Merge pull request #267 from containous/add-retries

add retries request

.github/CONTRIBUTING.md

@@ -37,14 +37,14 @@ traefik*
 
 The idea behind `glide` is the following :
 
-- when checkout(ing) a project, **run `glide up --quick`** to install
+- when checkout(ing) a project, **run `glide install`** to install
   (`go get …`) the dependencies in the `GOPATH`.
 - if you need another dependency, import and use it in
   the source, and **run `glide get github.com/Masterminds/cookoo`** to save it in
   `vendor` and add it to your `glide.yaml`.
 
 ```bash
-$ glide up --quick
+$ glide install
 # generate
 $ go generate
 # Simple go build

.gitignore

@@ -1,6 +1,7 @@
 /dist
 gen.go
 .idea
+.intellij
 log
 *.iml
 traefik
@@ -8,4 +9,4 @@ traefik.toml
 *.test
 vendor/
 static/
-glide.lock
+.vscode/

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+-   repo: git://github.com/pre-commit/pre-commit-hooks
+    sha: 44e1753f98b0da305332abe26856c3e621c5c439
+    hooks:
+    -   id: detect-private-key
+-   repo: git://github.com/containous/pre-commit-hooks
+    sha: 35e641b5107671e94102b0ce909648559e568d61
+    hooks:
+    -   id: goFmt
+    -   id: goLint
+    -   id: goErrcheck

.travis.yml

@@ -1,3 +1,7 @@
+branches:
+  except:
+    - /^v\d\.\d\.\d.*$/
+    
 env:
   REPO: $TRAVIS_REPO_SLUG
   VERSION: v1.0.0-beta.$TRAVIS_BUILD_NUMBER

Makefile

@@ -4,6 +4,7 @@ TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
 	-e OS_PLATFORM_ARG \
 	-e TESTFLAGS \
+	-e VERBOSE \
 	-e VERSION
 
 SRCS = $(shell git ls-files '*.go' | grep -v '^external/')
@@ -41,8 +42,8 @@ test-unit: build
 test-integration: build
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-integration
 
-validate: build
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint
+validate: build 
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh  validate-gofmt validate-govet validate-golint 
 
 validate-gofmt: build
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt
@@ -84,7 +85,7 @@ generate-webui: build-webui
 	fi
 
 lint:
-	$(foreach file,$(SRCS),golint $(file) || exit;)
+	script/validate-golint
 
 fmt:
 	gofmt -s -l -w $(SRCS)

README.md

@@ -4,22 +4,21 @@
 </p>
 
 [![Build Status](https://travis-ci.org/containous/traefik.svg?branch=master)](https://travis-ci.org/containous/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](https://github.com/containous/traefik/blob/master/LICENSE.md)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
 [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 
 
 Træfɪk is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker :whale:](https://www.docker.com/), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
+It supports several backends ([Docker :whale:](https://www.docker.com/), [Swarm :whale: :whale:](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
 
 
 ## Features
 
 - [It's fast](docs/index.md#benchmarks)
 - No dependency hell, single binary made with go
-- Simple json Rest API
-- Simple TOML file configuration
+- Rest API
 - Multiple backends supported: Docker, Mesos/Marathon, Consul, Etcd, and more to come
 - Watchers for backends, can listen change in backends to apply a new configuration automatically
 - Hot-reloading of configuration. No need to restart the process
@@ -29,10 +28,12 @@ It supports several backends ([Docker :whale:](https://www.docker.com/), [Mesos/
 - Rest Metrics
 - Tiny docker image included [![Image Layers](https://badge.imagelayers.io/containous/traefik:latest.svg)](https://imagelayers.io/?images=containous/traefik:latest)
 - SSL backends support
-- SSL frontend support
+- SSL frontend support (with SNI)
 - Clean AngularJS Web UI
 - Websocket support
 - HTTP/2 support
+- Retry request if network error
+- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS)
 
 ## Demo
 
@@ -53,6 +54,7 @@ You can access to a simple HTML frontend of Træfik.
 - [Gorilla mux](https://github.com/gorilla/mux): famous request router
 - [Negroni](https://github.com/codegangsta/negroni): web middlewares made simple
 - [Manners](https://github.com/mailgun/manners): graceful shutdown of http.Handler servers
+- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
 
 ## Quick start
 

acme/acme.go

@@ -0,0 +1,405 @@
+package acme
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	log "github.com/Sirupsen/logrus"
+	"github.com/xenolf/lego/acme"
+	"io/ioutil"
+	fmtlog "log"
+	"os"
+	"reflect"
+	"sync"
+	"time"
+)
+
+// Account is used to store lets encrypt registration info
+type Account struct {
+	Email              string
+	Registration       *acme.RegistrationResource
+	PrivateKey         []byte
+	DomainsCertificate DomainsCertificates
+}
+
+// GetEmail returns email
+func (a Account) GetEmail() string {
+	return a.Email
+}
+
+// GetRegistration returns lets encrypt registration resource
+func (a Account) GetRegistration() *acme.RegistrationResource {
+	return a.Registration
+}
+
+// GetPrivateKey returns private key
+func (a Account) GetPrivateKey() crypto.PrivateKey {
+	if privateKey, err := x509.ParsePKCS1PrivateKey(a.PrivateKey); err == nil {
+		return privateKey
+	}
+	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
+	return nil
+}
+
+// Certificate is used to store certificate info
+type Certificate struct {
+	Domain        string
+	CertURL       string
+	CertStableURL string
+	PrivateKey    []byte
+	Certificate   []byte
+}
+
+// DomainsCertificates stores a certificate for multiple domains
+type DomainsCertificates struct {
+	Certs []*DomainsCertificate
+	lock  *sync.RWMutex
+}
+
+func (dc *DomainsCertificates) init() error {
+	if dc.lock == nil {
+		dc.lock = &sync.RWMutex{}
+	}
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+	for _, domainsCertificate := range dc.Certs {
+		tlsCert, err := tls.X509KeyPair(domainsCertificate.Certificate.Certificate, domainsCertificate.Certificate.PrivateKey)
+		if err != nil {
+			return err
+		}
+		domainsCertificate.tlsCert = &tlsCert
+	}
+	return nil
+}
+
+func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain Domain) error {
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+
+	for _, domainsCertificate := range dc.Certs {
+		if reflect.DeepEqual(domain, domainsCertificate.Domains) {
+			domainsCertificate.Certificate = acmeCert
+			tlsCert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
+			if err != nil {
+				return err
+			}
+			domainsCertificate.tlsCert = &tlsCert
+			return nil
+		}
+	}
+	return errors.New("Certificate to renew not found for domain " + domain.Main)
+}
+
+func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain Domain) (*DomainsCertificate, error) {
+	dc.lock.Lock()
+	defer dc.lock.Unlock()
+
+	tlsCert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+	cert := DomainsCertificate{Domains: domain, Certificate: acmeCert, tlsCert: &tlsCert}
+	dc.Certs = append(dc.Certs, &cert)
+	return &cert, nil
+}
+
+func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*DomainsCertificate, bool) {
+	dc.lock.RLock()
+	defer dc.lock.RUnlock()
+	for _, domainsCertificate := range dc.Certs {
+		domains := []string{}
+		domains = append(domains, domainsCertificate.Domains.Main)
+		domains = append(domains, domainsCertificate.Domains.SANs...)
