Merge pull request #299 from containous/add-better-benchmarks

add better benchmarks

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 vendor/
 !dist/traefik
+site/
+**/*.test

.github/CONTRIBUTING.md

@@ -37,14 +37,14 @@ traefik*
 
 The idea behind `glide` is the following :
 
-- when checkout(ing) a project, **run `glide up --quick`** to install
+- when checkout(ing) a project, **run `glide install`** to install
   (`go get …`) the dependencies in the `GOPATH`.
 - if you need another dependency, import and use it in
   the source, and **run `glide get github.com/Masterminds/cookoo`** to save it in
   `vendor` and add it to your `glide.yaml`.
 
 ```bash
-$ glide up --quick
+$ glide install
 # generate
 $ go generate
 # Simple go build

.gitignore

@@ -1,6 +1,7 @@
 /dist
 gen.go
 .idea
+.intellij
 log
 *.iml
 traefik
@@ -8,4 +9,5 @@ traefik.toml
 *.test
 vendor/
 static/
-glide.lock
+.vscode/
+site/

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+-   repo: git://github.com/pre-commit/pre-commit-hooks
+    sha: 44e1753f98b0da305332abe26856c3e621c5c439
+    hooks:
+    -   id: detect-private-key
+-   repo: git://github.com/containous/pre-commit-hooks
+    sha: 35e641b5107671e94102b0ce909648559e568d61
+    hooks:
+    -   id: goFmt
+    -   id: goLint
+    -   id: goErrcheck

.travis.yml

@@ -1,27 +1,28 @@
+branches:
+  except:
+  - /^v\d\.\d\.\d.*$/
 env:
-  REPO: $TRAVIS_REPO_SLUG
-  VERSION: v1.0.0-beta.$TRAVIS_BUILD_NUMBER
-
+  global:
+    - secure: btt4r13t09gQlHb6gYrvGC2yGCMMHfnp1Mz1RQedc4Mpf/FfT8aE6xmK2a2i9CCvskjrP0t/BFaS4yxIURjnFRn+ugQIEa0pLspB9UJArW/vgOSpIWM9/OQ/fg8z5XuMxN6Md4DL1/iLypMNSageA1x0TRdt89+D1N1dALpg5XRCXLFbC84TLi0gjlFuib9ibPKzEhLT+anCRJ6iZMzeupDSoaCVbAtJMoDvXw4+4AcRZ1+k4MybBLyCib5boaEOt4pTT88mz4Kk0YaMwPVJyg9Qv36VqyUcPS09Yd95LuyVQ4+tZt8Y1ccbIzULsK+sLM3hLCzxlmlpN3dQBlZJiiRtQde0mgGAKyC0P0A1XjuDTywcsa5edB+fTk1Dsewz9xZ9V0NmMz8t+UNZnaSsAPga9i86jULbXUUwMVSzVRc+Xgx02liB/8qI1xYC9FM6ilStt7rn7mF0k3KbiWhcptgeXjO6Lah9FjEKd5w4MXsdUSTi/86rQaLo+kj+XdaTrXCTulKHyRyQEUj+8V1w0oVz7pcGjePHd7y5oU9ByifVQy6sytuFBfRZvugM5bKHo+i0pcWvixrZS42DrzwxZJsspANOvqSe5ifVbvOkfUppQdCBIwptxV5N1b49XPKU3W/w34QJ8xGmKp3TFA7WwVCztriFHjPgiRpB3EG99Bg=
+    - REPO: $TRAVIS_REPO_SLUG
+    - VERSION: v1.0.0-beta.$TRAVIS_BUILD_NUMBER
 sudo: required
-
 services:
-  - docker
-
+- docker
 install:
-  - sudo service docker stop
-  - sudo curl https://get.docker.com/builds/Linux/x86_64/docker-1.10.1 -o /usr/bin/docker
-  - sudo chmod +x /usr/bin/docker
-  - sudo service docker start
-
+- sudo service docker stop
+- sudo curl https://get.docker.com/builds/Linux/x86_64/docker-1.10.1 -o /usr/bin/docker
+- sudo chmod +x /usr/bin/docker
+- sudo service docker start
+- pip install --user mkdocs
+- pip install --user pymdown-extensions
 before_script:
-  - make validate
-  - make binary
-
+- make validate
+- make binary
 script:
-  - make test-unit
-  - make test-integration
-  - make crossbinary
-  - make image
-
+- make test-unit
+- make test-integration
+- make crossbinary
+- make image
 after_success:
- - make deploy
+- make deploy

Makefile

@@ -4,6 +4,7 @@ TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
 	-e OS_PLATFORM_ARG \
 	-e TESTFLAGS \
+	-e VERBOSE \
 	-e VERSION
 
 SRCS = $(shell git ls-files '*.go' | grep -v '^external/')
@@ -23,35 +24,26 @@ print-%: ; @echo $*=$($*)
 
 default: binary
 
-all: generate-webui build
+all: generate-webui build ## validate all checks, build linux binary, run all tests\ncross non-linux binaries
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh
 
-binary: generate-webui build
+binary: generate-webui build ## build the linux binary
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary
 
-crossbinary: generate-webui build
+crossbinary: generate-webui build ## cross build the non-linux binaries
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate crossbinary
 
-test: build
+test: build ## run the unit and integration tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
 
-test-unit: build
+test-unit: build ## run the unit tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit
 
-test-integration: build
+test-integration: build ## run the integration tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-integration
 
-validate: build
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint
-
-validate-gofmt: build
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt
-
-validate-govet: build
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-govet
-
-validate-golint: build
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-golint
+validate: build  ## validate gofmt, golint and go vet
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh  validate-gofmt validate-govet validate-golint 
 
 build: dist
 	docker build -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
@@ -62,10 +54,10 @@ build-webui:
 build-no-cache: dist
 	docker build --no-cache -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
 
-shell: build
+shell: build ## start a shell inside the build env
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
 
-image: build
+image: build ## build a docker traefik image 
 	docker build -t $(TRAEFIK_IMAGE) .
 
 dist:
@@ -84,10 +76,13 @@ generate-webui: build-webui
 	fi
 
 lint:
-	$(foreach file,$(SRCS),golint $(file) || exit;)
+	script/validate-golint
 
 fmt:
 	gofmt -s -l -w $(SRCS)
 
 deploy:
 	./script/deploy.sh
+
+help: ## this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

README.md

@@ -1,25 +1,50 @@
 
 <p align="center">
-<img src="http://traefik.github.io/traefik.logo.svg" alt="Træfɪk" title="Træfɪk" />
+<img src="docs/img/traefik.logo.png" alt="Træfɪk" title="Træfɪk" />
 </p>
 
 [![Build Status](https://travis-ci.org/containous/traefik.svg?branch=master)](https://travis-ci.org/containous/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](https://github.com/containous/traefik/blob/master/LICENSE.md)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
+[![Go Report Card](https://goreportcard.com/badge/kubernetes/helm)](http://goreportcard.com/report/containous/traefik)
+[![Image Layer](https://badge.imagelayers.io/traefik:latest.svg)](https://imagelayers.io/?images=traefik)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
 [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 
-
 Træfɪk is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker :whale:](https://www.docker.com/), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
+It supports several backends ([Docker](https://www.docker.com/), [Swarm](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
+
+## Overview
+
+Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services.
+If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:
+
+- domain `api.domain.com` will point the microservice `api` in your private network
+- path `domain.com/web` will point the microservice `web` in your private network
+- domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances
+
+But a microservices architecture is dynamic... Services are added, removed, killed or upgraded often, eventually several times a day.
+
+Traditional reverse-proxies are not natively dynamic. You can't change their configuration and hot-reload easily.
+
+Here enters Træfɪk.
+
+![Architecture](docs/img/architecture.png)
+
+Træfɪk can listen to your service registry/orchestrator API, and knows each time a microservice is added, removed, killed or upgraded, and can generate its configuration automatically.
+Routes to your services will be created instantly.
+
+Run it and forget it!
+  
+  
 
 
 ## Features
 
-- [It's fast](docs/index.md#benchmarks)
+- [It's fast](http://docs.traefik.io/benchmarks)
 - No dependency hell, single binary made with go
-- Simple json Rest API
-- Simple TOML file configuration
+- Rest API
 - Multiple backends supported: Docker, Mesos/Marathon, Consul, Etcd, and more to come
 - Watchers for backends, can listen change in backends to apply a new configuration automatically
 - Hot-reloading of configuration. No need to restart the process
@@ -27,12 +52,14 @@ It supports several backends ([Docker :whale:](https://www.docker.com/), [Mesos/
 - Circuit breakers on backends
 - Round Robin, rebalancer load-balancers
 - Rest Metrics
-- Tiny docker image included [![Image Layers](https://badge.imagelayers.io/containous/traefik:latest.svg)](https://imagelayers.io/?images=containous/traefik:latest)
+- [Tiny](https://imagelayers.io/?images=traefik) [official](https://hub.docker.com/r/_/traefik/) docker image included
 - SSL backends support
-- SSL frontend support
+- SSL frontend support (with SNI)
 - Clean AngularJS Web UI
 - Websocket support
 - HTTP/2 support
+- Retry request if network error
+- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS)
 
 ## Demo
 
@@ -53,6 +80,7 @@ You can access to a simple HTML frontend of Træfik.
 - [Gorilla mux](https://github.com/gorilla/mux): famous request router
 - [Negroni](https://github.com/codegangsta/negroni): web middlewares made simple
 - [Manners](https://github.com/mailgun/manners): graceful shutdown of http.Handler servers
+- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
 
 ## Quick start
 
@@ -65,7 +93,7 @@ You can access to a simple HTML frontend of Træfik.
 - Use the tiny Docker image:
 
 ```shell
-docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml containous/traefik
+docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
 ```
 
 - From sources:
@@ -76,7 +104,7 @@ git clone https://github.com/containous/traefik
 
 ## Documentation
 
-You can find the complete documentation [here](docs/index.md).
+You can find the complete documentation [here](https://docs.traefik.io).
 
 ## Contributing
 

acme/acme.go

@@ -0,0 +1,423 @@
+package acme
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	log "github.com/Sirupsen/logrus"
+	"github.com/containous/traefik/safe"
+	"github.com/xenolf/lego/acme"
+	"io/ioutil"
+	fmtlog "log"
+	"os"
+	"reflect"
+	"sync"
+	"time"
+)
+
+// Account is used to store lets encrypt registration info
+type Account struct {
+	Email              string
+	Registration       *acme.RegistrationResource
+	PrivateKey         []byte
+	DomainsCertificate DomainsCertificates
+}
+
+// GetEmail returns email
+func (a Account) GetEmail() string {
+	return a.Email
+}
+
+// GetRegistration returns lets encrypt registration resource
+func (a Account) GetRegistration() *acme.RegistrationResource {
+	return a.Registration
+}
+
+// GetPrivateKey returns private key
+func (a Account) GetPrivateKey() crypto.PrivateKey {
+	if privateKey, err := x509.ParsePKCS1PrivateKey(a.PrivateKey); err == nil {
+		return privateKey
+	}
+	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
+	return nil
+}
+
+// Certificate is used to store certificate info
+type Certificate struct {
+	Domain        string
+	CertURL       string
+	CertStableURL string
+	PrivateKey    []byte
+	Certificate   []byte
+}
+
+// DomainsCertificates stores a certificate for multiple domains
+type DomainsCertificates struct {
+	Certs []*DomainsCertificate
+	lock  *sync.RWMutex
+}
+
+func (dc *DomainsCertificates) init() error {
+	if dc.lock == nil {
+		dc.lock = &sync.RWMutex{}
+	}
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+	for _, domainsCertificate := range dc.Certs {
+		tlsCert, err := tls.X509KeyPair(domainsCertificate.Certificate.Certificate, domainsCertificate.Certificate.PrivateKey)
+		if err != nil {
+			return err
+		}
+		domainsCertificate.tlsCert = &tlsCert
+	}
+	return nil
+}
+
+func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain Domain) error {
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+
+	for _, domainsCertificate := range dc.Certs {
+		if reflect.DeepEqual(domain, domainsCertificate.Domains) {
+			domainsCertificate.Certificate = acmeCert
+			tlsCert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
+			if err != nil {
+				return err
+			}
+			domainsCertificate.tlsCert = &tlsCert
+			return nil
+		}
+	}
+	return errors.New("Certificate to renew not found for domain " + domain.Main)
+}
+
+func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain Domain) (*DomainsCertificate, error) {
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+
+	tlsCert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	cert := DomainsCertificate{Domains: domain, Certificate: acmeCert, tlsCert: &tlsCert}
+	dc.Certs = append(dc.Certs, &cert)
+	return &cert, nil
+}
+
+func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*DomainsCertificate, bool) {
+	dc.lock.RLock()
+	defer dc.lock.RUnlock()
+	for _, domainsCertificate := range dc.Certs {
+		domains := []string{}
+		domains = append(domains, domainsCertificate.Domains.Main)
+		domains = append(domains, domainsCertificate.Domains.SANs...)
+		for _, domain := range domains {
+			if domain == domainToFind {
+				return domainsCertificate, true
+			}
+		}
+	}
+	return nil, false
+}
+
+func (dc *DomainsCertificates) exists(domainToFind Domain) (*DomainsCertificate, bool) {
+	dc.lock.RLock()
+	defer dc.lock.RUnlock()
+	for _, domainsCertificate := range dc.Certs {
+		if reflect.DeepEqual(domainToFind, domainsCertificate.Domains) {
+			return domainsCertificate, true
+		}
+	}
+	return nil, false
+}
+
+// DomainsCertificate contains a certificate for multiple domains
+type DomainsCertificate struct {
+	Domains     Domain
+	Certificate *Certificate
+	tlsCert     *tls.Certificate
+}
+
+func (dc *DomainsCertificate) needRenew() bool {
+	for _, c := range dc.tlsCert.Certificate {
+		crt, err := x509.ParseCertificate(c)
+		if err != nil {
+			// If there's an error, we assume the cert is broken, and needs update
+			return true
+		}
+		// <= 7 days left, renew certificate
+		if crt.NotAfter.Before(time.Now().Add(time.Duration(24 * 7 * time.Hour))) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// ACME allows to connect to lets encrypt and retrieve certs
+type ACME struct {
+	Email       string
+	Domains     []Domain
+	StorageFile string
+	OnDemand    bool
+	CAServer    string
+	EntryPoint  string
+	storageLock sync.RWMutex
+}
+
+// Domain holds a domain name with SANs
+type Domain struct {
+	Main string
+	SANs []string
+}
+
+// CreateConfig creates a tls.config from using ACME configuration
+func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(domain string) bool) error {
+	acme.Logger = fmtlog.New(ioutil.Discard, "", 0)
+
+	if len(a.StorageFile) == 0 {
+		return errors.New("Empty StorageFile, please provide a filenmae for certs storage")
+	}
+
+	log.Debugf("Generating default certificate...")
+	if len(tlsConfig.Certificates) == 0 {
+		// no certificates in TLS config, so we add a default one
+		cert, err := generateDefaultCertificate()
+		if err != nil {
+			return err
+		}
+		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
+	}
+	var account *Account
+	var needRegister bool
+
+	// if certificates in storage, load them
+	if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 {
+		log.Infof("Loading ACME certificates...")
+		// load account
+		account, err = a.loadAccount(a)
+		if err != nil {
+			return err
+		}
+	} else {
+		log.Infof("Generating ACME Account...")
+		// Create a user. New accounts need an email and private key to start
+		privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+		if err != nil {
+			return err
+		}
+		account = &Account{
+			Email:      a.Email,
+			PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
+		}
+		account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}}
+		needRegister = true
+	}
+
+	client, err := a.buildACMEClient(account)
+	if err != nil {
+		return err
+	}
+	client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
+	wrapperChallengeProvider := newWrapperChallengeProvider()
+	client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider)
+
+	if needRegister {
+		// New users will need to register; be sure to save it
+		reg, err := client.Register()
+		if err != nil {
+			return err
+		}
+		account.Registration = reg
+	}
+
+	// The client has a URL to the current Let's Encrypt Subscriber
+	// Agreement. The user will need to agree to it.
+	err = client.AgreeToTOS()
+	if err != nil {
+		return err
+	}
+
+	safe.Go(func() {
+		a.retrieveCertificates(client, account)
+	})
+
+	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok {
+			return challengeCert, nil
+		}
+		if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
+			return domainCert.tlsCert, nil
+		}
+		if a.OnDemand {
+			if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) {
+				return nil, nil
+			}
+			return a.loadCertificateOnDemand(client, account, clientHello)
+		}
+		return nil, nil
+	}
+
+	ticker := time.NewTicker(24 * time.Hour)
+	safe.Go(func() {
+		for {
+			select {
+			case <-ticker.C:
+
+				if err := a.renewCertificates(client, account); err != nil {
+					log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
+				}
+			}
+		}
+
+	})
+	return nil
+}
+
+func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
+	log.Infof("Retrieving ACME certificates...")
+	for _, domain := range a.Domains {
+		// check if cert isn't already loaded
+		if _, exists := account.DomainsCertificate.exists(domain); !exists {
+			domains := []string{}
+			domains = append(domains, domain.Main)
+			domains = append(domains, domain.SANs...)
+			certificateResource, err := a.getDomainsCertificates(client, domains)
+			if err != nil {
+				log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
+				continue
+			}
+			_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
+			if err != nil {
+				log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
+				continue
+			}
+			if err = a.saveAccount(account); err != nil {
+				log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+				continue
+			}
+		}
+	}
+	log.Infof("Retrieved ACME certificates")
+}
+
+func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
+	for _, certificateResource := range account.DomainsCertificate.Certs {
+		if certificateResource.needRenew() {
+			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
+			renewedCert, err := client.RenewCertificate(acme.CertificateResource{
+				Domain:        certificateResource.Certificate.Domain,
+				CertURL:       certificateResource.Certificate.CertURL,
+				CertStableURL: certificateResource.Certificate.CertStableURL,
+				PrivateKey:    certificateResource.Certificate.PrivateKey,
+				Certificate:   certificateResource.Certificate.Certificate,
+			}, false)
+			if err != nil {
+				return err
+			}
+			log.Debugf("Renewed certificate %+v", certificateResource.Domains)
+			renewedACMECert := &Certificate{
+				Domain:        renewedCert.Domain,
+				CertURL:       renewedCert.CertURL,
+				CertStableURL: renewedCert.CertStableURL,
+				PrivateKey:    renewedCert.PrivateKey,
+				Certificate:   renewedCert.Certificate,
+			}
+			err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
+			if err != nil {
+				return err
+			}
+			if err = a.saveAccount(account); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) {
+	caServer := "https://acme-v01.api.letsencrypt.org/directory"
+	if len(a.CAServer) > 0 {
+		caServer = a.CAServer
+	}
+	client, err := acme.NewClient(caServer, Account, acme.RSA4096)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (a *ACME) loadCertificateOnDemand(client *acme.Client, Account *Account, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if certificateResource, ok := Account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
+		return certificateResource.tlsCert, nil
+	}
+	Certificate, err := a.getDomainsCertificates(client, []string{clientHello.ServerName})
+	if err != nil {
+		return nil, err
+	}
+	log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName)
+	cert, err := Account.DomainsCertificate.addCertificateForDomains(Certificate, Domain{Main: clientHello.ServerName})
+	if err != nil {
+		return nil, err
+	}
+	if err = a.saveAccount(Account); err != nil {
+		return nil, err
+	}
+	return cert.tlsCert, nil
+}
+
+func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
+	a.storageLock.RLock()
+	defer a.storageLock.RUnlock()
+	Account := Account{
+		DomainsCertificate: DomainsCertificates{},
+	}
+	file, err := ioutil.ReadFile(acmeConfig.StorageFile)
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(file, &Account); err != nil {
+		return nil, err
+	}
+	err = Account.DomainsCertificate.init()
+	if err != nil {
+		return nil, err
+	}
+	log.Infof("Loaded ACME config from storage %s", acmeConfig.StorageFile)
+	return &Account, nil
+}
+
+func (a *ACME) saveAccount(Account *Account) error {
+	a.storageLock.Lock()
+	defer a.storageLock.Unlock()
+	// write account to file
+	data, err := json.MarshalIndent(Account, "", "  ")
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(a.StorageFile, data, 0644)
+}
+
+func (a *ACME) getDomainsCertificates(client *acme.Client, domains []string) (*Certificate, error) {
+	log.Debugf("Loading ACME certificates %s...", domains)
+	bundle := false
+	certificate, failures := client.ObtainCertificate(domains, bundle, nil)
+	if len(failures) > 0 {
+		log.Error(failures)
+		return nil, fmt.Errorf("Cannot obtain certificates %s+v", failures)
+	}
+	log.Debugf("Loaded ACME certificates %s", domains)
+	return &Certificate{
+		Domain:        certificate.Domain,
+		CertURL:       certificate.CertURL,
+		CertStableURL: certificate.CertStableURL,
+		PrivateKey:    certificate.PrivateKey,
+		Certificate:   certificate.Certificate,
+	}, nil
+}

acme/challengeProvider.go

@@ -0,0 +1,56 @@
+package acme
+
+import (
+	"crypto/tls"
+	"sync"
+
+	"crypto/x509"
+	"github.com/xenolf/lego/acme"
+)
+
+type wrapperChallengeProvider struct {
+	challengeCerts map[string]*tls.Certificate
+	lock           sync.RWMutex
+}
+
+func newWrapperChallengeProvider() *wrapperChallengeProvider {
+	return &wrapperChallengeProvider{
+		challengeCerts: map[string]*tls.Certificate{},
+	}
+}
+
+func (c *wrapperChallengeProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	if cert, ok := c.challengeCerts[domain]; ok {
+		return cert, true
+	}
+	return nil, false
+}
+
+func (c *wrapperChallengeProvider) Present(domain, token, keyAuth string) error {
+	cert, err := acme.TLSSNI01ChallengeCert(keyAuth)
+	if err != nil {
+		return err
+	}
+	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return err
+	}
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	for i := range cert.Leaf.DNSNames {
+		c.challengeCerts[cert.Leaf.DNSNames[i]] = &cert
+	}
+
+	return nil
+
+}
+
+func (c *wrapperChallengeProvider) CleanUp(domain, token, keyAuth string) error {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	delete(c.challengeCerts, domain)
+	return nil
+}

acme/crypto.go

@@ -0,0 +1,78 @@
+package acme
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"time"
+)
+
+func generateDefaultCertificate() (*tls.Certificate, error) {
+	rsaPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	rsaPrivPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaPrivKey)})
+
+	randomBytes := make([]byte, 100)
+	_, err = rand.Read(randomBytes)
+	if err != nil {
+		return nil, err
+	}
+	zBytes := sha256.Sum256(randomBytes)
+	z := hex.EncodeToString(zBytes[:sha256.Size])
+	domain := fmt.Sprintf("%s.%s.traefik.default", z[:32], z[32:])
+	tempCertPEM, err := generatePemCert(rsaPrivKey, domain)
+	if err != nil {
+		return nil, err
+	}
+
+	certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &certificate, nil
+}
+func generatePemCert(privKey *rsa.PrivateKey, domain string) ([]byte, error) {
+	derBytes, err := generateDerCert(privKey, time.Time{}, domain)
+	if err != nil {
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}), nil
+}
+
+func generateDerCert(privKey *rsa.PrivateKey, expiration time.Time, domain string) ([]byte, error) {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, err
+	}
+
+	if expiration.IsZero() {
+		expiration = time.Now().Add(365)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "TRAEFIK DEFAULT CERT",
+		},
+		NotBefore: time.Now(),
+		NotAfter:  expiration,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment,
+		BasicConstraintsValid: true,
+		DNSNames:              []string{domain},
+	}
+
+	return x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+}

build.Dockerfile

@@ -1,11 +1,11 @@
 FROM golang:1.6.0-alpine
 
-RUN apk update && apk add git bash gcc
-
-RUN go get github.com/Masterminds/glide
-RUN go get github.com/mitchellh/gox
-RUN go get github.com/jteeuwen/go-bindata/...
