "${2}")`
-
-	// As a second pass, we need to strip the escape character in front of
-	// the placeholder, if it exists.
-	escapedPlaceholderRegexp    = regexp.MustCompile(`\\{([a-zA-Z][\w.-]+)}`)
-	escapedPlaceholderExpansion = `{${1}}`
+	placeholderRegexp    = regexp.MustCompile(`{([a-zA-Z][\w.-]+)}`)
+	placeholderExpansion = `caddyPlaceholder(request, "${1}")`
 
 	CELTypeJSON = cel.MapType(cel.StringType, cel.DynType)
 )
@@ -793,18 +710,15 @@ var (
 var httpRequestObjectType = cel.ObjectType("http.Request")
 
 // The name of the CEL function which accesses Replacer values.
-const CELPlaceholderFuncName = "ph"
-
-// The name of the CEL request variable.
-const CELRequestVarName = "req"
+const placeholderFuncName = "caddyPlaceholder"
 
 const MatcherNameCtxKey = "matcher_name"
 
 // Interface guards
 var (
-	_ caddy.Provisioner       = (*MatchExpression)(nil)
-	_ RequestMatcherWithError = (*MatchExpression)(nil)
-	_ caddyfile.Unmarshaler   = (*MatchExpression)(nil)
-	_ json.Marshaler          = (*MatchExpression)(nil)
-	_ json.Unmarshaler        = (*MatchExpression)(nil)
+	_ caddy.Provisioner     = (*MatchExpression)(nil)
+	_ RequestMatcher        = (*MatchExpression)(nil)
+	_ caddyfile.Unmarshaler = (*MatchExpression)(nil)
+	_ json.Marshaler        = (*MatchExpression)(nil)
+	_ json.Unmarshaler      = (*MatchExpression)(nil)
 )

modules/caddyhttp/celmatcher_test.go

@@ -70,36 +70,13 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			wantResult: true,
 		},
 		{
-			name: "header matches an escaped placeholder value (MatchHeader)",
-			expression: &MatchExpression{
-				Expr: `header({'Field': '\\\{foobar}'})`,
-			},
-			urlTarget:  "https://example.com/foo",
-			httpHeader: &http.Header{"Field": []string{"{foobar}"}},
-			wantResult: true,
-		},
-		{
-			name: "header matches an placeholder replaced during the header matcher (MatchHeader)",
-			expression: &MatchExpression{
-				Expr: `header({'Field': '\{http.request.uri.path}'})`,
-			},
-			urlTarget:  "https://example.com/foo",
-			httpHeader: &http.Header{"Field": []string{"/foo"}},
-			wantResult: true,
-		},
-		{
-			name: "header error, invalid escape sequence (MatchHeader)",
-			expression: &MatchExpression{
-				Expr: `header({'Field': '\\{foobar}'})`,
-			},
-			wantErr: true,
-		},
-		{
-			name: "header error, needs to be JSON syntax with field as key (MatchHeader)",
+			name: "header error (MatchHeader)",
 			expression: &MatchExpression{
 				Expr: `header('foo')`,
 			},
-			wantErr: true,
+			urlTarget:  "https://example.com/foo",
+			httpHeader: &http.Header{"Field": []string{"foo", "bar"}},
+			wantErr:    true,
 		},
 		{
 			name: "header_regexp matches (MatchHeaderRE)",
@@ -133,7 +110,9 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			expression: &MatchExpression{
 				Expr: `header_regexp('foo')`,
 			},
-			wantErr: true,
+			urlTarget:  "https://example.com/foo",
+			httpHeader: &http.Header{"Field": []string{"foo", "bar"}},
+			wantErr:    true,
 		},
 		{
 			name: "host matches localhost (MatchHost)",
@@ -164,7 +143,8 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			expression: &MatchExpression{
 				Expr: `host(80)`,
 			},
-			wantErr: true,
+			urlTarget: "http://localhost:80",
+			wantErr:   true,
 		},
 		{
 			name: "method does not match (MatchMethod)",
@@ -189,7 +169,9 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			expression: &MatchExpression{
 				Expr: `method()`,
 			},
-			wantErr: true,
+			urlTarget:  "https://foo.example.com",
+			httpMethod: "PUT",
+			wantErr:    true,
 		},
 		{
 			name: "path matches substring (MatchPath)",
@@ -284,21 +266,24 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			expression: &MatchExpression{
 				Expr: `protocol()`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com",
+			wantErr:   true,
 		},
 		{
 			name: "protocol invocation error too many args (MatchProtocol)",
 			expression: &MatchExpression{
 				Expr: `protocol('grpc', 'https')`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com",
+			wantErr:   true,
 		},
 		{
 			name: "protocol invocation error wrong arg type (MatchProtocol)",
 			expression: &MatchExpression{
 				Expr: `protocol(true)`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com",
+			wantErr:   true,
 		},
 		{
 			name: "query does not match against a specific value (MatchQuery)",
@@ -345,35 +330,40 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			expression: &MatchExpression{
 				Expr: `query({1: "1"})`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com/foo",
+			wantErr:   true,
 		},
 		{
 			name: "query error typed struct instead of map (MatchQuery)",
 			expression: &MatchExpression{
 				Expr: `query(Message{field: "1"})`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com/foo",
+			wantErr:   true,
 		},
 		{
 			name: "query error bad map value type (MatchQuery)",
 			expression: &MatchExpression{
 				Expr: `query({"debug": 1})`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com/foo/?debug=1",
+			wantErr:   true,
 		},
 		{
 			name: "query error no args (MatchQuery)",
 			expression: &MatchExpression{
 				Expr: `query()`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com/foo/?debug=1",
+			wantErr:   true,
 		},
 		{
 			name: "remote_ip error no args (MatchRemoteIP)",
 			expression: &MatchExpression{
 				Expr: `remote_ip()`,
 			},
-			wantErr: true,
+			urlTarget: "https://example.com/foo",
+			wantErr:   true,
 		},
 		{
 			name: "remote_ip single IP match (MatchRemoteIP)",
@@ -383,67 +373,6 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			urlTarget:  "https://example.com/foo",
 			wantResult: true,
 		},
-		{
-			name: "vars value (VarsMatcher)",
-			expression: &MatchExpression{
-				Expr: `vars({'foo': 'bar'})`,
-			},
-			urlTarget:  "https://example.com/foo",
-			wantResult: true,
-		},
-		{
-			name: "vars matches placeholder, needs escape (VarsMatcher)",
-			expression: &MatchExpression{
-				Expr: `vars({'\{http.request.uri.path}': '/foo'})`,
-			},
-			urlTarget:  "https://example.com/foo",
-			wantResult: true,
-		},
-		{
-			name: "vars error wrong syntax (VarsMatcher)",
-			expression: &MatchExpression{
-				Expr: `vars('foo', 'bar')`,
-			},
-			wantErr: true,
-		},
-		{
-			name: "vars error no args (VarsMatcher)",
-			expression: &MatchExpression{
-				Expr: `vars()`,
-			},
-			wantErr: true,
-		},
-		{
-			name: "vars_regexp value (MatchVarsRE)",
-			expression: &MatchExpression{
-				Expr: `vars_regexp('foo', 'ba?r')`,
-			},
-			urlTarget:  "https://example.com/foo",
-			wantResult: true,
-		},
-		{
-			name: "vars_regexp value with name (MatchVarsRE)",
-			expression: &MatchExpression{
-				Expr: `vars_regexp('name', 'foo', 'ba?r')`,
-			},
-			urlTarget:  "https://example.com/foo",
-			wantResult: true,
-		},
-		{
-			name: "vars_regexp matches placeholder, needs escape (MatchVarsRE)",
-			expression: &MatchExpression{
-				Expr: `vars_regexp('\{http.request.uri.path}', '/fo?o')`,
-			},
-			urlTarget:  "https://example.com/foo",
-			wantResult: true,
-		},
-		{
-			name: "vars_regexp error no args (MatchVarsRE)",
-			expression: &MatchExpression{
-				Expr: `vars_regexp()`,
-			},
-			wantErr: true,
-		},
 	}
 )
 
@@ -467,9 +396,6 @@ func TestMatchExpressionMatch(t *testing.T) {
 			}
 			repl := caddy.NewReplacer()
 			ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
-			ctx = context.WithValue(ctx, VarsCtxKey, map[string]any{
-				"foo": "bar",
-			})
 			req = req.WithContext(ctx)
 			addHTTPVarsToReplacer(repl, req, httptest.NewRecorder())
 
@@ -489,11 +415,7 @@ func TestMatchExpressionMatch(t *testing.T) {
 				}
 			}
 
-			matches, err := tc.expression.MatchWithError(req)
-			if err != nil {
-				t.Errorf("MatchExpression.Match() error = %v", err)
-			}
-			if matches != tc.wantResult {
+			if tc.expression.Match(req) != tc.wantResult {
 				t.Errorf("MatchExpression.Match() expected to return '%t', for expression : '%s'", tc.wantResult, tc.expression.Expr)
 			}
 		})
@@ -514,9 +436,6 @@ func BenchmarkMatchExpressionMatch(b *testing.B) {
 			}
 			repl := caddy.NewReplacer()
 			ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
-			ctx = context.WithValue(ctx, VarsCtxKey, map[string]any{
-				"foo": "bar",
-			})
 			req = req.WithContext(ctx)
 			addHTTPVarsToReplacer(repl, req, httptest.NewRecorder())
 			if tc.clientCertificate != nil {
@@ -536,7 +455,7 @@ func BenchmarkMatchExpressionMatch(b *testing.B) {
 			}
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				tc.expression.MatchWithError(req)
+				tc.expression.Match(req)
 			}
 		})
 	}

modules/caddyhttp/encode/encode.go

@@ -24,7 +24,6 @@ import (
 	"io"
 	"math"
 	"net/http"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -113,8 +112,7 @@ func (enc *Encode) Provision(ctx caddy.Context) error {
 					"application/x-ttf*",
 					"application/xhtml+xml*",
 					"application/xml*",
-					"font/ttf*",
-					"font/otf*",
+					"font/*",
 					"image/svg+xml*",
 					"image/vnd.microsoft.icon*",
 					"image/x-icon*",
@@ -267,14 +265,6 @@ func (rw *responseWriter) FlushError() error {
 		// to rw.Write (see bug in #4314)
 		return nil
 	}
-	// also flushes the encoder, if any
-	// see: https://github.com/jjiang-stripe/caddy-slow-gzip
-	if rw.w != nil {
-		err := rw.w.Flush()
-		if err != nil {
-			return err
-		}
-	}
 	//nolint:bodyclose
 	return http.NewResponseController(rw.ResponseWriter).Flush()
 }
@@ -442,9 +432,12 @@ func AcceptedEncodings(r *http.Request, preferredOrder []string) []string {
 		}
 
 		// set server preference
-		prefOrder := slices.Index(preferredOrder, encName)
-		if prefOrder > -1 {
-			prefOrder = len(preferredOrder) - prefOrder
+		prefOrder := -1
+		for i, p := range preferredOrder {
+			if encName == p {
+				prefOrder = len(preferredOrder) - i
+				break
+			}
 		}
 
 		prefs = append(prefs, encodingPreference{
@@ -481,7 +474,6 @@ type encodingPreference struct {
 type Encoder interface {
 	io.WriteCloser
 	Reset(io.Writer)
-	Flush() error // encoder by default buffers data to maximize compressing rate
 }
 
 // Encoding is a type which can create encoders of its kind

modules/caddyhttp/fileserver/browse.go

@@ -33,7 +33,6 @@ import (
 	"time"
 
