Merge pull request #308 from mholt/letsencrypt

Let's Encrypt

Merge pull request #308 from mholt/letsencrypt
Let's Encrypt
295d21f3 · Matt Holt · 09341fca · 86642749 · 09341fca · 295d21f3
Commit 295d21f3 authored Nov 02, 2015 by Matt Holt
84 changed files
--- a/app/app.go
+++ b/app/app.go
-// Package app holds application-global state to make it accessible
-// by other packages in the application.
-//
-// This package differs from config in that the things in app aren't
-// really related to server configuration.
-package app
-
-import (
-	"errors"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-
-	"github.com/mholt/caddy/server"
-)
-
-const (
-	// Name is the program name
-	Name = "Caddy"
-
-	// Version is the program version
-	Version = "0.7.6"
-)
-
-var (
-	// Servers is a list of all the currently-listening servers
-	Servers []*server.Server
-
-	// ServersMutex protects the Servers slice during changes
-	ServersMutex sync.Mutex
-
-	// Wg is used to wait for all servers to shut down
-	Wg sync.WaitGroup
-
-	// HTTP2 indicates whether HTTP2 is enabled or not
-	HTTP2 bool // TODO: temporary flag until http2 is standard
-
-	// Quiet mode hides non-error initialization output
-	Quiet bool
-)
-
-// SetCPU parses string cpu and sets GOMAXPROCS
-// according to its value. It accepts either
-// a number (e.g. 3) or a percent (e.g. 50%).
-func SetCPU(cpu string) error {
-	var numCPU int
-
-	availCPU := runtime.NumCPU()
-
-	if strings.HasSuffix(cpu, "%") {
-		// Percent
-		var percent float32
-		pctStr := cpu[:len(cpu)-1]
-		pctInt, err := strconv.Atoi(pctStr)
-		if err != nil || pctInt < 1 || pctInt > 100 {
-			return errors.New("invalid CPU value: percentage must be between 1-100")
-		}
-		percent = float32(pctInt) / 100
-		numCPU = int(float32(availCPU) * percent)
-	} else {
-		// Number
-		num, err := strconv.Atoi(cpu)
-		if err != nil || num < 1 {
-			return errors.New("invalid CPU value: provide a number or percent greater than 0")
-		}
-		numCPU = num
-	}
-
-	if numCPU > availCPU {
-		numCPU = availCPU
-	}
-
-	runtime.GOMAXPROCS(numCPU)
-	return nil
-}
--- a/caddy/assets/path.go
+++ b/caddy/assets/path.go
+package assets
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+// Path returns the path to the folder
+// where the application may store data. This
+// currently resolves to ~/.caddy
+func Path() string {
+	return filepath.Join(userHomeDir(), ".caddy")
+}
+
+// userHomeDir returns the user's home directory according to
+// environment variables.
+//
+// Credit: http://stackoverflow.com/a/7922977/1048862
+func userHomeDir() string {
+	if runtime.GOOS == "windows" {
+		home := os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
+		if home == "" {
+			home = os.Getenv("USERPROFILE")
+		}
+		return home
+	}
+	return os.Getenv("HOME")
+}
--- a/caddy/assets/path_test.go
+++ b/caddy/assets/path_test.go
+package assets
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestPath(t *testing.T) {
+	if actual := Path(); !strings.HasSuffix(actual, ".caddy") {
+		t.Errorf("Expected path to be a .caddy folder, got: %v", actual)
+	}
+}
--- a/caddy/caddy.go
+++ b/caddy/caddy.go
+// Package caddy implements the Caddy web server as a service.
+//
+// To use this package, follow a few simple steps:
+//
+//   1. Set the AppName and AppVersion variables.
+//   2. Call LoadCaddyfile() to get the Caddyfile (it
+//      might have been piped in as part of a restart).
+//      You should pass in your own Caddyfile loader.
+//   3. Call caddy.Start() to start Caddy, caddy.Stop()
+//      to stop it, or caddy.Restart() to restart it.
+//
+// You should use caddy.Wait() to wait for all Caddy servers
+// to quit before your process exits.
+//
+// Importing this package has the side-effect of trapping
+// SIGINT on all platforms and SIGUSR1 on not-Windows systems.
+// It has to do this in order to perform shutdowns or reloads.
+package caddy
+
+import (
+	"bytes"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"os"
+	"path"
+	"strings"
+	"sync"
+
+	"github.com/mholt/caddy/caddy/letsencrypt"
+	"github.com/mholt/caddy/server"
+)
+
+// Configurable application parameters
+var (
+	// The name and version of the application.
+	AppName, AppVersion string
+
+	// If true, initialization will not show any informative output.
+	Quiet bool
+
+	// DefaultInput is the default configuration to use when config input is empty or missing.
+	DefaultInput = CaddyfileInput{
+		Contents: []byte(fmt.Sprintf("%s:%s\nroot %s", DefaultHost, DefaultPort, DefaultRoot)),
+	}
+
+	// HTTP2 indicates whether HTTP2 is enabled or not
+	HTTP2 bool // TODO: temporary flag until http2 is standard
+)
+
+var (
+	// caddyfile is the input configuration text used for this process
+	caddyfile Input
+
+	// caddyfileMu protects caddyfile during changes
+	caddyfileMu sync.Mutex
+
+	// incompleteRestartErr occurs if this process is a fork
+	// of the parent but no Caddyfile was piped in
+	incompleteRestartErr = errors.New("cannot finish restart successfully")
+
+	// servers is a list of all the currently-listening servers
+	servers []*server.Server
+
+	// serversMu protects the servers slice during changes
+	serversMu sync.Mutex
+
+	// wg is used to wait for all servers to shut down
+	wg sync.WaitGroup
+
+	// loadedGob is used if this is a child process as part of
+	// a graceful restart; it is used to map listeners to their
+	// index in the list of inherited file descriptors. This
+	// variable is not safe for concurrent access.
+	loadedGob caddyfileGob
+)
+
+const (
+	DefaultHost = "0.0.0.0"
+	DefaultPort = "2015"
+	DefaultRoot = "."
+)
+
+// Start starts Caddy with the given Caddyfile. If cdyfile
+// is nil or the process is forked from a parent as part of
+// a graceful restart, Caddy will check to see if Caddyfile
+// was piped from stdin and use that. It blocks until all the
+// servers are listening.
+//
+// If this process is a fork and no Caddyfile was piped in,
+// an error will be returned (the Restart() function does this
+// for you automatically). If this process is NOT a fork and
+// cdyfile is nil, a default configuration will be assumed.
+// In any case, an error is returned if Caddy could not be
+// started.
+func Start(cdyfile Input) error {
+	// TODO: What if already started -- is that an error?
+
+	var err error
+
+	// Input must never be nil; try to load something
+	if cdyfile == nil {
+		cdyfile, err = LoadCaddyfile(nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	caddyfileMu.Lock()
+	caddyfile = cdyfile
+	caddyfileMu.Unlock()
+
+	// load the server configs (activates Let's Encrypt)
+	configs, err := loadConfigs(path.Base(cdyfile.Path()), bytes.NewReader(cdyfile.Body()))
+	if err != nil {
+		return err
+	}
+
+	// group virtualhosts by address
+	groupings, err := arrangeBindings(configs)
+	if err != nil {
+		return err
+	}
+
+	// Start each server with its one or more configurations
+	err = startServers(groupings)
+	if err != nil {
+		return err
+	}
+
+	// Close remaining file descriptors we may have inherited that we don't need
+	if isRestart() {
+		for _, fdIndex := range loadedGob.ListenerFds {
+			file := os.NewFile(fdIndex, "")
+			fln, err := net.FileListener(file)
+			if err == nil {
+				fln.Close()
+			}
+		}
+	}
+
+	// Show initialization output
+	if !Quiet && !isRestart() {
+		var checkedFdLimit bool
+		for _, group := range groupings {
+			for _, conf := range group.Configs {
+				// Print address of site
+				fmt.Println(conf.Address())
+
+				// Note if non-localhost site resolves to loopback interface
+				if group.BindAddr.IP.IsLoopback() && !isLocalhost(conf.Host) {
+					fmt.Printf("Notice: %s is only accessible on this machine (%s)\n",
+						conf.Host, group.BindAddr.IP.String())
+				}
+				if !checkedFdLimit && !group.BindAddr.IP.IsLoopback() && !isLocalhost(conf.Host) {
+					checkFdlimit()
+					checkedFdLimit = true
+				}
+			}
+		}
+	}
+
+	// Tell parent process that we got this
+	if isRestart() {
+		ppipe := os.NewFile(3, "") // parent is listening on pipe at index 3
+		ppipe.Write([]byte("success"))
+		ppipe.Close()
+	}
+
+	return nil
+}
+
+// startServers starts all the servers in groupings,
+// taking into account whether or not this process is
+// a child from a graceful restart or not. It blocks
+// until the servers are listening.
+func startServers(groupings Group) error {
+	var startupWg sync.WaitGroup
+
+	for _, group := range groupings {
+		s, err := server.New(group.BindAddr.String(), group.Configs)
+		if err != nil {
+			log.Fatal(err)
+		}
+		s.HTTP2 = HTTP2 // TODO: This setting is temporary
+
+		var ln server.ListenerFile
+		if isRestart() {
+			// Look up this server's listener in the map of inherited file descriptors;
+			// if we don't have one, we must make a new one.
+			if fdIndex, ok := loadedGob.ListenerFds[s.Addr]; ok {
+				file := os.NewFile(fdIndex, "")
+
+				fln, err := net.FileListener(file)
+				if err != nil {
+					log.Fatal(err)
+				}
+
+				ln, ok = fln.(server.ListenerFile)
+				if !ok {
+					log.Fatal("listener was not a ListenerFile")
+				}
+
+				delete(loadedGob.ListenerFds, s.Addr) // mark it as used
+			}
+		}
+
+		wg.Add(1)
+		go func(s *server.Server, ln server.ListenerFile) {
+			defer wg.Done()
+
+			if ln != nil {
+				err = s.Serve(ln)
+			} else {
+				err = s.ListenAndServe()
+			}
+
+			// "use of closed network connection" is normal if doing graceful shutdown...
+			if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+				if isRestart() {
+					log.Fatal(err)
+				} else {
+					log.Println(err)
+				}
+			}
+		}(s, ln)
+
+		startupWg.Add(1)
+		go func(s *server.Server) {
+			defer startupWg.Done()
+			s.WaitUntilStarted()
+		}(s)
+
+		serversMu.Lock()
+		servers = append(servers, s)
+		serversMu.Unlock()
+	}
+
+	startupWg.Wait()
+
+	return nil
+}
+
+// Stop stops all servers. It blocks until they are all stopped.
+// It does NOT execute shutdown callbacks that may have been
+// configured by middleware (they are executed on SIGINT).
