diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
new file mode 100644
index 000000000..ec9d282e1
--- /dev/null
+++ b/.github/workflows/code-review.yml
@@ -0,0 +1,12 @@
+name: Code Review
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  code-review:
+    uses: webmin/webmin-ci-cd/.github/workflows/code-review.yml@main
+    secrets:
+      CODE_REVIEW_API_KEY: ${{ secrets.CODE_REVIEW_API_KEY }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000000000..a07d9ff89
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,19 @@
+name: Tests
+
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+jobs:
+  prove:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Perl::Critic
+        run: sudo apt-get update && sudo apt-get install -y libperl-critic-perl
+      - name: prove -lr
+        run: prove -lr
diff --git a/.github/workflows/webmin.dev+webmin.yml b/.github/workflows/webmin.dev+webmin.yml
index 1ec6e6523..8ee6d540e 100644
--- a/.github/workflows/webmin.dev+webmin.yml
+++ b/.github/workflows/webmin.dev+webmin.yml
@@ -26,3 +26,4 @@ jobs:
       DEV_SSH_PRV_KEY: ${{ secrets.DEV_SSH_PRV_KEY }}
       ALL_GPG_PH2: ${{ secrets.ALL_GPG_PH2 }}
       CODE_REVIEW_API_KEY: ${{ secrets.CODE_REVIEW_API_KEY }}
+      CODE_REVIEW_SMTP_PASSWORD: ${{ secrets.CODE_REVIEW_SMTP_PASSWORD }}
diff --git a/acl/acl-lib.pl b/acl/acl-lib.pl
index 765286004..809f0ee44 100755
--- a/acl/acl-lib.pl
+++ b/acl/acl-lib.pl
@@ -1809,6 +1809,7 @@ foreach my $g (&list_groups()) {
 		return $g;
 		}
 	}
+return;
 }
 
 =head2 check_password_restrictions(username, password)
diff --git a/acl/log_parser.pl b/acl/log_parser.pl
index e164d976e..d61cf8d9c 100755
--- a/acl/log_parser.pl
+++ b/acl/log_parser.pl
@@ -16,8 +16,9 @@ my ($user, $script, $action, $type, $object, $p) = @_;
 my $g = $type eq 'group' ? "_g" : "";
 if ($action eq 'modify') {
 	if ($p->{'old'} ne $p->{'name'}) {
-		return &text('log_rename'.$g, "<tt>$p->{'old'}</tt>",
-					      "<tt>$p->{'name'}</tt>");
+		return &text('log_rename'.$g,
+			     "<tt>".&html_escape($p->{'old'})."</tt>",
+			     "<tt>".&html_escape($p->{'name'})."</tt>");
 		}
 	else {
 		return &text('log_modify'.$g,
@@ -26,7 +27,8 @@ if ($action eq 'modify') {
 	}
 elsif ($action eq 'create') {
 	if ($p->{'clone'}) {
-		return &text('log_clone'.$g, "<tt>$p->{'clone'}</tt>",
+		return &text('log_clone'.$g,
+			     "<tt>".&html_escape($p->{'clone'})."</tt>",
 			     "<tt>".&html_escape($object)."</tt>");
 		}
 	else {
@@ -36,21 +38,23 @@ elsif ($action eq 'create') {
 	}
 elsif ($action eq 'delete') {
 	if ($type eq "users" || $type eq "groups") {
-		return &text('log_delete_'.$type, $object);
+		return &text('log_delete_'.$type, &html_escape($object));
 		}
 	else {
-		return &text('log_delete'.$g, "<tt>$object</tt>");
+		return &text('log_delete'.$g,
+			     "<tt>".&html_escape($object)."</tt>");
 		}
 	}
 elsif ($action eq 'joingroup') {
-	return &text('log_joingroup', $object, $p->{'group'});
+	return &text('log_joingroup', &html_escape($object),
+		     &html_escape($p->{'group'}));
 	}
 elsif ($action eq 'acl') {
-	return &text('log_acl', "<tt>$object</tt>",
+	return &text('log_acl', "<tt>".&html_escape($object)."</tt>",
 		     "<i>".&html_escape($p->{'moddesc'})."</i>");
 	}
 elsif ($action eq 'reset') {
-	return &text('log_reset', "<tt>$object</tt>",
+	return &text('log_reset', "<tt>".&html_escape($object)."</tt>",
 		     "<i>".&html_escape($p->{'moddesc'})."</i>");
 	}
 elsif ($action eq 'cert') {
@@ -60,7 +64,9 @@ elsif ($action eq 'switch') {
 	return &text('log_switch', "<tt>".&html_escape($object)."</tt>");
 	}
 elsif ($action eq 'twofactor') {
-	return &text('log_twofactor', $object, $p->{'provider'}, $p->{'id'});
+	return &text('log_twofactor', &html_escape($object),
+		     &html_escape($p->{'provider'}),
+		     &html_escape($p->{'id'}));
 	}
 elsif ($action eq 'forgot') {
 	return &text('log_forgot_'.$type, &html_escape($p->{'user'}),
diff --git a/acl/t/run-tests.t b/acl/t/run-tests.t
new file mode 100644
index 000000000..5f81caae0
--- /dev/null
+++ b/acl/t/run-tests.t
@@ -0,0 +1,1381 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use Test::More;
+use Cwd qw(abs_path);
+use File::Temp qw(tempdir);
+
+sub script_dir
+{
+    my $path = $0;
+    if ($path =~ m{^/}) {
+        $path =~ s{/[^/]+$}{};
+        return $path;
+    }
+    my $cwd = `pwd`;
+    chomp($cwd);
+    if ($path =~ m{/}) {
+        $path =~ s{/[^/]+$}{};
+        return $cwd.'/'.$path;
+    }
+    return $cwd;
+}
+
+my $bindir = script_dir();
+my $rootdir = abs_path("$bindir/../..") or die "rootdir: $!";
+
+my $confdir = tempdir(CLEANUP => 1);
+my $vardir = tempdir(CLEANUP => 1);
+open(my $cfh, ">", "$confdir/config") or die "config: $!";
+# generic-linux (not just "linux") is what real modules list in their
+# module.info os_support, so check_os_support() actually finds them.
+print $cfh "os_type=generic-linux\nos_version=0\n";
+close($cfh);
+open(my $vfh, ">", "$confdir/var-path") or die "var-path: $!";
+print $vfh "$vardir\n";
+close($vfh);
+$ENV{'WEBMIN_CONFIG'} = $confdir;
+$ENV{'WEBMIN_VAR'} = $vardir;
+$ENV{'FOREIGN_MODULE_NAME'} = 'acl';
+$ENV{'FOREIGN_ROOT_DIRECTORY'} = $rootdir;
+
+chdir("$bindir/..") or die "chdir: $!";
+
+require "$bindir/../acl-lib.pl";
+{
+    my $r = do "$bindir/../acl_security.pl";
+    if ($@) { die "compile acl_security.pl: $@" }
+    if (!defined($r) && $!) { die "open acl_security.pl: $!" }
+}
+{
+    my $r = do "$bindir/../log_parser.pl";
+    if ($@) { die "compile log_parser.pl: $@" }
+    if (!defined($r) && $!) { die "open log_parser.pl: $!" }
+}
+our (%text, %in, %gconfig);
+
+# Stage 2 fixture: a fully self-contained miniserv.conf + empty user/group/acl
+# files under $confdir, plus stubs for side-effecting subs so tests don't try
+# to signal a real miniserv or scan the whole module tree.
+my $userfile = "$confdir/miniserv.users";
+my $groupfile = "$confdir/webmin.groups";
+my $aclfile = "$confdir/webmin.acl";
+my $miniservconf = "$confdir/miniserv.conf";
+sub _touch { open(my $f, ">", $_[0]) or die "$_[0]: $!"; close($f); }
+_touch($userfile);
+_touch($groupfile);
+_touch($aclfile);
+open(my $mfh, ">", $miniservconf) or die "$miniservconf: $!";
+print $mfh "userfile=$userfile\n";
+print $mfh "keyfile=$confdir/miniserv.pem\n";
+print $mfh "pidfile=$vardir/miniserv.pid\n";
+# Needed so @root_directories has a real value; without this,
+# get_all_module_infos can't enumerate any modules.
+print $mfh "root=$rootdir\n";
+close($mfh);
+$ENV{'MINISERV_CONFIG'} = $miniservconf;
+
+{
+    no warnings 'redefine', 'once';
+    *reload_miniserv  = sub { };
+    *restart_miniserv = sub { };
+    # list_modules() scans the whole module tree; for write-path tests we
+    # only need a small deterministic list.
+    *list_modules = sub { return qw(useradmin apache); };
+}
+
+sub _clear_caches
+{
+    no warnings 'once';
+    # read_file_cached() cache
+    undef(%main::read_file_cache);
+    undef(%main::read_file_missing);
+    undef(%main::read_file_cache_time);
+    # read_file_lines() cache (used by list_groups, modify_group, delete_group)
+    undef(%main::file_cache);
+    undef(%main::file_cache_eol);
+    undef(%main::file_cache_noflush);
+    # read_acl() caches
+    undef(%main::acl_hash_cache);
+    undef(%main::acl_array_cache);
+}
+
+sub _reset_fixture
+{
+    _touch($userfile);
+    _touch($groupfile);
+    _touch($aclfile);
+    _clear_caches();
+    # Drop per-user gconfig keys so previous tests don't leak.
+    foreach my $k (keys %gconfig) {
+        delete($gconfig{$k}) if $k =~ /_(alice|bob|carol|anonymous|testu1)\b/;
+    }
+}
+
+# ---------------------------------------------------------------------------
+# CGI subprocess harness (Stage 3)
+#
+# The acl/*.cgi scripts are imperative top-to-bottom: no caller-guard, no
+# sub definitions, no entry point we can require-and-call. To test them at
+# the contract level we spawn each as a real subprocess with a constructed
+# CGI environment, feed it a POST body, and assert on what an attacker
+# would actually see: the redirect target on success, or the error page on
+# failure.
+#
+# Lever for %access: acl-lib.pl line 24 does `our %access = &get_module_acl();`
+# which reads <confdir>/acl/<base_remote_user>.acl. _seed_user_acl writes that
+# file, so each test controls the caller's privileges directly.
+use IPC::Open3 ();
+use Symbol qw(gensym);
+
+my $cgidir = "$confdir/acl";
+mkdir($cgidir) or die "$cgidir: $!" unless -d $cgidir;
+
+sub _urlenc {
+    my $s = shift;
+    $s = '' if !defined $s;
+    $s =~ s/([^A-Za-z0-9._~-])/sprintf('%%%02X', ord($1))/ge;
+    return $s;
+}
+
+# Write <confdir>/acl/<user>.acl. Pass a hashref of ACL keys (create, edit,
+# delete, switch, mode, mods, gassign, users, groups, perms, etc.).
+sub _seed_user_acl {
+    my ($user, $acl) = @_;
+    open(my $fh, ">", "$cgidir/$user.acl") or die "$cgidir/$user.acl: $!";
+    for my $k (sort keys %$acl) {
+        print $fh "$k=$acl->{$k}\n";
+    }
+    close($fh);
+    _clear_caches();
+}
+
+# Build a urlencoded POST body from a form hashref. Array values get repeated.
+sub _form_body {
+    my ($form) = @_;
+    my $body = '';
+    for my $k (sort keys %$form) {
+        my @vals = ref($form->{$k}) eq 'ARRAY' ? @{$form->{$k}} : ($form->{$k});
+        for my $v (@vals) {
+            $body .= '&' if length $body;
+            $body .= _urlenc($k) . '=' . _urlenc($v);
+        }
+    }
+    return $body;
+}
+
+# Spawn an acl/ CGI as a subprocess.
+# Returns a hashref: { out => stdout, err => stderr, status => exit code,
+#                      location => Location: target if any,
+#                      body => response body after blank line }.
+sub run_cgi {
+    my ($cgi, $form, %opts) = @_;
+    my $body = _form_body($form || {});
+    my $user = exists $opts{user} ? $opts{user} : 'admin';
+
+    my %env = (
+        PATH                   => $ENV{PATH},
+        WEBMIN_CONFIG          => $confdir,
+        WEBMIN_VAR             => $vardir,
+        FOREIGN_MODULE_NAME    => 'acl',
+        FOREIGN_ROOT_DIRECTORY => $rootdir,
+        MINISERV_CONFIG        => $miniservconf,
+        REQUEST_METHOD         => 'POST',
+        SCRIPT_NAME            => "/acl/$cgi",
+        CONTENT_TYPE           => 'application/x-www-form-urlencoded',
+        CONTENT_LENGTH         => length($body),
+        SERVER_NAME            => 'localhost',
+        SERVER_PORT            => '10000',
+        HTTP_HOST              => 'localhost:10000',
+    );
+    if (defined $user) {
+        $env{REMOTE_USER}      = $user;
+        $env{BASE_REMOTE_USER} = $user;
+    }
+    if ($opts{env}) {
+        $env{$_} = $opts{env}{$_} for keys %{$opts{env}};
+    }
+
+    my $errfh = gensym();
+    my $pid;
+    {
+        local %ENV = %env;
+        # Run from inside the acl module dir so `require './acl-lib.pl'`
+        # works as it does under miniserv.
+        $pid = IPC::Open3::open3(my $in, my $out, $errfh,
+                                 $^X, "-I$rootdir", "$rootdir/acl/$cgi");
+        print $in $body if length $body;
+        close($in);
+
+        my ($stdout, $stderr) = ('', '');
+        # Read both streams non-deterministically to avoid pipe deadlock on
+        # very chatty CGIs. The body sizes here are small so a draining
+        # order is fine.
+        local $/;
+        $stdout = <$out>; $stdout = '' if !defined $stdout;
+        $stderr = <$errfh>; $stderr = '' if !defined $stderr;
+        close($out); close($errfh);
+        waitpid($pid, 0);
+        my $status = $? >> 8;
+
+        my ($location) = $stdout =~ /^Location:\s*(\S+)/m;
+        my ($hdr, $rbody) = split(/\r?\n\r?\n/, $stdout, 2);
+        $rbody = '' if !defined $rbody;
+        return {
+            out      => $stdout,
+            err      => $stderr,
+            status   => $status,
+            location => $location,
+            body     => $rbody,
+        };
+    }
+}
+
+# Sanity: libs loaded and key subs are visible.
+ok(defined &encrypt_password, 'acl-lib loaded encrypt_password');
+ok(defined &validate_password, 'acl-lib loaded validate_password');
+ok(defined &acl_security_save, 'acl_security.pl loaded acl_security_save');
+ok(defined &list_acl_yesno_fields, 'acl_security.pl loaded list_acl_yesno_fields');
+
+# to64: small deterministic vectors over the itoa64 alphabet
+#   "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+is(to64(0, 1), '.', 'to64 first char');
+is(to64(1, 1), '/', 'to64 second char');
+is(to64(63, 1), 'z', 'to64 last char');
+is(to64(63, 2), 'z.', 'to64 two chars zero high');
+is(to64(65, 2), '//', 'to64 spans 6-bit boundary');
+
+# obsfucate_email: deterministic mask
+is(obsfucate_email('foo@bar.com'), 'f**@b**.c**',
+   'obsfucate_email three-letter labels');
+is(obsfucate_email('a@b.c'), 'a@b.c',
+   'obsfucate_email single-letter labels unchanged');
+is(obsfucate_email('alice@mail.example.co.uk'),
+   'a****@m***.e******.c*.u*',
+   'obsfucate_email multi-label domain');
+
+# md5-lib: encrypt / validate round-trips per scheme.
+# Each check_* returns a missing-module name or undef-when-supported, which
+# we use as the skip gate so tests pass on a minimal box.
+
+SKIP: {
+    skip 'MD5 unsupported', 5 if check_md5();
+    my $h = encrypt_md5('hunter2', 'abcdefgh');
+    like($h, qr/^\$1\$abcdefgh\$/, 'encrypt_md5 emits $1$ magic');
+    is(encrypt_md5('hunter2', 'abcdefgh'), $h, 'encrypt_md5 deterministic');
+    isnt(encrypt_md5('hunter3', 'abcdefgh'), $h, 'encrypt_md5 sensitive to password');
+    ok(validate_password('hunter2', $h), 'validate_password matches md5 hash');
+    ok(!validate_password('wrong', $h), 'validate_password rejects wrong md5');
+}
+
+SKIP: {
+    skip 'SHA512 unsupported', 4 if check_sha512();
+    my $h = encrypt_sha512('hunter2', '$6$saltsalt$');
+    like($h, qr/^\$6\$saltsalt\$/, 'encrypt_sha512 emits $6$ magic with given salt');
+    is(encrypt_sha512('hunter2', '$6$saltsalt$'), $h,
+       'encrypt_sha512 deterministic');
+    ok(validate_password('hunter2', $h), 'validate_password matches sha512');
+    ok(!validate_password('wrong', $h), 'validate_password rejects wrong sha512');
+}
+
+SKIP: {
+    skip 'yescrypt unsupported', 3 if check_yescrypt();
+    # yescrypt salts are complex; reuse one generated by encrypt_yescrypt.
+    my $h = encrypt_yescrypt('hunter2');
+    like($h, qr/^\$y\$/, 'encrypt_yescrypt emits $y$ magic');
+    ok(validate_password('hunter2', $h), 'validate_password matches yescrypt');
+    ok(!validate_password('wrong', $h), 'validate_password rejects wrong yescrypt');
+}
+
+SKIP: {
+    skip 'Crypt::Eksblowfish::Bcrypt missing', 4 if check_blowfish();
+    my $h = encrypt_blowfish('hunter2');
+    like($h, qr/^\$2a\$/, 'encrypt_blowfish emits $2a$ magic');
+    is(encrypt_blowfish('hunter2', $h), $h, 'encrypt_blowfish reuses embedded salt');
+    ok(validate_password('hunter2', $h), 'validate_password matches blowfish');
+    ok(!validate_password('wrong', $h), 'validate_password rejects wrong blowfish');
+}
+
+# acl_security_save: contract test of the ACL parser that decides which other
+# users a Webmin admin can manage. Drives the sub through every users_def
+# branch, mode==2 branch, and all yes/no fields.
+{
+    no warnings 'once';
+    local %in = (
+        users_def => 1,
+        mode      => 0,
+        groups    => 1,
+        gassign_def => 1,
+    );
+    my %o;
+    acl_security_save(\%o);
+    is($o{'users'}, '*', 'users_def=1 -> users="*"');
+    is($o{'gassign'}, '*', 'gassign_def=1 -> gassign="*"');
+}
+
+{
+    no warnings 'once';
+    local %in = (
+        users_def => 2,
+        mode      => 0,
+        groups    => 1,
+        gassign_def => 1,
+    );
+    my %o;
+    acl_security_save(\%o);
+    is($o{'users'}, '~', 'users_def=2 -> users="~"');
+}
+
+{
+    no warnings 'once';
+    # users_def=0 with null-separated list (the wire format from <select multiple>)
+    local %in = (
+        users_def => 0,
+        users     => "alice\0bob\0carol",
+        mode      => 2,
+        mods      => "useradmin\0apache",
+        groups    => 0,
+        gassign_def => 0,
+        gassign   => "wheel\0staff",
+    );
+    my %o;
+    acl_security_save(\%o);
+    is($o{'users'}, 'alice bob carol',
+       'users_def=0 -> null-separated list joined with spaces');
+    is($o{'mode'}, 2, 'mode passed through');
+    is($o{'mods'}, 'useradmin apache',
+       'mode=2 -> mods joined from null-separated list');
+    is($o{'gassign'}, 'wheel staff',
+       'gassign_def=0 -> gassign joined from null-separated list');
+    is($o{'groups'}, 0, 'groups passed through');
+}
+
+{
+    no warnings 'once';
+    # mode != 2 must clear mods to undef, so saved ACL doesn't carry stale data.
+    local %in = (
+        users_def => 1,
+        mode      => 1,
+        mods      => "leftover",   # should be ignored
+        groups    => 1,
+        gassign_def => 1,
+    );
+    my %o = (mods => 'previous-value');
+    acl_security_save(\%o);
+    is($o{'mode'}, 1, 'mode=1 passed through');
+    is($o{'mods'}, undef, 'mode!=2 -> mods cleared to undef');
+}
+
+# Yes/no fields: every entry in list_acl_yesno_fields should be copied through
+# from %in to $o. This catches accidental drops of e.g. 'pass' or 'switch'.
+{
+    no warnings 'once';
+    my @fields = list_acl_yesno_fields();
+    ok(scalar(grep { $_ eq 'pass' } @fields),
+       'list_acl_yesno_fields includes pass');
+    ok(scalar(grep { $_ eq 'switch' } @fields),
+       'list_acl_yesno_fields includes switch');
+    ok(scalar(grep { $_ eq 'sql' } @fields),
+       'list_acl_yesno_fields includes sql');
+
+    local %in = (
+        users_def => 1,
+        mode => 0,
+        groups => 1,
+        gassign_def => 1,
+        map { $_ => 1 } @fields,
+    );
+    my %o;
+    acl_security_save(\%o);
+    foreach my $f (@fields) {
+        is($o{$f}, 1, "yes/no field $f copied through");
+    }
+}
+
+# acl_line / group_line: ACL file serializers. Fixed-string contract — the
+# parsers in list_users / list_groups depend on this format.
+is(acl_line({ name => 'alice', modules => [ 'useradmin', 'apache' ] }),
+   "alice: useradmin apache\n",
+   'acl_line emits "name: m1 m2\n"');
+is(acl_line({ name => 'bob', modules => [] }),
+   "bob: \n",
+   'acl_line handles empty module list');
+is(acl_line({ name => 'carol' }),
+   "carol: \n",
+   'acl_line handles missing modules key');
+
+is(group_line({ name => 'wheel',
+                members => [ 'alice', 'bob' ],
+                modules => [ 'useradmin' ],
+                desc => 'Sysadmins',
+                ownmods => [ 'apache' ] }),
+   'wheel:alice bob:useradmin:Sysadmins:apache',
+   'group_line emits colon-separated record');
+is(group_line({ name => 'empty' }),
+   'empty::::',
+   'group_line handles all-empty fields without warnings');
+
+# get_unixauth / save_unixauth: round-trip parsing of the unixauth setting in
+# miniserv.conf. The format mixes "*=user" (default mapping) with "scope=user"
+# (group/user-specific). get_unixauth treats a bare token as "*=token".
+{
+    my %miniserv = (
+        unixauth => 'admin staff=ops _wheel=root',
+    );
+    my @auth = get_unixauth(\%miniserv);
+    is_deeply(\@auth, [ [ '*', 'admin' ],
+                        [ 'staff', 'ops' ],
+                        [ '_wheel', 'root' ] ],
+              'get_unixauth parses mixed scope=user and bare tokens');
+
+    my %m2;
+    save_unixauth(\%m2, \@auth);
+    is($m2{'unixauth'}, 'admin staff=ops _wheel=root',
+       'save_unixauth round-trips through get_unixauth');
+
+    my %empty;
+    is_deeply([ get_unixauth(\%empty) ], [],
+              'get_unixauth on missing key returns empty list');
+}
+
+# join_userdb_string + split_userdb_string: URI for the user/group DB. The
+# split form is the parser; the join form is the serializer. They must agree.
+{
+    my $s = join_userdb_string('mysql', 'webmin', 'secret',
+                               'db.example.com', 'webmindb', {});
+    is($s, 'mysql://webmin:secret@db.example.com/webmindb',
+       'join_userdb_string without args');
+    my ($proto, $user, $pass, $host, $prefix, $args) = split_userdb_string($s);
+    is($proto,  'mysql',           'split proto');
+    is($user,   'webmin',          'split user');
+    is($pass,   'secret',          'split pass');
+    is($host,   'db.example.com',  'split host');
+    is($prefix, 'webmindb',        'split prefix');
+    is_deeply($args, {}, 'split args empty');
+
+    my $s2 = join_userdb_string('ldap', 'cn=admin', 'p',
+                                'ldap.example.com', 'dc=example,dc=com',
+                                { userclass => 'webminUser' });
+    like($s2, qr{\?userclass=webminUser$},
+         'join_userdb_string appends ?key=val for single arg');
+    my (undef, undef, undef, undef, undef, $args2) = split_userdb_string($s2);
+    is_deeply($args2, { userclass => 'webminUser' },
+              'single-arg query string round-trips');
+
+    is(join_userdb_string('', 'u', 'p', 'h', 'pre', {}), '',
+       'join_userdb_string returns empty when proto missing');
+}
+
+# can_edit_user: privilege boundary. Drives %access and $base_remote_user
+# directly and passes a synthetic group list so list_groups isn't called.
+{
+    our (%access, $base_remote_user);
+    my @groups = (
+        { name => 'admins', members => [ 'alice', 'bob' ] },
+        { name => 'ops',    members => [ 'carol' ] },
+    );
+    local $base_remote_user = 'alice';
+
+    local %access = (users => '*');
+    ok(can_edit_user('bob', \@groups),
+       'users="*" allows editing anyone');
+    ok(can_edit_user('nonexistent', \@groups),
+       'users="*" allows editing names not in any group');
+
+    local %access = (users => '~');
+    ok(can_edit_user('alice', \@groups),
+       'users="~" allows editing self');
+    ok(!can_edit_user('bob', \@groups),
+       'users="~" denies editing others');
+
+    local %access = (users => 'dave eve');
+    ok(can_edit_user('dave', \@groups),
+       'named user match allowed');
+    ok(can_edit_user('eve', \@groups),
+       'named user match allowed (second token)');
+    ok(!can_edit_user('mallory', \@groups),
+       'unnamed user denied');
+
+    local %access = (users => '_admins');
+    ok(can_edit_user('alice', \@groups),
+       'group prefix _admins allows editing alice (member)');
+    ok(can_edit_user('bob', \@groups),
+       'group prefix _admins allows editing bob (member)');
+    ok(!can_edit_user('carol', \@groups),
+       'group prefix _admins denies carol (not a member)');
+    ok(!can_edit_user('alice', [ ]),
+       'group prefix with empty group list denies');
+}
+
+# generate_random_session_id / generate_random_id: session ID format.
+# Both should return 32 hex chars (lowercase). Two calls must differ.
+{
+    my $sid1 = generate_random_session_id();
+    my $sid2 = generate_random_session_id();
+    like($sid1, qr/^[0-9a-f]{32}$/,
+         'generate_random_session_id returns 32 lowercase hex chars');
+    like($sid2, qr/^[0-9a-f]{32}$/,
+         'generate_random_session_id second call same format');
+    isnt($sid1, $sid2, 'two generate_random_session_id calls differ');
+
+    SKIP: {
+        skip 'no /dev/urandom', 2 unless -r '/dev/urandom';
+        my $id1 = generate_random_id();
+        my $id2 = generate_random_id();
+        like($id1, qr/^[0-9a-f]{32}$/,
+             'generate_random_id returns 32 lowercase hex chars');
+        isnt($id1, $id2, 'two generate_random_id calls differ');
+    }
+}
+
+# hash_session_id: deterministic, with an in-process cache. Use a local cache
+# hash so test ordering doesn't pollute it.
+{
+    our %hash_session_id_cache;
+    local %hash_session_id_cache;
+    my $sid = '0123456789abcdef0123456789abcdef';
+    my $h1 = hash_session_id($sid);
+    ok(length($h1) > 0, 'hash_session_id returns a non-empty hash');
+    is(hash_session_id($sid), $h1,
+       'hash_session_id is deterministic on repeat call (cache hit)');
+    isnt(hash_session_id('feedfacefeedfacefeedfacefeedface'), $h1,
+         'different session id hashes differently');
+}
+
+# md5_perl_module: should report a usable MD5 class on any system with either
+# MD5 or Digest::MD5 available. On a box with neither it returns undef, so
+# skip in that case rather than fail.
+{
+    my $mod = md5_perl_module();
+    if (defined $mod) {
+        like($mod, qr/^(MD5|Digest::MD5)$/,
+             "md5_perl_module returns a known class ($mod)");
+    } else {
+        SKIP: { skip 'no MD5 perl module installed', 1; }
+    }
+}
+
+# Stage 2: fs-backed lifecycle tests.
+
+# create_user / list_users round-trip. Asserts that a user written via
+# create_user reappears with the same key fields when read back via list_users.
+{
+    _reset_fixture();
+    my $hash = encrypt_md5('secret', 'abcdefgh');
+    my $alice = {
+        name        => 'alice',
+        pass        => $hash,
+        modules     => [ 'useradmin', 'apache' ],
+        lastchange  => 1700000000,
+        email       => 'alice@example.com',
+        real        => 'Alice Example',
+    };
+    create_user($alice);
+    _clear_caches();
+    my @users = list_users();
+    my ($got) = grep { $_->{'name'} eq 'alice' } @users;
+    ok($got, 'create_user then list_users finds alice');
+    is($got->{'pass'},       $hash,                 'password persisted');
+    is($got->{'email'},      'alice@example.com',   'email persisted');
+    is($got->{'lastchange'}, '1700000000',          'lastchange persisted');
+    is_deeply([ sort @{$got->{'modules'} || []} ],
+              [ 'apache', 'useradmin' ],
+              'modules persisted via webmin.acl');
+}
+
+# modify_user: change a field and a module set, then re-read.
+{
+    _reset_fixture();
+    my $alice = {
+        name => 'alice',
+        pass => 'x',
+        modules => [ 'useradmin', 'apache' ],
+        email => 'alice@old.example',
+    };
+    create_user($alice);
+    _clear_caches();
+
+    $alice->{'email'}   = 'alice@new.example';
+    $alice->{'modules'} = [ 'useradmin' ];
+    modify_user('alice', $alice);
+    _clear_caches();
+
+    my ($got) = grep { $_->{'name'} eq 'alice' } list_users();
+    is($got->{'email'}, 'alice@new.example', 'modify_user updated email');
+    is_deeply($got->{'modules'}, [ 'useradmin' ],
+              'modify_user reduced module set');
+}
+
+# modify_user with rename: name change is reflected in users file and ACL.
+{
+    _reset_fixture();
+    create_user({ name => 'alice', pass => 'x',
+                  modules => [ 'useradmin' ] });
+    _clear_caches();
+
+    modify_user('alice', { name => 'alice2', pass => 'x',
+                           modules => [ 'useradmin' ] });
+    _clear_caches();
+
+    my @names = map { $_->{'name'} } list_users();
+    ok((grep { $_ eq 'alice2' } @names),  'rename created alice2');
+    ok(!(grep { $_ eq 'alice'  } @names), 'old alice no longer present');
+}
+
+# delete_user removes the row from miniserv.users and webmin.acl.
+{
+    _reset_fixture();
+    create_user({ name => 'alice', pass => 'x',
+                  modules => [ 'useradmin' ] });
+    create_user({ name => 'bob',   pass => 'y',
+                  modules => [ 'apache' ] });
+    _clear_caches();
+
+    delete_user('alice');
+    _clear_caches();
+
+    my @names = map { $_->{'name'} } list_users();
+    is_deeply([ sort @names ], [ 'bob' ],
+              'delete_user removes alice, leaves bob');
+
+    # webmin.acl should also no longer list alice
+    open(my $afh, '<', $aclfile) or die;
+    my $contents = do { local $/; <$afh> };
+    close($afh);
+    unlike($contents, qr/^alice:/m, 'delete_user removed alice from webmin.acl');
+    like($contents, qr/^bob:/m,      'delete_user left bob in webmin.acl');
+}
+
+# create_user must reject the reserved "webmin" name. error() exits unless
+# error_must_die is set, so flip that just for this block.
+{
+    _reset_fixture();
+    no warnings 'once';
+    local $main::error_must_die = 1;
+    eval { create_user({ name => 'webmin', pass => 'x' }) };
+    ok($@, 'create_user dies on reserved name "webmin"');
+    like($@, qr/Invalid username/, 'reserved-name error mentions "Invalid username"');
+}
+
+# Group lifecycle: create, modify (with rename), delete.
+{
+    _reset_fixture();
+    create_group({ name => 'wheel',
+                   members => [ 'alice', 'bob' ],
+                   modules => [ 'useradmin' ],
+                   desc => 'Sysadmins',
+                   ownmods => [ 'apache' ] });
+    _clear_caches();
+    my ($got) = grep { $_->{'name'} eq 'wheel' } list_groups();
+    ok($got, 'create_group then list_groups finds wheel');
+    is_deeply([ sort @{$got->{'members'}} ], [ 'alice', 'bob' ],
+              'group members persisted');
+    is_deeply($got->{'modules'}, [ 'useradmin' ], 'group modules persisted');
+    is($got->{'desc'}, 'Sysadmins', 'group desc persisted');
+    is_deeply($got->{'ownmods'}, [ 'apache' ], 'group ownmods persisted');
+
+    modify_group('wheel', { name => 'wheel',
+                            members => [ 'alice' ],
+                            modules => [ 'useradmin', 'apache' ],
+                            desc => 'Sysadmins (reduced)' });
+    _clear_caches();
+    ($got) = grep { $_->{'name'} eq 'wheel' } list_groups();
+    is_deeply($got->{'members'}, [ 'alice' ], 'modify_group reduced members');
+    is_deeply([ sort @{$got->{'modules'}} ],
+              [ 'apache', 'useradmin' ],
+              'modify_group expanded modules');
+    is($got->{'desc'}, 'Sysadmins (reduced)', 'modify_group updated desc');
+
+    modify_group('wheel', { name => 'admins',
+                            members => [ 'alice' ],
+                            modules => [],
+                            desc => 'Renamed' });
+    _clear_caches();
+    my @names = map { $_->{'name'} } list_groups();
+    ok((grep { $_ eq 'admins' } @names), 'modify_group renames wheel to admins');
+    ok(!(grep { $_ eq 'wheel' } @names), 'old wheel gone after rename');
+
+    delete_group('admins');
+    _clear_caches();
+    is_deeply([ map { $_->{'name'} } list_groups() ], [],
+              'delete_group removes the only group');
+}
+
+# copy_acl_files (file mode): copy a module ACL file from one name to another.
+{
+    _reset_fixture();
+    my $mdir = "$confdir/useradmin";
+    mkdir($mdir);
+    open(my $fh, '>', "$mdir/source.acl") or die;
+    print $fh "k1=v1\nk2=v2\n";
+    close($fh);
+
+    copy_acl_files('source', 'dest', [ 'useradmin' ]);
+    ok(-r "$mdir/dest.acl", 'copy_acl_files created destination .acl');
+    _clear_caches();
+    my %got;
+    read_file("$mdir/dest.acl", \%got);
+    is_deeply(\%got, { k1 => 'v1', k2 => 'v2' },
+              'copy_acl_files preserved key/value pairs');
+}
+
+# can_module_acl: true when acl_security.pl or config.info exists in the
+# module's dir, false otherwise. Override module_root_directory so we can
+# point at synthetic dirs under $confdir without touching the real tree.
+{
+    my $modroot = "$confdir/can_module_acl_mods";
+    mkdir($modroot);
+    mkdir("$modroot/withacl");
+    _touch("$modroot/withacl/acl_security.pl");
+    mkdir("$modroot/withcfg");
+    _touch("$modroot/withcfg/config.info");
+    mkdir("$modroot/neither");
+
+    no warnings 'redefine';
+    local *module_root_directory = sub {
+        my $d = ref($_[0]) ? $_[0]->{'dir'} : $_[0];
+        return "$modroot/$d";
+    };
+    ok( can_module_acl({ dir => 'withacl' }),
+       'can_module_acl true when acl_security.pl present');
+    ok( can_module_acl({ dir => 'withcfg' }),
+       'can_module_acl true when config.info present');
+    ok(!can_module_acl({ dir => 'neither' }),
+       'can_module_acl false when neither file present');
+}
+
+# get_safe_acl: reads safeacl file in the module dir, parses key=value.
+{
+    my $modroot = "$confdir/get_safe_acl_mods";
+    mkdir($modroot);
+    mkdir("$modroot/safe");
+    open(my $sfh, '>', "$modroot/safe/safeacl") or die;
+    print $sfh "view=1\nedit=0\n";
+    close($sfh);
+    mkdir("$modroot/nosafe");
+    _clear_caches();
+    no warnings 'redefine';
+    local *module_root_directory = sub {
+        my $d = ref($_[0]) ? $_[0]->{'dir'} : $_[0];
+        return "$modroot/$d";
+    };
+    my $r = get_safe_acl('safe');
+    is_deeply($r, { view => '1', edit => '0' },
+              'get_safe_acl parses safeacl key=value');
+    is(get_safe_acl('nosafe'), undef,
+       'get_safe_acl returns undef when safeacl missing');
+}
+
+# encrypt_password salt-shape dispatch: $1$ -> MD5, $6$ -> SHA512, otherwise
+# default. The default branch goes via useradmin if installed; we just verify
+# the $1$ and $6$ branches which are pure.
+{
+    SKIP: {
+        skip 'MD5 unsupported', 1 if check_md5();
+        my $h = encrypt_password('hunter2', '$1$abcdefgh$XYZ');
+        like($h, qr/^\$1\$abcdefgh\$/,
+             'encrypt_password with $1$ salt -> MD5 hash');
+    }
+    SKIP: {
+        skip 'SHA512 unsupported', 1 if check_sha512();
+        my $h = encrypt_password('hunter2', '$6$saltsalt$');
+        like($h, qr/^\$6\$saltsalt\$/,
+             'encrypt_password with $6$ salt -> SHA512 hash');
+    }
+}
+
+# check_password_restrictions: each rule should fire independently and a
+# compliant password should return undef. Drives miniserv.conf flags via
+# put_miniserv_config so the real read path is exercised.
+{
+    _reset_fixture();
+    # Pre-create a user with an old hash for the pass_oldblock branch.
+    my $oldpw = '$1$abcdefgh$old';
+    SKIP: {
+        skip 'MD5 unsupported', 7 if check_md5();
+        my $real_old = encrypt_md5('oldsecret', 'abcdefgh');
+        create_user({ name => 'alice', pass => 'x',
+                      modules => [ 'useradmin' ],
+                      olds => [ $real_old ] });
+    _clear_caches();
+
+        my %miniserv;
+        get_miniserv_config(\%miniserv);
+        $miniserv{'pass_minsize'} = 8;
+        $miniserv{'pass_regexps'} = '[0-9]'."\t".'![Pp]assword';
+        $miniserv{'pass_nouser'}  = 1;
+        $miniserv{'pass_oldblock'} = 5;
+        put_miniserv_config(\%miniserv);
+        # put_miniserv_config doesn't bump mtime in time for the stat cache
+        # in tight tests; force a re-read.
+    _clear_caches();
+
+        ok(check_password_restrictions('alice', 'sh0rt'),
+           'pass_minsize rule rejects short password');
+        ok(check_password_restrictions('alice', 'longenoughbutnodigits'),
+           'pass_regexps positive rule rejects password without digit');
+        ok(check_password_restrictions('alice', 'Password12345'),
+           'pass_regexps negated rule rejects password matching "Password"');
+        ok(check_password_restrictions('alice', 'alice12345!!'),
+           'pass_nouser rule rejects password containing username');
+        ok(check_password_restrictions('alice', 'oldsecret'),
+           'pass_oldblock rejects reuse of an old password');
+
+        is(check_password_restrictions('alice', 'fresh-Pa55-9'),
+           undef,
+           'check_password_restrictions returns undef for a compliant password');
+        is(check_password_restrictions('alice', 'fresh-Pa55-9'),
+           undef, 'compliant password still returns undef on second call');
+    }
+}
+
+# Anonymous access round-trip via miniserv.conf "anonymous=" key.
+{
+    _reset_fixture();
+    setup_anonymous_access('/foo', 'useradmin');
+    _clear_caches();
+
+    my ($user, $idx) = get_anonymous_access('/foo');
+    is($user, 'anonymous', 'setup_anonymous_access created the anonymous user');
+    ok($idx >= 0, 'get_anonymous_access reports a positive index');
+
+    # An "anonymous" user with the module should now exist.
+    _clear_caches();
+    my ($auser) = grep { $_->{'name'} eq 'anonymous' } list_users();
+    ok($auser, 'anonymous user exists after setup');
+    ok(scalar(grep { $_ eq 'useradmin' } @{$auser->{'modules'} || []}),
+       'anonymous user has the requested module');
+
+    remove_anonymous_access('/foo', 'useradmin');
+    _clear_caches();
+    my (undef, $idx2) = get_anonymous_access('/foo');
+    is($idx2, -1, 'remove_anonymous_access dropped the mapping');
+}
+
+# delete_from_groups / get_users_group operate on the group file.
+{
+    _reset_fixture();
+    create_group({ name => 'wheel',
+                   members => [ 'alice', 'bob' ],
+                   modules => [ 'useradmin' ] });
+    create_group({ name => 'ops',
+                   members => [ 'carol' ],
+                   modules => [ 'apache' ] });
+    _clear_caches();
+
+    my $g = get_users_group('bob');
+    is($g && $g->{'name'}, 'wheel', 'get_users_group finds bob in wheel');
+    my $miss = get_users_group('nobody');
+    ok(!defined($miss),
+       'get_users_group returns nothing when user is in no group');
+
+    delete_from_groups('bob');
+    _clear_caches();
+    my ($wheel) = grep { $_->{'name'} eq 'wheel' } list_groups();
+    is_deeply($wheel->{'members'}, [ 'alice' ],
+              'delete_from_groups removes bob from wheel');
+}
+
+# parse_webmin_log: each action should produce a non-empty string. We seed
+# %text with templates that include $1/$2 substitutions so we can assert
+# specific values flowed through. This is the audit-trail rendering path,
+# so we also check that user-supplied object names are HTML-escaped.
+{
+    no warnings 'once';
+    local %text = (
+        log_create      => 'Created user $1',
+        log_create_g    => 'Created group $1',
+        log_modify      => 'Modified user $1',
+        log_modify_g    => 'Modified group $1',
+        log_rename      => 'Renamed user $1 to $2',
+        log_rename_g    => 'Renamed group $1 to $2',
+        log_clone       => 'Cloned $1 to $2',
+        log_clone_g     => 'Cloned group $1 to $2',
+        log_delete      => 'Deleted $1',
+        log_delete_g    => 'Deleted group $1',
+        log_delete_users  => 'Bulk deleted users $1',
+        log_delete_groups => 'Bulk deleted groups $1',
+        log_acl         => 'Edited ACL for $1 in $2',
+        log_reset       => 'Reset ACL for $1 in $2',
+        log_cert        => 'Updated cert for $1',
+        log_switch      => 'Switched to $1',
+        log_twofactor   => '2FA $1 provider=$2 id=$3',
+        log_forgot_users => 'Sent reset for $1 to $2',
+        log_joingroup    => 'User $1 joined $2',
+    );
+
+    like(parse_webmin_log('admin', 's', 'create', 'user', 'alice',
+                          { clone => '' }),
+         qr/Created user.*alice/,    'parse_webmin_log create user');
+    like(parse_webmin_log('admin', 's', 'create', 'group', 'wheel',
+                          { clone => '' }),
+         qr/Created group.*wheel/,   'parse_webmin_log create group');
+    like(parse_webmin_log('admin', 's', 'create', 'user', 'bob',
+                          { clone => 'alice' }),
+         qr/Cloned.*alice.*bob/,     'parse_webmin_log create with clone');
+    like(parse_webmin_log('admin', 's', 'modify', 'user', 'alice',
+                          { old => 'alice', name => 'alice' }),
+         qr/Modified user.*alice/,   'parse_webmin_log modify same-name');
+    like(parse_webmin_log('admin', 's', 'modify', 'user', 'alice2',
+                          { old => 'alice', name => 'alice2' }),
+         qr/Renamed user.*alice.*alice2/,
+         'parse_webmin_log modify rename');
+    like(parse_webmin_log('admin', 's', 'delete', 'user', 'alice', {}),
+         qr/Deleted.*alice/,         'parse_webmin_log delete user');
+    like(parse_webmin_log('admin', 's', 'delete', 'users', 'a b c', {}),
+         qr/Bulk deleted users.*a b c/,
+         'parse_webmin_log delete users (bulk)');
+    like(parse_webmin_log('admin', 's', 'acl', 'user', 'alice',
+                          { moddesc => 'User Admin' }),
+         qr/Edited ACL.*alice.*User Admin/,
+         'parse_webmin_log acl edit');
+    like(parse_webmin_log('admin', 's', 'switch', 'user', 'alice', {}),
+         qr/Switched to.*alice/,    'parse_webmin_log switch');
+
+    # html_escape: every branch that interpolates a user-controlled value into
+    # the rendered audit-trail string must come back escaped. These are
+    # defense-in-depth — usernames are normally restricted to a safe charset,
+    # but the audit log is the wrong place to trust upstream validation.
+    my $payload = '<script>x</script>';
+    my $esc     = qr/&lt;script&gt;/;
+
+    for my $case (
+        [ 'delete user',
+          [ 'admin', 's', 'delete', 'user', $payload, {} ] ],
+        [ 'create with clone (clone source)',
+          [ 'admin', 's', 'create', 'user', 'safe',
+            { clone => $payload } ] ],
+        [ 'create with clone (new name)',
+          [ 'admin', 's', 'create', 'user', $payload,
+            { clone => 'safe' } ] ],
+        [ 'modify rename (old name)',
+          [ 'admin', 's', 'modify', 'user', 'safe',
+            { old => $payload, name => 'safe' } ] ],
+        [ 'modify rename (new name)',
+          [ 'admin', 's', 'modify', 'user', 'safe',
+            { old => 'safe', name => $payload } ] ],
+        [ 'joingroup (object)',
+          [ 'admin', 's', 'joingroup', 'user', $payload,
+            { group => 'wheel' } ] ],
+        [ 'joingroup (group)',
+          [ 'admin', 's', 'joingroup', 'user', 'alice',
+            { group => $payload } ] ],
+        [ 'twofactor (object)',
+          [ 'admin', 's', 'twofactor', 'user', $payload,
+            { provider => 'totp', id => 'k' } ] ],
+        [ 'acl (object)',
+          [ 'admin', 's', 'acl', 'user', $payload,
+            { moddesc => 'User Admin' } ] ],
+        [ 'reset (object)',
+          [ 'admin', 's', 'reset', 'user', $payload,
+            { moddesc => 'User Admin' } ] ],
+        [ 'delete users bulk (object)',
+          [ 'admin', 's', 'delete', 'users', $payload, {} ] ],
+        ) {
+        my ($name, $args) = @$case;
+        my $out = parse_webmin_log(@$args);
+        unlike($out, qr/<script>/,
+               "parse_webmin_log html-escapes $name");
+        like($out, $esc,
+             "parse_webmin_log emits entities for $name");
+    }
+
+    # acl/reset moddesc was already escaped pre-fix; keep the test as a
+    # regression guard.
+    my $xss2 = parse_webmin_log('admin', 's', 'acl', 'user', 'alice',
+                                { moddesc => '<img src=x>' });
+    unlike($xss2, qr/<img/,
+           'parse_webmin_log html-escapes moddesc in acl action');
+    like($xss2, qr/&lt;img/,
+         'parse_webmin_log emits escaped entities for moddesc');
+}
+
+# ---------------------------------------------------------------------------
+# Stage 3: CGI contract tests. Each block sets up `%access` for the caller by
+# writing <confdir>/acl/<user>.acl, seeds whatever miniserv-user state the CGI
+# needs, runs the CGI as a subprocess, and asserts on what the caller sees.
+
+# Harness sanity: a CGI with no privileges should reject any action and
+# print an HTML error (not a redirect). switch.cgi is the smallest victim.
+subtest 'CGI harness smoke' => sub {
+    _reset_fixture();
+    _seed_user_acl('admin', { });  # empty ACL -> nothing allowed
+    my $r = run_cgi('switch.cgi', { user => 'someone' });
+    ok(!$r->{location},
+       'no Location header on error path');
+    like($r->{out}, qr{(?:<html|<body|Error)}i,
+         'error path emits an HTML error page');
+};
+
+# delete_user.cgi — four distinct gates. NOTE: <rootdir>/acl/defaultacl has
+# every flag set to 1, and get_module_acl merges it under the per-user ACL.
+# So each denial test must EXPLICITLY set the relevant key to 0; relying on
+# absence is not enough.
+#   1. access{delete} must be true
+#   2. can_edit_user(target) must be true (gated by access{users})
+#   3. target cannot equal $base_remote_user (self-delete)
+#   4. happy path: removes user, removes from groups, redirects.
+subtest 'delete_user.cgi gating' => sub {
+    # 1. access{delete}=0 -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', delete => 0 });
+    create_user({ name => 'victim', pass => 'x', modules => ['acl'] });
+    my $r = run_cgi('delete_user.cgi', { user => 'victim' });
+    ok(!$r->{location}, 'no redirect when access{delete}=0');
+    like($r->{out}, qr/<html|Error/i,
+         'error page returned when delete privilege missing');
+    ok(get_user('victim'), 'victim still exists after blocked delete');
+    delete_user('victim');
+
+    # 2. can_edit_user=no (users whitelist excludes target) -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => 'someone-else' });
+    create_user({ name => 'victim', pass => 'x', modules => ['acl'] });
+    $r = run_cgi('delete_user.cgi', { user => 'victim' });
+    ok(!$r->{location}, 'no redirect when target not in users whitelist');
+    ok(get_user('victim'),
+       'victim still exists when can_edit_user denies');
+    delete_user('victim');
+
+    # 3. self-delete refused (even with users=* and delete=1)
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+    $r = run_cgi('delete_user.cgi', { user => 'admin' });
+    ok(!$r->{location}, 'no redirect on self-delete');
+    like($r->{out}, qr/<html|Error/i,
+         'error page returned on self-delete attempt');
+    ok(get_user('admin'), 'admin still exists after self-delete attempt');
+    delete_user('admin');
+
+    # 4. happy path: deletes user + removes from groups + redirects
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'admin',  pass => 'x', modules => ['acl'] });
+    create_user({ name => 'victim', pass => 'x', modules => ['acl'] });
+    create_group({ name => 'g1', members => ['victim', 'admin'],
+                   modules => ['acl'] });
+    $r = run_cgi('delete_user.cgi', { user => 'victim' });
+    ok($r->{location}, 'redirect emitted on successful delete')
+        or diag("stdout: $r->{out}\nstderr: $r->{err}");
+    _clear_caches();
+    ok(!get_user('victim'), 'victim removed from users file');
+    my ($g) = grep { $_->{name} eq 'g1' } list_groups();
+    is(scalar(grep { $_ eq 'victim' } @{$g->{members}}), 0,
+       'victim removed from group g1 members')
+        if $g;
+    delete_group('g1') if $g;
+    delete_user('admin');
+};
+
+# save_acl.cgi — gates the per-module ACL editor.
+#   user path: mode controls which modules are editable; mode=2 + mods=<list>
+#              is the principle-of-least-privilege case worth testing.
+#   group path: access{groups} required.
+#   reset path: removes the .acl file (or .gacl).
+subtest 'save_acl.cgi gating' => sub {
+    # Need a target module dir under $rootdir; useradmin is real.
+    # mode=2, mods='useradmin', target _acl_mod='apache' -> denied
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', mode => 2, mods => 'useradmin' });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    my $r = run_cgi('save_acl.cgi', {
+        _acl_user => 'target', _acl_mod => 'apache', noconfig => 1 });
+    ok(!$r->{location}, 'no redirect when target module not in mods whitelist');
+    like($r->{out}, qr/<html|Error/i,
+         'error page returned for out-of-whitelist module');
+    ok(!-e "$confdir/apache/target.acl",
+       'no .acl written for out-of-whitelist module');
+    delete_user('target');
+
+    # access{groups}=0, _acl_group=g1 -> error
+    # defaultacl sets groups=1, so we must override to 0 to deny.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', mode => 0, groups => 0 });
+    create_group({ name => 'g1', members => [], modules => ['acl'] });
+    $r = run_cgi('save_acl.cgi', {
+        _acl_group => 'g1', _acl_mod => 'useradmin', noconfig => 1 });
+    ok(!$r->{location}, 'no redirect on group edit when access{groups}=0');
+    like($r->{out}, qr/<html|Error/i,
+         'error page returned for unauthorized group ACL edit');
+    delete_group('g1');
+
+    # can_edit_user denies -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => 'someone-else', mode => 0 });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    $r = run_cgi('save_acl.cgi', {
+        _acl_user => 'target', _acl_mod => 'useradmin', noconfig => 1 });
+    ok(!$r->{location},
+       'no redirect when can_edit_user denies the target user');
+    delete_user('target');
+
+    # Happy path: write an ACL for a user. mode=0 = all modules allowed.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', mode => 0 });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    mkdir("$confdir/useradmin") unless -d "$confdir/useradmin";
+    $r = run_cgi('save_acl.cgi', {
+        _acl_user => 'target', _acl_mod => 'useradmin', noconfig => 1 });
+    ok($r->{location}, 'redirect emitted on successful ACL save')
+        or diag("stdout: $r->{out}\nstderr: $r->{err}");
+    ok(-e "$confdir/useradmin/target.acl",
+       'per-user .acl file created on happy path')
+        or diag("dir contents: " . join(",", glob("$confdir/useradmin/*")) .
+                "\nstdout: $r->{out}\nstderr: $r->{err}");
+    unlink("$confdir/useradmin/target.acl");
+    delete_user('target');
+
+    # Reset path: writes .acl first, then second call with reset=1 removes it.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', mode => 0 });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    mkdir("$confdir/useradmin") unless -d "$confdir/useradmin";
+    run_cgi('save_acl.cgi', {
+        _acl_user => 'target', _acl_mod => 'useradmin', noconfig => 1 });
+    ok(-e "$confdir/useradmin/target.acl", '.acl exists before reset');
+    $r = run_cgi('save_acl.cgi', {
+        _acl_user => 'target', _acl_mod => 'useradmin', reset => 1 });
+    ok($r->{location}, 'reset path also redirects on success');
+    ok(!-e "$confdir/useradmin/target.acl",
+       '.acl file removed by reset');
+    delete_user('target');
+};
+
+# save_user.cgi — the largest CGI in the module. The security boundaries
+# worth pinning at the contract level are:
+#   - name regex validation (no shell metacharacters, no @prefix)
+#   - the "webmin" reserved-name guard
+#   - access{create} required for new users
+#   - gassign whitelist enforced (cannot assign group user can't manage)
+#   - self-lockout guard: removing the acl module from your own account is
+#     refused (otherwise an admin could lock themselves out and brick the box)
+subtest 'save_user.cgi name validation' => sub {
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+
+    # Bad characters in the username -> error.
+    my $r = run_cgi('save_user.cgi', {
+        name => 'bad name', pass_def => 1, oldpass => 'x', mod => 'acl' });
+    ok(!$r->{location},
+       'no redirect when new username has invalid characters');
+    ok(!get_user('bad name'), 'invalid-name user not created');
+
+    # @-prefix is explicitly forbidden by the regex.
+    $r = run_cgi('save_user.cgi', {
+        name => '@evil', pass_def => 1, oldpass => 'x', mod => 'acl' });
+    ok(!$r->{location}, 'no redirect when name starts with @');
+    ok(!get_user('@evil'), '@-prefix name not created');
+
+    # Reserved name "webmin" is rejected.
+    $r = run_cgi('save_user.cgi', {
+        name => 'webmin', pass_def => 1, oldpass => 'x', mod => 'acl' });
+    ok(!$r->{location}, 'no redirect when name is reserved "webmin"');
+    ok(!get_user('webmin'), 'reserved name "webmin" not created');
+
+    delete_user('admin');
+};
+
+subtest 'save_user.cgi create privilege' => sub {
+    # access{create}=0 -> any create-user attempt is denied.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', create => 0 });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+
+    my $r = run_cgi('save_user.cgi', {
+        name => 'newbie', pass_def => 1, oldpass => 'x', mod => 'acl' });
+    ok(!$r->{location}, 'no redirect when access{create}=0');
+    ok(!get_user('newbie'),
+       'new user is not created when create privilege is missing');
+    delete_user('admin');
+};
+
+subtest 'save_user.cgi gassign whitelist' => sub {
+    # gassign='admins' allows assigning only to group "admins"; trying to
+    # assign to a different group should fail.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', gassign => 'admins' });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+    create_group({ name => 'admins', members => [], modules => ['acl'] });
+    create_group({ name => 'evil',   members => [], modules => ['acl'] });
+
+    my $r = run_cgi('save_user.cgi', {
+        name => 'newbie', pass_def => 1, oldpass => 'x',
+        mod => 'acl', group => 'evil' });
+    ok(!$r->{location}, 'no redirect when group not in gassign whitelist');
+    ok(!get_user('newbie'),
+       'user not created when requested group not allowed by gassign');
+
+    delete_group('admins');
+    delete_group('evil');
+    delete_user('admin');
+};
+
+# forgot_form.cgi and forgot_send.cgi — the admin-side password-reset flow.
+# These are NOT the unauthenticated /forgot.cgi flow; they require an
+# authenticated admin and gate on can_edit_user.
+#   - can_edit_user(target) required
+#   - email format must be syntactically valid (or email_def set)
+subtest 'forgot_form.cgi can_edit_user gate' => sub {
+    _reset_fixture();
+    _seed_user_acl('admin', { users => 'someone-else' });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    my $r = run_cgi('forgot_form.cgi', { user => 'target' });
+    ok(!$r->{location}, 'no redirect when can_edit_user denies');
+    like($r->{out}, qr/<html|Error/i,
+         'error page when caller cannot edit the target user');
+    delete_user('target');
+};
+
+subtest 'forgot_send.cgi gates' => sub {
+    # 1. can_edit_user denies -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => 'someone-else' });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'],
+                  email => 'target@example.com' });
+    my $r = run_cgi('forgot_send.cgi', {
+        user_acc => 'target', user => 'target',
+        email_def => 1 });
+    ok(!$r->{location},
+       'no redirect from forgot_send when can_edit_user denies');
+    # Should NOT have written a forgot-password link file.
+    my @links = glob("$vardir/forgot-password/*");
+    is(scalar(@links), 0,
+       'no forgot-password link written when caller cannot edit target');
+    delete_user('target');
+
+    # 2. Email format invalid -> error.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    $r = run_cgi('forgot_send.cgi', {
+        user_acc => 'target', user => 'target',
+        email => 'not-an-email' });
+    ok(!$r->{location},
+       'no redirect when email argument fails format validation');
+    @links = glob("$vardir/forgot-password/*");
+    is(scalar(@links), 0,
+       'no forgot-password link written when email is invalid');
+    delete_user('target');
+};
+
+# delete_group.cgi — three gates worth pinning:
+#   1. access{groups} required
+#   2. cannot delete a group you yourself are a member of
+#   3. happy path on an empty group: deletes + redirects
+subtest 'delete_group.cgi gating' => sub {
+    # 1. access{groups}=0 -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', groups => 0 });
+    create_group({ name => 'g1', members => [], modules => ['acl'] });
+    my $r = run_cgi('delete_group.cgi', { group => 'g1' });
+    ok(!$r->{location}, 'no redirect when access{groups}=0');
+    my ($g) = grep { $_->{name} eq 'g1' } list_groups();
+    ok($g, 'group still exists after blocked delete');
+    delete_group('g1') if $g;
+
+    # 2. caller is a member of the group -> error
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+    create_group({ name => 'g2', members => ['admin'], modules => ['acl'] });
+    $r = run_cgi('delete_group.cgi', { group => 'g2' });
+    ok(!$r->{location},
+       'no redirect when caller is a member of the group being deleted');
+    _clear_caches();
+    ($g) = grep { $_->{name} eq 'g2' } list_groups();
+    ok($g, 'group still exists when caller is member');
+    delete_group('g2') if $g;
+    delete_user('admin');
+
+    # 3. happy path: empty group, no confirm needed -> delete + redirect
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_group({ name => 'g3', members => [], modules => ['acl'] });
+    $r = run_cgi('delete_group.cgi', { group => 'g3' });
+    ok($r->{location}, 'redirect on successful empty-group delete')
+        or diag("stdout: $r->{out}\nstderr: $r->{err}");
+    _clear_caches();
+    ($g) = grep { $_->{name} eq 'g3' } list_groups();
+    ok(!$g, 'group g3 removed on happy path');
+};
+
+# save_group.cgi — name validation gates mirror save_user.cgi.
+subtest 'save_group.cgi name validation' => sub {
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+
+    # Bad characters.
+    my $r = run_cgi('save_group.cgi', {
+        name => 'bad name', desc => 'd' });
+    ok(!$r->{location}, 'no redirect when new group name has bad characters');
+    my ($g) = grep { $_->{name} eq 'bad name' } list_groups();
+    ok(!$g, 'invalid-name group not created');
+
+    # @-prefix forbidden.
+    $r = run_cgi('save_group.cgi', { name => '@evil', desc => 'd' });
+    ok(!$r->{location}, 'no redirect when group name starts with @');
+    ($g) = grep { $_->{name} eq '@evil' } list_groups();
+    ok(!$g, '@-prefix group not created');
+
+    # Reserved "webmin".
+    $r = run_cgi('save_group.cgi', { name => 'webmin', desc => 'd' });
+    ok(!$r->{location}, 'no redirect when group name is reserved "webmin"');
+    ($g) = grep { $_->{name} eq 'webmin' } list_groups();
+    ok(!$g, 'reserved name "webmin" not created as a group');
+
+    # Colon in desc is the on-disk separator — rejected.
+    $r = run_cgi('save_group.cgi', {
+        name => 'goodname', desc => 'bad:desc' });
+    ok(!$r->{location}, 'no redirect when description contains colon');
+    ($g) = grep { $_->{name} eq 'goodname' } list_groups();
+    ok(!$g, 'group with colon-bearing description not created');
+};
+
+subtest 'save_user.cgi self-lockout guard' => sub {
+    # Editing yourself out of the acl module is refused — otherwise an
+    # admin could lock themselves out of Webmin entirely.
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*' });
+    create_user({ name => 'admin', pass => 'x', modules => ['acl'] });
+
+    my $r = run_cgi('save_user.cgi', {
+        old => 'admin', name => 'admin', pass_def => 1, oldpass => 'x',
+        # mod = (empty) — no modules selected, drops everything including acl
+    });
+    ok(!$r->{location},
+       'no redirect when admin tries to remove acl from own account');
+    my $me = get_user('admin');
+    my %mods = map { $_ => 1 } @{$me->{modules} || []};
+    ok($mods{acl},
+       'admin still has acl module after blocked self-lockout');
+
+    delete_user('admin');
+};
+
+# switch.cgi — access{switch} required AND can_edit_user(target) required.
+# The happy path is harder to assert because it touches the session DB and
+# kills the cookie. We test the gates here and the no-op contract.
+subtest 'switch.cgi gating' => sub {
+    # 1. access{switch}=0 -> error (defaultacl has switch=1, must override)
+    _reset_fixture();
+    _seed_user_acl('admin', { users => '*', switch => 0 });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    my $r = run_cgi('switch.cgi', { user => 'target' });
+    ok(!$r->{location}, 'no redirect when access{switch}=0');
+    like($r->{out}, qr/<html|Error/i,
+         'error page returned when switch privilege missing');
+    delete_user('target');
+
+    # 2. can_edit_user=no (users whitelist) -> error even with switch=1
+    _reset_fixture();
+    _seed_user_acl('admin', { users => 'someone-else' });
+    create_user({ name => 'target', pass => 'x', modules => ['acl'] });
+    $r = run_cgi('switch.cgi', { user => 'target' });
+    ok(!$r->{location},
+       'no redirect when can_edit_user denies (even with switch=1)');
+    delete_user('target');
+};
+
+done_testing();
diff --git a/apache/apache-lib.pl b/apache/apache-lib.pl
index ab7529b2c..01a6aabb5 100755
--- a/apache/apache-lib.pl
+++ b/apache/apache-lib.pl
@@ -436,6 +436,13 @@ foreach $v (@virt) {
 return \@get_config_cache;
 }
 
