4 files changed, 91 insertions, 45 deletions

diff --git a/caddyconfig/httpcaddyfile/addresses.go b/caddyconfig/httpcaddyfile/addresses.go
index 3aedb60..64c5d4f 100644
--- a/caddyconfig/httpcaddyfile/addresses.go
+++ b/caddyconfig/httpcaddyfile/addresses.go
@@ -45,7 +45,7 @@ import (
 // key of its server block (specifying the host part), and each key may have
 // a different port. And we definitely need to be sure that a site which is
 // bound to be served on a specific interface is not served on others just
-// beceause that is more convenient: it would be a potential security risk
+// because that is more convenient: it would be a potential security risk
 // if the difference between interfaces means private vs. public.
 //
 // So what this function does for the example above is iterate each server
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index a085fcb..3b5a4f5 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -37,7 +37,7 @@ func init() {
 	RegisterHandlerDirective("redir", parseRedir)
 	RegisterHandlerDirective("respond", parseRespond)
 	RegisterHandlerDirective("route", parseRoute)
-	RegisterHandlerDirective("handle", parseSegmentAsSubroute)
+	RegisterHandlerDirective("handle", parseHandle)
 	RegisterDirective("handle_errors", parseHandleErrors)
 	RegisterDirective("log", parseLog)
 }
@@ -152,6 +152,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			// policy that is looking for any tag but the last one to be
 			// loaded won't find it, and TLS handshakes will fail (see end)
 			// of issue #3004)
+
+			// tlsCertTags maps certificate filenames to their tag.
+			// This is used to remember which tag is used for each
+			// certificate files, since we need to avoid loading
+			// the same certificate files more than once, overwriting
+			// previous tags
+			tlsCertTags, ok := h.State["tlsCertTags"].(map[string]string)
+			if !ok {
+				tlsCertTags = make(map[string]string)
+				h.State["tlsCertTags"] = tlsCertTags
+			}
+
 			tag, ok := tlsCertTags[certFilename]
 			if !ok {
 				// haven't seen this cert file yet, let's give it a tag
@@ -521,10 +533,15 @@ func parseLog(h Helper) ([]ConfigValue, error) {
 
 		var val namedCustomLog
 		if !reflect.DeepEqual(cl, new(caddy.CustomLog)) {
+			logCounter, ok := h.State["logCounter"].(int)
+			if !ok {
+				logCounter = 0
+			}
 			cl.Include = []string{"http.log.access"}
 			val.name = fmt.Sprintf("log%d", logCounter)
 			val.log = cl
 			logCounter++
+			h.State["logCounter"] = logCounter
 		}
 		configValues = append(configValues, ConfigValue{
 			Class: "custom_log",
@@ -533,12 +550,3 @@ func parseLog(h Helper) ([]ConfigValue, error) {
 	}
 	return configValues, nil
 }
-
-// tlsCertTags maps certificate filenames to their tag.
-// This is used to remember which tag is used for each
-// certificate files, since we need to avoid loading
-// the same certificate files more than once, overwriting
-// previous tags
-var tlsCertTags = make(map[string]string)
-
-var logCounter int
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go
index f82e2a8..e7a9686 100644
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@@ -114,6 +114,8 @@ func RegisterHandlerDirective(dir string, setupFunc UnmarshalHandlerFunc) {
 // Caddyfile tokens.
 type Helper struct {
 	*caddyfile.Dispenser
+	// State stores intermediate variables during caddyfile adaptation.
+	State        map[string]interface{}
 	options      map[string]interface{}
 	warnings     *[]caddyconfig.Warning
 	matcherDefs  map[string]caddy.ModuleMap
@@ -161,6 +163,23 @@ func (h Helper) MatcherToken() (caddy.ModuleMap, bool, error) {
 	return matcherSetFromMatcherToken(h.Dispenser.Token(), h.matcherDefs, h.warnings)
 }
 
+// ExtractMatcherSet is like MatcherToken, except this is a higher-level
+// method that returns the matcher set described by the matcher token,
+// or nil if there is none, and deletes the matcher token from the
+// dispenser and resets it as if this look-ahead never happened. Useful
+// when wrapping a route (one or more handlers) in a user-defined matcher.
+func (h Helper) ExtractMatcherSet() (caddy.ModuleMap, error) {
+	matcherSet, hasMatcher, err := h.MatcherToken()
+	if err != nil {
+		return nil, err
+	}
+	if hasMatcher {
+		h.Dispenser.Delete() // strip matcher token
+	}
+	h.Dispenser.Reset() // pretend this lookahead never happened
+	return matcherSet, nil
+}
+
 // NewRoute returns config values relevant to creating a new HTTP route.
 func (h Helper) NewRoute(matcherSet caddy.ModuleMap,
 	handler caddyhttp.MiddlewareHandler) []ConfigValue {
@@ -266,28 +285,31 @@ func sortRoutes(routes []ConfigValue) {
 				return false
 			}
 