+		for _, domain := range domains {
+			if domain == domainToFind {
+				return domainsCertificate, true
+			}
+		}
+	}
+	return nil, false
+}
+
+func (dc *DomainsCertificates) exists(domainToFind Domain) (*DomainsCertificate, bool) {
+	dc.lock.RLock()
+	defer dc.lock.RUnlock()
+	for _, domainsCertificate := range dc.Certs {
+		if reflect.DeepEqual(domainToFind, domainsCertificate.Domains) {
+			return domainsCertificate, true
+		}
+	}
+	return nil, false
+}
+
+// DomainsCertificate contains a certificate for multiple domains
+type DomainsCertificate struct {
+	Domains     Domain
+	Certificate *Certificate
+	tlsCert     *tls.Certificate
+}
+
+// ACME allows to connect to lets encrypt and retrieve certs
+type ACME struct {
+	Email       string
+	Domains     []Domain
+	StorageFile string
+	OnDemand    bool
+	CAServer    string
+	EntryPoint  string
+	storageLock sync.RWMutex
+}
+
+// Domain holds a domain name with SANs
+type Domain struct {
+	Main string
+	SANs []string
+}
+
+// CreateConfig creates a tls.config from using ACME configuration
+func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(domain string) bool) error {
+	acme.Logger = fmtlog.New(ioutil.Discard, "", 0)
+
+	if len(a.StorageFile) == 0 {
+		return errors.New("Empty StorageFile, please provide a filenmae for certs storage")
+	}
+
+	log.Debugf("Generating default certificate...")
+	if len(tlsConfig.Certificates) == 0 {
+		// no certificates in TLS config, so we add a default one
+		cert, err := generateDefaultCertificate()
+		if err != nil {
+			return err
+		}
+		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
+	}
+	var account *Account
+	var needRegister bool
+
+	// if certificates in storage, load them
+	if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 {
+		log.Infof("Loading ACME certificates...")
+		// load account
+		account, err = a.loadAccount(a)
+		if err != nil {
+			return err
+		}
+	} else {
+		log.Infof("Generating ACME Account...")
+		// Create a user. New accounts need an email and private key to start
+		privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+		if err != nil {
+			return err
+		}
+		account = &Account{
+			Email:      a.Email,
+			PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
+		}
+		account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}}
+		needRegister = true
+	}
+
+	client, err := a.buildACMEClient(account)
+	if err != nil {
+		return err
+	}
+	client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
+	wrapperChallengeProvider := newWrapperChallengeProvider()
+	client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider)
+
+	if needRegister {
+		// New users will need to register; be sure to save it
+		reg, err := client.Register()
+		if err != nil {
+			return err
+		}
+		account.Registration = reg
+	}
+
+	// The client has a URL to the current Let's Encrypt Subscriber
+	// Agreement. The user will need to agree to it.
+	err = client.AgreeToTOS()
+	if err != nil {
+		return err
+	}
+
+	go a.retrieveCertificates(client, account)
+
+	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok {
+			return challengeCert, nil
+		}
+		if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
+			return domainCert.tlsCert, nil
+		}
+		if a.OnDemand {
+			if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) {
+				return nil, nil
+			}
+			return a.loadCertificateOnDemand(client, account, clientHello)
+		}
+		return nil, nil
+	}
+
+	ticker := time.NewTicker(24 * time.Hour)
+	go func() {
+		for {
+			select {
+			case <-ticker.C:
+
+				if err := a.renewCertificates(client, account); err != nil {
+					log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
+				}
+			}
+		}
+
+	}()
+	return nil
+}
+
+func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
+	log.Infof("Retrieving ACME certificates...")
+	for _, domain := range a.Domains {
+		// check if cert isn't already loaded
+		if _, exists := account.DomainsCertificate.exists(domain); !exists {
+			domains := []string{}
+			domains = append(domains, domain.Main)
+			domains = append(domains, domain.SANs...)
+			certificateResource, err := a.getDomainsCertificates(client, domains)
+			if err != nil {
+				log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
+				continue
+			}
+			_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
+			if err != nil {
+				log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
+				continue
+			}
+			if err = a.saveAccount(account); err != nil {
+				log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+				continue
+			}
+		}
+	}
+	log.Infof("Retrieved ACME certificates")
+}
+
+func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
+	for _, certificateResource := range account.DomainsCertificate.Certs {
+		// <= 7 days left, renew certificate
+		if certificateResource.tlsCert.Leaf.NotAfter.Before(time.Now().Add(time.Duration(24 * 7 * time.Hour))) {
+			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
+			renewedCert, err := client.RenewCertificate(acme.CertificateResource{
+				Domain:        certificateResource.Certificate.Domain,
+				CertURL:       certificateResource.Certificate.CertURL,
+				CertStableURL: certificateResource.Certificate.CertStableURL,
+				PrivateKey:    certificateResource.Certificate.PrivateKey,
+				Certificate:   certificateResource.Certificate.Certificate,
+			}, false)
+			if err != nil {
+				return err
+			}
+			log.Debugf("Renewed certificate %+v", certificateResource.Domains)
+			renewedACMECert := &Certificate{
+				Domain:        renewedCert.Domain,
+				CertURL:       renewedCert.CertURL,
+				CertStableURL: renewedCert.CertStableURL,
+				PrivateKey:    renewedCert.PrivateKey,
+				Certificate:   renewedCert.Certificate,
+			}
+			err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
+			if err != nil {
+				return err
+			}
+			if err = a.saveAccount(account); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) {
+	caServer := "https://acme-v01.api.letsencrypt.org/directory"
+	if len(a.CAServer) > 0 {
+		caServer = a.CAServer
+	}
+	client, err := acme.NewClient(caServer, Account, acme.RSA4096)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (a *ACME) loadCertificateOnDemand(client *acme.Client, Account *Account, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if certificateResource, ok := Account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
+		return certificateResource.tlsCert, nil
+	}
+	Certificate, err := a.getDomainsCertificates(client, []string{clientHello.ServerName})
+	if err != nil {
+		return nil, err
+	}
+	log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName)
+	cert, err := Account.DomainsCertificate.addCertificateForDomains(Certificate, Domain{Main: clientHello.ServerName})
+	if err != nil {