+# flush_config_cache()
+# Delete all in-memory config caches
+sub flush_config_cache
+{
+undef(@get_config_cache);
+}
+
 # get_config_file(filename, [&seen-files])
 # Returns a list of config hash refs from some file
 sub get_config_file
@@ -788,6 +795,428 @@ unlink($file);
 &delete_webfile_link($file);
 }
 
+# can_manage_vhost_files()
+# Returns 1 if this system uses Debian-style available/enabled site dirs
+sub can_manage_vhost_files
+{
+return 0 if ($gconfig{'os_type'} ne 'debian-linux');
+my $avail = &vhost_available_dir();
+my $enabled = &vhost_enabled_dir();
+return $avail && -d $avail && $enabled && -d $enabled &&
+       &simplify_path(&resolve_links($avail)) ne
+       &simplify_path(&resolve_links($enabled));
+}
+
+# vhost_available_dir()
+# Returns the configured directory of available Apache virtual host files
+sub vhost_available_dir
+{
+return $config{'virt_file'} ? &server_root($config{'virt_file'}) : undef;
+}
+
+# vhost_enabled_dir()
+# Returns the configured directory of enabled Apache virtual host symlinks
+sub vhost_enabled_dir
+{
+return $config{'link_dir'} ? &server_root($config{'link_dir'}) : undef;
+}
+
+# get_vhost_available_files()
+# Returns real config files from the directory used for new virtual hosts
+sub get_vhost_available_files
+{
+my @rv;
+return @rv if (!&can_manage_vhost_files());
+my $avail = &vhost_available_dir();
+opendir(AVAIL, $avail) || return @rv;
+foreach my $f (sort { lc($a) cmp lc($b) } readdir(AVAIL)) {
+	next if ($f eq "." || $f eq "..");
+	my $file = $avail."/".$f;
+	my $rfile = &simplify_path(&resolve_links($file));
+	next if (!$rfile || !-f $rfile || !-r $rfile);
+	push(@rv, $rfile);
+	}
+closedir(AVAIL);
+return &unique(@rv);
+}
+
+# find_virtuals_in_file(file)
+# Returns VirtualHost blocks parsed from one config file
+sub find_virtuals_in_file
+{
+my ($file) = @_;
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return ( ) if (!-r $rfile);
+my @conf = &get_config_file($rfile);
+return grep { $_->{'file'} eq $rfile }
+       &find_directive_struct("VirtualHost", \@conf);
+}
+
+# is_default_vhost(&virt)
+# Returns 1 if a VirtualHost looks like a default/catch-all host
+sub is_default_vhost
+{
+my ($virt) = @_;
+return 1 if (!$virt);
+return 1 if ($virt->{'value'} =~ /_default_/i);
+return 1 if (!&find_directive("ServerName", $virt->{'members'}));
+return 0;
+}
+
+# can_manage_vhost_file(file)
+# Returns 1 if all virtual hosts in a file are manageable by this user
+sub can_manage_vhost_file
+{
+my ($file) = @_;
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return 0 if (!$rfile || !-f $rfile || !-r $rfile);
+my @virts = &find_virtuals_in_file($rfile);
+return 0 if (!@virts);
+foreach my $virt (@virts) {
+	return 0 if (&is_default_vhost($virt));
+	return 0 if (!&can_edit_virt($virt));
+	}
+return 1;
+}
+
+# can_manage_vhost_state_file(file)
+# Returns 1 if a virtual host file can have its enabled state managed here
+sub can_manage_vhost_state_file
+{
+my ($file) = @_;
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return 0 if (!$rfile || !-f $rfile);
+my %available = map { $_, 1 } &get_vhost_available_files();
+return 0 if (!$available{$rfile});
+return &can_manage_vhost_file($rfile);
+}
+
+# get_virtual_list_rows(&config)
+# Returns row hashes for the virtual-host list, preserving sites-available order
+sub get_virtual_list_rows
+{
+my ($conf) = @_;
+my @active = grep { &can_edit_virt($_) }
+	     &find_directive_struct("VirtualHost", $conf);
+if (&can_manage_vhost_files()) {
+	my @rows;
+	my %active_by_file;
+	foreach my $v (@active) {
+		my $file = &simplify_path(&resolve_links($v->{'file'}));
+		$file ||= $v->{'file'};
+		push(@{$active_by_file{$file}}, $v);
+		}
+	my %done_virt;
+	foreach my $file (&get_vhost_available_files()) {
+		my @filevirts = @{$active_by_file{$file} || [ ]};
+		my $active = @filevirts ? 1 : 0;
+		if (!@filevirts) {
+			@filevirts = grep { &can_edit_virt($_) &&
+					     !&is_default_vhost($_) }
+				     &find_virtuals_in_file($file);
+			}
+		foreach my $v (@filevirts) {
+			push(@rows, { 'virt' => $v,
+				      'active' => $active,
+				      'file' => $file });
+			$done_virt{$v}++;
+			}
+		}
+	foreach my $v (@active) {
+		next if ($done_virt{$v});
+		push(@rows, { 'virt' => $v,
+			      'active' => 1,
+			      'file' => $v->{'file'} });
+		}
+	return @rows;
+	}
+return map { { 'virt' => $_, 'active' => 1, 'file' => $_->{'file'} } }
+       @active;
+}
+
+# vhost_file_link(file)
+# Returns the enabled symlink path for a virtual host file
+sub vhost_file_link
+{
+my ($file) = @_;
+return undef if (!&can_manage_vhost_files());
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+my $avail = &vhost_available_dir();
+my $short;
+if (opendir(AVAIL, $avail)) {
+	foreach my $f (sort { lc($a) cmp lc($b) } readdir(AVAIL)) {
+		next if ($f eq "." || $f eq "..");
+		my $afile = $avail."/".$f;
+		my $rafile = &simplify_path(&resolve_links($afile));
+		if ($rafile && $rafile eq $rfile) {
+			$short = $f;
+			last;
+			}
+		}
+	closedir(AVAIL);
+	}
+$short ||= $rfile;
+$short =~ s/^.*\///;
+return &vhost_enabled_dir()."/".$short;
+}
+
+# vhost_file_links(file)
+# Returns enabled symlinks for a virtual host file
+sub vhost_file_links
+{
+my ($file) = @_;
+my @rv;
+return @rv if (!&can_manage_vhost_files());
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+my $enabled = &vhost_enabled_dir();
+opendir(LINKDIR, $enabled) || return @rv;
+foreach my $f (readdir(LINKDIR)) {
+	next if ($f eq "." || $f eq "..");
+	my $link = $enabled."/".$f;
+	next if (!-l $link);
+	my $rlink = &simplify_path(&resolve_links($link));
+	if ($rlink && $rlink eq $rfile) {
+		push(@rv, $link);
+		}
+	}
+closedir(LINKDIR);
+return @rv;
+}
+
+# vhost_file_enabled(file)
+# Returns 1 if a virtual host file has an enabled symlink
+sub vhost_file_enabled
+{
+my ($file) = @_;
+return scalar(&vhost_file_links($file)) ? 1 : 0;
+}
+
+# enable_vhost_file(file)
+# Enables a virtual host file and rolls back if apache configtest fails
+sub enable_vhost_file
+{
+my ($file) = @_;
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return $text{'enable_efile'} if (!&can_manage_vhost_state_file($rfile));
+my $verr = &virtualmin_vhost_file_state_error($rfile, "enable");
+return $verr if ($verr);
+my $link = &vhost_file_link($rfile);
+$link || return $text{'enable_elinkdir'};
+return undef if (&vhost_file_enabled($rfile));
+if (-e $link || -l $link) {
+	return &text('enable_elinkexists', "<tt>".&html_escape($link)."</tt>");
+	}
+&symlink_logged($rfile, $link) ||
+	return &text('enable_elink', "<tt>".&html_escape($link)."</tt>",
+		     "<tt>".&html_escape($!)."</tt>");
+my $err = &test_config();
+if ($err) {
+	&unlink_logged($link);
+	return &text('enable_etest', "<tt>".&html_escape($err)."</tt>");
+	}
+&flush_config_cache();
+&update_last_config_change();
+return undef;
+}
+
+# disable_vhost_file(file)
+# Disables a virtual host file and rolls back if apache configtest fails
+sub disable_vhost_file
+{
+my ($file) = @_;
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return $text{'enable_efile'} if (!&can_manage_vhost_state_file($rfile));
+my $verr = &virtualmin_vhost_file_state_error($rfile, "disable");
+return $verr if ($verr);
+my @links = &vhost_file_links($file);
+return undef if (!@links);
+my @restore = map { [ $_, readlink($_) ] } @links;
+my @removed;
+foreach my $link (@links) {
+	if (!&unlink_logged($link)) {
+		foreach my $r (@removed) {
+			&symlink_logged($r->[1], $r->[0])
+				if (defined($r->[1]) && !-e $r->[0] && !-l $r->[0]);
+			}
+		return &text('enable_eunlink',
+			     "<tt>".&html_escape($link)."</tt>",
+			     "<tt>".&html_escape($!)."</tt>");
+		}
+	my ($restore) = grep { $_->[0] eq $link } @restore;
+	push(@removed, $restore) if ($restore);
+	}
+my $err = &test_config();
+if ($err) {
+	foreach my $r (@restore) {
+		&symlink_logged($r->[1], $r->[0])
+			if (defined($r->[1]) && !-e $r->[0] && !-l $r->[0]);
+		}
+	return &text('enable_etest', "<tt>".&html_escape($err)."</tt>");
+	}
+&flush_config_cache();
+&update_last_config_change();
+return undef;
+}
+
+# virtualmin_available()
+# Returns 1 if Virtualmin is installed and supported on this system
+sub virtualmin_available
+{
+return $main::apache_virtualmin_available
+	if (defined($main::apache_virtualmin_available));
+$main::apache_virtualmin_available = &foreign_check("virtual-server");
+return $main::apache_virtualmin_available;
+}
+
+# virtualmin_domain_by_name(name)
+# Returns a Virtualmin domain object by domain name, if one exists
+sub virtualmin_domain_by_name
+{
+my ($name) = @_;
+return undef if (!&virtualmin_available());
+return $main::apache_virtualmin_domain_by_name_cache{$name}
+	if (exists($main::apache_virtualmin_domain_by_name_cache{$name}));
+&foreign_require("virtual-server");
+my $d = &virtual_server::get_domain_by("dom", $name);
+$main::apache_virtualmin_domain_by_name_cache{$name} = $d;
+return $d;
+}
+
+# virtual_names(&virt)
+# Returns all hostnames from ServerName and ServerAlias directives
+sub virtual_names
+{
+my ($virt) = @_;
+my @rv;
+my $sn = &find_directive("ServerName", $virt->{'members'});
+push(@rv, $sn) if ($sn);
+foreach my $sa (&find_directive_struct("ServerAlias", $virt->{'members'})) {
+	push(@rv, @{$sa->{'words'} || [ ]});
+	if (!@{$sa->{'words'} || [ ]} && $sa->{'value'}) {
+		push(@rv, $sa->{'value'});
+		}
+	}
+return grep { $_ && $_ ne "*" } &unique(@rv);
+}
+
+# virtualmin_domain_for_vhost_file(file)
+# Returns the Virtualmin domain object for a virtual host file, if any
+sub virtualmin_domain_for_vhost_file
+{
+my ($file) = @_;
+return undef if (!&virtualmin_available());
+my $rfile = &simplify_path(&resolve_links($file));
+$rfile ||= $file;
+return $main::apache_virtualmin_domain_for_file_cache{$rfile}
+	if (exists($main::apache_virtualmin_domain_for_file_cache{$rfile}));
+foreach my $virt (&find_virtuals_in_file($file)) {
+	next if (!&can_edit_virt($virt));
+	foreach my $name (&virtual_names($virt)) {
+		my $d = &virtualmin_domain_by_name($name);
+		if (!$d && $name =~ /^www\.(\S+)/i) {
+			$d = &virtualmin_domain_by_name($1);
+			}
+		if ($d) {
+			$main::apache_virtualmin_domain_for_file_cache{$rfile} = $d;
+			return $d;
+			}
+		}
+	}
+$main::apache_virtualmin_domain_for_file_cache{$rfile} = undef;
+return undef;
+}
+
+# vhost_file_state(file)
+# Returns the effective enabled state for a virtual host file
+sub vhost_file_state
+{
+my ($file) = @_;
+my $d = &virtualmin_domain_for_vhost_file($file);
+if ($d) {
+	return { 'enabled' => $d->{'disabled'} ? 0 : 1,
+		 'source' => 'virtualmin',
+		 'domain' => $d };
+	}
+return { 'enabled' => &vhost_file_enabled($file) ? 1 : 0,
+	 'source' => 'apache' };
+}
+
+# vhost_file_toggle_action(file)
+# Returns the action needed to toggle a virtual host file's effective state
+sub vhost_file_toggle_action
+{
+my ($file) = @_;
+return &vhost_file_state($file)->{'enabled'} ? "disable" : "enable";
+}
+
+# virtualmin_domain_state_link(&domain, enabled?)
+# Returns a link to the Virtualmin state change form for some domain
+sub virtualmin_domain_state_link
+{
+my ($d, $enabled) = @_;
+my $page = $enabled ? "disable_domain.cgi" : "enable_domain.cgi";
+my $label = $enabled ? $text{'enable_virtualmin_disable_label'} :
+		       $text{'enable_virtualmin_enable_label'};
+my $url = "../virtual-server/".$page."?dom=".&urlize($d->{'id'});
+return &ui_link(&quote_escape($url), "\"".$label."\"");
+}
+
+# virtualmin_vhost_file_state_error(file, action)
+# Returns an error if a Virtualmin-owned site is being enabled or disabled here
+sub virtualmin_vhost_file_state_error
+{
+my ($file, $action) = @_;
+return undef if ($action ne "enable" && $action ne "disable");
+my $state_info = &vhost_file_state($file);
+return undef if ($state_info->{'source'} ne "virtualmin");
+my $d = $state_info->{'domain'};
+return undef if (!$d);
+my $state = lc($state_info->{'enabled'} ? $text{'index_enabled'} :
+					  $text{'index_disabled'});
+my $dom = "<tt>".&html_escape($d->{'dom'})."</tt>";
+my $link = &virtualmin_domain_state_link($d, $state_info->{'enabled'});
+return $state_info->{'enabled'} ?
+	&text('enable_evirtualmin_disable', $dom, $state, $link) :
+	&text('enable_evirtualmin_enable', $dom, $state, $link);
+}
+
+# delete_virtuals_from_file(file, &virtualhosts...)
+# Deletes VirtualHost blocks from one file and removes the file if empty
+sub delete_virtuals_from_file
+{
+my ($file, @virts) = @_;
+return 0 if (!@virts);
+my $lref = &read_file_lines($file);
+foreach my $virt (sort { $b->{'line'} <=> $a->{'line'} } @virts) {
+	my $len = $virt->{'eline'} - $virt->{'line'} + 1;
+	splice(@$lref, $virt->{'line'}, $len);
+	}
+my $empty = 1;
+foreach my $line (@$lref) {
+	if ($line =~ /\S/) {
+		$empty = 0;
+		last;
+		}
+	}
+&flush_file_lines($file);
+if ($empty) {
+	foreach my $link (&vhost_file_links($file)) {
+		&unlink_logged($link);
+		}
+	&unlink_logged($file);
+	}
+&flush_config_cache();
+&update_last_config_change();
+return scalar(@virts);
+}
+
 # renumber(&config, line, file, offset)
 # Recursively changes the line number of all directives from some file 
 # beyond the given line.
@@ -1544,9 +1973,10 @@ return undef;
 # if necessary.
 sub before_changing
 {
+my @extra = grep { $_ } @_;
 if ($config{'test_always'} || $access{'test_always'}) {
 	local $conf = &get_config();
-	local @files = &unique(map { $_->{'file'} } @$conf);
+	local @files = &unique((map { $_->{'file'} } @$conf), @extra);
 	local $/ = undef;
 	local $f;
 	foreach $f (@files) {
@@ -1969,10 +2399,11 @@ return @rv;
 sub create_webfile_link
 {
 local ($file) = @_;
-if ($config{'link_dir'}) {
+my $linkdir = &vhost_enabled_dir();
+if ($linkdir) {
 	local $short = $file;
 	$short =~ s/^.*\///;
-	local $linksrc = "$config{'link_dir'}/$short";
+	local $linksrc = "$linkdir/$short";
 	&lock_file($linksrc);
 	symlink($file, $linksrc);
 	&unlock_file($linksrc);
@@ -1985,16 +2416,16 @@ if ($config{'link_dir'}) {
 sub delete_webfile_link
 {
 local ($file) = @_;
-if ($config{'link_dir'}) {
-	local $short = $file;
-	$short =~ s/^.*\///;
-	opendir(LINKDIR, $config{'link_dir'});
+$file = &simplify_path(&resolve_links($file));
+my $linkdir = &vhost_enabled_dir();
+if ($linkdir && opendir(LINKDIR, $linkdir)) {
 	foreach my $f (readdir(LINKDIR)) {
-		if ($f ne "." && $f ne ".." &&
-		    (&simplify_path(
-		       &resolve_links($config{'link_dir'}."/".$f)) eq $file ||
-		     $short eq $f)) {
-			&unlink_logged($config{'link_dir'}."/".$f);
+		if ($f ne "." && $f ne "..") {
+			my $link = $linkdir."/".$f;
+			next if (!-l $link);
+			if (&simplify_path(&resolve_links($link)) eq $file) {
+				&unlink_logged($link);
+				}
 			}
 		}
 	closedir(LINKDIR);
diff --git a/apache/delete_vservs.cgi b/apache/delete_vservs.cgi
index c5901f6d5..1fb5ad6e6 100755
--- a/apache/delete_vservs.cgi
+++ b/apache/delete_vservs.cgi
@@ -3,31 +3,107 @@
 
 require './apache-lib.pl';
 &ReadParse();
-&error_setup($text{'delete_err'});
+@d = split(/\0/, $in{'d'});
+$file_action = $in{'toggle'} ? "toggle" : undef;
+&error_setup($file_action ? $text{'enable_err'} : $text{'delete_err'});
 $access{'vaddr'} || &error($text{'delete_ecannot'});
 $conf = &get_config();
-@d = split(/\0/, $in{'d'});
+$can_vhost_files = &can_manage_vhost_files();
 @d || &error($text{'delete_enone'});
 
+if ($file_action) {
+	&can_manage_vhost_files() || &error($text{'enable_elinkdir'});
+	foreach $d (@d) {
+		if ($d =~ /^file\t([^\t]+)/) {
+			$file = $1;
+			}
+		elsif ($d !~ /^file\t/) {
+			($vmembers, $vconf) = &get_virtual_config($d);
+			next if (!$vconf || !&can_edit_virt($vconf));
+			$file = $vconf->{'file'};
+			}
+		else {
+			next;
+			}
+		$rfile = $file ? &simplify_path(&resolve_links($file)) : undef;
+		$files{$rfile}++ if ($rfile && -f $rfile &&
+				      &can_manage_vhost_state_file($rfile));
+		}
+	@files = keys %files;
+	@files || &error($text{'enable_enone'});
+	foreach $file (@files) {
+		$action = &vhost_file_toggle_action($file);
+		$err = &virtualmin_vhost_file_state_error($file, $action);
+		$err && &error($err);
+		$file_actions{$file} = $action;
+		}
+	foreach $file (@files) {
+		$err = $file_actions{$file} eq "enable" ?
+			&enable_vhost_file($file) :
+			&disable_vhost_file($file);
+		$err && &error($err);
+		}
+	&webmin_log($file_action, "vhostfile", scalar(@files));
+	&redirect("");
+	exit;
+	}
+if (!$in{'delete'}) {
+	&error($text{'delete_eaction'});
+	}
+
 # Get them all
 foreach $d (@d) {
+	if ($d =~ /^file\t([^\t]+)\t(\d+)$/) {
+		push(@{$file_lines{$1}}, $2);
+		next;
+		}
+	elsif ($d =~ /^file\t/) {
+		next;
+		}
 	($vmembers, $vconf) = &get_virtual_config($d);
+	$vconf || &error($text{'delete_egone'});
 	&can_edit_virt($vconf) || &error(&text('delete_ecannot2',
 					       &virtual_name($vconf)));
+	$can_vhost_files && &is_default_vhost($vconf) &&
+		&error($text{'delete_edefault'});
 	push(@virts, $vconf);
 	}
+if (%file_lines) {
+	foreach $file (keys %file_lines) {
+		$rfile = &simplify_path(&resolve_links($file));
+		next if (!$rfile || !-f $rfile ||
+			 !&can_manage_vhost_state_file($rfile));
+		@fvirts = &find_virtuals_in_file($rfile);
+		foreach $line (@{$file_lines{$file}}) {
+			($vconf) = grep { $_->{'line'} == $line } @fvirts;
+			$vconf || &error($text{'delete_egone'});
+			&can_edit_virt($vconf) ||
+				&error(&text('delete_ecannot2',
+					     &virtual_name($vconf)));
+			&is_default_vhost($vconf) &&
+				&error($text{'delete_edefault'});
+			push(@{$file_virts{$rfile}}, $vconf);
+			}
+		}
+	}
+@virts || %file_virts || &error($text{'delete_enone'});
 
 # Delete their structures
-&before_changing();
+&before_changing(keys %file_virts);
 foreach $vconf (@virts) {
 	&lock_file($vconf->{'file'});
 	&save_directive_struct($vconf, undef, $conf, $conf);
 	&delete_file_if_empty($vconf->{'file'});
 	}
+foreach $file (keys %file_virts) {
+	&lock_file($file);
+	$deleted += &delete_virtuals_from_file($file, @{$file_virts{$file}});
+	&unlock_file($file);
+	}
 &flush_file_lines();
 &unlock_all_files();
 &update_last_config_change();
 &after_changing();
-&webmin_log("virts", "delete", scalar(@virts));
+$deleted += scalar(@virts);
+&webmin_log("virts", "delete", $deleted);
 &redirect("");
-
diff --git a/apache/index.cgi b/apache/index.cgi
index e5c896e89..f0ccc7efe 100755
--- a/apache/index.cgi
+++ b/apache/index.cgi
@@ -102,6 +102,10 @@ if (&can_edit_virt()) {
 	push(@vproxy, undef);
 	$sn ||= &get_system_hostname();
 	push(@vurl, $defport ? "http://$sn:$defport/" : "http://$sn/");
+	push(@vfile, undef);
+	push(@vstatus, "");
+	push(@vsel, undef);
+	push(@vfilemanage, 0);
 	$showing_default++;
 	}
 
@@ -128,16 +132,23 @@ elsif ($httpd_modules{'core'} >= 1.2) {
 	$ba = &find_directive("ServerName", $conf);
 	$nv{&to_ipaddress($ba ? $ba : &get_system_hostname())}++;
 	}
-@virt = grep { &can_edit_virt($_) } @virt;
+$can_vhost_files = &can_manage_vhost_files();
+@vrows = &get_virtual_list_rows($conf);
 if ($config{'show_order'} == 1) {
 	# sort by server name
-	@virt = sort { &server_name_sort($a) cmp &server_name_sort($b) } @virt;
+	@vrows = sort { &server_name_sort($a->{'virt'}) cmp
+			&server_name_sort($b->{'virt'}) } @vrows;
 	}
 elsif ($config{'show_order'} == 2) {
 	# sort by IP address
-	@virt = sort { &server_ip_sort($a) cmp &server_ip_sort($b) } @virt;
+	@vrows = sort { &server_ip_sort($a->{'virt'}) cmp
+			&server_ip_sort($b->{'virt'}) } @vrows;
 	}
-foreach $v (@virt) {
+@virt = map { $_->{'virt'} } grep { $_->{'active'} } @vrows;
+%available_vhost_file = map { $_, 1 } &get_vhost_available_files()
+	if ($can_vhost_files);
+foreach $r (@vrows) {
+	$v = $r->{'virt'};
 	$vm = $v->{'members'};
 	if ($v->{'words'}->[0] =~ /^\[(\S+)\]:(\d+)$/) {
 		# IPv6 address and port
@@ -163,7 +174,7 @@ foreach $v (@virt) {
 	$idx = &indexof($v, @$conf);
 	push(@vidx, $idx);
 	push(@vname, $text{'index_virt'});
-	push(@vlink, "virt_index.cgi?virt=$idx");
+	push(@vlink, $r->{'active'} ? "virt_index.cgi?virt=$idx" : undef);
 	$sname = &find_directive("ServerName", $vm);
 	local $daddr = $addr eq "_default_" ||
                        ($addr eq "*" && $httpd_modules{'core'} < 1.2);
@@ -225,10 +236,34 @@ foreach $v (@virt) {
 		}
 	$sp = undef if ($sp == 80 && $prot eq "http" ||
 			$sp == 443 && $prot eq "https");
-	push(@vurl, $sp ? "$prot://$sn:$sp/" : "$prot://$sn/");
+	push(@vurl, $r->{'active'} ?
+		    ($sp ? "$prot://$sn:$sp/" : "$prot://$sn/") : undef);
+	local $rfile = $r->{'file'} ? &simplify_path(&resolve_links($r->{'file'}))
+				    : undef;
+	push(@vfile, $rfile);
+	local $status = "";
+	if ($can_vhost_files && $rfile && $available_vhost_file{$rfile}) {
+		local $enabled = &vhost_file_state($rfile)->{'enabled'};
+		$status = $enabled ? $text{'index_enabled'} :
+				     $text{'index_disabled'};
+		}
+	push(@vstatus, $status);
+	local $file_manage = $can_vhost_files && $rfile &&
+			     $available_vhost_file{$rfile} &&
+			     &can_manage_vhost_state_file($rfile);
+	push(@vfilemanage, $file_manage ? 1 : 0);
+	local $sel;
+	if ($r->{'active'} && (!$can_vhost_files || !&is_default_vhost($v))) {
+		$sel = $idx;
+		}
+	elsif (!$r->{'active'} && $can_vhost_files && $rfile &&
+	       $available_vhost_file{$rfile} && $file_manage) {
+		$sel = "file\t".$rfile."\t".$v->{'line'};
+		}
+	push(@vsel, $sel);
 	}
 
-if (@vlink == 1 && !$access{'global'} && $access{'virts'} ne "*" &&
+if (@vlink == 1 && $vlink[0] && !$access{'global'} && $access{'virts'} ne "*" &&
     !$access{'create'} && $access{'noconfig'}) {
 	# Can only manage one vhost, so go direct to it
 	&redirect($vlink[0]);
@@ -297,7 +332,9 @@ if ($access{'global'}) {
 # work out select links
 print &ui_tabs_start_tab("mode", "list");
 #print $text{'index_desclist'},"<p>\n";
-$showdel = $access{'vaddr'} && ($vidx[0] || $vidx[1]);
+$showdel = $access{'vaddr'} &&
+	   grep { defined($_) && $_ ne "" } @vsel;
+$showtoggle = $can_vhost_files && grep { $_ } @vfilemanage;
 @links = ( );
 if ($showdel) {
 	push(@links, &select_all_link("d"),
@@ -326,8 +363,10 @@ if ($config{'max_servers'} && @vname > $config{'max_servers'}) {
 	}
 elsif ($config{'show_list'} && scalar(@vname)) {
 	# as list for people with lots of servers
+	$list_form = "vhosts_form";
 	if ($showdel) {
-		print &ui_form_start("delete_vservs.cgi", "post");
+		print &ui_form_start("delete_vservs.cgi", "post", undef,
+				     "id='$list_form'");
 		}
 	print &ui_links_row(\@links);
 	print &ui_columns_start([
@@ -337,19 +376,23 @@ elsif ($config{'show_list'} && scalar(@vname)) {
 		$text{'index_port'},
 		$text{'index_name'},
 		$text{'index_root'},
+		$can_vhost_files ? ( $text{'index_status'} ) : ( ),
 		$text{'index_url'} ], 100);
 	for($i=0; $i<@vname; $i++) {
 		local @cols;
-		push(@cols, &ui_link($vlink[$i], $vname[$i]) );
+		push(@cols, $vlink[$i] ? &ui_link($vlink[$i], $vname[$i]) :
+					  $vname[$i] );
 		push(@cols, &html_escape($vaddr[$i]));
 		push(@cols, &html_escape($vport[$i]));
 		push(@cols, $vserv[$i] || $text{'index_auto'});
 		push(@cols, &html_escape($vproxy[$i]) ||
 			    &html_escape($vroot[$i]));
-		push(@cols, &ui_link($vurl[$i], $text{'index_view'}) );
-		if ($showdel && $vidx[$i]) {
+		push(@cols, $vstatus[$i]) if ($can_vhost_files);
+		push(@cols, $vurl[$i] ? &ui_link($vurl[$i], $text{'index_view'}) :
+					"" );
+		if ($showdel && defined($vsel[$i]) && $vsel[$i] ne "") {
 			print &ui_checked_columns_row(\@cols, undef,
-						      "d", $vidx[$i]);
+						      "d", $vsel[$i]);
 			}
 		elsif ($showdel) {
 			print &ui_columns_row([ "", @cols ]);
@@ -361,13 +404,23 @@ elsif ($config{'show_list'} && scalar(@vname)) {
 	print &ui_columns_end();
 	print &ui_links_row(\@links);
 	if ($showdel) {
-		print &ui_form_end([ [ "delete", $text{'index_delete'} ] ]);
+		if ($showtoggle) {
+			print &ui_form_end_side_by_side($list_form,
+				[ [ "delete", $text{'index_delete'} ] ],
+				[ [ "toggle", $text{'index_toggle'}, undef,
+				    undef, "form=\"$list_form\"" ] ]);
+			}
+		else {
+			print &ui_form_end([ [ "delete", $text{'index_delete'} ] ]);
+			}
 		}
 	}
 else {
 	# as icons for niceness
+	$list_form = "vhosts_form";
 	if ($showdel) {
-		print &ui_form_start("delete_vservs.cgi", "post");
+		print &ui_form_start("delete_vservs.cgi", "post", undef,
+				     "id='$list_form'");
 		}
 	print &ui_links_row(\@links);
 	print "<table width=100% cellpadding=5>\n";
@@ -376,8 +429,9 @@ else {
 		print '<div class="row icons-row inline-row">';
 		&generate_icon("images/virt.gif", $vname[$i], $vlink[$i],
 			       undef, undef, undef,
-			       $vidx[$i] && $access{'vaddr'} ?
-					&ui_checkbox("d", $vidx[$i]) : "");
+			       defined($vsel[$i]) && $vsel[$i] ne "" &&
+			       $access{'vaddr'} ?
+					&ui_checkbox("d", $vsel[$i]) : "");
 		print "</div>\n";
 		print "</td> <td valign=top>\n";
 		print "$vdesc[$i]<br>\n";
@@ -397,12 +451,24 @@ else {
 			print "<b>$text{'index_root'}</b> ",
 			      &html_escape($vroot[$i]),"</td> </tr>\n";
 			}
+		if ($can_vhost_files && $vstatus[$i]) {
+			print "<tr><td colspan=2><b>$text{'index_status'}</b> ",
+			      $vstatus[$i],"</td></tr>\n";
+			}
 		print "</table></td> </tr>\n";
 		}
 	print "</table>\n";
 	print &ui_links_row(\@links);
 	if ($showdel) {
-		print &ui_form_end([ [ "delete", $text{'index_delete'} ] ]);
+		if ($showtoggle) {
+			print &ui_form_end_side_by_side($list_form,
+				[ [ "delete", $text{'index_delete'} ] ],
+				[ [ "toggle", $text{'index_toggle'}, undef,
+				    undef, "form=\"$list_form\"" ] ]);
+			}
+		else {
+			print &ui_form_end([ [ "delete", $text{'index_delete'} ] ]);
+			}
 		}
 	}
 print &ui_tabs_end_tab();
@@ -492,4 +558,3 @@ return $addr eq '_default_' || $addr eq '*' ? undef :
        $addr =~ /^\[(\S+)\]$/ && &check_ip6address($1) ? $1 :
 			         &to_ipaddress($addr);
 }
-
diff --git a/apache/lang/en b/apache/lang/en
index 466f83f5b..011c32837 100644
--- a/apache/lang/en
+++ b/apache/lang/en
@@ -34,6 +34,9 @@ index_listen=Listen on address (if needed)
 index_port=Port
 index_name=Server Name
 index_root=Document Root
+index_status=State
+index_enabled=Enabled
+index_disabled=Disabled
 index_url=URL
 index_view=Open..
 index_adddir=Allow access to this directory
@@ -57,6 +60,7 @@ index_fmode1=Virtual servers file $1
 index_fmode1d=New file under virtual servers directory $1
 index_fmode2=Selected file..
 index_delete=Delete Selected Servers
+index_toggle=Toggle State
 
 cvirt_ecannot=You are not allowed to create a virtual server
 cvirt_err=Failed to create virtual server
@@ -1032,6 +1036,7 @@ log_stop=Stopped webserver
 log_apply=Applied changes
 log_manual=Manually edited configuration file $1
 log_virts_delete=Deleted $1 virtual servers
+log_toggle_vhostfile=Toggled state of $1 virtual host files
 
 search_title=Find Servers
 search_notfound=No matching virtual servers found
@@ -1148,6 +1153,22 @@ delete_err=Failed to delete virtual servers
 delete_enone=None selected
 delete_ecannot=You are not allowed to delete servers
 delete_ecannot2=You are not allowed to edit the server $1
+delete_eaction=No action was selected
+delete_egone=The selected virtual server no longer exists
+delete_edefault=The default virtual server cannot be deleted
+
+enable_err=Failed to change virtual host file state
+enable_enone=No manageable virtual host files were selected
+enable_efile=Virtual host file does not exist or cannot be managed
+enable_elinkdir=No enabled virtual host links directory is configured
+enable_elink=Failed to create symbolic link $1 : $2
+enable_eunlink=Failed to remove symbolic link $1 : $2
+enable_elinkexists=The symbolic link $1 already exists
+enable_etest=Apache configuration test failed after changing the virtual host file state : $1
+enable_evirtualmin_disable=This Apache virtual host is managed by Virtualmin virtual server $1, which is currently $2. Site disabling should be done in Virtualmin using $3.
+enable_evirtualmin_enable=This Apache virtual host is managed by Virtualmin virtual server $1, which is currently $2. Site enabling should be done in Virtualmin using $3.
+enable_virtualmin_disable_label=Disable and Delete &#x21fe; Disable Virtual Server
+enable_virtualmin_enable_label=Disable and Delete &#x21fe; Enable Virtual Server
 