+func Stop() error {
+	letsencrypt.Deactivate()
+
+	serversMu.Lock()
+	for _, s := range servers {
+		s.Stop() // TODO: error checking/reporting?
+	}
+	servers = []*server.Server{} // don't reuse servers
+	serversMu.Unlock()
+
+	return nil
+}
+
+// Wait blocks until all servers are stopped.
+func Wait() {
+	wg.Wait()
+}
+
+// LoadCaddyfile loads a Caddyfile in a way that prioritizes
+// reading from stdin pipe; otherwise it calls loader to load
+// the Caddyfile. If loader does not return a Caddyfile, the
+// default one will be returned. Thus, if there are no other
+// errors, this function always returns at least the default
+// Caddyfile (not the previously-used Caddyfile).
+func LoadCaddyfile(loader func() (Input, error)) (cdyfile Input, err error) {
+	// If we are a fork, finishing the restart is highest priority;
+	// piped input is required in this case.
+	if isRestart() {
+		err := gob.NewDecoder(os.Stdin).Decode(&loadedGob)
+		if err != nil {
+			return nil, err
+		}
+		cdyfile = loadedGob.Caddyfile
+	}
+
+	// Otherwise, we first try to get from stdin pipe
+	if cdyfile == nil {
+		cdyfile, err = CaddyfileFromPipe(os.Stdin)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// No piped input, so try the user's loader instead
+	if cdyfile == nil && loader != nil {
+		cdyfile, err = loader()
+	}
+
+	// Otherwise revert to default
+	if cdyfile == nil {
+		cdyfile = DefaultInput
+	}
+
+	return
+}
+
+// CaddyfileFromPipe loads the Caddyfile input from f if f is
+// not interactive input. f is assumed to be a pipe or stream,
+// such as os.Stdin. If f is not a pipe, no error is returned
+// but the Input value will be nil. An error is only returned
+// if there was an error reading the pipe, even if the length
+// of what was read is 0.
+func CaddyfileFromPipe(f *os.File) (Input, error) {
+	fi, err := f.Stat()
+	if err == nil && fi.Mode()&os.ModeCharDevice == 0 {
+		// Note that a non-nil error is not a problem. Windows
+		// will not create a stdin if there is no pipe, which
+		// produces an error when calling Stat(). But Unix will
+		// make one either way, which is why we also check that
+		// bitmask.
+		// BUG: Reading from stdin after this fails (e.g. for the let's encrypt email address) (OS X)
+		confBody, err := ioutil.ReadAll(f)
+		if err != nil {
+			return nil, err
+		}
+		return CaddyfileInput{
+			Contents: confBody,
+			Filepath: f.Name(),
+		}, nil
+	}
+
+	// not having input from the pipe is not itself an error,
+	// just means no input to return.
+	return nil, nil
+}
+
+// Caddyfile returns the current Caddyfile
+func Caddyfile() Input {
+	caddyfileMu.Lock()
+	defer caddyfileMu.Unlock()
+	return caddyfile
+}
+
+// Input represents a Caddyfile; its contents and file path
+// (which should include the file name at the end of the path).
+// If path does not apply (e.g. piped input) you may use
+// any understandable value. The path is mainly used for logging,
+// error messages, and debugging.
+type Input interface {
+	// Gets the Caddyfile contents
+	Body() []byte
+
+	// Gets the path to the origin file
+	Path() string
+
+	// IsFile returns true if the original input was a file on the file system
+	// that could be loaded again later if requested.
+	IsFile() bool
+}
--- a/caddy/caddy_test.go
+++ b/caddy/caddy_test.go
+package caddy
+
+import (
+	"net/http"
+	"testing"
+	"time"
+)
+
+func TestCaddyStartStop(t *testing.T) {
+	caddyfile := "localhost:1984\ntls off"
+
+	for i := 0; i < 2; i++ {
+		err := Start(CaddyfileInput{Contents: []byte(caddyfile)})
+		if err != nil {
+			t.Fatalf("Error starting, iteration %d: %v", i, err)
+		}
+
+		client := http.Client{
+			Timeout: time.Duration(2 * time.Second),
+		}
+		resp, err := client.Get("http://localhost:1984")
+		if err != nil {
+			t.Fatalf("Expected GET request to succeed (iteration %d), but it failed: %v", i, err)
+		}
+		resp.Body.Close()
+
+		err = Stop()
+		if err != nil {
+			t.Fatalf("Error stopping, iteration %d: %v", i, err)
+		}
+	}
+}
--- a/caddy/caddyfile/json.go
+++ b/caddy/caddyfile/json.go
+package caddyfile
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/mholt/caddy/caddy/parse"
+)
+
+const filename = "Caddyfile"
+
+// ToJSON converts caddyfile to its JSON representation.
+func ToJSON(caddyfile []byte) ([]byte, error) {
+	var j Caddyfile
+
+	serverBlocks, err := parse.ServerBlocks(filename, bytes.NewReader(caddyfile), false)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, sb := range serverBlocks {
+		block := ServerBlock{Body: make(map[string]interface{})}
+
+		for _, host := range sb.HostList() {
+			block.Hosts = append(block.Hosts, strings.TrimSuffix(host, ":"))
+		}
+
+		for dir, tokens := range sb.Tokens {
+			disp := parse.NewDispenserTokens(filename, tokens)
+			disp.Next() // the first token is the directive; skip it
+			block.Body[dir] = constructLine(disp)
+		}
+
+		j = append(j, block)
+	}
+
+	result, err := json.Marshal(j)
+	if err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+// constructLine transforms tokens into a JSON-encodable structure;
+// but only one line at a time, to be used at the top-level of
+// a server block only (where the first token on each line is a
+// directive) - not to be used at any other nesting level.
+func constructLine(d parse.Dispenser) interface{} {
+	var args []interface{}
+
+	all := d.RemainingArgs()
+	for _, arg := range all {
+		args = append(args, arg)
+	}
+
+	d.Next()
+	if d.Val() == "{" {
+		args = append(args, constructBlock(d))
+	}
+
+	return args
+}
+
+// constructBlock recursively processes tokens into a
+// JSON-encodable structure.
+func constructBlock(d parse.Dispenser) interface{} {
+	block := make(map[string]interface{})
+
+	for d.Next() {
+		if d.Val() == "}" {
+			break
+		}
+
+		dir := d.Val()
+		all := d.RemainingArgs()
+
+		var args []interface{}
+		for _, arg := range all {
+			args = append(args, arg)
+		}
+		if d.Val() == "{" {
+			args = append(args, constructBlock(d))
+		}
+
+		block[dir] = args
+	}
+
+	return block
+}
+
+// FromJSON converts JSON-encoded jsonBytes to Caddyfile text
+func FromJSON(jsonBytes []byte) ([]byte, error) {
+	var j Caddyfile
+	var result string
+
+	err := json.Unmarshal(jsonBytes, &j)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, sb := range j {
+		for i, host := range sb.Hosts {
+			if hostname, port, err := net.SplitHostPort(host); err == nil {
+				if port == "http" || port == "https" {
+					host = port + "://" + hostname
+				}
+			}
+			if i > 0 {
+				result += ", "
+			}
+			result += strings.TrimSuffix(host, ":")
+		}
+		result += jsonToText(sb.Body, 1)
+	}
+
+	return []byte(result), nil
+}
+
+// jsonToText recursively transforms a scope of JSON into plain
+// Caddyfile text.
+func jsonToText(scope interface{}, depth int) string {
+	var result string
+
+	switch val := scope.(type) {
+	case string:
+		if strings.ContainsAny(val, "\" \n\t\r") {
+			result += ` "` + strings.Replace(val, "\"", "\\\"", -1) + `"`
+		} else {
+			result += " " + val
+		}
+	case int:
+		result += " " + strconv.Itoa(val)
+	case float64:
+		result += " " + fmt.Sprintf("%v", val)
+	case bool:
+		result += " " + fmt.Sprintf("%t", val)
+	case map[string]interface{}:
+		result += " {\n"
+		for param, args := range val {
+			result += strings.Repeat("\t", depth) + param
+			result += jsonToText(args, depth+1) + "\n"
+		}
+		result += strings.Repeat("\t", depth-1) + "}"
+	case []interface{}:
+		for _, v := range val {
+			result += jsonToText(v, depth)
+		}
+	}
+
+	return result
+}
+
+type Caddyfile []ServerBlock
+
+type ServerBlock struct {
+	Hosts []string               `json:"hosts"`
+	Body  map[string]interface{} `json:"body"`
+}
--- a/caddy/caddyfile/json_test.go
+++ b/caddy/caddyfile/json_test.go
+package caddyfile
+
+import "testing"
+
+var tests = []struct {
+	caddyfile, json string
+}{
+	{ // 0
+		caddyfile: `foo {
+	root /bar
+}`,
+		json: `[{"hosts":["foo"],"body":{"root":["/bar"]}}]`,
+	},
+	{ // 1
+		caddyfile: `host1, host2 {
+	dir {
+		def
+	}
+}`,
+		json: `[{"hosts":["host1","host2"],"body":{"dir":[{"def":null}]}}]`,
+	},
+	{ // 2
+		caddyfile: `host1, host2 {
+	dir abc {
+		def ghi
+	}
+}`,
+		json: `[{"hosts":["host1","host2"],"body":{"dir":["abc",{"def":["ghi"]}]}}]`,
+	},
+	{ // 3
+		caddyfile: `host1:1234, host2:5678 {
+	dir abc {
+	}
+}`,
+		json: `[{"hosts":["host1:1234","host2:5678"],"body":{"dir":["abc",{}]}}]`,
+	},
+	{ // 4
+		caddyfile: `host {
+	foo "bar baz"
+}`,
+		json: `[{"hosts":["host"],"body":{"foo":["bar baz"]}}]`,
+	},
+	{ // 5
+		caddyfile: `host, host:80 {
+	foo "bar \"baz\""
+}`,
+		json: `[{"hosts":["host","host:80"],"body":{"foo":["bar \"baz\""]}}]`,
+	},
+	{ // 6
+		caddyfile: `host {
+	foo "bar
+baz"
+}`,
+		json: `[{"hosts":["host"],"body":{"foo":["bar\nbaz"]}}]`,
+	},
+	{ // 7
+		caddyfile: `host {
+	dir 123 4.56 true
+}`,
+		json: `[{"hosts":["host"],"body":{"dir":["123","4.56","true"]}}]`, // NOTE: I guess we assume numbers and booleans should be encoded as strings...?
+	},
+	{ // 8
+		caddyfile: `http://host, https://host {
+}`,
+		json: `[{"hosts":["host:http","host:https"],"body":{}}]`, // hosts in JSON are always host:port format (if port is specified), for consistency
+	},
+}
+
+func TestToJSON(t *testing.T) {
+	for i, test := range tests {
+		output, err := ToJSON([]byte(test.caddyfile))
+		if err != nil {
+			t.Errorf("Test %d: %v", i, err)
+		}
+		if string(output) != test.json {
+			t.Errorf("Test %d\nExpected:\n'%s'\nActual:\n'%s'", i, test.json, string(output))
+		}
+	}
+}
+
+func TestFromJSON(t *testing.T) {
+	for i, test := range tests {
+		output, err := FromJSON([]byte(test.json))
+		if err != nil {
+			t.Errorf("Test %d: %v", i, err)
+		}
+		if string(output) != test.caddyfile {
+			t.Errorf("Test %d\nExpected:\n'%s'\nActual:\n'%s'", i, test.caddyfile, string(output))
+		}
+	}
+}
--- a/config/config.go
+++ b/config/config.go
--- a/config/config_test.go
+++ b/config/config_test.go
-package config
+package caddy

 import (
 	"reflect"