-RUN go get github.com/golang/lint/golint
+RUN apk update && apk add git bash gcc musl-dev \
+&& go get github.com/Masterminds/glide \
+&& go get github.com/mitchellh/gox \
+&& go get github.com/jteeuwen/go-bindata/... \
+&& go get github.com/golang/lint/golint \
+&& go get github.com/kisielk/errcheck
 
 # Which docker version to test on
 ENV DOCKER_VERSION 1.10.1
@@ -24,6 +24,7 @@ RUN ln -s /usr/local/bin/docker-${DOCKER_VERSION} /usr/local/bin/docker
 WORKDIR /go/src/github.com/containous/traefik
 
 COPY glide.yaml glide.yaml
-RUN glide up --quick
+COPY glide.lock glide.lock
+RUN glide install
 
 COPY . /go/src/github.com/containous/traefik

cmd.go

@@ -126,6 +126,7 @@ func init() {
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Filename, "marathon.filename", "", "Override default configuration template. For advanced users :)")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Endpoint, "marathon.endpoint", "http://127.0.0.1:8080", "Marathon server endpoint. You can also specify multiple endpoint for Marathon")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Domain, "marathon.domain", "", "Default domain used")
+	traefikCmd.PersistentFlags().BoolVar(&arguments.Marathon.ExposedByDefault, "marathon.exposedByDefault", true, "Expose Marathon apps by default")
 
 	traefikCmd.PersistentFlags().BoolVar(&arguments.consul, "consul", false, "Enable Consul backend")
 	traefikCmd.PersistentFlags().BoolVar(&arguments.Consul.Watch, "consul.watch", true, "Watch provider")
@@ -165,15 +166,15 @@ func init() {
 	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Endpoint, "boltdb.endpoint", "127.0.0.1:4001", "Boltdb server endpoint")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Prefix, "boltdb.prefix", "/traefik", "Prefix used for KV store")
 
-	viper.BindPFlag("configFile", traefikCmd.PersistentFlags().Lookup("configFile"))
-	viper.BindPFlag("graceTimeOut", traefikCmd.PersistentFlags().Lookup("graceTimeOut"))
-	//viper.BindPFlag("defaultEntryPoints", traefikCmd.PersistentFlags().Lookup("defaultEntryPoints"))
-	viper.BindPFlag("logLevel", traefikCmd.PersistentFlags().Lookup("logLevel"))
+	_ = viper.BindPFlag("configFile", traefikCmd.PersistentFlags().Lookup("configFile"))
+	_ = viper.BindPFlag("graceTimeOut", traefikCmd.PersistentFlags().Lookup("graceTimeOut"))
+	_ = viper.BindPFlag("logLevel", traefikCmd.PersistentFlags().Lookup("logLevel"))
 	// TODO: wait for this issue to be corrected: https://github.com/spf13/viper/issues/105
-	viper.BindPFlag("providersThrottleDuration", traefikCmd.PersistentFlags().Lookup("providersThrottleDuration"))
-	viper.BindPFlag("maxIdleConnsPerHost", traefikCmd.PersistentFlags().Lookup("maxIdleConnsPerHost"))
+	_ = viper.BindPFlag("providersThrottleDuration", traefikCmd.PersistentFlags().Lookup("providersThrottleDuration"))
+	_ = viper.BindPFlag("maxIdleConnsPerHost", traefikCmd.PersistentFlags().Lookup("maxIdleConnsPerHost"))
 	viper.SetDefault("providersThrottleDuration", time.Duration(2*time.Second))
 	viper.SetDefault("logLevel", "ERROR")
+	viper.SetDefault("MaxIdleConnsPerHost", 200)
 }
 
 func run() {
@@ -195,7 +196,11 @@ func run() {
 
 	if len(globalConfiguration.TraefikLogsFile) > 0 {
 		fi, err := os.OpenFile(globalConfiguration.TraefikLogsFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
-		defer fi.Close()
+		defer func() {
+			if err := fi.Close(); err != nil {
+				log.Error("Error closinf file", err)
+			}
+		}()
 		if err != nil {
 			log.Fatal("Error opening file", err)
 		} else {

configuration.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/types"
 	"github.com/mitchellh/mapstructure"
@@ -22,9 +23,11 @@ type GlobalConfiguration struct {
 	TraefikLogsFile           string
 	LogLevel                  string
 	EntryPoints               EntryPoints
+	ACME                      *acme.ACME
 	DefaultEntryPoints        DefaultEntryPoints
 	ProvidersThrottleDuration time.Duration
 	MaxIdleConnsPerHost       int
+	Retry                     *Retry
 	Docker                    *provider.Docker
 	File                      *provider.File
 	Web                       *WebProvider
@@ -92,7 +95,9 @@ func (ep *EntryPoints) Set(value string) error {
 	var tls *TLS
 	if len(result["TLS"]) > 0 {
 		certs := Certificates{}
-		certs.Set(result["TLS"])
+		if err := certs.Set(result["TLS"]); err != nil {
+			return err
+		}
 		tls = &TLS{
 			Certificates: certs,
 		}
@@ -178,6 +183,12 @@ type Certificate struct {
 	KeyFile  string
 }
 
+// Retry contains request retry config
+type Retry struct {
+	Attempts int
+	MaxMem   int64
+}
+
 // NewGlobalConfiguration returns a GlobalConfiguration with default values.
 func NewGlobalConfiguration() *GlobalConfiguration {
 	return new(GlobalConfiguration)
@@ -244,6 +255,7 @@ func LoadConfiguration() *GlobalConfiguration {
 		viper.Set("boltdb", arguments.Boltdb)
 	}
 	if err := unmarshal(&configuration); err != nil {
+
 		fmtlog.Fatalf("Error reading file: %s", err)
 	}
 

contrib/systemd/traefik.service

@@ -2,5 +2,5 @@
 Description=Traefik
 
 [Service]
-ExecStart=/usr/bin/traefik /etc/traefik.toml
+ExecStart=/usr/bin/traefik --configFile=/etc/traefik.toml
 Restart=on-failure

docs/CNAME

@@ -0,0 +1 @@
+docs.traefik.io

docs/basics.md

@@ -0,0 +1,182 @@
+
+# Concepts
+
+Let's take our example from the [overview](https://docs.traefik.io/#overview) again:
+
+
+> Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services.
+> If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:
+
+> - domain `api.domain.com` will point the microservice `api` in your private network
+> - path `domain.com/web` will point the microservice `web` in your private network
+> - domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances
+
+> ![Architecture](img/architecture.png)
+
+Let's zoom on Træfɪk and have an overview of its internal architecture:
+
+
+![Architecture](img/internal.png)
+
+- Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Træfɪk (listening port, SSL, traffic redirection...).
+- Traffic is then forwared to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends).
+Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can match or not a request.
+- The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy.
+- Finally, the [server](#servers) will forward the request to the corresponding microservice in the private network.
+
+## Entrypoints
+
+Entrypoints are the network entry points into Træfɪk.
+They can be defined using:
+
+- a port (80, 443...)
+- SSL (Certificates. Keys...)
+- redirection to another entrypoint (redirect `HTTP` to `HTTPS`)
+
+Here is an example of entrypoints definition:
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+```
+
+- Two entrypoints are defined `http` and `https`.
+- `http` listens on port `80` et `https` on port `443`.
+- We enable SSL en `https` by giving a certificate and a key.
+- We also redirect all the traffic from entrypoint `http` to `https`.
+
+## Frontends
+
+A frontend is a set of rules that forwards the incoming traffic from an entrypoint to a backend.
+Frontends can be defined using the following rules:
+
+- `Headers: Content-Type, application/json`: Headers adds a matcher for request header values. It accepts a sequence of key/value pairs to be matched.
+- `HeadersRegexp: Content-Type, application/(text|json)`: Regular expressions can be used with headers as well. It accepts a sequence of key/value pairs, where the value has regex support.
+- `Host: traefik.io, www.traefik.io`: Match request host with given host list.
+- `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io`: Adds a matcher for the URL hosts. It accepts templates with zero or more URL variables enclosed by `{}`. Variables can define an optional regexp pattern to be matched.
+- `Method: GET, POST, PUT`: Method adds a matcher for HTTP methods. It accepts a sequence of one or more methods to be matched.
+- `Path: /products/, /articles/{category}/{id:[0-9]+}`: Path adds a matcher for the URL paths. It accepts templates with zero or more URL variables enclosed by `{}`.
+- `PathStrip`: Same as `Path` but strip the given prefix from the request URL's Path.
+- `PathPrefix`: PathPrefix adds a matcher for the URL path prefixes. This matches if the given template is a prefix of the full URL path.
+- `PathPrefixStrip`: Same as `PathPrefix` but strip the given prefix from the request URL's Path.
+
+You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
+ 
+Here is an example of frontends definition:
+
+```toml
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host: test.localhost, test2.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host: localhost, {subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  backend = "backend2"
+    rule = "Path:/test"
+```
+
+- Three frontends are defined: `frontend1`, `frontend2` and `frontend3`
+- `frontend1` will forward the traffic to the `backend2` if the rule `Host: test.localhost, test2.localhost` is matched
+- `frontend2` will forward the traffic to the `backend1` if the rule `Host: localhost, {subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
+- `frontend3` will forward the traffic to the `backend2` if the rule `Path:/test` is matched
+
+## Backends
+
+A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers.
+Various methods of load-balancing is supported:
+
+- `wrr`: Weighted Round Robin
+- `drr`: Dynamic Round Robin: increases weights on servers that perform better than others. It also rolls back to original weights if the servers have changed.
+
+A circuit breaker can also be applied to a backend, preventing high loads on failing servers.
+Initial state is Standby. CB observes the statistics and does not modify the request.
+In case if condition matches, CB enters Tripped state, where it responds with predefines code or redirects to another frontend.
+Once Tripped timer expires, CB enters Recovering state and resets all stats.
+In case if the condition does not match and recovery timer expries, CB enters Standby state.
+
+It can be configured using:
+
+- Methods: `LatencyAtQuantileMS`, `NetworkErrorRatio`, `ResponseCodeRatio`
+- Operators:  `AND`, `OR`, `EQ`, `NEQ`, `LT`, `LE`, `GT`, `GE`
+
+For example:
+
+- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend
+- `LatencyAtQuantileMS(50.0) > 50`:  watch latency at quantile in milliseconds.
+- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in range [500-600) to  [0-600)
+
+## Servers
+
+Servers are simply defined using a `URL`. You can also apply a custom `weight` to each server (this will be used by load-balacning).
+
+Here is an example of backends and servers definition:
+
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+      expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.LoadBalancer]
+      method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+```
+
+- Two backends are defined: `backend1` and `backend2`
+- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
+- `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2` using `drr` load-balancing strategy.
+- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
+
+# Launch
+
+Træfɪk can be configured using a TOML file configuration, arguments, or both.
+By default, Træfɪk will try to find a `traefik.toml` in the following places:
+
+- `/etc/traefik/`
+- `$HOME/.traefik/`
+- `.` *the working directory*
+
+You can override this by setting a `configFile` argument:
+
+```bash
+$ traefik --configFile=foo/bar/myconfigfile.toml
+```
+
+Træfɪk uses the following precedence order. Each item takes precedence over the item below it:
+
+- arguments
+- configuration file
+- default
+
+It means that arguments overrides configuration file.
+Each argument is described in the help section:
+
+```bash
+$ traefik --help
+```

docs/benchmarks.md

@@ -0,0 +1,212 @@
+# Benchmarks
+
+## Configuration
+
+I would like to thanks [vincentbernat](https://github.com/vincentbernat) from [exoscale.ch](https://www.exoscale.ch) who kindly provided the infrastructure needed for the benchmarks.
+
+I used 4 VMs for the tests with the following configuration:
+
+- 32 GB RAM
+- 8 CPU Cores
+- 10 GB SSD
+- Ubuntu 14.04 LTS 64-bit
+
+## Setup
+
+1. One VM used to launch the benchmarking tool [wrk](https://github.com/wg/wrk)
+2. One VM for traefik (v1.0.0-beta.416) / nginx (v1.4.6)
+3. Two VMs for 2 backend servers in go [whoami](https://github.com/emilevauge/whoamI/)
+
+Each VM has been tuned using the following limits:
+
+```bash
+sysctl -w fs.file-max="9999999"
+sysctl -w fs.nr_open="9999999"
+sysctl -w net.core.netdev_max_backlog="4096"
+sysctl -w net.core.rmem_max="16777216"
+sysctl -w net.core.somaxconn="65535"
+sysctl -w net.core.wmem_max="16777216"
+sysctl -w net.ipv4.ip_local_port_range="1025       65535"
+sysctl -w net.ipv4.tcp_fin_timeout="30"
+sysctl -w net.ipv4.tcp_keepalive_time="30"
+sysctl -w net.ipv4.tcp_max_syn_backlog="20480"
+sysctl -w net.ipv4.tcp_max_tw_buckets="400000"
+sysctl -w net.ipv4.tcp_no_metrics_save="1"
+sysctl -w net.ipv4.tcp_syn_retries="2"
+sysctl -w net.ipv4.tcp_synack_retries="2"
+sysctl -w net.ipv4.tcp_tw_recycle="1"
+sysctl -w net.ipv4.tcp_tw_reuse="1"
+sysctl -w vm.min_free_kbytes="65536"
+sysctl -w vm.overcommit_memory="1"
+ulimit -n 9999999
+```
+
+### Nginx
+
+Here is the config Nginx file use `/etc/nginx/nginx.conf`:
+
+```
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 200000;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 10000;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 300;
+    keepalive_requests 10000;
+    types_hash_max_size 2048;
+
+    open_file_cache max=200000 inactive=300s; 
+    open_file_cache_valid 300s; 
+    open_file_cache_min_uses 2;
+    open_file_cache_errors on;
+
+    server_tokens off;
+    dav_methods off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log combined;
+    error_log /var/log/nginx/error.log warn;
+
+    gzip off;
+    gzip_vary off;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*.conf;
+}
+```
+
+Here is the Nginx vhost file used:
+
+```
+upstream whoami {
+    server IP-whoami1:80;
+    server IP-whoami2:80;
+    keepalive 300;
+}
+
+server {
+    listen 8001;
+    server_name test.traefik;
+    access_log off;
+    error_log /dev/null crit;
+    if ($host != "test.traefik") {
+        return 404;
+    }
+    location / {
+        proxy_pass http://whoami;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+	proxy_set_header  X-Forwarded-Host $host;
+    }
+}
+```
+
+### Traefik
+
+Here is the `traefik.toml` file used:
+
+```
+MaxIdleConnsPerHost = 100000
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8000"
+
+[file]
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    url = "http://IP-whoami1:80"
+    weight = 1
+    [backends.backend1.servers.server2]
+    url = "http://IP-whoami2:80"
+    weight = 1
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host: test.traefik"
+```
+
+## Results
+
+### whoami:
+```
+wrk -t8 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-whoami:80/bench
+Running 1m test @ http://IP-whoami:80/bench
+  20 threads and 1000 connections
+  Thread Stats   Avg      Stdev     Max   +/- Stdev
+    Latency    70.28ms  134.72ms   1.91s    89.94%
+    Req/Sec     2.92k   742.42     8.78k    68.80%
+  Latency Distribution
+     50%   10.63ms
+     75%   75.64ms
+     90%  205.65ms
+     99%  668.28ms
+  3476705 requests in 1.00m, 384.61MB read
+  Socket errors: connect 0, read 0, write 0, timeout 103
+Requests/sec:  57894.35
+Transfer/sec:      6.40MB
+```
+
+### nginx:
+```
+wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-nginx:8001/bench
+Running 1m test @ http://IP-nginx:8001/bench
+  20 threads and 1000 connections
+  Thread Stats   Avg      Stdev     Max   +/- Stdev
+    Latency   101.25ms  180.09ms   1.99s    89.34%
+    Req/Sec     1.69k   567.69     9.39k    72.62%
+  Latency Distribution
+     50%   15.46ms
+     75%  129.11ms
+     90%  302.44ms
+     99%  846.59ms
+  2018427 requests in 1.00m, 298.36MB read
+  Socket errors: connect 0, read 0, write 0, timeout 90
+Requests/sec:  33591.67
+Transfer/sec:      4.97MB
+```
+
+### traefik:
+```
+wrk -t8 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-traefik:8000/bench
+Running 1m test @ http://IP-traefik:8000/bench
+  20 threads and 1000 connections
+  Thread Stats   Avg      Stdev     Max   +/- Stdev
+    Latency    91.72ms  150.43ms   2.00s    90.50%
+    Req/Sec     1.43k   266.37     2.97k    69.77%
+  Latency Distribution
+     50%   19.74ms
+     75%  121.98ms
+     90%  237.39ms
+     99%  687.49ms
+  1705073 requests in 1.00m, 188.63MB read
+  Socket errors: connect 0, read 0, write 0, timeout 7
+Requests/sec:  28392.44
+Transfer/sec:      3.14MB
+```
+
+## Conclusion
+
+Traefik is obviously slower than Nginx, but not so much: Traefik can serve 28392 requests/sec and Nginx 33591 requests/sec which gives a ratio of 85%.
+Not bad for young project :) !
+
+Some areas of possible improvements:
+- Use [GO_REUSEPORT](https://github.com/kavu/go_reuseport) listener
+- Run a separate server instance per CPU core with `GOMAXPROCS=1` (it appears during benchmarks that there is a lot more context switches with traefik than with nginx)
+

docs/css/traefik.css

@@ -0,0 +1,43 @@
+a {
+    color: #37ABC8;
+    text-decoration: none;
+}
+
+a:hover, a:focus {
+    color: #25606F;
+    text-decoration: underline;
+}
+
+h1, h2, h3, H4 {
+    color: #37ABC8;
+}
+
+.navbar-default {
+    background-color: #37ABC8;
+    border-color: #25606F;
+}
+
+.navbar-default .navbar-nav>.active>a, .navbar-default .navbar-nav>.active>a:hover, .navbar-default .navbar-nav>.active>a:focus {
+    color: #fff;
+    background-color: #25606F;
+}
+
+.navbar-default .navbar-nav>li>a:hover, .navbar-default .navbar-nav>li>a:focus {
+    color: #fff;
+    background-color: #25606F;
+}
+
+.navbar-default .navbar-toggle {
+    border-color: #25606F;
+}
+
+.navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus .navbar-toggle {
+    background-color: #25606F;
+}
+.navbar-default .navbar-collapse, .navbar-default .navbar-form {
+    border-color: #25606F;
+}
+
+blockquote p {
+    font-size: 14px;
+}

docs/img/letsencrypt-logo-horizontal.svg

@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="337.37802"
+   height="107.921"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.48.4 r9939"
+   sodipodi:docname="letsencrypt-logo-horizontal.svg">
+  <metadata
+     id="metadata37">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs35" />
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="640"
+     inkscape:window-height="480"
+     id="namedview33"
+     showgrid="false"
+     fit-margin-bottom="30"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     inkscape:zoom="0.72861357"
+     inkscape:cx="168.57"
+     inkscape:cy="69.027001"
+     inkscape:window-x="0"
+     inkscape:window-y="30"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg2" />
+  <g
+     id="g4"
+     transform="translate(-0.930001,-1.606)">
+    <title
+       id="title6">Layer 1</title>
+    <g
+       id="svg_1">
+      <g
+         id="svg_2">
+        <g
+           id="svg_3">
+          <path
+             id="svg_4"
+             d="m 76.621002,68.878998 0,-31.406998 7.629997,0 0,24.796997 12.153999,0 0,6.609001 -19.783997,0 0,9.99e-4 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_5"
+             d="m 121.547,58.098999 c 0,0.295998 0,0.592003 0,0.888 0,0.295997 -0.015,0.576004 -0.044,0.843002 l -16.01301,0 c 0.059,0.620995 0.244,1.182999 0.555,1.685997 0.311,0.502998 0.71,0.938004 1.197,1.308998 0.488,0.370003 1.035,0.658005 1.642,0.864006 0.605,0.208 1.234,0.310997 1.885,0.310997 1.153,0 2.13,-0.213997 2.928,-0.642998 0.799,-0.429001 1.449,-0.983002 1.952,-1.664001 l 5.05699,3.194 c -1.03498,1.507996 -2.40199,2.668999 -4.10299,3.482002 -1.701,0.811996 -3.676,1.219994 -5.922,1.219994 -1.657,0 -3.224,-0.259995 -4.702,-0.775993 -1.479,-0.518005 -2.772,-1.271004 -3.882,-2.263 -1.108,-0.990005 -1.981,-2.210007 -2.616996,-3.659004 -0.635994,-1.448997 -0.953003,-3.104996 -0.953003,-4.969002 0,-1.802994 0.309998,-3.437996 0.931,-4.900997 0.620999,-1.463001 1.463999,-2.706001 2.528999,-3.726002 1.064,-1.021 2.32,-1.811996 3.771,-2.373997 1.448,-0.561001 3.016,-0.843002 4.701,-0.843002 1.626,0 3.12,0.274002 4.48,0.820999 1.36,0.546997 2.528,1.338001 3.505,2.373001 0.976,1.035 1.73599,2.292 2.284,3.771 0.546,1.478001 0.819,3.165001 0.819,5.056 z m -6.698,-2.794998 c 0,-1.153 -0.362,-2.144001 -1.087,-2.972 -0.725,-0.827 -1.812,-1.242001 -3.26,-1.242001 -0.71,0 -1.36,0.111 -1.952,0.333 -0.59199,0.222 -1.108,0.525002 -1.553,0.909 -0.443,0.384998 -0.798,0.835999 -1.064,1.354 -0.266,0.517998 -0.414,1.057999 -0.443,1.618 l 9.359,0 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_6"
+             d="m 133.168,52.200001 0,8.461002 c 0,1.038994 0.2,1.816994 0.60001,2.337997 0.39799,0.519997 1.11499,0.778 2.151,0.778 0.35399,0 0.73098,-0.028 1.13099,-0.089 0.39901,-0.05901 0.73101,-0.147003 0.998,-0.266006 l 0.089,5.323006 c -0.50299,0.176994 -1.13899,0.332001 -1.90699,0.465996 -0.76999,0.133003 -1.538,0.199005 -2.307,0.199005 -1.479,0 -2.722,-0.186005 -3.727,-0.556007 C 129.19,68.484002 128.384,67.949998 127.77901,67.252 127.172,66.556001 126.73599,65.725999 126.47,64.762002 126.203,63.799005 126.071,62.724 126.071,61.538003 l 0,-9.338001 -3.549,0 0,-5.412003 3.504,0 0,-5.810997 7.142,0 0,5.810997 5.19,0 0,5.412003 -5.19,0 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_7"
+             d="m 161.91299,53.307999 c -0.59201,-0.560997 -1.28601,-1.034 -2.085,-1.418999 -0.79801,-0.383999 -1.64099,-0.577 -2.528,-0.577 -0.681,0 -1.30899,0.133999 -1.885,0.398998 -0.57699,0.267002 -0.865,0.726002 -0.865,1.375 0,0.621002 0.317,1.064003 0.953,1.331001 0.636,0.266998 1.664,0.562 3.08299,0.887001 0.82801,0.177998 1.664,0.43 2.50701,0.754997 0.843,0.324997 1.604,0.754005 2.28399,1.286003 0.68001,0.531998 1.22701,1.182999 1.64202,1.951996 0.41299,0.769005 0.62098,1.686005 0.62098,2.75 0,1.391006 -0.28099,2.565002 -0.84298,3.526001 -0.56201,0.960999 -1.29401,1.737 -2.19602,2.329002 -0.902,0.592002 -1.91499,1.019997 -3.03799,1.286003 -1.12399,0.266998 -2.248,0.398994 -3.371,0.398994 -1.80499,0 -3.571,-0.287994 -5.302,-0.864998 C 149.161,68.146002 147.719,67.294996 146.566,66.170995 l 4.08099,-4.303001 c 0.649,0.710007 1.448,1.302002 2.395,1.774002 0.946,0.473999 1.952,0.709999 3.017,0.709999 0.592,0 1.176,-0.140999 1.752,-0.421997 0.577,-0.279999 0.86501,-0.776001 0.86501,-1.485001 0,-0.681 -0.35401,-1.182999 -1.06401,-1.509003 -0.71,-0.324997 -1.818,-0.664993 -3.327,-1.020996 -0.769,-0.177002 -1.53799,-0.413002 -2.30699,-0.709 -0.77001,-0.295998 -1.457,-0.694 -2.06202,-1.197998 -0.60598,-0.502007 -1.10199,-1.123001 -1.48599,-1.863007 -0.384,-0.737995 -0.576,-1.625996 -0.576,-2.660995 0,-1.331001 0.28,-2.462002 0.843,-3.394001 0.562,-0.931999 1.286,-1.692001 2.174,-2.284 0.88701,-0.591999 1.87001,-1.027 2.949,-1.308998 1.079,-0.281998 2.151,-0.422001 3.217,-0.422001 1.655,0 3.274,0.259998 4.856,0.776001 1.582,0.517998 2.921,1.293999 4.015,2.328999 l -3.995,4.127998 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_8"
+             d="m 179.56799,68.878998 0,-31.406998 21.114,0 0,6.388 -13.795,0 0,5.944 13.041,0 0,6.077 -13.041,0 0,6.521 14.594,0 0,6.476997 -21.913,0 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_9"
+             d="m 220.675,68.878998 0,-12.065994 c 0,-0.621002 -0.053,-1.212002 -0.155,-1.774002 -0.104,-0.562 -0.274,-1.057003 -0.511,-1.486 -0.237,-0.428001 -0.569,-0.769001 -0.998,-1.021 -0.429,-0.25 -0.96899,-0.377003 -1.619,-0.377003 -0.65001,0 -1.22,0.127003 -1.70799,0.377003 -0.487,0.251999 -0.89501,0.599998 -1.22001,1.042999 -0.32499,0.443001 -0.569,0.953999 -0.731,1.529999 -0.16299,0.577 -0.244,1.175999 -0.244,1.797001 l 0,11.976997 -7.319,0 0,-22.091 7.05301,0 0,3.061001 0.089,0 c 0.26699,-0.473 0.613,-0.938 1.043,-1.396 0.428,-0.459 0.932,-0.850998 1.50801,-1.175999 0.57699,-0.325001 1.20498,-0.591999 1.88598,-0.799 0.68001,-0.206001 1.40401,-0.311001 2.17301,-0.311001 1.479,0 2.735,0.266998 3.77099,0.799 1.036,0.532002 1.87001,1.220001 2.50701,2.062 0.636,0.842999 1.09401,1.812 1.375,2.904999 0.28,1.095001 0.421,2.189003 0.421,3.283001 l 0,13.661999 -7.321,0 0,9.99e-4 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_10"