 syslog_desc=Apache error log
 
diff --git a/apache/t/vhost-files.t b/apache/t/vhost-files.t
new file mode 100644
index 000000000..012c49fe2
--- /dev/null
+++ b/apache/t/vhost-files.t
@@ -0,0 +1,409 @@
+#!/usr/bin/perl
+# Tests for Debian-style Apache sites-available/sites-enabled handling.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Basename qw(dirname);
+use File::Path qw(make_path);
+use File::Spec;
+use File::Temp qw(tempdir);
+use Cwd qw(abs_path);
+
+my $root = abs_path(File::Spec->catdir(dirname(__FILE__), '..', '..'));
+my $tmp = abs_path(tempdir(CLEANUP => 1));
+my $webmin_config = File::Spec->catdir($tmp, 'webmin-config');
+my $webmin_var = File::Spec->catdir($tmp, 'webmin-var');
+my $apache_root = File::Spec->catdir($tmp, 'apache2');
+my $available = File::Spec->catdir($apache_root, 'sites-available');
+my $enabled = File::Spec->catdir($apache_root, 'sites-enabled');
+my $apache_conf = File::Spec->catfile($apache_root, 'apache2.conf');
+
+make_path($webmin_config, $webmin_var, "$webmin_config/apache",
+	  "$webmin_var/apache", $apache_root, $available, $enabled);
+
+sub write_text
+{
+my ($file, $text) = @_;
+open(my $fh, '>', $file) || die "Failed to write $file: $!";
+print $fh $text;
+close($fh) || die "Failed to close $file: $!";
+}
+
+sub read_text
+{
+my ($file) = @_;
+open(my $fh, '<', $file) || die "Failed to read $file: $!";
+local $/ = undef;
+my $text = <$fh>;
+close($fh) || die "Failed to close $file: $!";
+return $text;
+}
+
+sub vhost_conf
+{
+my ($name, $rootdir) = @_;
+my $name_line = defined($name) ? "    ServerName $name\n" : "";
+return "<VirtualHost *:80>\n".
+       $name_line.
+       "    DocumentRoot $rootdir\n".
+       "</VirtualHost>\n";
+}
+
+my $default = File::Spec->catfile($available, '000-default.conf');
+my $alpha = File::Spec->catfile($available, 'alpha.conf');
+my $beta = File::Spec->catfile($available, 'beta.conf');
+my $charlie = File::Spec->catfile($available, 'charlie.conf');
+
+write_text($default, vhost_conf(undef, '/srv/default'));
+write_text($alpha, vhost_conf('alpha.example', '/srv/alpha'));
+write_text($beta, vhost_conf('beta.example', '/srv/beta'));
+write_text($charlie, vhost_conf('charlie.example', '/srv/charlie'));
+write_text($apache_conf,
+	"ServerRoot \"$apache_root\"\n".
+	"Listen 80\n".
+	"IncludeOptional $enabled/*.conf\n");
+
+symlink($default, File::Spec->catfile($enabled, '000-default.conf')) ||
+	die "Failed to symlink default: $!";
+symlink($alpha, File::Spec->catfile($enabled, 'alpha.conf')) ||
+	die "Failed to symlink alpha: $!";
+symlink($charlie, File::Spec->catfile($enabled, 'charlie.conf')) ||
+	die "Failed to symlink charlie: $!";
+
+write_text(File::Spec->catfile($webmin_config, 'config'),
+	"os_type=debian-linux\n".
+	"os_version=12\n".
+	"real_os_type=Debian Linux\n".
+	"real_os_version=12\n");
+write_text(File::Spec->catfile($webmin_config, 'miniserv.conf'),
+	"root=$root\n");
+write_text(File::Spec->catfile($webmin_config, 'apache', 'config'),
+	"httpd_dir=$apache_root\n".
+	"httpd_path=/bin/true\n".
+	"httpd_conf=$apache_conf\n".
+	"apachectl_path=/bin/true\n".
+	"httpd_version=2.4.57\n".
+	"test_apachectl=0\n".
+	"test_config=1\n".
+	"virt_file=$available\n".
+	"link_dir=$enabled\n");
+
+$ENV{'WEBMIN_CONFIG'} = $webmin_config;
+$ENV{'WEBMIN_VAR'} = $webmin_var;
+$ENV{'FOREIGN_MODULE_NAME'} = 'apache';
+$ENV{'FOREIGN_ROOT_DIRECTORY'} = $root;
+$ENV{'REMOTE_USER'} = 'root';
+
+unshift(@INC, $root);
+require File::Spec->catfile($root, 'apache', 'apache-lib.pl');
+
+{
+	no warnings 'once';
+	$main::text{'enable_elinkdir'} = 'No enabled virtual host links directory is configured';
+	$main::text{'enable_efile'} = 'Virtual host file does not exist or cannot be managed';
+	$main::text{'enable_elink'} = 'Failed to create symbolic link $1 : $2';
+	$main::text{'enable_eunlink'} = 'Failed to remove symbolic link $1 : $2';
+	$main::text{'enable_elinkexists'} = 'The symbolic link $1 already exists';
+	$main::text{'enable_etest'} = 'Apache configuration test failed after changing the virtual host file state : $1';
+	$main::text{'enable_evirtualmin_disable'} = 'This Apache virtual host is managed by Virtualmin virtual server $1, which is currently $2. Site disabling should be done in Virtualmin using $3.';
+	$main::text{'enable_evirtualmin_enable'} = 'This Apache virtual host is managed by Virtualmin virtual server $1, which is currently $2. Site enabling should be done in Virtualmin using $3.';
+	$main::text{'enable_virtualmin_disable_label'} = 'Disable and Delete &#x21fe; Disable Virtual Server';
+	$main::text{'enable_virtualmin_enable_label'} = 'Disable and Delete &#x21fe; Enable Virtual Server';
+	$main::text{'index_enabled'} = 'Enabled';
+	$main::text{'index_disabled'} = 'Disabled';
+	$main::text{'eafter'} = 'Apache configuration test failed : $1';
+}
+
+sub apache_config
+{
+main::flush_config_cache();
+my $conf = main::get_config();
+ok($conf, 'test apache config can be parsed');
+return $conf;
+}
+
+sub row_names
+{
+return [ map {
+	scalar(main::find_directive('ServerName', $_->{'virt'}->{'members'})) || ''
+	} @_ ];
+}
+
+sub row_states
+{
+return [ map { $_->{'active'} ? 'enabled' : 'disabled' } @_ ];
+}
+
+subtest 'sites-available files are manageable and ordered' => sub {
+	ok(main::can_manage_vhost_files(),
+	   'sites-available/enabled dirs are manageable');
+	is_deeply(
+		[ main::get_vhost_available_files() ],
+		[ $default, $alpha, $beta, $charlie ],
+		'available files are listed in stable filename order',
+	);
+
+	my @rows = main::get_virtual_list_rows(apache_config());
+	is_deeply(row_names(@rows),
+		  [ '', 'alpha.example', 'beta.example', 'charlie.example' ],
+		  'disabled rows stay in sites-available order');
+	is_deeply(row_states(@rows),
+		  [ 'enabled', 'enabled', 'disabled', 'enabled' ],
+		  'row active state follows sites-enabled symlinks');
+	ok(!main::can_manage_vhost_file($default),
+	   'default virtual host file is not file-state manageable');
+};
+
+subtest 'disable removes only the enabled symlink' => sub {
+	no warnings 'once';
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+	main::restart_last_restart_time();
+	my $old = time() - 10;
+	utime($old, $old, $main::last_restart_time_flag);
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::disable_vhost_file($alpha), undef, 'disable succeeds');
+	}
+	ok(main::needs_config_restart(),
+	   'disable marks config as needing apply');
+
+	ok(-f $alpha, 'disable leaves the sites-available file in place');
+	ok(!-e File::Spec->catfile($enabled, 'alpha.conf'),
+	   'disable removes the sites-enabled symlink');
+
+	my @rows = main::get_virtual_list_rows(apache_config());
+	is_deeply(row_names(@rows),
+		  [ '', 'alpha.example', 'beta.example', 'charlie.example' ],
+		  'disabled row remains in the same list position');
+	is_deeply(row_states(@rows),
+		  [ 'enabled', 'disabled', 'disabled', 'enabled' ],
+		  'disabled row status is updated');
+};
+
+subtest 'enable creates a symlink without touching the source file' => sub {
+	no warnings 'once';
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+	main::restart_last_restart_time();
+	my $old = time() - 10;
+	utime($old, $old, $main::last_restart_time_flag);
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::enable_vhost_file($beta), undef, 'enable succeeds');
+	}
+	ok(main::needs_config_restart(),
+	   'enable marks config as needing apply');
+
+	my $link = File::Spec->catfile($enabled, 'beta.conf');
+	ok(-f $beta, 'enable leaves the sites-available file in place');
+	ok(-l $link, 'enable creates the sites-enabled symlink');
+	is(readlink($link), $beta, 'enabled symlink points to the available file');
+	ok(main::vhost_file_enabled($beta), 'vhost_file_enabled sees the symlink');
+};
+
+subtest 'same-name symlink to another target is not disabled' => sub {
+	my $otherdir = File::Spec->catdir($tmp, 'other-sites');
+	my $other = File::Spec->catfile($otherdir, 'charlie.conf');
+	my $link = File::Spec->catfile($enabled, 'charlie.conf');
+	make_path($otherdir);
+	write_text($other, vhost_conf('other.example', '/srv/other'));
+	unlink($link) || die "Failed to remove charlie link: $!";
+	symlink($other, $link) || die "Failed to symlink other charlie: $!";
+
+	ok(!main::vhost_file_enabled($charlie),
+	   'same-name symlink to another file is not considered enabled');
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::disable_vhost_file($charlie), undef, 'disable is a no-op');
+	}
+	ok(-l $link, 'same-name symlink to another target is preserved');
+	is(readlink($link), $other, 'preserved symlink target is unchanged');
+};
+
+subtest 'disabled default virtual hosts stay hidden' => sub {
+	my $disabled_default = File::Spec->catfile($available,
+						  'zz-disabled-default.conf');
+	write_text($disabled_default, vhost_conf(undef, '/srv/disabled-default'));
+
+	my @rows = main::get_virtual_list_rows(apache_config());
+	ok(!(grep { $_->{'file'} eq $disabled_default } @rows),
+	   'disabled catch-all virtual host file is not listed as a normal vhost');
+};
+
+subtest 'legacy webfile link helpers resolve relative link_dir' => sub {
+	my $relative = File::Spec->catfile($available, 'relative.conf');
+	my $link = File::Spec->catfile($enabled, 'relative.conf');
+	write_text($relative, vhost_conf('relative.example', '/srv/relative'));
+	unlink($link);
+
+	{
+		no warnings 'once';
+		local $main::config{'link_dir'} = 'sites-enabled';
+		main::create_webfile_link($relative);
+		ok(-l $link, 'relative link_dir creates link under ServerRoot');
+		is(readlink($link), $relative,
+		   'created relative link_dir symlink points to the vhost file');
+		main::delete_webfile_link($relative);
+		ok(!-e $link && !-l $link,
+		   'relative link_dir delete removes the enabled symlink');
+	}
+};
+
+subtest 'file-level actions require access to every virtual host in the file' => sub {
+	my $mixed = File::Spec->catfile($available, 'mixed.conf');
+	write_text($mixed,
+		vhost_conf('alpha.example', '/srv/mixed-alpha').
+		vhost_conf('hidden.example', '/srv/mixed-hidden'));
+
+	{
+		no warnings 'once';
+		local $main::access{'virts'} = 'alpha.example:80';
+		ok(!main::can_manage_vhost_file($mixed),
+		   'mixed-access file cannot be managed by a restricted user');
+	}
+	ok(main::can_manage_vhost_file($mixed),
+	   'shared file can be managed when all contained vhosts are allowed');
+};
+
+subtest 'state helpers enforce allowed files and ACLs directly' => sub {
+	my $outside = File::Spec->catfile($tmp, 'outside.conf');
+	write_text($outside, vhost_conf('outside.example', '/srv/outside'));
+	is(main::enable_vhost_file($outside),
+	   'Virtual host file does not exist or cannot be managed',
+	   'enable rejects files outside sites-available');
+
+	my $mixed = File::Spec->catfile($available, 'state-mixed.conf');
+	write_text($mixed,
+		vhost_conf('alpha.example', '/srv/state-alpha').
+		vhost_conf('hidden.example', '/srv/state-hidden'));
+	{
+		no warnings 'once';
+		local $main::access{'virts'} = 'alpha.example:80';
+		is(main::enable_vhost_file($mixed),
+		   'Virtual host file does not exist or cannot be managed',
+		   'enable rejects mixed-access files without relying on caller validation');
+	}
+};
+
+subtest 'change rollback covers extra disabled vhost files' => sub {
+	my $rollback = File::Spec->catfile($available, 'rollback.conf');
+	my $original = vhost_conf('rollback.example', '/srv/rollback');
+	write_text($rollback, $original);
+	my @virts = main::find_virtuals_in_file($rollback);
+	is(scalar(@virts), 1, 'rollback fixture has one vhost');
+
+	{
+		no warnings qw(redefine once);
+		local %main::before_changing;
+		local $main::config{'test_always'} = 1;
+		local *main::test_config = sub { return 'bad config'; };
+		local *main::error = sub { die $_[0]; };
+		main::before_changing($rollback);
+		is(main::delete_virtuals_from_file($rollback, @virts), 1,
+		   'disabled vhost file deletion removes the vhost');
+		ok(!-e $rollback, 'empty disabled vhost file is deleted');
+		like(eval { main::after_changing(); 1 } ? '' : $@,
+		     qr/bad config/, 'failed post-change test reports an error');
+	}
+	ok(-f $rollback, 'rollback recreates the disabled vhost file');
+	is(read_text($rollback), $original,
+	   'rollback restores the disabled vhost file contents');
+};
+
+subtest 'apache configtest failure rolls back link changes' => sub {
+	my $delta = File::Spec->catfile($available, 'delta.conf');
+	my $delta_link = File::Spec->catfile($enabled, 'delta.conf');
+	write_text($delta, vhost_conf('delta.example', '/srv/delta'));
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return 'bad config'; };
+		like(main::enable_vhost_file($delta), qr/bad config/,
+		     'failed enable reports apache configtest output');
+	}
+	ok(!-e $delta_link, 'failed enable removes the new symlink');
+
+	symlink($delta, $delta_link) || die "Failed to symlink delta: $!";
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return 'bad config'; };
+		like(main::disable_vhost_file($delta), qr/bad config/,
+		     'failed disable reports apache configtest output');
+	}
+	ok(-l $delta_link, 'failed disable restores the removed symlink');
+	is(readlink($delta_link), $delta, 'restored symlink target is unchanged');
+};
+
+subtest 'Virtualmin-managed virtual host files cannot be toggled directly' => sub {
+	my $enabled_domain = File::Spec->catfile($available, 'vm-enabled.conf');
+	my $disabled_domain = File::Spec->catfile($available, 'vm-disabled.conf');
+	write_text($enabled_domain,
+		vhost_conf('www.vm-enabled.example', '/srv/vm-enabled'));
+	write_text($disabled_domain,
+		vhost_conf('vm-disabled.example', '/srv/vm-disabled'));
+
+	{
+		no warnings qw(redefine once);
+		local %main::apache_virtualmin_domain_for_file_cache;
+		local %main::apache_virtualmin_domain_by_name_cache;
+		local *main::virtualmin_available = sub { return 1; };
+		local *main::virtualmin_domain_by_name = sub {
+			my ($name) = @_;
+			return $name eq 'vm-enabled.example' ?
+				{ 'dom' => $name, 'id' => '12345',
+				  'disabled' => '' } :
+			       $name eq 'vm-disabled.example' ?
+				{ 'dom' => $name, 'id' => '67890',
+				  'disabled' => 'web' } :
+				undef;
+			};
+
+		my $disable_err =
+			main::virtualmin_vhost_file_state_error($enabled_domain,
+								'disable');
+		my $enabled_state = main::vhost_file_state($enabled_domain);
+		is($enabled_state->{'source'}, 'virtualmin',
+		   'Virtualmin is the effective state source for managed files');
+		ok($enabled_state->{'enabled'},
+		   'Virtualmin enabled domain is reported as enabled');
+		is(main::vhost_file_toggle_action($enabled_domain), 'disable',
+		   'toggle action follows the Virtualmin enabled state');
+		like($disable_err, qr/currently enabled/,
+		     'Virtualmin state is included for enabled domains');
+		like($disable_err, qr/Disable Virtual Server/,
+		     'disabling directs users to Virtualmin disable action');
+		like($disable_err,
+		     qr{virtual-server/disable_domain\.cgi\?dom=12345},
+		     'disabling links to the Virtualmin disable form');
+
+		my $enable_err =
+			main::virtualmin_vhost_file_state_error($disabled_domain,
+								'enable');
+		my $disabled_state = main::vhost_file_state($disabled_domain);
+		is($disabled_state->{'source'}, 'virtualmin',
+		   'Virtualmin remains the state source for disabled domains');
+		ok(!$disabled_state->{'enabled'},
+		   'Virtualmin disabled domain is reported as disabled');
+		is(main::vhost_file_toggle_action($disabled_domain), 'enable',
+		   'toggle action follows the Virtualmin disabled state');
+		like($enable_err, qr/currently disabled/,
+		     'Virtualmin state is included for disabled domains');
+		like($enable_err, qr/Enable Virtual Server/,
+		     'enabling directs users to Virtualmin enable action');
+		like($enable_err,
+		     qr{virtual-server/enable_domain\.cgi\?dom=67890},
+		     'enabling links to the Virtualmin enable form');
+
+		is(main::virtualmin_vhost_file_state_error($alpha, 'disable'),
+		   undef, 'non-Virtualmin virtual host files can still be toggled');
+	}
+};
+
+done_testing();
diff --git a/fastrpc.cgi b/fastrpc.cgi
index ff25ea399..aaa3af7cd 100755
--- a/fastrpc.cgi
+++ b/fastrpc.cgi
@@ -4,11 +4,12 @@
 # client. From then on, direct TCP connections can be made to this port
 # to send requests and get replies.
 
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 &init_config();
 
diff --git a/makedist.pl b/makedist.pl
index 963cc379e..7c2cb2520 100755
--- a/makedist.pl
+++ b/makedist.pl
@@ -111,8 +111,9 @@ if (!$release || !-d "$tardir/$dir") {
 			next if ($f =~ /^\./ || $f =~ /\.git$/ ||
 				 $f =~ /\.(tar|wbm|wbt)\.gz$/ ||
 				 $f eq "README.md" || $f =~ /^makemodule.*\.pl$/ ||
-				 $f eq "linux.sh" || $f eq "freebsd.sh" || 
-				 $f eq "LICENCE" || $f eq "version");
+			 	 $f eq "linux.sh" || $f eq "freebsd.sh" ||
+				 $f eq "LICENCE" || $f eq "version" ||
+				 (-d "$m/$f" && ($f eq "t" || $f eq "xt")));
 			$flist .= " $m/$f";
 			}
 		closedir(DIR);
diff --git a/makemoduledeb.pl b/makemoduledeb.pl
index a80da26de..eb8be1780 100755
--- a/makemoduledeb.pl
+++ b/makemoduledeb.pl
@@ -244,6 +244,7 @@ system("find $usr_dir -name .git | xargs rm -rf");
 system("find $usr_dir -name .github | xargs rm -rf");
 system("find $usr_dir -name RELEASE | xargs rm -rf");
 system("find $usr_dir -name RELEASE.sh | xargs rm -rf");
+system("find $usr_dir -type d \\( -name t -o -name xt \\) | xargs rm -rf");
 if (-r "$usr_dir/$mod/EXCLUDE") {
 	system("cd $usr_dir/$mod && cat EXCLUDE | xargs rm -rf");
 	system("rm -f $usr_dir/$mod/EXCLUDE");
@@ -621,10 +622,10 @@ if ($dsc_file) {
 	$diffmd5 =~ s/\s+.*\n//g;
 	my @diffst = stat($diff_file);
 
-	# Create a tar file of the module directory
+	# Create a tar file of the cleaned staged module directory
 	my $tar_file = $dsc_file;
 	$tar_file =~ s/[^\/]+$//; $tar_file .= "$prefix$mod-$ver.tar.gz";
-	system("cd $par ; tar czf $tar_file $source_mod");
+	system("cd $usr_dir ; tar czf $tar_file $mod");
 	my $md5 = `md5sum $tar_file`;
 	$md5 =~ s/\s+.*\n//g;
 	my @st = stat($tar_file);
diff --git a/makemodulerpm.pl b/makemodulerpm.pl
index 36570f457..69e342f66 100755
--- a/makemodulerpm.pl
+++ b/makemodulerpm.pl
@@ -266,7 +266,7 @@ system("/usr/bin/find /tmp/makemodulerpm -name .git | xargs rm -rf");
 system("/usr/bin/find /tmp/makemodulerpm -name .github | xargs rm -rf");
 system("/usr/bin/find /tmp/makemodulerpm -name RELEASE | xargs rm -rf");
 system("/usr/bin/find /tmp/makemodulerpm -name RELEASE.sh | xargs rm -rf");
-system("/usr/bin/find /tmp/makemodulerpm -name t | xargs rm -rf");
+system("/usr/bin/find /tmp/makemodulerpm -type d \\( -name t -o -name xt \\) | xargs rm -rf");
 if (-r "/tmp/makemodulerpm/$mod/EXCLUDE") {
 	system("cd /tmp/makemodulerpm/$mod && cat EXCLUDE | xargs rm -rf");
 	system("rm -f /tmp/makemodulerpm/$mod/EXCLUDE");
diff --git a/miniserv.pl b/miniserv.pl
index 8b457c4f4..e61f9faf6 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -6779,15 +6779,14 @@ return $newhash eq $hash;
 }
 
 # encrypt_sha512(password, [salt])
-# Hashes a password, possibly with the given salt, with SHA512
+# Hashes a password, possibly with the given salt, with SHA512. The salt
+# arg may be a full $6$salt$hash form (verification) or a bare $6$salt$
+# (fresh hashing) — either way it must be passed to crypt() intact so
+# crypt() selects SHA512. Only synthesise a new salt when none is given.
 sub encrypt_sha512
 {
 my ($passwd, $salt) = @_;
-if ($salt =~ /^\$6\$([^\$]+)/) {
-	# Extract actual salt from already encrypted password
-	$salt = $1;
-	}
-$salt ||= '$6$'.substr(time(), -8).'$';
+$salt = '$6$'.substr(time(), -8).'$' if (!$salt || $salt !~ /^\$6\$/);
 return crypt($passwd, $salt);
 }
 
diff --git a/nftables/nftables-lib.pl b/nftables/nftables-lib.pl
index 7f1ea9c82..f27898fc5 100644
--- a/nftables/nftables-lib.pl
+++ b/nftables/nftables-lib.pl
@@ -1175,7 +1175,8 @@ foreach my $svc (read_etc_service_defs($services_file)) {
 foreach my $svc (setup_quick_service_defs()) {
 	merge_quick_service(\%defs, $svc);
 	}
-return sort { lc($a->{'label'}) cmp lc($b->{'label'}) } values %defs;
+my @sorted = sort { lc($a->{'label'}) cmp lc($b->{'label'}) } values %defs;
+return @sorted;
 }
 
 # service_search_text(&service)
@@ -2543,7 +2544,7 @@ foreach my $service (@services) {
 	my $port = $map->{lc($proto || '')}->{lc($service)};
 	return $port if (defined($port));
 	}
-return undef;
+return;
 }
 
 # read_etc_services([services-file])
@@ -2616,12 +2617,12 @@ return 0;
 sub configured_port_from_address
 {
 my ($value, $default) = @_;
-return undef if (!defined($value) || $value eq '');
+return if (!defined($value) || $value eq '');
 return $1 if ($value =~ /^(\d+)$/);
 return $1 if ($value =~ /^\[[^\]]+\]:(\d+)$/);
 return $1 if ($value =~ /^[^:]+:(\d+)$/);
 return $default if (defined($default) && $value =~ /\S/);
-return undef;
+return;
 }
 
 # address_is_loopback(address)
diff --git a/nginx/acl_security.pl b/nginx/acl_security.pl
index 242409cda..dacdc9eec 100755
--- a/nginx/acl_security.pl
+++ b/nginx/acl_security.pl
@@ -38,6 +38,11 @@ print &ui_table_row($text{'acl_root'},
 print &ui_table_row($text{'acl_global'},
 	&ui_yesno_radio("global", $o->{'global'}));
 
+# Can manually edit configuration files?
+print &ui_table_row($text{'acl_manual'},
+	&ui_yesno_radio("manual",
+		defined($o->{'manual'}) ? $o->{'manual'} : $o->{'global'}));
+
 # Can edit log files?
 print &ui_table_row($text{'acl_logs'},
 	&ui_yesno_radio("logs", $o->{'logs'}));
@@ -59,6 +64,7 @@ $o->{'edit'} = $in{'edit'};
 $o->{'create'} = $in{'create'};
 $o->{'root'} = $in{'root'};
 $o->{'global'} = $in{'global'};
+$o->{'manual'} = $in{'manual'};
 $o->{'logs'} = $in{'logs'};
 $o->{'user'} = $in{'user'};
 $o->{'stop'} = $in{'stop'};
diff --git a/nginx/delete_servers.cgi b/nginx/delete_servers.cgi
index fed1a6ef7..107e884d1 100755
--- a/nginx/delete_servers.cgi
+++ b/nginx/delete_servers.cgi
@@ -6,11 +6,65 @@ use warnings;
 require './nginx-lib.pl';
 our (%text, %in, %config, %access);
 &ReadParse();
-&error_setup($text{'delete_err'});
+my @items = split(/\0/, $in{'d'} || "");
+my $file_action = $in{'toggle'} ? "toggle" :
+		  $in{'enable'} ? "enable" :
+		  $in{'disable'} ? "disable" : undef;
+&error_setup($file_action ? $text{'enable_err'} : $text{'delete_err'});
 $access{'edit'} || &error($text{'server_ecannotedit'});
 
-my @ids = split(/\0/, $in{'d'} || "");
-@ids || &error($text{'delete_enone'});
+if ($file_action) {
+	&can_manage_server_files() || &error($text{'enable_elinkdir'});
+	my %add_to = map { $_, 1 } &get_add_to_files();
+	my %files;
+	foreach my $item (@items) {
+		my $file;
+		if ($item =~ /^file\t([^\t]+)/) {
+			$file = $1;
+			}
+		else {
+			my $server = &find_server($item);
+			next if (!$server || !&can_edit_server($server));
+			$file = $server->{'file'};
+			}
+		my $rfile = $file ? &resolve_links($file) : undef;
+		$files{$rfile}++ if ($rfile && -f $rfile && $add_to{$rfile} &&
+				      &can_manage_server_file($rfile));
+		}
+	my @files = keys %files;
+	@files || &error($text{'enable_enone'});
+	my %file_actions;
+	foreach my $file (@files) {
+		my $action = $file_action eq "toggle" ?
+				&server_file_toggle_action($file) : $file_action;
+		my $err = &virtualmin_server_file_state_error($file, $action);
+		$err && &error($err);
+		$file_actions{$file} = $action;
+		}
+	foreach my $file (@files) {
+		my $err = $file_actions{$file} eq "enable" ?
+				&enable_server_file($file) :
+				&disable_server_file($file);
+		$err && &error($err);
+		}
+	&webmin_log($file_action, "serverfile", scalar(@files));
+	&redirect("");
+	exit;
+	}
+if (!$in{'delete'}) {
+	&error($text{'delete_eaction'});
+	}
+
+my (@ids, %file_lines);
+foreach my $item (@items) {
+	if ($item =~ /^file\t([^\t]+)\t(\d+)$/) {
+		push(@{$file_lines{$1}}, $2);
+		}
+	elsif ($item !~ /^file\t/) {
+		push(@ids, $item);
+		}
+	}
+@ids || %file_lines || &error($text{'delete_enone'});
 
 # Validate the selected server blocks before locking config files.
 foreach my $id (@ids) {
@@ -19,36 +73,54 @@ foreach my $id (@ids) {
 	&can_edit_server($server) || &error($text{'server_ecannot'});
 	&is_default_server_block($server) && &error($text{'delete_edefault'});
 	}
+my %add_to = map { $_, 1 } &get_add_to_files();
+my %file_servers;
+foreach my $file (keys %file_lines) {
+	my $rfile = &resolve_links($file);
+	next if (!$rfile || !-f $rfile || !$add_to{$rfile} ||
+		 !&can_manage_server_file($rfile));
+	my @servers = &find_servers_in_file($rfile);
+	foreach my $line (@{$file_lines{$file}}) {
+		my ($server) = grep { $_->{'line'} == $line } @servers;
+		$server || &error($text{'server_egone'});
+		&can_edit_server($server) || &error($text{'server_ecannot'});
+		&is_default_server_block($server) && &error($text{'delete_edefault'});
+		push(@{$file_servers{$rfile}}, $server);
+		}
+	}
+@ids || %file_servers || &error($text{'delete_enone'});
 
-&lock_all_config_files();
-my $conf = &get_config();
-my $http = &find("http", $conf);
-if (!$http) {
-	&unlock_all_config_files();
-	&error(&text('index_ehttp', "<tt>$config{'nginx_config'}</tt>"));
-	}
 my @servers;
-foreach my $id (@ids) {
-	my $server = &find_server($id);
-	if (!$server) {
+if (@ids) {
+	&lock_all_config_files();
+	my $conf = &get_config();
+	my $http = &find("http", $conf);
+	if (!$http) {
 		&unlock_all_config_files();
-		&error($text{'server_egone'});
+		&error(&text('index_ehttp', "<tt>$config{'nginx_config'}</tt>"));
 		}
-	if (!&can_edit_server($server)) {
-		&unlock_all_config_files();
-		&error($text{'server_ecannot'});
+	foreach my $id (@ids) {
+		my $server = &find_server($id);
+		if (!$server) {
+			&unlock_all_config_files();
+			&error($text{'server_egone'});
+			}
+		if (!&can_edit_server($server)) {
+			&unlock_all_config_files();
+			&error($text{'server_ecannot'});
+			}
+		if (&is_default_server_block($server)) {
+			&unlock_all_config_files();
+			&error($text{'delete_edefault'});
+			}
+		push(@servers, $server);
 		}
-	if (&is_default_server_block($server)) {
-		&unlock_all_config_files();
-		&error($text{'delete_edefault'});
+	foreach my $server (@servers) {
+		&save_directive($http, [ $server ], [ ]);
 		}
-	push(@servers, $server);
+	&flush_config_file_lines();
+	&unlock_all_config_files();
 	}
-foreach my $server (@servers) {
-	&save_directive($http, [ $server ], [ ]);
-	}
-&flush_config_file_lines();
-&unlock_all_config_files();
 foreach my $server (@servers) {
 	&delete_server_link($server);
 	}
@@ -57,5 +129,12 @@ foreach my $server (@servers) {
 	next if ($done_file{$server->{'file'}}++);
 	&delete_server_file_if_empty($server);
 	}
-&webmin_log("delete", "servers", scalar(@servers));
+foreach my $file (keys %file_servers) {
+	&lock_file($file);
+	&delete_servers_from_file($file, @{$file_servers{$file}});
+	&unlock_file($file);
+	}
+my $count = scalar(@servers) +
+	    scalar(map { @$_ } values %file_servers);
+&webmin_log("delete", "servers", $count);
 &redirect("");
diff --git a/nginx/edit_manual.cgi b/nginx/edit_manual.cgi
index 71cbe0678..bbb029ab9 100755
--- a/nginx/edit_manual.cgi
+++ b/nginx/edit_manual.cgi
@@ -6,13 +6,14 @@ use warnings;
 require './nginx-lib.pl';
 &ReadParse();
 our (%text, %in, %access);
-$access{'global'} || &error($text{'index_eglobal'});
+&can_edit_manual_config() || &error($text{'manual_ecannot'});
 
 &ui_print_header(undef, $text{'manual_title'}, "");
 
-my @files = &get_all_config_files();
+my @files = &get_manual_config_files();
 $in{'file'} ||= $files[0];
-&indexof($in{'file'}, @files) >= 0 || &error($text{'manual_efile'});
+$in{'file'} = &resolve_manual_config_file($in{'file'}, @files) ||
+	&error($text{'manual_efile'});
 
 # Show file selector
 print &ui_form_start("edit_manual.cgi");
@@ -38,4 +39,3 @@ print &ui_table_end();
 print &ui_form_end([ [ undef, $text{'save'} ] ]);
 
 &ui_print_footer("", $text{'index_return'});
-
diff --git a/nginx/edit_server.cgi b/nginx/edit_server.cgi
index 8df1bb388..8522f7e2b 100755
--- a/nginx/edit_server.cgi
+++ b/nginx/edit_server.cgi
@@ -28,10 +28,18 @@ if ($in{'id'}) {
 	my @spages = ( $access{'logs'} ? ( "slogs" ) : ( ),
 		       "sdocs", "ssl", "fcgi", "sssi", "sgzip", "sproxy",
 		       "saccess", "srewrite", );
+	my @slinks = map { "edit_".$_.".cgi?id=".&urlize($in{'id'}) } @spages;
+	my @stitles = map { $text{$_."_title"} } @spages;
+	my @sicons = map { "images/".$_.".gif" } @spages;
+	if (&can_edit_manual_config() && &can_edit_manual_file($server->{'file'})) {
+		push(@slinks, "edit_manual.cgi?file=".&urlize($server->{'file'}));
+		push(@stitles, $text{'manual_server'});
+		push(@sicons, "images/manual.gif");
+		}
 	&icons_table(
-		[ map { "edit_".$_.".cgi?id=".&urlize($in{'id'}) } @spages ],
-		[ map { $text{$_."_title"} } @spages ],
-		[ map { "images/".$_.".gif" } @spages ],
+		\@slinks,
+		\@stitles,
+		\@sicons,
 		);
 
 	# Show table for locations
diff --git a/nginx/index.cgi b/nginx/index.cgi
index 58960c305..abe7a4952 100755
--- a/nginx/index.cgi
+++ b/nginx/index.cgi
@@ -48,7 +48,8 @@ print &ui_tabs_start(\@tabs, "mode", $mode, 1);
 if ($access{'global'}) {
 	# Show icons for global config types
 	print &ui_tabs_start_tab("mode", "global");
-	my @gpages = ( "net", "mime", "logs", "docs", "ssi", "misc", "manual" );
+	my @gpages = ( "net", "mime", "logs", "docs", "ssi", "misc",
+		       &can_edit_manual_config() ? ( "manual" ) : ( ) );
 	&icons_table(
 		[ map { "edit_".$_.".cgi" } @gpages ],
 		[ map { $text{$_."_title"} } @gpages ],
@@ -60,21 +61,41 @@ if ($access{'global'}) {
 # Show list of server blocks
 print &ui_tabs_start_tab("mode", "list");
 my @allservers = &find("server", $http);
-my @servers = grep { &can_edit_server($_) } @allservers;
-if (@servers) {
+my $can_files = &can_manage_server_files();
+my @add_to_files = $can_files ? &get_add_to_files() : ( );
+my %add_to_file = map { $_, 1 } @add_to_files;
+my @rows = &get_server_list_rows($http);
+if (@rows) {
 	my $can_delete = $access{'edit'};
+	my $has_proxy;
+	foreach my $r (@rows) {
+		my (undef, $proxy) = &server_root_proxy_state($r->{'server'});
+		$has_proxy ||= $proxy;
+		}
 	my @heads = ( $can_delete ? ( "" ) : ( ),
 		      $text{'index_name'},
 		      $text{'index_ip'},
 		      $text{'index_port'},
-		      $text{'index_root'} );
+		      $text{'index_root'},
+		      $has_proxy ? ( $text{'index_proxytarget'} ) : ( ),
+		      $can_files ? ( $text{'index_status'} ) : ( ),
+		      $text{'index_url'} );
 	my @data;
-	foreach my $s (@servers) {
+	foreach my $r (@rows) {
+		my $s = $r->{'server'};
 		my $name = &find_value("server_name", $s);
 		$name ||= "";
 		my $default = &is_default_server_block($s);
 		my $showname = !$default ?
 			&html_escape($name) : $text{'default_server_block'};
+		my $id = &server_id($s);
+		my $name_sort = ($default ? "0 " : "1 ").
+				lc($default ? $text{'default_server_block'} : $name);
+		my $name_sort_attr = &quote_escape($name_sort);
+		my $shownamelink = $r->{'active'} ?
+			"<a href='edit_server.cgi?id=".
+			  &urlize($id)."'>".$showname."</a>" :
+			$showname;
 
 		# Extract all IPs and ports from listen directives
 		my (@ips, @ports);
@@ -86,43 +107,67 @@ if (@servers) {
 			push(@ports, $port);
 			}
 
-		my $rootdir = &find_value("root", $s);
-		my $root = $rootdir;
-		if (!$root) {
-			my @locs = &find("location", $s);
-			my ($rootloc) = grep { $_->{'value'} eq '/' } @locs;
-			if ($rootloc) {
-				$rootdir = &find_value("root", $rootloc);
-				$root = $rootdir ||
-					"<i>$text{'index_noroot'}</i>";
+		my @cols;
+		my $status = "";
+		if ($can_files) {
+			if ($add_to_file{$r->{'file'}}) {
+				my $enabled =
+					&server_file_state($r->{'file'})->{'enabled'};
+				$status = $enabled ? $text{'index_enabled'} :
+						     $text{'index_disabled'};
 				}
-			else {
-				$root = "<i>$text{'index_norootloc'}</i>";
-				}
-			$rootdir ||= "";
 			}
-		my $id = $name.";".$rootdir;
-		my @cols = (
-			"<a href='edit_server.cgi?id=".&urlize($id)."'>".
-			  $showname."</a>",
+		push(@cols, { 'type' => 'string',
+			      'value' => $shownamelink,
+			      'td' => "data-sort=\"$name_sort_attr\" ".
+				      "data-order=\"$name_sort_attr\"" });
+		push(@cols,
 			join("<br>", @ips),
 			join("<br>", @ports),
-			$root );
-		if ($can_delete && !$default) {
+			&server_root_summary($s) );
+		push(@cols, &server_proxy_summary($s)) if ($has_proxy);
+		push(@cols, $status) if ($can_files);
+		my $url = $r->{'active'} ? &server_url($s) : undef;
+		push(@cols, $url ? &ui_link(&quote_escape($url),
+			$text{'index_view'}, undef,
+			'target="_blank" rel="noopener noreferrer"') : "");
+		if ($can_delete && $r->{'active'} && !$default) {
 			unshift(@cols, { 'type' => 'checkbox',
 					 'name' => 'd',
 					 'value' => $id });
 			}
+		elsif ($can_delete && $can_files && !$r->{'active'} &&
+		       !$default && $add_to_file{$r->{'file'}}) {
+			unshift(@cols, { 'type' => 'checkbox',
+					 'name' => 'd',
+					 'value' => "file\t".$r->{'file'}.
+						    "\t".$s->{'line'} });
+			}
 		elsif ($can_delete) {
 			unshift(@cols, "");
 			}
 		push(@data, \@cols);
 		}
 	if ($can_delete) {
-		print &ui_form_columns_table(
-			"delete_servers.cgi",
-			[ [ "delete", $text{'index_delete'} ] ],
-			1, [ ], [ ], \@heads, 100, \@data);
+		my $list_form = "server_blocks_form";
+		my $has_checkbox = grep {
+			ref($_->[0]) && $_->[0]->{'type'} eq 'checkbox'
+			} @data;
+		my $links = $has_checkbox ?
+			&ui_links_row([ &select_all_link("d", 0),
+					&select_invert_link("d", 0) ]) : "";
+		my @left_buttons = ( [ "delete", $text{'index_delete'} ] );
+		my @right_buttons = $can_files ?
+			( [ "toggle", $text{'index_toggle'}, undef, undef,
+			    "form=\"$list_form\"" ] ) : ( );
+		print &ui_form_start("delete_servers.cgi", "post", undef,
+				     "id='$list_form'");
+		print $links;
+		print &ui_columns_table(\@heads, 100, \@data);
+		print $links;
+		print &ui_form_end_side_by_side($list_form,
+						\@left_buttons,
+						\@right_buttons);
 		}
 	else {
 		print &ui_columns_table(\@heads, 100, \@data);
diff --git a/nginx/lang/en b/nginx/lang/en
index 3e18b44ed..f20bf7fc3 100644
--- a/nginx/lang/en
+++ b/nginx/lang/en
@@ -2,15 +2,22 @@ index_version=Nginx version $1
 index_econfig=The Nginx configuration file $1 was not found on your system. Use the <a href='$2'>module configuration</a> page to enter the correct path.
 index_ecmd=The Nginx command $1 was not found on your system. Use the <a href='$2'>module configuration</a> page to enter the correct path.
 index_ehttp=No <tt>http</tt> section was found in your Nginx config file $1. Maybe it is not setup as a webserver?
-index_name=Server block name
+index_name=Server Block Name
 default_server_block=Default Server
-index_ip=IP addresses
-index_port=Port numbers
-index_root=Root directory
+index_status=State
+index_ip=Address
+index_port=Port
+index_root=Root Directory
+index_proxytarget=Proxy Target
+index_url=URL
+index_view=Open..
+index_toggle=Toggle State
+index_enabled=Enabled
+index_disabled=Disabled
 index_any=Any IPv4 address
 index_any6=Any IPv6 address
-index_noroot=No root location
-index_norootloc=Not a directory
+index_noroot=No root directory
+index_noproxy=No proxy target
 index_none=No server blocks have been created yet.
 index_noneaccess=No server blocks that you have access to have been created yet.
 index_add=Add a new Nginx server block.
@@ -25,6 +32,7 @@ index_stopdesc=Shut down all running Nginx webserver processes.
 index_start=Start Nginx Webserver
 index_startdesc=Start up the Nginx webserver using the current configuration.
 index_restart=Apply Nginx Configuration
+index_apply_changes=Apply Changes
 index_restartdesc=Apply the current configuration by stopping and re-starting the Nginx webserver.
 index_delete=Delete Selected Server Blocks
 index_eglobal=You are not allowed to edit global settings
@@ -143,12 +151,14 @@ opt_essi_types=$1 is not a valid MIME type
 opt_essi_value_length=Maximum parameter length must be a number
 
 manual_title=Edit Configuration Files
+manual_server=Edit Configuration File
 manual_file=Editing configuration file:
 manual_ok=Switch
 manual_efile=Selected file is not part of the Nginx configuration!
 manual_test=Test new configuration before saving?
 manual_elink=Dangling symbolic link!
 manual_err=Failed to save configuration file
+manual_ecannot=You are not allowed to manually edit configuration files!
 