+		return nil, err
+	}
+	if err = a.saveAccount(Account); err != nil {
+		return nil, err
+	}
+	return cert.tlsCert, nil
+}
+
+func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
+	a.storageLock.RLock()
+	defer a.storageLock.RUnlock()
+	Account := Account{
+		DomainsCertificate: DomainsCertificates{},
+	}
+	file, err := ioutil.ReadFile(acmeConfig.StorageFile)
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(file, &Account); err != nil {
+		return nil, err
+	}
+	err = Account.DomainsCertificate.init()
+	if err != nil {
+		return nil, err
+	}
+	log.Infof("Loaded ACME config from storage %s", acmeConfig.StorageFile)
+	return &Account, nil
+}
+
+func (a *ACME) saveAccount(Account *Account) error {
+	a.storageLock.Lock()
+	defer a.storageLock.Unlock()
+	// write account to file
+	data, err := json.MarshalIndent(Account, "", "  ")
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(a.StorageFile, data, 0644)
+}
+
+func (a *ACME) getDomainsCertificates(client *acme.Client, domains []string) (*Certificate, error) {
+	log.Debugf("Loading ACME certificates %s...", domains)
+	bundle := false
+	certificate, failures := client.ObtainCertificate(domains, bundle, nil)
+	if len(failures) > 0 {
+		log.Error(failures)
+		return nil, fmt.Errorf("Cannot obtain certificates %s+v", failures)
+	}
+	log.Debugf("Loaded ACME certificates %s", domains)
+	return &Certificate{
+		Domain:        certificate.Domain,
+		CertURL:       certificate.CertURL,
+		CertStableURL: certificate.CertStableURL,
+		PrivateKey:    certificate.PrivateKey,
+		Certificate:   certificate.Certificate,
+	}, nil
+}

acme/challengeProvider.go

@@ -0,0 +1,56 @@
+package acme
+
+import (
+	"crypto/tls"
+	"sync"
+
+	"crypto/x509"
+	"github.com/xenolf/lego/acme"
+)
+
+type wrapperChallengeProvider struct {
+	challengeCerts map[string]*tls.Certificate
+	lock           sync.RWMutex
+}
+
+func newWrapperChallengeProvider() *wrapperChallengeProvider {
+	return &wrapperChallengeProvider{
+		challengeCerts: map[string]*tls.Certificate{},
+	}
+}
+
+func (c *wrapperChallengeProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	if cert, ok := c.challengeCerts[domain]; ok {
+		return cert, true
+	}
+	return nil, false
+}
+
+func (c *wrapperChallengeProvider) Present(domain, token, keyAuth string) error {
+	cert, err := acme.TLSSNI01ChallengeCert(keyAuth)
+	if err != nil {
+		return err
+	}
+	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return err
+	}
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	for i := range cert.Leaf.DNSNames {
+		c.challengeCerts[cert.Leaf.DNSNames[i]] = &cert
+	}
+
+	return nil
+
+}
+
+func (c *wrapperChallengeProvider) CleanUp(domain, token, keyAuth string) error {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	delete(c.challengeCerts, domain)
+	return nil
+}

acme/crypto.go

@@ -0,0 +1,78 @@
+package acme
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"time"
+)
+
+func generateDefaultCertificate() (*tls.Certificate, error) {
+	rsaPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	rsaPrivPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaPrivKey)})
+
+	randomBytes := make([]byte, 100)
+	_, err = rand.Read(randomBytes)
+	if err != nil {
+		return nil, err
+	}
+	zBytes := sha256.Sum256(randomBytes)
+	z := hex.EncodeToString(zBytes[:sha256.Size])
+	domain := fmt.Sprintf("%s.%s.traefik.default", z[:32], z[32:])
+	tempCertPEM, err := generatePemCert(rsaPrivKey, domain)
+	if err != nil {
+		return nil, err
+	}
+
+	certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &certificate, nil
+}
+func generatePemCert(privKey *rsa.PrivateKey, domain string) ([]byte, error) {
+	derBytes, err := generateDerCert(privKey, time.Time{}, domain)
+	if err != nil {
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}), nil
+}
+
+func generateDerCert(privKey *rsa.PrivateKey, expiration time.Time, domain string) ([]byte, error) {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, err
+	}
+
+	if expiration.IsZero() {
+		expiration = time.Now().Add(365)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "TRAEFIK DEFAULT CERT",
+		},
+		NotBefore: time.Now(),
+		NotAfter:  expiration,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment,
+		BasicConstraintsValid: true,
+		DNSNames:              []string{domain},
+	}
+
+	return x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+}

build.Dockerfile

@@ -1,11 +1,11 @@
 FROM golang:1.6.0-alpine
 
-RUN apk update && apk add git bash gcc
-
-RUN go get github.com/Masterminds/glide
-RUN go get github.com/mitchellh/gox
-RUN go get github.com/jteeuwen/go-bindata/...
-RUN go get github.com/golang/lint/golint
+RUN apk update && apk add git bash gcc musl-dev \
+&& go get github.com/Masterminds/glide \
+&& go get github.com/mitchellh/gox \
+&& go get github.com/jteeuwen/go-bindata/... \
+&& go get github.com/golang/lint/golint \
+&& go get github.com/kisielk/errcheck
 
 # Which docker version to test on
 ENV DOCKER_VERSION 1.10.1
@@ -24,6 +24,7 @@ RUN ln -s /usr/local/bin/docker-${DOCKER_VERSION} /usr/local/bin/docker
 WORKDIR /go/src/github.com/containous/traefik
 
 COPY glide.yaml glide.yaml
-RUN glide up --quick
+COPY glide.lock glide.lock
+RUN glide install
 
 COPY . /go/src/github.com/containous/traefik

cmd.go

@@ -126,6 +126,7 @@ func init() {
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Filename, "marathon.filename", "", "Override default configuration template. For advanced users :)")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Endpoint, "marathon.endpoint", "http://127.0.0.1:8080", "Marathon server endpoint. You can also specify multiple endpoint for Marathon")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Domain, "marathon.domain", "", "Default domain used")
+	traefikCmd.PersistentFlags().BoolVar(&arguments.Marathon.ExposedByDefault, "marathon.exposedByDefault", true, "Expose Marathon apps by default")
 
 	traefikCmd.PersistentFlags().BoolVar(&arguments.consul, "consul", false, "Enable Consul backend")
 	traefikCmd.PersistentFlags().BoolVar(&arguments.Consul.Watch, "consul.watch", true, "Watch provider")
@@ -165,15 +166,15 @@ func init() {
 	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Endpoint, "boltdb.endpoint", "127.0.0.1:4001", "Boltdb server endpoint")
 	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Prefix, "boltdb.prefix", "/traefik", "Prefix used for KV store")
 
-	viper.BindPFlag("configFile", traefikCmd.PersistentFlags().Lookup("configFile"))
-	viper.BindPFlag("graceTimeOut", traefikCmd.PersistentFlags().Lookup("graceTimeOut"))
-	//viper.BindPFlag("defaultEntryPoints", traefikCmd.PersistentFlags().Lookup("defaultEntryPoints"))
-	viper.BindPFlag("logLevel", traefikCmd.PersistentFlags().Lookup("logLevel"))