--- a/config/directives.go
+++ b/config/directives.go
-package config
+package caddy

 import (
-	"github.com/mholt/caddy/config/parse"
-	"github.com/mholt/caddy/config/setup"
+	"github.com/mholt/caddy/caddy/parse"
+	"github.com/mholt/caddy/caddy/setup"
 	"github.com/mholt/caddy/middleware"
 )

@@ -42,7 +42,7 @@ func init() {
 var directiveOrder = []directive{
 	// Essential directives that initialize vital configuration settings
 	{"root", setup.Root},
-	{"tls", setup.TLS},
+	{"tls", setup.TLS}, // letsencrypt is set up just after tls
 	{"bind", setup.BindHost},

 	// Other directives that don't create HTTP handlers

--- a/caddy/helpers.go
+++ b/caddy/helpers.go
+package caddy
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/mholt/caddy/caddy/letsencrypt"
+)
+
+func init() {
+	letsencrypt.OnChange = func() error { return Restart(nil) }
+}
+
+// isLocalhost returns true if host looks explicitly like a localhost address.
+func isLocalhost(host string) bool {
+	return host == "localhost" || host == "::1" || strings.HasPrefix(host, "127.")
+}
+
+// checkFdlimit issues a warning if the OS max file descriptors is below a recommended minimum.
+func checkFdlimit() {
+	const min = 4096
+
+	// Warn if ulimit is too low for production sites
+	if runtime.GOOS == "linux" || runtime.GOOS == "darwin" {
+		out, err := exec.Command("sh", "-c", "ulimit -n").Output() // use sh because ulimit isn't in Linux $PATH
+		if err == nil {
+			// Note that an error here need not be reported
+			lim, err := strconv.Atoi(string(bytes.TrimSpace(out)))
+			if err == nil && lim < min {
+				fmt.Printf("Warning: File descriptor limit %d is too low for production sites. At least %d is recommended. Set with \"ulimit -n %d\".\n", lim, min, min)
+			}
+		}
+	}
+}
+
+// caddyfileGob maps bind address to index of the file descriptor
+// in the Files array passed to the child process. It also contains
+// the caddyfile contents. Used only during graceful restarts.
+type caddyfileGob struct {
+	ListenerFds map[string]uintptr
+	Caddyfile   Input
+}
+
+// isRestart returns whether this process is, according
+// to env variables, a fork as part of a graceful restart.
+func isRestart() bool {
+	return os.Getenv("CADDY_RESTART") == "true"
+}
+
+// CaddyfileInput represents a Caddyfile as input
+// and is simply a convenient way to implement
+// the Input interface.
+type CaddyfileInput struct {
+	Filepath string
+	Contents []byte
+	RealFile bool
+}
+
+// Body returns c.Contents.
+func (c CaddyfileInput) Body() []byte { return c.Contents }
+
+// Path returns c.Filepath.
+func (c CaddyfileInput) Path() string { return c.Filepath }
+
+// Path returns true if the original input was a real file on the file system.
+func (c CaddyfileInput) IsFile() bool { return c.RealFile }
--- a/caddy/letsencrypt/crypto.go
+++ b/caddy/letsencrypt/crypto.go
+package letsencrypt
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"os"
+)
+
+// loadRSAPrivateKey loads a PEM-encoded RSA private key from file.
+func loadRSAPrivateKey(file string) (*rsa.PrivateKey, error) {
+	keyBytes, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	keyBlock, _ := pem.Decode(keyBytes)
+	return x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+}
+
+// saveRSAPrivateKey saves a PEM-encoded RSA private key to file.
+func saveRSAPrivateKey(key *rsa.PrivateKey, file string) error {
+	pemKey := pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
+	keyOut, err := os.Create(file)
+	if err != nil {
+		return err
+	}
+	defer keyOut.Close()
+	return pem.Encode(keyOut, &pemKey)
+}
--- a/caddy/letsencrypt/crypto_test.go
+++ b/caddy/letsencrypt/crypto_test.go
+package letsencrypt
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"os"
+	"testing"
+)
+
+func init() {
+	rsaKeySizeToUse = 128 // make tests faster; small key size OK for testing
+}
+
+func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
+	keyFile := "test.key"
+	defer os.Remove(keyFile)
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySizeToUse)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// test save
+	err = saveRSAPrivateKey(privateKey, keyFile)
+	if err != nil {
+		t.Fatal("error saving private key:", err)
+	}
+
+	// test load
+	loadedKey, err := loadRSAPrivateKey(keyFile)
+	if err != nil {
+		t.Error("error loading private key:", err)
+	}
+
+	// very loaded key is correct
+	if !rsaPrivateKeysSame(privateKey, loadedKey) {
+		t.Error("Expected key bytes to be the same, but they weren't")
+	}
+}
+
+// rsaPrivateKeyBytes returns the bytes of DER-encoded key.
+func rsaPrivateKeyBytes(key *rsa.PrivateKey) []byte {
+	return x509.MarshalPKCS1PrivateKey(key)
+}
+
+// rsaPrivateKeysSame compares the bytes of a and b and returns true if they are the same.
+func rsaPrivateKeysSame(a, b *rsa.PrivateKey) bool {
+	return bytes.Equal(rsaPrivateKeyBytes(a), rsaPrivateKeyBytes(b))
+}
--- a/caddy/letsencrypt/handler.go
+++ b/caddy/letsencrypt/handler.go
+package letsencrypt
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"sync"
+	"sync/atomic"
+
+	"github.com/mholt/caddy/middleware"
+)
+
+// Handler is a Caddy middleware that can proxy ACME requests
+// to the real ACME endpoint. This is necessary to renew certificates
+// while the server is running. Obviously, a site served on port
+// 443 (HTTPS) binds to that port, so another listener created by
+// our acme client can't bind successfully and solve the challenge.
+// Thus, we chain this handler in so that it can, when activated,
+// proxy ACME requests to an ACME client listening on an alternate
+// port.
+type Handler struct {
+	sync.Mutex      // protects the ChallengePath property
+	Next            middleware.Handler
+	ChallengeActive int32  // use sync/atomic for speed to set/get this flag
+	ChallengePath   string // the exact request path to match before proxying
+}
+
+// ServeHTTP is basically a no-op unless an ACME challenge is active on this host
+// and the request path matches the expected path exactly.
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+	// Only if challenge is active
+	if atomic.LoadInt32(&h.ChallengeActive) == 1 {
+		h.Lock()
+		path := h.ChallengePath
+		h.Unlock()
+
+		// Request path must be correct; if so, proxy to ACME client
+		if r.URL.Path == path {
+			upstream, err := url.Parse("https://" + r.Host + ":" + alternatePort)
+			if err != nil {
+				return http.StatusInternalServerError, err
+			}
+			proxy := httputil.NewSingleHostReverseProxy(upstream)
+			proxy.Transport = &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // client uses self-signed cert
+			}
+			proxy.ServeHTTP(w, r)
+			return 0, nil
+		}
+	}
+
+	return h.Next.ServeHTTP(w, r)
+}
+
+// ChallengeOn enables h to proxy ACME requests.
+func (h *Handler) ChallengeOn(challengePath string) {
+	h.Lock()
+	h.ChallengePath = challengePath
+	h.Unlock()
+	atomic.StoreInt32(&h.ChallengeActive, 1)
+}
+
+// ChallengeOff disables ACME proxying from this h.
+func (h *Handler) ChallengeOff(success bool) {
+	atomic.StoreInt32(&h.ChallengeActive, 0)
+}
--- a/caddy/letsencrypt/letsencrypt.go
+++ b/caddy/letsencrypt/letsencrypt.go
--- a/caddy/letsencrypt/letsencrypt_test.go
+++ b/caddy/letsencrypt/letsencrypt_test.go
+package letsencrypt
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/mholt/caddy/middleware/redirect"
+	"github.com/mholt/caddy/server"
+)
+
+func TestRedirPlaintextHost(t *testing.T) {
+	cfg := redirPlaintextHost(server.Config{
+		Host: "example.com",
+		Port: "http",
+	})
+
+	// Check host and port
+	if actual, expected := cfg.Host, "example.com"; actual != expected {
+		t.Errorf("Expected redir config to have host %s but got %s", expected, actual)
+	}
+	if actual, expected := cfg.Port, "http"; actual != expected {
+		t.Errorf("Expected redir config to have port '%s' but got '%s'", expected, actual)
+	}
+
+	// Make sure redirect handler is set up properly
+	if cfg.Middleware == nil || len(cfg.Middleware["/"]) != 1 {
+		t.Fatalf("Redir config middleware not set up properly; got: %#v", cfg.Middleware)
+	}
+
+	handler, ok := cfg.Middleware["/"][0](nil).(redirect.Redirect)
+	if !ok {
+		t.Fatalf("Expected a redirect.Redirect middleware, but got: %#v", handler)
+	}
+	if len(handler.Rules) != 1 {
+		t.Fatalf("Expected one redirect rule, got: %#v", handler.Rules)
+	}
+
+	// Check redirect rule for correctness
+	if actual, expected := handler.Rules[0].FromScheme, "http"; actual != expected {
+		t.Errorf("Expected redirect rule to be from scheme '%s' but is actually from '%s'", expected, actual)
+	}
+	if actual, expected := handler.Rules[0].FromPath, "/"; actual != expected {
+		t.Errorf("Expected redirect rule to be for path '%s' but is actually for '%s'", expected, actual)
+	}
+	if actual, expected := handler.Rules[0].To, "https://example.com{uri}"; actual != expected {
+		t.Errorf("Expected redirect rule to be to URL '%s' but is actually to '%s'", expected, actual)
+	}
+	if actual, expected := handler.Rules[0].Code, http.StatusMovedPermanently; actual != expected {
+		t.Errorf("Expected redirect rule to have code %d but was %d", expected, actual)
+	}
+}
--- a/caddy/letsencrypt/maintain.go
+++ b/caddy/letsencrypt/maintain.go
+package letsencrypt
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"time"
+
+	"github.com/mholt/caddy/server"
+	"github.com/xenolf/lego/acme"
+)
+
+// OnChange is a callback function that will be used to restart
+// the application or the part of the application that uses
+// the certificates maintained by this package. When at least
+// one certificate is renewed or an OCSP status changes, this
+// function will be called.
+var OnChange func() error
+
+// maintainAssets is a permanently-blocking function
+// that loops indefinitely and, on a regular schedule, checks
+// certificates for expiration and initiates a renewal of certs
+// that are expiring soon. It also updates OCSP stapling and
+// performs other maintenance of assets.
+//
+// You must pass in the server configs to maintain and the channel
+// which you'll close when maintenance should stop, to allow this
+// goroutine to clean up after itself and unblock.
+func maintainAssets(configs []server.Config, stopChan chan struct{}) {
+	renewalTicker := time.NewTicker(renewInterval)
+	ocspTicker := time.NewTicker(ocspInterval)
+
+	for {
+		select {
+		case <-renewalTicker.C:
+			n, errs := renewCertificates(configs, true)
+			if len(errs) > 0 {
+				for _, err := range errs {
+					log.Printf("[ERROR] cert renewal: %v\n", err)
+				}
+			}
+			// even if there was an error, some renewals may have succeeded
+			if n > 0 && OnChange != nil {
+				err := OnChange()
+				if err != nil {
+					log.Printf("[ERROR] onchange after cert renewal: %v\n", err)
+				}
+			}
+		case <-ocspTicker.C:
+			for bundle, oldStatus := range ocspStatus {
+				_, newStatus, err := acme.GetOCSPForCert(*bundle)
+				if err == nil && newStatus != oldStatus && OnChange != nil {
+					log.Printf("[INFO] ocsp status changed from %v to %v\n", oldStatus, newStatus)
+					err := OnChange()
+					if err != nil {
+						log.Printf("[ERROR] onchange after ocsp update: %v\n", err)
+					}
+					break
+				}
+			}
+		case <-stopChan:
+			renewalTicker.Stop()
+			ocspTicker.Stop()
+			return
+		}
+	}
+}
+
+// renewCertificates loops through all configured site and
+// looks for certificates to renew. Nothing is mutated
+// through this function; all changes happen directly on disk.
+// It returns the number of certificates renewed and any errors
+// that occurred. It only performs a renewal if necessary.
+// If useCustomPort is true, a custom port will be used, and
+// whatever is listening at 443 better proxy ACME requests to it.
+// Otherwise, the acme package will create its own listener on 443.
+func renewCertificates(configs []server.Config, useCustomPort bool) (int, []error) {
+	log.Print("[INFO] Processing certificate renewals...")
+	var errs []error
+	var n int
+
+	defer func() {
+		// reset these so as to not interfere with other challenges
+		acme.OnSimpleHTTPStart = nil
+		acme.OnSimpleHTTPEnd = nil
+	}()
+
+	for _, cfg := range configs {
+		// Host must be TLS-enabled and have existing assets managed by LE
+		if !cfg.TLS.Enabled || !existingCertAndKey(cfg.Host) {
+			continue
+		}
+
+		// Read the certificate and get the NotAfter time.
+		certBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
+		if err != nil {
+			errs = append(errs, err)
+			continue // still have to check other certificates
+		}
+		expTime, err := acme.GetPEMCertExpiration(certBytes)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+
+		// The time returned from the certificate is always in UTC.
+		// So calculate the time left with local time as UTC.
+		// Directly convert it to days for the following checks.
+		daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
+
+		// Renew with two weeks or less remaining.
+		if daysLeft <= 14 {
+			log.Printf("[INFO] There are %d days left on the certificate of %s. Trying to renew now.", daysLeft, cfg.Host)
+			var client *acme.Client
+			if useCustomPort {
+				client, err = newClientPort("", alternatePort) // email not used for renewal
+			} else {
+				client, err = newClient("")
+			}
+			if err != nil {
+				errs = append(errs, err)
+				continue
+			}
+
+			// Read metadata
+			metaBytes, err := ioutil.ReadFile(storage.SiteMetaFile(cfg.Host))
+			if err != nil {
+				errs = append(errs, err)
+				continue
+			}
+
+			privBytes, err := ioutil.ReadFile(storage.SiteKeyFile(cfg.Host))
+			if err != nil {
+				errs = append(errs, err)
+				continue
+			}
+
+			var certMeta acme.CertificateResource
+			err = json.Unmarshal(metaBytes, &certMeta)
+			certMeta.Certificate = certBytes
+			certMeta.PrivateKey = privBytes
+
+			// Tell the handler to accept and proxy acme request in order to solve challenge
+			acme.OnSimpleHTTPStart = acmeHandlers[cfg.Host].ChallengeOn
+			acme.OnSimpleHTTPEnd = acmeHandlers[cfg.Host].ChallengeOff
+
+			// Renew certificate.
+			// TODO: revokeOld should be an option in the caddyfile
+			// TODO: bundle should be an option in the caddyfile as well :)
+		Renew:
+			newCertMeta, err := client.RenewCertificate(certMeta, true, true)
+			if err != nil {
+				if _, ok := err.(acme.TOSError); ok {
+					err := client.AgreeToTOS()
+					if err != nil {
+						errs = append(errs, err)
+					}
+					goto Renew
+				}
+
+				time.Sleep(10 * time.Second)
+				newCertMeta, err = client.RenewCertificate(certMeta, true, true)
+				if err != nil {
+					errs = append(errs, err)
+					continue
+				}
+			}
+
+			saveCertsAndKeys([]acme.CertificateResource{newCertMeta})
+			n++
+		} else if daysLeft <= 30 {
+			// Warn on 30 days remaining. TODO: Just do this once...
+			log.Printf("[WARN] There are %d days left on the certificate for %s. Will renew when 14 days remain.\n", daysLeft, cfg.Host)
+		}
+	}
+
+	return n, errs
+}
+
+// acmeHandlers is a map of host to ACME handler. These
+// are used to proxy ACME requests to the ACME client
+// when port 443 is in use.
+var acmeHandlers = make(map[string]*Handler)
--- a/caddy/letsencrypt/storage.go
+++ b/caddy/letsencrypt/storage.go
+package letsencrypt
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/mholt/caddy/caddy/assets"
+)
+
+// storage is used to get file paths in a consistent,
+// cross-platform way for persisting Let's Encrypt assets
+// on the file system.
+var storage = Storage(filepath.Join(assets.Path(), "letsencrypt"))
+
+// Storage is a root directory and facilitates
+// forming file paths derived from it.
+type Storage string
+
+// Sites gets the directory that stores site certificate and keys.
+func (s Storage) Sites() string {
+	return filepath.Join(string(s), "sites")
+}
+
+// Site returns the path to the folder containing assets for domain.
+func (s Storage) Site(domain string) string {
+	return filepath.Join(s.Sites(), domain)
+}
+
+// CertFile returns the path to the certificate file for domain.
+func (s Storage) SiteCertFile(domain string) string {
+	return filepath.Join(s.Site(domain), domain+".crt")
+}
+
+// SiteKeyFile returns the path to domain's private key file.
+func (s Storage) SiteKeyFile(domain string) string {
+	return filepath.Join(s.Site(domain), domain+".key")
+}
+
+// SiteMetaFile returns the path to the domain's asset metadata file.
+func (s Storage) SiteMetaFile(domain string) string {
+	return filepath.Join(s.Site(domain), domain+".json")
+}
+
+// Users gets the directory that stores account folders.
+func (s Storage) Users() string {
+	return filepath.Join(string(s), "users")
+}
+
+// User gets the account folder for the user with email.
+func (s Storage) User(email string) string {
+	if email == "" {
+		email = emptyEmail
+	}
+	return filepath.Join(s.Users(), email)
+}
+
+// UserRegFile gets the path to the registration file for
+// the user with the given email address.
+func (s Storage) UserRegFile(email string) string {
+	if email == "" {
+		email = emptyEmail
+	}
+	fileName := emailUsername(email)
+	if fileName == "" {
+		fileName = "registration"
+	}
+	return filepath.Join(s.User(email), fileName+".json")
+}
+
+// UserKeyFile gets the path to the private key file for
+// the user with the given email address.
+func (s Storage) UserKeyFile(email string) string {
+	if email == "" {
+		email = emptyEmail
+	}
+	fileName := emailUsername(email)
+	if fileName == "" {
+		fileName = "private"
+	}
+	return filepath.Join(s.User(email), fileName+".key")
+}
+
+// emailUsername returns the username portion of an
+// email address (part before '@') or the original
+// input if it can't find the "@" symbol.
+func emailUsername(email string) string {
+	at := strings.Index(email, "@")
+	if at == -1 {
+		return email
+	} else if at == 0 {
+		return email[1:]
+	}
+	return email[:at]
+}
--- a/caddy/letsencrypt/storage_test.go
+++ b/caddy/letsencrypt/storage_test.go
+package letsencrypt
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestStorage(t *testing.T) {
+	storage = Storage("./letsencrypt")
+
+	if expected, actual := filepath.Join("letsencrypt", "sites"), storage.Sites(); actual != expected {
+		t.Errorf("Expected Sites() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com"), storage.Site("test.com"); actual != expected {
+		t.Errorf("Expected Site() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.crt"), storage.SiteCertFile("test.com"); actual != expected {
+		t.Errorf("Expected SiteCertFile() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.key"), storage.SiteKeyFile("test.com"); actual != expected {
+		t.Errorf("Expected SiteKeyFile() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "sites", "test.com", "test.com.json"), storage.SiteMetaFile("test.com"); actual != expected {
+		t.Errorf("Expected SiteMetaFile() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users"), storage.Users(); actual != expected {
+		t.Errorf("Expected Users() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com"), storage.User("me@example.com"); actual != expected {
+		t.Errorf("Expected User() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com", "me.json"), storage.UserRegFile("me@example.com"); actual != expected {
+		t.Errorf("Expected UserRegFile() to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users", "me@example.com", "me.key"), storage.UserKeyFile("me@example.com"); actual != expected {
+		t.Errorf("Expected UserKeyFile() to return '%s' but got '%s'", expected, actual)
+	}
+
+	// Test with empty emails
+	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail), storage.User(emptyEmail); actual != expected {
+		t.Errorf("Expected User(\"\") to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail, emptyEmail+".json"), storage.UserRegFile(""); actual != expected {
+		t.Errorf("Expected UserRegFile(\"\") to return '%s' but got '%s'", expected, actual)
+	}
+	if expected, actual := filepath.Join("letsencrypt", "users", emptyEmail, emptyEmail+".key"), storage.UserKeyFile(""); actual != expected {
+		t.Errorf("Expected UserKeyFile(\"\") to return '%s' but got '%s'", expected, actual)
+	}
+}
+
+func TestEmailUsername(t *testing.T) {
+	for i, test := range []struct {
+		input, expect string
+	}{
+		{
+			input:  "username@example.com",
+			expect: "username",
+		},
+		{
+			input:  "plus+addressing@example.com",
+			expect: "plus+addressing",
+		},
+		{
+			input:  "me+plus-addressing@example.com",
+			expect: "me+plus-addressing",
+		},
+		{
+			input:  "not-an-email",
+			expect: "not-an-email",
+		},
+		{
+			input:  "@foobar.com",
+			expect: "foobar.com",
+		},
+		{
+			input:  emptyEmail,
+			expect: emptyEmail,
+		},
+	} {
+		if actual := emailUsername(test.input); actual != test.expect {
+			t.Errorf("Test %d: Expected username to be '%s' but was '%s'", i, test.expect, actual)
+		}
+	}
+}
--- a/caddy/letsencrypt/user.go
+++ b/caddy/letsencrypt/user.go
+package letsencrypt
+
+import (
+	"bufio"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/mholt/caddy/server"
+	"github.com/xenolf/lego/acme"
+)
+
+// User represents a Let's Encrypt user account.
+type User struct {
+	Email        string
+	Registration *acme.RegistrationResource
+	key          *rsa.PrivateKey
+}
+
+// GetEmail gets u's email.
+func (u User) GetEmail() string {
+	return u.Email
+}
+
+// GetRegistration gets u's registration resource.
+func (u User) GetRegistration() *acme.RegistrationResource {
+	return u.Registration
+}
+
+// GetPrivateKey gets u's private key.
+func (u User) GetPrivateKey() *rsa.PrivateKey {
+	return u.key
+}
+