 server_create=Create a New Server Block
 server_edit=Edit Server Block
@@ -200,8 +210,21 @@ server_eclash=A server block with the same name already exists
 server_pp=Proxy to $1
 server_eexist=No Nginx server found
 delete_err=Failed to delete server blocks
+delete_eaction=No action was selected
 delete_enone=No server blocks were selected to delete
 delete_edefault=The default server block cannot be deleted
+enable_err=Failed to change server file state
+enable_enone=No manageable server files were selected
+enable_efile=Server file does not exist or cannot be managed
+enable_elinkdir=No enabled server-block links directory is configured
+enable_elink=Failed to create symbolic link $1 : $2
+enable_eunlink=Failed to remove symbolic link $1 : $2
+enable_elinkexists=The symbolic link $1 already exists
+enable_etest=Nginx configuration test failed after changing the server file state : $1
+enable_evirtualmin_disable=This Nginx server block is managed by Virtualmin virtual server $1, which is currently $2. Site disabling should be done in Virtualmin using $3.
+enable_evirtualmin_enable=This Nginx server block is managed by Virtualmin virtual server $1, which is currently $2. Site enabling should be done in Virtualmin using $3.
+enable_virtualmin_disable_label=Disable and Delete &#x21fe; Disable Virtual Server
+enable_virtualmin_enable_label=Disable and Delete &#x21fe; Enable Virtual Server
 
 slogs_title=Server Block Logging
 slogs_header=Log file options
@@ -334,6 +357,10 @@ log_manual=Manually edited config file $1
 log_create_server=Created server block $1
 log_modify_server=Modified server block $1
 log_delete_server=Deleted server block $1
+log_delete_servers=Deleted $1 server blocks
+log_toggle_serverfile=Toggled state of $1 server block files
+log_enable_serverfile=Enabled $1 server block files
+log_disable_serverfile=Disabled $1 server block files
 log_slogs_server=Changed logging options for $1
 log_ssl_server=Change SSL configuration for $1
 log_sdocs_server=Changed document options for $1
@@ -398,6 +425,7 @@ acl_create=Can create server blocks?
 acl_stop=Can stop and start Nginx?
 acl_root=Allowed directories for locations
 acl_global=Can edit global settings?
+acl_manual=Can manually edit raw configuration files?
 acl_logs=Can configure log files?
 acl_user=Write password files as user
 
diff --git a/nginx/log_parser.pl b/nginx/log_parser.pl
index f78fb98fd..d628a6def 100755
--- a/nginx/log_parser.pl
+++ b/nginx/log_parser.pl
@@ -26,6 +26,12 @@ elsif ($type eq 'server') {
 	return &text('log_'.$action.'_server',
 		     "<tt>".&html_escape($object)."</tt>");
 	}
+elsif ($type eq 'servers') {
+	return &text('log_'.$action.'_servers', $object);
+	}
+elsif ($type eq 'serverfile') {
+	return &text('log_'.$action.'_serverfile', $object);
+	}
 elsif ($type eq 'location') {
 	return &text('log_'.$action.'_location',
 		     "<tt>".&html_escape($object)."</tt>",
@@ -41,4 +47,3 @@ else {
 	}
 return undef;
 }
-
diff --git a/nginx/nginx-lib.pl b/nginx/nginx-lib.pl
index 6b751e3c8..7a7c6d3fe 100644
--- a/nginx/nginx-lib.pl
+++ b/nginx/nginx-lib.pl
@@ -11,8 +11,11 @@ eval "use WebminCore;";
 our %access = &get_module_acl();
 our ($get_config_cache, $get_config_parent_cache, %list_directives_cache,
      @list_modules_cache, @open_config_files);
-our (%config, %text, %in, $module_root_directory);
+our ($last_config_change_flag, $last_restart_time_flag);
+our (%config, %text, %in, $module_root_directory, $module_var_directory);
 &set_nginx_config_defaults();
+$last_config_change_flag = $module_var_directory."/config-flag";
+$last_restart_time_flag = $module_var_directory."/restart-flag";
 
 my @lock_all_config_files_cache;
 
@@ -522,9 +525,11 @@ if ($parent->{'type'}) {
 sub flush_config_file_lines
 {
 my ($parent) = @_;
-foreach my $f (&unique(@open_config_files)) {
+my @files = &unique(@open_config_files);
+foreach my $f (@files) {
 	&flush_file_lines($f);
 	}
+&update_last_config_change() if (@files);
 @open_config_files = ( );
 }
 
@@ -565,6 +570,29 @@ if ($parent->{'type'}) {
 return &unique(@rv);
 }
 
+# get_manual_config_files([&parent])
+# Returns all config files this user can manually edit
+sub get_manual_config_files
+{
+my ($parent) = @_;
+my @files = map { &resolve_links($_) || $_ } &get_all_config_files($parent);
+@files = &unique(@files);
+return @files if (!$access{'vhosts'});
+return grep { &can_edit_manual_file($_) } @files;
+}
+
+# resolve_manual_config_file(file, [files...])
+# Resolves a submitted manual config file path, if it is allowed
+sub resolve_manual_config_file
+{
+my ($file, @files) = @_;
+return undef if (!$file);
+@files = &get_manual_config_files() if (!@files);
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+return &indexof($rfile, @files) >= 0 ? $rfile : undef;
+}
+
 # directive_indent(&directive, &parent, &file-lines)
 # Returns the exact whitespace prefix to use when writing a directive
 sub directive_indent
@@ -1480,7 +1508,11 @@ return $? ? $out : undef;
 sub start_nginx
 {
 my $out = &backquote_logged("$config{'start_cmd'} 2>&1 </dev/null");
-return $? ? $out : undef;
+if ($?) {
+	return $out;
+	}
+&update_last_restart_time();
+return undef;
 }
 
 # apply_nginx()
@@ -1489,7 +1521,11 @@ return $? ? $out : undef;
 sub apply_nginx
 {
 my $out = &backquote_logged("$config{'apply_cmd'} 2>&1 </dev/null");
-return $? ? $out : undef;
+if ($?) {
+	return $out;
+	}
+&update_last_restart_time();
+return undef;
 }
 
 # nginx_action_links()
@@ -1502,7 +1538,11 @@ if (&is_nginx_running()) {
 	if ($access{'stop'}) {
 		push(@rv, &ui_link("stop.cgi?$args", $text{'index_stop'}));
 		}
-	push(@rv, &ui_link("restart.cgi?$args", $text{'index_restart'}));
+	my $needs = &needs_config_restart();
+	my $apply = $text{'index_apply_changes'} || $text{'index_restart'};
+	my $label = $needs ? "<b>$apply</b>" : $apply;
+	my $url = "restart.cgi?$args";
+	push(@rv, &ui_link($url, $label));
 	}
 elsif ($access{'stop'}) {
 	push(@rv, &ui_link("start.cgi?$args", $text{'index_start'}));
@@ -1510,6 +1550,33 @@ elsif ($access{'stop'}) {
 return join("<br>\n", @rv);
 }
 
+# update_last_config_change()
+# Updates the flag file indicating when the config was changed
+sub update_last_config_change
+{
+&open_lock_tempfile(my $fh, ">$last_config_change_flag", 0, 1);
+&close_tempfile($fh);
+}
+
+# update_last_restart_time()
+# Updates the flag file indicating when the config was applied
+sub update_last_restart_time
+{
+&open_lock_tempfile(my $fh, ">$last_restart_time_flag", 0, 1);
+&close_tempfile($fh);
+}
+
+# needs_config_restart()
+# Returns 1 if a restart is needed after a config change
+sub needs_config_restart
+{
+my @cst = stat($last_config_change_flag);
+my @rst = stat($last_restart_time_flag);
+return 0 if (!@cst);
+return 1 if (!@rst);
+return $cst[9] > $rst[9] ? 1 : 0;
+}
+
 # this_url()
 # Returns the current module URL
 sub this_url
@@ -1530,6 +1597,485 @@ my $out = &backquote_logged("$config{'nginx_cmd'} -t 2>&1 </dev/null");
 return $? || $out !~ /syntax\s+is\s+ok/ ? $out : undef;
 }
 
+# can_manage_server_files()
+# Returns 1 if this system uses Debian-style available/enabled site dirs
+sub can_manage_server_files
+{
+return $config{'add_to'} && -d $config{'add_to'} &&
+       $config{'add_link'} && -d $config{'add_link'};
+}
+
+# get_add_to_files()
+# Returns config files from the directory used for new server blocks
+sub get_add_to_files
+{
+my @rv;
+if ($config{'add_to'} && -d $config{'add_to'}) {
+	opendir(ADDTO, $config{'add_to'}) || return @rv;
+	foreach my $f (sort { lc($a) cmp lc($b) } readdir(ADDTO)) {
+		next if ($f eq "." || $f eq "..");
+		my $file = $config{'add_to'}."/".$f;
+		my $rfile = &resolve_links($file);
+		next if (!$rfile || !-f $rfile || !-r $rfile);
+		push(@rv, $rfile);
+		}
+	closedir(ADDTO);
+	}
+return &unique(@rv);
+}
+
+# find_servers_in_file(file)
+# Returns server blocks parsed from one config file
+sub find_servers_in_file
+{
+my ($file) = @_;
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+return ( ) if (!-r $rfile);
+my $conf = &read_config_file($rfile);
+return grep { $_->{'file'} eq $rfile } &find_recursive("server", $conf);
+}
+
+# can_manage_server_file(file)
+# Returns 1 if all server blocks in a file are manageable by this user
+sub can_manage_server_file
+{
+my ($file) = @_;
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+return 0 if (!$rfile || !-f $rfile || !-r $rfile);
+my @servers = &find_servers_in_file($rfile);
+return 0 if (!@servers);
+foreach my $server (@servers) {
+	return 0 if (!&can_edit_server($server));
+	}
+return 1;
+}
+
+# delete_servers_from_file(file, &servers...)
+# Deletes server blocks from one config file and removes the file if empty
+sub delete_servers_from_file
+{
+my ($file, @servers) = @_;
+return 0 if (!@servers);
+my $lref = &read_file_lines($file);
+foreach my $server (sort { $b->{'line'} <=> $a->{'line'} } @servers) {
+	my $len = $server->{'eline'} - $server->{'line'} + 1;
+	splice(@$lref, $server->{'line'}, $len);
+	}
+my $empty = 1;
+foreach my $line (@$lref) {
+	if ($line =~ /\S/) {
+		$empty = 0;
+		last;
+		}
+	}
+&flush_file_lines($file);
+if ($empty) {
+	foreach my $link (&server_file_links($file)) {
+		&unlink_logged($link);
+		}
+	&unlink_logged($file);
+	}
+&update_last_config_change();
+return scalar(@servers);
+}
+
+# get_server_list_rows(&http)
+# Returns row hashes for the server blocks list, preserving sites-available order
+sub get_server_list_rows
+{
+my ($http) = @_;
+my @allservers = &find("server", $http);
+my @servers = grep { &can_edit_server($_) } @allservers;
+my $default_first = sub {
+	return ( grep { &is_default_server_block($_->{'server'}) } @_ ),
+	       ( grep { !&is_default_server_block($_->{'server'}) } @_ );
+	};
+if (&can_manage_server_files()) {
+	my @rows;
+	my %active_by_file;
+	foreach my $s (@servers) {
+		my $file = &resolve_links($s->{'file'});
+		$file ||= $s->{'file'};
+		push(@{$active_by_file{$file}}, $s);
+		}
+	my %done_server;
+	foreach my $file (&get_add_to_files()) {
+		my @fileservers = @{$active_by_file{$file} || [ ]};
+		my $active = @fileservers ? 1 : 0;
+		if (!@fileservers) {
+			@fileservers = grep { &can_edit_server($_) }
+				      &find_servers_in_file($file);
+			}
+		foreach my $s (@fileservers) {
+			push(@rows, { 'server' => $s,
+				      'active' => $active,
+				      'file' => $file });
+			$done_server{$s}++;
+			}
+		}
+	foreach my $s (@servers) {
+		next if ($done_server{$s});
+		push(@rows, { 'server' => $s,
+			      'active' => 1,
+			      'file' => $s->{'file'} });
+		}
+	return &$default_first(@rows);
+	}
+return &$default_first(
+	map { { 'server' => $_, 'active' => 1, 'file' => $_->{'file'} } }
+	@servers);
+}
+
+# server_file_link(file)
+# Returns the enabled symlink path for a server file
+sub server_file_link
+{
+my ($file) = @_;
+return undef if (!&can_manage_server_files());
+my $short = $file;
+$short =~ s/^.*\///;
+return $config{'add_link'}."/".$short;
+}
+
+# server_file_links(file)
+# Returns enabled symlinks for a server file
+sub server_file_links
+{
+my ($file) = @_;
+my @rv;
+return @rv if (!&can_manage_server_files());
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+opendir(LINKDIR, $config{'add_link'}) || return @rv;
+foreach my $f (readdir(LINKDIR)) {
+	next if ($f eq "." || $f eq "..");
+	my $link = $config{'add_link'}."/".$f;
+	next if (!-l $link);
+	my $rlink = &resolve_links($link);
+	if ($rlink && $rlink eq $rfile) {
+		push(@rv, $link);
+		}
+	}
+closedir(LINKDIR);
+return @rv;
+}
+
+# server_file_enabled(file)
+# Returns 1 if a server file has an enabled symlink
+sub server_file_enabled
+{
+my ($file) = @_;
+return scalar(&server_file_links($file)) ? 1 : 0;
+}
+
+# enable_server_file(file)
+# Enables a server file and rolls back if nginx -t fails
+sub enable_server_file
+{
+my ($file) = @_;
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+my $link = &server_file_link($rfile);
+$link || return $text{'enable_elinkdir'};
+return undef if (&server_file_enabled($rfile));
+if (-e $link || -l $link) {
+	return &text('enable_elinkexists', "<tt>".&html_escape($link)."</tt>");
+	}
+&symlink_logged($rfile, $link) ||
+	return &text('enable_elink', "<tt>".&html_escape($link)."</tt>",
+		     "<tt>".&html_escape($!)."</tt>");
+my $err = &test_config();
+if ($err) {
+	&unlink_logged($link);
+	return &text('enable_etest', "<tt>".&html_escape($err)."</tt>");
+	}
+&update_last_config_change();
+return undef;
+}
+
+# disable_server_file(file)
+# Disables a server file and rolls back if nginx -t fails
+sub disable_server_file
+{
+my ($file) = @_;
+my @links = &server_file_links($file);
+return undef if (!@links);
+my @restore = map { [ $_, readlink($_) ] } @links;
+my @removed;
+foreach my $link (@links) {
+	if (!&unlink_logged($link)) {
+		foreach my $r (@removed) {
+			&symlink_logged($r->[1], $r->[0])
+				if (defined($r->[1]) && !-e $r->[0] && !-l $r->[0]);
+			}
+		return &text('enable_eunlink',
+			     "<tt>".&html_escape($link)."</tt>",
+			     "<tt>".&html_escape($!)."</tt>");
+		}
+	my ($restore) = grep { $_->[0] eq $link } @restore;
+	push(@removed, $restore) if ($restore);
+	}
+my $err = &test_config();
+if ($err) {
+	foreach my $r (@restore) {
+		&symlink_logged($r->[1], $r->[0])
+			if (defined($r->[1]) && !-e $r->[0] && !-l $r->[0]);
+		}
+	return &text('enable_etest', "<tt>".&html_escape($err)."</tt>");
+	}
+&update_last_config_change();
+return undef;
+}
+
+# virtualmin_available()
+# Returns 1 if Virtualmin is installed and supported on this system
+sub virtualmin_available
+{
+return $main::nginx_virtualmin_available
+	if (defined($main::nginx_virtualmin_available));
+$main::nginx_virtualmin_available = &foreign_check("virtual-server");
+return $main::nginx_virtualmin_available;
+}
+
+# virtualmin_domain_by_name(name)
+# Returns a Virtualmin domain object by domain name, if one exists
+sub virtualmin_domain_by_name
+{
+my ($name) = @_;
+return undef if (!&virtualmin_available());
+return $main::nginx_virtualmin_domain_by_name_cache{$name}
+	if (exists($main::nginx_virtualmin_domain_by_name_cache{$name}));
+&foreign_require("virtual-server");
+my $d = &virtual_server::get_domain_by("dom", $name);
+$main::nginx_virtualmin_domain_by_name_cache{$name} = $d;
+return $d;
+}
+
+# server_names(&server)
+# Returns all names from server_name directives in a server block
+sub server_names
+{
+my ($server) = @_;
+my @rv;
+foreach my $sn (&find("server_name", $server)) {
+	push(@rv, @{$sn->{'words'} || [ ]});
+	if (!@{$sn->{'words'} || [ ]} && $sn->{'value'}) {
+		push(@rv, $sn->{'value'});
+		}
+	}
+return grep { $_ && $_ ne "_" && $_ ne "-" } &unique(@rv);
+}
+
+# virtualmin_domain_for_server_file(file)
+# Returns the Virtualmin domain object for a server file, if any
+sub virtualmin_domain_for_server_file
+{
+my ($file) = @_;
+return undef if (!&virtualmin_available());
+my $rfile = &resolve_links($file);
+$rfile ||= $file;
+return $main::nginx_virtualmin_domain_for_file_cache{$rfile}
+	if (exists($main::nginx_virtualmin_domain_for_file_cache{$rfile}));
+foreach my $server (&find_servers_in_file($file)) {
+	foreach my $name (&server_names($server)) {
+		my $d = &virtualmin_domain_by_name($name);
+		if ($d) {
+			$main::nginx_virtualmin_domain_for_file_cache{$rfile} = $d;
+			return $d;
+			}
+		}
+	}
+$main::nginx_virtualmin_domain_for_file_cache{$rfile} = undef;
+return undef;
+}
+
+# server_file_state(file)
+# Returns the effective enabled state for a server file
+sub server_file_state
+{
+my ($file) = @_;
+my $d = &virtualmin_domain_for_server_file($file);
+if ($d) {
+	return { 'enabled' => $d->{'disabled'} ? 0 : 1,
+		 'source' => 'virtualmin',
+		 'domain' => $d };
+	}
+return { 'enabled' => &server_file_enabled($file) ? 1 : 0,
+	 'source' => 'nginx' };
+}
+
+# server_file_toggle_action(file)
+# Returns the action needed to toggle a server file's effective state
+sub server_file_toggle_action
+{
+my ($file) = @_;
+return &server_file_state($file)->{'enabled'} ? "disable" : "enable";
+}
+
+# virtualmin_domain_state_link(&domain, enabled?)
+# Returns a link to the Virtualmin state change form for some domain
+sub virtualmin_domain_state_link
+{
+my ($d, $enabled) = @_;
+my $page = $enabled ? "disable_domain.cgi" : "enable_domain.cgi";
+my $label = $enabled ? $text{'enable_virtualmin_disable_label'} :
+		       $text{'enable_virtualmin_enable_label'};
+my $url = "../virtual-server/".$page."?dom=".&urlize($d->{'id'});
+return &ui_link(&quote_escape($url), "\"".$label."\"");
+}
+
+# virtualmin_server_file_state_error(file, action)
+# Returns an error if a Virtualmin-owned site is being enabled or disabled here
+sub virtualmin_server_file_state_error
+{
+my ($file, $action) = @_;
+return undef if ($action ne "enable" && $action ne "disable");
+my $state_info = &server_file_state($file);
+return undef if ($state_info->{'source'} ne "virtualmin");
+my $d = $state_info->{'domain'};
+return undef if (!$d);
+my $state = lc($state_info->{'enabled'} ? $text{'index_enabled'} :
+					  $text{'index_disabled'});
+my $dom = "<tt>".&html_escape($d->{'dom'})."</tt>";
+my $link = &virtualmin_domain_state_link($d, $state_info->{'enabled'});
+return $state_info->{'enabled'} ?
+	&text('enable_evirtualmin_disable', $dom, $state, $link) :
+	&text('enable_evirtualmin_enable', $dom, $state, $link);
+}
+
+# proxy_pass_value(&proxy_pass)
+# Returns the target URL from a proxy_pass directive
+sub proxy_pass_value
+{
+my ($pp) = @_;
+my @w = @{$pp->{'words'}};
+return (@w ? $w[0] : undef) || $pp->{'value'};
+}
+
+# server_proxy_target(&server|&location)
+# Returns the first proxy_pass target under a server or location block
+sub server_proxy_target
+{
+my ($conf) = @_;
+my ($pp) = &find_recursive("proxy_pass", $conf);
+return undef if (!$pp);
+return &proxy_pass_value($pp);
+}
+
+# server_proxy_pairs(&server)
+# Returns location path and proxy_pass target pairs for a server block
+sub server_proxy_pairs
+{
+my ($server) = @_;
+my @rv;
+foreach my $loc (&find("location", $server)) {
+	my $path = &location_path($loc) || "/";
+	foreach my $pp (&find_recursive("proxy_pass", $loc)) {
+		my $target = &proxy_pass_value($pp);
+		push(@rv, [ $path, $target ])
+			if (defined($target) && $target ne "");
+		}
+	}
+foreach my $pp (&find("proxy_pass", $server)) {
+	my $target = &proxy_pass_value($pp);
+	push(@rv, [ "/", $target ])
+		if (defined($target) && $target ne "");
+	}
+return @rv;
+}
+
+# server_root_summary(&server)
+# Returns the root directory for a server block, or a missing-root message
+sub server_root_summary
+{
+my ($server) = @_;
+my $root = &server_root_value($server);
+return defined($root) && $root ne "" ? &html_escape($root) :
+	"<i>$text{'index_noroot'}</i>";
+}
+
+# server_root_value(&server)
+# Returns the configured root directory for a server block
+sub server_root_value
+{
+my ($server) = @_;
+my $root = &find_value("root", $server);
+return $root if ($root);
+
+my @locs = &find("location", $server);
+my ($rootloc) = grep { &location_path($_) eq '/' } @locs;
+if ($rootloc) {
+	$root = &find_value("root", $rootloc);
+	return $root if ($root);
+	}
+return undef;
+}
+
+# server_proxy_summary(&server)
+# Returns the most relevant proxy target for a server block
+sub server_proxy_summary
+{
+my ($server) = @_;
+my @pairs = &server_proxy_pairs($server);
+return "<i>$text{'index_noproxy'}</i>" if (!@pairs);
+return join("<br>", map {
+	&html_escape($_->[0])." &#x21fe; ".&html_escape($_->[1])
+	} @pairs);
+}
+
+# server_root_proxy_summary(&server)
+# Returns the root directory or most relevant proxy target for a server block
+sub server_root_proxy_summary
+{
+my ($server) = @_;
+my $root = &server_root_value($server);
+return &html_escape($root) if (defined($root) && $root ne "");
+my $pp = &server_proxy_target($server);
+return &text('server_pp', "<tt>".&html_escape($pp)."</tt>")
+	if ($pp);
+return &server_root_summary($server);
+}
+
+# server_root_proxy_state(&server)
+# Returns booleans for whether a server has root and proxy_pass directives
+sub server_root_proxy_state
+{
+my ($server) = @_;
+my $has_root = &find_recursive("root", $server) ? 1 : 0;
+my $has_proxy = &server_proxy_target($server) ? 1 : 0;
+return ($has_root, $has_proxy);
+}
+
+# server_url(&server)
+# Returns the browser URL for a server block
+sub server_url
+{
+my ($server) = @_;
+my $name = &find_value("server_name", $server);
+return undef if (&is_default_server_block($server));
+return undef if (!$name || $name !~ /^[A-Za-z0-9.-]+$/);
+
+my ($best_scheme, $best_port);
+foreach my $l (&find("listen", $server)) {
+	my @w = @{$l->{'words'}};
+	my $addr = shift(@w);
+	next if (!$addr);
+	my (undef, $port) = &split_ip_port($addr);
+	my $ssl = grep { $_ eq "ssl" } @w;
+	my $scheme = $ssl || $port == 443 ? "https" : "http";
+	if (!$best_scheme || $scheme eq "https") {
+		($best_scheme, $best_port) = ($scheme, $port);
+		}
+	}
+$best_scheme ||= "http";
+$best_port ||= $best_scheme eq "https" ? 443 : 80;
+$best_port = undef if ($best_scheme eq "http" && $best_port == 80 ||
+		       $best_scheme eq "https" && $best_port == 443);
+return $best_scheme."://".$name.($best_port ? ":".$best_port : "")."/";
+}
+
 # find_server(id)
 # Convenience function to find an HTTP server object with some ID
 sub find_server
@@ -1677,7 +2223,8 @@ if ($config{'add_link'}) {
 	my $link = $server->{'file'};
 	$link =~ s/^.*\///;
 	$link = $config{'add_link'}."/".$link;
-	&symlink_logged($server->{'file'}, $link);
+	&update_last_config_change()
+		if (&symlink_logged($server->{'file'}, $link));
 	}
 }
 
@@ -1689,6 +2236,7 @@ sub delete_server_link
 my ($server) = @_;
 if ($config{'add_link'}) {
 	my $file = $server->{'file'};
+	my $changed;
         my $short = $file;
         $short =~ s/^.*\///;
         opendir(LINKDIR, $config{'add_link'});
@@ -1696,10 +2244,11 @@ if ($config{'add_link'}) {
                 if ($f ne "." && $f ne ".." &&
                     (&resolve_links($config{'add_link'}."/".$f) eq $file ||
                      $short eq $f)) {
-                        &unlink_logged($config{'add_link'}."/".$f);
+                        $changed++ if (&unlink_logged($config{'add_link'}."/".$f));
                         }
                 }
         closedir(LINKDIR);
+	&update_last_config_change() if ($changed);
         }
 }
 
@@ -1714,7 +2263,8 @@ foreach my $l (@$lref) {
 	$count++ if ($l =~ /\S/);
 	}
 if (!$count) {
-	&unlink_logged($server->{'file'});
+	&update_last_config_change()
+		if (&unlink_logged($server->{'file'}));
 	}
 }
 
@@ -1775,6 +2325,22 @@ return 0 if (!$name);
 return &indexoflc($name, split(/\s+/, $access{'vhosts'})) >= 0;
 }
 
+# can_edit_manual_config()
+# Returns 1 if the user can manually edit raw configuration files
+sub can_edit_manual_config
+{
+return defined($access{'manual'}) ? $access{'manual'} : $access{'global'};
+}
+
+# can_edit_manual_file(file)
+# Returns 1 if the user can manually edit some raw configuration file
+sub can_edit_manual_file
+{
+my ($file) = @_;
+return 1 if (!$access{'vhosts'});
+return &can_manage_server_file($file);
+}
+
 # can_directory(dir)
 # Check if some directory is under one of the allowed roots
 sub can_directory
diff --git a/nginx/save_manual.cgi b/nginx/save_manual.cgi
index 741efb5c5..61ea1aba0 100755
--- a/nginx/save_manual.cgi
+++ b/nginx/save_manual.cgi
@@ -7,16 +7,11 @@ require './nginx-lib.pl';
 &ReadParseMime();
 our (%text, %in, %access);
 &error_setup($text{'manual_err'});
-$access{'global'} || &error($text{'index_eglobal'});
+&can_edit_manual_config() || &error($text{'manual_ecannot'});
 
-my @files = &get_all_config_files();
-&indexof($in{'file'}, @files) >= 0 || &error($text{'manual_efile'});
-
-# Follow links to get the real file
-while(-l $in{'file'}) {
-	$in{'file'} = readlink($in{'file'});
-	}
-$in{'file'} || &error($text{'manual_elink'});
+my @files = &get_manual_config_files();
+$in{'file'} = &resolve_manual_config_file($in{'file'}, @files) ||
+	&error($text{'manual_efile'});
 