+	_ = viper.BindPFlag("configFile", traefikCmd.PersistentFlags().Lookup("configFile"))
+	_ = viper.BindPFlag("graceTimeOut", traefikCmd.PersistentFlags().Lookup("graceTimeOut"))
+	_ = viper.BindPFlag("logLevel", traefikCmd.PersistentFlags().Lookup("logLevel"))
 	// TODO: wait for this issue to be corrected: https://github.com/spf13/viper/issues/105
-	viper.BindPFlag("providersThrottleDuration", traefikCmd.PersistentFlags().Lookup("providersThrottleDuration"))
-	viper.BindPFlag("maxIdleConnsPerHost", traefikCmd.PersistentFlags().Lookup("maxIdleConnsPerHost"))
+	_ = viper.BindPFlag("providersThrottleDuration", traefikCmd.PersistentFlags().Lookup("providersThrottleDuration"))
+	_ = viper.BindPFlag("maxIdleConnsPerHost", traefikCmd.PersistentFlags().Lookup("maxIdleConnsPerHost"))
 	viper.SetDefault("providersThrottleDuration", time.Duration(2*time.Second))
 	viper.SetDefault("logLevel", "ERROR")
+	viper.SetDefault("MaxIdleConnsPerHost", 200)
 }
 
 func run() {
@@ -195,7 +196,11 @@ func run() {
 
 	if len(globalConfiguration.TraefikLogsFile) > 0 {
 		fi, err := os.OpenFile(globalConfiguration.TraefikLogsFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
-		defer fi.Close()
+		defer func() {
+			if err := fi.Close(); err != nil {
+				log.Error("Error closinf file", err)
+			}
+		}()
 		if err != nil {
 			log.Fatal("Error opening file", err)
 		} else {

configuration.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/types"
 	"github.com/mitchellh/mapstructure"
@@ -22,9 +23,11 @@ type GlobalConfiguration struct {
 	TraefikLogsFile           string
 	LogLevel                  string
 	EntryPoints               EntryPoints
+	ACME                      *acme.ACME
 	DefaultEntryPoints        DefaultEntryPoints
 	ProvidersThrottleDuration time.Duration
 	MaxIdleConnsPerHost       int
+	Retry                     *Retry
 	Docker                    *provider.Docker
 	File                      *provider.File
 	Web                       *WebProvider
@@ -92,7 +95,9 @@ func (ep *EntryPoints) Set(value string) error {
 	var tls *TLS
 	if len(result["TLS"]) > 0 {
 		certs := Certificates{}
-		certs.Set(result["TLS"])
+		if err := certs.Set(result["TLS"]); err != nil {
+			return err
+		}
 		tls = &TLS{
 			Certificates: certs,
 		}
@@ -178,6 +183,12 @@ type Certificate struct {
 	KeyFile  string
 }
 
+// Retry contains request retry config
+type Retry struct {
+	Attempts int
+	MaxMem   int64
+}
+
 // NewGlobalConfiguration returns a GlobalConfiguration with default values.
 func NewGlobalConfiguration() *GlobalConfiguration {
 	return new(GlobalConfiguration)
@@ -244,6 +255,7 @@ func LoadConfiguration() *GlobalConfiguration {
 		viper.Set("boltdb", arguments.Boltdb)
 	}
 	if err := unmarshal(&configuration); err != nil {
+
 		fmtlog.Fatalf("Error reading file: %s", err)
 	}
 

docs/index.md

@@ -1,6 +1,6 @@
-![Træfɪk](http://traefik.github.io/traefik.logo.svg "Træfɪk")
-___
-
+<p align="center">
+<img src="http://traefik.github.io/traefik.logo.svg" alt="Træfɪk" title="Træfɪk" />
+</p>
 
 # <a id="top"></a> Documentation
 
@@ -54,15 +54,20 @@ Various methods of load-balancing is supported:
 - `drr`: Dynamic Round Robin: increases weights on servers that perform better than others. It also rolls back to original weights if the servers have changed.
 
 A circuit breaker can also be applied to a backend, preventing high loads on failing servers.
+Initial state is Standby. CB observes the statistics and does not modify the request.
+In case if condition matches, CB enters Tripped state, where it responds with predefines code or redirects to another frontend.
+Once Tripped timer expires, CB enters Recovering state and resets all stats.
+In case if the condition does not match and recovery timer expries, CB enters Standby state.
+
 It can be configured using:
 
 - Methods: `LatencyAtQuantileMS`, `NetworkErrorRatio`, `ResponseCodeRatio`
 - Operators:  `AND`, `OR`, `EQ`, `NEQ`, `LT`, `LE`, `GT`, `GE`
 
 For example:
-- `NetworkErrorRatio() > 0.5`
-- `LatencyAtQuantileMS(50.0) > 50`
-- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`
+- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend
+- `LatencyAtQuantileMS(50.0) > 50`:  watch latency at quantile in milliseconds.
+- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in range [500-600) to  [0-600)
 
 
 ## <a id="launch"></a> Launch configuration
@@ -87,6 +92,7 @@ Træfɪk uses the following precedence order. Each item takes precedence over th
 
 It means that arguments overrides configuration file.
 Each argument is described in the help section:
+
 ```bash
 $ traefik --help
 traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
@@ -150,6 +156,7 @@ Flags:
       --marathon                             Enable Marathon backend
       --marathon.domain string               Default domain used
       --marathon.endpoint string             Marathon server endpoint. You can also specify multiple endpoint for Marathon (default "http://127.0.0.1:8080")
+      --marathon.exposedByDefault            Expose Marathon apps by default (default true)
       --marathon.filename string             Override default configuration template. For advanced users :)
       --marathon.watch                       Watch provider (default true)
       --maxIdleConnsPerHost int              If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used
@@ -177,46 +184,6 @@ Use "traefik [command] --help" for more information about a command.
 # Global configuration
 ################################################################
 
-# Entrypoints definition
-#
-# Optional
-# Default:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#
-# To redirect an http entrypoint to an https entrypoint (with SNI support):
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       entryPoint = "https"
-#   [entryPoints.https]
-#   address = ":443"
-#     [entryPoints.https.tls]
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.com.cert"
-#       KeyFile = "integration/fixtures/https/snitest.com.key"
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.org.cert"
-#       KeyFile = "integration/fixtures/https/snitest.org.key"
-#
-# To redirect an entrypoint rewriting the URL:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       regex = "^http://localhost/(.*)"
-#       replacement = "http://mydomain/$1"
-
-# Entrypoints to be used by frontends that do not specify any entrypoint.
-# Each frontend can specify its own entrypoints.
-#
-# Optional
-# Default: ["http"]
-#
-# defaultEntryPoints = ["http", "https"]
-
 # Timeout in seconds.
 # Duration to give active requests a chance to finish during hot-reloads
 #
@@ -262,6 +229,223 @@ Use "traefik [command] --help" for more information about a command.