+// getUser loads the user with the given email from disk.
+// If the user does not exist, it will create a new one,
+// but it does NOT save new users to the disk or register
+// them via ACME.
+func getUser(email string) (User, error) {
+	var user User
+
+	// open user file
+	regFile, err := os.Open(storage.UserRegFile(email))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// create a new user
+			return newUser(email)
+		}
+		return user, err
+	}
+	defer regFile.Close()
+
+	// load user information
+	err = json.NewDecoder(regFile).Decode(&user)
+	if err != nil {
+		return user, err
+	}
+
+	// load their private key
+	user.key, err = loadRSAPrivateKey(storage.UserKeyFile(email))
+	if err != nil {
+		return user, err
+	}
+
+	return user, nil
+}
+
+// saveUser persists a user's key and account registration
+// to the file system. It does NOT register the user via ACME.
+func saveUser(user User) error {
+	// make user account folder
+	err := os.MkdirAll(storage.User(user.Email), 0700)
+	if err != nil {
+		return err
+	}
+
+	// save private key file
+	err = saveRSAPrivateKey(user.key, storage.UserKeyFile(user.Email))
+	if err != nil {
+		return err
+	}
+
+	// save registration file
+	jsonBytes, err := json.MarshalIndent(&user, "", "\t")
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(storage.UserRegFile(user.Email), jsonBytes, 0600)
+}
+
+// newUser creates a new User for the given email address
+// with a new private key. This function does NOT save the
+// user to disk or register it via ACME. If you want to use
+// a user account that might already exist, call getUser
+// instead.
+func newUser(email string) (User, error) {
+	user := User{Email: email}
+	privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySizeToUse)
+	if err != nil {
+		return user, errors.New("error generating private key: " + err.Error())
+	}
+	user.key = privateKey
+	return user, nil
+}
+
+// getEmail does everything it can to obtain an email
+// address from the user to use for TLS for cfg. If it
+// cannot get an email address, it returns empty string.
+// (It will warn the user of the consequences of an
+// empty email.)
+func getEmail(cfg server.Config) string {
+	// First try the tls directive from the Caddyfile
+	leEmail := cfg.TLS.LetsEncryptEmail
+	if leEmail == "" {
+		// Then try memory (command line flag or typed by user previously)
+		leEmail = DefaultEmail
+	}
+	if leEmail == "" {
+		// Then try to get most recent user email ~/.caddy/users file
+		userDirs, err := ioutil.ReadDir(storage.Users())
+		if err == nil {
+			var mostRecent os.FileInfo
+			for _, dir := range userDirs {
+				if !dir.IsDir() {
+					continue
+				}
+				if mostRecent == nil || dir.ModTime().After(mostRecent.ModTime()) {
+					mostRecent = dir
+				}
+			}
+			if mostRecent != nil {
+				leEmail = mostRecent.Name()
+			}
+		}
+	}
+	if leEmail == "" {
+		// Alas, we must bother the user and ask for an email address;
+		// if they proceed they also agree to the SA.
+		reader := bufio.NewReader(stdin)
+		fmt.Println("Your sites will be served over HTTPS automatically using Let's Encrypt.")
+		fmt.Println("By continuing, you agree to the Let's Encrypt Subscriber Agreement at:")
+		fmt.Println("  " + saURL) // TODO: Show current SA link
+		fmt.Println("Please enter your email address so you can recover your account if needed.")
+		fmt.Println("You can leave it blank, but you'll lose the ability to recover your account.")
+		fmt.Print("Email address: ")
+		var err error
+		leEmail, err = reader.ReadString('\n')
+		if err != nil {
+			return ""
+		}
+		DefaultEmail = leEmail
+		Agreed = true
+	}
+	return strings.TrimSpace(leEmail)
+}
+
+// promptUserAgreement prompts the user to agree to the agreement
+// at agreementURL via stdin. If the agreement has changed, then pass
+// true as the second argument. If this is the user's first time
+// agreeing, pass false. It returns whether the user agreed or not.
+func promptUserAgreement(agreementURL string, changed bool) bool {
+	if changed {
+		fmt.Printf("The Let's Encrypt Subscriber Agreement has changed:\n  %s\n", agreementURL)
+		fmt.Print("Do you agree to the new terms? (y/n): ")
+	} else {
+		fmt.Printf("To continue, you must agree to the Let's Encrypt Subscriber Agreement:\n  %s\n", agreementURL)
+		fmt.Print("Do you agree to the terms? (y/n): ")
+	}
+
+	reader := bufio.NewReader(stdin)
+	answer, err := reader.ReadString('\n')
+	if err != nil {
+		return false
+	}
+	answer = strings.ToLower(strings.TrimSpace(answer))
+
+	return answer == "y" || answer == "yes"
+}
+
+// stdin is used to read the user's input if prompted;
+// this is changed by tests during tests.
+var stdin = io.ReadWriter(os.Stdin)
+
+// The name of the folder for accounts where the email
+// address was not provided; default 'username' if you will.
+const emptyEmail = "default"
+
+// TODO: Use latest
+const saURL = "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
--- a/caddy/letsencrypt/user_test.go
+++ b/caddy/letsencrypt/user_test.go
+package letsencrypt
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"io"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/mholt/caddy/server"
+	"github.com/xenolf/lego/acme"
+)
+
+func TestUser(t *testing.T) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 128)
+	if err != nil {
+		t.Fatalf("Could not generate test private key: %v", err)
+	}
+	u := User{
+		Email:        "me@mine.com",
+		Registration: new(acme.RegistrationResource),
+		key:          privateKey,
+	}
+
+	if expected, actual := "me@mine.com", u.GetEmail(); actual != expected {
+		t.Errorf("Expected email '%s' but got '%s'", expected, actual)
+	}
+	if u.GetRegistration() == nil {
+		t.Error("Expected a registration resource, but got nil")
+	}
+	if expected, actual := privateKey, u.GetPrivateKey(); actual != expected {
+		t.Errorf("Expected the private key at address %p but got one at %p instead ", expected, actual)
+	}
+}
+
+func TestNewUser(t *testing.T) {
+	email := "me@foobar.com"
+	user, err := newUser(email)
+	if err != nil {
+		t.Fatalf("Error creating user: %v", err)
+	}
+	if user.key == nil {
+		t.Error("Private key is nil")
+	}
+	if user.Email != email {
+		t.Errorf("Expected email to be %s, but was %s", email, user.Email)
+	}
+	if user.Registration != nil {
+		t.Error("New user already has a registration resource; it shouldn't")
+	}
+}
+
+func TestSaveUser(t *testing.T) {
+	storage = Storage("./testdata")
+	defer os.RemoveAll(string(storage))
+
+	email := "me@foobar.com"
+	user, err := newUser(email)
+	if err != nil {
+		t.Fatalf("Error creating user: %v", err)
+	}
+
+	err = saveUser(user)
+	if err != nil {
+		t.Fatalf("Error saving user: %v", err)
+	}
+	_, err = os.Stat(storage.UserRegFile(email))
+	if err != nil {
+		t.Errorf("Cannot access user registration file, error: %v", err)
+	}
+	_, err = os.Stat(storage.UserKeyFile(email))
+	if err != nil {
+		t.Errorf("Cannot access user private key file, error: %v", err)
+	}
+}
+
+func TestGetUserDoesNotAlreadyExist(t *testing.T) {
+	storage = Storage("./testdata")
+	defer os.RemoveAll(string(storage))
+
+	user, err := getUser("user_does_not_exist@foobar.com")
+	if err != nil {
+		t.Fatalf("Error getting user: %v", err)
+	}
+
+	if user.key == nil {
+		t.Error("Expected user to have a private key, but it was nil")
+	}
+}
+
+func TestGetUserAlreadyExists(t *testing.T) {
+	storage = Storage("./testdata")
+	defer os.RemoveAll(string(storage))
+
+	email := "me@foobar.com"
+
+	// Set up test
+	user, err := newUser(email)
+	if err != nil {
+		t.Fatalf("Error creating user: %v", err)
+	}
+	err = saveUser(user)
+	if err != nil {
+		t.Fatalf("Error saving user: %v", err)
+	}
+
+	// Expect to load user from disk
+	user2, err := getUser(email)
+	if err != nil {
+		t.Fatalf("Error getting user: %v", err)
+	}
+
+	// Assert keys are the same
+	if !rsaPrivateKeysSame(user.key, user2.key) {
+		t.Error("Expected private key to be the same after loading, but it wasn't")
+	}
+
+	// Assert emails are the same
+	if user.Email != user2.Email {
+		t.Errorf("Expected emails to be equal, but was '%s' before and '%s' after loading", user.Email, user2.Email)
+	}
+}
+
+func TestGetEmail(t *testing.T) {
+	storage = Storage("./testdata")
+	defer os.RemoveAll(string(storage))
+	DefaultEmail = "test2@foo.com"
+
+	// Test1: Use email in config
+	config := server.Config{
+		TLS: server.TLSConfig{
+			LetsEncryptEmail: "test1@foo.com",
+		},
+	}
+	actual := getEmail(config)
+	if actual != "test1@foo.com" {
+		t.Errorf("Did not get correct email from config; expected '%s' but got '%s'", "test1@foo.com", actual)
+	}
+
+	// Test2: Use default email from flag (or user previously typing it)
+	actual = getEmail(server.Config{})
+	if actual != DefaultEmail {
+		t.Errorf("Did not get correct email from config; expected '%s' but got '%s'", DefaultEmail, actual)
+	}
+
+	// Test3: Get input from user
+	DefaultEmail = ""
+	stdin = new(bytes.Buffer)
+	_, err := io.Copy(stdin, strings.NewReader("test3@foo.com\n"))
+	if err != nil {
+		t.Fatalf("Could not simulate user input, error: %v", err)
+	}
+	actual = getEmail(server.Config{})
+	if actual != "test3@foo.com" {
+		t.Errorf("Did not get correct email from user input prompt; expected '%s' but got '%s'", "test3@foo.com", actual)
+	}
+
+	// Test4: Get most recent email from before
+	DefaultEmail = ""
+	for i, eml := range []string{
+		"test4-3@foo.com",
+		"test4-2@foo.com",
+		"test4-1@foo.com",
+	} {
+		u, err := newUser(eml)
+		if err != nil {
+			t.Fatalf("Error creating user %d: %v", i, err)
+		}
+		err = saveUser(u)
+		if err != nil {
+			t.Fatalf("Error saving user %d: %v", i, err)
+		}
+
+		// Change modified time so they're all different, so the test becomes deterministic
+		f, err := os.Stat(storage.User(eml))
+		if err != nil {
+			t.Fatalf("Could not access user folder for '%s': %v", eml, err)
+		}
+		chTime := f.ModTime().Add(-(time.Duration(i) * time.Second))
+		if err := os.Chtimes(storage.User(eml), chTime, chTime); err != nil {
+			t.Fatalf("Could not change user folder mod time for '%s': %v", eml, err)
+		}
+	}
+
+	actual = getEmail(server.Config{})
+	if actual != "test4-3@foo.com" {
+		t.Errorf("Did not get correct email from storage; expected '%s' but got '%s'", "test4-3@foo.com", actual)
+	}
+}
--- a/config/parse/dispenser.go
+++ b/config/parse/dispenser.go
--- a/config/parse/dispenser_test.go
+++ b/config/parse/dispenser_test.go
--- a/config/parse/import_test1.txt
+++ b/config/parse/import_test1.txt
--- a/config/parse/import_test2.txt
+++ b/config/parse/import_test2.txt
--- a/config/parse/lexer.go
+++ b/config/parse/lexer.go
--- a/config/parse/lexer_test.go
+++ b/config/parse/lexer_test.go
--- a/config/parse/parse.go
+++ b/config/parse/parse.go
@@ -5,9 +5,11 @@ import "io"