 $in{'data'} =~ s/\r//g;
 my $fh = "CONF";
@@ -43,6 +38,6 @@ else {
 	&print_tempfile($fh, $in{'data'});
 	&close_tempfile($fh);
 	}
+&update_last_config_change();
 &webmin_log("manual", undef, $in{'file'});
 &redirect("");
-
diff --git a/nginx/t/server-files.t b/nginx/t/server-files.t
new file mode 100644
index 000000000..21ac73ccc
--- /dev/null
+++ b/nginx/t/server-files.t
@@ -0,0 +1,521 @@
+#!/usr/bin/perl
+# Tests for Debian-style Nginx sites-available/sites-enabled handling.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Basename qw(dirname);
+use File::Path qw(make_path);
+use File::Spec;
+use File::Temp qw(tempdir);
+use Cwd qw(abs_path);
+
+my $root = abs_path(File::Spec->catdir(dirname(__FILE__), '..', '..'));
+my $tmp = abs_path(tempdir(CLEANUP => 1));
+my $webmin_config = File::Spec->catdir($tmp, 'webmin-config');
+my $webmin_var = File::Spec->catdir($tmp, 'webmin-var');
+my $available = File::Spec->catdir($tmp, 'sites-available');
+my $enabled = File::Spec->catdir($tmp, 'sites-enabled');
+my $nginx_conf = File::Spec->catfile($tmp, 'nginx.conf');
+
+make_path($webmin_config, $webmin_var, "$webmin_config/nginx",
+	  $available, $enabled);
+
+sub write_text
+{
+my ($file, $text) = @_;
+open(my $fh, '>', $file) || die "Failed to write $file: $!";
+print $fh $text;
+close($fh) || die "Failed to close $file: $!";
+}
+
+sub server_conf
+{
+my ($name, $body) = @_;
+return "server {\n".
+       "\tserver_name $name;\n".
+       "\tlisten 80;\n".
+       $body.
+       "}\n";
+}
+
+my $alpha = File::Spec->catfile($available, 'alpha.conf');
+my $beta = File::Spec->catfile($available, 'beta.conf');
+my $charlie = File::Spec->catfile($available, 'charlie.conf');
+my $default = File::Spec->catfile($available, 'default');
+
+write_text($alpha, server_conf('alpha.example', "\troot /srv/alpha;\n"));
+write_text($beta, server_conf('beta.example',
+	"\tlocation / {\n".
+	"\t\tproxy_pass http://127.0.0.1:8080;\n".
+	"\t}\n"));
+write_text($charlie, server_conf('charlie.example', "\troot /srv/charlie;\n"));
+write_text($default, server_conf('_', "\troot /srv/default;\n"));
+write_text($nginx_conf,
+	"events {\n".
+	"}\n".
+	"http {\n".
+	"\tinclude $enabled/*;\n".
+	"}\n");
+
+symlink($alpha, File::Spec->catfile($enabled, 'alpha.conf')) ||
+	die "Failed to symlink alpha: $!";
+symlink($charlie, File::Spec->catfile($enabled, 'charlie.conf')) ||
+	die "Failed to symlink charlie: $!";
+symlink($default, File::Spec->catfile($enabled, 'default')) ||
+	die "Failed to symlink default: $!";
+
+write_text(File::Spec->catfile($webmin_config, 'config'),
+	"os_type=unix\n".
+	"os_version=1\n".
+	"real_os_type=Unix\n".
+	"real_os_version=1\n");
+write_text(File::Spec->catfile($webmin_config, 'miniserv.conf'),
+	"root=$root\n");
+write_text(File::Spec->catfile($webmin_config, 'nginx', 'config'),
+	"nginx_config=$nginx_conf\n".
+	"nginx_cmd=/bin/true\n".
+	"add_to=$available\n".
+	"add_link=$enabled\n");
+
+$ENV{'WEBMIN_CONFIG'} = $webmin_config;
+$ENV{'WEBMIN_VAR'} = $webmin_var;
+$ENV{'FOREIGN_MODULE_NAME'} = 'nginx';
+$ENV{'FOREIGN_ROOT_DIRECTORY'} = $root;
+$ENV{'REMOTE_USER'} = 'root';
+
+unshift(@INC, $root);
+require File::Spec->catfile($root, 'nginx', 'nginx-lib.pl');
+
+{
+	no warnings 'once';
+	$main::text{'server_pp'} = 'Proxy to $1';
+	$main::text{'index_noroot'} = 'No root directory';
+	$main::text{'index_noproxy'} = 'No proxy target';
+}
+
+sub http_config
+{
+main::flush_config_cache();
+my $http = main::find('http', main::get_config());
+ok($http, 'test nginx config has an http block');
+return $http;
+}
+
+sub row_names
+{
+return [ map { scalar main::find_value('server_name', $_->{'server'}) } @_ ];
+}
+
+sub row_states
+{
+return [ map { $_->{'active'} ? 'enabled' : 'disabled' } @_ ];
+}
+
+subtest 'sites-available files are manageable and ordered' => sub {
+	ok(main::can_manage_server_files(), 'sites-available/enabled dirs are manageable');
+	is_deeply(
+		[ main::get_add_to_files() ],
+		[ $alpha, $beta, $charlie, $default ],
+		'available files are listed in stable filename order',
+	);
+
+	my @rows = main::get_server_list_rows(http_config());
+	is_deeply(row_names(@rows),
+		  [ '_', 'alpha.example', 'beta.example', 'charlie.example' ],
+		  'default site is first and other sites stay in sites-available order');
+	is_deeply(row_states(@rows),
+		  [ 'enabled', 'enabled', 'disabled', 'enabled' ],
+		  'row active state follows sites-enabled symlinks');
+};
+
+subtest 'disable removes only the enabled symlink' => sub {
+	no warnings 'once';
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::disable_server_file($alpha), undef, 'disable succeeds');
+	}
+	ok(main::needs_config_restart(),
+	   'disable marks config as needing apply');
+
+	ok(-f $alpha, 'disable leaves the sites-available file in place');
+	ok(!-e File::Spec->catfile($enabled, 'alpha.conf'),
+	   'disable removes the sites-enabled symlink');
+
+	my @rows = main::get_server_list_rows(http_config());
+	is_deeply(row_names(@rows),
+		  [ '_', 'alpha.example', 'beta.example', 'charlie.example' ],
+		  'disabled row remains in the same list position');
+	is_deeply(row_states(@rows),
+		  [ 'enabled', 'disabled', 'disabled', 'enabled' ],
+		  'disabled row status is updated');
+};
+
+subtest 'enable creates a symlink without touching the source file' => sub {
+	no warnings 'once';
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::enable_server_file($beta), undef, 'enable succeeds');
+	}
+	ok(main::needs_config_restart(),
+	   'enable marks config as needing apply');
+
+	my $link = File::Spec->catfile($enabled, 'beta.conf');
+	ok(-f $beta, 'enable leaves the sites-available file in place');
+	ok(-l $link, 'enable creates the sites-enabled symlink');
+	is(readlink($link), $beta, 'enabled symlink points to the available file');
+	ok(main::server_file_enabled($beta), 'server_file_enabled sees the symlink');
+};
+
+subtest 'legacy create/delete link helpers still manage symlinks' => sub {
+	no warnings 'once';
+	my $echo = File::Spec->catfile($available, 'echo.conf');
+	my $echo_link = File::Spec->catfile($enabled, 'echo.conf');
+	write_text($echo, server_conf('echo.example', "\troot /srv/echo;\n"));
+	my $server = { 'file' => $echo };
+
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+	main::create_server_link($server);
+	ok(-l $echo_link, 'create_server_link creates expected symlink');
+	is(readlink($echo_link), $echo, 'created symlink points to server file');
+	ok(main::needs_config_restart(),
+	   'create_server_link marks config as needing apply');
+
+	main::update_last_restart_time();
+	my $old = time() - 10;
+	utime($old, $old, $main::last_restart_time_flag);
+	main::delete_server_link($server);
+	ok(!-e $echo_link, 'delete_server_link removes expected symlink');
+	ok(-f $echo, 'delete_server_link leaves server file in place');
+	ok(main::needs_config_restart(),
+	   'delete_server_link marks config as needing apply');
+};
+
+subtest 'disabled server blocks can be deleted from available files' => sub {
+	my $multi = File::Spec->catfile($available, 'multi.conf');
+	write_text($multi,
+		server_conf('one.example', "\troot /srv/one;\n").
+		server_conf('two.example', "\troot /srv/two;\n"));
+	my ($one_server) = grep {
+		main::find_value('server_name', $_) eq 'one.example'
+		} main::find_servers_in_file($multi);
+
+	is(main::delete_servers_from_file($multi, $one_server), 1,
+	   'delete_servers_from_file removes one disabled server block');
+	ok(-f $multi, 'file remains when another server block is present');
+	is_deeply(
+		[ map { scalar main::find_value('server_name', $_) }
+		  main::find_servers_in_file($multi) ],
+		[ 'two.example' ],
+		'only the unselected disabled server block remains');
+
+	my ($two_server) = main::find_servers_in_file($multi);
+	is(main::delete_servers_from_file($multi, $two_server), 1,
+	   'delete_servers_from_file removes the last disabled server block');
+	ok(!-e $multi, 'empty available file is removed after last block delete');
+};
+
+subtest 'same-name symlink to another target is not disabled' => sub {
+	my $otherdir = File::Spec->catdir($tmp, 'other-sites');
+	my $other = File::Spec->catfile($otherdir, 'charlie.conf');
+	my $link = File::Spec->catfile($enabled, 'charlie.conf');
+	make_path($otherdir);
+	write_text($other, server_conf('other.example', "\troot /srv/other;\n"));
+	unlink($link) || die "Failed to remove charlie link: $!";
+	symlink($other, $link) || die "Failed to symlink other charlie: $!";
+
+	ok(!main::server_file_enabled($charlie),
+	   'same-name symlink to another file is not considered enabled');
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return undef; };
+		is(main::disable_server_file($charlie), undef, 'disable is a no-op');
+	}
+	ok(-l $link, 'same-name symlink to another target is preserved');
+	is(readlink($link), $other, 'preserved symlink target is unchanged');
+};
+
+subtest 'file-level actions require access to every server in the file' => sub {
+	my $mixed = File::Spec->catfile($available, 'mixed.conf');
+	write_text($mixed,
+		server_conf('alpha.example', "\troot /srv/mixed-alpha;\n").
+		server_conf('hidden.example', "\troot /srv/mixed-hidden;\n"));
+
+	{
+		no warnings 'once';
+		local $main::access{'vhosts'} = 'alpha.example';
+		ok(!main::can_manage_server_file($mixed),
+		   'mixed-access file cannot be managed by a restricted user');
+	}
+	ok(main::can_manage_server_file($mixed),
+	   'mixed-access file can be managed when vhost access is unrestricted');
+};
+
+subtest 'nginx -t failure rolls back link changes' => sub {
+	my $delta = File::Spec->catfile($available, 'delta.conf');
+	my $delta_link = File::Spec->catfile($enabled, 'delta.conf');
+	write_text($delta, server_conf('delta.example', "\troot /srv/delta;\n"));
+
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return 'bad config'; };
+		like(main::enable_server_file($delta), qr/bad config/,
+		     'failed enable reports nginx -t output');
+	}
+	ok(!-e $delta_link, 'failed enable removes the new symlink');
+
+	symlink($delta, $delta_link) || die "Failed to symlink delta: $!";
+	{
+		no warnings 'redefine';
+		local *main::test_config = sub { return 'bad config'; };
+		like(main::disable_server_file($delta), qr/bad config/,
+		     'failed disable reports nginx -t output');
+	}
+	ok(-l $delta_link, 'failed disable restores the removed symlink');
+	is(readlink($delta_link), $delta, 'restored symlink target is unchanged');
+};
+
+subtest 'root and proxy summaries are detected' => sub {
+	my ($alpha_server) = main::find_servers_in_file($alpha);
+	my ($beta_server) = main::find_servers_in_file($beta);
+	my ($default_server) = main::find_servers_in_file($default);
+	my $path_proxy = File::Spec->catfile($available, 'path-proxy.conf');
+	write_text($path_proxy,
+		"server {\n".
+		"\tserver_name path.example;\n".
+		"\tlisten 443 ssl http2;\n".
+		"\tlocation /webmin {\n".
+		"\t\tproxy_pass https://127.0.0.1:10000/;\n".
+		"\t\tproxy_http_version 1.1;\n".
+		"\t}\n".
+		"}\n");
+	my $named = File::Spec->catfile($available, 'named-proxy.conf');
+	write_text($named,
+		"server {\n".
+		"\tserver_name named.example;\n".
+		"\tlisten 80;\n".
+		"\tlocation / {\n".
+		"\t\ttry_files \$uri \@backend;\n".
+		"\t}\n".
+		"\tlocation \@backend {\n".
+		"\t\tproxy_pass http://127.0.0.1:8081;\n".
+		"\t}\n".
+		"}\n");
+	my ($path_proxy_server) = main::find_servers_in_file($path_proxy);
+	my ($named_server) = main::find_servers_in_file($named);
+
+	is_deeply([ main::server_root_proxy_state($alpha_server) ], [ 1, 0 ],
+		  'root-only server state is detected');
+	is(main::server_root_summary($alpha_server), '/srv/alpha',
+	   'root-only server root column shows the root directory');
+	is(main::server_proxy_summary($alpha_server), '<i>No proxy target</i>',
+	   'root-only server proxy column shows a missing-proxy message');
+	is(main::server_root_proxy_summary($alpha_server), '/srv/alpha',
+	   'root-only summary shows the root directory');
+	is(main::server_url($alpha_server), 'http://alpha.example/',
+	   'root-only server URL uses HTTP default port');
+	is(main::server_url($default_server), undef,
+	   'default server has no URL link target');
+
+	is_deeply([ main::server_root_proxy_state($beta_server) ], [ 0, 1 ],
+		  'proxy-only server state is detected');
+	is(main::server_root_summary($beta_server), '<i>No root directory</i>',
+	   'proxy-only server root column shows a missing-root message');
+	like(main::server_proxy_summary($beta_server),
+	     qr{/ &#x21fe; http://127\.0\.0\.1:8080},
+	     'proxy-only server proxy column shows the path and proxy target');
+	like(main::server_root_proxy_summary($beta_server),
+	     qr{http://127\.0\.0\.1:8080},
+	     'proxy-only summary shows the proxy target');
+	is(main::server_url($beta_server), 'http://beta.example/',
+	   'proxy-only server URL uses HTTP default port');
+
+	is_deeply([ main::server_root_proxy_state($path_proxy_server) ], [ 0, 1 ],
+		  'non-root-location proxy state is detected');
+	is(main::server_root_summary($path_proxy_server), '<i>No root directory</i>',
+	   'non-root-location proxy root column shows a missing-root message');
+	like(main::server_proxy_summary($path_proxy_server),
+	     qr{/webmin &#x21fe; https://127\.0\.0\.1:10000/},
+	     'non-root-location proxy column shows the path and proxy target');
+	like(main::server_root_proxy_summary($path_proxy_server),
+	     qr{https://127\.0\.0\.1:10000/},
+	     'non-root-location proxy summary shows the proxy target');
+	is(main::server_url($path_proxy_server), 'https://path.example/',
+	   'SSL listener URL uses HTTPS default port');
+
+	is_deeply([ main::server_root_proxy_state($named_server) ], [ 0, 1 ],
+		  'named-location proxy state is detected');
+	like(main::server_proxy_summary($named_server),
+	     qr{\@backend &#x21fe; http://127\.0\.0\.1:8081},
+	     'named-location proxy column shows the path and proxy target');
+	like(main::server_root_proxy_summary($named_server),
+	     qr{http://127\.0\.0\.1:8081},
+	     'named-location proxy summary shows the proxy target');
+	is(main::server_url($named_server), 'http://named.example/',
+	   'named-location proxy URL uses HTTP default port');
+};
+
+subtest 'config change apply flag tracks pending changes' => sub {
+	no warnings 'once';
+	unlink($main::last_config_change_flag);
+	unlink($main::last_restart_time_flag);
+
+	ok(!main::needs_config_restart(),
+	   'no apply needed when no change flag exists');
+	main::update_last_config_change();
+	ok(main::needs_config_restart(),
+	   'apply needed after config change');
+	main::update_last_restart_time();
+	ok(!main::needs_config_restart(),
+	   'apply not needed after config has been applied');
+
+	my $old = time() - 10;
+	utime($old, $old, $main::last_restart_time_flag);
+	main::update_last_config_change();
+	ok(main::needs_config_restart(),
+	   'apply needed when config change is newer than last apply');
+};
+
+subtest 'manual edit ACL is separately configurable' => sub {
+	no warnings 'once';
+	{
+		local %main::access = ( 'global' => 1 );
+		ok(main::can_edit_manual_config(),
+		   'manual edit defaults to global ACL for existing users');
+	}
+	{
+		local %main::access = ( 'global' => 0 );
+		ok(!main::can_edit_manual_config(),
+		   'manual edit is denied when global ACL default is denied');
+	}
+	{
+		local %main::access = ( 'global' => 1, 'manual' => 0 );
+		ok(!main::can_edit_manual_config(),
+		   'manual edit can be disabled for global users');
+	}
+	{
+		local %main::access = ( 'global' => 0, 'manual' => 1 );
+		ok(main::can_edit_manual_config(),
+		   'manual edit can be explicitly enabled');
+	}
+};
+
+subtest 'manual edit files respect vhost ACL' => sub {
+	my $single = File::Spec->catfile($available, 'manual-single.conf');
+	my $shared = File::Spec->catfile($available, 'manual-shared.conf');
+	my $single_link = File::Spec->catfile($tmp, 'manual-single-link.conf');
+	my $shared_link = File::Spec->catfile($tmp, 'manual-shared-link.conf');
+	write_text($single,
+		server_conf('single.example', "\troot /srv/single;\n"));
+	write_text($shared,
+		server_conf('single.example', "\troot /srv/shared-single;\n").
+		server_conf('other.example', "\troot /srv/shared-other;\n"));
+	symlink($single, File::Spec->catfile($enabled, 'manual-single.conf')) ||
+		die "Failed to symlink manual-single: $!";
+	symlink($shared, File::Spec->catfile($enabled, 'manual-shared.conf')) ||
+		die "Failed to symlink manual-shared: $!";
+	symlink($single, $single_link) ||
+		die "Failed to symlink manual-single-link: $!";
+	symlink($shared, $shared_link) ||
+		die "Failed to symlink manual-shared-link: $!";
+	main::flush_config_cache();
+
+	{
+		local %main::access = ( 'manual' => 1,
+					'vhosts' => 'single.example' );
+		my @files = main::get_manual_config_files();
+		ok(main::can_edit_manual_file($single),
+		   'restricted user can manually edit their own single-server file');
+		ok(!main::can_edit_manual_file($shared),
+		   'restricted user cannot manually edit a shared server file');
+		is_deeply(
+			[ grep { $_ eq $single || $_ eq $shared } @files ],
+			[ $single ],
+			'manual file list excludes shared files for restricted users');
+		is(main::resolve_manual_config_file($single_link, @files), $single,
+		   'submitted symlink resolves to an authorized config file');
+		is(main::resolve_manual_config_file($shared_link, @files), undef,
+		   'submitted symlink to unauthorized file is rejected');
+	}
+	{
+		local %main::access = ( 'manual' => 1 );
+		ok(main::can_edit_manual_file($shared),
+		   'unrestricted user can manually edit shared server files');
+	}
+};
+
+subtest 'Virtualmin-managed server files cannot be toggled directly' => sub {
+	my $enabled_domain = File::Spec->catfile($available, 'vm-enabled.conf');
+	my $disabled_domain = File::Spec->catfile($available, 'vm-disabled.conf');
+	write_text($enabled_domain,
+		server_conf('vm-enabled.example www.vm-enabled.example',
+			    "\troot /srv/vm-enabled;\n"));
+	write_text($disabled_domain,
+		server_conf('vm-disabled.example',
+			    "\troot /srv/vm-disabled;\n"));
+
+	{
+		no warnings qw(redefine once);
+		local *main::virtualmin_available = sub { return 1; };
+		local *main::virtualmin_domain_by_name = sub {
+			my ($name) = @_;
+			return $name eq 'vm-enabled.example' ?
+				{ 'dom' => $name, 'id' => '12345',
+				  'disabled' => '' } :
+			       $name eq 'vm-disabled.example' ?
+				{ 'dom' => $name, 'id' => '67890',
+				  'disabled' => 'web' } :
+				undef;
+			};
+
+		my $disable_err =
+			main::virtualmin_server_file_state_error($enabled_domain,
+								 'disable');
+		my $enabled_state = main::server_file_state($enabled_domain);
+		is($enabled_state->{'source'}, 'virtualmin',
+		   'Virtualmin is the effective state source for managed files');
+		ok($enabled_state->{'enabled'},
+		   'Virtualmin enabled domain is reported as enabled');
+		is(main::server_file_toggle_action($enabled_domain), 'disable',
+		   'toggle action follows the Virtualmin enabled state');
+		like($disable_err, qr/currently enabled/,
+		     'Virtualmin state is included for enabled domains');
+		like($disable_err, qr/Disable Virtual Server/,
+		     'disabling directs users to Virtualmin disable action');
+		like($disable_err,
+		     qr{virtual-server/disable_domain\.cgi\?dom=12345},
+		     'disabling links to the Virtualmin disable form');
+
+		my $enable_err =
+			main::virtualmin_server_file_state_error($disabled_domain,
+								 'enable');
+		my $disabled_state = main::server_file_state($disabled_domain);
+		is($disabled_state->{'source'}, 'virtualmin',
+		   'Virtualmin remains the state source for disabled domains');
+		ok(!$disabled_state->{'enabled'},
+		   'Virtualmin disabled domain is reported as disabled');
+		is(main::server_file_toggle_action($disabled_domain), 'enable',
+		   'toggle action follows the Virtualmin disabled state');
+		like($enable_err, qr/currently disabled/,
+		     'Virtualmin state is included for disabled domains');
+		like($enable_err, qr/Enable Virtual Server/,
+		     'enabling directs users to Virtualmin enable action');
+		like($enable_err,
+		     qr{virtual-server/enable_domain\.cgi\?dom=67890},
+		     'enabling links to the Virtualmin enable form');
+
+		is(main::virtualmin_server_file_state_error($alpha, 'disable'),
+		   undef, 'non-Virtualmin server files can still be toggled');
+	}
+};
+
+done_testing();
diff --git a/rpc.cgi b/rpc.cgi
index 3f15fb979..569fdfbac 100755
--- a/rpc.cgi
+++ b/rpc.cgi
@@ -4,13 +4,13 @@
 # other webmin servers. State is preserved by starting a process for each
 # session that listens for requests on a named pipe (and dies after a few
 # seconds of inactivity)
-# access{'rpc'}  0=not allowed 1=allowed 2=allowed if root or admin, 3=allowed
+# access{'rpc'}  0=not allowed 1=allowed 2=allowed if root or admin, 3=RPC only
 