 #
 # MaxIdleConnsPerHost = 200
 
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+
+# Enable ACME (Let's Encrypt): automatic SSL
+#
+# Optional
+#
+# [acme]
+
+# Email address used for registration
+#
+# Required
+#
+# email = "test@traefik.io"
+
+# File used for certificates storage.
+# WARNING, if you use Traefik in Docker, don't forget to mount this file as a volume.
+#
+# Required
+#
+# storageFile = "acme.json"
+
+# Entrypoint to proxy acme challenge to.
+# WARNING, must point to an entrypoint on port 443 
+#
+# Required
+#
+# entryPoint = "https"
+
+# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+#
+# Optional
+#
+# onDemand = true
+
+# CA server to use
+# Uncomment the line to run on the staging let's encrypt server
+# Leave comment to go to prod
+#
+# Optional
+#
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+
+# Domains list
+# You can provide SANs (alternative domains) to each main domain
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+# Each domain & SANs will lead to a certificate request.
+#
+# [[acme.domains]]
+#   main = "local1.com"
+#   sans = ["test1.local1.com", "test2.local1.com"]
+# [[acme.domains]]
+#   main = "local2.com"
+#   sans = ["test1.local2.com", "test2x.local2.com"]
+# [[acme.domains]]
+#   main = "local3.com"
+# [[acme.domains]]
+#   main = "local4.com"
+
+
+# Entrypoints definition
+#
+# Optional
+# Default:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#
+# To redirect an http entrypoint to an https entrypoint (with SNI support):
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       entryPoint = "https"
+#   [entryPoints.https]
+#   address = ":443"
+#     [entryPoints.https.tls]
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.com.cert"
+#       KeyFile = "integration/fixtures/https/snitest.com.key"
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.org.cert"
+#       KeyFile = "integration/fixtures/https/snitest.org.key"
+#
+# To redirect an entrypoint rewriting the URL:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       regex = "^http://localhost/(.*)"
+#       replacement = "http://mydomain/$1"
+
+# Enable retry sending request if network error
+#
+# Optional
+#
+# [retry]
+
+# Number of attempts
+#
+# Optional
+# Default: (number servers in backend) -1
+#
+# attempts = 3
+
+# Sets the maximum request body to be stored in memory in Mo
+#
+# Optional
+# Default: 2
+#
+# maxMem = 3
+```
+
+### Samples
+
+#### HTTP only
+
+```
+defaultEntryPoints = ["http"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+```
+
+### HTTP + HTTPS (with SNI)
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+### HTTP redirect on HTTPS
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+```
+
+### Let's Encrypt support
+
+```
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      # certs used as default certs
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+[acme]
+email = "test@traefik.io"
+storageFile = "acme.json"
+onDemand = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+```
+
+### Override entrypoints in frontends
+
+```
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host"
+    value = "test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host"
+    value = "{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+    rule = "Path"
+    value = "/test"
 ```
 
 
@@ -658,6 +842,13 @@ domain = "marathon.localhost"
 #
 # filename = "marathon.tmpl"
 
+# Expose Marathon apps by default in traefik
+#
+# Optional
+# Default: false
+#
+# ExposedByDefault = true
+
 # Enable Marathon basic authentication
 #
 # Optional

glide.lock

@@ -0,0 +1,273 @@
+hash: 21d4e8dc80c87101568a719ecf01d1af9a1b58f03c5c9dc864a8cb1005ddc160
+updated: 2016-03-29T21:50:20.577439177+02:00
+imports:
+- name: github.com/alecthomas/template
+  version: b867cc6ab45cece8143cfcc6fc9c77cf3f2c23c0
+- name: github.com/alecthomas/units
+  version: 6b4e7dc5e3143b85ea77909c72caf89416fc2915
+- name: github.com/boltdb/bolt
+  version: 51f99c862475898df9773747d3accd05a7ca33c1
+- name: github.com/BurntSushi/toml
+  version: bd2bdf7f18f849530ef7a1c29a4290217cab32a1
+- name: github.com/BurntSushi/ty
+  version: 6add9cd6ad42d389d6ead1dde60b4ad71e46fd74
+  subpackages:
+  - fun
+- name: github.com/cenkalti/backoff
+  version: 4dc77674aceaabba2c7e3da25d4c823edfb73f99
+- name: github.com/codahale/hdrhistogram
+  version: 954f16e8b9ef0e5d5189456aa4c1202758e04f17
+- name: github.com/codegangsta/cli
+  version: bf4a526f48af7badd25d2cb02d587e1b01be3b50
+- name: github.com/codegangsta/negroni
+  version: c7477ad8e330bef55bf1ebe300cf8aa67c492d1b
+- name: github.com/containous/oxy
+  version: 0b5b371bce661385d35439204298fa6fb5db5463
+  subpackages:
+  - cbreaker
+  - forward
+  - memmetrics
+  - roundrobin
+  - utils
+  - stream
+- name: github.com/coreos/go-etcd
+  version: cc90c7b091275e606ad0ca7102a23fb2072f3f5e
+  subpackages:
+  - etcd
+- name: github.com/davecgh/go-spew
+  version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
+  subpackages:
+  - spew
+- name: github.com/docker/distribution
+  version: 9038e48c3b982f8e82281ea486f078a73731ac4e
+- name: github.com/docker/docker
+  version: f39987afe8d611407887b3094c03d6ba6a766a67
+  subpackages:
+  - autogen
+  - api
+  - cliconfig
+  - daemon/network
+  - graph/tags
+  - image
+  - opts
+  - pkg/archive
+  - pkg/fileutils
+  - pkg/homedir
+  - pkg/httputils
+  - pkg/ioutils
+  - pkg/jsonmessage
+  - pkg/mflag
+  - pkg/nat
+  - pkg/parsers
+  - pkg/pools
+  - pkg/promise
+  - pkg/random
+  - pkg/stdcopy
+  - pkg/stringid
+  - pkg/symlink
+  - pkg/system
+  - pkg/tarsum
+  - pkg/term
+  - pkg/timeutils
+  - pkg/tlsconfig
+  - pkg/ulimit
+  - pkg/units
+  - pkg/urlutil
+  - pkg/useragent
+  - pkg/version
+  - registry
+  - runconfig
+  - utils
+  - volume
+- name: github.com/docker/libcompose
+  version: e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
+  subpackages:
+  - docker
+  - logger
+  - lookup
+  - project
+  - utils
+- name: github.com/docker/libkv
+  version: 3732f7ff1b56057c3158f10bceb1e79133025373
+  subpackages:
+  - store
+  - store/boltdb
+  - store/consul
+  - store/etcd
+  - store/zookeeper
+- name: github.com/docker/libtrust
+  version: 9cbd2a1374f46905c68a4eb3694a130610adc62a
+- name: github.com/donovanhide/eventsource