+             d="m 246.71301,53.929001 c -0.41501,-0.532001 -0.977,-0.959999 -1.686,-1.285999 -0.70999,-0.325001 -1.43601,-0.488003 -2.174,-0.488003 -0.77,0 -1.464,0.155003 -2.085,0.466 -0.62101,0.310997 -1.153,0.726002 -1.59701,1.242001 -0.44299,0.518002 -0.79199,1.117001 -1.04299,1.797001 -0.251,0.681004 -0.377,1.404003 -0.377,2.174 0,0.768997 0.11799,1.493004 0.35499,2.173004 0.23601,0.681 0.58301,1.279999 1.04201,1.796997 0.45799,0.517998 1.005,0.924995 1.642,1.220001 0.636,0.295998 1.35299,0.443001 2.151,0.443001 0.73801,0 1.47099,-0.139999 2.19501,-0.421005 0.72401,-0.281006 1.30899,-0.687996 1.75198,-1.220001 l 4.03702,4.924004 c -0.91703,0.887001 -2.10102,1.582001 -3.54901,2.084999 -1.44899,0.501999 -2.987,0.753998 -4.61299,0.753998 -1.74501,0 -3.37401,-0.266998 -4.88701,-0.798996 -1.512,-0.531998 -2.82601,-1.308998 -3.941,-2.329002 -1.11599,-1.019997 -1.99299,-2.253998 -2.63299,-3.702995 -0.64,-1.448997 -0.959,-3.090004 -0.959,-4.924004 0,-1.804001 0.31898,-3.431 0.959,-4.880001 0.64,-1.447998 1.51699,-2.683998 2.63299,-3.703999 1.11499,-1.021 2.43,-1.804001 3.941,-2.351002 1.513,-0.546997 3.127,-0.820999 4.843,-0.820999 0.798,0 1.589,0.074 2.373,0.223 0.783,0.147003 1.53699,0.348 2.26199,0.599003 0.72501,0.251003 1.39002,0.562 1.996,0.931999 0.60599,0.369999 1.13202,0.776001 1.57502,1.219997 l -4.21201,4.877003 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_11"
+             d="m 268.03201,52.776001 c -0.32599,-0.089 -0.64401,-0.146999 -0.95401,-0.177002 -0.30999,-0.03 -0.61398,-0.045 -0.90899,-0.045 -0.97599,0 -1.797,0.177998 -2.46201,0.530998 -0.66498,0.354 -1.19699,0.781002 -1.59698,1.283001 -0.39902,0.500999 -0.68802,1.047001 -0.86503,1.636997 -0.177,0.589996 -0.26599,1.105003 -0.26599,1.548004 l 0,11.324997 -7.27499,0 0,-22.063999 7.009,0 0,3.194 0.089,0 c 0.56201,-1.132 1.35901,-2.055 2.396,-2.77 1.03402,-0.715 2.23202,-1.071999 3.59302,-1.071999 0.29498,0 0.58398,0.016 0.86499,0.045 0.27999,0.029 0.51001,0.074 0.68801,0.133003 L 268.03201,52.776 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_12"
+             d="m 285.12201,72.206001 c -0.44299,1.153 -0.939,2.181 -1.48599,3.083 -0.547,0.901001 -1.19702,1.669998 -1.95102,2.306999 -0.754,0.636002 -1.642,1.114998 -2.66199,1.441002 -1.01999,0.324997 -2.22601,0.487999 -3.61499,0.487999 -0.681,0 -1.38299,-0.045 -2.10602,-0.134003 -0.72598,-0.089 -1.354,-0.207001 -1.88598,-0.353996 L 272.215,72.916 c 0.354,0.116997 0.746,0.213997 1.17602,0.288002 0.42798,0.073 0.81998,0.110001 1.17499,0.110001 1.12399,0 1.93701,-0.259003 2.44,-0.776001 0.50199,-0.518005 0.931,-1.249001 1.28601,-2.195 l 0.70999,-1.818001 -9.22699,-21.736 8.073,0 4.92398,14.195 0.133,0 4.392,-14.195 7.71802,0 -9.89301,25.417 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_13"
+             d="m 321.496,57.745003 c 0,1.537994 -0.237,3.016998 -0.70999,4.435997 -0.474,1.419998 -1.16101,2.668999 -2.06201,3.748001 -0.90201,1.080002 -2.004,1.945 -3.30499,2.596001 -1.30201,0.649002 -2.78,0.975998 -4.43702,0.975998 -1.35998,0 -2.64599,-0.273003 -3.85901,-0.82 -1.21301,-0.546997 -2.15799,-1.293999 -2.83898,-2.239998 l -0.088,0 0,13.085999 -7.27502,0 0,-32.739002 6.92001,0 0,2.706001 0.133,0 c 0.681,-0.887001 1.61899,-1.662998 2.81698,-2.328999 C 307.98801,46.5 309.39999,46.167 311.02701,46.167 c 1.59698,0 3.04498,0.311001 4.34698,0.931999 1.301,0.621002 2.40201,1.464001 3.305,2.528 0.90298,1.063999 1.59701,2.299999 2.08502,3.704002 0.488,1.404999 0.73199,2.876999 0.73199,4.414001 z m -7.05301,0 c 0,-0.709999 -0.11001,-1.403999 -0.332,-2.085003 -0.22201,-0.68 -0.548,-1.278999 -0.97699,-1.797001 -0.42901,-0.516998 -0.96902,-0.938 -1.61902,-1.264 -0.64999,-0.326 -1.40399,-0.487999 -2.26199,-0.487999 -0.828,0 -1.56799,0.162998 -2.21799,0.487999 -0.651,0.325001 -1.20602,0.754002 -1.664,1.285999 -0.45901,0.532001 -0.81302,1.139 -1.06402,1.818001 -0.25199,0.681004 -0.37699,1.375004 -0.37699,2.085003 0,0.709999 0.125,1.404999 0.37699,2.084999 0.251,0.681 0.60501,1.285995 1.06402,1.818001 0.45798,0.531998 1.013,0.961998 1.664,1.286995 0.64899,0.325005 1.38999,0.487 2.21799,0.487 0.85699,0 1.61099,-0.161995 2.26199,-0.487 0.651,-0.325005 1.19001,-0.754997 1.61902,-1.286995 0.42902,-0.531998 0.75498,-1.146004 0.97699,-1.841003 0.22101,-0.693001 0.332,-1.394997 0.332,-2.104996 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+          <path
+             id="svg_14"
+             d="m 333.11801,52.200001 0,8.461002 c 0,1.038994 0.20001,1.816994 0.60001,2.337997 0.39798,0.519997 1.11499,0.778 2.151,0.778 0.354,0 0.73099,-0.028 1.13098,-0.089 0.39902,-0.05901 0.73102,-0.147003 0.99802,-0.266006 l 0.089,5.323006 c -0.50299,0.176994 -1.139,0.332001 -1.90698,0.465996 -0.77002,0.133003 -1.53802,0.199005 -2.307,0.199005 -1.47901,0 -2.72202,-0.186005 -3.72702,-0.556007 -1.00599,-0.369995 -1.81199,-0.903999 -2.417,-1.601997 -0.60699,-0.695999 -1.043,-1.526001 -1.30899,-2.489998 C 326.15302,63.799005 326.021,62.724 326.021,61.538003 l 0,-9.338001 -3.54898,0 0,-5.412003 3.50399,0 0,-5.810997 7.142,0 0,5.810997 5.19,0 0,5.412003 -5.19,0 z"
+             inkscape:connector-curvature="0"
+             style="fill:#2c3c69" />
+        </g>
+      </g>
+      <path
+         id="svg_15"
+         d="m 145.00999,36.869999 c -2.18299,0 -3.89199,1.573002 -3.89199,3.582001 0,2.116001 1.43899,3.536999 3.582,3.536999 0.183,0 0.35599,-0.017 0.51899,-0.05 -0.343,1.566002 -1.852,2.690002 -3.27799,2.915001 l -0.29001,0.046 0,3.376999 0.376,-0.036 c 1.73,-0.165001 3.439,-0.951 4.691,-2.157001 1.632,-1.572998 2.49501,-3.843998 2.49501,-6.568001 0,-2.691998 -1.76799,-4.646 -4.20301,-4.646 z"
+         inkscape:connector-curvature="0"
+         style="fill:#2c3c69" />
+    </g>
+    <g
+       id="svg_16">
+      <path
+         id="svg_17"
+         d="m 46.488998,37.568001 -8.039997,0 0,-4.128002 c 0,-3.296997 -2.683002,-5.979 -5.98,-5.979 -3.297001,0 -5.979,2.683002 -5.979,5.979 l 0,4.128002 -8.040001,0 0,-4.128002 c 0,-7.73 6.288998,-14.019999 14.02,-14.019999 7.731002,0 14.02,6.289 14.02,14.019999 l 0,4.128002 -0.001,0 z"
+         inkscape:connector-curvature="0"
+         style="fill:#f9a11d" />
+    </g>
+    <path
+       id="svg_18"
+       d="m 49.731998,37.568001 -34.524998,0 c -1.474001,0 -2.68,1.205997 -2.68,2.68 l 0,25.540001 c 0,1.473999 1.205999,2.68 2.68,2.68 l 34.524998,0 c 1.474003,0 2.68,-1.206001 2.68,-2.68 l 0,-25.540001 c 0,-1.474003 -1.205997,-2.68 -2.68,-2.68 z m -15.512997,16.769001 0,3.460995 c 0,0.966003 -0.784,1.749001 -1.749001,1.749001 -0.965001,0 -1.749001,-0.783997 -1.749001,-1.749001 l 0,-3.459995 c -1.076,-0.611 -1.803001,-1.764 -1.803001,-3.09 0,-1.962002 1.591,-3.552002 3.552002,-3.552002 1.961998,0 3.551998,1.591 3.551998,3.552002 0,1.325001 -0.727001,2.478001 -1.802998,3.089001 z"
+       inkscape:connector-curvature="0"
+       style="fill:#2c3c69" />
+    <path
+       id="svg_19"
+       d="m 11.707001,33.759998 -8.331,0 c -1.351001,0 -2.446,-1.094997 -2.446,-2.445999 0,-1.351002 1.094999,-2.445999 2.446,-2.445999 l 8.331,0 c 1.351,0 2.445999,1.095001 2.445999,2.445999 0,1.350998 -1.096001,2.445999 -2.445999,2.445999 z"
+       inkscape:connector-curvature="0"
+       style="fill:#f9a11d" />
+    <path
+       id="svg_20"
+       d="m 17.575001,20.655001 c -0.546001,0 -1.097,-0.182001 -1.552,-0.557001 l -6.59,-5.418999 C 8.39,13.820999 8.239001,12.280001 9.098,11.236 9.956,10.193001 11.497,10.042 12.541001,10.9 l 6.59,5.419001 c 1.042999,0.858 1.194,2.399 0.334999,3.442999 -0.483,0.589001 -1.184,0.893002 -1.890999,0.893002 z"
+       inkscape:connector-curvature="0"
+       style="fill:#f9a11d" />
+    <path
+       id="svg_21"
+       d="m 32.469002,14.895 c -1.351002,0 -2.446003,-1.095001 -2.446003,-2.446001 l 0,-8.396999 c 0,-1.351 1.095001,-2.446 2.446003,-2.446 1.351002,0 2.445999,1.095 2.445999,2.446 l 0,8.396999 c 0,1.351 -1.095001,2.446001 -2.445999,2.446001 z"
+       inkscape:connector-curvature="0"
+       style="fill:#f9a11d" />
+    <g
+       id="svg_22">
+      <g
+         id="svg_23">
+        <path
+           id="svg_24"
+           d="M 47.362999,20.655001 C 46.655998,20.655001 45.956001,20.351 45.472,19.761999 44.613998,18.719 44.764,17.177 45.806999,16.319 l 6.59,-5.419001 c 1.044003,-0.858 2.585003,-0.706999 3.442997,0.336 0.858002,1.042999 0.708,2.584999 -0.334999,3.443001 l -6.589996,5.418999 C 48.459999,20.472999 47.91,20.655 47.362999,20.655 z"
+           inkscape:connector-curvature="0"
+           style="fill:#f9a11d" />
+      </g>
+    </g>
+    <path
+       id="svg_25"
+       d="m 61.563004,33.759998 -8.410004,0 c -1.351002,0 -2.445999,-1.094997 -2.445999,-2.445999 0,-1.351002 1.094997,-2.445999 2.445999,-2.445999 l 8.410004,0 c 1.350998,0 2.445999,1.095001 2.445999,2.445999 0,1.350998 -1.095001,2.445999 -2.445999,2.445999 z"
+       inkscape:connector-curvature="0"
+       style="fill:#f9a11d" />
+  </g>
+</svg>

docs/toml.md

@@ -0,0 +1,994 @@
+
+# Global configuration
+
+## Main section
+
+```toml
+# traefik.toml
+################################################################
+# Global configuration
+################################################################
+
+# Traefik logs file
+# If not defined, logs to stdout
+#
+# Optional
+#
+# traefikLogsFile = "log/traefik.log"
+
+# Access logs file
+#
+# Optional
+#
+# accessLogsFile = "log/access.log"
+
+# Log level
+#
+# Optional
+# Default: "ERROR"
+#
+# logLevel = "ERROR"
+
+# Backends throttle duration: minimum duration between 2 events from providers
+# before applying a new configuration. It avoids unnecessary reloads if multiples events
+# are sent in a short amount of time.
+#
+# Optional
+# Default: "2s"
+#
+# ProvidersThrottleDuration = "5s"
+
+# If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used.
+# If you encounter 'too many open files' errors, you can either change this value, or change `ulimit` value.
+#
+# Optional
+# Default: http.DefaultMaxIdleConnsPerHost
+#
+# MaxIdleConnsPerHost = 200
+
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+```
+
+## Entrypoints definition
+
+```toml
+# Entrypoints definition
+#
+# Optional
+# Default:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#
+# To redirect an http entrypoint to an https entrypoint (with SNI support):
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       entryPoint = "https"
+#   [entryPoints.https]
+#   address = ":443"
+#     [entryPoints.https.tls]
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.com.cert"
+#       KeyFile = "integration/fixtures/https/snitest.com.key"
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.org.cert"
+#       KeyFile = "integration/fixtures/https/snitest.org.key"
+#
+# To redirect an entrypoint rewriting the URL:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       regex = "^http://localhost/(.*)"
+#       replacement = "http://mydomain/$1"
+```
+
+## Retry configuration
+
+```toml
+# Enable retry sending request if network error
+#
+# Optional
+#
+# [retry]
+
+# Number of attempts
+#
+# Optional
+# Default: (number servers in backend) -1
+#
+# attempts = 3
+
+# Sets the maximum request body to be stored in memory in Mo
+#
+# Optional
+# Default: 2
+#
+# maxMem = 3
+```
+
+## ACME (Let's Encrypt) configuration
+
+```toml
+# Enable ACME (Let's Encrypt): automatic SSL
+#
+# Optional
+#
+# [acme]
+
+# Email address used for registration
+#
+# Required
+#
+# email = "test@traefik.io"
+
+# File used for certificates storage.
+# WARNING, if you use Traefik in Docker, don't forget to mount this file as a volume.
+#
+# Required
+#
+# storageFile = "acme.json"
+
+# Entrypoint to proxy acme challenge to.
+# WARNING, must point to an entrypoint on port 443 
+#
+# Required
+#
+# entryPoint = "https"
+
+# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+#
+# Optional
+#
+# onDemand = true
+
+# CA server to use
+# Uncomment the line to run on the staging let's encrypt server
+# Leave comment to go to prod
+#
+# Optional
+#
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+
+# Domains list
+# You can provide SANs (alternative domains) to each main domain
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+# Each domain & SANs will lead to a certificate request.
+#
+# [[acme.domains]]
+#   main = "local1.com"
+#   sans = ["test1.local1.com", "test2.local1.com"]
+# [[acme.domains]]
+#   main = "local2.com"
+#   sans = ["test1.local2.com", "test2x.local2.com"]
+# [[acme.domains]]
+#   main = "local3.com"
+# [[acme.domains]]
+#   main = "local4.com"
+```
+
+# Configuration backends
+
+## File backend
+
+Like any other reverse proxy, Træfɪk can be configured with a file. You have two choices:
+
+- simply add your configuration at the end of the global configuration file `traefik.toml` :
+
+```toml
+# traefik.toml
+logLevel = "DEBUG"
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+      entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+
+[file]
+
+# rules
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+      expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.LoadBalancer]
+      method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+    rule = "Path:/test"
+```
+
+- or put your rules in a separate file, for example `rules.tml`:
+
+```toml
+# traefik.toml
+logLevel = "DEBUG"
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+      entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+
+[file]
+filename = "rules.toml"
+```
+
+```toml
+# rules.toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+      expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.LoadBalancer]
+      method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+    rule = "Path:/test"
+```
+
+If you want Træfɪk to watch file changes automatically, just add:
+
+```toml
+[file]
+watch = true
+```
+
+## API backend
+
+Træfik can be configured using a restful api.
+To enable it:
+
+```toml
+[web]
+address = ":8080"
+
+# SSL certificate and key used
+#
+# Optional
+#
+# CertFile = "traefik.crt"
+# KeyFile = "traefik.key"
+#
+# Set REST API to read-only mode
+#
+# Optional
+# ReadOnly = false
+```
+
+- `/`: provides a simple HTML frontend of Træfik
+
+![Web UI Providers](img/web.frontend.png)
+![Web UI Health](img/traefik-health.png)
+
+- `/health`: `GET` json metrics
+
+```sh
+$ curl -s "http://localhost:8080/health" | jq .
+{
+  // Træfɪk PID
+  "pid": 2458,
+  // Træfɪk server uptime (formated time)
+  "uptime": "39m6.885931127s",
+  //  Træfɪk server uptime in seconds
+  "uptime_sec": 2346.885931127,
+  // current server date
+  "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
+  // current server date in seconds
+  "unixtime": 1444235544,
+  // count HTTP response status code in realtime
+  "status_code_count": {
+    "502": 1
+  },
+  // count HTTP response status code since Træfɪk started
+  "total_status_code_count": {
+    "200": 7,
+    "404": 21,
+    "502": 13
+  },
+  // count HTTP response
+  "count": 1,
+  // count HTTP response
+  "total_count": 41,
+  // sum of all response time (formated time)
+  "total_response_time": "35.456865605s",
+  // sum of all response time in seconds
+  "total_response_time_sec": 35.456865605,
+  // average response time (formated time)
+  "average_response_time": "864.8016ms",
+  // average response time in seconds
+  "average_response_time_sec": 0.8648016000000001
+}
+```
+
+- `/api`: `GET` configuration for all providers
+
+```sh
+$ curl -s "http://localhost:8080/api" | jq .
+{
+  "file": {
+    "frontends": {
+      "frontend2": {
+        "routes": {
+          "test_2": {
+            "rule": "Path:/test"
+          }
+        },
+        "backend": "backend1"
+      },
+      "frontend1": {
+        "routes": {
+          "test_1": {
+            "rule": "Host:test.localhost"
+          }
+        },
+        "backend": "backend2"
+      }
+    },
+    "backends": {
+      "backend2": {
+        "loadBalancer": {
+          "method": "drr"
+        },
+        "servers": {
+          "server2": {
+            "weight": 2,
+            "URL": "http://172.17.0.5:80"
+          },
+          "server1": {
+            "weight": 1,
+            "url": "http://172.17.0.4:80"
+          }
+        }
+      },
+      "backend1": {
+        "loadBalancer": {
+          "method": "wrr"
+        },
+        "circuitBreaker": {
+          "expression": "NetworkErrorRatio() > 0.5"
+        },
+        "servers": {
+          "server2": {
+            "weight": 1,
+            "url": "http://172.17.0.3:80"
+          },
+          "server1": {
+            "weight": 10,
+            "url": "http://172.17.0.2:80"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+- `/api/providers`: `GET` providers
+- `/api/providers/{provider}`: `GET` or `PUT` provider
+- `/api/providers/{provider}/backends`: `GET` backends
+- `/api/providers/{provider}/backends/{backend}`: `GET` a backend
+- `/api/providers/{provider}/backends/{backend}/servers`: `GET` servers in a backend
+- `/api/providers/{provider}/backends/{backend}/servers/{server}`: `GET` a server in a backend
+- `/api/providers/{provider}/frontends`: `GET` frontends
+- `/api/providers/{provider}/frontends/{frontend}`: `GET` a frontend
+- `/api/providers/{provider}/frontends/{frontend}/routes`: `GET` routes in a frontend
+- `/api/providers/{provider}/frontends/{frontend}/routes/{route}`: `GET` a route in a frontend
+
+
+## Docker backend
+
+Træfɪk can be configured to use Docker as a backend configuration:
+
+```toml
+################################################################
+# Docker configuration backend
+################################################################
+
+# Enable Docker configuration backend
+#
+# Optional
+#
+[docker]
+
+# Docker server endpoint. Can be a tcp or a unix socket endpoint.
+#
+# Required
+#
+endpoint = "unix:///var/run/docker.sock"
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on a container.
+#
+# Required
+#
+domain = "docker.localhost"
+
+# Enable watch docker changes
+#
+# Optional
+#
+watch = true
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "docker.tmpl"
+
+# Enable docker TLS connection
+#
+#  [docker.tls]
+#  ca = "/etc/ssl/ca.crt"
+#  cert = "/etc/ssl/docker.crt"
+#  key = "/etc/ssl/docker.key"
+#  insecureskipverify = true
+```
+
+Labels can be used on containers to override default behaviour:
+
+- `traefik.backend=foo`: assign the container to `foo` backend
+- `traefik.port=80`: register this port. Useful when the container exposes multiples ports.
+- `traefik.protocol=https`: override the default `http` protocol
+- `traefik.weight=10`: assign this weight to the container
+- `traefik.enable=false`: disable this container in Træfɪk
+- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`). See [frontends](#frontends).
+- `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend.
+- `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.
+* `traefik.domain=traefik.localhost`: override the default domain
+
+
+## Marathon backend
+
+Træfɪk can be configured to use Marathon as a backend configuration:
+
+
+```toml
+################################################################
+# Mesos/Marathon configuration backend
+################################################################
+
+# Enable Marathon configuration backend
+#
+# Optional
+#
+[marathon]
+
+# Marathon server endpoint.
+# You can also specify multiple endpoint for Marathon:
+# endpoint := "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+#
+# Required
+#
+endpoint = "http://127.0.0.1:8080"
+
+# Enable watch Marathon changes
+#
+# Optional
+#
+watch = true
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on an application.
+#
+# Required
+#
+domain = "marathon.localhost"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "marathon.tmpl"
+
+# Expose Marathon apps by default in traefik
+#
+# Optional
+# Default: false
+#
+# ExposedByDefault = true
+
+# Enable Marathon basic authentication
+#
+# Optional
+#
+#  [marathon.basic]
+#  httpBasicAuthUser = "foo"
+#  httpBasicPassword = "bar"
+
+# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
+#
+# Optional
+#
+# [marathon.TLS]
+# InsecureSkipVerify = true
+```
+
+Labels can be used on containers to override default behaviour:
+
+- `traefik.backend=foo`: assign the application to `foo` backend
+- `traefik.portIndex=1`: register port by index in the application's ports array. Useful when the application exposes multiple ports.
+- `traefik.port=80`: register the explicit application port value. Cannot be used alongside `traefik.portIndex`.
+- `traefik.protocol=https`: override the default `http` protocol
+- `traefik.weight=10`: assign this weight to the application
+- `traefik.enable=false`: disable this application in Træfɪk
+- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`). See [frontends](#frontends).
+- `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend.
+- `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.
+* `traefik.domain=traefik.localhost`: override the default domain
+
+## Consul backend
+
+Træfɪk can be configured to use Consul as a backend configuration:
+
+```toml
+################################################################
+# Consul KV configuration backend
+################################################################
+
+# Enable Consul KV configuration backend
+#
+# Optional
+#
+[consul]
+
+# Consul server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:8500"
+
+# Enable watch Consul changes
+#
+# Optional
+#
+watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+prefix = "traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "consul.tmpl"
+
+# Enable consul TLS connection
+#
+# Optional
+#
+# [consul.tls]
+# ca = "/etc/ssl/ca.crt"
+# cert = "/etc/ssl/consul.crt"
+# key = "/etc/ssl/consul.key"
+# insecureskipverify = true
+```
+
+Please refer to the [Key Value storage structure](#key-value-storage-structure) section to get documentation en traefik KV structure.
+
+## Consul catalog backend
+
+Træfɪk can be configured to use service discovery catalog of Consul as a backend configuration:
+
+```toml
+################################################################
+# Consul Catalog configuration backend
+################################################################
+
+# Enable Consul Catalog configuration backend
+#
+# Optional
+#
+[consulCatalog]
+
+# Consul server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:8500"
+
+# Default domain used.
+#
+# Optional
+#
+domain = "consul.localhost"
+```
+
+This backend will create routes matching on hostname based on the service name
+used in consul.
+
+
+## Etcd backend
+
+Træfɪk can be configured to use Etcd as a backend configuration:
+
+```toml
+################################################################
+# Etcd configuration backend
+################################################################
+
+# Enable Etcd configuration backend
+#
+# Optional
+#
+# [etcd]
+
+# Etcd server endpoint
+#
+# Required
+#
+# endpoint = "127.0.0.1:4001"
+
+# Enable watch Etcd changes
+#
+# Optional
+#
+# watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+# prefix = "/traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "etcd.tmpl"
+
+# Enable etcd TLS connection
+#
+# Optional
+#
+# [etcd.tls]
+# ca = "/etc/ssl/ca.crt"
+# cert = "/etc/ssl/etcd.crt"
+# key = "/etc/ssl/etcd.key"
+# insecureskipverify = true
+```
+
+Please refer to the [Key Value storage structure](#key-value-storage-structure) section to get documentation en traefik KV structure.
+
+
+## Zookeeper backend
+
+Træfɪk can be configured to use Zookeeper as a backend configuration:
+
+```toml
+################################################################
+# Zookeeper configuration backend
+################################################################
+
+# Enable Zookeeperconfiguration backend
+#
+# Optional
+#
+# [zookeeper]
+
+# Zookeeper server endpoint
+#
+# Required
+#
+# endpoint = "127.0.0.1:2181"
+
+# Enable watch Zookeeper changes
+#
+# Optional
+#
+# watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+# prefix = "/traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "zookeeper.tmpl"
+```
+
+Please refer to the [Key Value storage structure](#key-value-storage-structure) section to get documentation en traefik KV structure.