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -53,32 +52,14 @@ var BrowseTemplate string
 type Browse struct {
 	// Filename of the template to use instead of the embedded browse template.
 	TemplateFile string `json:"template_file,omitempty"`
-
 	// Determines whether or not targets of symlinks should be revealed.
 	RevealSymlinks bool `json:"reveal_symlinks,omitempty"`
-
-	// Override the default sort.
-	// It includes the following options:
-	//   - sort_by: name(default), namedirfirst, size, time
-	//   - order: asc(default), desc
-	// eg.:
-	//   - `sort time desc` will sort by time in descending order
-	//   - `sort size` will sort by size in ascending order
-	// The first option must be `sort_by` and the second option must be `order` (if exists).
-	SortOptions []string `json:"sort,omitempty"`
-
-	// FileLimit limits the number of up to n DirEntry values in directory order.
-	FileLimit int `json:"file_limit,omitempty"`
 }
 
-const (
-	defaultDirEntryLimit = 10000
-)
-
 func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
-	if c := fsrv.logger.Check(zapcore.DebugLevel, "browse enabled; listing directory contents"); c != nil {
-		c.Write(zap.String("path", dirPath), zap.String("root", root))
-	}
+	fsrv.logger.Debug("browse enabled; listing directory contents",
+		zap.String("path", dirPath),
+		zap.String("root", root))
 
 	// Navigation on the client-side gets messed up if the
 	// URL doesn't end in a trailing slash because hrefs to
@@ -100,9 +81,7 @@ func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w ht
 	origReq := r.Context().Value(caddyhttp.OriginalRequestCtxKey).(http.Request)
 	if r.URL.Path == "" || path.Base(origReq.URL.Path) == path.Base(r.URL.Path) {
 		if !strings.HasSuffix(origReq.URL.Path, "/") {
-			if c := fsrv.logger.Check(zapcore.DebugLevel, "redirecting to trailing slash to preserve hrefs"); c != nil {
-				c.Write(zap.String("request_path", r.URL.Path))
-			}
+			fsrv.logger.Debug("redirecting to trailing slash to preserve hrefs", zap.String("request_path", r.URL.Path))
 			return redirect(w, r, origReq.URL.Path+"/")
 		}
 	}
@@ -213,11 +192,7 @@ func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w ht
 }
 
 func (fsrv *FileServer) loadDirectoryContents(ctx context.Context, fileSystem fs.FS, dir fs.ReadDirFile, root, urlPath string, repl *caddy.Replacer) (*browseTemplateContext, error) {
-	dirLimit := defaultDirEntryLimit
-	if fsrv.Browse.FileLimit != 0 {
-		dirLimit = fsrv.Browse.FileLimit
-	}
-	files, err := dir.ReadDir(dirLimit)
+	files, err := dir.ReadDir(10000) // TODO: this limit should probably be configurable
 	if err != nil && err != io.EOF {
 		return nil, err
 	}
@@ -231,34 +206,11 @@ func (fsrv *FileServer) loadDirectoryContents(ctx context.Context, fileSystem fs
 // browseApplyQueryParams applies query parameters to the listing.
 // It mutates the listing and may set cookies.
 func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Request, listing *browseTemplateContext) {
-	var orderParam, sortParam string
-
-	// The configs in Caddyfile have lower priority than Query params,
-	// so put it at first.
-	for idx, item := range fsrv.Browse.SortOptions {
-		// Only `sort` & `order`, 2 params are allowed
-		if idx >= 2 {
-			break
-		}
-		switch item {
-		case sortByName, sortByNameDirFirst, sortBySize, sortByTime:
-			sortParam = item
-		case sortOrderAsc, sortOrderDesc:
-			orderParam = item
-		}
-	}
-
 	layoutParam := r.URL.Query().Get("layout")
+	sortParam := r.URL.Query().Get("sort")
+	orderParam := r.URL.Query().Get("order")
 	limitParam := r.URL.Query().Get("limit")
 	offsetParam := r.URL.Query().Get("offset")
-	sortParamTmp := r.URL.Query().Get("sort")
-	if sortParamTmp != "" {
-		sortParam = sortParamTmp
-	}
-	orderParamTmp := r.URL.Query().Get("order")
-	if orderParamTmp != "" {
-		orderParam = orderParamTmp
-	}
 
 	switch layoutParam {
 	case "list", "grid", "":
@@ -281,11 +233,11 @@ func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Re
 	// then figure out the order
 	switch orderParam {
 	case "":
-		orderParam = sortOrderAsc
+		orderParam = "asc"
 		if orderCookie, orderErr := r.Cookie("order"); orderErr == nil {
 			orderParam = orderCookie.Value
 		}
-	case sortOrderAsc, sortOrderDesc:
+	case "asc", "desc":
 		http.SetCookie(w, &http.Cookie{Name: "order", Value: orderParam, Secure: r.TLS != nil})
 	}
 

modules/caddyhttp/fileserver/browse.html

@@ -1,17 +1,10 @@
-{{ $nonce := uuidv4 -}}
-{{ $nonceAttribute := print "nonce=" (quote $nonce) -}}
-{{ $csp := printf "default-src 'none'; img-src 'self'; object-src 'none'; base-uri 'none'; script-src 'nonce-%s'; style-src 'nonce-%s'; frame-ancestors 'self'; form-action 'self';" $nonce $nonce -}}
-{{/* To disable the Content-Security-Policy, set this to false */}}{{ $enableCsp := true -}}
-{{ if $enableCsp -}}
-  {{- .RespHeader.Set "Content-Security-Policy" $csp -}}
-{{ end -}}
 {{- define "icon"}}
 	{{- if .IsDir}}
 		{{- if .IsSymlink}}
 		<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-folder-filled" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
 			<path stroke="none" d="M0 0h24v24H0z" fill="none"/>
 			<path d="M9 3a1 1 0 0 1 .608 .206l.1 .087l2.706 2.707h6.586a3 3 0 0 1 2.995 2.824l.005 .176v8a3 3 0 0 1 -2.824 2.995l-.176 .005h-14a3 3 0 0 1 -2.995 -2.824l-.005 -.176v-11a3 3 0 0 1 2.824 -2.995l.176 -.005h4z" stroke-width="0" fill="currentColor"/>
-			<path fill="#000" d="M2.795 17.306c0-2.374 1.792-4.314 4.078-4.538v-1.104a.38.38 0 0 1 .651-.272l2.45 2.492a.132.132 0 0 1 0 .188l-2.45 2.492a.381.381 0 0 1-.651-.272V15.24c-1.889.297-3.436 1.39-3.817 3.26a2.809 2.809 0 0 1-.261-1.193Z" stroke-width=".127478"/>
+			<path fill="#000" d="M2.795 17.306c0-2.374 1.792-4.314 4.078-4.538v-1.104a.38.38 0 0 1 .651-.272l2.45 2.492a.132.132 0 0 1 0 .188l-2.45 2.492a.381.381 0 0 1-.651-.272V15.24c-1.889.297-3.436 1.39-3.817 3.26a2.809 2.809 0 0 1-.261-1.193Z" style="stroke-width:.127478"/>
 		</svg>
 		{{- else}}
 		<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-folder-filled" width="24" height="24" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
@@ -310,7 +303,7 @@
 		<meta charset="utf-8">
 		<meta name="color-scheme" content="light dark">
 		<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<style {{ $nonceAttribute }}>
+<style>
 * { padding: 0; margin: 0; box-sizing: border-box; }
 
 body {
@@ -349,10 +342,6 @@ svg,
 	text-decoration: none;
 }
 
-#layout-list, #layout-grid {
-	cursor: pointer;
-}
-
 .wrapper {
 	max-width: 1200px;
 	margin-left: auto;
@@ -779,10 +768,10 @@ footer {
 