 // ServerBlocks parses the input just enough to organize tokens,
 // in order, by server block. No further parsing is performed.
-// Server blocks are returned in the order in which they appear.
-func ServerBlocks(filename string, input io.Reader) ([]serverBlock, error) {
-	p := parser{Dispenser: NewDispenser(filename, input)}
+// If checkDirectives is true, only valid directives will be allowed
+// otherwise we consider it a parse error. Server blocks are returned
+// in the order in which they appear.
+func ServerBlocks(filename string, input io.Reader, checkDirectives bool) ([]serverBlock, error) {
+	p := parser{Dispenser: NewDispenser(filename, input), checkDirectives: checkDirectives}
 	blocks, err := p.parseAll()
 	return blocks, err
 }

--- a/config/parse/parse_test.go
+++ b/config/parse/parse_test.go
--- a/config/parse/parsing.go
+++ b/config/parse/parsing.go
@@ -9,8 +9,9 @@ import (

 type parser struct {
 	Dispenser
-	block serverBlock // current server block being parsed
-	eof   bool        // if we encounter a valid EOF in a hard place
+	block           serverBlock // current server block being parsed
+	eof             bool        // if we encounter a valid EOF in a hard place
+	checkDirectives bool        // if true, directives must be known
 }

 func (p *parser) parseAll() ([]serverBlock, error) {
@@ -220,8 +221,10 @@ func (p *parser) directive() error {
 	dir := p.Val()
 	nesting := 0

-	if _, ok := ValidDirectives[dir]; !ok {
-		return p.Errf("Unknown directive '%s'", dir)
+	if p.checkDirectives {
+		if _, ok := ValidDirectives[dir]; !ok {
+			return p.Errf("Unknown directive '%s'", dir)
+		}
 	}

 	// The directive itself is appended as a relevant token

--- a/config/parse/parsing_test.go
+++ b/config/parse/parsing_test.go
@@ -375,6 +375,6 @@ func setupParseTests() {

 func testParser(input string) parser {
 	buf := strings.NewReader(input)
-	p := parser{Dispenser: NewDispenser("Test", buf)}
+	p := parser{Dispenser: NewDispenser("Test", buf), checkDirectives: true}
 	return p
 }
--- a/caddy/restart.go
+++ b/caddy/restart.go
+// +build !windows
+
+package caddy
+
+import (
+	"encoding/gob"
+	"io/ioutil"
+	"log"
+	"os"
+	"syscall"
+)
+
+func init() {
+	gob.Register(CaddyfileInput{})
+}
+
+// Restart restarts the entire application; gracefully with zero
+// downtime if on a POSIX-compatible system, or forcefully if on
+// Windows but with imperceptibly-short downtime.
+//
+// The restarted application will use newCaddyfile as its input
+// configuration. If newCaddyfile is nil, the current (existing)
+// Caddyfile configuration will be used.
+//
+// Note: The process must exist in the same place on the disk in
+// order for this to work. Thus, multiple graceful restarts don't
+// work if executing with `go run`, since the binary is cleaned up
+// when `go run` sees the initial parent process exit.
+func Restart(newCaddyfile Input) error {
+	if newCaddyfile == nil {
+		caddyfileMu.Lock()
+		newCaddyfile = caddyfile
+		caddyfileMu.Unlock()
+	}
+
+	if len(os.Args) == 0 { // this should never happen...
+		os.Args = []string{""}
+	}
+
+	// Tell the child that it's a restart
+	os.Setenv("CADDY_RESTART", "true")
+
+	// Prepare our payload to the child process
+	cdyfileGob := caddyfileGob{
+		ListenerFds: make(map[string]uintptr),
+		Caddyfile:   newCaddyfile,
+	}
+
+	// Prepare a pipe to the fork's stdin so it can get the Caddyfile
+	rpipe, wpipe, err := os.Pipe()
+	if err != nil {
+		return err
+	}
+
+	// Prepare a pipe that the child process will use to communicate
+	// its success or failure with us, the parent
+	sigrpipe, sigwpipe, err := os.Pipe()
+	if err != nil {
+		return err
+	}
+
+	// Pass along current environment and file descriptors to child.
+	// Ordering here is very important: stdin, stdout, stderr, sigpipe,
+	// and then the listener file descriptors (in order).
+	fds := []uintptr{rpipe.Fd(), os.Stdout.Fd(), os.Stderr.Fd(), sigwpipe.Fd()}
+
+	// Now add file descriptors of the sockets
+	serversMu.Lock()
+	for i, s := range servers {
+		fds = append(fds, s.ListenerFd())
+		cdyfileGob.ListenerFds[s.Addr] = uintptr(4 + i) // 4 fds come before any of the listeners
+	}
+	serversMu.Unlock()
+
+	// Fork the process with the current environment and file descriptors
+	execSpec := &syscall.ProcAttr{
+		Env:   os.Environ(),
+		Files: fds,
+	}
+	_, err = syscall.ForkExec(os.Args[0], os.Args, execSpec)
+	if err != nil {
+		return err
+	}
+
+	// Feed it the Caddyfile
+	err = gob.NewEncoder(wpipe).Encode(cdyfileGob)
+	if err != nil {
+		return err
+	}
+	wpipe.Close()
+
+	// Wait for child process to signal success or fail
+	sigwpipe.Close() // close our copy of the write end of the pipe or we might be stuck
+	answer, err := ioutil.ReadAll(sigrpipe)
+	if err != nil || len(answer) == 0 {
+		log.Println("restart: child failed to initialize; changes not applied")
+		return incompleteRestartErr
+	}
+
+	// Child process is listening now; we can stop all our servers here.
+	return Stop()
+}
--- a/caddy/restart_windows.go
+++ b/caddy/restart_windows.go
+package caddy
+
+func Restart(newCaddyfile Input) error {
+	if newCaddyfile == nil {
+		caddyfileMu.Lock()
+		newCaddyfile = caddyfile
+		caddyfileMu.Unlock()
+	}
+
+	wg.Add(1) // barrier so Wait() doesn't unblock
+
+	err := Stop()
+	if err != nil {
+		return err
+	}
+
+	err = Start(newCaddyfile)
+	if err != nil {
+		return err
+	}
+
+	wg.Done() // take down our barrier
+
+	return nil
+}
--- a/config/setup/basicauth.go
+++ b/config/setup/basicauth.go
--- a/config/setup/basicauth_test.go
+++ b/config/setup/basicauth_test.go
--- a/config/setup/bindhost.go
+++ b/config/setup/bindhost.go
--- a/config/setup/browse.go
+++ b/config/setup/browse.go
--- a/config/setup/controller.go
+++ b/config/setup/controller.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/mholt/caddy/config/parse"
+	"github.com/mholt/caddy/caddy/parse"
 	"github.com/mholt/caddy/middleware"
 	"github.com/mholt/caddy/server"
 )