+
+## BoltDB backend
+
+Træfɪk can be configured to use BoltDB as a backend configuration:
+
+```toml
+################################################################
+# BoltDB configuration backend
+################################################################
+
+# Enable BoltDB configuration backend
+#
+# Optional
+#
+# [boltdb]
+
+# BoltDB file
+#
+# Required
+#
+# endpoint = "/my.db"
+
+# Enable watch BoltDB changes
+#
+# Optional
+#
+# watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+# prefix = "/traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "boltdb.tmpl"
+```
+
+Please refer to the [Key Value storage structure](#key-value-storage-structure) section to get documentation en traefik KV structure.
+
+## Key-value storage structure
+
+The Keys-Values structure should look (using `prefix = "/traefik"`):
+
+- backend 1
+
+| Key                                                    | Value                       |
+|--------------------------------------------------------|-----------------------------|
+| `/traefik/backends/backend1/circuitbreaker/expression` | `NetworkErrorRatio() > 0.5` |
+| `/traefik/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
+| `/traefik/backends/backend1/servers/server1/weight`    | `10`                        |
+| `/traefik/backends/backend1/servers/server2/url`       | `http://172.17.0.3:80`      |
+| `/traefik/backends/backend1/servers/server2/weight`    | `1`                         |
+
+- backend 2
+
+| Key                                                 | Value                  |
+|-----------------------------------------------------|------------------------|
+| `/traefik/backends/backend2/loadbalancer/method`    | `drr`                  |
+| `/traefik/backends/backend2/servers/server1/url`    | `http://172.17.0.4:80` |
+| `/traefik/backends/backend2/servers/server1/weight` | `1`                    |
+| `/traefik/backends/backend2/servers/server2/url`    | `http://172.17.0.5:80` |
+| `/traefik/backends/backend2/servers/server2/weight` | `2`                    |
+
+- frontend 1
+
+| Key                                               | Value                 |
+|---------------------------------------------------|-----------------------|
+| `/traefik/frontends/frontend1/backend`            | `backend2`            |
+| `/traefik/frontends/frontend1/routes/test_1/rule` | `Host:test.localhost` |
+
+- frontend 2
+
+| Key                                                | Value        |
+|----------------------------------------------------|--------------|
+| `/traefik/frontends/frontend2/backend`             | `backend1`   |
+| `/traefik/frontends/frontend2/passHostHeader`      | `true`       |
+| `/traefik/frontends/frontend2/entrypoints`         | `http,https` |
+| `/traefik/frontends/frontend2/routes/test_2/rule`  | `Path:/test` |
+
+## Atomic configuration changes
+
+The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically. As a result, it may be possible for Træfɪk to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag. To solve this problem, Træfɪk supports a special key called `/traefik/alias`. If set, Træfɪk use the value as an alternative key prefix.
+
+Given the key structure below, Træfɪk will use the `http://172.17.0.2:80` as its only backend (frontend keys have been omitted for brevity).
+
+| Key                                                                     | Value                       |
+|-------------------------------------------------------------------------|-----------------------------|
+| `/traefik/alias`                                                        | `/traefik_configurations/1` |
+| `/traefik_configurations/1/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
+| `/traefik_configurations/1/backends/backend1/servers/server1/weight`    | `10`                        |
+
+When an atomic configuration change is required, you may write a new configuration at an alternative prefix. Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`:
+
+| Key                                                                     | Value                       |
+|-------------------------------------------------------------------------|-----------------------------|
+| `/traefik/alias`                                                        | `/traefik_configurations/1` |
+| `/traefik_configurations/1/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
+| `/traefik_configurations/1/backends/backend1/servers/server1/weight`    | `10`                        |
+| `/traefik_configurations/2/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
+| `/traefik_configurations/2/backends/backend1/servers/server1/weight`    | `5`                        |
+| `/traefik_configurations/2/backends/backend1/servers/server2/url`       | `http://172.17.0.3:80`      |
+| `/traefik_configurations/2/backends/backend1/servers/server2/weight`    | `5`                        |
+
+Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically. Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host:
+
+| Key                                                                     | Value                       |
+|-------------------------------------------------------------------------|-----------------------------|
+| `/traefik/alias`                                                        | `/traefik_configurations/2` |
+| `/traefik_configurations/1/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
+| `/traefik_configurations/1/backends/backend1/servers/server1/weight`    | `10`                        |
+| `/traefik_configurations/2/backends/backend1/servers/server1/url`       | `http://172.17.0.3:80`      |
+| `/traefik_configurations/2/backends/backend1/servers/server1/weight`    | `5`                        |
+| `/traefik_configurations/2/backends/backend1/servers/server2/url`       | `http://172.17.0.4:80`      |
+| `/traefik_configurations/2/backends/backend1/servers/server2/weight`    | `5`                        |
+
+Note that Træfɪk *will not watch for key changes in the `/traefik_configurations` prefix*. It will only watch for changes in the `/traefik` prefix. Further, if the `/traefik/alias` key is set, all other sibling keys with the `/traefik` prefix are ignored.
+
+
+# Examples
+
+## HTTP only
+
+```
+defaultEntryPoints = ["http"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+```
+
+## HTTP + HTTPS (with SNI)
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+## HTTP redirect on HTTPS
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+```
+
+## Let's Encrypt support
+
+```
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      # certs used as default certs
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+[acme]
+email = "test@traefik.io"
+storageFile = "acme.json"
+onDemand = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+```
+
+## Override entrypoints in frontends
+
+```
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+    rule = "Path:/test"
+```

examples/compose-traefik.yml

@@ -0,0 +1,21 @@
+traefik:
+  image: traefik
+  command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
+  ports:
+    - "80:80"
+    - "8080:8080"
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+    - /dev/null:/traefik.toml
+
+whoami1:
+  image: emilevauge/whoami
+  labels:
+    - "traefik.backend=whoami"
+    - "traefik.frontend.rule=Host:whoami.docker.localhost"
+
+whoami2:
+  image: emilevauge/whoami
+  labels:
+    - "traefik.backend=whoami"
+    - "traefik.frontend.rule=Host:whoami.docker.localhost"

examples/whoami.json

@@ -25,6 +25,7 @@
   ],
   "labels": {
       "traefik.weight": "1",
-      "traefik.protocole": "http"
+      "traefik.protocole": "http",
+      "traefik.frontend.rule" : "Headers:Host,test.localhost"
   }
 }

glide.lock

@@ -0,0 +1,272 @@
+hash: 79b6eb2a613b5e2ce5c57150eec41ac04def3f232a3613fd8b5a88b5e1041b38
+updated: 2016-04-02T15:42:37.505896092+02:00
+imports:
+- name: github.com/alecthomas/template
+  version: b867cc6ab45cece8143cfcc6fc9c77cf3f2c23c0
+- name: github.com/alecthomas/units
+  version: 6b4e7dc5e3143b85ea77909c72caf89416fc2915
+- name: github.com/boltdb/bolt
+  version: 51f99c862475898df9773747d3accd05a7ca33c1
+- name: github.com/BurntSushi/toml
+  version: bd2bdf7f18f849530ef7a1c29a4290217cab32a1
+- name: github.com/BurntSushi/ty
+  version: 6add9cd6ad42d389d6ead1dde60b4ad71e46fd74
+  subpackages:
+  - fun
+- name: github.com/cenkalti/backoff
+  version: 4dc77674aceaabba2c7e3da25d4c823edfb73f99
+- name: github.com/codahale/hdrhistogram
+  version: 954f16e8b9ef0e5d5189456aa4c1202758e04f17
+- name: github.com/codegangsta/cli
+  version: bf4a526f48af7badd25d2cb02d587e1b01be3b50
+- name: github.com/codegangsta/negroni
+  version: c7477ad8e330bef55bf1ebe300cf8aa67c492d1b
+- name: github.com/containous/oxy
+  version: 0b5b371bce661385d35439204298fa6fb5db5463
+  subpackages:
+  - cbreaker
+  - forward
+  - memmetrics
+  - roundrobin
+  - utils
+  - stream
+- name: github.com/coreos/go-etcd
+  version: cc90c7b091275e606ad0ca7102a23fb2072f3f5e
+  subpackages:
+  - etcd
+- name: github.com/davecgh/go-spew
+  version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
+  subpackages:
+  - spew
+- name: github.com/docker/distribution
+  version: ff6f38ccb69afa96214c7ee955359465d1fc767a
+  subpackages:
+  - reference
+- name: github.com/docker/docker
+  version: f39987afe8d611407887b3094c03d6ba6a766a67
+  subpackages:
+  - autogen
+  - api
+  - cliconfig
+  - daemon/network
+  - graph/tags
+  - image
+  - opts
+  - pkg/archive
+  - pkg/fileutils
+  - pkg/homedir
+  - pkg/httputils
+  - pkg/ioutils
+  - pkg/jsonmessage
+  - pkg/mflag
+  - pkg/nat
+  - pkg/parsers
+  - pkg/pools
+  - pkg/promise
+  - pkg/random
+  - pkg/stdcopy
+  - pkg/stringid
+  - pkg/symlink
+  - pkg/system
+  - pkg/tarsum
+  - pkg/term
+  - pkg/timeutils
+  - pkg/tlsconfig
+  - pkg/ulimit
+  - pkg/units
+  - pkg/urlutil
+  - pkg/useragent
+  - pkg/version
+  - registry
+  - runconfig
+  - utils
+  - volume
+- name: github.com/docker/engine-api
+  version: 8924d6900370b4c7e7984be5adc61f50a80d7537
+  subpackages:
+  - client
+  - types
+  - types/container
+  - types/filters
+  - types/strslice
+  - client/transport
+  - client/transport/cancellable
+  - types/network
+  - types/registry
+  - types/time
+  - types/blkiodev
+- name: github.com/docker/go-connections
+  version: f549a9393d05688dff0992ef3efd8bbe6c628aeb
+  subpackages:
+  - nat
+  - sockets
+  - tlsconfig
+- name: github.com/docker/go-units
+  version: 5d2041e26a699eaca682e2ea41c8f891e1060444
+- name: github.com/docker/libcompose
+  version: e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
+- name: github.com/docker/libkv
+  version: 3732f7ff1b56057c3158f10bceb1e79133025373
+  subpackages:
+  - store
+  - store/boltdb
+  - store/consul
+  - store/etcd
+  - store/zookeeper
+- name: github.com/docker/libtrust
+  version: 9cbd2a1374f46905c68a4eb3694a130610adc62a
+- name: github.com/donovanhide/eventsource
+  version: d8a3071799b98cacd30b6da92f536050ccfe6da4
+- name: github.com/elazarl/go-bindata-assetfs
+  version: d5cac425555ca5cf00694df246e04f05e6a55150
+- name: github.com/flynn/go-shlex
+  version: 3f9db97f856818214da2e1057f8ad84803971cff
+- name: github.com/gambol99/go-marathon
+  version: ade11d1dc2884ee1f387078fc28509559b6235d1
+- name: github.com/go-check/check
+  version: 11d3bc7aa68e238947792f30573146a3231fc0f1
+- name: github.com/golang/glog
+  version: fca8c8854093a154ff1eb580aae10276ad6b1b5f
+- name: github.com/google/go-querystring
+  version: 6bb77fe6f42b85397288d4f6f67ac72f8f400ee7
+  subpackages:
+  - query
+- name: github.com/gorilla/context
+  version: 215affda49addc4c8ef7e2534915df2c8c35c6cd
+- name: github.com/gorilla/handlers
+  version: 40694b40f4a928c062f56849989d3e9cd0570e5f
+- name: github.com/gorilla/mux
+  version: f15e0c49460fd49eebe2bcc8486b05d1bef68d3a
+- name: github.com/gorilla/websocket
+  version: e2e3d8414d0fbae04004f151979f4e27c6747fe7
+- name: github.com/hashicorp/consul
+  version: de080672fee9e6104572eeea89eccdca135bb918
+  subpackages:
+  - api
+- name: github.com/hashicorp/hcl
+  version: 2604f3bda7e8960c1be1063709e7d7f0765048d0
+  subpackages:
+  - hcl/ast
+  - hcl/parser
+  - hcl/token
+  - json/parser
+  - hcl/scanner
+  - hcl/strconv
+  - json/scanner
+  - json/token
+- name: github.com/inconshreveable/mousetrap
+  version: 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+- name: github.com/kr/pretty
+  version: add1dbc86daf0f983cd4a48ceb39deb95c729b67
+- name: github.com/kr/text
+  version: bb797dc4fb8320488f47bf11de07a733d7233e1f
+- name: github.com/magiconair/properties
+  version: c265cfa48dda6474e208715ca93e987829f572f8
+- name: github.com/mailgun/log
+  version: 44874009257d4d47ba9806f1b7f72a32a015e4d8
+- name: github.com/mailgun/manners
+  version: fada45142db3f93097ca917da107aa3fad0ffcb5
+- name: github.com/mailgun/multibuf
+  version: 565402cd71fbd9c12aa7e295324ea357e970a61e
+- name: github.com/mailgun/timetools
+  version: fd192d755b00c968d312d23f521eb0cdc6f66bd0
+- name: github.com/Microsoft/go-winio
+  version: 9e2895e5f6c3f16473b91d37fae6e89990a4520c
+- name: github.com/miekg/dns
+  version: 7e024ce8ce18b21b475ac6baf8fa3c42536bf2fa
+- name: github.com/mitchellh/mapstructure
+  version: d2dd0262208475919e1a362f675cfc0e7c10e905
+- name: github.com/opencontainers/runc
+  version: 4ab132458fc3e9dbeea624153e0331952dc4c8d5
+  subpackages:
+  - libcontainer/user
+- name: github.com/pmezard/go-difflib
+  version: d8ed2627bdf02c080bf22230dbb337003b7aba2d
+  subpackages:
+  - difflib
+- name: github.com/samuel/go-zookeeper
+  version: fa6674abf3f4580b946a01bf7a1ce4ba8766205b
+  subpackages:
+  - zk
+- name: github.com/Sirupsen/logrus
+  version: 418b41d23a1bf978c06faea5313ba194650ac088
+- name: github.com/spf13/cast
+  version: ee7b3e0353166ab1f3a605294ac8cd2b77953778
+- name: github.com/spf13/cobra
+  version: 2ccf9e982a3e3eb21eba9c9ad8e546529fd74c71
+  subpackages:
+  - cobra
+- name: github.com/spf13/jwalterweatherman
+  version: 33c24e77fb80341fe7130ee7c594256ff08ccc46
+- name: github.com/spf13/pflag
+  version: 7f60f83a2c81bc3c3c0d5297f61ddfa68da9d3b7
+- name: github.com/spf13/viper
+  version: a212099cbe6fbe8d07476bfda8d2d39b6ff8f325
+- name: github.com/stretchr/objx
+  version: cbeaeb16a013161a98496fad62933b1d21786672
+- name: github.com/stretchr/testify
+  version: 6fe211e493929a8aac0469b93f28b1d0688a9a3a
+  subpackages:
+  - mock
+  - assert
+- name: github.com/thoas/stats
+  version: 54ed61c2b47e263ae2f01b86837b0c4bd1da28e8
+- name: github.com/unrolled/render
+  version: 26b4e3aac686940fe29521545afad9966ddfc80c
+- name: github.com/vdemeester/docker-events
+  version: bd72e1848b08db4b5ed1a2e9277621b9f5e5d1f3
+- name: github.com/vdemeester/libkermit
+  version: 7e4e689a6fa9281e0fb9b7b9c297e22d5342a5ec
+- name: github.com/vdemeester/shakers
+  version: 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
+- name: github.com/vulcand/oxy
+  version: 8aaf36279137ac04ace3792a4f86098631b27d5a
+  subpackages:
+  - memmetrics
+  - utils
+- name: github.com/vulcand/predicate
+  version: cb0bff91a7ab7cf7571e661ff883fc997bc554a3
+- name: github.com/vulcand/route
+  version: cb89d787ddbb1c5849a7ac9f79004c1fd12a4a32
+- name: github.com/vulcand/vulcand
+  version: 475540bb016702d5b7cc4674e37f48ee3e144a69
+  subpackages:
+  - plugin/rewrite
+  - plugin
+  - router
+- name: github.com/wendal/errors
+  version: f66c77a7882b399795a8987ebf87ef64a427417e
+- name: github.com/xenolf/lego
+  version: ca19a90028e242e878585941c2a27c8f3b3efc25
+  subpackages:
+  - acme
+- name: golang.org/x/crypto
+  version: 9e7f5dc375abeb9619ea3c5c58502c428f457aa2
+  subpackages:
+  - ocsp
+- name: golang.org/x/net
+  version: d9558e5c97f85372afee28cf2b6059d7d3818919
+  subpackages:
+  - context
+  - publicsuffix
+  - proxy
+- name: golang.org/x/sys
+  version: eb2c74142fd19a79b3f237334c7384d5167b1b46
+  subpackages:
+  - unix
+- name: gopkg.in/alecthomas/kingpin.v2
+  version: 639879d6110b1b0409410c7b737ef0bb18325038
+- name: gopkg.in/fsnotify.v1
+  version: 96c060f6a6b7e0d6f75fddd10efeaca3e5d1bcb0
+- name: gopkg.in/mgo.v2
+  version: 22287bab4379e1fbf6002fb4eb769888f3fb224c
+  subpackages:
+  - bson
+- name: gopkg.in/square/go-jose.v1
+  version: 40d457b439244b546f023d056628e5184136899b
+  subpackages:
+  - cipher
+  - json
+- name: gopkg.in/yaml.v2
+  version: 7ad95dd0798a40da1ccdff6dff35fd177b5edf40
+devImports: []

glide.yaml

@@ -4,12 +4,10 @@ import:
     ref:     cc90c7b091275e606ad0ca7102a23fb2072f3f5e
     subpackages:
       - etcd
-  - package: github.com/docker/distribution
-    ref:     9038e48c3b982f8e82281ea486f078a73731ac4e
   - package: github.com/mailgun/log
     ref:     44874009257d4d47ba9806f1b7f72a32a015e4d8
-  - package: github.com/mailgun/oxy
-    ref:     547c334d658398c05b346c0b79d8f47ba2e1473b
+  - package: github.com/containous/oxy
+    ref:     0b5b371bce661385d35439204298fa6fb5db5463
     subpackages:
       - cbreaker
       - forward
@@ -26,7 +24,7 @@ import:
       - zk
   - package: github.com/docker/libtrust
     ref:     9cbd2a1374f46905c68a4eb3694a130610adc62a
-  - package: gopkg.in/check.v1
+  - package: github.com/go-check/check
     ref:     11d3bc7aa68e238947792f30573146a3231fc0f1
   - package: golang.org/x/net
     ref:     d9558e5c97f85372afee28cf2b6059d7d3818919
@@ -39,25 +37,21 @@ import:
   - package: github.com/alecthomas/template
     ref:     b867cc6ab45cece8143cfcc6fc9c77cf3f2c23c0
   - package: github.com/vdemeester/shakers
-    ref:     8fe734f75f3a70b651cbfbf8a55a009da09e8dc5
+    ref:     24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
   - package: github.com/alecthomas/units
     ref:     6b4e7dc5e3143b85ea77909c72caf89416fc2915
   - package: github.com/gambol99/go-marathon
     ref:     ade11d1dc2884ee1f387078fc28509559b6235d1
-  - package: github.com/mailgun/predicate
+  - package: github.com/vulcand/predicate
     ref:     cb0bff91a7ab7cf7571e661ff883fc997bc554a3
   - package: github.com/thoas/stats
     ref:     54ed61c2b47e263ae2f01b86837b0c4bd1da28e8
-  - package: github.com/samalba/dockerclient
-    ref:     cfb489c624b635251a93e74e1e90eb0959c5367f
   - package: github.com/Sirupsen/logrus
     ref:     418b41d23a1bf978c06faea5313ba194650ac088
   - package: github.com/unrolled/render
     ref:     26b4e3aac686940fe29521545afad9966ddfc80c
   - package: github.com/flynn/go-shlex
     ref:     3f9db97f856818214da2e1057f8ad84803971cff
-  - package: github.com/fsouza/go-dockerclient
-    ref:     a49c8269a6899cae30da1f8a4b82e0ce945f9967
   - package: github.com/boltdb/bolt
     ref:     51f99c862475898df9773747d3accd05a7ca33c1
   - package: gopkg.in/mgo.v2
@@ -123,14 +117,6 @@ import:
     ref:     bd2bdf7f18f849530ef7a1c29a4290217cab32a1
   - package: gopkg.in/alecthomas/kingpin.v2
     ref:     639879d6110b1b0409410c7b737ef0bb18325038
-  - package: github.com/docker/libcompose
-    ref:     d3089811c119a211469a9cc93caea684d937e5d3
-    subpackages:
-      - docker
-      - logger
-      - lookup
-      - project
-      - utils
   - package: github.com/cenkalti/backoff
     ref:     4dc77674aceaabba2c7e3da25d4c823edfb73f99
   - package: gopkg.in/fsnotify.v1
@@ -164,4 +150,27 @@ import:
   - package: github.com/google/go-querystring/query
   - package: github.com/vulcand/vulcand/plugin/rewrite
   - package: github.com/stretchr/testify/mock
-
+  - package: github.com/xenolf/lego
+  - package: github.com/vdemeester/libkermit
+    ref: 7e4e689a6fa9281e0fb9b7b9c297e22d5342a5ec
+  - package: github.com/docker/libcompose
+    version: e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
+  - package: github.com/docker/distribution
+    version: ff6f38ccb69afa96214c7ee955359465d1fc767a
+    subpackages:
+    - reference
+  - package: github.com/docker/engine-api
+    subpackages:
+    - client
+    - types
+    - types/container
+    - types/filters
+    - types/strslice
+  - package: github.com/vdemeester/docker-events
+  - package: github.com/docker/go-connections
+    subpackages:
+    - nat
+    - sockets
+    - tlsconfig
+  - package: github.com/docker/go-units
+  - package: github.com/mailgun/multibuf

integration/basic_test.go

@@ -6,8 +6,9 @@ import (
 	"time"
 
 	"fmt"
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
 // SimpleSuite
@@ -46,10 +47,9 @@ func (s *SimpleSuite) TestSimpleDefaultConfig(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *SimpleSuite) TestWithWebConfig(c *check.C) {

integration/consul_catalog_test.go

@@ -1,18 +1,15 @@
 package main
 
 import (
-	"fmt"
 	"io/ioutil"
 	"net/http"
-	"os"
 	"os/exec"
 	"time"
 
-	"github.com/docker/docker/opts"
-	"github.com/fsouza/go-dockerclient"
+	"github.com/go-check/check"
 	"github.com/hashicorp/consul/api"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
 // Consul catalog test suites
@@ -20,30 +17,14 @@ type ConsulCatalogSuite struct {
 	BaseSuite
 	consulIP     string
 	consulClient *api.Client
-	dockerClient *docker.Client
-}
-
-func (s *ConsulCatalogSuite) GetContainer(name string) (*docker.Container, error) {
-	return s.dockerClient.InspectContainer(name)
 }
 
 func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
-	dockerHost := os.Getenv("DOCKER_HOST")
-	if dockerHost == "" {
-		// FIXME Handle windows -- see if dockerClient already handle that or not
-		dockerHost = fmt.Sprintf("unix://%s", opts.DefaultUnixSocket)
-	}
-	// Make sure we can speak to docker
-	dockerClient, err := docker.NewClient(dockerHost)
-	c.Assert(err, checker.IsNil, check.Commentf("Error connecting to docker daemon"))
-	s.dockerClient = dockerClient
 
 	s.createComposeProject(c, "consul_catalog")
-	err = s.composeProject.Up()
-	c.Assert(err, checker.IsNil, check.Commentf("Error starting project"))
+	s.composeProject.Start(c)
 
-	consul, err := s.GetContainer("integration-test-consul_catalog_consul_1")
-	c.Assert(err, checker.IsNil, check.Commentf("Error finding consul container"))
+	consul := s.composeProject.Container(c, "consul")
 
 	s.consulIP = consul.NetworkSettings.IPAddress
 	config := api.DefaultConfig()
@@ -110,8 +91,7 @@ func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	nginx, err := s.GetContainer("integration-test-consul_catalog_nginx_1")
-	c.Assert(err, checker.IsNil, check.Commentf("Error finding nginx container"))
+	nginx := s.composeProject.Container(c, "nginx")
 
 	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80)
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))

integration/consul_test.go

@@ -5,11 +5,18 @@ import (
 	"os/exec"
 	"time"
 
-	"fmt"
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
+// Consul test suites (using libcompose)
+type ConsulSuite struct{ BaseSuite }
+
+func (s *ConsulSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "consul")
+}
+
 func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/consul/simple.toml")
 	err := cmd.Start()
@@ -20,8 +27,7 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/docker_test.go

@@ -7,13 +7,15 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"strings"
 	"time"
 
-	"github.com/docker/docker/opts"
 	"github.com/docker/docker/pkg/namesgenerator"
-	"github.com/fsouza/go-dockerclient"
+	"github.com/go-check/check"
+
+	d "github.com/vdemeester/libkermit/docker"
+	docker "github.com/vdemeester/libkermit/docker/check"
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
 var (
@@ -31,108 +33,46 @@ var (
 // Docker test suites
 type DockerSuite struct {
 	BaseSuite
-	client *docker.Client
+	project *docker.Project
 }
 
 func (s *DockerSuite) startContainer(c *check.C, image string, args ...string) string {
-	return s.startContainerWithConfig(c, docker.CreateContainerOptions{
-		Config: &docker.Config{
-			Image: image,
-			Cmd:   args,
-		},
+	return s.startContainerWithConfig(c, image, d.ContainerConfig{
+		Cmd: args,
 	})
 }
 
 func (s *DockerSuite) startContainerWithLabels(c *check.C, image string, labels map[string]string, args ...string) string {
-	return s.startContainerWithConfig(c, docker.CreateContainerOptions{
-		Config: &docker.Config{
-			Image:  image,
-			Cmd:    args,
-			Labels: labels,
-		},
+	return s.startContainerWithConfig(c, image, d.ContainerConfig{
+		Cmd:    args,
+		Labels: labels,
 	})
 }
 
-func (s *DockerSuite) startContainerWithConfig(c *check.C, config docker.CreateContainerOptions) string {
+func (s *DockerSuite) startContainerWithConfig(c *check.C, image string, config d.ContainerConfig) string {
 	if config.Name == "" {
 		config.Name = namesgenerator.GetRandomName(10)
 	}
-	if config.Config.Labels == nil {
-		config.Config.Labels = map[string]string{}
-	}
-	config.Config.Labels[TestLabel] = "true"
 
-	container, err := s.client.CreateContainer(config)
-	c.Assert(err, checker.IsNil, check.Commentf("Error creating a container using config %v", config))
+	container := s.project.StartWithConfig(c, image, config)
 
-	err = s.client.StartContainer(container.ID, &docker.HostConfig{})
-	c.Assert(err, checker.IsNil, check.Commentf("Error starting container %v", container))
-
-	return container.Name
+	// FIXME(vdemeester) this is ugly (it's because of the / in front of the name in docker..)