-$main::allow_rpc_only = 1;
 BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 
+$main::allow_rpc_only = 1;
 &init_config();
 if ($ENV{'REQUEST_METHOD'} eq 'POST') {
 	local $got;
@@ -169,4 +169,3 @@ unlink($fifo1);
 unlink($fifo2);
 exit;
 }
-
diff --git a/t/README.md b/t/README.md
new file mode 100644
index 000000000..27f704ae7
--- /dev/null
+++ b/t/README.md
@@ -0,0 +1,148 @@
+# Webmin test suite
+
+Two kinds of tests live under this tree:
+
+- Repo-root `t/` for core code (`miniserv.pl`, `web-lib-funcs.pl`, top-level
+  scripts, `bin/`).
+- Per-module `t/` for module-internal coverage (see `nftables/t/` for the
+  established pattern: `perlcritic.t` plus a `run-tests.t` smoke harness).
+
+## Running tests
+
+```sh
+prove -lr                                # everything, including modules t/
+prove -lr t                              # everything under repo-root t/
+prove t/compile.t                        # one test file
+WEBMIN_COMPILE_T_FILTER='^\./acl/' prove t/compile.t   # one module
+```
+
+`prove` and Test::More are core, though on RPM-based distros, you need
+`perl-Test-Harness`.
+
+## Coverage reports
+
+```sh
+HARNESS_PERL_SWITCHES=-MDevel::Cover prove -lr
+cover
+```
+
+You need Devel::Cover installed.
+
+## What's here
+
+| File | What it checks |
+| --- | --- |
+| `compile.t` | Every `.pl`, `.cgi`, and shebang-perl script in `bin/` parses cleanly (`perl -c`). Catches breakage from bulk refactors without browsing every page. ~12s for the full tree. |
+| `miniserv.t` | Contract test for `miniserv.pl` functions — status codes, headers, body rendering, log behaviour. Demonstrates the require-and-stub pattern below. |
+
+## The require-and-stub pattern
+
+Many Webmin scripts mix sub definitions with a main body that opens sockets,
+reads `/etc/webmin/*`, or spawns CGIs. To test individual subs in isolation
+we need to `require` the script as a library without running the main body.
+
+Two complementary idioms can be used. Both work; they look different because
+the underlying script does.
+
+### Block wrap (main body precedes sub definitions)
+
+Used by `miniserv.pl`. The executable preamble runs at file scope (so any 
+`my` vars stay file-scoped for the subs below); the main body wraps in
+`unless (caller)`:
+
+```perl
+#!/usr/bin/perl
+use Foo;            # use lines and pragmas stay outside the guard
+
+unless (caller) {
+
+# main body: arg parsing, setup, the actual work
+...
+
+} # end of unless (caller)
+
+sub helper { ... }
+sub other_helper { ... }
+```
+
+### One-liner (sub definitions precede the main call)
+
+Used by most `bin/` CLI tools, which already define `sub main` and dispatch
+to it at the bottom:
+
+```perl
+#!/usr/bin/env perl
+use strict; use warnings;
+
+sub main {
+    ...
+    return 0;
+}
+exit main(\@ARGV) if !caller(0);
+
+sub helper { ... }
+```
+
+`!caller(0)` is true at script invocation (depth-0 frame absent) and false
+under `require`.
+
+## Sub-stubbing in tests
+
+`miniserv.t` is the canonical example. The pattern:
+
+1. `require` the script. The guard skips its main body.
+2. Replace side-effecting subs (socket I/O, logging, disk reads) with
+   capture-buffer overrides under `no warnings 'redefine'`.
+3. Populate package globals (`%miniserv::config`, `@miniserv::roots`, etc.)
+   yourself instead of running the config loader.
+4. Call the sub under test. Assert on contract (status code, presence of
+   required headers, structural balance of emitted markup) — not on
+   cosmetics like exact wording or class names.
+
+Tying tests to the contract rather than the rendering lets the UI evolve
+without breaking the test, while still catching real regressions.
+
+## Tiered coverage policy
+
+Not all 268 modules deserve the same investment.
+
+- **Tier 1 — security-critical, network-facing.** `miniserv.pl`,
+  `web-lib-funcs.pl`, `acl/`, auth, file upload paths. Comprehensive
+  contract tests; mock filesystem and `backquote_command` for parser
+  coverage of external-binary output.
+- **Tier 2 — active refactor surface.** Currently `nftables/`, `firewalld/`,
+  and whichever module is being reviewed. Mandatory tests for new code;
+  `perlcritic.t` at severity 5 as a gate.
+- **Tier 3 — stable OS-config wrappers.** Covered by `compile.t` plus
+  optional per-module `perlcritic.t`. Don't chase line coverage on parsers
+  for config files that haven't changed in a decade.
+
+The goal is not coverage-as-a-number. It's:
+
+- Every parser round-trips its serializer.
+- Every privilege boundary has a test.
+- Every external-binary call has a mock-driven test for its output parser.
+
+## Adding a per-module test directory
+
+```
+yourmodule/
+  t/
+    perlcritic.t   # see nftables/t/perlcritic.t for the template
+    run-tests.t    # see nftables/t/run-tests.t for the WEBMIN_CONFIG / tmpdir setup
+```
+
+A module's tests are reachable from `prove -lr` at the repo root (no
+path arg, so the recursive walk starts at the cwd). `prove -lr t` only
+walks within `t/` and will miss `<module>/t/`.
+
+## Caveats
+
+- `WEBMIN_COMPILE_T_STRICT=1` turns missing-CPAN-module skips into failures.
+  Use this in CI on a fully-provisioned image; leave it off on dev boxes
+  where optional deps (`Pod::Simple::Wiki`, `Encode::Detect::Detector`) may
+  not be installed.
+- `.pl` is also the Polish translation suffix in Webmin. `compile.t` skips
+  `<file>.pl` when a sibling `<file>` (no extension) exists; this catches
+  `config.info.pl` and `module.info.pl` data files without a hardcoded list.
+
diff --git a/t/compile.t b/t/compile.t
new file mode 100644
index 000000000..214055037
--- /dev/null
+++ b/t/compile.t
@@ -0,0 +1,90 @@
+#!/usr/local/bin/perl
+# Verify every .pl and .cgi in the tree parses (perl -c).
+#
+# Catches syntax and `use` breakage from bulk refactors without having
+# to load every page in a browser. The test is the first line of defence
+# for the "we changed thousands of files mechanically, did anything
+# break" question.
+#
+# Skipped:
+#   - $file.pl when a sibling $file (no .pl) exists. Webmin uses .pl as
+#     the Polish translation suffix, so config.info.pl, module.info.pl,
+#     etc. are data files, not Perl.
+#   - Files that fail only because of a missing CPAN module. The file
+#     itself parses, but `use Foo::Bar` can't resolve at compile time.
+#     Treated as a skip so missing optional deps don't gate the suite.
+#     Set WEBMIN_COMPILE_T_STRICT=1 to turn these into failures.
+#
+# Speed: ~12 seconds for the full tree (~3.4k files). Narrow with
+# WEBMIN_COMPILE_T_FILTER=<regex> when iterating on one module.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Find;
+use File::Basename qw(dirname);
+use File::Spec;
+use Cwd qw(abs_path);
+
+my $root = abs_path(File::Spec->catdir(dirname(__FILE__), '..'));
+chdir($root) or die "chdir($root): $!";
+
+my $filter = $ENV{WEBMIN_COMPILE_T_FILTER};
+my $strict = $ENV{WEBMIN_COMPILE_T_STRICT};
+
+my @files;
+find({
+	no_chdir => 1,
+	wanted => sub {
+		return if -d;
+		# .pl and .cgi files, plus extensionless files in bin/ with a
+		# perl shebang. The shebang check keeps us from compile-checking
+		# arbitrary non-perl files just because they share a directory.
+		my $name = $File::Find::name;
+		my $is_pl_or_cgi = $name =~ /\.(pl|cgi)\z/;
+		my $is_bin_dotless = $name =~ m{^\./bin/([^/]+)\z} && $1 !~ /\./;
+		return unless $is_pl_or_cgi || $is_bin_dotless;
+		# Skip the Polish translations that share the .pl suffix.
+		if ($is_pl_or_cgi && $name =~ m{(.+)\.pl\z}) {
+			my $base = $1;
+			return if -f "$base";
+			}
+		# For extensionless bin/ scripts, require a perl shebang.
+		if ($is_bin_dotless) {
+			open(my $fh, '<', $name) or return;
+			my $shebang = <$fh>;
+			close($fh);
+			return unless defined $shebang && $shebang =~ /^#!.*\bperl\b/;
+			}
+		push(@files, $name);
+		},
+	}, '.');
+
+@files = sort @files;
+@files or BAIL_OUT("found no .pl/.cgi/bin scripts under $root");
+
+if ($filter) {
+	@files = grep { /$filter/ } @files;
+	@files or do { diag("filter '$filter' matched zero files"); plan skip_all => "no files match filter"; };
+	}
+
+diag("compile-checking " . scalar(@files) . " files");
+
+for my $f (@files) {
+	my $rel = $f;
+	$rel =~ s{^\./}{};
+	my $out = qx{perl -I. -c -- "$rel" 2>&1};
+	if ($out =~ /\bsyntax OK\b/) {
+		pass("$rel compiles");
+		}
+	elsif (!$strict && $out =~ /Can't locate (\S+\.pm) in \@INC/) {
+		SKIP: { skip("$rel: missing optional CPAN module $1", 1); }
+		}
+	else {
+		fail("$rel compiles");
+		diag($out);
+		}
+	}
+
+done_testing();
+
diff --git a/t/miniserv-http_error.t b/t/miniserv-http_error.t
deleted file mode 100644
index 520744c13..000000000
--- a/t/miniserv-http_error.t
+++ /dev/null
@@ -1,142 +0,0 @@
-#!/usr/bin/perl
-# Tests for miniserv::http_error.
-#
-# miniserv.pl is loaded as a module; its top-level script body is skipped
-# by the `unless (caller) { ... }` guard, so we only get the sub
-# definitions plus a handful of pure-constant globals (@itoa64, @weekday,
-# @month, @miniserv_argv). Everything else (%config, @roots, $datestr,
-# etc.) we populate ourselves.
-
-use strict;
-use warnings;
-use Test::More;
-use File::Basename qw(dirname);
-use File::Spec;
-
-my $script = File::Spec->rel2abs(
-	File::Spec->catfile(dirname(__FILE__), '..', 'miniserv.pl'));
-require $script;
-
-# Capture buffers populated by the overridden I/O subs.
-our @written;
-our @errlog;
-our @reqlog;
-
-# Replace the subs that would otherwise touch SOCK, STDERR, the log file,
-# or read disk. Each capturing override is the minimum needed to keep
-# http_error's control flow intact. `once` is suppressed because these
-# package globals are only ever written from this file.
-{
-	no warnings qw(redefine once);
-	*miniserv::write_data         = sub { push @written, join('', @_); };
-	*miniserv::write_keep_alive   = sub { };
-	*miniserv::log_error          = sub { push @errlog, join('', @_); };
-	*miniserv::log_request        = sub { push @reqlog, [@_]; };
-	*miniserv::embed_error_styles = sub { return ''; };
-	*miniserv::server_info        = sub { return 'MiniServ/test'; };
-	*miniserv::reset_byte_count   = sub { };
-	*miniserv::byte_count         = sub { return 0; };
-}
-
-{
-	no warnings 'once';
-	%miniserv::config   = ();
-	@miniserv::roots    = ('/tmp');
-	@miniserv::preroots = ();
-	$miniserv::datestr  = 'Sun, 01 Jan 2026 00:00:00 GMT';
-}
-
-# Call http_error with capture buffers reset. noexit=1 is REQUIRED — the
-# real sub calls exit() otherwise. shutdown(SOCK,1)/close(SOCK) at the end
-# of http_error warn because SOCK is not a real socket here; the localized
-# warn handler swallows that one specific noise.
-sub run_http_error {
-	my (%args) = @_;
-	@written = ();
-	@errlog  = ();
-	@reqlog  = ();
-	no warnings 'once';
-	local $miniserv::reqline  = $args{reqline};
-	local $miniserv::loghost  = $args{loghost};
-	local $miniserv::authuser = $args{authuser};
-	local $SIG{__WARN__} = sub { };
-	miniserv::http_error(
-		$args{code}, $args{msg}, $args{body},
-		1,             # noexit
-		$args{noerr},
-	);
-	return join('', @written);
-}
-
-# minimal call: code + message, no body, no reqline 
-# Assert on the contract, not the cosmetics: the status code, the
-# presence of required headers, and that the caller's code + message
-# reach the rendered page. Specific wording, header values, decoration
-# (&mdash;), and class names are presentation and may change.
-{
-	my $out = run_http_error(code => 404, msg => 'Not Found');
-
-	like($out, qr{^HTTP/1\.0 404\b},                      'status line carries 404');
-	like($out, qr{\r\nServer:\s+\S},                      'Server header present and non-empty');
-	like($out, qr{\r\nDate:\s+\S},                        'Date header present and non-empty');
-	like($out, qr{\r\nContent-type:\s*text/html\b.*\butf-?8\b}i, 'Content-type is HTML with utf-8 charset');
-	like($out, qr{<title>[^<]*404[^<]*</title>},          'title surfaces the code');
-	like($out, qr{<title>[^<]*Not Found[^<]*</title>},    'title surfaces the message');
-	like($out, qr{<h2\b[^>]*>[^<]*Not Found[^<]*</h2>},   'message appears in a heading');
-	unlike($out, qr{<p\b},                                'no paragraph emitted when body arg absent');
-
-	is(scalar @errlog, 1,                                 'log_error called once');
-	like($errlog[0], qr/Not Found/,                       'log_error received the caller message');
-	is(scalar @reqlog, 0,                                 'log_request skipped when reqline empty');
-}
-
-# body argument renders as a paragraph
-{
-	my $out = run_http_error(code => 500, msg => 'Server Error', body => 'something broke');
-	like($out, qr{<p\b[^>]*>[^<]*\Qsomething broke\E[^<]*</p>}, 'body argument rendered in a paragraph');
-}
-
-# reqline triggers log_request
-{
-	run_http_error(
-		code => 403, msg => 'Forbidden', body => 'no access',
-		reqline => 'GET /secret HTTP/1.0',
-		loghost => '127.0.0.1', authuser => 'bob',
-	);
-	is(scalar @reqlog, 1,                                 'log_request called when reqline is set');
-	is($reqlog[0][0], '127.0.0.1',                        'log_request host arg');
-	is($reqlog[0][1], 'bob',                              'log_request user arg');
-	is($reqlog[0][2], 'GET /secret HTTP/1.0',             'log_request request arg');
-	is($reqlog[0][3], 403,                                'log_request code arg');
-}
-
-# noerr suppresses log_error
-{
-	run_http_error(code => 401, msg => 'Unauthorized', noerr => 1);
-	is(scalar @errlog, 0,                                 'log_error suppressed when noerr is true');
-}
-
-# error_handler config that points to a missing file falls through 
-# This exercises the early branch without triggering `goto rerun` (which
-# only resolves inside handle_request).
-{
-	local $miniserv::config{'error_handler'} = 'definitely-not-a-real-file.cgi';
-	my $out = run_http_error(code => 500, msg => 'Server Error');
-	like($out, qr{^HTTP/1\.0 500\b}, 'falls through to standard path when handler file missing');
-}
-
-# HTML scaffolding is balanced
-{
-	my $out = run_http_error(code => 400, msg => 'Bad Request', body => 'oops');
-	for my $tag (qw(html head title body h2 p)) {
-		my $open  = () = $out =~ /<$tag\b[^>]*>/g;
-		my $close = () = $out =~ /<\/$tag>/g;
-		is($open, $close, "<$tag> tags balanced (open=$open, close=$close)");
-		cmp_ok($open, '>=', 1, "<$tag> appears at least once");
-	}
-	# Sanity-check element ordering: head before body, title inside head.
-	like($out, qr{<html>.*<head>.*<title>.*</title>.*</head>.*<body[^>]*>.*</body>\s*</html>}s,
-	     'top-level elements appear in the expected order');
-}
-
-done_testing();
diff --git a/t/miniserv.t b/t/miniserv.t
new file mode 100644
index 000000000..72a531516
--- /dev/null
+++ b/t/miniserv.t
@@ -0,0 +1,1439 @@
+#!/usr/bin/perl
+# Unit tests for miniserv.pl helper subs.
+#
+# miniserv.pl is loaded as a module; its top-level script body is skipped
+# by the `unless (caller) { ... }` guard, so we only get the sub
+# definitions plus a handful of pure-constant globals (@itoa64, @weekday,
+# @month, @miniserv_argv). Everything else (%config, @roots, $datestr,
+# etc.) we populate ourselves.
+#
+# Each helper has its own `subtest`. Assertions target the contract
+# (status code present, headers present, redaction happened, round-trip
+# is identity, ...), not the exact wording, HTML, or formatting — those
+# are presentation and may change.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Basename qw(dirname);
+use File::Spec;
+
+my $script = File::Spec->rel2abs(
+	File::Spec->catfile(dirname(__FILE__), '..', 'miniserv.pl'));
+require $script;
+
+# Capture buffers populated by overridden I/O subs.
+our @written;
+our @errlog;
+our @reqlog;
+
+# Replace the subs that would otherwise touch SOCK, STDERR, the log file,
+# or read disk. Each capturing override is the minimum needed to keep
+# the subs under test runnable. `once` is suppressed because these
+# package globals are only ever written from this file.
+{
+	no warnings qw(redefine once);
+	*miniserv::write_data         = sub { push @written, join('', @_); };
+	*miniserv::write_keep_alive   = sub { };
+	*miniserv::log_error          = sub { push @errlog, join('', @_); };
+	*miniserv::log_request        = sub { push @reqlog, [@_]; };
+	*miniserv::embed_error_styles = sub { return ''; };
+	*miniserv::server_info        = sub { return 'MiniServ/test'; };
+	*miniserv::reset_byte_count   = sub { };
+	*miniserv::byte_count         = sub { return 0; };
+}
+
+{
+	no warnings 'once';
+	%miniserv::config   = ();
+	@miniserv::roots    = ('/tmp');
+	@miniserv::preroots = ();
+	$miniserv::datestr  = 'Sun, 01 Jan 2026 00:00:00 GMT';
+}
+
+# http_error
+#
+# Call http_error with capture buffers reset. noexit=1 is REQUIRED — the
+# real sub calls exit() otherwise. Warnings about SOCK (not a real socket)
+# and DEBUG (filehandle never opened in tests) are expected and filtered;
+# any other warning fails the test so real regressions stay visible.
+sub run_http_error {
+	my (%args) = @_;
+	@written = ();
+	@errlog  = ();
+	@reqlog  = ();
+	no warnings 'once';
+	local $miniserv::reqline  = $args{reqline};
+	local $miniserv::loghost  = $args{loghost};
+	local $miniserv::authuser = $args{authuser};
+
+	my @warnings;
+	local $SIG{__WARN__} = sub { push @warnings, $_[0]; };
+	miniserv::http_error(
+		$args{code}, $args{msg}, $args{body},
+		1,             # noexit
+		$args{noerr},
+	);
+
+	my @unexpected = grep { !/\b(?:SOCK|DEBUG)\b/ } @warnings;
+	is(scalar @unexpected, 0, 'no unexpected warnings from http_error')
+		or diag("unexpected warnings:\n", @unexpected);
+
+	return join('', @written);
+}
+
+subtest 'http_error' => sub {
+	# minimal call: code + message, no body, no reqline
+	# Assert on the contract, not the cosmetics: the status code, the
+	# presence of required headers, and that the caller's code + message
+	# reach the rendered page. Specific wording, header values, decoration
+	# (&mdash;), and class names are presentation and may change.
+	{
+		my $out = run_http_error(code => 404, msg => 'Not Found');
+
+		like($out, qr{^HTTP/1\.0 404\b},                      'status line carries 404');
+		like($out, qr{\r\nServer:\s+\S},                      'Server header present and non-empty');
+		like($out, qr{\r\nDate:\s+\S},                        'Date header present and non-empty');
+		like($out, qr{\r\nContent-type:\s*text/html\b.*\butf-?8\b}i, 'Content-type is HTML with utf-8 charset');
+		like($out, qr{<title>[^<]*404[^<]*</title>},          'title surfaces the code');
+		like($out, qr{<title>[^<]*Not Found[^<]*</title>},    'title surfaces the message');
+		like($out, qr{<h2\b[^>]*>[^<]*Not Found[^<]*</h2>},   'message appears in a heading');
+		unlike($out, qr{<p\b},                                'no paragraph emitted when body arg absent');
+
+		is(scalar @errlog, 1,                                 'log_error called once');
+		like($errlog[0], qr/Not Found/,                       'log_error received the caller message');
+		is(scalar @reqlog, 0,                                 'log_request skipped when reqline empty');
+	}
+
+	# body argument renders as a paragraph
+	{
+		my $out = run_http_error(code => 500, msg => 'Server Error', body => 'something broke');
+		like($out, qr{<p\b[^>]*>[^<]*\Qsomething broke\E[^<]*</p>}, 'body argument rendered in a paragraph');
+	}
+
+	# reqline triggers log_request
+	{
+		run_http_error(
+			code => 403, msg => 'Forbidden', body => 'no access',
+			reqline => 'GET /secret HTTP/1.0',
+			loghost => '127.0.0.1', authuser => 'bob',
+		);
+		is(scalar @reqlog, 1,                                 'log_request called when reqline is set');
+		is($reqlog[0][0], '127.0.0.1',                        'log_request host arg');
+		is($reqlog[0][1], 'bob',                              'log_request user arg');
+		is($reqlog[0][2], 'GET /secret HTTP/1.0',             'log_request request arg');
+		is($reqlog[0][3], 403,                                'log_request code arg');
+	}
+
+	# noerr suppresses log_error
+	{
+		run_http_error(code => 401, msg => 'Unauthorized', noerr => 1);
+		is(scalar @errlog, 0,                                 'log_error suppressed when noerr is true');
+	}
+
+	# error_handler config that points to a missing file falls through
+	# This exercises the early branch without triggering `goto rerun` (which
+	# only resolves inside handle_request).
+	{
+		local $miniserv::config{'error_handler'} = 'definitely-not-a-real-file.cgi';
+		my $out = run_http_error(code => 500, msg => 'Server Error');
+		like($out, qr{^HTTP/1\.0 500\b}, 'falls through to standard path when handler file missing');
+	}
+
+	# HTML scaffolding is balanced
+	{
+		my $out = run_http_error(code => 400, msg => 'Bad Request', body => 'oops');
+		for my $tag (qw(html head title body h2 p)) {
+			my $open  = () = $out =~ /<$tag\b[^>]*>/g;
+			my $close = () = $out =~ /<\/$tag>/g;
+			is($open, $close, "<$tag> tags balanced (open=$open, close=$close)");
+			cmp_ok($open, '>=', 1, "<$tag> appears at least once");
+		}
+		# Sanity-check element ordering: head before body, title inside head.
+		like($out, qr{<html>.*<head>.*<title>.*</title>.*</head>.*<body[^>]*>.*</body>\s*</html>}s,
+		     'top-level elements appear in the expected order');
+	}
+};
+
+# simplify_path — security-critical path canonicalization
+subtest 'simplify_path' => sub {
+	my $bogus;
+
+	is(miniserv::simplify_path('/foo/bar', $bogus), '/foo/bar', 'plain path passes through');
+	is($bogus, 0,                                                'plain path is not bogus');
+
+	is(miniserv::simplify_path('/foo/./bar', $bogus), '/foo/bar', '. segments collapse');
+	is(miniserv::simplify_path('/foo/../bar', $bogus), '/bar',     '.. segments pop');
+	is($bogus, 0,                                                  'in-bounds .. is not bogus');
+
+	miniserv::simplify_path('/../etc/passwd', $bogus);
+	is($bogus, 1, 'escaping above the root sets the bogus flag');
+
+	miniserv::simplify_path('/foo/../../bar', $bogus);
+	is($bogus, 1, 'multiple .. that overshoot set the bogus flag');
+
+	# Null bytes are stripped — relied on to prevent C-string truncation
+	# attacks downstream.
+	my $clean = miniserv::simplify_path("/foo\0bar/baz", $bogus);
+	unlike($clean, qr/\0/, 'null bytes are removed');
+
+	# Backslash separators get normalized to forward slashes.
+	is(miniserv::simplify_path('foo\\bar', $bogus), '/foo/bar', 'backslashes become forward slashes');
+
+	# Repeated slashes collapse.
+	is(miniserv::simplify_path('//foo///bar//', $bogus), '/foo/bar', 'repeated slashes collapse');
+};
+
+# b64encode / b64decode — round-trip is the contract
+subtest 'b64encode / b64decode round-trip' => sub {
+	for my $s ('a', 'ab', 'abc', 'hello world',
+		   "binary\x00\x01\xff bytes", 'x' x 100) {
+		is(miniserv::b64decode(miniserv::b64encode($s)), $s,
+		   "round-trip preserves ".length($s)." bytes");
+	}
+
+	# Output is restricted to the standard alphabet plus padding.
+	like(miniserv::b64encode('hello'), qr{^[A-Za-z0-9+/=]+$},
+	     'encoded output uses standard base64 alphabet');
+};
+
+# urlize — percent-encoding
+subtest 'urlize' => sub {
+	is(miniserv::urlize('abc123'), 'abc123',     'alphanumerics pass through');
+	is(miniserv::urlize(' '),      '%20',        'space percent-encoded');
+	is(miniserv::urlize('/'),      '%2F',        'slash percent-encoded');
+	like(miniserv::urlize('a b/c'), qr{^a%20b%2Fc$},
+	     'mixed string encodes non-alphanumerics, leaves alphanumerics alone');
+};
+
+# html_escape / html_strip — XSS-relevant
+subtest 'html_escape' => sub {
+	my $out = miniserv::html_escape(q{<script>alert("x")</script>'=&});
+	# Contract: none of the dangerous characters survive as themselves.
+	unlike($out, qr/[<>"'=]/,           'no raw HTML-significant characters remain');
+	unlike($out, qr/&(?!(amp|lt|gt|quot|#39|#61);)/,
+	     'every & is the start of a known entity');
+	# Alphanumerics pass through unchanged.
+	like(miniserv::html_escape('abc 123'), qr/\babc\b.*\b123\b/,
+	     'alphanumerics pass through unchanged');
+};
+
+subtest 'html_strip' => sub {
+	is(miniserv::html_strip('<b>foo</b>'),        'foo',     'simple tags removed');
+	is(miniserv::html_strip('<a href="x">y</a>'), 'y',       'attribute-bearing tags removed');
+	is(miniserv::html_strip('plain text'),        'plain text', 'plain text untouched');
+};
+
+# get_type — MIME lookup
+subtest 'get_type' => sub {
+	no warnings 'once';
+	local %miniserv::mime = (html => 'text/html', png => 'image/png');
+
+	is(miniserv::get_type('foo.html'),     'text/html',  'known extension returns its type');
+	is(miniserv::get_type('foo.png'),      'image/png',  'second known extension');
+	is(miniserv::get_type('foo.unknown'),  'text/plain', 'unknown extension falls back to text/plain');
+	is(miniserv::get_type('noextension'),  'text/plain', 'no extension falls back to text/plain');
+};
+
+# indexof — array index utility
+subtest 'indexof' => sub {
+	is(miniserv::indexof('b', 'a', 'b', 'c'), 1,  'returns 0-based index');
+	is(miniserv::indexof('a', 'a', 'b', 'c'), 0,  'first element matches');
+	is(miniserv::indexof('z', 'a', 'b', 'c'), -1, 'missing returns -1');
+	is(miniserv::indexof('x'),                -1, 'empty haystack returns -1');
+};
+
+# prefix_to_mask — CIDR prefix → dotted-quad netmask
+subtest 'prefix_to_mask' => sub {
+	is(miniserv::prefix_to_mask(0),  '0.0.0.0',         '/0 = all zeros');
+	is(miniserv::prefix_to_mask(8),  '255.0.0.0',       '/8');
+	is(miniserv::prefix_to_mask(16), '255.255.0.0',     '/16');
+	is(miniserv::prefix_to_mask(24), '255.255.255.0',   '/24');
+	is(miniserv::prefix_to_mask(32), '255.255.255.255', '/32 = all ones');
+};
+
+# check_ipaddress / check_ip6address — input validators
+subtest 'check_ipaddress' => sub {
+	ok( miniserv::check_ipaddress('1.2.3.4'),         'valid IPv4 accepted');
+	ok( miniserv::check_ipaddress('0.0.0.0'),         'all-zero IPv4 accepted');
+	ok( miniserv::check_ipaddress('255.255.255.255'), 'all-ones IPv4 accepted');
+	ok(!miniserv::check_ipaddress('256.0.0.1'),       'octet > 255 rejected');
+	ok(!miniserv::check_ipaddress('1.2.3'),           'too-few octets rejected');
+	ok(!miniserv::check_ipaddress('1.2.3.4.5'),       'too-many octets rejected');
+	ok(!miniserv::check_ipaddress(''),                'empty string rejected');
+	ok(!miniserv::check_ipaddress('not an ip'),       'garbage rejected');
+};
+
+subtest 'check_ip6address' => sub {
+	ok( miniserv::check_ip6address('::1'),                  'loopback accepted');
+	ok( miniserv::check_ip6address('2001:db8::1'),          'compressed form accepted');
+	ok( miniserv::check_ip6address('1:2:3:4:5:6:7:8'),      'full form accepted');
+	ok(!miniserv::check_ip6address('not an addr'),          'garbage rejected');
+	ok(!miniserv::check_ip6address('1:2:3:4:5:6:7:8:9'),    'too many groups rejected');
+	ok(!miniserv::check_ip6address('gggg::1'),              'non-hex rejected');
+};
+
+# canonicalize_ip6 / expand_ipv6_bytes
+subtest 'canonicalize_ip6' => sub {
+	my $c = miniserv::canonicalize_ip6('::1');
+	is($c, '0000:0000:0000:0000:0000:0000:0000:0001',
+	   '::1 expands to 8 zero-padded groups');
+
+	my $c2 = miniserv::canonicalize_ip6('2001:DB8::1');
+	is($c2, '2001:0db8:0000:0000:0000:0000:0000:0001',
+	   '2001:DB8::1 lower-cased and zero-expanded');
+
+	# Idempotency: running canonicalize on canonical input returns the same.
+	is(miniserv::canonicalize_ip6($c), $c, 'canonical form is idempotent');
+};
+
+subtest 'expand_ipv6_bytes' => sub {
+	my @bytes = miniserv::expand_ipv6_bytes(
+		miniserv::canonicalize_ip6('::1'));
+	is(scalar @bytes, 16, 'IPv6 expands to 16 bytes');
+	is($bytes[15],     1, 'low byte is 1 for ::1');
+	is($bytes[0],      0, 'high byte is 0 for ::1');
+};
+
+# is_bad_header — ShellShock guard
+subtest 'is_bad_header' => sub {
+	ok( miniserv::is_bad_header('() { :; }; echo pwned'), 'ShellShock-shaped value flagged');
+	ok( miniserv::is_bad_header('  () { x'),              'leading whitespace still flagged');
+	ok(!miniserv::is_bad_header('Mozilla/5.0'),           'plain value not flagged');
+	ok(!miniserv::is_bad_header('text/html'),             'plain value with no parens not flagged');
+};
+
+# is_mobile_useragent
+subtest 'is_mobile_useragent' => sub {
+	no warnings 'once';
+	local @miniserv::mobile_agents = ();
+
+	ok( miniserv::is_mobile_useragent('Mozilla/5.0 (iPhone; CPU iPhone OS)'),
+	    'iPhone UA detected');
+	ok( miniserv::is_mobile_useragent('Nokia6230/2.0'),
+	    'Nokia prefix detected');
+	ok( miniserv::is_mobile_useragent('Mozilla/5.0 (Linux; Android 10; Mobile)'),
+	    'Android-mobile regexp matched');
+	ok(!miniserv::is_mobile_useragent('Mozilla/5.0 (X11; Linux x86_64)'),
+	    'desktop Linux not flagged');
+	ok(!miniserv::is_mobile_useragent('curl/7.88.1'),
+	    'curl not flagged');
+};
+
+# http_date — RFC 1123 GMT date
+subtest 'http_date' => sub {
+	my $d = miniserv::http_date(0);
+	# 1970-01-01 00:00:00 GMT
+	like($d, qr/^Thu,\s+1\s+Jan\s+1970\s+00:00:00\s+GMT$/,
+	     'unix epoch formatted as RFC GMT date');
+
+	like(miniserv::http_date(time()),
+	     qr/^(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat),\s+\d{1,2}\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+GMT$/,
+	     'current time matches RFC GMT shape');
+};
+
+# split_userdb_string — userdb URI parser
+subtest 'split_userdb_string' => sub {
+	my @r = miniserv::split_userdb_string(
+		'mysql://admin:secret@db.example.com/webmin?ssl=1&port=3307');
+	is(scalar @r, 6, 'valid URI parses to 6 elements');
+	is($r[0], 'mysql',           'protocol');
+	is($r[1], 'admin',           'username');
+	is($r[2], 'secret',          'password');
+	is($r[3], 'db.example.com',  'host');
+	is($r[4], 'webmin',          'prefix');
+	is(ref($r[5]), 'HASH',       'args is a hashref');
+	is($r[5]->{ssl},  '1',       'ssl arg');
+	is($r[5]->{port}, '3307',    'port arg');
+
+	is_deeply([miniserv::split_userdb_string('not a url')], [],
+		  'unparseable input returns empty list');
+};
+
+# get_logged_sensitive_params / sanitise_logged_request
+subtest 'get_logged_sensitive_params' => sub {
+	no warnings 'once';
+	local %miniserv::config = ();
+
+	my @defaults = miniserv::get_logged_sensitive_params();
+	# Contract: default list covers the common sensitive param names.
+	for my $expected (qw(password pass passwd token api_key secret)) {
+		ok((grep { lc($_) eq $expected } @defaults),
+		   "default list contains '$expected'");
+	}
+
+	local $miniserv::config{'log_redact_params'} = 'mycustom, another';
+	my @plus = miniserv::get_logged_sensitive_params();
+	ok((grep { $_ eq 'mycustom' } @plus), 'log_redact_params adds custom name');
+	ok((grep { $_ eq 'another'  } @plus), 'log_redact_params is comma-separable');
+
+	# Dedup: configuring an existing default name does not duplicate.
+	local $miniserv::config{'log_redact_params'} = 'password';
+	my @dup = miniserv::get_logged_sensitive_params();
+	my @pw  = grep { lc($_) eq 'password' } @dup;
+	is(scalar @pw, 1, 'duplicate of default name is deduplicated');
+};
+
+subtest 'sanitise_logged_request' => sub {
+	no warnings 'once';
+	local %miniserv::config = ();
+
+	my $req = 'GET /login?user=alice&password=hunter2 HTTP/1.1';
+	my $out = miniserv::sanitise_logged_request($req);
+
+	unlike($out, qr/hunter2/,    'sensitive value removed');
+	like  ($out, qr/user=alice/, 'non-sensitive param preserved');
+	like  ($out, qr{^GET\s+/login\?.*HTTP/1\.1$}, 'request line shape preserved');
+
+	# Multiple sensitive params on one line.
+	my $multi = 'GET /x?token=abc&api_key=def&q=keep HTTP/1.0';
+	my $mout  = miniserv::sanitise_logged_request($multi);
+	unlike($mout, qr/abc/, 'token value removed');
+	unlike($mout, qr/def/, 'api_key value removed');
+	like  ($mout, qr/q=keep/, 'non-sensitive value preserved');
+
+	# Custom redacted param from config.
+	local $miniserv::config{'log_redact_params'} = 'sessionid';
+	my $custom = miniserv::sanitise_logged_request(
+		'GET /x?sessionid=zzz HTTP/1.1');
+	unlike($custom, qr/zzz/, 'custom-configured param value removed');
+
+	# Undef input survives.
+	is(miniserv::sanitise_logged_request(undef), undef,
+	   'undef input passes through');
+
+	# Non-request strings pass through unchanged.
+	is(miniserv::sanitise_logged_request('not a request line'),
+	   'not a request line',
+	   'non-request input passes through unchanged');
+};
+
+# matches_cron
+subtest 'matches_cron' => sub {
+	ok( miniserv::matches_cron('*',     5, 0), '* matches anything');
+	ok( miniserv::matches_cron('5',     5, 0), 'exact match');
+	ok(!miniserv::matches_cron('6',     5, 0), 'mismatch returns false');
+	ok( miniserv::matches_cron('1,5,9', 5, 0), 'comma list match');
+	ok(!miniserv::matches_cron('1,9',   5, 0), 'comma list miss');
+	ok( miniserv::matches_cron('1-10',  5, 0), 'range match');
+	ok(!miniserv::matches_cron('1-4',   5, 0), 'range miss');
+	ok( miniserv::matches_cron('*/5',  10, 0), 'step match');
+	ok(!miniserv::matches_cron('*/5',   7, 0), 'step miss');
+};
+
+# ip_match — host-based ACL matching (IPv4 only, no DNS branches)
+subtest 'ip_match' => sub {
+	no warnings 'once';
+	local %miniserv::ip_match_cache = ();
+
+	# ip_match rewrites $_[N] in place when converting CIDR to netmask,
+	# so each rule must be passed as a scalar — not a string literal.
+	my $check = sub {
+		my ($remote, $local, @rules) = @_;
+		return miniserv::ip_match($remote, $local, @rules);
+	};
+
+	my $exact_match_rule    = '1.2.3.4';
+	my $exact_miss_rule     = '1.2.3.5';
+	my $cidr_match_rule     = '1.2.3.0/24';
+	my $cidr_miss_rule      = '1.2.4.0/24';
+	my $netmask_rule        = '10.0.0.0/255.0.0.0';
+	my $range_rule          = '1.2.3.5-1.2.3.15';
+	my $partial_rule        = '1.2.3';
+	my $multi_miss_rule     = '9.9.9.9';
+	my $multi_match_rule    = '1.2.3.4';
+
+	# Exact match.
+	ok( $check->('1.2.3.4', '5.6.7.8', $exact_match_rule),
+	    'exact IPv4 match');
+	ok(!$check->('1.2.3.4', '5.6.7.8', $exact_miss_rule),
+	    'one-off IPv4 mismatch');
+
+	# CIDR.
+	ok( $check->('1.2.3.4', '5.6.7.8', $cidr_match_rule),
+	    'CIDR /24 match');
+	ok(!$check->('1.2.3.4', '5.6.7.8', $cidr_miss_rule),
+	    'CIDR /24 miss');
+
+	# Netmask form.
+	ok( $check->('10.0.0.5', '5.6.7.8', $netmask_rule),
+	    'netmask form match');
+
+	# Range form.
+	ok( $check->('1.2.3.10', '5.6.7.8', $range_rule),
+	    'range form match');
+	ok(!$check->('1.2.3.20', '5.6.7.8', $range_rule),
+	    'range form miss');
+
+	# Partial address.
+	ok( $check->('1.2.3.4', '5.6.7.8', $partial_rule),
+	    'partial address /24-equivalent match');
+
+	# Multiple rules: any match wins.
+	ok( $check->('1.2.3.4', '5.6.7.8', $multi_miss_rule, $multi_match_rule),
+	    'second rule matches when first does not');
+};
+
+# users_match — user-list matching (username branch only; the range
+# branch references a different `@uinfo` global and the group branch
+# calls getgrnam, so we test only the contract we'd refactor against).
+subtest 'users_match (username branch)' => sub {
+	my $uinfo = ['alice', 'x', 1000, 1000];
+
+	ok( miniserv::users_match($uinfo, 'alice'),         'matching username returns true');
+	ok( miniserv::users_match($uinfo, 'bob', 'alice'),  'matches against any in the list');
+	ok(!miniserv::users_match($uinfo, 'bob', 'carol'),  'no match returns false');
+	ok(!miniserv::users_match($uinfo),                  'empty user list returns false');
+};
+
+# websocket origin parsing — security-critical for CSWSH prevention
+subtest 'normalise_websocket_origin' => sub {
+	is(miniserv::normalise_websocket_origin('http',  'example.com', 80),
+	   'http://example.com',          'default port 80 dropped for http');
+	is(miniserv::normalise_websocket_origin('https', 'example.com', 443),
+	   'https://example.com',         'default port 443 dropped for https');
+	is(miniserv::normalise_websocket_origin('http',  'example.com', 8080),
+	   'http://example.com:8080',     'non-default port kept');
+	is(miniserv::normalise_websocket_origin('HTTP',  'Example.COM', 80),
+	   'http://example.com',          'scheme and host lower-cased');
+	is(miniserv::normalise_websocket_origin('http',  '[::1]',       8080),
+	   'http://[::1]:8080',           'bracketed IPv6 host preserved');
+	is(miniserv::normalise_websocket_origin('http',  '',            80), undef,
+	   'empty host returns undef');
+	is(miniserv::normalise_websocket_origin('',      'example.com', 80), undef,
+	   'empty scheme returns undef');
+};
+
+subtest 'parse_websocket_origin' => sub {
+	is(miniserv::parse_websocket_origin('http://example.com'),
+	   'http://example.com',           'plain origin');
+	is(miniserv::parse_websocket_origin('https://example.com:8443'),
+	   'https://example.com:8443',     'origin with port');
+	is(miniserv::parse_websocket_origin('http://[2001:db8::1]:80'),
+	   'http://[2001:db8::1]',         'IPv6 with default port stripped');
+	is(miniserv::parse_websocket_origin(undef),  undef, 'undef rejected');
+	is(miniserv::parse_websocket_origin(''),     undef, 'empty rejected');
+	is(miniserv::parse_websocket_origin('null'), undef, 'literal "null" rejected');
+	is(miniserv::parse_websocket_origin('ftp://example.com'), undef,
+	   'non-http(s) scheme rejected');
+	is(miniserv::parse_websocket_origin('not a url'), undef,
+	   'garbage rejected');
+};
+
+subtest 'parse_configured_websocket_origin' => sub {
+	is(miniserv::parse_configured_websocket_origin('ws://example.com'),
+	   'http://example.com',  'ws:// normalized to http://');
+	is(miniserv::parse_configured_websocket_origin('wss://example.com'),
+	   'https://example.com', 'wss:// normalized to https://');
+	is(miniserv::parse_configured_websocket_origin('http://example.com'),
+	   'http://example.com',  'http:// passes through');
+};
+
+subtest 'forwarded_websocket_origin' => sub {
+	is(miniserv::forwarded_websocket_origin('http', 'example.com', 8080),
+	   'http://example.com:8080', 'direct args');
+
+	# Comma-separated forwarded headers: take the first.
+	is(miniserv::forwarded_websocket_origin('http, https', 'a.com, b.com', 80),
+	   'http://a.com', 'first comma-separated value used');
+
+	# Host header that embeds a port.
+	is(miniserv::forwarded_websocket_origin('http', 'example.com:8080', undef),