--- a/config/setup/errors.go
+++ b/config/setup/errors.go
--- a/config/setup/errors_test.go
+++ b/config/setup/errors_test.go
--- a/config/setup/ext.go
+++ b/config/setup/ext.go
--- a/config/setup/ext_test.go
+++ b/config/setup/ext_test.go
--- a/config/setup/fastcgi.go
+++ b/config/setup/fastcgi.go
--- a/config/setup/fastcgi_test.go
+++ b/config/setup/fastcgi_test.go
--- a/config/setup/gzip.go
+++ b/config/setup/gzip.go
--- a/config/setup/gzip_test.go
+++ b/config/setup/gzip_test.go
--- a/config/setup/headers.go
+++ b/config/setup/headers.go
--- a/config/setup/headers_test.go
+++ b/config/setup/headers_test.go
--- a/config/setup/internal.go
+++ b/config/setup/internal.go
--- a/config/setup/internal_test.go
+++ b/config/setup/internal_test.go
--- a/config/setup/log.go
+++ b/config/setup/log.go
--- a/config/setup/log_test.go
+++ b/config/setup/log_test.go
--- a/config/setup/markdown.go
+++ b/config/setup/markdown.go
--- a/config/setup/markdown_test.go
+++ b/config/setup/markdown_test.go
--- a/config/setup/mime.go
+++ b/config/setup/mime.go
--- a/config/setup/mime_test.go
+++ b/config/setup/mime_test.go
--- a/config/setup/proxy.go
+++ b/config/setup/proxy.go
--- a/config/setup/redir.go
+++ b/config/setup/redir.go
--- a/config/setup/rewrite.go
+++ b/config/setup/rewrite.go
--- a/config/setup/rewrite_test.go
+++ b/config/setup/rewrite_test.go
--- a/config/setup/roller.go
+++ b/config/setup/roller.go
--- a/config/setup/root.go
+++ b/config/setup/root.go
--- a/config/setup/root_test.go
+++ b/config/setup/root_test.go
--- a/config/setup/startupshutdown.go
+++ b/config/setup/startupshutdown.go
--- a/config/setup/startupshutdown_test.go
+++ b/config/setup/startupshutdown_test.go
--- a/config/setup/templates.go
+++ b/config/setup/templates.go
--- a/config/setup/templates_test.go
+++ b/config/setup/templates_test.go
--- a/config/setup/testdata/blog/first_post.md
+++ b/config/setup/testdata/blog/first_post.md
--- a/config/setup/testdata/header.html
+++ b/config/setup/testdata/header.html
--- a/config/setup/testdata/tpl_with_include.html
+++ b/config/setup/testdata/tpl_with_include.html
--- a/config/setup/tls.go
+++ b/config/setup/tls.go
@@ -9,24 +9,37 @@ import (
 )

 func TLS(c *Controller) (middleware.Middleware, error) {
-	c.TLS.Enabled = true
-
 	if c.Port == "http" {
 		c.TLS.Enabled = false
 		log.Printf("Warning: TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
 			"specify port 80 explicitly (https://%s:80).", c.Port, c.Host, c.Host)
+	} else {
+		c.TLS.Enabled = true // they had a tls directive, so assume it's on unless we confirm otherwise later
 	}

 	for c.Next() {
-		if !c.NextArg() {
-			return nil, c.ArgErr()
-		}
-		c.TLS.Certificate = c.Val()
+		args := c.RemainingArgs()
+		switch len(args) {
+		case 1:
+			c.TLS.LetsEncryptEmail = args[0]

-		if !c.NextArg() {
+			// user can force-disable LE activation this way
+			if c.TLS.LetsEncryptEmail == "off" {
+				c.TLS.Enabled = false
+			}
+		case 2:
+			c.TLS.Certificate = args[0]
+			c.TLS.Key = args[1]
+
+			// manual HTTPS configuration without port specified should be
+			// served on the HTTPS port; that is what user would expect, and
+			// makes it consistent with how the letsencrypt package works.
+			if c.Port == "" {
+				c.Port = "https"
+			}
+		default:
 			return nil, c.ArgErr()
 		}
-		c.TLS.Key = c.Val()

 		// Optional block
 		for c.NextBlock() {

--- a/config/setup/tls_test.go
+++ b/config/setup/tls_test.go
@@ -70,14 +70,7 @@ func TestTLSParseIncompleteParams(t *testing.T) {

 	_, err := TLS(c)
 	if err == nil {
-		t.Errorf("Expected errors, but no error returned")
-	}
-
-	c = NewTestController(`tls cert.key`)
-
-	_, err = TLS(c)
-	if err == nil {
-		t.Errorf("Expected errors, but no error returned")
+		t.Errorf("Expected errors (first check), but no error returned")
 	}
 }


--- a/config/setup/websocket.go
+++ b/config/setup/websocket.go
--- a/config/setup/websocket_test.go
+++ b/config/setup/websocket_test.go
--- a/caddy/sigtrap.go
+++ b/caddy/sigtrap.go
+package caddy
+
+import (
+	"log"
+	"os"
+	"os/signal"
+
+	"github.com/mholt/caddy/server"
+)
+
+func init() {
+	// Trap quit signals (cross-platform)
+	go func() {
+		shutdown := make(chan os.Signal, 1)
+		signal.Notify(shutdown, os.Interrupt, os.Kill)
+		<-shutdown
+
+		var exitCode int
+
+		serversMu.Lock()
+		errs := server.ShutdownCallbacks(servers)
+		serversMu.Unlock()
+
+		if len(errs) > 0 {
+			for _, err := range errs {
+				log.Println(err)
+			}
+			exitCode = 1
+		}
+
+		os.Exit(exitCode)
+	}()
+}
--- a/caddy/sigtrap_posix.go
+++ b/caddy/sigtrap_posix.go
+// +build !windows
+
+package caddy
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+func init() {
+	// Trap POSIX-only signals
+	go func() {
+		reload := make(chan os.Signal, 1)
+		signal.Notify(reload, syscall.SIGUSR1) // reload configuration
+
+		for {
+			<-reload
+
+			var updatedCaddyfile Input
+
+			caddyfileMu.Lock()
+			if caddyfile.IsFile() {
+				body, err := ioutil.ReadFile(caddyfile.Path())
+				if err == nil {
+					caddyfile = CaddyfileInput{
+						Filepath: caddyfile.Path(),
+						Contents: body,
+						RealFile: true,
+					}
+				}
+			}
+			caddyfileMu.Unlock()
+
+			err := Restart(updatedCaddyfile)
+			if err != nil {
+				log.Println("error at restart:", err)
+			}
+		}
+	}()
+}
--- a/dist/CHANGES.txt
+++ b/dist/CHANGES.txt
 CHANGES

-<master>
+0.8 beta
+- Let's Encrypt (free, automatic, fully-managed HTTPS for your sites)
+- Graceful restarts (for POSIX-compatible systems)
+- Major internal refactoring to allow use of Caddy as library
 - New directive 'mime' to customize Content-Type based on file extension
+- New -accept flag to accept Let's Encrypt SA without prompt
+- New -email flag to customize default email used for ACME transactions
+- New -ca flag to customize ACME CA server URL
+- New -revoke flag to revoke a certificate
+- browse: Render filenames with multiple whitespace properly
+- markdown: Include Last-Modified header in response
+- startup, shutdown: Better Windows support
+- templates: Bug fix for .Host when port is absent
+- templates: Include Last-Modified header in response
+- templates: Support for custom delimiters
+- tls: For non-local hosts, default port is now 443 unless specified
+- tls: Force-disable HTTPS
+- tls: Specify Let's Encrypt email address
+- Many, many more tests and numerous bug fixes and improvements


 0.7.6 (September 28, 2015)

--- a/dist/README.txt
+++ b/dist/README.txt
-CADDY 0.7.6
+CADDY 0.8 beta

 Website
 	https://caddyserver.com

--- a/main.go
+++ b/main.go
 package main

 import (
-	"bytes"
+	"errors"
 	"flag"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
-	"path"
 	"runtime"
 	"strconv"
 	"strings"

-	"github.com/mholt/caddy/app"
-	"github.com/mholt/caddy/config"
-	"github.com/mholt/caddy/server"
+	"github.com/mholt/caddy/caddy"
+	"github.com/mholt/caddy/caddy/letsencrypt"
 )

 var (
 	conf    string
 	cpu     string
 	version bool
+	revoke  string
+)
+
+const (
+	appName    = "Caddy"
+	appVersion = "0.8 beta"
 )

 func init() {
-	flag.StringVar(&conf, "conf", "", "Configuration file to use (default="+config.DefaultConfigFile+")")
-	flag.BoolVar(&app.HTTP2, "http2", true, "Enable HTTP/2 support") // TODO: temporary flag until http2 merged into std lib
-	flag.BoolVar(&app.Quiet, "quiet", false, "Quiet mode (no initialization output)")
+	flag.StringVar(&conf, "conf", "", "Configuration file to use (default="+caddy.DefaultConfigFile+")")
+	flag.BoolVar(&caddy.HTTP2, "http2", true, "HTTP/2 support") // TODO: temporary flag until http2 merged into std lib
+	flag.BoolVar(&caddy.Quiet, "quiet", false, "Quiet mode (no initialization output)")
 	flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
-	flag.StringVar(&config.Root, "root", config.DefaultRoot, "Root path to default site")
-	flag.StringVar(&config.Host, "host", config.DefaultHost, "Default host")
-	flag.StringVar(&config.Port, "port", config.DefaultPort, "Default port")
+	flag.StringVar(&caddy.Root, "root", caddy.DefaultRoot, "Root path to default site")
+	flag.StringVar(&caddy.Host, "host", caddy.DefaultHost, "Default host")
+	flag.StringVar(&caddy.Port, "port", caddy.DefaultPort, "Default port")
 	flag.BoolVar(&version, "version", false, "Show version")
+	// TODO: Boulder dev URL is: http://192.168.99.100:4000
+	// TODO: Staging API URL is: https://acme-staging.api.letsencrypt.org
+	// TODO: Production endpoint is: https://acme-v01.api.letsencrypt.org
+	flag.StringVar(&letsencrypt.CAUrl, "ca", "https://acme-staging.api.letsencrypt.org", "Certificate authority ACME server")
+	flag.BoolVar(&letsencrypt.Agreed, "agree", false, "Agree to Let's Encrypt Subscriber Agreement")
+	flag.StringVar(&letsencrypt.DefaultEmail, "email", "", "Default Let's Encrypt account email address")
+	flag.StringVar(&revoke, "revoke", "", "Hostname for which to revoke the certificate")
 }

 func main() {
 	flag.Parse()

+	caddy.AppName = appName
+	caddy.AppVersion = appVersion
+
 	if version {
-		fmt.Printf("%s %s\n", app.Name, app.Version)
+		fmt.Printf("%s %s\n", caddy.AppName, caddy.AppVersion)
+		os.Exit(0)
+	}
+	if revoke != "" {
+		err := letsencrypt.Revoke(revoke)
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Printf("Revoked certificate for %s\n", revoke)
 		os.Exit(0)
 	}