+	return strings.SplitAfter(container.Name, "/")[1]
 }
 
 func (s *DockerSuite) SetUpSuite(c *check.C) {
-	dockerHost := os.Getenv("DOCKER_HOST")
-	if dockerHost == "" {
-		// FIXME Handle windows -- see if dockerClient already handle that or not
-		dockerHost = fmt.Sprintf("unix://%s", opts.DefaultUnixSocket)
-	}
-	// Make sure we can speak to docker
-	dockerClient, err := docker.NewClient(dockerHost)
-	c.Assert(err, checker.IsNil, check.Commentf("Error connecting to docker daemon"))
-
-	s.client = dockerClient
-	c.Assert(s.client.Ping(), checker.IsNil)
+	project := docker.NewProjectFromEnv(c)
+	s.project = project
 
 	// Pull required images
 	for repository, tag := range RequiredImages {
 		image := fmt.Sprintf("%s:%s", repository, tag)
-		_, err := s.client.InspectImage(image)
-		if err != nil {
-			if err != docker.ErrNoSuchImage {
-				c.Fatalf("Error while inspect image %s", image)
-			}
-			err = s.client.PullImage(docker.PullImageOptions{
-				Repository: repository,
-				Tag:        tag,
-			}, docker.AuthConfiguration{})
-			c.Assert(err, checker.IsNil, check.Commentf("Error while pulling image %s", image))
-		}
-	}
-}
-
-func (s *DockerSuite) cleanContainers(c *check.C) {
-	// Clean the mess, a.k.a. the running containers with the right label
-	containerList, err := s.client.ListContainers(docker.ListContainersOptions{
-		Filters: map[string][]string{
-			"label": {fmt.Sprintf("%s=true", TestLabel)},
-		},
-	})
-	c.Assert(err, checker.IsNil, check.Commentf("Error listing containers started by traefik"))
-
-	for _, container := range containerList {
-		err = s.client.KillContainer(docker.KillContainerOptions{
-			ID: container.ID,
-		})
-		c.Assert(err, checker.IsNil, check.Commentf("Error killing container %v", container))
-		if os.Getenv("CIRCLECI") == "" {
-			// On circleci, we won't delete them — it errors out for now >_<
-			err = s.client.RemoveContainer(docker.RemoveContainerOptions{
-				ID:            container.ID,
-				RemoveVolumes: true,
-			})
-			c.Assert(err, checker.IsNil, check.Commentf("Error removing container %v", container))
-		}
+		s.project.Pull(c, image)
 	}
 }
 
 func (s *DockerSuite) TearDownTest(c *check.C) {
-	s.cleanContainers(c)
-}
-
-func (s *DockerSuite) TearDownSuite(c *check.C) {
-	// Call cleanContainers, just in case (?)
-	// s.cleanContainers(c)
+	s.project.Clean(c, os.Getenv("CIRCLECI") != "")
 }
 
 func (s *DockerSuite) TestSimpleConfiguration(c *check.C) {
@@ -190,8 +130,7 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {
 	defer os.Remove(file)
 	// Start a container with some labels
 	labels := map[string]string{
-		"traefik.frontend.rule":  "Host",
-		"traefik.frontend.value": "my.super.host",
+		"traefik.frontend.rule": "Host:my.super.host",
 	}
 	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
 

integration/etcd_test.go

@@ -5,11 +5,18 @@ import (
 	"os/exec"
 	"time"
 
-	"fmt"
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
+// Etcd test suites (using libcompose)
+type EtcdSuite struct{ BaseSuite }
+
+func (s *EtcdSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "etcd")
+}
+
 func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/etcd/simple.toml")
 	err := cmd.Start()
@@ -20,8 +27,7 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/file_test.go

@@ -5,10 +5,20 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
+// File test suites
+type FileSuite struct{ BaseSuite }
+
+func (s *FileSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "file")
+
+	s.composeProject.Start(c)
+}
+
 func (s *FileSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/file/simple.toml")
 	err := cmd.Start()

integration/fixtures/file/simple.toml

@@ -33,10 +33,8 @@ logLevel = "DEBUG"
   [frontends.frontend1]
   backend = "backend2"
     [frontends.frontend1.routes.test_1]
-    rule = "Host"
-    value = "test.localhost"
+    rule = "Host:test.localhost"
   [frontends.frontend2]
   backend = "backend1"
     [frontends.frontend2.routes.test_2]
-    rule = "Path"
-    value = "/test"
+    rule = "Path:/test"

integration/fixtures/https/https_sni.toml

@@ -27,10 +27,8 @@ defaultEntryPoints = ["https"]
   [frontends.frontend1]
   backend = "backend1"
     [frontends.frontend1.routes.test_1]
-    rule = "Host"
-    value = "snitest.com"
+    rule = "Host:snitest.com"
   [frontends.frontend2]
   backend = "backend2"
     [frontends.frontend2.routes.test_2]
-    rule = "Host"
-    value = "snitest.org"
+    rule = "Host:snitest.org"

integration/https_test.go

@@ -8,8 +8,9 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
 // HTTPSSuite

integration/integration_test.go

@@ -11,11 +11,10 @@ import (
 	"text/template"
 
 	"github.com/containous/traefik/integration/utils"
-	"github.com/docker/libcompose/docker"
-	"github.com/docker/libcompose/project"
+	"github.com/go-check/check"
 
+	compose "github.com/vdemeester/libkermit/compose/check"
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
 func Test(t *testing.T) {
@@ -35,102 +34,21 @@ func init() {
 
 var traefikBinary = "../dist/traefik"
 
-// File test suites
-type FileSuite struct{ BaseSuite }
-
-func (s *FileSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "file")
-
-	s.composeProject.Up()
-}
-
-// Consul test suites (using libcompose)
-type ConsulSuite struct{ BaseSuite }
-
-func (s *ConsulSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "consul")
-}
-
-// Etcd test suites (using libcompose)
-type EtcdSuite struct{ BaseSuite }
-
-func (s *EtcdSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "etcd")
-}
-
-// Marathon test suites (using libcompose)
-type MarathonSuite struct{ BaseSuite }
-
-func (s *MarathonSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "marathon")
-}
-
 type BaseSuite struct {
-	composeProject *project.Project
-	listenChan     chan project.Event
-	started        chan bool
-	stopped        chan bool
-	deleted        chan bool
+	composeProject *compose.Project
 }
 
 func (s *BaseSuite) TearDownSuite(c *check.C) {
 	// shutdown and delete compose project
 	if s.composeProject != nil {
-		s.composeProject.Down()
-		<-s.stopped
-		defer close(s.stopped)
-
-		s.composeProject.Delete()
-		<-s.deleted
-		defer close(s.deleted)
+		s.composeProject.Stop(c)
 	}
 }
 
 func (s *BaseSuite) createComposeProject(c *check.C, name string) {
-	composeProject, err := docker.NewProject(&docker.Context{
-		Context: project.Context{
-			ComposeFiles: []string{
-				fmt.Sprintf("resources/compose/%s.yml", name),
-			},
-			ProjectName: fmt.Sprintf("integration-test-%s", name),
-		},
-	})
-	c.Assert(err, checker.IsNil)
-	s.composeProject = composeProject
-
-	err = composeProject.Create()
-	c.Assert(err, checker.IsNil)
-
-	s.started = make(chan bool)
-	s.stopped = make(chan bool)
-	s.deleted = make(chan bool)
-
-	s.listenChan = make(chan project.Event)
-	go s.startListening(c)
-
-	composeProject.AddListener(s.listenChan)
-
-	err = composeProject.Start()
-	c.Assert(err, checker.IsNil)
-
-	// Wait for compose to start
-	<-s.started
-	defer close(s.started)
-}
-
-func (s *BaseSuite) startListening(c *check.C) {
-	for event := range s.listenChan {
-		// FIXME Add a timeout on event ?
-		if event.EventType == project.EventProjectStartDone {
-			s.started <- true
-		}
-		if event.EventType == project.EventProjectDownDone {
-			s.stopped <- true
-		}
-		if event.EventType == project.EventProjectDeleteDone {
-			s.deleted <- true
-		}
-	}
+	projectName := fmt.Sprintf("integration-test-%s", name)
+	composeFile := fmt.Sprintf("resources/compose/%s.yml", name)
+	s.composeProject = compose.CreateProject(c, projectName, composeFile)
 }
 
 func (s *BaseSuite) traefikCmd(c *check.C, args ...string) (*exec.Cmd, string) {

integration/marathon_test.go

@@ -1,15 +1,22 @@
 package main
 
 import (
-	"fmt"
 	"net/http"
 	"os/exec"
 	"time"
 
+	"github.com/go-check/check"
+
 	checker "github.com/vdemeester/shakers"
-	check "gopkg.in/check.v1"
 )
 
+// Marathon test suites (using libcompose)
+type MarathonSuite struct{ BaseSuite }
+
+func (s *MarathonSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "marathon")
+}
+
 func (s *MarathonSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/marathon/simple.toml")
 	err := cmd.Start()
@@ -20,8 +27,7 @@ func (s *MarathonSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

middlewares/StripPrefix.go

@@ -1,22 +0,0 @@
-package middlewares
-
-import (
-	"net/http"
-	"strings"
-)
-
-// StripPrefix is a middleware used to strip prefix from an URL request
-type StripPrefix struct {
-	Handler http.Handler
-	Prefix  string
-}
-
-func (s *StripPrefix) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if p := strings.TrimPrefix(r.URL.Path, s.Prefix); len(p) < len(r.URL.Path) {
-		r.URL.Path = p
-		r.RequestURI = r.URL.RequestURI()
-		s.Handler.ServeHTTP(w, r)
-	} else {
-		http.NotFound(w, r)
-	}
-}

middlewares/cbreaker.go

@@ -3,7 +3,7 @@ package middlewares
 import (
 	"net/http"
 
-	"github.com/mailgun/oxy/cbreaker"
+	"github.com/containous/oxy/cbreaker"
 )
 
 // CircuitBreaker holds the oxy circuit breaker.

middlewares/stripPrefix.go

@@ -0,0 +1,29 @@
+package middlewares
+
+import (
+	"net/http"
+	"strings"
+)
+
+// StripPrefix is a middleware used to strip prefix from an URL request
+type StripPrefix struct {
+	Handler  http.Handler
+	Prefixes []string
+}
+
+func (s *StripPrefix) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	for _, prefix := range s.Prefixes {
+		if p := strings.TrimPrefix(r.URL.Path, strings.TrimSpace(prefix)); len(p) < len(r.URL.Path) {
+			r.URL.Path = p
+			r.RequestURI = r.URL.RequestURI()
+			s.Handler.ServeHTTP(w, r)
+			return
+		}
+	}
+	http.NotFound(w, r)
+}
+
+// SetHandler sets handler
+func (s *StripPrefix) SetHandler(Handler http.Handler) {
+	s.Handler = Handler
+}

middlewares/websocket.go

@@ -1,52 +0,0 @@
-package middlewares
-
-import (
-	"net/http"
-	"strings"
-	"time"
-
-	log "github.com/Sirupsen/logrus"
-	"github.com/mailgun/oxy/roundrobin"
-)
-
-// WebsocketUpgrader holds Websocket configuration.
-type WebsocketUpgrader struct {
-	rr *roundrobin.RoundRobin
-}
-
-// NewWebsocketUpgrader returns a new WebsocketUpgrader.
-func NewWebsocketUpgrader(rr *roundrobin.RoundRobin) *WebsocketUpgrader {
-	wu := WebsocketUpgrader{
-		rr: rr,
-	}
-	return &wu
-}
-
-func (u *WebsocketUpgrader) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	// If request is websocket, serve with golang websocket server to do protocol handshake
-	if strings.Join(req.Header["Upgrade"], "") == "websocket" {
-		start := time.Now().UTC()
-		url, err := u.rr.NextServer()
-		if err != nil {
-			log.Errorf("Can't round robin in websocket middleware")
-			return
-		}
-		log.Debugf("Websocket forward to %s", url.String())
-		NewProxy(url).ServeHTTP(w, req)
-
-		if req.TLS != nil {
-			log.Debugf("Round trip: %v, duration: %v tls:version: %x, tls:resume:%t, tls:csuite:%x, tls:server:%v",
-				req.URL, time.Now().UTC().Sub(start),
-				req.TLS.Version,
-				req.TLS.DidResume,
-				req.TLS.CipherSuite,
-				req.TLS.ServerName)
-		} else {
-			log.Debugf("Round trip: %v, duration: %v",
-				req.URL, time.Now().UTC().Sub(start))
-		}
-
-		return
-	}
-	u.rr.ServeHTTP(w, req)
-}

middlewares/websocketproxy.go

@@ -1,179 +0,0 @@
-package middlewares
-
-import (
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"strings"
-
-	log "github.com/Sirupsen/logrus"
-	"github.com/gorilla/websocket"
-)
-
-// Original developpement made by https://github.com/koding/websocketproxy
-var (
-	// DefaultUpgrader specifies the parameters for upgrading an HTTP
-	// connection to a WebSocket connection.
-	DefaultUpgrader = &websocket.Upgrader{
-		ReadBufferSize:  1024,
-		WriteBufferSize: 1024,
-	}
-
-	// DefaultDialer is a dialer with all fields set to the default zero values.
-	DefaultDialer = websocket.DefaultDialer
-)
-
-// WebsocketProxy is an HTTP Handler that takes an incoming WebSocket
-// connection and proxies it to another server.
-type WebsocketProxy struct {
-	// Backend returns the backend URL which the proxy uses to reverse proxy
-	// the incoming WebSocket connection. Request is the initial incoming and
-	// unmodified request.
-	Backend func(*http.Request) *url.URL
-
-	// Upgrader specifies the parameters for upgrading a incoming HTTP
-	// connection to a WebSocket connection. If nil, DefaultUpgrader is used.
-	Upgrader *websocket.Upgrader
-
-	//  Dialer contains options for connecting to the backend WebSocket server.
-	//  If nil, DefaultDialer is used.
-	Dialer *websocket.Dialer
-}
-
-// ProxyHandler returns a new http.Handler interface that reverse proxies the
-// request to the given target.
-func ProxyHandler(target *url.URL) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		NewProxy(target).ServeHTTP(rw, req)
-	})
-}
-
-// NewProxy returns a new Websocket reverse proxy that rewrites the
-// URL's to the scheme, host and base path provider in target.
-func NewProxy(target *url.URL) *WebsocketProxy {
-	backend := func(r *http.Request) *url.URL {
-		// Shallow copy
-		u := *target
-		u.Fragment = r.URL.Fragment
-		u.Path = r.URL.Path
-		u.RawQuery = r.URL.RawQuery
-		rurl := u.String()
-		if strings.HasPrefix(rurl, "http") {
-			u.Scheme = "ws"
-		}
-		if strings.HasPrefix(rurl, "https") {
-			u.Scheme = "wss"
-		}
-		return &u
-	}
-	return &WebsocketProxy{Backend: backend}
-}
-
-// ServeHTTP implements the http.Handler that proxies WebSocket connections.
-func (w *WebsocketProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
-	if w.Backend == nil {
-		log.Errorf("Websocketproxy: backend function is not defined")
-		http.Error(rw, "Backend not found", http.StatusInternalServerError)
-		http.NotFound(rw, req)
-		return
-	}
-
-	backendURL := w.Backend(req)
-	if backendURL == nil {
-		log.Errorf("Websocketproxy: backend URL is nil")
-		http.Error(rw, "Backend URL is nil", http.StatusInternalServerError)
-		return
-	}
-
-	dialer := w.Dialer
-	if w.Dialer == nil {
-		dialer = DefaultDialer
-	}
-
-	// Pass headers from the incoming request to the dialer to forward them to
-	// the final destinations.
-	requestHeader := http.Header{}
-	requestHeader.Add("Origin", req.Header.Get("Origin"))
-	for _, prot := range req.Header[http.CanonicalHeaderKey("Sec-WebSocket-Protocol")] {
-		requestHeader.Add("Sec-WebSocket-Protocol", prot)
-	}
-	for _, cookie := range req.Header[http.CanonicalHeaderKey("Cookie")] {
-		requestHeader.Add("Cookie", cookie)
-	}
-	for _, auth := range req.Header[http.CanonicalHeaderKey("Authorization")] {
-		requestHeader.Add("Authorization", auth)
-	}
-
-	// Pass X-Forwarded-For headers too, code below is a part of
-	// httputil.ReverseProxy. See http://en.wikipedia.org/wiki/X-Forwarded-For
-	// for more information
-	// TODO: use RFC7239 http://tools.ietf.org/html/rfc7239
-	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-		// If we aren't the first proxy retain prior
-		// X-Forwarded-For information as a comma+space
-		// separated list and fold multiple headers into one.
-		if prior, ok := req.Header["X-Forwarded-For"]; ok {
-			clientIP = strings.Join(prior, ", ") + ", " + clientIP
-		}
-		requestHeader.Set("X-Forwarded-For", clientIP)
-	}
-
-	// Set the originating protocol of the incoming HTTP request. The SSL might
-	// be terminated on our site and because we doing proxy adding this would
-	// be helpful for applications on the backend.
-	requestHeader.Set("X-Forwarded-Proto", "http")
-	if req.TLS != nil {
-		requestHeader.Set("X-Forwarded-Proto", "https")
-	}
-
-	//frontend Origin != backend Origin
-	requestHeader.Del("Origin")
-
-	// Connect to the backend URL, also pass the headers we get from the requst
-	// together with the Forwarded headers we prepared above.
-	// TODO: support multiplexing on the same backend connection instead of
-	// opening a new TCP connection time for each request. This should be
-	// optional:
-	// http://tools.ietf.org/html/draft-ietf-hybi-websocket-multiplexing-01
-	connBackend, resp, err := dialer.Dial(backendURL.String(), requestHeader)
-	if err != nil {
-		log.Errorf("Websocketproxy: couldn't dial to remote backend url %s, %s, %+v", backendURL.String(), err, resp)
-		http.Error(rw, "Remote backend unreachable", http.StatusBadGateway)
-		return
-	}
-	defer connBackend.Close()
-
-	upgrader := w.Upgrader
-	if w.Upgrader == nil {
-		upgrader = DefaultUpgrader
-	}
-
-	// Only pass those headers to the upgrader.
-	upgradeHeader := http.Header{}
-	upgradeHeader.Set("Sec-WebSocket-Protocol",
-		resp.Header.Get(http.CanonicalHeaderKey("Sec-WebSocket-Protocol")))
-	upgradeHeader.Set("Set-Cookie",
-		resp.Header.Get(http.CanonicalHeaderKey("Set-Cookie")))
-
-	// Now upgrade the existing incoming request to a WebSocket connection.
-	// Also pass the header that we gathered from the Dial handshake.
-	connPub, err := upgrader.Upgrade(rw, req, upgradeHeader)
-	if err != nil {
-		log.Errorf("Websocketproxy: couldn't upgrade %s", err)
-		http.NotFound(rw, req)
-		return
-	}
-	defer connPub.Close()
-
-	errc := make(chan error, 2)
-	cp := func(dst io.Writer, src io.Reader) {
-		_, err := io.Copy(dst, src)
-		errc <- err
-	}
-
-	// Start our proxy now, everything is ready...
-	go cp(connBackend.UnderlyingConn(), connPub.UnderlyingConn())
-	go cp(connPub.UnderlyingConn(), connBackend.UnderlyingConn())
-	<-errc
-}

mkdocs.yml

@@ -0,0 +1,49 @@
+site_name: Traefik
+site_description: Traefik Documentation
+site_author: containo.us
+site_url: https://docs.traefik.io
+
+repo_name: 'GitHub'
+repo_url: 'https://github.com/containous/traefik'
+
+# Documentation and theme
+docs_dir: 'docs'
+theme: united
+# theme: readthedocs
+# theme: 'material'
+# theme: bootstrap
+
+site_favicon: 'img/traefik.icon.png'
+
+# Copyright
+copyright: Copyright (c) 2016 Containous SAS
+
+# Options
+extra:
+#   version: 0.2.2
+  logo: img/traefik.logo.png
+  # author:
+  #   twitter: traefikproxy
+  palette:
+    primary: 'blue'
+    accent: 'light blue'
+  i18n:
+    prev: 'Previous'
+    next: 'Next'  
+  
+markdown_extensions:
+#   - codehilite(css_class=code)
+  - admonition
+#   - toc:
+#       permalink: '##'
+  # - fenced_code
+      
+extra_css:
+    - css/traefik.css
+      
+# Page tree
+pages:
+  - Getting Started: index.md
+  - Basics: basics.md
+  - traefik.toml: toml.md
+  - Benchmarks: benchmarks.md

provider/consul_catalog.go

@@ -8,6 +8,7 @@ import (
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/cenkalti/backoff"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/hashicorp/consul/api"
 )
@@ -35,7 +36,7 @@ func (provider *ConsulCatalog) watchServices(stopCh <-chan struct{}) <-chan map[
 
 	catalog := provider.client.Catalog()
 
-	go func() {
+	safe.Go(func() {
 		defer close(watchCh)
 
 		opts := &api.QueryOptions{WaitTime: DefaultWatchWaitTime}
@@ -64,7 +65,7 @@ func (provider *ConsulCatalog) watchServices(stopCh <-chan struct{}) <-chan map[
 				watchCh <- data
 			}
 		}
-	}()
+	})
 
 	return watchCh
 }
@@ -89,7 +90,7 @@ func (provider *ConsulCatalog) getBackend(node *api.ServiceEntry) string {
 }
 
 func (provider *ConsulCatalog) getFrontendValue(service string) string {
-	return service + "." + provider.Domain
+	return "Host:" + service + "." + provider.Domain
 }
 
 func (provider *ConsulCatalog) buildConfig(catalog []catalogUpdate) *types.Configuration {
@@ -182,7 +183,7 @@ func (provider *ConsulCatalog) Provide(configurationChan chan<- types.ConfigMess
 	}
 	provider.client = client
 
-	go func() {
+	safe.Go(func() {
 		notify := func(err error, time time.Duration) {
 			log.Errorf("Consul connection error %+v, retrying in %s", err, time)
 		}
@@ -193,7 +194,7 @@ func (provider *ConsulCatalog) Provide(configurationChan chan<- types.ConfigMess
 		if err != nil {
 			log.Fatalf("Cannot connect to consul server %+v", err)
 		}
-	}()
+	})
 
 	return err
 }

provider/consul_catalog_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/hashicorp/consul/api"
 )
 
-func TestConsulCatalogGetFrontendValue(t *testing.T) {
+func TestConsulCatalogGetFrontendRule(t *testing.T) {
 	provider := &ConsulCatalog{
 		Domain: "localhost",
 	}
@@ -19,7 +19,7 @@ func TestConsulCatalogGetFrontendValue(t *testing.T) {
 	}{
 		{
 			service:  "foo",
-			expected: "foo.localhost",
+			expected: "Host:foo.localhost",
 		},
 	}
 
@@ -63,6 +63,7 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 						{
 							Service: &api.AgentService{
 								Service: "test",
+								Address: "127.0.0.1",
 								Port:    80,
 							},
 							Node: &api.Node{
@@ -78,8 +79,7 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 					Backend: "backend-test",
 					Routes: map[string]types.Route{
 						"route-host-test": {
-							Rule:  "Host",
-							Value: "test.localhost",
+							Rule: "Host:test.localhost",
 						},
 					},
 				},
@@ -87,7 +87,7 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 			expectedBackends: map[string]*types.Backend{
 				"backend-test": {
 					Servers: map[string]types.Server{
-						"server-localhost-80": {
+						"test--127-0-0-1--80": {
 							URL: "http://127.0.0.1:80",
 						},
 					},

provider/docker.go

@@ -2,19 +2,31 @@ package provider
 
 import (
 	"errors"
-	"fmt"
+	"net/http"
 	"strconv"
 	"strings"
 	"text/template"
 	"time"
 
+	"golang.org/x/net/context"
+
 	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
 	"github.com/cenkalti/backoff"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
-	"github.com/fsouza/go-dockerclient"
+	"github.com/docker/engine-api/client"
+	dockertypes "github.com/docker/engine-api/types"
+	eventtypes "github.com/docker/engine-api/types/events"
+	"github.com/docker/engine-api/types/filters"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/vdemeester/docker-events"
 )
 
+// DockerAPIVersion is a constant holding the version of the Docker API traefik will use
+const DockerAPIVersion string = "1.21"
+
 // Docker holds configurations of the Docker provider.