 </style>
 {{- if eq .Layout "grid"}}
-<style {{ $nonceAttribute }}>.wrapper { max-width: none; } main { margin-top: 1px; }</style>
+<style>.wrapper { max-width: none; } main { margin-top: 1px; }</style>
 {{- end}}
 </head>
-<body>
+<body onload="initPage()">
 	<header>
 		<div class="wrapper">
 			<div class="breadcrumbs">Folder Path</div>
@@ -810,7 +799,7 @@ footer {
 						</span>
 						{{- end}}
 					</div>
-					<a id="layout-list" class='layout{{if eq $.Layout "list" ""}}current{{end}}'>
+					<a href="javascript:queryParam('layout', '')" id="layout-list" class='layout{{if eq $.Layout "list" ""}}current{{end}}'>
 						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-list" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
 							<path stroke="none" d="M0 0h24v24H0z" fill="none"/>
 							<path d="M4 4m0 2a2 2 0 0 1 2 -2h12a2 2 0 0 1 2 2v2a2 2 0 0 1 -2 2h-12a2 2 0 0 1 -2 -2z"/>
@@ -818,7 +807,7 @@ footer {
 						</svg>
 						List
 					</a>
-					<a id="layout-grid" class='layout{{if eq $.Layout "grid"}}current{{end}}'>
+					<a href="javascript:queryParam('layout', 'grid')" id="layout-grid" class='layout{{if eq $.Layout "grid"}}current{{end}}'>
 						<svg xmlns="http://www.w3.org/2000/svg" class="icon icon-tabler icon-tabler-layout-grid" width="16" height="16" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
 							<path stroke="none" d="M0 0h24v24H0z" fill="none"/>
 							<path d="M4 4m0 1a1 1 0 0 1 1 -1h4a1 1 0 0 1 1 1v4a1 1 0 0 1 -1 1h-4a1 1 0 0 1 -1 -1z"/>
@@ -897,7 +886,7 @@ footer {
 									<path d="M10 10m-7 0a7 7 0 1 0 14 0a7 7 0 1 0 -14 0"/>
 									<path d="M21 21l-6 -6"/>
 								</svg>
-								<input type="search" placeholder="Search" id="filter">
+								<input type="search" placeholder="Search" id="filter" onkeyup='filter()'>
 							</div>
 						</th>
 						<th>
@@ -991,7 +980,7 @@ footer {
 							<div class="sizebar">
 								<div class="sizebar-bar"></div>
 								<div class="sizebar-text">
-									{{if .IsSymlink}}↱&nbsp;{{end}}{{.HumanSize}}
+									{{.HumanSize}}
 								</div>
 							</div>
 						</td>
@@ -1011,70 +1000,70 @@ footer {
 		<footer>
 			Served with
 			<a rel="noopener noreferrer" href="https://caddyserver.com">
-				<svg class="caddy-logo" viewBox="0 0 379 114" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" fill-rule="evenodd" clip-rule="evenodd" stroke-linecap="round" stroke-linejoin="round">
+				<svg class="caddy-logo" viewBox="0 0 379 114" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;">
 					<g transform="matrix(1,0,0,1,-1982.99,-530.985)">
 						<g transform="matrix(1.16548,0,0,1.10195,1823.12,393.466)">
 							<g transform="matrix(1,0,0,1,0.233052,1.17986)">
 								<g id="Icon" transform="matrix(0.858013,0,0,0.907485,-3224.99,-1435.83)">
 									<g>
 										<g transform="matrix(-0.191794,-0.715786,0.715786,-0.191794,4329.14,4673.64)">
-											<path d="M3901.56,610.734C3893.53,610.261 3886.06,608.1 3879.2,604.877C3872.24,601.608 3866.04,597.093 3860.8,591.633C3858.71,589.457 3856.76,587.149 3854.97,584.709C3853.2,582.281 3851.57,579.733 3850.13,577.066C3845.89,569.224 3843.21,560.381 3842.89,550.868C3842.57,543.321 3843.64,536.055 3845.94,529.307C3848.37,522.203 3852.08,515.696 3856.83,510.049L3855.79,509.095C3850.39,514.54 3846.02,520.981 3842.9,528.125C3839.84,535.125 3838.03,542.781 3837.68,550.868C3837.34,561.391 3839.51,571.425 3843.79,580.306C3845.27,583.38 3847.03,586.304 3849.01,589.049C3851.01,591.806 3853.24,594.39 3855.69,596.742C3861.75,602.568 3869,607.19 3877.03,610.1C3884.66,612.867 3892.96,614.059 3901.56,613.552L3901.56,610.734Z" fill="rgb(0,144,221)"/>
+											<path d="M3901.56,610.734C3893.53,610.261 3886.06,608.1 3879.2,604.877C3872.24,601.608 3866.04,597.093 3860.8,591.633C3858.71,589.457 3856.76,587.149 3854.97,584.709C3853.2,582.281 3851.57,579.733 3850.13,577.066C3845.89,569.224 3843.21,560.381 3842.89,550.868C3842.57,543.321 3843.64,536.055 3845.94,529.307C3848.37,522.203 3852.08,515.696 3856.83,510.049L3855.79,509.095C3850.39,514.54 3846.02,520.981 3842.9,528.125C3839.84,535.125 3838.03,542.781 3837.68,550.868C3837.34,561.391 3839.51,571.425 3843.79,580.306C3845.27,583.38 3847.03,586.304 3849.01,589.049C3851.01,591.806 3853.24,594.39 3855.69,596.742C3861.75,602.568 3869,607.19 3877.03,610.1C3884.66,612.867 3892.96,614.059 3901.56,613.552L3901.56,610.734Z" style="fill:rgb(0,144,221);"/>
 										</g>
 										<g transform="matrix(-0.191794,-0.715786,0.715786,-0.191794,4329.14,4673.64)">
-											<path d="M3875.69,496.573C3879.62,494.538 3883.8,492.897 3888.2,491.786C3892.49,490.704 3896.96,490.124 3901.56,490.032C3903.82,490.13 3906.03,490.332 3908.21,490.688C3917.13,492.147 3925.19,495.814 3932.31,500.683C3936.13,503.294 3939.59,506.335 3942.81,509.619C3947.09,513.98 3950.89,518.816 3953.85,524.232C3958.2,532.197 3960.96,541.186 3961.32,550.868C3961.61,558.748 3960.46,566.345 3957.88,573.322C3956.09,578.169 3953.7,582.753 3950.66,586.838C3947.22,591.461 3942.96,595.427 3938.27,598.769C3933.66,602.055 3928.53,604.619 3923.09,606.478C3922.37,606.721 3921.6,606.805 3920.93,607.167C3920.42,607.448 3920.14,607.854 3919.69,608.224L3920.37,610.389C3920.98,610.432 3921.47,610.573 3922.07,610.474C3922.86,610.344 3923.55,609.883 3924.28,609.566C3931.99,606.216 3938.82,601.355 3944.57,595.428C3947.02,592.903 3949.25,590.174 3951.31,587.319C3953.59,584.168 3955.66,580.853 3957.43,577.348C3961.47,569.34 3964.01,560.422 3964.36,550.868C3964.74,540.511 3962.66,530.628 3958.48,521.868C3955.57,515.775 3951.72,510.163 3946.95,505.478C3943.37,501.962 3939.26,498.99 3934.84,496.562C3926.88,492.192 3917.87,489.76 3908.37,489.229C3906.12,489.104 3903.86,489.054 3901.56,489.154C3896.87,489.06 3892.3,489.519 3887.89,490.397C3883.3,491.309 3878.89,492.683 3874.71,494.525L3875.69,496.573Z" fill="rgb(0,144,221)"/>
+											<path d="M3875.69,496.573C3879.62,494.538 3883.8,492.897 3888.2,491.786C3892.49,490.704 3896.96,490.124 3901.56,490.032C3903.82,490.13 3906.03,490.332 3908.21,490.688C3917.13,492.147 3925.19,495.814 3932.31,500.683C3936.13,503.294 3939.59,506.335 3942.81,509.619C3947.09,513.98 3950.89,518.816 3953.85,524.232C3958.2,532.197 3960.96,541.186 3961.32,550.868C3961.61,558.748 3960.46,566.345 3957.88,573.322C3956.09,578.169 3953.7,582.753 3950.66,586.838C3947.22,591.461 3942.96,595.427 3938.27,598.769C3933.66,602.055 3928.53,604.619 3923.09,606.478C3922.37,606.721 3921.6,606.805 3920.93,607.167C3920.42,607.448 3920.14,607.854 3919.69,608.224L3920.37,610.389C3920.98,610.432 3921.47,610.573 3922.07,610.474C3922.86,610.344 3923.55,609.883 3924.28,609.566C3931.99,606.216 3938.82,601.355 3944.57,595.428C3947.02,592.903 3949.25,590.174 3951.31,587.319C3953.59,584.168 3955.66,580.853 3957.43,577.348C3961.47,569.34 3964.01,560.422 3964.36,550.868C3964.74,540.511 3962.66,530.628 3958.48,521.868C3955.57,515.775 3951.72,510.163 3946.95,505.478C3943.37,501.962 3939.26,498.99 3934.84,496.562C3926.88,492.192 3917.87,489.76 3908.37,489.229C3906.12,489.104 3903.86,489.054 3901.56,489.154C3896.87,489.06 3892.3,489.519 3887.89,490.397C3883.3,491.309 3878.89,492.683 3874.71,494.525L3875.69,496.573Z" style="fill:rgb(0,144,221);"/>
 										</g>
 									</g>
 									<g>
 										<g transform="matrix(-3.37109,-0.514565,0.514565,-3.37109,4078.07,1806.88)">
-											<path d="M22,12C22,10.903 21.097,10 20,10C19.421,10 18.897,10.251 18.53,10.649C18.202,11.006 18,11.481 18,12C18,13.097 18.903,14 20,14C21.097,14 22,13.097 22,12Z" fill="none" fill-rule="nonzero" stroke="rgb(0,144,221)" stroke-width="1.05px"/>
+											<path d="M22,12C22,10.903 21.097,10 20,10C19.421,10 18.897,10.251 18.53,10.649C18.202,11.006 18,11.481 18,12C18,13.097 18.903,14 20,14C21.097,14 22,13.097 22,12Z" style="fill:none;fill-rule:nonzero;stroke:rgb(0,144,221);stroke-width:1.05px;"/>
 										</g>
 										<g transform="matrix(-5.33921,-5.26159,-3.12106,-6.96393,4073.87,1861.55)">
-											<path d="M10.315,5.333C10.315,5.333 9.748,5.921 9.03,6.673C7.768,7.995 6.054,9.805 6.054,9.805L6.237,9.86C6.237,9.86 8.045,8.077 9.36,6.771C10.107,6.028 10.689,5.444 10.689,5.444L10.315,5.333Z" fill="rgb(0,144,221)"/>
+											<path d="M10.315,5.333C10.315,5.333 9.748,5.921 9.03,6.673C7.768,7.995 6.054,9.805 6.054,9.805L6.237,9.86C6.237,9.86 8.045,8.077 9.36,6.771C10.107,6.028 10.689,5.444 10.689,5.444L10.315,5.333Z" style="fill:rgb(0,144,221);"/>
 										</g>
 									</g>
 									<g id="Padlock" transform="matrix(3.11426,0,0,3.11426,3938.31,1737.25)">
 										<g>
-											<path d="M9.876,21L18.162,21C18.625,21 19,20.625 19,20.162L19,11.838C19,11.375 18.625,11 18.162,11L5.838,11C5.375,11 5,11.375 5,11.838L5,16.758" fill="none" stroke="rgb(34,182,56)" stroke-width="1.89px" stroke-linecap="butt" stroke-linejoin="miter"/>
-											<path d="M8,11L8,7C8,4.806 9.806,3 12,3C14.194,3 16,4.806 16,7L16,11" fill="none" fill-rule="nonzero" stroke="rgb(34,182,56)" stroke-width="1.89px"/>
+											<path d="M9.876,21L18.162,21C18.625,21 19,20.625 19,20.162L19,11.838C19,11.375 18.625,11 18.162,11L5.838,11C5.375,11 5,11.375 5,11.838L5,16.758" style="fill:none;stroke:rgb(34,182,56);stroke-width:1.89px;stroke-linecap:butt;stroke-linejoin:miter;"/>
+											<path d="M8,11L8,7C8,4.806 9.806,3 12,3C14.194,3 16,4.806 16,7L16,11" style="fill:none;fill-rule:nonzero;stroke:rgb(34,182,56);stroke-width:1.89px;"/>
 										</g>
 									</g>
 									<g>
 										<g transform="matrix(5.30977,0.697415,-0.697415,5.30977,3852.72,1727.97)">
-											<path d="M22,12C22,11.659 21.913,11.337 21.76,11.055C21.421,10.429 20.756,10 20,10C18.903,10 18,10.903 18,12C18,13.097 18.903,14 20,14C21.097,14 22,13.097 22,12Z" fill="none" fill-rule="nonzero" stroke="rgb(0,144,221)" stroke-width="0.98px"/>
+											<path d="M22,12C22,11.659 21.913,11.337 21.76,11.055C21.421,10.429 20.756,10 20,10C18.903,10 18,10.903 18,12C18,13.097 18.903,14 20,14C21.097,14 22,13.097 22,12Z" style="fill:none;fill-rule:nonzero;stroke:rgb(0,144,221);stroke-width:0.98px;"/>
 										</g>
 										<g transform="matrix(4.93114,2.49604,1.11018,5.44847,3921.41,1726.72)">
-											<path d="M8.902,6.77C8.902,6.77 7.235,8.253 6.027,9.366C5.343,9.996 4.819,10.502 4.819,10.502L5.52,11.164C5.52,11.164 6.021,10.637 6.646,9.951C7.749,8.739 9.219,7.068 9.219,7.068L8.902,6.77Z" fill="rgb(0,144,221)"/>
+											<path d="M8.902,6.77C8.902,6.77 7.235,8.253 6.027,9.366C5.343,9.996 4.819,10.502 4.819,10.502L5.52,11.164C5.52,11.164 6.021,10.637 6.646,9.951C7.749,8.739 9.219,7.068 9.219,7.068L8.902,6.77Z" style="fill:rgb(0,144,221);"/>
 										</g>
 									</g>
 								</g>
 								<g id="Text">
 									<g id="Wordmark" transform="matrix(1.32271,0,0,2.60848,-899.259,-791.691)">
 										<g id="y" transform="matrix(0.50291,0,0,0.281607,905.533,304.987)">
-											<path d="M192.152,286.875L202.629,268.64C187.804,270.106 183.397,265.779 180.143,263.391C176.888,261.004 174.362,257.99 172.563,254.347C170.765,250.705 169.866,246.691 169.866,242.305L169.866,208.107L183.21,208.107L183.21,242.213C183.21,245.188 183.896,247.822 185.268,250.116C186.64,252.41 188.465,254.197 190.743,255.475C193.022,256.754 195.501,257.393 198.182,257.393C200.894,257.393 203.393,256.75 205.68,255.463C207.966,254.177 209.799,252.391 211.178,250.105C212.558,247.818 213.248,245.188 213.248,242.213L213.248,208.107L226.545,208.107L226.545,242.305C226.545,246.707 225.378,258.46 218.079,268.64C215.735,271.909 207.835,286.875 207.835,286.875L192.152,286.875Z" fill="rgb(47,47,47)" fill-rule="nonzero"/>