+  version: d8a3071799b98cacd30b6da92f536050ccfe6da4
+- name: github.com/elazarl/go-bindata-assetfs
+  version: d5cac425555ca5cf00694df246e04f05e6a55150
+- name: github.com/flynn/go-shlex
+  version: 3f9db97f856818214da2e1057f8ad84803971cff
+- name: github.com/fsouza/go-dockerclient
+  version: a49c8269a6899cae30da1f8a4b82e0ce945f9967
+  subpackages:
+  - external/github.com/docker/docker/opts
+  - external/github.com/docker/docker/pkg/archive
+  - external/github.com/docker/docker/pkg/fileutils
+  - external/github.com/docker/docker/pkg/homedir
+  - external/github.com/docker/docker/pkg/stdcopy
+  - external/github.com/hashicorp/go-cleanhttp
+  - external/github.com/Sirupsen/logrus
+  - external/github.com/docker/docker/pkg/idtools
+  - external/github.com/docker/docker/pkg/ioutils
+  - external/github.com/docker/docker/pkg/pools
+  - external/github.com/docker/docker/pkg/promise
+  - external/github.com/docker/docker/pkg/system
+  - external/github.com/docker/docker/pkg/longpath
+  - external/github.com/opencontainers/runc/libcontainer/user
+  - external/golang.org/x/sys/unix
+  - external/golang.org/x/net/context
+  - external/github.com/docker/go-units
+- name: github.com/gambol99/go-marathon
+  version: ade11d1dc2884ee1f387078fc28509559b6235d1
+- name: github.com/golang/glog
+  version: fca8c8854093a154ff1eb580aae10276ad6b1b5f
+- name: github.com/google/go-querystring
+  version: 6bb77fe6f42b85397288d4f6f67ac72f8f400ee7
+  subpackages:
+  - query
+- name: github.com/gorilla/context
+  version: 215affda49addc4c8ef7e2534915df2c8c35c6cd
+- name: github.com/gorilla/handlers
+  version: 40694b40f4a928c062f56849989d3e9cd0570e5f
+- name: github.com/gorilla/mux
+  version: f15e0c49460fd49eebe2bcc8486b05d1bef68d3a
+- name: github.com/gorilla/websocket
+  version: e2e3d8414d0fbae04004f151979f4e27c6747fe7
+- name: github.com/hashicorp/consul
+  version: de080672fee9e6104572eeea89eccdca135bb918
+  subpackages:
+  - api
+- name: github.com/hashicorp/hcl
+  version: 2604f3bda7e8960c1be1063709e7d7f0765048d0
+  subpackages:
+  - hcl/ast
+  - hcl/parser
+  - hcl/token
+  - json/parser
+  - hcl/scanner
+  - hcl/strconv
+  - json/scanner
+  - json/token
+- name: github.com/inconshreveable/mousetrap
+  version: 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+- name: github.com/kr/pretty
+  version: add1dbc86daf0f983cd4a48ceb39deb95c729b67
+- name: github.com/kr/text
+  version: bb797dc4fb8320488f47bf11de07a733d7233e1f
+- name: github.com/magiconair/properties
+  version: c265cfa48dda6474e208715ca93e987829f572f8
+- name: github.com/mailgun/log
+  version: 44874009257d4d47ba9806f1b7f72a32a015e4d8
+- name: github.com/mailgun/manners
+  version: fada45142db3f93097ca917da107aa3fad0ffcb5
+- name: github.com/mailgun/multibuf
+  version: 565402cd71fbd9c12aa7e295324ea357e970a61e
+- name: github.com/mailgun/predicate
+  version: cb0bff91a7ab7cf7571e661ff883fc997bc554a3
+- name: github.com/mailgun/timetools
+  version: fd192d755b00c968d312d23f521eb0cdc6f66bd0
+- name: github.com/miekg/dns
+  version: 7e024ce8ce18b21b475ac6baf8fa3c42536bf2fa
+- name: github.com/mitchellh/mapstructure
+  version: d2dd0262208475919e1a362f675cfc0e7c10e905
+- name: github.com/opencontainers/runc
+  version: 4ab132458fc3e9dbeea624153e0331952dc4c8d5
+  subpackages:
+  - libcontainer/user
+- name: github.com/pmezard/go-difflib
+  version: d8ed2627bdf02c080bf22230dbb337003b7aba2d
+  subpackages:
+  - difflib
+- name: github.com/samalba/dockerclient
+  version: cfb489c624b635251a93e74e1e90eb0959c5367f
+- name: github.com/samuel/go-zookeeper
+  version: fa6674abf3f4580b946a01bf7a1ce4ba8766205b
+  subpackages:
+  - zk
+- name: github.com/Sirupsen/logrus
+  version: 418b41d23a1bf978c06faea5313ba194650ac088
+- name: github.com/spf13/cast
+  version: ee7b3e0353166ab1f3a605294ac8cd2b77953778
+- name: github.com/spf13/cobra
+  version: c678ff029ee250b65714e518f4f5c5cb934955de
+  subpackages:
+  - cobra
+- name: github.com/spf13/jwalterweatherman
+  version: 33c24e77fb80341fe7130ee7c594256ff08ccc46
+- name: github.com/spf13/pflag
+  version: 7f60f83a2c81bc3c3c0d5297f61ddfa68da9d3b7
+- name: github.com/spf13/viper
+  version: a212099cbe6fbe8d07476bfda8d2d39b6ff8f325
+- name: github.com/stretchr/objx
+  version: cbeaeb16a013161a98496fad62933b1d21786672
+- name: github.com/stretchr/testify
+  version: 6fe211e493929a8aac0469b93f28b1d0688a9a3a
+  subpackages:
+  - mock
+  - assert
+- name: github.com/thoas/stats
+  version: 54ed61c2b47e263ae2f01b86837b0c4bd1da28e8
+- name: github.com/unrolled/render
+  version: 26b4e3aac686940fe29521545afad9966ddfc80c
+- name: github.com/vdemeester/libkermit
+  version: 01a5399bdbd3312916c9fa4848108fbc81fe88d8
+- name: github.com/vdemeester/shakers
+  version: 8fe734f75f3a70b651cbfbf8a55a009da09e8dc5
+- name: github.com/vulcand/oxy
+  version: 8aaf36279137ac04ace3792a4f86098631b27d5a
+  subpackages:
+  - memmetrics
+  - utils
+- name: github.com/vulcand/predicate
+  version: cb0bff91a7ab7cf7571e661ff883fc997bc554a3
+- name: github.com/vulcand/route
+  version: cb89d787ddbb1c5849a7ac9f79004c1fd12a4a32
+- name: github.com/vulcand/vulcand
+  version: 475540bb016702d5b7cc4674e37f48ee3e144a69
+  subpackages:
+  - plugin/rewrite
+  - plugin
+  - router
+- name: github.com/wendal/errors
+  version: f66c77a7882b399795a8987ebf87ef64a427417e
+- name: github.com/xenolf/lego
+  version: ca19a90028e242e878585941c2a27c8f3b3efc25
+  subpackages:
+  - acme
+- name: golang.org/x/crypto
+  version: 9e7f5dc375abeb9619ea3c5c58502c428f457aa2
+  subpackages:
+  - ocsp
+- name: golang.org/x/net
+  version: d9558e5c97f85372afee28cf2b6059d7d3818919
+  subpackages:
+  - context
+  - publicsuffix
+- name: golang.org/x/sys
+  version: eb2c74142fd19a79b3f237334c7384d5167b1b46
+  subpackages:
+  - unix
+- name: gopkg.in/alecthomas/kingpin.v2
+  version: 639879d6110b1b0409410c7b737ef0bb18325038
+- name: gopkg.in/check.v1
+  version: 11d3bc7aa68e238947792f30573146a3231fc0f1
+- name: gopkg.in/fsnotify.v1
+  version: 96c060f6a6b7e0d6f75fddd10efeaca3e5d1bcb0
+- name: gopkg.in/mgo.v2
+  version: 22287bab4379e1fbf6002fb4eb769888f3fb224c
+  subpackages:
+  - bson
+- name: gopkg.in/square/go-jose.v1
+  version: 7d9df93c5ee8a09ed250b3b2360972fa29b4bb3c
+  subpackages:
+  - cipher
+  - json
+- name: gopkg.in/yaml.v2