+	   'http://example.com:8080', 'port embedded in host arg extracted');
+
+	# Bracketed IPv6 host with port.
+	is(miniserv::forwarded_websocket_origin('http', '[::1]:8080', undef),
+	   'http://[::1]:8080', 'bracketed IPv6 host+port handled');
+
+	is(miniserv::forwarded_websocket_origin(undef, 'example.com', 80),
+	   undef, 'missing proto returns undef');
+	is(miniserv::forwarded_websocket_origin('http', undef, 80),
+	   undef, 'missing host returns undef');
+};
+
+# ssl_hostname_match — wildcard cert matching
+subtest 'ssl_hostname_match' => sub {
+	is(miniserv::ssl_hostname_match('example.com',  ['example.com']),    1,
+	   'exact match');
+	is(miniserv::ssl_hostname_match('Example.COM',  ['example.com']),    1,
+	   'case-insensitive');
+	is(miniserv::ssl_hostname_match('foo.example.com', ['*.example.com']), 1,
+	   'wildcard subdomain match');
+	is(miniserv::ssl_hostname_match('example.com',  ['*.example.com']),  1,
+	   'wildcard accepts apex too');
+	is(miniserv::ssl_hostname_match('other.com',    ['example.com']),    0,
+	   'no match returns 0');
+	is(miniserv::ssl_hostname_match('anything.tld', ['*']),              2,
+	   'bare * returns 2');
+	is(miniserv::ssl_hostname_match('example.com:8443', ['example.com']), 1,
+	   ':port suffix is stripped before matching');
+};
+
+# Capability probes used by the crypto subtests below. miniserv.pl's
+# detection logic runs inside its `unless(caller)` block, so when we load
+# it as a module the $use_md5 / $use_sha512 / $use_hmac_sha256 globals are
+# undef. Recreate them here from the same probes miniserv.pl uses itself.
+my $have_md5 = eval {
+	require Digest::MD5;
+	Digest::MD5->new->add('x');
+	'Digest::MD5';
+	};
+my $have_sha512 = miniserv::unix_crypt_supports_sha512() ? 1 : 0;
+my $have_hmac   = eval {
+	require Digest::SHA;
+	Digest::SHA::hmac_sha256_hex('x', 'y');
+	1;
+	};
+
+# to64 — itoa64 base64-style encoder used by encrypt_md5
+#
+# Indexes into @itoa64 ("./0123456789A-Za-z"). Output is exactly $n chars;
+# input is processed 6 bits at a time, low bits first.
+subtest 'to64' => sub {
+	is(miniserv::to64(0,  1), '.', 'index 0 → .');
+	is(miniserv::to64(1,  1), '/', 'index 1 → /');
+	is(miniserv::to64(2,  1), '0', 'index 2 → 0');
+	is(miniserv::to64(63, 1), 'z', 'index 63 → z (last alphabet char)');
+
+	is(length(miniserv::to64(0,        4)), 4, 'output length = requested digits');
+	is(length(miniserv::to64(0xffffff, 4)), 4, 'output length is constant, not entropy-dependent');
+
+	like(miniserv::to64(0xabcdef, 4), qr{^[./0-9A-Za-z]{4}$},
+	     'output uses only the itoa64 alphabet');
+
+	# 0x3f occupies the low 6 bits → first char z, remaining shifts → dots.
+	is(miniserv::to64(0x3f, 4), 'z...', 'low-bits-first ordering');
+};
+
+# encrypt_md5 — $1$ MD5-crypt
+#
+# Security-critical: this hashes user passwords. Contract we pin:
+#   - salt is preserved verbatim in the output
+#   - hash body is 22 itoa64 chars
+#   - deterministic for the same input
+#   - passing a full $1$salt$hash form re-extracts the salt (verification)
+#   - a different password produces a different hash
+subtest 'encrypt_md5' => sub {
+	plan skip_all => 'Digest::MD5 not available' if !$have_md5;
+	no warnings 'once';
+	local $miniserv::use_md5 = $have_md5;
+
+	my $h = miniserv::encrypt_md5('password', 'abcdefgh');
+	like($h, qr{^\$1\$abcdefgh\$[./0-9A-Za-z]{22}$},
+	     '$1$<salt>$<22-char hash> shape');
+	is(miniserv::encrypt_md5('password', 'abcdefgh'), $h, 'deterministic');
+	is(miniserv::encrypt_md5('password', $h),         $h,
+	   'salt re-extracted from $1$salt$hash form (verification round-trip)');
+	isnt(miniserv::encrypt_md5('wrong', $h), $h,
+	     'different password → different hash');
+
+	# No-salt form skips the iteration loop and returns just the body.
+	my $bare = miniserv::encrypt_md5('password');
+	unlike($bare, qr{\$}, 'no-salt form has no $-prefix');
+	like  ($bare, qr{^[./0-9A-Za-z]+$}, 'no-salt form uses itoa64 alphabet');
+};
+
+# unix_crypt — thin wrapper over libc crypt (or Crypt::UnixCrypt)
+subtest 'unix_crypt' => sub {
+	no warnings 'once';
+	local $miniserv::use_perl_crypt;
+	my $h = miniserv::unix_crypt('password', 'xy');
+	is(length($h), 13, 'classic DES crypt output is 13 chars');
+	like($h, qr{^xy}, 'salt is the prefix of the output');
+	is  (miniserv::unix_crypt('password', $h), $h, 'verification round-trip');
+	isnt(miniserv::unix_crypt('wrong',    $h), $h, 'wrong password → different hash');
+};
+
+# unix_crypt_supports_sha512 — capability probe used at startup
+subtest 'unix_crypt_supports_sha512' => sub {
+	my $r = miniserv::unix_crypt_supports_sha512();
+	ok(defined($r),           'returns a defined value');
+	ok($r == 0 || $r == 1,    'returns 0 or 1');
+};
+
+# encrypt_sha512 — $6$ SHA512-crypt via libc crypt()
+subtest 'encrypt_sha512' => sub {
+	plan skip_all => 'crypt() does not support SHA512 on this system'
+		if !$have_sha512;
+
+	my $h = miniserv::encrypt_sha512('password', '$6$testtest$');
+	like($h, qr{^\$6\$testtest\$}, '$6$<salt>$ prefix preserved');
+	cmp_ok(length($h), '>', 50,
+	       'SHA512 output is much longer than DES (DES is 13 chars)');
+
+	is  (miniserv::encrypt_sha512('password', $h), $h,
+	     'deterministic for same (password, salt) — verification round-trip');
+	isnt(miniserv::encrypt_sha512('wrong', $h), $h,
+	     'different password → different hash');
+	like(miniserv::encrypt_sha512('password'), qr{^\$6\$},
+	     'no-salt path synthesises $6$ salt');
+};
+
+# password_crypt — verifies a stored hash by recomputing
+#
+# The salt parameter doubles as the expected output: the caller passes the
+# stored hash, and password_crypt returns the recomputed hash. Equality means
+# "password matches". A non-$1$/$6$ salt (or unsupported module) falls through
+# to plain crypt().
+subtest 'password_crypt' => sub {
+	no warnings 'once';
+	local $miniserv::use_md5    = $have_md5;
+	local $miniserv::use_sha512 = $have_sha512;
+	local $miniserv::use_perl_crypt;
+
+	SKIP: {
+		skip 'Digest::MD5 not available', 2 if !$have_md5;
+		my $stored = miniserv::encrypt_md5('hunter2', 'abcdefgh');
+		is  (miniserv::password_crypt('hunter2', $stored), $stored,
+		     '$1$ stored hash + correct password verifies');
+		isnt(miniserv::password_crypt('wrong',   $stored), $stored,
+		     '$1$ stored hash + wrong password does not verify');
+	}
+
+	SKIP: {
+		skip 'SHA512 crypt not available', 2 if !$have_sha512;
+		my $stored = miniserv::encrypt_sha512('hunter2', '$6$testtest$');
+		is  (miniserv::password_crypt('hunter2', $stored), $stored,
+		     '$6$ stored hash + correct password verifies');
+		isnt(miniserv::password_crypt('wrong',   $stored), $stored,
+		     '$6$ stored hash + wrong password does not verify');
+	}
+
+	# 2-char salt → DES fallback (no $1$/$6$ branch taken).
+	my $des = miniserv::unix_crypt('hunter2', 'xy');
+	is(miniserv::password_crypt('hunter2', $des), $des,
+	   'DES stored hash + correct password verifies');
+};
+
+# hash_session_id — three independent code paths, picked by which crypto
+# globals are set. Each branch gets its own subtest so the cache and globals
+# can be reset cleanly via `local`.
+
+subtest 'hash_session_id (HMAC-SHA256 branch)' => sub {
+	plan skip_all => 'Digest::SHA hmac_sha256_hex not available' if !$have_hmac;
+	no warnings 'once';
+	local $miniserv::use_hmac_sha256        = 1;
+	local $miniserv::session_hmac_key       = 'a' x 32;
+	local %miniserv::hash_session_id_cache  = ();
+
+	my $h = miniserv::hash_session_id('sess123');
+	like($h, qr{^[0-9a-f]{64}$}, 'HMAC-SHA256 hex output: 64 hex chars');
+	is  (miniserv::hash_session_id('sess123'), $h,
+	     'second call for same sid is cached (and stable)');
+	isnt(miniserv::hash_session_id('other'), $h,
+	     'different sid → different hash');
+
+	# Different key must change the hash for the same input.
+	%miniserv::hash_session_id_cache = ();
+	local $miniserv::session_hmac_key = 'b' x 32;
+	isnt(miniserv::hash_session_id('sess123'), $h,
+	     'different HMAC key → different hash for the same sid');
+};
+
+subtest 'hash_session_id (MD5 branch)' => sub {
+	plan skip_all => 'Digest::MD5 not available' if !$have_md5;
+	no warnings 'once';
+	local $miniserv::use_hmac_sha256       = 0;
+	local $miniserv::session_hmac_key      = undef;
+	local $miniserv::use_md5               = $have_md5;
+	local %miniserv::hash_session_id_cache = ();
+
+	my $h = miniserv::hash_session_id('sess123');
+	like($h, qr{^[./0-9A-Za-z]{22}$},
+	     'MD5 (no-salt) form: 22 itoa64 chars');
+	is(miniserv::hash_session_id('sess123'), $h, 'cached on second call');
+};
+
+subtest 'hash_session_id (unix_crypt fallback)' => sub {
+	no warnings 'once';
+	local $miniserv::use_hmac_sha256       = 0;
+	local $miniserv::session_hmac_key      = undef;
+	local $miniserv::use_md5               = undef;
+	local %miniserv::hash_session_id_cache = ();
+
+	my $h = miniserv::hash_session_id('sess123');
+	is(length($h), 13, 'DES crypt fallback is 13 chars');
+	is(miniserv::hash_session_id('sess123'), $h, 'cached on second call');
+};
+
+# generate_random_id — session ID generator
+#
+# Two paths: /dev/urandom (preferred) and a rand()-based fallback. The
+# fallback should still produce a 32-char lowercase hex string. With
+# force_urandom=1 and /dev/urandom marked bad, the function must return
+# undef rather than fall back silently.
+subtest 'generate_random_id' => sub {
+	no warnings 'once';
+
+	# Fallback path: pretend /dev/urandom is unusable, allow fallback.
+	{
+		local $miniserv::bad_urandom = 1;
+		my $sid = miniserv::generate_random_id();
+		like($sid, qr{^[0-9a-f]{32}$}, 'fallback produces 32-char lowercase hex id');
+		isnt(miniserv::generate_random_id(), $sid,
+		     'two fallback calls produce different ids');
+	}
+
+	# /dev/urandom path, when available.
+	SKIP: {
+		skip '/dev/urandom not readable', 1 if !-r '/dev/urandom';
+		local $miniserv::bad_urandom = 0;
+		my $sid = miniserv::generate_random_id();
+		like($sid, qr{^[0-9a-f]{32}$},
+		     '/dev/urandom path produces 32-char lowercase hex id');
+	}
+
+	# force_urandom=1 + bad_urandom → no fallback, returns undef.
+	{
+		local $miniserv::bad_urandom = 1;
+		is(miniserv::generate_random_id(1), undef,
+		   'force_urandom=1 with bad_urandom returns undef (no silent fallback)');
+	}
+};
+
+# check_user_time — login allowed by current date/time?
+#
+# Pure logic over a $uinfo hashref once get_user_details is stubbed. We
+# anchor allow-window tests around the current minute-of-day so they pass
+# regardless of when the suite runs.
+subtest 'check_user_time' => sub {
+	no warnings qw(redefine once);
+	my $uinfo;
+	local *miniserv::get_user_details = sub { $uinfo };
+
+	# Unknown user → allowed (returns 1 early).
+	$uinfo = undef;
+	ok(miniserv::check_user_time('alice'), 'unknown user → allowed');
+
+	# Known user with no restrictions → allowed.
+	$uinfo = { 'name' => 'alice' };
+	ok(miniserv::check_user_time('alice'),
+	   'user with no allowdays/allowhours → allowed');
+
+	my @tm = localtime(time());
+	my $today     = $tm[6];
+	my $not_today = ($today + 3) % 7;
+	my $now_min   = $tm[2] * 60 + $tm[1];
+
+	$uinfo = { 'allowdays' => [$today] };
+	ok(miniserv::check_user_time('alice'), 'current weekday in allowdays → allowed');
+
+	$uinfo = { 'allowdays' => [$not_today] };
+	ok(!miniserv::check_user_time('alice'), 'current weekday not in allowdays → denied');
+
+	# Build a window that contains $now_min and is clamped to [0, 1439]
+	# so we never depend on negative bounds happening to compare correctly.
+	my $in_lo = $now_min >= 5    ? $now_min - 5 : 0;
+	my $in_hi = $now_min <= 1434 ? $now_min + 5 : 1439;
+	$uinfo = { 'allowhours' => [$in_lo, $in_hi] };
+	ok(miniserv::check_user_time('alice'), 'current time inside allowhours window → allowed');
+
+	# A fixed window strictly disjoint from $now_min and entirely within
+	# [0, 1439]. Pick the half-day opposite the current time: morning →
+	# evening window, afternoon/night → early-morning window. Either way
+	# the window cannot contain $now_min, and the bounds stay valid.
+	my ($out_lo, $out_hi) = $now_min < 720
+				? (1380, 1430)   # 23:00–23:50
+				: (10,   60);    # 00:10–01:00
+	$uinfo = { 'allowhours' => [$out_lo, $out_hi] };
+	ok(!miniserv::check_user_time('alice'),
+	   'current time outside allowhours window → denied');
+};
+
+# check_user_ip — login allowed from current remote IP?
+#
+# Same shape as check_user_time: stub get_user_details, set $acptip and
+# $localip (package globals that handle_request normally `local`-izes).
+subtest 'check_user_ip' => sub {
+	no warnings qw(redefine once);
+	my $uinfo;
+	local *miniserv::get_user_details = sub { $uinfo };
+	local %miniserv::ip_match_cache   = ();
+	local $miniserv::acptip           = '1.2.3.4';
+	local $miniserv::localip          = '5.6.7.8';
+
+	$uinfo = undef;
+	ok(miniserv::check_user_ip('alice'), 'unknown user → allowed');
+
+	$uinfo = { 'name' => 'alice' };
+	ok(miniserv::check_user_ip('alice'),
+	   'no allow or deny list → allowed');
+
+	my $deny_match = '1.2.3.4';
+	my $deny_miss  = '9.9.9.9';
+	my $allow_match = '1.2.3.4';
+	my $allow_miss  = '9.9.9.9';
+
+	$uinfo = { 'name' => 'alice', 'deny' => [ $deny_match ] };
+	ok(!miniserv::check_user_ip('alice'), 'deny list matches remote → denied');
+
+	$uinfo = { 'name' => 'alice', 'deny' => [ $deny_miss ] };
+	ok(miniserv::check_user_ip('alice'), 'deny list does not match → allowed');
+
+	$uinfo = { 'name' => 'alice', 'allow' => [ $allow_match ] };
+	ok(miniserv::check_user_ip('alice'), 'allow list matches remote → allowed');
+
+	$uinfo = { 'name' => 'alice', 'allow' => [ $allow_miss ] };
+	ok(!miniserv::check_user_ip('alice'), 'allow list does not match → denied');
+};
+
+# is_group_member — primary-gid match OR membership in /etc/group
+#
+# We pin the contract using the current process's own primary group, which
+# is guaranteed to exist on any system that runs the test suite.
+subtest 'is_group_member' => sub {
+	my @pw = getpwuid($<);
+	plan skip_all => 'cannot resolve current user via getpwuid' if !@pw;
+	my $primary_gid = $pw[3];
+	my @gr = getgrgid($primary_gid);
+	plan skip_all => 'cannot resolve current primary gid via getgrgid' if !@gr;
+	my $primary_group = $gr[0];
+
+	# uinfo[3] == primary gid → match regardless of group's member list.
+	my $uinfo_match = ['test-user', 'x', 99999, $primary_gid];
+	ok(miniserv::is_group_member($uinfo_match, $primary_group),
+	   'primary gid match → member');
+
+	# Nonexistent group → 0.
+	ok(!miniserv::is_group_member($uinfo_match,
+	    '__definitely_not_a_real_group_xyzzy__'),
+	   'nonexistent group → not a member');
+
+	# A user that's neither in the group's member list nor sharing its gid.
+	my $other_group;
+	my $other_gid;
+	setgrent();
+	while (my @g = getgrent()) {
+		next if $g[2] == $primary_gid;
+		# Skip groups our synthetic user happens to be "in"
+		next if $g[3] =~ /\bdefinitely-not-in-this-group-xyzzy\b/;
+		$other_group = $g[0];
+		$other_gid   = $g[2];
+		last;
+		}
+	endgrent();
+	SKIP: {
+		skip 'no second group available on this system', 1 if !$other_group;
+		my $alien = ['definitely-not-in-this-group-xyzzy', 'x', 99999, 99999];
+		ok(!miniserv::is_group_member($alien, $other_group),
+		   'gid mismatch + not in member list → not a member');
+	}
+};
+
+# matches_cron — combined range/step (the `1-10/2` branch is not covered above)
+subtest 'matches_cron (range/step)' => sub {
+	ok( miniserv::matches_cron('2-10/2',  4, 0), 'inside range, divisible by step → match');
+	ok(!miniserv::matches_cron('2-10/2',  3, 0), 'inside range, indivisible → miss');
+	ok(!miniserv::matches_cron('2-10/2', 12, 0), 'outside range → miss');
+	ok( miniserv::matches_cron('0-30/15', 15, 0), 'step matches at boundary');
+};
+
+# indexof — duplicate / undef handling
+subtest 'indexof (extras)' => sub {
+	# Duplicates: first hit wins.
+	is(miniserv::indexof('a', 'a', 'b', 'a'), 0,
+	   'duplicate needle returns first index');
+	# Numeric needle compared with `eq` to a string element.
+	is(miniserv::indexof(1, '0', '1', '2'), 1,
+	   'numeric needle matches stringwise');
+};
+
+# get_type — the regex is /\.([A-z0-9]+)$/ — `[A-z]` covers more than letters.
+subtest 'get_type (extras)' => sub {
+	no warnings 'once';
+	local %miniserv::mime = (HTML => 'text/html-upper');
+	# Extension lookup is case-sensitive (the hash key wins or loses literally).
+	is(miniserv::get_type('foo.HTML'), 'text/html-upper',
+	   'extension hash lookup is case-sensitive');
+	is(miniserv::get_type('foo.html'), 'text/plain',
+	   'differently-cased miss falls back to text/plain');
+	# Empty extension — pattern needs at least one char after the dot.
+	is(miniserv::get_type('foo.'), 'text/plain',
+	   'empty extension falls through');
+};
+
+# is_mobile_useragent — config-driven `@mobile_agents` extension list
+subtest 'is_mobile_useragent (config-driven extras)' => sub {
+	no warnings 'once';
+	local @miniserv::mobile_agents = ('MyCustomBrowser');
+
+	ok( miniserv::is_mobile_useragent('Foo MyCustomBrowser/1.0'),
+	    'config-supplied substring matches');
+	ok(!miniserv::is_mobile_useragent('Foo OtherBrowser/1.0'),
+	    'unrelated UA still not flagged');
+	# Text-mode browsers (Lynx, Links) are in the hard-coded prefix list.
+	ok(miniserv::is_mobile_useragent('Lynx/2.8.9rel.1'), 'Lynx prefix flagged');
+	ok(miniserv::is_mobile_useragent('Links (2.21; Linux)'), 'Links prefix flagged');
+};
+
+# urlize — high-bit / control-character behaviour
+subtest 'urlize (extras)' => sub {
+	# Non-ASCII bytes — must be percent-encoded.
+	my $out = miniserv::urlize("\xc3\xa9");        # UTF-8 'é'
+	like($out, qr/^%[0-9A-Fa-f]{2}%[0-9A-Fa-f]{2}$/,
+	     'high-bit UTF-8 bytes are percent-encoded');
+	# Control characters.
+	is(miniserv::urlize("\n"), '%0A', 'newline encoded');
+	is(miniserv::urlize("\t"), '%09', 'tab encoded');
+};
+
+# simplify_path — additional adversarial inputs
+subtest 'simplify_path (extras)' => sub {
+	my $bogus;
+	# An empty string normalises to a bare slash.
+	is(miniserv::simplify_path('', $bogus), '/', 'empty string → /');
+	# A trailing slash is preserved? Run it and pin whatever the contract is.
+	is(miniserv::simplify_path('/foo/', $bogus), '/foo',
+	   'trailing slash collapses');
+	# ".." mixed with concrete segments collapses correctly.
+	is(miniserv::simplify_path('/a/b/c/../../d', $bogus), '/a/d',
+	   'multiple .. pop the right number of segments');
+	is($bogus, 0, '.. that stays in-bounds is not bogus');
+};
+
+# make_datestr — log timestamp format
+subtest 'make_datestr' => sub {
+	no warnings 'once';
+	local @miniserv::month = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
+	local $miniserv::timezone = '+0000';
+
+	my $d = miniserv::make_datestr();
+	# Format: DD/Mon/YYYY:HH:MM:SS +0000 (Apache combined-log shape).
+	like($d, qr{^\d{2}/(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/\d{4}:\d{2}:\d{2}:\d{2}\s\+0000$},
+	     'datestr matches Apache combined-log shape');
+};
+
+# getenv — case-insensitive env var lookup
+subtest 'getenv' => sub {
+	local %ENV = (FOO => 'upper', bar => 'lower');
+	is(miniserv::getenv('foo'), 'upper', 'lc lookup finds uc-set var');
+	is(miniserv::getenv('FOO'), 'upper', 'uc lookup finds uc-set var');
+	is(miniserv::getenv('BAR'), 'lower', 'uc lookup falls through to lc-set var');
+	is(miniserv::getenv('bar'), 'lower', 'lc lookup finds lc-set var');
+	is(miniserv::getenv('missing'), undef, 'missing var returns undef');
+};
+
+# should_gzip_file — content-type-class allow/deny
+subtest 'should_gzip_file' => sub {
+	ok( miniserv::should_gzip_file('foo.html'), 'html → gzip ok');
+	ok( miniserv::should_gzip_file('foo.css'),  'css → gzip ok');
+	ok( miniserv::should_gzip_file('foo.js'),   'js → gzip ok');
+	ok( miniserv::should_gzip_file('noext'),    'no extension → gzip ok');
+	ok(!miniserv::should_gzip_file('foo.png'),  'png skipped');
+	ok(!miniserv::should_gzip_file('foo.jpg'),  'jpg skipped');
+	ok(!miniserv::should_gzip_file('foo.JPEG'), 'JPEG (uppercase) skipped');
+	ok(!miniserv::should_gzip_file('foo.tif'),  'tif skipped');
+};
+
+# get_expires_time — per-path expiry table with default fallback
+subtest 'get_expires_time' => sub {
+	no warnings 'once';
+	local @miniserv::expires_paths = (
+		[ '\.css$', 3600  ],
+		[ '\.js$',  86400 ],
+		);
+	local %miniserv::config = ('expires' => 60);
+
+	is(miniserv::get_expires_time('/x.css'), 3600,
+	   'matching regexp → its expiry');
+	is(miniserv::get_expires_time('/x.js'),  86400,
+	   'second matching regexp → its expiry');
+	is(miniserv::get_expires_time('/x.html'), 60,
+	   'no match → falls back to config{expires}');
+	# Case-insensitivity is part of the contract (path !~ /$re/i).
+	is(miniserv::get_expires_time('/X.CSS'), 3600,
+	   'regexp match is case-insensitive');
+};
+
+# network_to_address — inet_ntoa / inet_ntop dispatch
+subtest 'network_to_address' => sub {
+	no warnings 'once';
+
+	# 4-byte input always uses inet_ntoa, regardless of $use_ipv6.
+	{
+		local $miniserv::use_ipv6 = 0;
+		is(miniserv::network_to_address(pack("CCCC", 1, 2, 3, 4)),
+		   '1.2.3.4', 'IPv4 bytes formatted via inet_ntoa');
+	}
+
+	# 16-byte input with IPv6 enabled → inet_ntop. miniserv.pl normally
+	# imports inet_ntop via Socket6 (loaded under `eval` at startup); in the
+	# module-load path it may not be bound, so glob it in for the test.
+	SKIP: {
+		eval { require Socket; Socket->import(qw(AF_INET6 inet_ntop inet_pton)); };
+		skip 'Socket lacks IPv6 helpers', 1 if $@;
+		no warnings 'redefine';
+		local *miniserv::inet_ntop = \&Socket::inet_ntop;
+		local $miniserv::use_ipv6 = 1;
+		my $packed = Socket::inet_pton(Socket::AF_INET6(), '::1');
+		is(miniserv::network_to_address($packed), '::1',
+		   'IPv6 bytes formatted via inet_ntop');
+	}
+};
+
+# to_ipaddress — pattern shortcuts that skip DNS
+subtest 'to_ipaddress (pattern shortcuts)' => sub {
+	# IPv4 literal: returned verbatim.
+	is(miniserv::to_ipaddress('1.2.3.4'), '1.2.3.4',
+	   'IPv4 literal short-circuits');
+	# Hostname-glob pattern: returned verbatim.
+	is(miniserv::to_ipaddress('*.example.com'), '*.example.com',
+	   'wildcard hostname pattern short-circuits');
+	# 'LOCAL' literal: returned verbatim.
+	is(miniserv::to_ipaddress('LOCAL'), 'LOCAL',
+	   'LOCAL keyword short-circuits');
+	# CIDR pattern: returned verbatim.
+	is(miniserv::to_ipaddress('10.0.0.0/8'), '10.0.0.0/8',
+	   'CIDR pattern short-circuits');
+};
+
+# ip_match — additional branches: LOCAL, IPv6 exact, IPv6 CIDR, hostname-glob miss
+subtest 'ip_match (extra branches)' => sub {
+	no warnings 'once';
+	local %miniserv::ip_match_cache = ();
+
+	# LOCAL keyword expands to a class-derived prefix of the local IP.
+	my $local_rule = 'LOCAL';
+	ok( miniserv::ip_match('10.1.2.3', '10.9.9.9', $local_rule),
+	    'LOCAL: class-A remote in same /8 as local matches');
+	ok(!miniserv::ip_match('11.1.2.3', '10.9.9.9', $local_rule),
+	    'LOCAL: different /8 does not match');
+
+	# 192.x.x.x is class C → /24 comparison.
+	my $local_rule2 = 'LOCAL';
+	ok( miniserv::ip_match('192.168.1.5', '192.168.1.1', $local_rule2),
+	    'LOCAL: class-C remote in same /24 as local matches');
+	ok(!miniserv::ip_match('192.168.2.5', '192.168.1.1', $local_rule2),
+	    'LOCAL: different /24 does not match');
+
+	# IPv6 exact match.
+	my $v6_exact = '2001:db8::1';
+	ok( miniserv::ip_match('2001:db8::1', '::1', $v6_exact),
+	    'IPv6 exact match (canonicalized)');
+	ok( miniserv::ip_match('2001:DB8::1', '::1', $v6_exact),
+	    'IPv6 exact match is case-insensitive after canonicalization');
+
+	# IPv6 CIDR — /32 covers the leading 4 bytes (2001:0db8:...).
+	my $v6_cidr = '2001:db8::/32';
+	ok( miniserv::ip_match('2001:db8:1234::5', '::1', $v6_cidr),
+	    'IPv6 CIDR /32 covers a host inside the prefix');
+	ok(!miniserv::ip_match('2002:db8:1234::5', '::1', $v6_cidr),
+	    'IPv6 CIDR /32 does not cover a host outside the prefix');
+};
+
+# users_match — group (@-prefix) branch
+subtest 'users_match (group branch)' => sub {
+	# Pick the current user's primary group, guaranteed to resolve.
+	my @pw = getpwuid($<);
+	plan skip_all => 'cannot resolve current user via getpwuid' if !@pw;
+	my $gid = $pw[3];
+	my @gr  = getgrgid($gid);
+	plan skip_all => 'cannot resolve primary gid via getgrgid' if !@gr;
+	my $group = $gr[0];
+
+	# uinfo[3] == primary gid → is_group_member returns true → users_match matches.
+	my $uinfo = ['someuser', 'x', 99999, $gid];
+	ok( miniserv::users_match($uinfo, '@'.$group),
+	    '@<group> matches when uinfo primary gid matches');
+	ok(!miniserv::users_match($uinfo,
+				 '@__definitely_not_a_real_group_xyzzy__'),
+	    '@<nonexistent-group> does not match');
+};
+
+# read_config_file — KEY=VAL parser used at startup
+subtest 'read_config_file' => sub {
+	require File::Temp;
+	my ($fh, $path) = File::Temp::tempfile(UNLINK => 1);
+	print $fh <<'EOF';
+# this is a comment
+
+  key1 = value1
+key2=value2
+  key3   =   has  spaces
+empty=
+EOF
+	close($fh);
+
+	my %got = miniserv::read_config_file($path);
+	is($got{key1},  'value1',         'leading/trailing whitespace trimmed');
+	is($got{key2},  'value2',         'tight key=val parsed');
+	is($got{key3},  'has  spaces',    'interior whitespace preserved');
+	is($got{empty}, '',               'empty value yields empty string');
+	ok(!exists $got{'# this is a comment'}, 'comment lines skipped');
+};
+
+# read_any_file — basic file reader; returns undef on open failure
+subtest 'read_any_file' => sub {
+	require File::Temp;
+	my ($fh, $path) = File::Temp::tempfile(UNLINK => 1);
+	print $fh "line1\nline2\n";
+	close($fh);
+
+	is(miniserv::read_any_file($path), "line1\nline2\n",
+	   'returns the entire file contents');
+	is(miniserv::read_any_file('/definitely/not/a/real/path/xyzzy'), undef,
+	   'open failure returns undef');
+};
+
+# read_mime_types — populates %mime from file + addtype_* config
+subtest 'read_mime_types' => sub {
+	no warnings 'once';
+	require File::Temp;
+	my ($fh, $path) = File::Temp::tempfile(UNLINK => 1);
+	print $fh <<'EOF';
+# comment line
+text/html	html htm
+image/png	png
+EOF
+	close($fh);
+
+	local %miniserv::config = (
+		'mimetypes'        => $path,
+		'addtype_custom'   => 'application/x-custom',
+		);
+	local %miniserv::mime = ();
+
+	miniserv::read_mime_types();
+	is($miniserv::mime{html},   'text/html',          'first extension from file mapped');
+	is($miniserv::mime{htm},    'text/html',          'second extension on same line mapped');
+	is($miniserv::mime{png},    'image/png',          'second line mapped');
+	is($miniserv::mime{custom}, 'application/x-custom', 'addtype_* config overrides file');
+};
+
+# parse_websockets_config — turns websockets_<path> config lines into structs
+subtest 'parse_websockets_config' => sub {
+	no warnings 'once';
+	local %miniserv::config = (
+		'websockets_/chat' => 'host=back.example.com port=9000 proto=ws',
+		'unrelated_key'    => 'ignored',
+		);
+	local @miniserv::websocket_paths = ();
+
+	miniserv::parse_websockets_config();
+	is(scalar @miniserv::websocket_paths, 1, 'one websocket entry produced');
+	my $ws = $miniserv::websocket_paths[0];
+	is($ws->{path},  '/chat',             'path captured from key suffix');
+	is($ws->{host},  'back.example.com',  'host kv parsed');
+	is($ws->{port},  '9000',              'port kv parsed');
+	is($ws->{proto}, 'ws',                'proto kv parsed');
+};
+
+# get_user_details — local-files branch (skips the userdb code path entirely)
+subtest 'get_user_details (local files)' => sub {
+	no warnings 'once';
+	local %miniserv::config       = ();   # no userdb → file path only
+	local %miniserv::users        = ('alice' => 'hashedpass');
+	local %miniserv::certs        = ('alice' => 'CN=Alice');
+	local %miniserv::allow        = ('alice' => ['1.2.3.4']);
+	local %miniserv::deny         = ('alice' => ['9.9.9.9']);
+	local %miniserv::allowdays    = ('alice' => [0, 1, 2]);
+	local %miniserv::allowhours   = ('alice' => [540, 1020]);
+	local %miniserv::lastchanges  = ('alice' => '1700000000');
+	local %miniserv::nochange     = ('alice' => 1);
+	local %miniserv::temppass     = ('alice' => 0);
+	local %miniserv::twofactor    = ('alice' => {
+		'provider' => 'totp', 'id' => 'aliceid', 'apikey' => 'secret' });
+
+	my $u = miniserv::get_user_details('alice');
+	is(ref($u), 'HASH',                       'returns a hashref');
+	is($u->{name},     'alice',               'name field');
+	is($u->{pass},     'hashedpass',          'pass field comes from %users');
+	is($u->{certs},    'CN=Alice',            'certs field');
+	is_deeply($u->{allow}, ['1.2.3.4'],       'allow list');
+	is_deeply($u->{deny},  ['9.9.9.9'],       'deny list');
+	is($u->{twofactor_provider}, 'totp',      'twofactor provider lifted');
+	is($u->{twofactor_id},       'aliceid',   'twofactor id lifted');
+	is($u->{twofactor_apikey},   'secret',    'twofactor apikey lifted');
+
+	is(miniserv::get_user_details('nobody'), undef,
+	   'unknown user with no userdb returns undef');
+
+	# origusername falls back to username for twofactor lookup.
+	local %miniserv::twofactor = (
+		'bob_orig' => { 'provider' => 'duo', 'id' => 'bid', 'apikey' => 'bk' });
+	local %miniserv::users = ('bob_local' => 'hash');
+	my $u2 = miniserv::get_user_details('bob_local', 'bob_orig');
+	is($u2->{twofactor_provider}, 'duo',
+	   'twofactor looked up by origusername when present');
+};
+
+# find_user_by_cert — local-files branch (matches against %certs)
+subtest 'find_user_by_cert (local files)' => sub {
+	no warnings 'once';
+	local %miniserv::config = ();   # no userdb
+	local %miniserv::certs  = (
+		'alice' => 'CN=Alice,Email=alice@example.com',
+		'bob'   => 'CN=Bob,emailAddress=bob@example.com',
+		);
+
+	is(miniserv::find_user_by_cert('CN=Alice,Email=alice@example.com'),
+	   'alice', 'exact match returns username');
+	# emailAddress=/Email= are swapped before comparison.
+	is(miniserv::find_user_by_cert('CN=Alice,emailAddress=alice@example.com'),
+	   'alice', 'Email/emailAddress form aliasing matches');
+	is(miniserv::find_user_by_cert('CN=Bob,Email=bob@example.com'),
+	   'bob',   'reverse aliasing also matches');
+	is(miniserv::find_user_by_cert('CN=Nobody'), undef,
+	   'unknown peer name returns undef');
+};
+
+# get_logout_time — per-user / per-group / default rules
+subtest 'get_logout_time' => sub {
+	no warnings 'once';
+	local %miniserv::logout_time_cache = ();
+
+	# Username branch beats the default.
+	local @miniserv::logouttimes = (
+		[ 'alice', 30 ],
+		[ undef,   10 ],
+		);
+	is(miniserv::get_logout_time('alice', 'sid1'), 30,
+	   'username-specific rule wins');
+	is(miniserv::get_logout_time('alice', 'sid1'), 30,
+	   'second call returns cached value');
+
+	is(miniserv::get_logout_time('charlie', 'sid2'), 10,
+	   'user with no specific rule falls through to default (undef key)');
+
+	# Group rule (@-prefix) — requires that the user resolves via getpwnam,
+	# so use the current process user.
+	my @pw = getpwuid($<);
+	SKIP: {
+		skip 'cannot resolve current user', 1 if !@pw;
+		my @gr = getgrgid($pw[3]);
+		skip 'cannot resolve primary group', 1 if !@gr;
+		local %miniserv::logout_time_cache = ();
+		local @miniserv::logouttimes = (
+			[ '@'.$gr[0], 99 ],
+			[ undef,      10 ],
+			);
+		is(miniserv::get_logout_time($pw[0], 'sid3'), 99,
+		   '@group rule matches via primary gid');
+	}
+};
+
+# build_config_mappings — turns flat %config keys into structured globals
+subtest 'build_config_mappings' => sub {
+	no warnings qw(once redefine);
+	# Stub open_debug_to_log — it touches DEBUG (an unopened fh in tests).
+	local *miniserv::open_debug_to_log = sub { };
+	local *miniserv::to_ipaddress      = sub { return @_; };
+
+	local %miniserv::config = (
+		'anonymous'         => '/pub=guest /api=apiuser',
+		'ipaccess'          => '/admin=10.0.0.0/8',
+		'unauth'            => '^/public/ ^/robots.txt$',
+		'unauthcgi'         => '^/login.cgi$',
+		'redirect'          => '/old=/new',
+		'strip_prefix'      => '/virt',
+		'deny'              => '9.9.9.9 8.8.8.8',
+		'allow'             => '1.2.3.4',
+		'allowusers'        => 'alice bob',
+		'unixauth'          => 'admin=root *=apache',
+		'sessiononly'       => '/api /webhooks',
+		'logouttimes'       => 'alice=15 @wheel=60',
+		'logouttime'        => 5,
+		'davpaths'          => '/dav1 /dav2',
+		'dav_users'         => 'eve',
+		'mobile_agents'     => "Foo\tBar",
+		'mobile_prefixes'   => 'XYZ ABC',
+		'expires_paths'     => "\\.css\$=3600\t\\.js\$=86400",
+		'alwaysresolve'     => 1,   # keep deny/allow as-is (no DNS)
+		);
+
+	# Reset every output global.
+	local %miniserv::anonymous   = ();
+	local %miniserv::ipaccess    = ();
+	local @miniserv::unauth      = ();
+	local @miniserv::unauthcgi   = ();
+	local %miniserv::redirect    = ();
+	local @miniserv::strip_prefix = ();
+	local @miniserv::deny        = ();
+	local @miniserv::allow       = ();
+	local @miniserv::allowusers  = ();
+	local @miniserv::denyusers   = ();
+	local %miniserv::unixauth    = ();
+	local %miniserv::sessiononly = ();
+	local @miniserv::logouttimes = ();
+	local @miniserv::davpaths    = ();
+	local @miniserv::davusers    = ();
+	local @miniserv::mobile_agents   = ();
+	local @miniserv::mobile_prefixes = ();
+	local @miniserv::expires_paths   = ();
+	local %miniserv::sudocache       = ();
+	local %miniserv::cert_names_cache = ();
+
+	miniserv::build_config_mappings();
+
+	is($miniserv::anonymous{'/pub'}, 'guest',         'anonymous map parsed');
+	is($miniserv::ipaccess{'/admin'}, '10.0.0.0/8',   'ipaccess map parsed');
+	is_deeply(\@miniserv::unauth,    ['^/public/', '^/robots.txt$'], 'unauth list parsed');
+	is_deeply(\@miniserv::unauthcgi, ['^/login.cgi$'],                'unauthcgi list parsed');
+	is($miniserv::redirect{'/old'},  '/new',                          'redirect map parsed');
+	is_deeply(\@miniserv::strip_prefix, ['/virt'],                    'strip_prefix parsed');
+	is_deeply(\@miniserv::allowusers,  ['alice', 'bob'],              'allowusers parsed');
+	is(scalar @miniserv::denyusers, 0,
+	   'denyusers stays empty when allowusers is set (mutually exclusive)');
+	is($miniserv::unixauth{admin}, 'root',                            'specific unixauth parsed');
+	is($miniserv::unixauth{'*'},   'apache',                          'default unixauth parsed');
+	ok($miniserv::sessiononly{'/api'},                                'sessiononly entry set');
+	is_deeply(\@miniserv::davpaths,    ['/dav1', '/dav2'],            'davpaths parsed');
+	is_deeply(\@miniserv::davusers,    ['eve'],                       'davusers parsed');
+	is_deeply(\@miniserv::mobile_agents, ['Foo', 'Bar'],
+	          'mobile_agents tab-split');
+
+	# logouttimes: configured rules + an always-match default appended.
+	is(scalar @miniserv::logouttimes, 3, 'two configured + one default');
+	is($miniserv::logouttimes[-1][0], undef, 'last entry is the default rule');
+	is($miniserv::logouttimes[-1][1], 5,     'default uses logouttime');
+
+	# expires_paths: each tab-separated entry becomes [regex, secs].
+	is(scalar @miniserv::expires_paths, 2, 'two expires entries');
+	is_deeply($miniserv::expires_paths[0], ['\.css$', '3600'],
+	          'first expires entry split on =');
+};
+
+# lock_user_password — local-file branch rewrites the users file in place
+subtest 'lock_user_password (local file)' => sub {
+	no warnings qw(once redefine);
+	require File::Temp;
+	my ($fh, $path) = File::Temp::tempfile(UNLINK => 1);
+	# Standard 5-field users line (user:pass:lastchange:certs:opts...).
+	print $fh "alice:hashedpass:0::\n";
+	print $fh "bob:bobhash:0::\n";
+	close($fh);
+
+	local %miniserv::config = ('userfile' => $path);
+	local %miniserv::users  = (
+		'alice' => 'hashedpass',
+		'bob'   => 'bobhash',
+		);
+	# get_user_details would normally do %users → hashref; stub it.
+	local *miniserv::get_user_details = sub {
+		my ($u) = @_;
+		return undef if !exists $miniserv::users{$u};
+		return { 'name' => $u, 'pass' => $miniserv::users{$u} };
+		};
+
+	is(miniserv::lock_user_password('nobody'), -1,
+	   'unknown user returns -1');
+
+	is(miniserv::lock_user_password('alice'), 0, 'lock succeeds');
+	is($miniserv::users{alice}, '!hashedpass',
+	   'in-memory pass is prefixed with !');
+
+	# File on disk reflects the change.
+	open(my $rh, '<', $path) or die "reopen: $!";
+	my $content = do { local $/; <$rh> };
+	close($rh);
+	like  ($content, qr/^alice:!hashedpass:/m,  'alice line rewritten with !');
+	like  ($content, qr/^bob:bobhash:/m,        'bob line untouched');
+
+	# Locking an already-locked user is a no-op (returns 0 but no double-!).
+	is(miniserv::lock_user_password('alice'), 0,
+	   'already-locked user → 0 (no-op)');
+	is($miniserv::users{alice}, '!hashedpass',
+	   'no double-bang prefix on second lock');
+};
+
+done_testing();
diff --git a/t/web-lib-funcs-filter_javascript.t b/t/web-lib-funcs-filter_javascript.t
new file mode 100644
index 000000000..aa87e936c
--- /dev/null
+++ b/t/web-lib-funcs-filter_javascript.t
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+# Tests for web-lib-funcs.pl filter_javascript.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Basename qw(dirname);
+use File::Spec;
+
+my $script = File::Spec->rel2abs(
+	File::Spec->catfile(dirname(__FILE__), '..', 'web-lib-funcs.pl'));
+require $script;
+
+is(
+	main::filter_javascript('<video/onloadstart=alert(1) src=1>'),
+	'<video/xonloadstart=alert(1) src=1>',
+	'slash-separated HTML5 event handler is disabled',
+);
+
+is(
+	main::filter_javascript('<img src=x onload=alert(1)>'),
+	'<img src=x xonload=alert(1)>',
+	'classic event handler is disabled',
+);
+
+is(
+	main::filter_javascript('<div onwheel = alert(1) onpointerdown=alert(2)>'),
+	'<div xonwheel = alert(1) xonpointerdown=alert(2)>',
+	'multiple modern event handlers are disabled',
+);
+
+is(
+	main::filter_javascript(
+		'<a data-onload="safe" href="javascript:alert(1)">link</a>'),
+	'<a data-onload="safe" href="xjavascript:alert(1)">link</a>',
+	'non-handler attributes are preserved while script URIs are disabled',
+);
+
+done_testing();
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index cb11e08f8..920949c74 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -5741,6 +5741,16 @@ if ($module_name) {
 	$module_root_directory = &module_root_directory($module_name);
 	}
 