 type Docker struct {
 	BaseProvider `mapstructure:",squash"`
@@ -31,75 +43,110 @@ type DockerTLS struct {
 	InsecureSkipVerify bool
 }
 
+func (provider *Docker) createClient() (client.APIClient, error) {
+	var httpClient *http.Client
+	httpHeaders := map[string]string{
+		// FIXME(vdemeester) use version here O:)
+		"User-Agent": "Traefik",
+	}
+	if provider.TLS != nil {
+		tlsOptions := tlsconfig.Options{
+			CAFile:             provider.TLS.CA,
+			CertFile:           provider.TLS.Cert,
+			KeyFile:            provider.TLS.Key,
+			InsecureSkipVerify: provider.TLS.InsecureSkipVerify,
+		}
+		config, err := tlsconfig.Client(tlsOptions)
+		if err != nil {
+			return nil, err
+		}
+		tr := &http.Transport{
+			TLSClientConfig: config,
+		}
+		proto, addr, _, err := client.ParseHost(provider.Endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		sockets.ConfigureTransport(tr, proto, addr)
+
+		httpClient = &http.Client{
+			Transport: tr,
+		}
+	}
+	return client.NewClient(provider.Endpoint, DockerAPIVersion, httpClient, httpHeaders)
+}
+
 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
 func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) error {
+	safe.Go(func() {
+		operation := func() error {
+			var err error
 
-	var dockerClient *docker.Client
-	var err error
-
-	if provider.TLS != nil {
-		dockerClient, err = docker.NewTLSClient(provider.Endpoint,
-			provider.TLS.Cert, provider.TLS.Key, provider.TLS.CA)
-		if err == nil {
-			dockerClient.TLSConfig.InsecureSkipVerify = provider.TLS.InsecureSkipVerify
-		}
-	} else {
-		dockerClient, err = docker.NewClient(provider.Endpoint)
-	}
-	if err != nil {
-		log.Errorf("Failed to create a client for docker, error: %s", err)
-		return err
-	}
-	err = dockerClient.Ping()
-	if err != nil {
-		log.Errorf("Docker connection error %+v", err)
-		return err
-	}
-	log.Debug("Docker connection established")
-	if provider.Watch {
-		dockerEvents := make(chan *docker.APIEvents)
-		dockerClient.AddEventListener(dockerEvents)
-		log.Debug("Docker listening")
-		go func() {
-			operation := func() error {
-				for {
-					event := <-dockerEvents
-					if event == nil {
-						return errors.New("Docker event nil")
-						//							log.Fatalf("Docker connection error")
+			dockerClient, err := provider.createClient()
+			if err != nil {
+				log.Errorf("Failed to create a client for docker, error: %s", err)
+				return err
+			}
+			version, err := dockerClient.ServerVersion(context.Background())
+			log.Debugf("Docker connection established with docker %s (API %s)", version.Version, version.APIVersion)
+			containers, err := listContainers(dockerClient)
+			if err != nil {
+				log.Errorf("Failed to list containers for docker, error %s", err)
+				return err
+			}
+			configuration := provider.loadDockerConfig(containers)
+			configurationChan <- types.ConfigMessage{
+				ProviderName:  "docker",
+				Configuration: configuration,
+			}
+			if provider.Watch {
+				ctx, cancel := context.WithCancel(context.Background())
+				f := filters.NewArgs()
+				f.Add("type", "container")
+				options := dockertypes.EventsOptions{
+					Filters: f,
+				}
+				eventHandler := events.NewHandler(events.ByAction)
+				startStopHandle := func(m eventtypes.Message) {
+					log.Debugf("Docker event received %+v", m)
+					containers, err := listContainers(dockerClient)
+					if err != nil {
+						log.Errorf("Failed to list containers for docker, error %s", err)
+						// Call cancel to get out of the monitor
+						cancel()
 					}
-					if event.Status == "start" || event.Status == "die" {
-						log.Debugf("Docker event receveived %+v", event)
-						configuration := provider.loadDockerConfig(listContainers(dockerClient))
-						if configuration != nil {
-							configurationChan <- types.ConfigMessage{
-								ProviderName:  "docker",
-								Configuration: configuration,
-							}
+					configuration := provider.loadDockerConfig(containers)
+					if configuration != nil {
+						configurationChan <- types.ConfigMessage{
+							ProviderName:  "docker",
+							Configuration: configuration,
 						}
 					}
 				}
+				eventHandler.Handle("start", startStopHandle)
+				eventHandler.Handle("die", startStopHandle)
+				errChan := events.MonitorWithHandler(ctx, dockerClient, options, eventHandler)
+				if err := <-errChan; err != nil {
+					return err
+				}
 			}
-			notify := func(err error, time time.Duration) {
-				log.Errorf("Docker connection error %+v, retrying in %s", err, time)
-			}
-			err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
-			if err != nil {
-				log.Fatalf("Cannot connect to docker server %+v", err)
-			}
-		}()
-	}
+			return nil
+		}
+		notify := func(err error, time time.Duration) {
+			log.Errorf("Docker connection error %+v, retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
+		if err != nil {
+			log.Fatalf("Cannot connect to docker server %+v", err)
+		}
+	})
 
-	configuration := provider.loadDockerConfig(listContainers(dockerClient))
-	configurationChan <- types.ConfigMessage{
-		ProviderName:  "docker",
-		Configuration: configuration,
-	}
 	return nil
 }
 
-func (provider *Docker) loadDockerConfig(containersInspected []docker.Container) *types.Configuration {
+func (provider *Docker) loadDockerConfig(containersInspected []dockertypes.ContainerJSON) *types.Configuration {
 	var DockerFuncMap = template.FuncMap{
 		"getBackend":        provider.getBackend,
 		"getPort":           provider.getPort,
@@ -108,22 +155,21 @@ func (provider *Docker) loadDockerConfig(containersInspected []docker.Container)
 		"getProtocol":       provider.getProtocol,
 		"getPassHostHeader": provider.getPassHostHeader,
 		"getEntryPoints":    provider.getEntryPoints,
-		"getFrontendValue":  provider.getFrontendValue,
 		"getFrontendRule":   provider.getFrontendRule,
 		"replace":           replace,
 	}
 
 	// filter containers
-	filteredContainers := fun.Filter(containerFilter, containersInspected).([]docker.Container)
+	filteredContainers := fun.Filter(containerFilter, containersInspected).([]dockertypes.ContainerJSON)
 
-	frontends := map[string][]docker.Container{}
+	frontends := map[string][]dockertypes.ContainerJSON{}
 	for _, container := range filteredContainers {
 		frontends[provider.getFrontendName(container)] = append(frontends[provider.getFrontendName(container)], container)
 	}
 
 	templateObjects := struct {
-		Containers []docker.Container
-		Frontends  map[string][]docker.Container
+		Containers []dockertypes.ContainerJSON
+		Frontends  map[string][]dockertypes.ContainerJSON
 		Domain     string
 	}{
 		filteredContainers,
@@ -138,7 +184,7 @@ func (provider *Docker) loadDockerConfig(containersInspected []docker.Container)
 	return configuration
 }
 
-func containerFilter(container docker.Container) bool {
+func containerFilter(container dockertypes.ContainerJSON) bool {
 	if len(container.NetworkSettings.Ports) == 0 {
 		log.Debugf("Filtering container without port %s", container.Name)
 		return false
@@ -154,50 +200,40 @@ func containerFilter(container docker.Container) bool {
 		return false
 	}
 
-	labels, err := getLabels(container, []string{"traefik.frontend.rule", "traefik.frontend.value"})
-	if len(labels) != 0 && err != nil {
-		log.Debugf("Filtering bad labeled container %s", container.Name)
-		return false
-	}
-
 	return true
 }
 
-func (provider *Docker) getFrontendName(container docker.Container) string {
+func (provider *Docker) getFrontendName(container dockertypes.ContainerJSON) string {
 	// Replace '.' with '-' in quoted keys because of this issue https://github.com/BurntSushi/toml/issues/78
-	frontendName := fmt.Sprintf("%s-%s", provider.getFrontendRule(container), provider.getFrontendValue(container))
-	frontendName = strings.Replace(frontendName, "[", "", -1)
-	frontendName = strings.Replace(frontendName, "]", "", -1)
-
-	return strings.Replace(frontendName, ".", "-", -1)
-}
-
-// GetFrontendValue returns the frontend value for the specified container, using
-// it's label. It returns a default one if the label is not present.
-func (provider *Docker) getFrontendValue(container docker.Container) string {
-	if label, err := getLabel(container, "traefik.frontend.value"); err == nil {
-		return label
-	}
-	return getEscapedName(container.Name) + "." + provider.Domain
+	return normalize(provider.getFrontendRule(container))
 }
 
 // GetFrontendRule returns the frontend rule for the specified container, using
 // it's label. It returns a default one (Host) if the label is not present.
-func (provider *Docker) getFrontendRule(container docker.Container) string {
+func (provider *Docker) getFrontendRule(container dockertypes.ContainerJSON) string {
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+	// TODO: backwards compatibility with DEPRECATED rule.Value
+	if value, ok := container.Config.Labels["traefik.frontend.value"]; ok {
+		log.Warnf("Label traefik.frontend.value=%s is DEPRECATED (will be removed in v1.0.0), please refer to the rule label: https://github.com/containous/traefik/blob/master/docs/index.md#docker", value)
+		rule, _ := container.Config.Labels["traefik.frontend.rule"]
+		return rule + ":" + value
+	}
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+
 	if label, err := getLabel(container, "traefik.frontend.rule"); err == nil {
 		return label
 	}
-	return "Host"
+	return "Host:" + getEscapedName(container.Name) + "." + provider.Domain
 }
 
-func (provider *Docker) getBackend(container docker.Container) string {
+func (provider *Docker) getBackend(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.backend"); err == nil {
 		return label
 	}
-	return getEscapedName(container.Name)
+	return normalize(container.Name)
 }
 
-func (provider *Docker) getPort(container docker.Container) string {
+func (provider *Docker) getPort(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.port"); err == nil {
 		return label
 	}
@@ -207,42 +243,42 @@ func (provider *Docker) getPort(container docker.Container) string {
 	return ""
 }
 
-func (provider *Docker) getWeight(container docker.Container) string {
+func (provider *Docker) getWeight(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.weight"); err == nil {
 		return label
 	}
-	return "0"
+	return "1"
 }
 
-func (provider *Docker) getDomain(container docker.Container) string {
+func (provider *Docker) getDomain(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.domain"); err == nil {
 		return label
 	}
 	return provider.Domain
 }
 
-func (provider *Docker) getProtocol(container docker.Container) string {
+func (provider *Docker) getProtocol(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.protocol"); err == nil {
 		return label
 	}
 	return "http"
 }
 
-func (provider *Docker) getPassHostHeader(container docker.Container) string {
+func (provider *Docker) getPassHostHeader(container dockertypes.ContainerJSON) string {
 	if passHostHeader, err := getLabel(container, "traefik.frontend.passHostHeader"); err == nil {
 		return passHostHeader
 	}
 	return "false"
 }
 
-func (provider *Docker) getEntryPoints(container docker.Container) []string {
+func (provider *Docker) getEntryPoints(container dockertypes.ContainerJSON) []string {
 	if entryPoints, err := getLabel(container, "traefik.frontend.entryPoints"); err == nil {
 		return strings.Split(entryPoints, ",")
 	}
 	return []string{}
 }
 
-func getLabel(container docker.Container, label string) (string, error) {
+func getLabel(container dockertypes.ContainerJSON, label string) (string, error) {
 	for key, value := range container.Config.Labels {
 		if key == label {
 			return value, nil
@@ -251,7 +287,7 @@ func getLabel(container docker.Container, label string) (string, error) {
 	return "", errors.New("Label not found:" + label)
 }
 
-func getLabels(container docker.Container, labels []string) (map[string]string, error) {
+func getLabels(container dockertypes.ContainerJSON, labels []string) (map[string]string, error) {
 	var globalErr error
 	foundLabels := map[string]string{}
 	for _, label := range labels {
@@ -267,14 +303,20 @@ func getLabels(container docker.Container, labels []string) (map[string]string,
 	return foundLabels, globalErr
 }
 
-func listContainers(dockerClient *docker.Client) []docker.Container {
-	containerList, _ := dockerClient.ListContainers(docker.ListContainersOptions{})
-	containersInspected := []docker.Container{}
+func listContainers(dockerClient client.APIClient) ([]dockertypes.ContainerJSON, error) {
+	containerList, err := dockerClient.ContainerList(context.Background(), dockertypes.ContainerListOptions{})
+	if err != nil {
+		return []dockertypes.ContainerJSON{}, err
+	}
+	containersInspected := []dockertypes.ContainerJSON{}
 
 	// get inspect containers
 	for _, container := range containerList {
-		containerInspected, _ := dockerClient.InspectContainer(container.ID)
-		containersInspected = append(containersInspected, *containerInspected)
+		containerInspected, err := dockerClient.ContainerInspect(context.Background(), container.ID)
+		if err != nil {
+			log.Warnf("Failed to inpsect container %s, error: %s", container.ID, err)
+		}
+		containersInspected = append(containersInspected, containerInspected)
 	}
-	return containersInspected
+	return containersInspected, nil
 }

provider/docker_test.go

@@ -6,7 +6,10 @@ import (
 	"testing"
 
 	"github.com/containous/traefik/types"
-	"github.com/fsouza/go-dockerclient"
+	docker "github.com/docker/engine-api/types"
+	"github.com/docker/engine-api/types/container"
+	"github.com/docker/engine-api/types/network"
+	"github.com/docker/go-connections/nat"
 )
 
 func TestDockerGetFrontendName(t *testing.T) {
@@ -15,61 +18,69 @@ func TestDockerGetFrontendName(t *testing.T) {
 	}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
 			expected: "Host-foo-docker-localhost",
 		},
 		{
-			container: docker.Container{
-				Name: "bar",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.rule": "Header",
+						"traefik.frontend.rule": "Headers:User-Agent,bat/0.1.0",
 					},
 				},
 			},
-			expected: "Header-bar-docker-localhost",
+			expected: "Headers-User-Agent-bat-0-1-0",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.value": "foo.bar",
+						"traefik.frontend.rule": "Host:foo.bar",
 					},
 				},
 			},
 			expected: "Host-foo-bar",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.value": "foo.bar",
-						"traefik.frontend.rule":  "Header",
+						"traefik.frontend.rule": "Path:/test",
 					},
 				},
 			},
-			expected: "Header-foo-bar",
+			expected: "Path-test",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.value": "[foo.bar]",
-						"traefik.frontend.rule":  "Header",
+						"traefik.frontend.rule": "PathPrefix:/test2",
 					},
 				},
 			},
-			expected: "Header-foo-bar",
+			expected: "PathPrefix-test2",
 		},
 	}
 
@@ -81,74 +92,58 @@ func TestDockerGetFrontendName(t *testing.T) {
 	}
 }
 
-func TestDockerGetFrontendValue(t *testing.T) {
+func TestDockerGetFrontendRule(t *testing.T) {
 	provider := &Docker{
 		Domain: "docker.localhost",
 	}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
-			expected: "foo.docker.localhost",
+			expected: "Host:foo.docker.localhost",
 		},
 		{
-			container: docker.Container{
-				Name:   "bar",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{},
 			},
-			expected: "bar.docker.localhost",
+			expected: "Host:bar.docker.localhost",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.value": "foo.bar",
+						"traefik.frontend.rule": "Host:foo.bar",
 					},
 				},
 			},
-			expected: "foo.bar",
-		},
-	}
-
-	for _, e := range containers {
-		actual := provider.getFrontendValue(e.container)
-		if actual != e.expected {
-			t.Fatalf("expected %q, got %q", e.expected, actual)
-		}
-	}
-}
-
-func TestDockerGetFrontendRule(t *testing.T) {
-	provider := &Docker{}
-
-	containers := []struct {
-		container docker.Container
-		expected  string
-	}{
-		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
-			},
-			expected: "Host",
+			expected: "Host:foo.bar",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.rule": "foo",
+						"traefik.frontend.rule": "Path:/test",
 					},
 				},
 			},
-			expected: "foo",
+			expected: "Path:/test",
 		},
 	}
 
@@ -164,27 +159,33 @@ func TestDockerGetBackend(t *testing.T) {
 	provider := &Docker{}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
 			expected: "foo",
 		},
 		{
-			container: docker.Container{
-				Name:   "bar",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{},
 			},
 			expected: "bar",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.backend": "foobar",
 					},
@@ -206,24 +207,30 @@ func TestDockerGetPort(t *testing.T) {
 	provider := &Docker{}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:            "foo",
-				Config:          &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config:          &container.Config{},
 				NetworkSettings: &docker.NetworkSettings{},
 			},
 			expected: "",
 		},
 		{
-			container: docker.Container{
-				Name:   "bar",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
@@ -231,9 +238,9 @@ func TestDockerGetPort(t *testing.T) {
 		},
 		// FIXME handle this better..
 		// {
-		// 	container: docker.Container{
+		// 	container: docker.ContainerJSON{
 		// 		Name:   "bar",
-		// 		Config: &docker.Config{},
+		// 		Config: &container.Config{},
 		// 		NetworkSettings: &docker.NetworkSettings{
 		// 			Ports: map[docker.Port][]docker.PortBinding{
 		// 				"80/tcp":  []docker.PortBinding{},
@@ -244,16 +251,20 @@ func TestDockerGetPort(t *testing.T) {
 		// 	expected: "80",
 		// },
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.port": "8080",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
@@ -273,20 +284,24 @@ func TestDockerGetWeight(t *testing.T) {
 	provider := &Docker{}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
-			expected: "0",
+			expected: "1",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.weight": "10",
 					},
@@ -310,20 +325,24 @@ func TestDockerGetDomain(t *testing.T) {
 	}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
 			expected: "docker.localhost",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.domain": "foo.bar",
 					},
@@ -345,20 +364,24 @@ func TestDockerGetProtocol(t *testing.T) {
 	provider := &Docker{}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
 			expected: "http",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.protocol": "https",
 					},
@@ -380,20 +403,24 @@ func TestDockerGetPassHostHeader(t *testing.T) {
 	provider := &Docker{}
 
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Name:   "foo",
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "foo",
+				},
+				Config: &container.Config{},
 			},
 			expected: "false",
 		},
 		{
-			container: docker.Container{
-				Name: "test",
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.frontend.passHostHeader": "true",
 					},
@@ -413,18 +440,18 @@ func TestDockerGetPassHostHeader(t *testing.T) {
 
 func TestDockerGetLabel(t *testing.T) {
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  string
 	}{
 		{
-			container: docker.Container{
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				Config: &container.Config{},
 			},
 			expected: "Label not found:",
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				Config: &container.Config{
 					Labels: map[string]string{
 						"foo": "bar",
 					},
@@ -450,20 +477,20 @@ func TestDockerGetLabel(t *testing.T) {
 
 func TestDockerGetLabels(t *testing.T) {
 	containers := []struct {
-		container      docker.Container
+		container      docker.ContainerJSON
 		expectedLabels map[string]string
 		expectedError  string
 	}{
 		{
-			container: docker.Container{
-				Config: &docker.Config{},
+			container: docker.ContainerJSON{
+				Config: &container.Config{},
 			},
 			expectedLabels: map[string]string{},
 			expectedError:  "Label not found:",
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				Config: &container.Config{
 					Labels: map[string]string{
 						"foo": "fooz",
 					},
@@ -475,8 +502,8 @@ func TestDockerGetLabels(t *testing.T) {
 			expectedError: "Label not found: bar",
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				Config: &container.Config{
 					Labels: map[string]string{
 						"foo": "fooz",
 						"bar": "barz",
@@ -506,141 +533,168 @@ func TestDockerGetLabels(t *testing.T) {
 
 func TestDockerTraefikFilter(t *testing.T) {
 	containers := []struct {
-		container docker.Container
+		container docker.ContainerJSON
 		expected  bool
 	}{
 		{
-			container: docker.Container{
-				Config:          &docker.Config{},
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config:          &container.Config{},
 				NetworkSettings: &docker.NetworkSettings{},
 			},
 			expected: false,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.enable": "false",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
 			expected: false,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.rule": "Host",
+						"traefik.frontend.rule": "Host:foo.bar",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
-					},
-				},
-			},
-			expected: false,
-		},
-		{
-			container: docker.Container{
-				Config: &docker.Config{
-					Labels: map[string]string{
-						"traefik.frontend.value": "foo.bar",
-					},
-				},
-				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
-					},
-				},
-			},
-			expected: false,
-		},
-		{
-			container: docker.Container{
-				Config: &docker.Config{},
-				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp":  {},
-						"443/tcp": {},
-					},
-				},
-			},
-			expected: false,
-		},
-		{
-			container: docker.Container{
-				Config: &docker.Config{},
-				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
 			expected: true,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{},
+				NetworkSettings: &docker.NetworkSettings{
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp":  {},
+							"443/tcp": {},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{},
+				NetworkSettings: &docker.NetworkSettings{
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.port": "80",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp":  {},
-						"443/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp":  {},
+							"443/tcp": {},
+						},
 					},
 				},
 			},
 			expected: true,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.enable": "true",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
 			expected: true,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
 						"traefik.enable": "anything",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
 			expected: true,
 		},
 		{
-			container: docker.Container{
-				Config: &docker.Config{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "container",
+				},
+				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.rule":  "Host",
-						"traefik.frontend.value": "foo.bar",
+						"traefik.frontend.rule": "Host:foo.bar",
 					},
 				},
 				NetworkSettings: &docker.NetworkSettings{
-					Ports: map[docker.Port][]docker.PortBinding{
-						"80/tcp": {},
+					NetworkSettingsBase: docker.NetworkSettingsBase{
+						Ports: nat.PortMap{
+							"80/tcp": {},
+						},
 					},
 				},
 			},
@@ -651,33 +705,37 @@ func TestDockerTraefikFilter(t *testing.T) {
 	for _, e := range containers {
 		actual := containerFilter(e.container)
 		if actual != e.expected {
-			t.Fatalf("expected %v, got %v", e.expected, actual)
+			t.Fatalf("expected %v for %+v, got %+v", e.expected, e, actual)
 		}
 	}
 }
 
 func TestDockerLoadDockerConfig(t *testing.T) {
 	cases := []struct {
-		containers        []docker.Container
+		containers        []docker.ContainerJSON
 		expectedFrontends map[string]*types.Frontend
 		expectedBackends  map[string]*types.Backend
 	}{
 		{
-			containers:        []docker.Container{},
+			containers:        []docker.ContainerJSON{},
 			expectedFrontends: map[string]*types.Frontend{},
 			expectedBackends:  map[string]*types.Backend{},
 		},
 		{
-			containers: []docker.Container{
+			containers: []docker.ContainerJSON{
 				{
-					Name:   "test",
-					Config: &docker.Config{},
+					ContainerJSONBase: &docker.ContainerJSONBase{
+						Name: "test",
+					},
+					Config: &container.Config{},
 					NetworkSettings: &docker.NetworkSettings{
-						Ports: map[docker.Port][]docker.PortBinding{
-							"80/tcp": {},
+						NetworkSettingsBase: docker.NetworkSettingsBase{
+							Ports: nat.PortMap{
+								"80/tcp": {},
+							},
 						},
-						Networks: map[string]docker.ContainerNetwork{
-							"bridgde": {
+						Networks: map[string]*network.EndpointSettings{
+							"bridge": {
 								IPAddress: "127.0.0.1",
 							},
 						},
@@ -690,8 +748,7 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 					EntryPoints: []string{},
 					Routes: map[string]types.Route{
 						`"route-frontend-Host-test-docker-localhost"`: {
-							Rule:  "Host",
-							Value: "test.docker.localhost",
+							Rule: "Host:test.docker.localhost",
 						},
 					},
 				},
@@ -700,7 +757,8 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				"backend-test": {
 					Servers: map[string]types.Server{
 						"server-test": {
-							URL: "http://127.0.0.1:80",
+							URL:    "http://127.0.0.1:80",
+							Weight: 1,
 						},
 					},
 					CircuitBreaker: nil,
@@ -709,39 +767,47 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 			},
 		},
 		{
-			containers: []docker.Container{
+			containers: []docker.ContainerJSON{
 				{
-					Name: "test1",
-					Config: &docker.Config{
+					ContainerJSONBase: &docker.ContainerJSONBase{
+						Name: "test1",
+					},
+					Config: &container.Config{
 						Labels: map[string]string{
 							"traefik.backend":              "foobar",
 							"traefik.frontend.entryPoints": "http,https",
 						},
 					},
 					NetworkSettings: &docker.NetworkSettings{
-						Ports: map[docker.Port][]docker.PortBinding{
-							"80/tcp": {},
+						NetworkSettingsBase: docker.NetworkSettingsBase{
+							Ports: nat.PortMap{
+								"80/tcp": {},
+							},
 						},
-						Networks: map[string]docker.ContainerNetwork{
-							"bridgde": {
+						Networks: map[string]*network.EndpointSettings{
+							"bridge": {
 								IPAddress: "127.0.0.1",
 							},
 						},
 					},
 				},
 				{
-					Name: "test2",
-					Config: &docker.Config{
+					ContainerJSONBase: &docker.ContainerJSONBase{
+						Name: "test2",
+					},
+					Config: &container.Config{
 						Labels: map[string]string{
 							"traefik.backend": "foobar",
 						},
 					},
 					NetworkSettings: &docker.NetworkSettings{
-						Ports: map[docker.Port][]docker.PortBinding{
-							"80/tcp": {},
+						NetworkSettingsBase: docker.NetworkSettingsBase{
+							Ports: nat.PortMap{
+								"80/tcp": {},
+							},
 						},
-						Networks: map[string]docker.ContainerNetwork{
-							"bridgde": {
+						Networks: map[string]*network.EndpointSettings{
+							"bridge": {
 								IPAddress: "127.0.0.1",
 							},
 						},
@@ -754,8 +820,7 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 					EntryPoints: []string{"http", "https"},
 					Routes: map[string]types.Route{
 						`"route-frontend-Host-test1-docker-localhost"`: {
-							Rule:  "Host",
-							Value: "test1.docker.localhost",
+							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
@@ -764,8 +829,7 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 					EntryPoints: []string{},
 					Routes: map[string]types.Route{
 						`"route-frontend-Host-test2-docker-localhost"`: {
-							Rule:  "Host",
-							Value: "test2.docker.localhost",
+							Rule: "Host:test2.docker.localhost",
 						},
 					},
 				},
@@ -774,10 +838,12 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				"backend-foobar": {
 					Servers: map[string]types.Server{
 						"server-test1": {
-							URL: "http://127.0.0.1:80",
+							URL:    "http://127.0.0.1:80",
+							Weight: 1,
 						},
 						"server-test2": {
-							URL: "http://127.0.0.1:80",
+							URL:    "http://127.0.0.1:80",
+							Weight: 1,
 						},
 					},
 					CircuitBreaker: nil,

provider/file.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/BurntSushi/toml"
 	log "github.com/Sirupsen/logrus"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"gopkg.in/fsnotify.v1"
 )
@@ -34,7 +35,7 @@ func (provider *File) Provide(configurationChan chan<- types.ConfigMessage) erro
 
 	if provider.Watch {
 		// Process events
-		go func() {
+		safe.Go(func() {
 			defer watcher.Close()
 			for {
 				select {
@@ -53,7 +54,7 @@ func (provider *File) Provide(configurationChan chan<- types.ConfigMessage) erro
 					log.Error("Watcher event error", error)
 				}
 			}
-		}()
+		})
 		err = watcher.Add(filepath.Dir(file.Name()))
 		if err != nil {
 			log.Error("Error adding file watcher", err)

provider/kv.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv"
 	"github.com/docker/libkv/store"
@@ -101,7 +102,9 @@ func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage) error
 	}
 	provider.kvclient = kv
 	if provider.Watch {
-		go provider.watchKv(configurationChan, provider.Prefix)
+		safe.Go(func() {
+			provider.watchKv(configurationChan, provider.Prefix)
+		})
 	}
 	configuration := provider.loadConfig()
 	configurationChan <- types.ConfigMessage{

provider/kv_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/containous/traefik/safe"
 	"github.com/docker/libkv/store"
 	"reflect"
 	"sort"
@@ -256,7 +257,9 @@ func TestKvWatchTree(t *testing.T) {
 	}
 
 	configChan := make(chan types.ConfigMessage)
-	go provider.watchKv(configChan, "prefix")
+	safe.Go(func() {
+		provider.watchKv(configChan, "prefix")
+	})
 
 	select {
 	case c1 := <-returnedChans:

provider/marathon.go

@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/gambol99/go-marathon"
 	"net/http"
@@ -17,12 +18,13 @@ import (
 
 // Marathon holds configuration of the Marathon provider.