+  version: 7ad95dd0798a40da1ccdff6dff35fd177b5edf40
+devImports: []

glide.yaml

@@ -8,8 +8,8 @@ import:
     ref:     9038e48c3b982f8e82281ea486f078a73731ac4e
   - package: github.com/mailgun/log
     ref:     44874009257d4d47ba9806f1b7f72a32a015e4d8
-  - package: github.com/mailgun/oxy
-    ref:     547c334d658398c05b346c0b79d8f47ba2e1473b
+  - package: github.com/containous/oxy
+    ref:     0b5b371bce661385d35439204298fa6fb5db5463
     subpackages:
       - cbreaker
       - forward
@@ -124,7 +124,7 @@ import:
   - package: gopkg.in/alecthomas/kingpin.v2
     ref:     639879d6110b1b0409410c7b737ef0bb18325038
   - package: github.com/docker/libcompose
-    ref:     d3089811c119a211469a9cc93caea684d937e5d3
+    ref:     e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
     subpackages:
       - docker
       - logger
@@ -164,4 +164,7 @@ import:
   - package: github.com/google/go-querystring/query
   - package: github.com/vulcand/vulcand/plugin/rewrite
   - package: github.com/stretchr/testify/mock
-
+  - package: github.com/xenolf/lego
+  - package: github.com/vdemeester/libkermit
+    ref: 01a5399bdbd3312916c9fa4848108fbc81fe88d8
+  - package: github.com/mailgun/multibuf

integration/basic_test.go

@@ -46,10 +46,9 @@ func (s *SimpleSuite) TestSimpleDefaultConfig(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *SimpleSuite) TestWithWebConfig(c *check.C) {

integration/consul_catalog_test.go

@@ -1,16 +1,14 @@
 package main
 
 import (
-	"fmt"
 	"io/ioutil"
 	"net/http"
-	"os"
 	"os/exec"
 	"time"
 
-	"github.com/docker/docker/opts"
-	"github.com/fsouza/go-dockerclient"
 	"github.com/hashicorp/consul/api"
+	docker "github.com/vdemeester/libkermit/docker"
+
 	checker "github.com/vdemeester/shakers"
 	check "gopkg.in/check.v1"
 )
@@ -20,29 +18,19 @@ type ConsulCatalogSuite struct {
 	BaseSuite
 	consulIP     string
 	consulClient *api.Client
-	dockerClient *docker.Client
-}
-
-func (s *ConsulCatalogSuite) GetContainer(name string) (*docker.Container, error) {
-	return s.dockerClient.InspectContainer(name)
+	project      *docker.Project
 }
 
 func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
-	dockerHost := os.Getenv("DOCKER_HOST")
-	if dockerHost == "" {
-		// FIXME Handle windows -- see if dockerClient already handle that or not
-		dockerHost = fmt.Sprintf("unix://%s", opts.DefaultUnixSocket)
-	}
-	// Make sure we can speak to docker
-	dockerClient, err := docker.NewClient(dockerHost)
-	c.Assert(err, checker.IsNil, check.Commentf("Error connecting to docker daemon"))
-	s.dockerClient = dockerClient
+	project, err := docker.NewProjectFromEnv()
+	c.Assert(err, checker.IsNil, check.Commentf("Error while creating docker project"))
+	s.project = project
 
 	s.createComposeProject(c, "consul_catalog")
-	err = s.composeProject.Up()
+	err = s.composeProject.Start()
 	c.Assert(err, checker.IsNil, check.Commentf("Error starting project"))
 
-	consul, err := s.GetContainer("integration-test-consul_catalog_consul_1")
+	consul, err := s.project.Inspect("integration-test-consul_catalog_consul_1")
 	c.Assert(err, checker.IsNil, check.Commentf("Error finding consul container"))
 
 	s.consulIP = consul.NetworkSettings.IPAddress
@@ -110,7 +98,7 @@ func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	nginx, err := s.GetContainer("integration-test-consul_catalog_nginx_1")
+	nginx, err := s.project.Inspect("integration-test-consul_catalog_nginx_1")
 	c.Assert(err, checker.IsNil, check.Commentf("Error finding nginx container"))
 
 	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80)

integration/consul_test.go

@@ -5,11 +5,17 @@ import (
 	"os/exec"
 	"time"
 
-	"fmt"
 	checker "github.com/vdemeester/shakers"
 	check "gopkg.in/check.v1"
 )
 
+// Consul test suites (using libcompose)
+type ConsulSuite struct{ BaseSuite }
+
+func (s *ConsulSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "consul")
+}
+
 func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/consul/simple.toml")
 	err := cmd.Start()
@@ -20,8 +26,7 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/docker_test.go

@@ -7,11 +7,12 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"strings"
 	"time"
 
-	"github.com/docker/docker/opts"
 	"github.com/docker/docker/pkg/namesgenerator"
-	"github.com/fsouza/go-dockerclient"
+	"github.com/vdemeester/libkermit/docker"
+
 	checker "github.com/vdemeester/shakers"
 	check "gopkg.in/check.v1"
 )
@@ -31,108 +32,50 @@ var (
 // Docker test suites
 type DockerSuite struct {
 	BaseSuite
-	client *docker.Client
+	project *docker.Project
 }
 
 func (s *DockerSuite) startContainer(c *check.C, image string, args ...string) string {
-	return s.startContainerWithConfig(c, docker.CreateContainerOptions{
-		Config: &docker.Config{
-			Image: image,
-			Cmd:   args,
-		},
+	return s.startContainerWithConfig(c, image, docker.ContainerConfig{
+		Cmd: args,
 	})
 }
 
 func (s *DockerSuite) startContainerWithLabels(c *check.C, image string, labels map[string]string, args ...string) string {
-	return s.startContainerWithConfig(c, docker.CreateContainerOptions{
-		Config: &docker.Config{
-			Image:  image,
-			Cmd:    args,
-			Labels: labels,
-		},
+	return s.startContainerWithConfig(c, image, docker.ContainerConfig{
+		Cmd:    args,
+		Labels: labels,
 	})
 }
 
-func (s *DockerSuite) startContainerWithConfig(c *check.C, config docker.CreateContainerOptions) string {
+func (s *DockerSuite) startContainerWithConfig(c *check.C, image string, config docker.ContainerConfig) string {
 	if config.Name == "" {
 		config.Name = namesgenerator.GetRandomName(10)
 	}
-	if config.Config.Labels == nil {
-		config.Config.Labels = map[string]string{}
-	}
-	config.Config.Labels[TestLabel] = "true"
 
-	container, err := s.client.CreateContainer(config)
-	c.Assert(err, checker.IsNil, check.Commentf("Error creating a container using config %v", config))
+	container, err := s.project.StartWithConfig(image, config)
+	c.Assert(err, checker.IsNil, check.Commentf("Error starting a container using config %v", config))
 
-	err = s.client.StartContainer(container.ID, &docker.HostConfig{})
-	c.Assert(err, checker.IsNil, check.Commentf("Error starting container %v", container))
-
-	return container.Name
+	// FIXME(vdemeester) this is ugly (it's because of the / in front of the name in docker..)