+if (!$main::allow_rpc_only &&
+    $main::webmin_script_type eq 'web' &&
+    !$main::no_acl_check &&
+    !defined($ENV{'FOREIGN_MODULE_NAME'})) {
+	# Check if this user is RPC-only
+	if (&webmin_user_can_rpc() == 2) {
+		&error($text{'erpconly'});
+		}
+	}
+
 if ($module_name && !$main::no_acl_check &&
     (!defined($ENV{'FOREIGN_MODULE_NAME'}) ||
       defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})) &&
@@ -5759,16 +5769,6 @@ if ($module_name && !$main::no_acl_check &&
 	$main::no_acl_check++;
 	}
 
-if (!$main::allow_rpc_only &&
-    $main::webmin_script_type eq 'web' &&
-    !$main::no_acl_check &&
-    !defined($ENV{'FOREIGN_MODULE_NAME'})) {
-	# Check if this user is RPC-only
-	if (&webmin_user_can_rpc() == 2) {
-		&error($text{'erpconly'});
-		}
-	}
-
 # Check the Referer: header for nasty redirects
 my @referers = split(/\s+/, $gconfig{'referers'});
 my $referer_site;
@@ -10179,10 +10179,15 @@ sub filter_javascript
 my ($rv, $type) = @_;
 if (!$type || $type eq 'html') {
 	$rv =~ s/<\s*script[^>]*>([\000-\377]*?)<\s*\/script\s*>//gi;
-	$rv =~ s/(on(Abort|BeforeUnload|Blur|Change|Click|ContextMenu|Copy|Cut|DblClick|Drag|DragEnd|DragEnter|DragLeave|DragOver|DragStart|DragDrop|Drop|Error|Focus|FocusIn|FocusOut|HashChange|Input|Invalid|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseEnter|MouseLeave|MouseMove|MouseOut|MouseOver|MouseUp|Move|Paste|PageShow|PageHide|Reset|Resize|Scroll|Search|Select|Submit|Toggle|Unload)=)/x$1/gi;
 	$rv =~ s/(javascript(:|&colon;|&#58;|&#x3A;))/x$1/gi;
 	$rv =~ s/(vbscript(:|&colon;|&#58;|&#x3A;))/x$1/gi;
-	$rv =~ s/<([^>]*\s|)(on\S+=)(.*)>/<$1x$2$3>/gi;
+	my $event_attr = qr/on[a-z][a-z0-9_:-]*\s*=/i;
+	my $event_attrs;
+	do {
+		$event_attrs = 0;
+		$event_attrs += $rv =~ s{(<[^>]*?)([\s/]+)($event_attr)}{$1$2x$3}g;
+		$event_attrs += $rv =~ s{(<)($event_attr)}{$1x$2}g;
+		} while ($event_attrs);
 	}
 if ($type eq 'pdf') {
 	$rv =~ s/([\n]*)<<[\n((?:.*?|\n)*?)][\w\s\/]+[\n((?:.*?|\n)*?)][\w\s\/]+JavaScript[\w\s\/]*[\n((?:.*?|\n)*?)][\w\s\/]+\s.*?>>[\n]*/$1/gmsi;
diff --git a/webmin/index.cgi b/webmin/index.cgi
index 6db8c571d..213f9bc54 100755
--- a/webmin/index.cgi
+++ b/webmin/index.cgi
@@ -83,7 +83,7 @@ for(my $i=0; $i<@wlinks; $i++) {
 		}
 	}
 
-print &ui_alert_box(&filter_javascript($in{'message'}), 'success', undef, 1,
+print &ui_alert_box(&html_escape($in{'message'}), 'success', undef, 1,
 		    &html_escape($in{'title'})) if ($in{'message'});
 
 &icons_table(\@wlinks, \@wtitles, \@wicons);
diff --git a/webmin/webmin-lib.pl b/webmin/webmin-lib.pl
index 0e74543a7..86c3c1f64 100755
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -1962,7 +1962,15 @@ my ($title, $msg) = @_;
 if (!$gconfig{'restart_async'}) {
 	&restart_miniserv();
 	my $msg_redir = "";
-	$msg_redir = "?title=".&urlize($title)."&message=".&urlize($msg) if $msg;
+	if ($msg) {
+		$title = defined($title) ? &html_strip($title, " ") : "";
+		$msg = &html_strip($msg, " ");
+		$title =~ s/\s+/ /g;
+		$title =~ s/^\s+|\s+$//g;
+		$msg =~ s/\s+/ /g;
+		$msg =~ s/^\s+|\s+$//g;
+		$msg_redir = "?title=".&urlize($title)."&message=".&urlize($msg);
+		}
 	&redirect($msg_redir);
 	return;
 	}
diff --git a/xmlrpc.cgi b/xmlrpc.cgi
index 9a14aa0ee..aaebefb35 100755
--- a/xmlrpc.cgi
+++ b/xmlrpc.cgi
@@ -19,6 +19,8 @@ BEGIN { push(@INC, "."); };
 use WebminCore;
 use POSIX;
 use Socket;
+
+$main::allow_rpc_only = 1;
 $force_lang = $default_lang;
 $trust_unknown_referers = 2;	# Only trust if referer was not set
 &init_config();
@@ -317,4 +319,3 @@ $xmlerr .= "</methodResponse>\n";
 return $xmlerr;
 }
 
-