+											<path d="M192.152,286.875L202.629,268.64C187.804,270.106 183.397,265.779 180.143,263.391C176.888,261.004 174.362,257.99 172.563,254.347C170.765,250.705 169.866,246.691 169.866,242.305L169.866,208.107L183.21,208.107L183.21,242.213C183.21,245.188 183.896,247.822 185.268,250.116C186.64,252.41 188.465,254.197 190.743,255.475C193.022,256.754 195.501,257.393 198.182,257.393C200.894,257.393 203.393,256.75 205.68,255.463C207.966,254.177 209.799,252.391 211.178,250.105C212.558,247.818 213.248,245.188 213.248,242.213L213.248,208.107L226.545,208.107L226.545,242.305C226.545,246.707 225.378,258.46 218.079,268.64C215.735,271.909 207.835,286.875 207.835,286.875L192.152,286.875Z" style="fill:rgb(47,47,47);fill-rule:nonzero;"/>
 										</g>
 										<g id="add" transform="matrix(0.525075,0,0,0.281607,801.871,304.987)">
 											<g transform="matrix(116.242,0,0,116.242,161.846,267.39)">
-												<path d="M0.276,0.012C0.227,0.012 0.186,0 0.15,-0.024C0.115,-0.048 0.088,-0.08 0.069,-0.12C0.05,-0.161 0.04,-0.205 0.04,-0.254C0.04,-0.305 0.051,-0.35 0.072,-0.39C0.094,-0.431 0.125,-0.463 0.165,-0.487C0.205,-0.51 0.254,-0.522 0.31,-0.522C0.366,-0.522 0.413,-0.51 0.452,-0.486C0.491,-0.463 0.521,-0.431 0.542,-0.39C0.562,-0.35 0.573,-0.305 0.573,-0.256L0.573,-0L0.458,-0L0.458,-0.095L0.456,-0.095C0.446,-0.076 0.433,-0.058 0.417,-0.042C0.401,-0.026 0.381,-0.013 0.358,-0.003C0.335,0.007 0.307,0.012 0.276,0.012ZM0.307,-0.086C0.337,-0.086 0.363,-0.093 0.386,-0.108C0.408,-0.123 0.426,-0.144 0.438,-0.17C0.45,-0.195 0.456,-0.224 0.456,-0.256C0.456,-0.288 0.45,-0.317 0.438,-0.342C0.426,-0.367 0.409,-0.387 0.387,-0.402C0.365,-0.417 0.338,-0.424 0.308,-0.424C0.276,-0.424 0.249,-0.417 0.226,-0.402C0.204,-0.387 0.186,-0.366 0.174,-0.341C0.162,-0.315 0.156,-0.287 0.156,-0.255C0.156,-0.224 0.162,-0.195 0.174,-0.169C0.186,-0.144 0.203,-0.123 0.226,-0.108C0.248,-0.093 0.275,-0.086 0.307,-0.086Z" fill="rgb(47,47,47)" fill-rule="nonzero"/>
+												<path d="M0.276,0.012C0.227,0.012 0.186,0 0.15,-0.024C0.115,-0.048 0.088,-0.08 0.069,-0.12C0.05,-0.161 0.04,-0.205 0.04,-0.254C0.04,-0.305 0.051,-0.35 0.072,-0.39C0.094,-0.431 0.125,-0.463 0.165,-0.487C0.205,-0.51 0.254,-0.522 0.31,-0.522C0.366,-0.522 0.413,-0.51 0.452,-0.486C0.491,-0.463 0.521,-0.431 0.542,-0.39C0.562,-0.35 0.573,-0.305 0.573,-0.256L0.573,-0L0.458,-0L0.458,-0.095L0.456,-0.095C0.446,-0.076 0.433,-0.058 0.417,-0.042C0.401,-0.026 0.381,-0.013 0.358,-0.003C0.335,0.007 0.307,0.012 0.276,0.012ZM0.307,-0.086C0.337,-0.086 0.363,-0.093 0.386,-0.108C0.408,-0.123 0.426,-0.144 0.438,-0.17C0.45,-0.195 0.456,-0.224 0.456,-0.256C0.456,-0.288 0.45,-0.317 0.438,-0.342C0.426,-0.367 0.409,-0.387 0.387,-0.402C0.365,-0.417 0.338,-0.424 0.308,-0.424C0.276,-0.424 0.249,-0.417 0.226,-0.402C0.204,-0.387 0.186,-0.366 0.174,-0.341C0.162,-0.315 0.156,-0.287 0.156,-0.255C0.156,-0.224 0.162,-0.195 0.174,-0.169C0.186,-0.144 0.203,-0.123 0.226,-0.108C0.248,-0.093 0.275,-0.086 0.307,-0.086Z" style="fill:rgb(47,47,47);fill-rule:nonzero;"/>
 											</g>
 											<g transform="matrix(116.242,0,0,116.242,226.592,267.39)">
-												<path d="M0.306,0.012C0.265,0.012 0.229,0.006 0.196,-0.008C0.163,-0.021 0.135,-0.039 0.112,-0.064C0.089,-0.088 0.071,-0.117 0.059,-0.151C0.046,-0.185 0.04,-0.222 0.04,-0.263C0.04,-0.315 0.051,-0.36 0.072,-0.399C0.093,-0.437 0.122,-0.468 0.159,-0.489C0.196,-0.511 0.239,-0.522 0.287,-0.522C0.311,-0.522 0.333,-0.518 0.355,-0.511C0.377,-0.504 0.396,-0.493 0.413,-0.48C0.431,-0.466 0.445,-0.451 0.455,-0.433L0.456,-0.433L0.456,-0.73L0.571,-0.73L0.571,-0.261C0.571,-0.205 0.56,-0.156 0.537,-0.115C0.515,-0.074 0.484,-0.043 0.444,-0.021C0.405,0.001 0.358,0.012 0.306,0.012ZM0.306,-0.086C0.335,-0.086 0.361,-0.093 0.384,-0.107C0.406,-0.122 0.423,-0.141 0.436,-0.167C0.448,-0.192 0.455,-0.221 0.455,-0.255C0.455,-0.288 0.448,-0.317 0.436,-0.343C0.423,-0.368 0.406,-0.388 0.383,-0.402C0.361,-0.417 0.335,-0.424 0.305,-0.424C0.276,-0.424 0.251,-0.417 0.228,-0.402C0.206,-0.387 0.188,-0.368 0.175,-0.342C0.163,-0.317 0.156,-0.288 0.156,-0.255C0.156,-0.222 0.163,-0.193 0.175,-0.167C0.188,-0.142 0.206,-0.122 0.229,-0.108C0.251,-0.093 0.277,-0.086 0.306,-0.086Z" fill="rgb(47,47,47)" fill-rule="nonzero"/>
+												<path d="M0.306,0.012C0.265,0.012 0.229,0.006 0.196,-0.008C0.163,-0.021 0.135,-0.039 0.112,-0.064C0.089,-0.088 0.071,-0.117 0.059,-0.151C0.046,-0.185 0.04,-0.222 0.04,-0.263C0.04,-0.315 0.051,-0.36 0.072,-0.399C0.093,-0.437 0.122,-0.468 0.159,-0.489C0.196,-0.511 0.239,-0.522 0.287,-0.522C0.311,-0.522 0.333,-0.518 0.355,-0.511C0.377,-0.504 0.396,-0.493 0.413,-0.48C0.431,-0.466 0.445,-0.451 0.455,-0.433L0.456,-0.433L0.456,-0.73L0.571,-0.73L0.571,-0.261C0.571,-0.205 0.56,-0.156 0.537,-0.115C0.515,-0.074 0.484,-0.043 0.444,-0.021C0.405,0.001 0.358,0.012 0.306,0.012ZM0.306,-0.086C0.335,-0.086 0.361,-0.093 0.384,-0.107C0.406,-0.122 0.423,-0.141 0.436,-0.167C0.448,-0.192 0.455,-0.221 0.455,-0.255C0.455,-0.288 0.448,-0.317 0.436,-0.343C0.423,-0.368 0.406,-0.388 0.383,-0.402C0.361,-0.417 0.335,-0.424 0.305,-0.424C0.276,-0.424 0.251,-0.417 0.228,-0.402C0.206,-0.387 0.188,-0.368 0.175,-0.342C0.163,-0.317 0.156,-0.288 0.156,-0.255C0.156,-0.222 0.163,-0.193 0.175,-0.167C0.188,-0.142 0.206,-0.122 0.229,-0.108C0.251,-0.093 0.277,-0.086 0.306,-0.086Z" style="fill:rgb(47,47,47);fill-rule:nonzero;"/>
 											</g>
 											<g transform="matrix(116.242,0,0,116.242,290.293,267.39)">
-												<path d="M0.306,0.012C0.265,0.012 0.229,0.006 0.196,-0.008C0.163,-0.021 0.135,-0.039 0.112,-0.064C0.089,-0.088 0.071,-0.117 0.059,-0.151C0.046,-0.185 0.04,-0.222 0.04,-0.263C0.04,-0.315 0.051,-0.36 0.072,-0.399C0.093,-0.437 0.122,-0.468 0.159,-0.489C0.196,-0.511 0.239,-0.522 0.287,-0.522C0.311,-0.522 0.333,-0.518 0.355,-0.511C0.377,-0.504 0.396,-0.493 0.413,-0.48C0.431,-0.466 0.445,-0.451 0.455,-0.433L0.456,-0.433L0.456,-0.73L0.571,-0.73L0.571,-0.261C0.571,-0.205 0.56,-0.156 0.537,-0.115C0.515,-0.074 0.484,-0.043 0.444,-0.021C0.405,0.001 0.358,0.012 0.306,0.012ZM0.306,-0.086C0.335,-0.086 0.361,-0.093 0.384,-0.107C0.406,-0.122 0.423,-0.141 0.436,-0.167C0.448,-0.192 0.455,-0.221 0.455,-0.255C0.455,-0.288 0.448,-0.317 0.436,-0.343C0.423,-0.368 0.406,-0.388 0.383,-0.402C0.361,-0.417 0.335,-0.424 0.305,-0.424C0.276,-0.424 0.251,-0.417 0.228,-0.402C0.206,-0.387 0.188,-0.368 0.175,-0.342C0.163,-0.317 0.156,-0.288 0.156,-0.255C0.156,-0.222 0.163,-0.193 0.175,-0.167C0.188,-0.142 0.206,-0.122 0.229,-0.108C0.251,-0.093 0.277,-0.086 0.306,-0.086Z" fill="rgb(47,47,47)" fill-rule="nonzero"/>
+												<path d="M0.306,0.012C0.265,0.012 0.229,0.006 0.196,-0.008C0.163,-0.021 0.135,-0.039 0.112,-0.064C0.089,-0.088 0.071,-0.117 0.059,-0.151C0.046,-0.185 0.04,-0.222 0.04,-0.263C0.04,-0.315 0.051,-0.36 0.072,-0.399C0.093,-0.437 0.122,-0.468 0.159,-0.489C0.196,-0.511 0.239,-0.522 0.287,-0.522C0.311,-0.522 0.333,-0.518 0.355,-0.511C0.377,-0.504 0.396,-0.493 0.413,-0.48C0.431,-0.466 0.445,-0.451 0.455,-0.433L0.456,-0.433L0.456,-0.73L0.571,-0.73L0.571,-0.261C0.571,-0.205 0.56,-0.156 0.537,-0.115C0.515,-0.074 0.484,-0.043 0.444,-0.021C0.405,0.001 0.358,0.012 0.306,0.012ZM0.306,-0.086C0.335,-0.086 0.361,-0.093 0.384,-0.107C0.406,-0.122 0.423,-0.141 0.436,-0.167C0.448,-0.192 0.455,-0.221 0.455,-0.255C0.455,-0.288 0.448,-0.317 0.436,-0.343C0.423,-0.368 0.406,-0.388 0.383,-0.402C0.361,-0.417 0.335,-0.424 0.305,-0.424C0.276,-0.424 0.251,-0.417 0.228,-0.402C0.206,-0.387 0.188,-0.368 0.175,-0.342C0.163,-0.317 0.156,-0.288 0.156,-0.255C0.156,-0.222 0.163,-0.193 0.175,-0.167C0.188,-0.142 0.206,-0.122 0.229,-0.108C0.251,-0.093 0.277,-0.086 0.306,-0.086Z" style="fill:rgb(47,47,47);fill-rule:nonzero;"/>
 											</g>
 										</g>
 										<g id="c" transform="matrix(-0.0716462,0.31304,-0.583685,-0.0384251,1489.76,-444.051)">
-											<path d="M2668.11,700.4C2666.79,703.699 2666.12,707.216 2666.12,710.766C2666.12,726.268 2678.71,738.854 2694.21,738.854C2709.71,738.854 2722.3,726.268 2722.3,710.766C2722.3,704.111 2719.93,697.672 2715.63,692.597L2707.63,699.378C2710.33,702.559 2711.57,706.602 2711.81,710.766C2712.2,717.38 2706.61,724.52 2697.27,726.637C2683.9,728.581 2676.61,720.482 2676.61,710.766C2676.61,708.541 2677.03,706.336 2677.85,704.269L2668.11,700.4Z" fill="rgb(46,46,46)"/>
+											<path d="M2668.11,700.4C2666.79,703.699 2666.12,707.216 2666.12,710.766C2666.12,726.268 2678.71,738.854 2694.21,738.854C2709.71,738.854 2722.3,726.268 2722.3,710.766C2722.3,704.111 2719.93,697.672 2715.63,692.597L2707.63,699.378C2710.33,702.559 2711.57,706.602 2711.81,710.766C2712.2,717.38 2706.61,724.52 2697.27,726.637C2683.9,728.581 2676.61,720.482 2676.61,710.766C2676.61,708.541 2677.03,706.336 2677.85,704.269L2668.11,700.4Z" style="fill:rgb(46,46,46);"/>
 										</g>
 									</g>
 									<g id="R" transform="matrix(0.426446,0,0,0.451034,-1192.44,-722.167)">
 										<g transform="matrix(1,0,0,1,-0.10786,0.450801)">
 											<g transform="matrix(12.1247,0,0,12.1247,3862.61,1929.9)">
-												<path d="M0.073,-0L0.073,-0.7L0.383,-0.7C0.428,-0.7 0.469,-0.69 0.506,-0.67C0.543,-0.651 0.572,-0.623 0.594,-0.588C0.616,-0.553 0.627,-0.512 0.627,-0.465C0.627,-0.418 0.615,-0.377 0.592,-0.342C0.569,-0.306 0.539,-0.279 0.501,-0.259L0.57,-0.128C0.574,-0.12 0.579,-0.115 0.584,-0.111C0.59,-0.107 0.596,-0.106 0.605,-0.106L0.664,-0.106L0.664,-0L0.587,-0C0.56,-0 0.535,-0.007 0.514,-0.02C0.493,-0.034 0.476,-0.052 0.463,-0.075L0.381,-0.232C0.375,-0.231 0.368,-0.231 0.361,-0.231C0.354,-0.231 0.347,-0.231 0.34,-0.231L0.192,-0.231L0.192,-0L0.073,-0ZM0.192,-0.336L0.368,-0.336C0.394,-0.336 0.417,-0.341 0.438,-0.351C0.459,-0.361 0.476,-0.376 0.489,-0.396C0.501,-0.415 0.507,-0.438 0.507,-0.465C0.507,-0.492 0.501,-0.516 0.488,-0.535C0.475,-0.554 0.459,-0.569 0.438,-0.579C0.417,-0.59 0.394,-0.595 0.369,-0.595L0.192,-0.595L0.192,-0.336Z" fill="rgb(46,46,46)" fill-rule="nonzero"/>
+												<path d="M0.073,-0L0.073,-0.7L0.383,-0.7C0.428,-0.7 0.469,-0.69 0.506,-0.67C0.543,-0.651 0.572,-0.623 0.594,-0.588C0.616,-0.553 0.627,-0.512 0.627,-0.465C0.627,-0.418 0.615,-0.377 0.592,-0.342C0.569,-0.306 0.539,-0.279 0.501,-0.259L0.57,-0.128C0.574,-0.12 0.579,-0.115 0.584,-0.111C0.59,-0.107 0.596,-0.106 0.605,-0.106L0.664,-0.106L0.664,-0L0.587,-0C0.56,-0 0.535,-0.007 0.514,-0.02C0.493,-0.034 0.476,-0.052 0.463,-0.075L0.381,-0.232C0.375,-0.231 0.368,-0.231 0.361,-0.231C0.354,-0.231 0.347,-0.231 0.34,-0.231L0.192,-0.231L0.192,-0L0.073,-0ZM0.192,-0.336L0.368,-0.336C0.394,-0.336 0.417,-0.341 0.438,-0.351C0.459,-0.361 0.476,-0.376 0.489,-0.396C0.501,-0.415 0.507,-0.438 0.507,-0.465C0.507,-0.492 0.501,-0.516 0.488,-0.535C0.475,-0.554 0.459,-0.569 0.438,-0.579C0.417,-0.59 0.394,-0.595 0.369,-0.595L0.192,-0.595L0.192,-0.336Z" style="fill:rgb(46,46,46);fill-rule:nonzero;"/>
 											</g>
 										</g>
 										<g transform="matrix(1,0,0,1,0.278569,0.101881)">
-											<circle cx="3866.43" cy="1926.14" r="8.923" fill="none" stroke="rgb(46,46,46)" stroke-width="2px" stroke-linecap="butt" stroke-linejoin="miter"/>
+											<circle cx="3866.43" cy="1926.14" r="8.923" style="fill:none;stroke:rgb(46,46,46);stroke-width:2px;stroke-linecap:butt;stroke-linejoin:miter;"/>
 										</g>
 									</g>
 								</g>
@@ -1085,7 +1074,7 @@ footer {
 			</a>
 		</footer>
 