 type Marathon struct {
-	BaseProvider   `mapstructure:",squash"`
-	Endpoint       string
-	Domain         string
-	Basic          *MarathonBasic
-	TLS            *tls.Config
-	marathonClient marathon.Marathon
+	BaseProvider     `mapstructure:",squash"`
+	Endpoint         string
+	Domain           string
+	ExposedByDefault bool
+	Basic            *MarathonBasic
+	TLS              *tls.Config
+	marathonClient   marathon.Marathon
 }
 
 // MarathonBasic holds basic authentication specific configurations
@@ -62,7 +64,7 @@ func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage)
 		if err := client.AddEventsListener(update, marathon.EVENTS_APPLICATIONS); err != nil {
 			log.Errorf("Failed to register for events, %s", err)
 		} else {
-			go func() {
+			safe.Go(func() {
 				for {
 					event := <-update
 					log.Debug("Marathon event receveived", event)
@@ -74,7 +76,7 @@ func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage)
 						}
 					}
 				}
-			}()
+			})
 		}
 	}
 
@@ -95,7 +97,6 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 		"getProtocol":        provider.getProtocol,
 		"getPassHostHeader":  provider.getPassHostHeader,
 		"getEntryPoints":     provider.getEntryPoints,
-		"getFrontendValue":   provider.getFrontendValue,
 		"getFrontendRule":    provider.getFrontendRule,
 		"getFrontendBackend": provider.getFrontendBackend,
 		"replace":            replace,
@@ -115,7 +116,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 
 	//filter tasks
 	filteredTasks := fun.Filter(func(task marathon.Task) bool {
-		return taskFilter(task, applications)
+		return taskFilter(task, applications, provider.ExposedByDefault)
 	}, tasks.Tasks).([]marathon.Task)
 
 	//filter apps
@@ -140,7 +141,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 	return configuration
 }
 
-func taskFilter(task marathon.Task, applications *marathon.Applications) bool {
+func taskFilter(task marathon.Task, applications *marathon.Applications, exposedByDefaultFlag bool) bool {
 	if len(task.Ports) == 0 {
 		log.Debug("Filtering marathon task without port %s", task.AppID)
 		return false
@@ -150,7 +151,8 @@ func taskFilter(task marathon.Task, applications *marathon.Applications) bool {
 		log.Errorf("Unable to get marathon application from task %s", task.AppID)
 		return false
 	}
-	if application.Labels["traefik.enable"] == "false" {
+
+	if !isApplicationEnabled(application, exposedByDefaultFlag) {
 		log.Debugf("Filtering disabled marathon task %s", task.AppID)
 		return false
 	}
@@ -227,6 +229,10 @@ func getApplication(task marathon.Task, apps []marathon.Application) (marathon.A
 	return marathon.Application{}, errors.New("Application not found: " + task.AppID)
 }
 
+func isApplicationEnabled(application marathon.Application, exposedByDefault bool) bool {
+	return exposedByDefault && application.Labels["traefik.enable"] != "false" || application.Labels["traefik.enable"] == "true"
+}
+
 func (provider *Marathon) getLabel(application marathon.Application, label string) (string, error) {
 	for key, value := range application.Labels {
 		if key == label {
@@ -303,22 +309,21 @@ func (provider *Marathon) getEntryPoints(application marathon.Application) []str
 	return []string{}
 }
 
-// getFrontendValue returns the frontend value for the specified application, using
-// it's label. It returns a default one if the label is not present.
-func (provider *Marathon) getFrontendValue(application marathon.Application) string {
-	if label, err := provider.getLabel(application, "traefik.frontend.value"); err == nil {
-		return label
-	}
-	return getEscapedName(application.ID) + "." + provider.Domain
-}
-
 // getFrontendRule returns the frontend rule for the specified application, using
 // it's label. It returns a default one (Host) if the label is not present.
 func (provider *Marathon) getFrontendRule(application marathon.Application) string {
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+	// TODO: backwards compatibility with DEPRECATED rule.Value
+	if value, err := provider.getLabel(application, "traefik.frontend.value"); err == nil {
+		log.Warnf("Label traefik.frontend.value=%s is DEPRECATED, please refer to the rule label: https://github.com/containous/traefik/blob/master/docs/index.md#marathon", value)
+		rule, _ := provider.getLabel(application, "traefik.frontend.rule")
+		return rule + ":" + value
+	}
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
 	if label, err := provider.getLabel(application, "traefik.frontend.rule"); err == nil {
 		return label
 	}
-	return "Host"
+	return "Host:" + getEscapedName(application.ID) + "." + provider.Domain
 }
 
 func (provider *Marathon) getBackend(task marathon.Task, applications []marathon.Application) string {

provider/marathon_test.go

@@ -86,8 +86,7 @@ func TestMarathonLoadConfig(t *testing.T) {
 					EntryPoints: []string{},
 					Routes: map[string]types.Route{
 						`route-host-test`: {
-							Rule:  "Host",
-							Value: "test.docker.localhost",
+							Rule: "Host:test.docker.localhost",
 						},
 					},
 				},
@@ -110,8 +109,9 @@ func TestMarathonLoadConfig(t *testing.T) {
 	for _, c := range cases {
 		fakeClient := newFakeClient(c.applicationsError, c.applications, c.tasksError, c.tasks)
 		provider := &Marathon{
-			Domain:         "docker.localhost",
-			marathonClient: fakeClient,
+			Domain:           "docker.localhost",
+			ExposedByDefault: true,
+			marathonClient:   fakeClient,
 		}
 		actualConfig := provider.loadMarathonConfig()
 		if c.expectedNil {
@@ -132,22 +132,25 @@ func TestMarathonLoadConfig(t *testing.T) {
 
 func TestMarathonTaskFilter(t *testing.T) {
 	cases := []struct {
-		task         marathon.Task
-		applications *marathon.Applications
-		expected     bool
+		task             marathon.Task
+		applications     *marathon.Applications
+		expected         bool
+		exposedByDefault bool
 	}{
 		{
-			task:         marathon.Task{},
-			applications: &marathon.Applications{},
-			expected:     false,
+			task:             marathon.Task{},
+			applications:     &marathon.Applications{},
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
 				AppID: "test",
 				Ports: []int{80},
 			},
-			applications: &marathon.Applications{},
-			expected:     false,
+			applications:     &marathon.Applications{},
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -161,7 +164,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -176,7 +180,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -194,7 +199,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -212,7 +218,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -230,7 +237,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -248,7 +256,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -266,7 +275,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -285,7 +295,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -303,7 +314,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -326,7 +338,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -352,7 +365,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -367,7 +381,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -390,12 +405,67 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose",
+						Ports: []int{80},
+					},
+				},
+			},
+			expected:         false,
+			exposedByDefault: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose-disable-in-label",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose-disable-in-label",
+						Ports: []int{80},
+						Labels: map[string]string{
+							"traefik.enable": "false",
+						},
+					},
+				},
+			},
+			expected:         false,
+			exposedByDefault: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose-enable-in-label",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose-enable-in-label",
+						Ports: []int{80},
+						Labels: map[string]string{
+							"traefik.enable": "true",
+						},
+					},
+				},
+			},
+			expected:         true,
+			exposedByDefault: false,
 		},
 	}
 
 	for _, c := range cases {
-		actual := taskFilter(c.task, c.applications)
+		actual := taskFilter(c.task, c.applications, c.exposedByDefault)
 		if actual != c.expected {
 			t.Fatalf("expected %v, got %v", c.expected, actual)
 		}
@@ -760,7 +830,7 @@ func TestMarathonGetEntryPoints(t *testing.T) {
 	}
 }
 
-func TestMarathonGetFrontendValue(t *testing.T) {
+func TestMarathonGetFrontendRule(t *testing.T) {
 	provider := &Marathon{
 		Domain: "docker.localhost",
 	}
@@ -771,50 +841,21 @@ func TestMarathonGetFrontendValue(t *testing.T) {
 	}{
 		{
 			application: marathon.Application{},
-			expected:    ".docker.localhost",
+			expected:    "Host:.docker.localhost",
 		},
 		{
 			application: marathon.Application{
 				ID: "test",
 			},
-			expected: "test.docker.localhost",
+			expected: "Host:test.docker.localhost",
 		},
 		{
 			application: marathon.Application{
 				Labels: map[string]string{
-					"traefik.frontend.value": "foo.bar",
+					"traefik.frontend.rule": "Host:foo.bar",
 				},
 			},
-			expected: "foo.bar",
-		},
-	}
-
-	for _, a := range applications {
-		actual := provider.getFrontendValue(a.application)
-		if actual != a.expected {
-			t.Fatalf("expected %q, got %q", a.expected, actual)
-		}
-	}
-}
-
-func TestMarathonGetFrontendRule(t *testing.T) {
-	provider := &Marathon{}
-
-	applications := []struct {
-		application marathon.Application
-		expected    string
-	}{
-		{
-			application: marathon.Application{},
-			expected:    "Host",
-		},
-		{
-			application: marathon.Application{
-				Labels: map[string]string{
-					"traefik.frontend.rule": "Header",
-				},
-			},
-			expected: "Header",
+			expected: "Host:foo.bar",
 		},
 	}
 

provider/provider.go

@@ -9,6 +9,7 @@ import (
 	"github.com/BurntSushi/toml"
 	"github.com/containous/traefik/autogen"
 	"github.com/containous/traefik/types"
+	"unicode"
 )
 
 // Provider defines methods of a provider.
@@ -67,3 +68,11 @@ func replace(s1 string, s2 string, s3 string) string {
 func getEscapedName(name string) string {
 	return strings.Replace(strings.TrimPrefix(name, "/"), "/", "-", -1)
 }
+
+func normalize(name string) string {
+	fargs := func(c rune) bool {
+		return !unicode.IsLetter(c) && !unicode.IsNumber(c)
+	}
+	// get function
+	return strings.Join(strings.FieldsFunc(name, fargs), "-")
+}

rules.go

@@ -0,0 +1,147 @@
+package main
+
+import (
+	"errors"
+	"github.com/gorilla/mux"
+	"net"
+	"net/http"
+	"reflect"
+	"sort"
+	"strings"
+)
+
+// Rules holds rule parsing and configuration
+type Rules struct {
+	route *serverRoute
+	err   error
+}
+
+func (r *Rules) host(hosts ...string) *mux.Route {
+	return r.route.route.MatcherFunc(func(req *http.Request, route *mux.RouteMatch) bool {
+		reqHost, _, err := net.SplitHostPort(req.Host)
+		if err != nil {
+			reqHost = req.Host
+		}
+		for _, host := range hosts {
+			if reqHost == strings.TrimSpace(host) {
+				return true
+			}
+		}
+		return false
+	})
+}
+
+func (r *Rules) hostRegexp(hosts ...string) *mux.Route {
+	router := r.route.route.Subrouter()
+	for _, host := range hosts {
+		router.Host(strings.TrimSpace(host))
+	}
+	return r.route.route
+}
+
+func (r *Rules) path(paths ...string) *mux.Route {
+	router := r.route.route.Subrouter()
+	for _, path := range paths {
+		router.Path(strings.TrimSpace(path))
+	}
+	return r.route.route
+}
+
+func (r *Rules) pathPrefix(paths ...string) *mux.Route {
+	router := r.route.route.Subrouter()
+	for _, path := range paths {
+		router.PathPrefix(strings.TrimSpace(path))
+	}
+	return r.route.route
+}
+
+type bySize []string
+
+func (a bySize) Len() int           { return len(a) }
+func (a bySize) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a bySize) Less(i, j int) bool { return len(a[i]) > len(a[j]) }
+
+func (r *Rules) pathStrip(paths ...string) *mux.Route {
+	sort.Sort(bySize(paths))
+	r.route.stripPrefixes = paths
+	router := r.route.route.Subrouter()
+	for _, path := range paths {
+		router.Path(strings.TrimSpace(path))
+	}
+	return r.route.route
+}
+
+func (r *Rules) pathPrefixStrip(paths ...string) *mux.Route {
+	sort.Sort(bySize(paths))
+	r.route.stripPrefixes = paths
+	router := r.route.route.Subrouter()
+	for _, path := range paths {
+		router.PathPrefix(strings.TrimSpace(path))
+	}
+	return r.route.route
+}
+
+func (r *Rules) methods(methods ...string) *mux.Route {
+	return r.route.route.Methods(methods...)
+}
+
+func (r *Rules) headers(headers ...string) *mux.Route {
+	return r.route.route.Headers(headers...)
+}
+
+func (r *Rules) headersRegexp(headers ...string) *mux.Route {
+	return r.route.route.HeadersRegexp(headers...)
+}
+
+// Parse parses rules expressions
+func (r *Rules) Parse(expression string) (*mux.Route, error) {
+	functions := map[string]interface{}{
+		"Host":            r.host,
+		"HostRegexp":      r.hostRegexp,
+		"Path":            r.path,
+		"PathStrip":       r.pathStrip,
+		"PathPrefix":      r.pathPrefix,
+		"PathPrefixStrip": r.pathPrefixStrip,
+		"Method":          r.methods,
+		"Headers":         r.headers,
+		"HeadersRegexp":   r.headersRegexp,
+	}
+	f := func(c rune) bool {
+		return c == ':'
+	}
+	// get function
+	parsedFunctions := strings.FieldsFunc(expression, f)
+	if len(parsedFunctions) == 0 {
+		return nil, errors.New("Error parsing rule: " + expression)
+	}
+	parsedFunction, ok := functions[parsedFunctions[0]]
+	if !ok {
+		return nil, errors.New("Error parsing rule: " + expression + ". Unknow function: " + parsedFunctions[0])
+	}
+	parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
+	fargs := func(c rune) bool {
+		return c == ',' || c == ';'
+	}
+	// get function
+	parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
+	if len(parsedArgs) == 0 {
+		return nil, errors.New("Error parsing args from rule: " + expression)
+	}
+
+	inputs := make([]reflect.Value, len(parsedArgs))
+	for i := range parsedArgs {
+		inputs[i] = reflect.ValueOf(parsedArgs[i])
+	}
+	method := reflect.ValueOf(parsedFunction)
+	if method.IsValid() {
+		resultRoute := method.Call(inputs)[0].Interface().(*mux.Route)
+		if r.err != nil {
+			return nil, r.err
+		}
+		if resultRoute.GetError() != nil {
+			return nil, resultRoute.GetError()
+		}
+		return resultRoute, nil
+	}
+	return nil, errors.New("Method not found: " + parsedFunctions[0])
+}

safe/safe.go

@@ -0,0 +1,28 @@
+package safe
+
+import (
+	"log"
+	"runtime/debug"
+)
+
+// Go starts a recoverable goroutine
+func Go(goroutine func()) {
+	GoWithRecover(goroutine, defaultRecoverGoroutine)
+}
+
+// GoWithRecover starts a recoverable goroutine using given customRecover() function
+func GoWithRecover(goroutine func(), customRecover func(err interface{})) {
+	go func() {
+		defer func() {
+			if err := recover(); err != nil {
+				customRecover(err)
+			}
+		}()
+		goroutine()
+	}()
+}
+
+func defaultRecoverGoroutine(err interface{}) {
+	log.Println(err)
+	debug.PrintStack()
+}

script/binary

@@ -8,6 +8,11 @@ fi
 
 rm -f dist/traefik
 
+FLAGS=""
+if [ -n "$VERBOSE" ]; then
+    FLAGS="${FLAGS} -v"
+fi
+
 if [ -z "$VERSION" ]; then
     VERSION=$(git rev-parse HEAD)
 fi
@@ -17,4 +22,4 @@ if [ -z "$DATE" ]; then
 fi
 
 # Build binaries
-CGO_ENABLED=0 go build -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .
+CGO_ENABLED=0 GOGC=off go build $FLAGS -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .

script/crossbinary

@@ -32,5 +32,5 @@ fi
 rm -f dist/traefik_*
 
 # Build binaries
-gox -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" "${OS_PLATFORM_ARG[@]}" "${OS_ARCH_ARG[@]}" \
+GOGC=off gox -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" "${OS_PLATFORM_ARG[@]}" "${OS_ARCH_ARG[@]}" \
     -output="dist/traefik_{{.OS}}-{{.Arch}}"

script/deploy.sh

@@ -2,34 +2,64 @@
 set -e
 
 if ([ "$TRAVIS_BRANCH" = "master" ] || [ ! -z "$TRAVIS_TAG" ]) && [ "$TRAVIS_PULL_REQUEST" = "false" ]; then
-  echo "Deploying"
+  echo "Deploying..."
 else
   echo "Skipping deploy"
   exit 0
 fi
 
-curl -LO https://github.com/tcnksm/ghr/releases/download/pre-release/linux_amd64.zip
+git config --global user.email "emile@vauge.com"
+git config --global user.name "Emile Vauge"
+
+# load ssh key
+echo "Loading key..."
+openssl aes-256-cbc -d -k "$pass" -in .travis/traefik.id_rsa.enc -out ~/.ssh/traefik.id_rsa
+eval "$(ssh-agent -s)"
+chmod 600 ~/.ssh/traefik.id_rsa
+ssh-add ~/.ssh/traefik.id_rsa
+
+# download github release
+echo "Downloading ghr..."
+curl -LOs https://github.com/tcnksm/ghr/releases/download/pre-release/linux_amd64.zip
 unzip -q linux_amd64.zip
 sudo mv ghr /usr/bin/ghr
 sudo chmod +x /usr/bin/ghr
 
 # github release and tag
+echo "Github release..."
 ghr -t $GITHUB_TOKEN -u containous -r traefik --prerelease ${VERSION} dist/
 
+# update docs.traefik.io
+echo "Generating and updating documentation..."
+# DOESN'T WORK :'(
+# git remote add ssh git@github.com:containous/traefik.git
+# mkdocs gh-deploy -m $VERSION -c -r ssh
+
+mkdir site
+cd site
+git init
+git remote add origin git@github.com:containous/traefik.git
+git fetch origin
+git checkout gh-pages
+cd ..
+mkdocs build --clean
+cd site
+git add .
+echo $VERSION | git commit --file -
+git push -q -f origin gh-pages > /dev/null 2>&1
+
 # update traefik-library-image repo (official Docker image)
-git config --global user.email "emile@vauge.com"
-git config --global user.name "Emile Vauge"
-git clone https://github.com/containous/traefik-library-image.git
+echo "Updating traefik-library-imag repo..."
+git clone git@github.com:containous/traefik-library-image.git
 cd traefik-library-image
-git remote rm origin
-git remote add origin https://emilevauge:${GITHUB_TOKEN}@github.com/containous/traefik-library-image.git
 ./update.sh $VERSION
 git add -A
 echo $VERSION | git commit --file -
 echo $VERSION | git tag -a $VERSION --file -
-git push --follow-tags -u origin master
+git push -q --follow-tags -u origin master > /dev/null 2>&1
 
 # create docker image emilevauge/traefik (compatibility)
+echo "Updating docker emilevauge/traefik image..."
 docker login -e $DOCKER_EMAIL -u $DOCKER_USER -p $DOCKER_PASS
 docker tag containous/traefik emilevauge/traefik:latest
 docker push emilevauge/traefik:latest

script/test-integration

@@ -4,7 +4,11 @@ set -e
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export DEST=.
 
-TESTFLAGS="$TESTFLAGS -test.timeout=30m -check.v"
+TESTFLAGS="${TESTFLAGS} -test.timeout=30m -check.v"
+
+if [ -n "$VERBOSE" ]; then
+    TESTFLAGS="${TESTFLAGS} -v"
+fi
 
 cd integration
 CGO_ENABLED=0 go test $TESTFLAGS

script/test-unit

@@ -26,6 +26,10 @@ find_dirs() {
 
 TESTFLAGS="-cover -coverprofile=cover.out ${TESTFLAGS}"
 
+if [ -n "$VERBOSE" ]; then
+    TESTFLAGS="${TESTFLAGS} -v"
+fi
+
 if [ -z "$TESTDIRS" ]; then
     TESTDIRS=$(find_dirs '*_test.go')
 fi

script/validate-errcheck

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+unset IFS
+
+errors=()
+failedErrcheck=$(errcheck .)
+if [ "$failedErrcheck" ]; then
+    errors+=( "$failedErrcheck" )
+fi
+
+if [ ${#errors[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files have been errchecked.'
+else
+	{
+		echo "Errors from errcheck:"
+		for err in "${errors[@]}"; do
+			echo "$err"
+		done
+		echo
+		echo 'Please fix the above errors. You can test via "errcheck" and commit the result.'