-			if len(iRoute.MatcherSetsRaw) == 1 && len(jRoute.MatcherSetsRaw) == 1 {
-				// use already-decoded matcher, or decode if it's the first time seeing it
-				iPM, jPM := decodedMatchers[i], decodedMatchers[j]
-				if iPM == nil {
-					var pathMatcher caddyhttp.MatchPath
-					_ = json.Unmarshal(iRoute.MatcherSetsRaw[0]["path"], &pathMatcher)
-					decodedMatchers[i] = pathMatcher
-					iPM = pathMatcher
-				}
-				if jPM == nil {
-					var pathMatcher caddyhttp.MatchPath
-					_ = json.Unmarshal(jRoute.MatcherSetsRaw[0]["path"], &pathMatcher)
-					decodedMatchers[j] = pathMatcher
-					jPM = pathMatcher
-				}
+			// use already-decoded matcher, or decode if it's the first time seeing it
+			iPM, jPM := decodedMatchers[i], decodedMatchers[j]
+			if iPM == nil && len(iRoute.MatcherSetsRaw) == 1 {
+				var pathMatcher caddyhttp.MatchPath
+				_ = json.Unmarshal(iRoute.MatcherSetsRaw[0]["path"], &pathMatcher)
+				decodedMatchers[i] = pathMatcher
+				iPM = pathMatcher
+			}
+			if jPM == nil && len(jRoute.MatcherSetsRaw) == 1 {
+				var pathMatcher caddyhttp.MatchPath
+				_ = json.Unmarshal(jRoute.MatcherSetsRaw[0]["path"], &pathMatcher)
+				decodedMatchers[j] = pathMatcher
+				jPM = pathMatcher
+			}
 
-				// if there is only one path in the matcher, sort by
-				// longer path (more specific) first
-				if len(iPM) == 1 && len(jPM) == 1 {
-					return len(iPM[0]) > len(jPM[0])
-				}
+			// sort by longer path (more specific) first; missing
+			// path matchers are treated as zero-length paths
+			var iPathLen, jPathLen int
+			if iPM != nil {
+				iPathLen = len(iPM[0])
+			}
+			if jPM != nil {
+				jPathLen = len(jPM[0])
 			}
+			return iPathLen > jPathLen
 		}
 
 		return dirPositions[iDir] < dirPositions[jDir]
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index aaec2e9..d880d97 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -42,6 +42,7 @@ func (st ServerType) Setup(originalServerBlocks []caddyfile.ServerBlock,
 	options map[string]interface{}) (*caddy.Config, []caddyconfig.Warning, error) {
 	var warnings []caddyconfig.Warning
 	gc := counter{new(int)}
+	state := make(map[string]interface{})
 
 	// load all the server blocks and associate them with a "pile"
 	// of config values; also prohibit duplicate keys because they
@@ -133,14 +134,17 @@ func (st ServerType) Setup(originalServerBlocks []caddyfile.ServerBlock,
 				return nil, warnings, fmt.Errorf("%s:%d: unrecognized directive: %s", tkn.File, tkn.Line, dir)
 			}
 
-			results, err := dirFunc(Helper{
+			h := Helper{
 				Dispenser:    caddyfile.NewDispenser(segment),
 				options:      options,
 				warnings:     &warnings,
 				matcherDefs:  matcherDefs,
 				parentBlock:  sb.block,
 				groupCounter: gc,
-			})
+				State:        state,
+			}
+
+			results, err := dirFunc(h)
 			if err != nil {
 				return nil, warnings, fmt.Errorf("parsing caddyfile tokens for '%s': %v", dir, err)
 			}
@@ -169,9 +173,10 @@ func (st ServerType) Setup(originalServerBlocks []caddyfile.ServerBlock,
 
 	// now that each server is configured, make the HTTP app
 	httpApp := caddyhttp.App{
-		HTTPPort:  tryInt(options["http_port"], &warnings),
-		HTTPSPort: tryInt(options["https_port"], &warnings),
-		Servers:   servers,
+		HTTPPort:   tryInt(options["http_port"], &warnings),
+		HTTPSPort:  tryInt(options["https_port"], &warnings),
+		DefaultSNI: tryString(options["default_sni"], &warnings),
+		Servers:    servers,
 	}
 
 	// now for the TLS app! (TODO: refactor into own func)
@@ -326,7 +331,23 @@ func (st ServerType) Setup(originalServerBlocks []caddyfile.ServerBlock,
 			&warnings)
 	}
 	if adminConfig, ok := options["admin"].(string); ok && adminConfig != "" {
-		cfg.Admin = &caddy.AdminConfig{Listen: adminConfig}
+		if adminConfig == "off" {
+			cfg.Admin = &caddy.AdminConfig{Disabled: true}
+		} else {
+			cfg.Admin = &caddy.AdminConfig{Listen: adminConfig}
+		}
+	}
+	if len(customLogs) > 0 {
+		if cfg.Logging == nil {
+			cfg.Logging = &caddy.Logging{
+				Logs: make(map[string]*caddy.CustomLog),
+			}
+		}
+		for _, ncl := range customLogs {
+			if ncl.name != "" {
+				cfg.Logging.Logs[ncl.name] = ncl.log
+			}
+		}
 	}
 	if len(customLogs) > 0 {
 		if cfg.Logging == nil {
@@ -985,12 +1006,12 @@ func sliceContains(haystack []string, needle string) bool {
 	return false
 }
 
-// specifity returns len(s) minus any wildcards (*) and
+// specificity returns len(s) minus any wildcards (*) and
 // placeholders ({...}). Basically, it's a length count
 // that penalizes the use of wildcards and placeholders.
 // This is useful for comparing hostnames and paths.
 // However, wildcards in paths are not a sure answer to
-// the question of specificity. For exmaple,
+// the question of specificity. For example,
 // '*.example.com' is clearly less specific than
 // 'a.example.com', but is '/a' more or less specific
 // than '/a*'?
@@ -1021,17 +1042,12 @@ func (c counter) nextGroup() string {
 	return name
 }
 
-type matcherSetAndTokens struct {
-	matcherSet caddy.ModuleMap
-	tokens     []caddyfile.Token
-}
-
 type namedCustomLog struct {
 	name string
 	log  *caddy.CustomLog
 }
 
-// sbAddrAssocation is a mapping from a list of
+// sbAddrAssociation is a mapping from a list of
 // addresses to a list of server blocks that are
 // served on those addresses.
 type sbAddrAssociation struct {