-		<script {{ $nonceAttribute }}>
+		<script>
 			const filterEl = document.getElementById('filter');
 			filterEl?.focus({ preventScroll: true });
 
@@ -1131,20 +1120,6 @@ footer {
 				});
 			}
 
-			const filterElem = document.getElementById("filter");
-			if (filterElem) {
-				filterElem.addEventListener("keyup", filter);
-			}
-
-			document.getElementById("layout-list").addEventListener("click", function() {
-				queryParam('layout', '');
-			});
-			document.getElementById("layout-grid").addEventListener("click", function() {
-				queryParam('layout', 'grid');
-			});
-
-			window.addEventListener("load", initPage);
-
 			function queryParam(k, v) {
 				const qs = new URLSearchParams(window.location.search);
 				if (!v) {

modules/caddyhttp/fileserver/browsetplcontext.go

@@ -21,7 +21,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -29,7 +28,6 @@ import (
 
 	"github.com/dustin/go-humanize"
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -59,9 +57,9 @@ func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS,
 
 		info, err := entry.Info()
 		if err != nil {
-			if c := fsrv.logger.Check(zapcore.ErrorLevel, "could not get info about directory entry"); c != nil {
-				c.Write(zap.String("name", entry.Name()), zap.String("root", root))
-			}
+			fsrv.logger.Error("could not get info about directory entry",
+				zap.String("name", entry.Name()),
+				zap.String("root", root))
 			continue
 		}
 
@@ -82,13 +80,6 @@ func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS,
 		}
 
 		size := info.Size()
-
-		if !isDir {
-			// increase the total by the symlink's size, not the target's size,
-			// by incrementing before we follow the symlink
-			tplCtx.TotalFileSize += size
-		}
-
 		fileIsSymlink := isSymlink(info)
 		symlinkPath := ""
 		if fileIsSymlink {
@@ -112,8 +103,7 @@ func (fsrv *FileServer) directoryListing(ctx context.Context, fileSystem fs.FS,
 		}
 
 		if !isDir {
-			// increase the total including the symlink target's size
-			tplCtx.TotalFileSizeFollowingSymlinks += size
+			tplCtx.TotalFileSize += size
 		}
 
 		u := url.URL{Path: "./" + name} // prepend with "./" to fix paths with ':' in the name
@@ -160,15 +150,9 @@ type browseTemplateContext struct {
 	// The number of files (items that aren't directories) in the listing.
 	NumFiles int `json:"num_files"`
 
-	// The total size of all files in the listing. Only includes the
-	// size of the files themselves, not the size of symlink targets
-	// (i.e. the calculation of this value does not follow symlinks).
+	// The total size of all files in the listing.
 	TotalFileSize int64 `json:"total_file_size"`
 
-	// The total size of all files in the listing, including the
-	// size of the files targeted by symlinks.
-	TotalFileSizeFollowingSymlinks int64 `json:"total_file_size_following_symlinks"`
-
 	// Sort column used
 	Sort string `json:"sort,omitempty"`
 
@@ -282,9 +266,12 @@ type fileInfo struct {
 
 // HasExt returns true if the filename has any of the given suffixes, case-insensitive.
 func (fi fileInfo) HasExt(exts ...string) bool {
-	return slices.ContainsFunc(exts, func(ext string) bool {
-		return strings.HasSuffix(strings.ToLower(fi.Name), strings.ToLower(ext))
-	})
+	for _, ext := range exts {
+		if strings.HasSuffix(strings.ToLower(fi.Name), strings.ToLower(ext)) {
+			return true
+		}
+	}
+	return false
 }
 
 // HumanSize returns the size of the file as a
@@ -301,12 +288,6 @@ func (btc browseTemplateContext) HumanTotalFileSize() string {
 	return humanize.IBytes(uint64(btc.TotalFileSize))
 }
 
-// HumanTotalFileSizeFollowingSymlinks is the same as HumanTotalFileSize
-// except the returned value reflects the size of symlink targets.
-func (btc browseTemplateContext) HumanTotalFileSizeFollowingSymlinks() string {
-	return humanize.IBytes(uint64(btc.TotalFileSizeFollowingSymlinks))
-}
-
 // HumanModTime returns the modified time of the file
 // as a human-readable string given by format.
 func (fi fileInfo) HumanModTime(format string) string {
@@ -372,7 +353,4 @@ const (
 	sortByNameDirFirst = "namedirfirst"
 	sortBySize         = "size"
 	sortByTime         = "time"
-
-	sortOrderAsc  = "asc"
-	sortOrderDesc = "desc"
 )

modules/caddyhttp/fileserver/caddyfile.go

@@ -16,7 +16,6 @@ package fileserver
 
 import (
 	"path/filepath"
-	"strconv"
 	"strings"
 
 	"github.com/caddyserver/caddy/v2"
@@ -79,7 +78,7 @@ func (fsrv *FileServer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 		return d.ArgErr()
 	}
 
-	for nesting := d.Nesting(); d.NextBlock(nesting); {
+	for d.NextBlock(0) {
 		switch d.Val() {
 		case "fs":
 			if !d.NextArg() {
@@ -120,26 +119,6 @@ func (fsrv *FileServer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 						return d.Err("Symlinks path reveal is already enabled")
 					}
 					fsrv.Browse.RevealSymlinks = true
-				case "sort":
-					for d.NextArg() {
-						dVal := d.Val()
-						switch dVal {
-						case sortByName, sortByNameDirFirst, sortBySize, sortByTime, sortOrderAsc, sortOrderDesc:
-							fsrv.Browse.SortOptions = append(fsrv.Browse.SortOptions, dVal)
-						default:
-							return d.Errf("unknown sort option '%s'", dVal)
-						}
-					}
-				case "file_limit":
-					fileLimit := d.RemainingArgs()
-					if len(fileLimit) != 1 {
-						return d.Err("file_limit should have an integer value")
-					}
-					val, _ := strconv.Atoi(fileLimit[0])
-					if fsrv.Browse.FileLimit != 0 {
-						return d.Err("file_limit is already enabled")
-					}
-					fsrv.Browse.FileLimit = val
 				default:
 					return d.Errf("unknown subdirective '%s'", d.Val())
 				}

modules/caddyhttp/fileserver/command.go

@@ -66,7 +66,6 @@ respond with a file listing.`,
 			cmd.Flags().BoolP("templates", "t", false, "Enable template rendering")
 			cmd.Flags().BoolP("access-log", "a", false, "Enable the access log")
 			cmd.Flags().BoolP("debug", "v", false, "Enable verbose debug logs")
-			cmd.Flags().IntP("file-limit", "f", defaultDirEntryLimit, "Max directories to read")
 			cmd.Flags().BoolP("no-compress", "", false, "Disable Zstandard and Gzip compression")
 			cmd.Flags().StringSliceP("precompressed", "p", []string{}, "Specify precompression file extensions. Compression preference implied from flag order.")
 			cmd.RunE = caddycmd.WrapCommandFuncForCobra(cmdFileServer)
@@ -92,7 +91,6 @@ func cmdFileServer(fs caddycmd.Flags) (int, error) {
 	browse := fs.Bool("browse")
 	templates := fs.Bool("templates")
 	accessLog := fs.Bool("access-log")
-	fileLimit := fs.Int("file-limit")
 	debug := fs.Bool("debug")
 	revealSymlinks := fs.Bool("reveal-symlinks")
 	compress := !fs.Bool("no-compress")
@@ -153,7 +151,7 @@ func cmdFileServer(fs caddycmd.Flags) (int, error) {
 	}
 
 	if browse {
-		handler.Browse = &Browse{RevealSymlinks: revealSymlinks, FileLimit: fileLimit}
+		handler.Browse = &Browse{RevealSymlinks: revealSymlinks}
 	}
 
 	handlers = append(handlers, caddyconfig.JSONModuleObject(handler, "handler", "file_server", nil))

modules/caddyhttp/fileserver/matcher.go

@@ -33,7 +33,6 @@ import (
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/parser"
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -173,7 +172,7 @@ func (m *MatchFile) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 func (MatchFile) CELLibrary(ctx caddy.Context) (cel.Library, error) {
 	requestType := cel.ObjectType("http.Request")
 