 	// Set CPU cap
-	err := app.SetCPU(cpu)
+	err := setCPU(cpu)
 	if err != nil {
 		log.Fatal(err)
 	}

-	// Load config from file
-	addresses, err := loadConfigs()
+	// Get Caddyfile input
+	caddyfile, err := caddy.LoadCaddyfile(loadCaddyfile)
 	if err != nil {
 		log.Fatal(err)
 	}

-	// Start each server with its one or more configurations
-	for addr, configs := range addresses {
-		s, err := server.New(addr.String(), configs)
-		if err != nil {
-			log.Fatal(err)
-		}
-		s.HTTP2 = app.HTTP2 // TODO: This setting is temporary
-		app.Wg.Add(1)
-		go func(s *server.Server) {
-			defer app.Wg.Done()
-			err := s.Serve()
-			if err != nil {
-				log.Fatal(err) // kill whole process to avoid a half-alive zombie server
-			}
-		}(s)
-
-		app.Servers = append(app.Servers, s)
-	}
-
-	// Show initialization output
-	if !app.Quiet {
-		var checkedFdLimit bool
-		for addr, configs := range addresses {
-			for _, conf := range configs {
-				// Print address of site
-				fmt.Println(conf.Address())
-
-				// Note if non-localhost site resolves to loopback interface
-				if addr.IP.IsLoopback() && !isLocalhost(conf.Host) {
-					fmt.Printf("Notice: %s is only accessible on this machine (%s)\n",
-						conf.Host, addr.IP.String())
-				}
-				if !checkedFdLimit && !addr.IP.IsLoopback() && !isLocalhost(conf.Host) {
-					checkFdlimit()
-					checkedFdLimit = true
-				}
-			}
-		}
-	}
-
-	// Wait for all listeners to stop
-	app.Wg.Wait()
-}
-
-// checkFdlimit issues a warning if the OS max file descriptors is below a recommended minimum.
-func checkFdlimit() {
-	const min = 4096
-
-	// Warn if ulimit is too low for production sites
-	if runtime.GOOS == "linux" || runtime.GOOS == "darwin" {
-		out, err := exec.Command("sh", "-c", "ulimit -n").Output() // use sh because ulimit isn't in Linux $PATH
-		if err == nil {
-			// Note that an error here need not be reported
-			lim, err := strconv.Atoi(string(bytes.TrimSpace(out)))
-			if err == nil && lim < min {
-				fmt.Printf("Warning: File descriptor limit %d is too low for production sites. At least %d is recommended. Set with \"ulimit -n %d\".\n", lim, min, min)
-			}
-		}
+	// Start your engines
+	err = caddy.Start(caddyfile)
+	if err != nil {
+		log.Fatal(err)
 	}
-}

-// isLocalhost returns true if the string looks explicitly like a localhost address.
-func isLocalhost(s string) bool {
-	return s == "localhost" || s == "::1" || strings.HasPrefix(s, "127.")
+	// Twiddle your thumbs
+	caddy.Wait()
 }

-// loadConfigs loads configuration from a file or stdin (piped).
-// The configurations are grouped by bind address.
-// Configuration is obtained from one of four sources, tried
-// in this order: 1. -conf flag, 2. stdin, 3. command line argument 4. Caddyfile.
-// If none of those are available, a default configuration is loaded.
-func loadConfigs() (config.Group, error) {
+func loadCaddyfile() (caddy.Input, error) {
 	// -conf flag
 	if conf != "" {
-		file, err := os.Open(conf)
+		contents, err := ioutil.ReadFile(conf)
 		if err != nil {
 			return nil, err
 		}
-		defer file.Close()
-		return config.Load(path.Base(conf), file)
+		return caddy.CaddyfileInput{
+			Contents: contents,
+			Filepath: conf,
+			RealFile: true,
+		}, nil
 	}

-	// stdin
-	fi, err := os.Stdin.Stat()
-	if err == nil && fi.Mode()&os.ModeCharDevice == 0 {
-		// Note that a non-nil error is not a problem. Windows
-		// will not create a stdin if there is no pipe, which
-		// produces an error when calling Stat(). But Unix will
-		// make one either way, which is why we also check that
-		// bitmask.
-		confBody, err := ioutil.ReadAll(os.Stdin)
-		if err != nil {
-			log.Fatal(err)
-		}
-		if len(confBody) > 0 {
-			return config.Load("stdin", bytes.NewReader(confBody))
-		}
-	}
-
-	// Command line Arg
+	// command line args
 	if flag.NArg() > 0 {
-		confBody := ":" + config.DefaultPort + "\n" + strings.Join(flag.Args(), "\n")
-		return config.Load("args", bytes.NewBufferString(confBody))
+		confBody := ":" + caddy.DefaultPort + "\n" + strings.Join(flag.Args(), "\n")
+		return caddy.CaddyfileInput{
+			Contents: []byte(confBody),
+			Filepath: "args",
+		}, nil
 	}

-	// Caddyfile
-	file, err := os.Open(config.DefaultConfigFile)
+	// Caddyfile in cwd
+	contents, err := ioutil.ReadFile(caddy.DefaultConfigFile)
 	if err != nil {
 		if os.IsNotExist(err) {
-			return config.Default()
+			return caddy.DefaultInput, nil
 		}
 		return nil, err
 	}
-	defer file.Close()
+	return caddy.CaddyfileInput{
+		Contents: contents,
+		Filepath: caddy.DefaultConfigFile,
+		RealFile: true,
+	}, nil
+}
+
+// setCPU parses string cpu and sets GOMAXPROCS
+// according to its value. It accepts either
+// a number (e.g. 3) or a percent (e.g. 50%).
+func setCPU(cpu string) error {
+	var numCPU int
+
+	availCPU := runtime.NumCPU()
+
+	if strings.HasSuffix(cpu, "%") {
+		// Percent
+		var percent float32
+		pctStr := cpu[:len(cpu)-1]
+		pctInt, err := strconv.Atoi(pctStr)
+		if err != nil || pctInt < 1 || pctInt > 100 {
+			return errors.New("invalid CPU value: percentage must be between 1-100")
+		}
+		percent = float32(pctInt) / 100
+		numCPU = int(float32(availCPU) * percent)
+	} else {
+		// Number
+		num, err := strconv.Atoi(cpu)
+		if err != nil || num < 1 {
+			return errors.New("invalid CPU value: provide a number or percent greater than 0")
+		}
+		numCPU = num
+	}
+
+	if numCPU > availCPU {
+		numCPU = availCPU
+	}

-	return config.Load(config.DefaultConfigFile, file)
+	runtime.GOMAXPROCS(numCPU)
+	return nil
 }
--- a/app/app_test.go
+++ b/app/app_test.go
-package app_test
+package main

 import (
 	"runtime"
 	"testing"
-
-	"github.com/mholt/caddy/app"
 )

 func TestSetCPU(t *testing.T) {
@@ -26,7 +24,7 @@ func TestSetCPU(t *testing.T) {
 		{"invalid input%", currentCPU, true},
 		{"9999", maxCPU, false}, // over available CPU
 	} {
-		err := app.SetCPU(test.input)
+		err := setCPU(test.input)
 		if test.shouldErr && err == nil {
 			t.Errorf("Test %d: Expected error, but there wasn't any", i)
 		}

--- a/middleware/proxy/upstream.go
+++ b/middleware/proxy/upstream.go
@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"

-	"github.com/mholt/caddy/config/parse"
+	"github.com/mholt/caddy/caddy/parse"
 )

 var (

--- a/server/config.go
+++ b/server/config.go
@@ -50,13 +50,13 @@ func (c Config) Address() string {
 	return net.JoinHostPort(c.Host, c.Port)
 }

-// TLSConfig describes how TLS should be configured and used,
-// if at all. A certificate and key are both required.
-// The rest is optional.
+// TLSConfig describes how TLS should be configured and used.
 type TLSConfig struct {
 	Enabled                  bool
 	Certificate              string
 	Key                      string
+	LetsEncryptEmail         string
+	OCSPStaple               []byte
 	Ciphers                  []uint16
 	ProtocolMinVersion       uint16
 	ProtocolMaxVersion       uint16

--- a/server/graceful.go
+++ b/server/graceful.go
+package server
+
+import (
+	"net"
+	"os"
+	"sync"
+	"syscall"
+)
+
+// newGracefulListener returns a gracefulListener that wraps l and
+// uses wg (stored in the host server) to count connections.
+func newGracefulListener(l ListenerFile, wg *sync.WaitGroup) *gracefulListener {
+	gl := &gracefulListener{ListenerFile: l, stop: make(chan error), httpWg: wg}
+	go func() {
+		<-gl.stop
+		gl.stopped = true
+		gl.stop <- gl.ListenerFile.Close()
+	}()
+	return gl
+}
+
+// gracefuListener is a net.Listener which can
+// count the number of connections on it. Its
+// methods mainly wrap net.Listener to be graceful.
+type gracefulListener struct {
+	ListenerFile
+	stop    chan error
+	stopped bool
+	httpWg  *sync.WaitGroup // pointer to the host's wg used for counting connections
+}
+
+// Accept accepts a connection. This type wraps
+func (gl *gracefulListener) Accept() (c net.Conn, err error) {
+	c, err = gl.ListenerFile.Accept()
+	if err != nil {
+		return
+	}
+	c = gracefulConn{Conn: c, httpWg: gl.httpWg}
+	gl.httpWg.Add(1)
+	return
+}
+
+// Close immediately closes the listener.
+func (gl *gracefulListener) Close() error {
+	if gl.stopped {
+		return syscall.EINVAL
+	}
+	gl.stop <- nil
+	return <-gl.stop
+}
+
+// File implements ListenerFile; it gets the file of the listening socket.
+func (gl *gracefulListener) File() (*os.File, error) {
+	return gl.ListenerFile.File()
+}
+
+// gracefulConn represents a connection on a
+// gracefulListener so that we can keep track
+// of the number of connections, thus facilitating
+// a graceful shutdown.
+type gracefulConn struct {
+	net.Conn
+	httpWg *sync.WaitGroup // pointer to the host server's connection waitgroup
+}
+
+// Close closes c's underlying connection while updating the wg count.
+func (c gracefulConn) Close() error {
+	err := c.Conn.Close()
+	if err != nil {
+		return err
+	}
+	// close can fail on http2 connections (as of Oct. 2015, before http2 in std lib)
+	// so don't decrement count unless close succeeds
+	c.httpWg.Done()
+	return nil
+}
--- a/server/server.go
+++ b/server/server.go