+		echo
+	} >&2
+	false
+fi

server.go

@@ -14,27 +14,30 @@ import (
 	"reflect"
 	"regexp"
 	"sort"
+	"strconv"
 	"sync"
 	"syscall"
 	"time"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/codegangsta/negroni"
+	"github.com/containous/oxy/cbreaker"
+	"github.com/containous/oxy/forward"
+	"github.com/containous/oxy/roundrobin"
+	"github.com/containous/oxy/stream"
 	"github.com/containous/traefik/middlewares"
 	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/gorilla/mux"
 	"github.com/mailgun/manners"
-	"github.com/mailgun/oxy/cbreaker"
-	"github.com/mailgun/oxy/forward"
-	"github.com/mailgun/oxy/roundrobin"
 )
 
 var oxyLogger = &OxyLogger{}
 
 // Server is the reverse-proxy/load-balancer engine
 type Server struct {
-	serverEntryPoints          map[string]serverEntryPoint
+	serverEntryPoints          serverEntryPoints
 	configurationChan          chan types.ConfigMessage
 	configurationValidatedChan chan types.ConfigMessage
 	signals                    chan os.Signal
@@ -46,16 +49,23 @@ type Server struct {
 	loggerMiddleware           *middlewares.Logger
 }
 
+type serverEntryPoints map[string]*serverEntryPoint
+
 type serverEntryPoint struct {
 	httpServer *manners.GracefulServer
 	httpRouter *middlewares.HandlerSwitcher
 }
 
+type serverRoute struct {
+	route         *mux.Route
+	stripPrefixes []string
+}
+
 // NewServer returns an initialized Server.
 func NewServer(globalConfiguration GlobalConfiguration) *Server {
 	server := new(Server)
 
-	server.serverEntryPoints = make(map[string]serverEntryPoint)
+	server.serverEntryPoints = make(map[string]*serverEntryPoint)
 	server.configurationChan = make(chan types.ConfigMessage, 10)
 	server.configurationValidatedChan = make(chan types.ConfigMessage, 10)
 	server.signals = make(chan os.Signal, 1)
@@ -71,8 +81,13 @@ func NewServer(globalConfiguration GlobalConfiguration) *Server {
 
 // Start starts the server and blocks until server is shutted down.
 func (server *Server) Start() {
-	go server.listenProviders()
-	go server.listenConfigurations()
+	server.startHTTPServers()
+	safe.Go(func() {
+		server.listenProviders()
+	})
+	safe.Go(func() {
+		server.listenConfigurations()
+	})
 	server.configureProviders()
 	server.startProviders()
 	go server.listenSignals()
@@ -96,13 +111,26 @@ func (server *Server) Close() {
 	server.loggerMiddleware.Close()
 }
 
+func (server *Server) startHTTPServers() {
+	server.serverEntryPoints = server.buildEntryPoints(server.globalConfiguration)
+	for newServerEntryPointName, newServerEntryPoint := range server.serverEntryPoints {
+		newsrv, err := server.prepareServer(newServerEntryPointName, newServerEntryPoint.httpRouter, server.globalConfiguration.EntryPoints[newServerEntryPointName], nil, server.loggerMiddleware, metrics)
+		if err != nil {
+			log.Fatal("Error preparing server: ", err)
+		}
+		serverEntryPoint := server.serverEntryPoints[newServerEntryPointName]
+		serverEntryPoint.httpServer = newsrv
+		go server.startServer(serverEntryPoint.httpServer, server.globalConfiguration)
+	}
+}
+
 func (server *Server) listenProviders() {
 	lastReceivedConfiguration := time.Unix(0, 0)
 	lastConfigs := make(map[string]*types.ConfigMessage)
 	for {
 		configMsg := <-server.configurationChan
 		jsonConf, _ := json.Marshal(configMsg.Configuration)
-		log.Debugf("Configuration receveived from provider %s: %s", configMsg.ProviderName, string(jsonConf))
+		log.Debugf("Configuration received from provider %s: %s", configMsg.ProviderName, string(jsonConf))
 		lastConfigs[configMsg.ProviderName] = &configMsg
 		if time.Now().After(lastReceivedConfiguration.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
 			log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
@@ -110,13 +138,13 @@ func (server *Server) listenProviders() {
 			server.configurationValidatedChan <- configMsg
 		} else {
 			log.Debugf("Last %s config received less than %s, waiting...", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
-			go func() {
+			safe.Go(func() {
 				<-time.After(server.globalConfiguration.ProvidersThrottleDuration)
 				if time.Now().After(lastReceivedConfiguration.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
 					log.Debugf("Waited for %s config, OK", configMsg.ProviderName)
 					server.configurationValidatedChan <- *lastConfigs[configMsg.ProviderName]
 				}
-			}()
+			})
 		}
 		lastReceivedConfiguration = time.Now()
 	}
@@ -141,22 +169,8 @@ func (server *Server) listenConfigurations() {
 			if err == nil {
 				server.serverLock.Lock()
 				for newServerEntryPointName, newServerEntryPoint := range newServerEntryPoints {
-					currentServerEntryPoint := server.serverEntryPoints[newServerEntryPointName]
-					if currentServerEntryPoint.httpServer == nil {
-						newsrv, err := server.prepareServer(newServerEntryPoint.httpRouter, server.globalConfiguration.EntryPoints[newServerEntryPointName], nil, server.loggerMiddleware, metrics)
-						if err != nil {
-							log.Fatal("Error preparing server: ", err)
-						}
-						go server.startServer(newsrv, server.globalConfiguration)
-						currentServerEntryPoint.httpServer = newsrv
-						currentServerEntryPoint.httpRouter = newServerEntryPoint.httpRouter
-						server.serverEntryPoints[newServerEntryPointName] = currentServerEntryPoint
-						log.Infof("Created new Handler: %p", newServerEntryPoint.httpRouter.GetHandler())
-					} else {
-						handlerSwitcher := currentServerEntryPoint.httpRouter
-						handlerSwitcher.UpdateHandler(newServerEntryPoint.httpRouter.GetHandler())
-						log.Infof("Created new Handler: %p", newServerEntryPoint.httpRouter.GetHandler())
-					}
+					server.serverEntryPoints[newServerEntryPointName].httpRouter.UpdateHandler(newServerEntryPoint.httpRouter.GetHandler())
+					log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
 				}
 				server.currentConfigurations = newConfigurations
 				server.serverLock.Unlock()
@@ -205,12 +219,12 @@ func (server *Server) startProviders() {
 		jsonConf, _ := json.Marshal(provider)
 		log.Infof("Starting provider %v %s", reflect.TypeOf(provider), jsonConf)
 		currentProvider := provider
-		go func() {
+		safe.Go(func() {
 			err := currentProvider.Provide(server.configurationChan)
 			if err != nil {
 				log.Errorf("Error starting provider %s", err)
 			}
-		}()
+		})
 	}
 }
 
@@ -222,26 +236,41 @@ func (server *Server) listenSignals() {
 }
 
 // creates a TLS config that allows terminating HTTPS for multiple domains using SNI
-func (server *Server) createTLSConfig(tlsOption *TLS) (*tls.Config, error) {
+func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, router *middlewares.HandlerSwitcher) (*tls.Config, error) {
 	if tlsOption == nil {
 		return nil, nil
 	}
-	if len(tlsOption.Certificates) == 0 {
-		return nil, nil
-	}
 
 	config := &tls.Config{}
-	if config.NextProtos == nil {
-		config.NextProtos = []string{"http/1.1"}
-	}
-
-	var err error
-	config.Certificates = make([]tls.Certificate, len(tlsOption.Certificates))
-	for i, v := range tlsOption.Certificates {
-		config.Certificates[i], err = tls.LoadX509KeyPair(v.CertFile, v.KeyFile)
+	config.Certificates = []tls.Certificate{}
+	for _, v := range tlsOption.Certificates {
+		cert, err := tls.LoadX509KeyPair(v.CertFile, v.KeyFile)
 		if err != nil {
 			return nil, err
 		}
+		config.Certificates = append(config.Certificates, cert)
+	}
+
+	if server.globalConfiguration.ACME != nil {
+		if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok {
+			if entryPointName == server.globalConfiguration.ACME.EntryPoint {
+				checkOnDemandDomain := func(domain string) bool {
+					if router.GetHandler().Match(&http.Request{URL: &url.URL{}, Host: domain}, &mux.RouteMatch{}) {
+						return true
+					}
+					return false
+				}
+				err := server.globalConfiguration.ACME.CreateConfig(config, checkOnDemandDomain)
+				if err != nil {
+					return nil, err
+				}
+			}
+		} else {
+			return nil, errors.New("Unknown entrypoint " + server.globalConfiguration.ACME.EntryPoint + " for ACME configuration")
+		}
+	}
+	if len(config.Certificates) == 0 {
+		return nil, errors.New("No certificates found for TLS entrypoint " + entryPointName)
 	}
 	// BuildNameToCertificate parses the CommonName and SubjectAlternateName fields
 	// in each certificate and populates the config.NameToCertificate map.
@@ -250,30 +279,28 @@ func (server *Server) createTLSConfig(tlsOption *TLS) (*tls.Config, error) {
 }
 
 func (server *Server) startServer(srv *manners.GracefulServer, globalConfiguration GlobalConfiguration) {
-	log.Info("Starting server on ", srv.Addr)
+	log.Infof("Starting server on %s", srv.Addr)
 	if srv.TLSConfig != nil {
-		err := srv.ListenAndServeTLSWithConfig(srv.TLSConfig)
-		if err != nil {
+		if err := srv.ListenAndServeTLSWithConfig(srv.TLSConfig); err != nil {
 			log.Fatal("Error creating server: ", err)
 		}
 	} else {
-		err := srv.ListenAndServe()
-		if err != nil {
+		if err := srv.ListenAndServe(); err != nil {
 			log.Fatal("Error creating server: ", err)
 		}
 	}
 	log.Info("Server stopped")
 }
 
-func (server *Server) prepareServer(router http.Handler, entryPoint *EntryPoint, oldServer *manners.GracefulServer, middlewares ...negroni.Handler) (*manners.GracefulServer, error) {
-	log.Info("Preparing server")
+func (server *Server) prepareServer(entryPointName string, router *middlewares.HandlerSwitcher, entryPoint *EntryPoint, oldServer *manners.GracefulServer, middlewares ...negroni.Handler) (*manners.GracefulServer, error) {
+	log.Infof("Preparing server %s %+v", entryPointName, entryPoint)
 	// middlewares
 	var negroni = negroni.New()
 	for _, middleware := range middlewares {
 		negroni.Use(middleware)
 	}
 	negroni.UseHandler(router)
-	tlsConfig, err := server.createTLSConfig(entryPoint.TLS)
+	tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
 	if err != nil {
 		log.Fatalf("Error creating TLS config %s", err)
 		return nil, err
@@ -299,11 +326,11 @@ func (server *Server) prepareServer(router http.Handler, entryPoint *EntryPoint,
 	return gracefulServer, nil
 }
 
-func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration) map[string]serverEntryPoint {
-	serverEntryPoints := make(map[string]serverEntryPoint)
+func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration) map[string]*serverEntryPoint {
+	serverEntryPoints := make(map[string]*serverEntryPoint)
 	for entryPointName := range globalConfiguration.EntryPoints {
 		router := server.buildDefaultHTTPRouter()
-		serverEntryPoints[entryPointName] = serverEntryPoint{
+		serverEntryPoints[entryPointName] = &serverEntryPoint{
 			httpRouter: middlewares.NewHandlerSwitcher(router),
 		}
 	}
@@ -312,7 +339,7 @@ func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration)
 
 // LoadConfig returns a new gorilla.mux Route from the specified global configuration and the dynamic
 // provider configurations.
-func (server *Server) loadConfig(configurations configs, globalConfiguration GlobalConfiguration) (map[string]serverEntryPoint, error) {
+func (server *Server) loadConfig(configurations configs, globalConfiguration GlobalConfiguration) (map[string]*serverEntryPoint, error) {
 	serverEntryPoints := server.buildEntryPoints(globalConfiguration)
 	redirectHandlers := make(map[string]http.Handler)
 
@@ -328,28 +355,31 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 			if len(frontend.EntryPoints) == 0 {
 				frontend.EntryPoints = globalConfiguration.DefaultEntryPoints
 			}
+			if len(frontend.EntryPoints) == 0 {
+				log.Errorf("No entrypoint defined for frontend %s, defaultEntryPoints:%s. Skipping it", frontendName, globalConfiguration.DefaultEntryPoints)
+				continue
+			}
 			for _, entryPointName := range frontend.EntryPoints {
 				log.Debugf("Wiring frontend %s to entryPoint %s", frontendName, entryPointName)
 				if _, ok := serverEntryPoints[entryPointName]; !ok {
 					return nil, errors.New("Undefined entrypoint: " + entryPointName)
 				}
-				newRoute := serverEntryPoints[entryPointName].httpRouter.GetHandler().NewRoute().Name(frontendName)
+				newServerRoute := &serverRoute{route: serverEntryPoints[entryPointName].httpRouter.GetHandler().NewRoute().Name(frontendName)}
 				for routeName, route := range frontend.Routes {
-					log.Debugf("Creating route %s %s:%s", routeName, route.Rule, route.Value)
-					route, err := getRoute(newRoute, route.Rule, route.Value)
+					err := getRoute(newServerRoute, &route)
 					if err != nil {
 						return nil, err
 					}
-					newRoute = route
+					log.Debugf("Creating route %s %s", routeName, route.Rule)
 				}
 				entryPoint := globalConfiguration.EntryPoints[entryPointName]
 				if entryPoint.Redirect != nil {
 					if redirectHandlers[entryPointName] != nil {
-						newRoute.Handler(redirectHandlers[entryPointName])
+						newServerRoute.route.Handler(redirectHandlers[entryPointName])
 					} else if handler, err := server.loadEntryPointConfig(entryPointName, entryPoint); err != nil {
 						return nil, err
 					} else {
-						newRoute.Handler(handler)
+						newServerRoute.route.Handler(handler)
 						redirectHandlers[entryPointName] = handler
 					}
 				} else {
@@ -375,20 +405,47 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 									return nil, err
 								}
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
-								rebalancer.UpsertServer(url, roundrobin.Weight(server.Weight))
+								if err := rebalancer.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
+									return nil, err
+								}
 							}
 						case types.Wrr:
 							log.Debugf("Creating load-balancer wrr")
-							lb = middlewares.NewWebsocketUpgrader(rr)
+							lb = rr
 							for serverName, server := range configuration.Backends[frontend.Backend].Servers {
 								url, err := url.Parse(server.URL)
 								if err != nil {
 									return nil, err
 								}
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
-								rr.UpsertServer(url, roundrobin.Weight(server.Weight))
+								if err := rr.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
+									return nil, err
+								}
 							}
 						}
+						// retry ?
+						if globalConfiguration.Retry != nil {
+							retries := len(configuration.Backends[frontend.Backend].Servers)
+							if globalConfiguration.Retry.Attempts > 0 {
+								retries = globalConfiguration.Retry.Attempts
+							}
+							maxMem := int64(2 * 1024 * 1024)
+							if globalConfiguration.Retry.MaxMem > 0 {
+								maxMem = globalConfiguration.Retry.MaxMem
+							}
+							lb, err = stream.New(lb,
+								stream.Logger(oxyLogger),
+								stream.Retry("IsNetworkError() && Attempts() < "+strconv.Itoa(retries)),
+								stream.MemRequestBodyBytes(maxMem),
+								stream.MaxRequestBodyBytes(maxMem),
+								stream.MemResponseBodyBytes(maxMem),
+								stream.MaxResponseBodyBytes(maxMem))
+							log.Debugf("Creating retries max attempts %d", retries)
+							if err != nil {
+								return nil, err
+							}
+						}
+
 						var negroni = negroni.New()
 						if configuration.Backends[frontend.Backend].CircuitBreaker != nil {
 							log.Debugf("Creating circuit breaker %s", configuration.Backends[frontend.Backend].CircuitBreaker.Expression)
@@ -400,9 +457,9 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 					} else {
 						log.Debugf("Reusing backend %s", frontend.Backend)
 					}
-					server.wireFrontendBackend(frontend.Routes, newRoute, backends[frontend.Backend])
+					server.wireFrontendBackend(newServerRoute, backends[frontend.Backend])
 				}
-				err := newRoute.GetError()
+				err := newServerRoute.route.GetError()
 				if err != nil {
 					log.Errorf("Error building route: %s", err)
 				}
@@ -412,29 +469,15 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 	return serverEntryPoints, nil
 }
 
-func (server *Server) wireFrontendBackend(routes map[string]types.Route, newRoute *mux.Route, handler http.Handler) {
+func (server *Server) wireFrontendBackend(serverRoute *serverRoute, handler http.Handler) {
 	// strip prefix
-	var strip bool
-	for _, route := range routes {
-		switch route.Rule {
-		case "PathStrip":
-			newRoute.Handler(&middlewares.StripPrefix{
-				Prefix:  route.Value,
-				Handler: handler,
-			})
-			strip = true
-			break
-		case "PathPrefixStrip":
-			newRoute.Handler(&middlewares.StripPrefix{
-				Prefix:  route.Value,
-				Handler: handler,
-			})
-			strip = true
-			break
-		}
-	}
-	if !strip {
-		newRoute.Handler(handler)
+	if len(serverRoute.stripPrefixes) > 0 {
+		serverRoute.route.Handler(&middlewares.StripPrefix{
+			Prefixes: serverRoute.stripPrefixes,
+			Handler:  handler,
+		})
+	} else {
+		serverRoute.route.Handler(handler)
 	}
 }
 
@@ -474,32 +517,29 @@ func (server *Server) buildDefaultHTTPRouter() *mux.Router {
 	return router
 }
 
-func getRoute(any interface{}, rule string, value ...interface{}) (*mux.Route, error) {
-	switch rule {
-	case "PathStrip":
-		rule = "Path"
-	case "PathPrefixStrip":
-		rule = "PathPrefix"
+func getRoute(serverRoute *serverRoute, route *types.Route) error {
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+	// TODO: backwards compatibility with DEPRECATED rule.Value
+	if len(route.Value) > 0 {
+		route.Rule += ":" + route.Value
+		log.Warnf("Value %s is DEPRECATED (will be removed in v1.0.0), please refer to the new frontend notation: https://github.com/containous/traefik/blob/master/docs/index.md#-frontends", route.Value)
 	}
-	inputs := make([]reflect.Value, len(value))
-	for i := range value {
-		inputs[i] = reflect.ValueOf(value[i])
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+
+	rules := Rules{route: serverRoute}
+	newRoute, err := rules.Parse(route.Rule)
+	if err != nil {
+		return err
 	}
-	method := reflect.ValueOf(any).MethodByName(rule)
-	if method.IsValid() {
-		return method.Call(inputs)[0].Interface().(*mux.Route), nil
-	}
-	return nil, errors.New("Method not found: " + rule)
+	serverRoute.route = newRoute
+	return nil
 }
 
 func sortedFrontendNamesForConfig(configuration *types.Configuration) []string {
 	keys := []string{}
-
 	for key := range configuration.Frontends {
 		keys = append(keys, key)
 	}
-
 	sort.Strings(keys)
-
 	return keys
 }

templates/consul_catalog.tmpl

@@ -1,6 +1,6 @@
 [backends]{{range .Nodes}}
-    [backends.backend-{{getBackend .}}.servers.server-{{.Node.Node | replace "." "-"}}-{{.Service.Port}}]
-    url = "http://{{.Node.Address}}:{{.Service.Port}}"
+    [backends.backend-{{getBackend .}}.servers.{{.Service.Service | replace "." "-"}}--{{.Service.Address | replace "." "-"}}--{{.Service.Port}}]
+    url = "http://{{.Service.Address}}:{{.Service.Port}}"
 {{end}}
 
 [frontends]{{range .Services}}
@@ -8,6 +8,5 @@
   backend = "backend-{{.}}"
   passHostHeader = false
     [frontends.frontend-{{.}}.routes.route-host-{{.}}]
-    rule = "Host"
-    value = "{{getFrontendValue .}}"
+    rule = "{{getFrontendValue .}}"
 {{end}}

templates/docker.tmpl

@@ -13,5 +13,4 @@
   {{end}}]
     [frontends."frontend-{{$frontend}}".routes."route-frontend-{{$frontend}}"]
     rule = "{{getFrontendRule $container}}"
-    value = "{{getFrontendValue $container}}"
 {{end}}

templates/kv.tmpl

@@ -37,6 +37,5 @@
         {{range $routes}}
         [frontends.{{$frontend}}.routes.{{Last .}}]
         rule = "{{Get "" . "/rule"}}"
-        value = "{{Get "" . "/value"}}"
         {{end}}
 {{end}}

templates/marathon.tmpl

@@ -14,5 +14,4 @@
   {{end}}]
     [frontends.frontend{{.ID | replace "/" "-"}}.routes.route-host{{.ID | replace "/" "-"}}]
     rule = "{{getFrontendRule .}}"
-    value = "{{getFrontendValue .}}"
 {{end}}

traefik.sample.toml

@@ -2,46 +2,6 @@
 # Global configuration
 ################################################################
 
-# Entrypoints definition
-#
-# Optional
-# Default:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#
-# To redirect an http entrypoint to an https entrypoint (with SNI support):
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       entryPoint = "https"
-#   [entryPoints.https]
-#   address = ":443"
-#     [entryPoints.https.tls]
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.com.cert"
-#       KeyFile = "integration/fixtures/https/snitest.com.key"
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.org.cert"
-#       KeyFile = "integration/fixtures/https/snitest.org.key"
-#
-# To redirect an entrypoint rewriting the URL:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       regex = "^http://localhost/(.*)"
-#       replacement = "http://mydomain/$1"
-
-# Entrypoints to be used by frontends that do not specify any entrypoint.
-# Each frontend can specify its own entrypoints.
-#
-# Optional
-# Default: ["http"]
-#
-# defaultEntryPoints = ["http", "https"]
-
 # Timeout in seconds.
 # Duration to give active requests a chance to finish during hot-reloads
 #
@@ -87,6 +47,122 @@
 #
 # MaxIdleConnsPerHost = 200
 
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+
+# Enable ACME (Let's Encrypt): automatic SSL
+#
+# Optional
+#
+# [acme]
+
+# Email address used for registration
+#
+# Required
+#
+# email = "test@traefik.io"
+
+# File used for certificates storage.
+# WARNING, if you use Traefik in Docker, don't forget to mount this file as a volume.
+#
+# Required
+#
+# storageFile = "acme.json"
+
+# Entrypoint to proxy acme challenge to.
+# WARNING, must point to an entrypoint on port 443 
+#
+# Required
+#
+# entryPoint = "https"
+
+# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+#
+# Optional
+#
+# onDemand = true
+
+# CA server to use
+# Uncomment the line to run on the staging let's encrypt server
+# Leave comment to go to prod
+#
+# Optional
+#
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+
+# Domains list
+# You can provide SANs (alternative domains) to each main domain
+#
+# [[acme.domains]]
+#   main = "local1.com"
+#   sans = ["test1.local1.com", "test2.local1.com"]
+# [[acme.domains]]
+#   main = "local2.com"
+#   sans = ["test1.local2.com", "test2x.local2.com"]
+# [[acme.domains]]
+#   main = "local3.com"
+# [[acme.domains]]
+#   main = "local4.com"
+
+
+# Entrypoints definition
+#
+# Optional
+# Default:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#
+# To redirect an http entrypoint to an https entrypoint (with SNI support):
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       entryPoint = "https"
+#   [entryPoints.https]
+#   address = ":443"
+#     [entryPoints.https.tls]
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.com.cert"
+#       KeyFile = "integration/fixtures/https/snitest.com.key"
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.org.cert"
+#       KeyFile = "integration/fixtures/https/snitest.org.key"
+#
+# To redirect an entrypoint rewriting the URL:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       regex = "^http://localhost/(.*)"
+#       replacement = "http://mydomain/$1"
+
+# Enable retry sending request if network error
+#
+# Optional
+#
+# [retry]
+
+# Number of attempts
+#
+# Optional
+# Default: (number servers in backend) -1
+#
+# attempts = 3
+
+# Sets the maximum request body to be stored in memory in Mo
+#
+# Optional
+# Default: 2
+#
+# maxMem = 3
 
 ################################################################
 # Web configuration backend
@@ -225,6 +301,13 @@
 #
 # filename = "marathon.tmpl"
 
+# Expose Marathon apps by default in traefik
+#
+# Optional
+# Default: false
+#
+# ExposedByDefault = true
+
 # Enable Marathon basic authentication
 #
 # Optional
@@ -430,17 +513,14 @@
 #   [frontends.frontend1]
 #   backend = "backend2"
 #     [frontends.frontend1.routes.test_1]
-#     rule = "Host"
-#     value = "test.localhost"
+#     rule = "Host: test.localhost, other.localhost"
 #   [frontends.frontend2]
 #   backend = "backend1"
 #   passHostHeader = true
 #   entrypoints = ["https"] # overrides defaultEntryPoints
 #     [frontends.frontend2.routes.test_1]
-#     rule = "Host"
-#     value = "{subdomain:[a-z]+}.localhost"
+#     rule = "Host:{subdomain:[a-z]+}.localhost"
 #   [frontends.frontend3]
 #   entrypoints = ["http", "https"] # overrides defaultEntryPoints
 #   backend = "backend2"
-#     rule = "Path"
-#     value = "/test"
+#     rule = "Path: /test, /other"

types/types.go

@@ -30,8 +30,11 @@ type Server struct {
 
 // Route holds route configuration.
 type Route struct {
-	Rule  string `json:"rule,omitempty"`
+	Rule string `json:"rule,omitempty"`
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+	// TODO: backwards compatibility with DEPRECATED rule.Value
 	Value string `json:"value,omitempty"`
+	// ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
 }
 
 // Frontend holds frontend configuration.

webui/src/app/sections/providers/frontend-monitor/frontend-monitor.html

@@ -7,12 +7,10 @@
       <tr>
         <td><em>Route</em></td>
         <td><em>Rule</em></td>
-        <td><em>Value</em></td>
       </tr>
       <tr data-ng-repeat="(routeId, route) in frontendCtrl.frontend.routes">
         <td>{{routeId}}</td>
-        <td>{{route.rule}}</td>
-        <td><code>{{route.value}}</code></td>
+        <td><code>{{route.rule}}</code></td>
       </tr>
     </table>
   </div>

webui/src/app/traefik.scss

@@ -24,3 +24,11 @@
 .tabset-row__providers {
   margin-top: 3rem;
 }
+
+table {
+  table-layout: fixed; 
+}
+
+td, th {
+    word-wrap: break-word;
+}

webui/src/index.html

@@ -2,9 +2,10 @@
 <html ng-app="traefik">
   <head>
     <meta charset="utf-8">
-      <title>/ˈTræfɪk/</title>
+      <title>Træfɪk</title>
     <meta name="description" content="">
     <meta name="viewport" content="width=device-width">
+    <link rel="icon" type="image/png" href="traefik.icon.png" />
     <!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
 
     <!-- build:css({.tmp/serve,src}) styles/vendor.css -->
@@ -29,7 +30,7 @@
         <nav class="navbar navbar-default">
           <div class="container-fluid">
             <div class="navbar-header">
-              <a class="navbar-brand traefik-text" ui-sref="provider">/ˈTr<span class="traefik-blue">æ</span>fɪk/</a>
+              <a class="navbar-brand traefik-text" ui-sref="provider"><img height="16" src="traefik.icon.png"/></a>
             </div>
 
             <div class="collapse navbar-collapse">