-	matcherFactory := func(data ref.Val) (caddyhttp.RequestMatcherWithError, error) {
+	matcherFactory := func(data ref.Val) (caddyhttp.RequestMatcher, error) {
 		values, err := caddyhttp.CELValueToMapStrList(data)
 		if err != nil {
 			return nil, err
@@ -191,7 +190,7 @@ func (MatchFile) CELLibrary(ctx caddy.Context) (cel.Library, error) {
 
 		var try_policy string
 		if len(values["try_policy"]) > 0 {
-			try_policy = values["try_policy"][0]
+			root = values["try_policy"][0]
 		}
 
 		m := MatchFile{
@@ -225,7 +224,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 	return func(eh parser.ExprHelper, target ast.Expr, args []ast.Expr) (ast.Expr, *common.Error) {
 		if len(args) == 0 {
 			return eh.NewCall("file",
-				eh.NewIdent(caddyhttp.CELRequestVarName),
+				eh.NewIdent("request"),
 				eh.NewMap(),
 			), nil
 		}
@@ -233,7 +232,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 			arg := args[0]
 			if isCELStringLiteral(arg) || isCELCaddyPlaceholderCall(arg) {
 				return eh.NewCall("file",
-					eh.NewIdent(caddyhttp.CELRequestVarName),
+					eh.NewIdent("request"),
 					eh.NewMap(eh.NewMapEntry(
 						eh.NewLiteral(types.String("try_files")),
 						eh.NewList(arg),
@@ -242,7 +241,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 				), nil
 			}
 			if isCELTryFilesLiteral(arg) {
-				return eh.NewCall("file", eh.NewIdent(caddyhttp.CELRequestVarName), arg), nil
+				return eh.NewCall("file", eh.NewIdent("request"), arg), nil
 			}
 			return nil, &common.Error{
 				Location: eh.OffsetLocation(arg.ID()),
@@ -259,7 +258,7 @@ func celFileMatcherMacroExpander() parser.MacroExpander {
 			}
 		}
 		return eh.NewCall("file",
-			eh.NewIdent(caddyhttp.CELRequestVarName),
+			eh.NewIdent("request"),
 			eh.NewMap(eh.NewMapEntry(
 				eh.NewLiteral(types.String("try_files")),
 				eh.NewList(args...),
@@ -313,22 +312,12 @@ func (m MatchFile) Validate() error {
 //   - http.matchers.file.type: file or directory
 //   - http.matchers.file.remainder: Portion remaining after splitting file path (if configured)
 func (m MatchFile) Match(r *http.Request) bool {
-	match, err := m.selectFile(r)
-	if err != nil {
-		// nolint:staticcheck
-		caddyhttp.SetVar(r.Context(), caddyhttp.MatcherErrorVarKey, err)
-	}
-	return match
-}
-
-// MatchWithError returns true if r matches m.
-func (m MatchFile) MatchWithError(r *http.Request) (bool, error) {
 	return m.selectFile(r)
 }
 
 // selectFile chooses a file according to m.TryPolicy by appending
 // the paths in m.TryFiles to m.Root, with placeholder replacements.
-func (m MatchFile) selectFile(r *http.Request) (bool, error) {
+func (m MatchFile) selectFile(r *http.Request) (matched bool) {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 
 	root := filepath.Clean(repl.ReplaceAll(m.Root, "."))
@@ -337,10 +326,8 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 
 	fileSystem, ok := m.fsmap.Get(fsName)
 	if !ok {
-		if c := m.logger.Check(zapcore.ErrorLevel, "use of unregistered filesystem"); c != nil {
-			c.Write(zap.String("fs", fsName))
-		}
-		return false, nil
+		m.logger.Error("use of unregistered filesystem", zap.String("fs", fsName))
+		return false
 	}
 	type matchCandidate struct {
 		fullpath, relative, splitRemainder string
@@ -369,10 +356,7 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 			return val, nil
 		})
 		if err != nil {
-			if c := m.logger.Check(zapcore.ErrorLevel, "evaluating placeholders"); c != nil {
-				c.Write(zap.Error(err))
-			}
-
+			m.logger.Error("evaluating placeholders", zap.Error(err))
 			expandedFile = file // "oh well," I guess?
 		}
 
@@ -395,9 +379,7 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 		} else {
 			globResults, err = fs.Glob(fileSystem, fullPattern)
 			if err != nil {
-				if c := m.logger.Check(zapcore.ErrorLevel, "expanding glob"); c != nil {
-					c.Write(zap.Error(err))
-				}
+				m.logger.Error("expanding glob", zap.Error(err))
 			}
 		}
 
@@ -431,18 +413,15 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 	switch m.TryPolicy {
 	case "", tryPolicyFirstExist:
 		for _, pattern := range m.TryFiles {
-			// If the pattern is a status code, emit an error,
-			// which short-circuits the middleware pipeline and
-			// writes an HTTP error response.
 			if err := parseErrorCode(pattern); err != nil {
-				return false, err
+				caddyhttp.SetVar(r.Context(), caddyhttp.MatcherErrorVarKey, err)
+				return
 			}
-
 			candidates := makeCandidates(pattern)
 			for _, c := range candidates {
 				if info, exists := m.strictFileExists(fileSystem, c.fullpath); exists {
 					setPlaceholders(c, info)
-					return true, nil
+					return true
 				}
 			}
 		}
@@ -463,10 +442,10 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 			}
 		}
 		if largestInfo == nil {
-			return false, nil
+			return false
 		}
 		setPlaceholders(largest, largestInfo)
-		return true, nil
+		return true
 
 	case tryPolicySmallestSize:
 		var smallestSize int64
@@ -484,10 +463,10 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 			}
 		}
 		if smallestInfo == nil {
-			return false, nil
+			return false
 		}
 		setPlaceholders(smallest, smallestInfo)
-		return true, nil
+		return true
 
 	case tryPolicyMostRecentlyMod:
 		var recent matchCandidate
@@ -504,13 +483,13 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
 			}
 		}
 		if recentInfo == nil {
-			return false, nil
+			return false
 		}
 		setPlaceholders(recent, recentInfo)
-		return true, nil
+		return true
 	}
 
-	return false, nil
+	return
 }
 
 // parseErrorCode checks if the input is a status
@@ -647,7 +626,7 @@ func isCELCaddyPlaceholderCall(e ast.Expr) bool {
 	switch e.Kind() {
 	case ast.CallKind:
 		call := e.AsCall()
-		if call.FunctionName() == caddyhttp.CELPlaceholderFuncName {
+		if call.FunctionName() == "caddyPlaceholder" {
 			return true
 		}
 	case ast.UnspecifiedExprKind, ast.ComprehensionKind, ast.IdentKind, ast.ListKind, ast.LiteralKind, ast.MapKind, ast.SelectKind, ast.StructKind:
@@ -716,7 +695,7 @@ const (
 
 // Interface guards
 var (
-	_ caddy.Validator                   = (*MatchFile)(nil)
-	_ caddyhttp.RequestMatcherWithError = (*MatchFile)(nil)
-	_ caddyhttp.CELLibraryProducer      = (*MatchFile)(nil)
+	_ caddy.Validator              = (*MatchFile)(nil)
+	_ caddyhttp.RequestMatcher     = (*MatchFile)(nil)
+	_ caddyhttp.CELLibraryProducer = (*MatchFile)(nil)
 )

modules/caddyhttp/fileserver/matcher_test.go

@@ -130,10 +130,7 @@ func TestFileMatcher(t *testing.T) {
 		req := &http.Request{URL: u}
 		repl := caddyhttp.NewTestReplacer(req)
 
-		result, err := m.MatchWithError(req)
-		if err != nil {
-			t.Errorf("Test %d: unexpected error: %v", i, err)
-		}
+		result := m.Match(req)
 		if result != tc.matched {
 			t.Errorf("Test %d: expected match=%t, got %t", i, tc.matched, result)
 		}
@@ -243,10 +240,7 @@ func TestPHPFileMatcher(t *testing.T) {
 		req := &http.Request{URL: u}
 		repl := caddyhttp.NewTestReplacer(req)
 
-		result, err := m.MatchWithError(req)
-		if err != nil {
-			t.Errorf("Test %d: unexpected error: %v", i, err)
-		}
+		result := m.Match(req)
 		if result != tc.matched {
 			t.Errorf("Test %d: expected match=%t, got %t", i, tc.matched, result)
 		}
@@ -295,7 +289,6 @@ var expressionTests = []struct {
 	wantErr           bool
 	wantResult        bool
 	clientCertificate []byte
-	expectedPath      string
 }{
 	{
 		name: "file error no args (MatchFile)",
@@ -361,15 +354,6 @@ var expressionTests = []struct {
 		urlTarget:  "https://example.com/nopenope.txt",
 		wantResult: false,
 	},
-	{
-		name: "file match long pattern foo.txt with try_policy (MatchFile)",
-		expression: &caddyhttp.MatchExpression{
-			Expr: `file({"root": "./testdata", "try_policy": "largest_size", "try_files": ["foo.txt", "large.txt"]})`,
-		},
-		urlTarget:    "https://example.com/",
-		wantResult:   true,
-		expectedPath: "/large.txt",
-	},
 }
 
 func TestMatchExpressionMatch(t *testing.T) {
@@ -395,24 +379,9 @@ func TestMatchExpressionMatch(t *testing.T) {
 			ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
 			req = req.WithContext(ctx)
 
-			matches, err := tc.expression.MatchWithError(req)
-			if err != nil {
-				t.Errorf("MatchExpression.Match() error = %v", err)
-				return
-			}
-			if matches != tc.wantResult {
+			if tc.expression.Match(req) != tc.wantResult {
 				t.Errorf("MatchExpression.Match() expected to return '%t', for expression : '%s'", tc.wantResult, tc.expression.Expr)
 			}
-
-			if tc.expectedPath != "" {
-				path, ok := repl.Get("http.matchers.file.relative")
-				if !ok {
-					t.Errorf("MatchExpression.Match() expected to return path '%s', but got none", tc.expectedPath)
-				}
-				if path != tc.expectedPath {
-					t.Errorf("MatchExpression.Match() expected to return path '%s', but got '%s'", tc.expectedPath, path)
-				}
-			}
 		})
 	}
 }

modules/caddyhttp/fileserver/staticfiles.go

@@ -15,7 +15,6 @@
 package fileserver
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"io"
@@ -31,7 +30,6 @@ import (
 	"strings"
 
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -237,24 +235,6 @@ func (fsrv *FileServer) Provision(ctx caddy.Context) error {
 		fsrv.precompressors[ae] = p
 	}
 
-	if fsrv.Browse != nil {
-		// check sort options
-		for idx, sortOption := range fsrv.Browse.SortOptions {
-			switch idx {
-			case 0:
-				if sortOption != sortByName && sortOption != sortByNameDirFirst && sortOption != sortBySize && sortOption != sortByTime {
-					return fmt.Errorf("the first option must be one of the following: %s, %s, %s, %s, but got %s", sortByName, sortByNameDirFirst, sortBySize, sortByTime, sortOption)
-				}
-			case 1:
-				if sortOption != sortOrderAsc && sortOption != sortOrderDesc {
-					return fmt.Errorf("the second option must be one of the following: %s, %s, but got %s", sortOrderAsc, sortOrderDesc, sortOption)
-				}
-			default:
-				return fmt.Errorf("only max 2 sort options are allowed, but got %d", idx+1)
-			}
-		}
-	}
-
 	return nil
 }
 
@@ -287,14 +267,11 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	// remove any trailing `/` as it breaks fs.ValidPath() in the stdlib
 	filename := strings.TrimSuffix(caddyhttp.SanitizedPathJoin(root, r.URL.Path), "/")
 
-	if c := fsrv.logger.Check(zapcore.DebugLevel, "sanitized path join"); c != nil {
-		c.Write(
-			zap.String("site_root", root),
-			zap.String("fs", fsName),
-			zap.String("request_path", r.URL.Path),
-			zap.String("result", filename),
-		)
-	}
+	fsrv.logger.Debug("sanitized path join",
+		zap.String("site_root", root),
+		zap.String("fs", fsName),
+		zap.String("request_path", r.URL.Path),
+		zap.String("result", filename))
 
 	// get information about the file
 	info, err := fs.Stat(fileSystem, filename)
@@ -317,12 +294,9 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 			indexPath := caddyhttp.SanitizedPathJoin(filename, indexPage)
 			if fileHidden(indexPath, filesToHide) {
 				// pretend this file doesn't exist
-				if c := fsrv.logger.Check(zapcore.DebugLevel, "hiding index file"); c != nil {
-					c.Write(
-						zap.String("filename", indexPath),
-						zap.Strings("files_to_hide", filesToHide),
-					)
-				}
+				fsrv.logger.Debug("hiding index file",
+					zap.String("filename", indexPath),
+					zap.Strings("files_to_hide", filesToHide))
 				continue
 			}
 
@@ -342,9 +316,7 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 			info = indexInfo
 			filename = indexPath
 			implicitIndexFile = true
-			if c := fsrv.logger.Check(zapcore.DebugLevel, "located index file"); c != nil {
-				c.Write(zap.String("filename", filename))
-			}
+			fsrv.logger.Debug("located index file", zap.String("filename", filename))
 			break
 		}
 	}
@@ -352,12 +324,9 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	// if still referencing a directory, delegate
 	// to browse or return an error
 	if info.IsDir() {
-		if c := fsrv.logger.Check(zapcore.DebugLevel, "no index file in directory"); c != nil {
-			c.Write(
-				zap.String("path", filename),
-				zap.Strings("index_filenames", fsrv.IndexNames),
-			)
-		}
+		fsrv.logger.Debug("no index file in directory",
+			zap.String("path", filename),
+			zap.Strings("index_filenames", fsrv.IndexNames))
 		if fsrv.Browse != nil && !fileHidden(filename, filesToHide) {
 			return fsrv.serveBrowse(fileSystem, root, filename, w, r, next)
 		}
@@ -367,12 +336,9 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	// one last check to ensure the file isn't hidden (we might
 	// have changed the filename from when we last checked)
 	if fileHidden(filename, filesToHide) {
-		if c := fsrv.logger.Check(zapcore.DebugLevel, "hiding file"); c != nil {
-			c.Write(
-				zap.String("filename", filename),
-				zap.Strings("files_to_hide", filesToHide),
-			)
-		}
+		fsrv.logger.Debug("hiding file",
+			zap.String("filename", filename),
+			zap.Strings("files_to_hide", filesToHide))
 		return fsrv.notFound(w, r, next)
 	}
 
@@ -390,21 +356,15 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 		if path.Base(origReq.URL.Path) == path.Base(r.URL.Path) {
 			if implicitIndexFile && !strings.HasSuffix(origReq.URL.Path, "/") {
 				to := origReq.URL.Path + "/"
-				if c := fsrv.logger.Check(zapcore.DebugLevel, "redirecting to canonical URI (adding trailing slash for directory"); c != nil {
-					c.Write(
-						zap.String("from_path", origReq.URL.Path),
-						zap.String("to_path", to),
-					)
-				}
+				fsrv.logger.Debug("redirecting to canonical URI (adding trailing slash for directory)",
+					zap.String("from_path", origReq.URL.Path),
+					zap.String("to_path", to))
 				return redirect(w, r, to)
 			} else if !implicitIndexFile && strings.HasSuffix(origReq.URL.Path, "/") {
 				to := origReq.URL.Path[:len(origReq.URL.Path)-1]
-				if c := fsrv.logger.Check(zapcore.DebugLevel, "redirecting to canonical URI (removing trailing slash for file"); c != nil {
-					c.Write(
-						zap.String("from_path", origReq.URL.Path),
-						zap.String("to_path", to),
-					)
-				}
+				fsrv.logger.Debug("redirecting to canonical URI (removing trailing slash for file)",
+					zap.String("from_path", origReq.URL.Path),
+					zap.String("to_path", to))
 				return redirect(w, r, to)
 			}
 		}
@@ -432,19 +392,13 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 		compressedFilename := filename + precompress.Suffix()
 		compressedInfo, err := fs.Stat(fileSystem, compressedFilename)
 		if err != nil || compressedInfo.IsDir() {
-			if c := fsrv.logger.Check(zapcore.DebugLevel, "precompressed file not accessible"); c != nil {
-				c.Write(zap.String("filename", compressedFilename), zap.Error(err))
-			}
+			fsrv.logger.Debug("precompressed file not accessible", zap.String("filename", compressedFilename), zap.Error(err))
 			continue
 		}
-		if c := fsrv.logger.Check(zapcore.DebugLevel, "opening compressed sidecar file"); c != nil {
-			c.Write(zap.String("filename", compressedFilename), zap.Error(err))
-		}
+		fsrv.logger.Debug("opening compressed sidecar file", zap.String("filename", compressedFilename), zap.Error(err))
 		file, err = fsrv.openFile(fileSystem, compressedFilename, w)
 		if err != nil {
-			if c := fsrv.logger.Check(zapcore.WarnLevel, "opening precompressed file failed"); c != nil {
-				c.Write(zap.String("filename", compressedFilename), zap.Error(err))
-			}
+			fsrv.logger.Warn("opening precompressed file failed", zap.String("filename", compressedFilename), zap.Error(err))
 			if caddyErr, ok := err.(caddyhttp.HandlerError); ok && caddyErr.StatusCode == http.StatusServiceUnavailable {
 				return err
 			}
@@ -475,9 +429,7 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 
 	// no precompressed file found, use the actual file
 	if file == nil {
-		if c := fsrv.logger.Check(zapcore.DebugLevel, "opening file"); c != nil {
-			c.Write(zap.String("filename", filename))
-		}
+		fsrv.logger.Debug("opening file", zap.String("filename", filename))
 
 		// open the file
 		file, err = fsrv.openFile(fileSystem, filename, w)
@@ -577,14 +529,10 @@ func (fsrv *FileServer) openFile(fileSystem fs.FS, filename string, w http.Respo
 	if err != nil {
 		err = fsrv.mapDirOpenError(fileSystem, err, filename)
 		if errors.Is(err, fs.ErrNotExist) {
-			if c := fsrv.logger.Check(zapcore.DebugLevel, "file not found"); c != nil {
-				c.Write(zap.String("filename", filename), zap.Error(err))
-			}
+			fsrv.logger.Debug("file not found", zap.String("filename", filename), zap.Error(err))
 			return nil, caddyhttp.Error(http.StatusNotFound, err)
 		} else if errors.Is(err, fs.ErrPermission) {
-			if c := fsrv.logger.Check(zapcore.DebugLevel, "permission denied"); c != nil {
-				c.Write(zap.String("filename", filename), zap.Error(err))
-			}
+			fsrv.logger.Debug("permission denied", zap.String("filename", filename), zap.Error(err))
 			return nil, caddyhttp.Error(http.StatusForbidden, err)
 		}
 		// maybe the server is under load and ran out of file descriptors?
@@ -592,9 +540,7 @@ func (fsrv *FileServer) openFile(fileSystem fs.FS, filename string, w http.Respo
 		//nolint:gosec
 		backoff := weakrand.Intn(maxBackoff-minBackoff) + minBackoff
 		w.Header().Set("Retry-After", strconv.Itoa(backoff))
-		if c := fsrv.logger.Check(zapcore.DebugLevel, "retry after backoff"); c != nil {
-			c.Write(zap.String("filename", filename), zap.Int("backoff", backoff), zap.Error(err))
-		}
+		fsrv.logger.Debug("retry after backoff", zap.String("filename", filename), zap.Int("backoff", backoff), zap.Error(err))
 		return nil, caddyhttp.Error(http.StatusServiceUnavailable, err)
 	}
 	return file, nil
@@ -744,10 +690,6 @@ func (fsrv *FileServer) getEtagFromFile(fileSystem fs.FS, filename string) (stri
 		if err != nil {
 			return "", fmt.Errorf("cannot read etag from file %s: %v", etagFilename, err)
 		}
-
-		// Etags should not contain newline characters
-		etag = bytes.ReplaceAll(etag, []byte("\n"), []byte{})
-
 		return string(etag), nil
 	}
 	return "", nil

modules/caddyhttp/fileserver/testdata/large.txt

@@ -1,3 +0,0 @@
-This is a file with more content than the other files in this directory
-such that tests using the largest_size policy pick this file, or the
-smallest_size policy avoids this file.

modules/caddyhttp/headers/headers.go

@@ -135,14 +135,13 @@ type HeaderOps struct {
 func (ops *HeaderOps) Provision(_ caddy.Context) error {
 	for fieldName, replacements := range ops.Replace {
 		for i, r := range replacements {
-			if r.SearchRegexp == "" {
-				continue
+			if r.SearchRegexp != "" {
+				re, err := regexp.Compile(r.SearchRegexp)
+				if err != nil {
+					return fmt.Errorf("replacement %d for header field '%s': %v", i, fieldName, err)
+				}
+				replacements[i].re = re
 			}
-			re, err := regexp.Compile(r.SearchRegexp)
-			if err != nil {
-				return fmt.Errorf("replacement %d for header field '%s': %v", i, fieldName, err)
-			}
-			replacements[i].re = re
 		}
 	}
 	return nil
@@ -200,7 +199,9 @@ func (ops HeaderOps) ApplyTo(hdr http.Header, repl *caddy.Replacer) {
 	for _, fieldName := range ops.Delete {
 		fieldName = repl.ReplaceKnown(fieldName, "")
 		if fieldName == "*" {
-			clear(hdr)
+			for existingField := range hdr {
+				delete(hdr, existingField)
+			}
 		}
 	}
 

modules/caddyhttp/intercept/intercept.go

@@ -23,7 +23,6 @@ import (
 	"sync"
 
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -51,6 +50,7 @@ type Intercept struct {
 	//
 	// Three new placeholders are available in this handler chain:
 	// - `{http.intercept.status_code}` The status code from the response
+	// - `{http.intercept.status_text}` The status text from the response
 	// - `{http.intercept.header.*}` The headers from the response
 	HandleResponse []caddyhttp.ResponseHandler `json:"handle_response,omitempty"`
 
@@ -161,14 +161,12 @@ func (ir Intercept) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddy
 
 	// set up the replacer so that parts of the original response can be
 	// used for routing decisions
-	for field, value := range rec.Header() {
+	for field, value := range r.Header {
 		repl.Set("http.intercept.header."+field, strings.Join(value, ","))
 	}
 	repl.Set("http.intercept.status_code", rec.Status())
 
-	if c := ir.logger.Check(zapcore.DebugLevel, "handling response"); c != nil {
-		c.Write(zap.Int("handler", rec.handlerIndex))
-	}
+	ir.logger.Debug("handling response", zap.Int("handler", rec.handlerIndex))
 
 	// pass the request through the response handler routes
 	return rec.handler.Routes.Compile(next).ServeHTTP(w, r)

modules/caddyhttp/ip_matchers.go

@@ -26,11 +26,9 @@ import (
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types/ref"
 	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/internal"
 )
 
 // MatchRemoteIP matches requests by the remote IP address,
@@ -81,7 +79,7 @@ func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				return d.Err("the 'forwarded' option is no longer supported; use the 'client_ip' matcher instead")
 			}
 			if d.Val() == "private_ranges" {
-				m.Ranges = append(m.Ranges, internal.PrivateRangesCIDR()...)
+				m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
 				continue
 			}
 			m.Ranges = append(m.Ranges, d.Val())
@@ -108,7 +106,7 @@ func (MatchRemoteIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
 		// internal data type of the MatchPath value.
 		[]*cel.Type{cel.ListType(cel.StringType)},
 		// function to convert a constant list of strings to a MatchPath instance.
-		func(data ref.Val) (RequestMatcherWithError, error) {
+		func(data ref.Val) (RequestMatcher, error) {
 			refStringList := reflect.TypeOf([]string{})
 			strList, err := data.ConvertToNative(refStringList)
 			if err != nil {
@@ -145,39 +143,17 @@ func (m *MatchRemoteIP) Provision(ctx caddy.Context) error {
 
 // Match returns true if r matches m.
 func (m MatchRemoteIP) Match(r *http.Request) bool {
-	match, err := m.MatchWithError(r)
-	if err != nil {
-		SetVar(r.Context(), MatcherErrorVarKey, err)
-	}
-	return match
-}
-
-// MatchWithError returns true if r matches m.
-func (m MatchRemoteIP) MatchWithError(r *http.Request) (bool, error) {
-	// if handshake is not finished, we infer 0-RTT that has
-	// not verified remote IP; could be spoofed, so we throw
-	// HTTP 425 status to tell the client to try again after
-	// the handshake is complete
-	if r.TLS != nil && !r.TLS.HandshakeComplete {
-		return false, Error(http.StatusTooEarly, fmt.Errorf("TLS handshake not complete, remote IP cannot be verified"))
-	}
-
 	address := r.RemoteAddr
 	clientIP, zoneID, err := parseIPZoneFromString(address)
 	if err != nil {
-		if c := m.logger.Check(zapcore.ErrorLevel, "getting remote "); c != nil {
-			c.Write(zap.Error(err))
-		}
-
-		return false, nil
+		m.logger.Error("getting remote IP", zap.Error(err))
+		return false
 	}
 	matches, zoneFilter := matchIPByCidrZones(clientIP, zoneID, m.cidrs, m.zones)
 	if !matches && !zoneFilter {
-		if c := m.logger.Check(zapcore.DebugLevel, "zone ID from remote IP did not match"); c != nil {
-			c.Write(zap.String("zone", zoneID))
-		}
+		m.logger.Debug("zone ID from remote IP did not match", zap.String("zone", zoneID))
 	}
-	return matches, nil
+	return matches
 }
 
 // CaddyModule returns the Caddy module information.
@@ -194,7 +170,7 @@ func (m *MatchClientIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	for d.Next() {
 		for d.NextArg() {
 			if d.Val() == "private_ranges" {
-				m.Ranges = append(m.Ranges, internal.PrivateRangesCIDR()...)
+				m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
 				continue
 			}
 			m.Ranges = append(m.Ranges, d.Val())
@@ -221,7 +197,7 @@ func (MatchClientIP) CELLibrary(ctx caddy.Context) (cel.Library, error) {
 		// internal data type of the MatchPath value.
 		[]*cel.Type{cel.ListType(cel.StringType)},
 		// function to convert a constant list of strings to a MatchPath instance.
-		func(data ref.Val) (RequestMatcherWithError, error) {
+		func(data ref.Val) (RequestMatcher, error) {
 			refStringList := reflect.TypeOf([]string{})
 			strList, err := data.ConvertToNative(refStringList)
 			if err != nil {
@@ -252,42 +228,23 @@ func (m *MatchClientIP) Provision(ctx caddy.Context) error {
 
 // Match returns true if r matches m.
 func (m MatchClientIP) Match(r *http.Request) bool {
-	match, err := m.MatchWithError(r)
-	if err != nil {
-		SetVar(r.Context(), MatcherErrorVarKey, err)
-	}
-	return match
-}
-
-// MatchWithError returns true if r matches m.
-func (m MatchClientIP) MatchWithError(r *http.Request) (bool, error) {
-	// if handshake is not finished, we infer 0-RTT that has
-	// not verified remote IP; could be spoofed, so we throw
-	// HTTP 425 status to tell the client to try again after
-	// the handshake is complete
-	if r.TLS != nil && !r.TLS.HandshakeComplete {
-		return false, Error(http.StatusTooEarly, fmt.Errorf("TLS handshake not complete, remote IP cannot be verified"))
-	}
-
 	address := GetVar(r.Context(), ClientIPVarKey).(string)
 	clientIP, zoneID, err := parseIPZoneFromString(address)
 	if err != nil {
 		m.logger.Error("getting client IP", zap.Error(err))
-		return false, nil
+		return false
 	}
 	matches, zoneFilter := matchIPByCidrZones(clientIP, zoneID, m.cidrs, m.zones)
 	if !matches && !zoneFilter {
 		m.logger.Debug("zone ID from client IP did not match", zap.String("zone", zoneID))
 	}
-	return matches, nil
+	return matches
 }
 
 func provisionCidrsZonesFromRanges(ranges []string) ([]*netip.Prefix, []string, error) {
 	cidrs := []*netip.Prefix{}
 	zones := []string{}
-	repl := caddy.NewReplacer()
 	for _, str := range ranges {
-		str = repl.ReplaceAll(str, "")
 		// Exclude the zone_id from the IP
 		if strings.Contains(str, "%") {
 			split := strings.Split(str, "%")
@@ -354,13 +311,13 @@ func matchIPByCidrZones(clientIP netip.Addr, zoneID string, cidrs []*netip.Prefi
 
 // Interface guards
 var (
-	_ RequestMatcherWithError = (*MatchRemoteIP)(nil)
-	_ caddy.Provisioner       = (*MatchRemoteIP)(nil)
-	_ caddyfile.Unmarshaler   = (*MatchRemoteIP)(nil)
-	_ CELLibraryProducer      = (*MatchRemoteIP)(nil)
+	_ RequestMatcher        = (*MatchRemoteIP)(nil)
+	_ caddy.Provisioner     = (*MatchRemoteIP)(nil)
+	_ caddyfile.Unmarshaler = (*MatchRemoteIP)(nil)
+	_ CELLibraryProducer    = (*MatchRemoteIP)(nil)
 
-	_ RequestMatcherWithError = (*MatchClientIP)(nil)
-	_ caddy.Provisioner       = (*MatchClientIP)(nil)
-	_ caddyfile.Unmarshaler   = (*MatchClientIP)(nil)
-	_ CELLibraryProducer      = (*MatchClientIP)(nil)
+	_ RequestMatcher        = (*MatchClientIP)(nil)
+	_ caddy.Provisioner     = (*MatchClientIP)(nil)
+	_ caddyfile.Unmarshaler = (*MatchClientIP)(nil)
+	_ CELLibraryProducer    = (*MatchClientIP)(nil)
 )

modules/caddyhttp/ip_range.go

@@ -22,7 +22,6 @@ import (
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/internal"
 )
 
 func init() {
@@ -93,7 +92,7 @@ func (m *StaticIPRange) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	}
 	for d.NextArg() {
 		if d.Val() == "private_ranges" {
-			m.Ranges = append(m.Ranges, internal.PrivateRangesCIDR()...)
+			m.Ranges = append(m.Ranges, PrivateRangesCIDR()...)
 			continue
 		}
 		m.Ranges = append(m.Ranges, d.Val())
@@ -122,16 +121,22 @@ func CIDRExpressionToPrefix(expr string) (netip.Prefix, error) {
 	return prefix, nil
 }
 
+// PrivateRangesCIDR returns a list of private CIDR range
+// strings, which can be used as a configuration shortcut.
+func PrivateRangesCIDR() []string {
+	return []string{
+		"192.168.0.0/16",
+		"172.16.0.0/12",
+		"10.0.0.0/8",
+		"127.0.0.1/8",
+		"fd00::/8",
+		"::1",
+	}
+}
+
 // Interface guards
 var (
 	_ caddy.Provisioner     = (*StaticIPRange)(nil)
 	_ caddyfile.Unmarshaler = (*StaticIPRange)(nil)
 	_ IPRangeSource         = (*StaticIPRange)(nil)
 )
-
-// PrivateRangesCIDR returns a list of private CIDR range
-// strings, which can be used as a configuration shortcut.
-// Note: this function is used at least by mholt/caddy-l4.
-func PrivateRangesCIDR() []string {
-	return internal.PrivateRangesCIDR()
-}

modules/caddyhttp/logging.go

@@ -193,7 +193,7 @@ func (sa *StringArray) UnmarshalJSON(b []byte) error {
 // to use, the error log message, and any extra fields.
 // If err is a HandlerError, the returned values will
 // have richer information.
-func errLogValues(err error) (status int, msg string, fields func() []zapcore.Field) {
+func errLogValues(err error) (status int, msg string, fields []zapcore.Field) {
 	var handlerErr HandlerError
 	if errors.As(err, &handlerErr) {
 		status = handlerErr.StatusCode
@@ -202,12 +202,10 @@ func errLogValues(err error) (status int, msg string, fields func() []zapcore.Fi
 		} else {
 			msg = handlerErr.Err.Error()
 		}
-		fields = func() []zapcore.Field {
-			return []zapcore.Field{
-				zap.Int("status", handlerErr.StatusCode),
-				zap.String("err_id", handlerErr.ID),
-				zap.String("err_trace", handlerErr.Trace),
-			}
+		fields = []zapcore.Field{
+			zap.Int("status", handlerErr.StatusCode),
+			zap.String("err_id", handlerErr.ID),
+			zap.String("err_trace", handlerErr.Trace),
 		}
 		return
 	}

modules/caddyhttp/map/map.go

@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"net/http"
 	"regexp"
-	"slices"
 	"strings"
 
 	"github.com/caddyserver/caddy/v2"
@@ -127,7 +126,7 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhtt
 	// defer work until a variable is actually evaluated by using replacer's Map callback
 	repl.Map(func(key string) (any, bool) {
 		// return early if the variable is not even a configured destination
-		destIdx := slices.Index(h.Destinations, key)
+		destIdx := h.destinationIndex(key)
 		if destIdx < 0 {
 			return nil, false
 		}
@@ -171,6 +170,17 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhtt
 	return next.ServeHTTP(w, r)
 }
 
+// destinationIndex returns the positional index of the destination
+// is name is a known destination; otherwise it returns -1.
+func (h Handler) destinationIndex(name string) int {
+	for i, dest := range h.Destinations {
+		if dest == name {
+			return i
+		}
+	}
+	return -1
+}
+
 // Mapping describes a mapping from input to outputs.
 type Mapping struct {
 	// The input value to match. Must be distinct from other mappings.