+	return strings.SplitAfter(container.Name, "/")[1]
 }
 
 func (s *DockerSuite) SetUpSuite(c *check.C) {
-	dockerHost := os.Getenv("DOCKER_HOST")
-	if dockerHost == "" {
-		// FIXME Handle windows -- see if dockerClient already handle that or not
-		dockerHost = fmt.Sprintf("unix://%s", opts.DefaultUnixSocket)
-	}
-	// Make sure we can speak to docker
-	dockerClient, err := docker.NewClient(dockerHost)
-	c.Assert(err, checker.IsNil, check.Commentf("Error connecting to docker daemon"))
-
-	s.client = dockerClient
-	c.Assert(s.client.Ping(), checker.IsNil)
+	project, err := docker.NewProjectFromEnv()
+	c.Assert(err, checker.IsNil, check.Commentf("Error while creating docker project"))
+	s.project = project
 
 	// Pull required images
 	for repository, tag := range RequiredImages {
 		image := fmt.Sprintf("%s:%s", repository, tag)
-		_, err := s.client.InspectImage(image)
-		if err != nil {
-			if err != docker.ErrNoSuchImage {
-				c.Fatalf("Error while inspect image %s", image)
-			}
-			err = s.client.PullImage(docker.PullImageOptions{
-				Repository: repository,
-				Tag:        tag,
-			}, docker.AuthConfiguration{})
-			c.Assert(err, checker.IsNil, check.Commentf("Error while pulling image %s", image))
-		}
-	}
-}
-
-func (s *DockerSuite) cleanContainers(c *check.C) {
-	// Clean the mess, a.k.a. the running containers with the right label
-	containerList, err := s.client.ListContainers(docker.ListContainersOptions{
-		Filters: map[string][]string{
-			"label": {fmt.Sprintf("%s=true", TestLabel)},
-		},
-	})
-	c.Assert(err, checker.IsNil, check.Commentf("Error listing containers started by traefik"))
-
-	for _, container := range containerList {
-		err = s.client.KillContainer(docker.KillContainerOptions{
-			ID: container.ID,
-		})
-		c.Assert(err, checker.IsNil, check.Commentf("Error killing container %v", container))
-		if os.Getenv("CIRCLECI") == "" {
-			// On circleci, we won't delete them — it errors out for now >_<
-			err = s.client.RemoveContainer(docker.RemoveContainerOptions{
-				ID:            container.ID,
-				RemoveVolumes: true,
-			})
-			c.Assert(err, checker.IsNil, check.Commentf("Error removing container %v", container))
-		}
+		s.project.Pull(image)
+		c.Assert(err, checker.IsNil, check.Commentf("Error while pulling image %s", image))
 	}
 }
 
 func (s *DockerSuite) TearDownTest(c *check.C) {
-	s.cleanContainers(c)
-}
-
-func (s *DockerSuite) TearDownSuite(c *check.C) {
-	// Call cleanContainers, just in case (?)
-	// s.cleanContainers(c)
+	err := s.project.Clean(os.Getenv("CIRCLECI") != "")
+	c.Assert(err, checker.IsNil, check.Commentf("Error while cleaning containers"))
 }
 
 func (s *DockerSuite) TestSimpleConfiguration(c *check.C) {

integration/etcd_test.go

@@ -5,11 +5,17 @@ import (
 	"os/exec"
 	"time"
 
-	"fmt"
 	checker "github.com/vdemeester/shakers"
 	check "gopkg.in/check.v1"
 )
 
+// Etcd test suites (using libcompose)
+type EtcdSuite struct{ BaseSuite }
+
+func (s *EtcdSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "etcd")
+}
+
 func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/etcd/simple.toml")
 	err := cmd.Start()
@@ -20,8 +26,7 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/file_test.go

@@ -9,6 +9,15 @@ import (
 	check "gopkg.in/check.v1"
 )
 
+// File test suites
+type FileSuite struct{ BaseSuite }
+
+func (s *FileSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "file")
+
+	s.composeProject.Start()
+}
+
 func (s *FileSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/file/simple.toml")
 	err := cmd.Start()

integration/integration_test.go

@@ -11,8 +11,7 @@ import (
 	"text/template"
 
 	"github.com/containous/traefik/integration/utils"
-	"github.com/docker/libcompose/docker"
-	"github.com/docker/libcompose/project"
+	"github.com/vdemeester/libkermit/compose"
 
 	checker "github.com/vdemeester/shakers"
 	check "gopkg.in/check.v1"
@@ -35,102 +34,24 @@ func init() {
 
 var traefikBinary = "../dist/traefik"
 
-// File test suites
-type FileSuite struct{ BaseSuite }
-
-func (s *FileSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "file")
-
-	s.composeProject.Up()
-}
-
-// Consul test suites (using libcompose)
-type ConsulSuite struct{ BaseSuite }
-
-func (s *ConsulSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "consul")
-}
-
-// Etcd test suites (using libcompose)
-type EtcdSuite struct{ BaseSuite }
-
-func (s *EtcdSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "etcd")
-}
-
-// Marathon test suites (using libcompose)
-type MarathonSuite struct{ BaseSuite }
-
-func (s *MarathonSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "marathon")
-}
-
 type BaseSuite struct {
-	composeProject *project.Project
-	listenChan     chan project.Event
-	started        chan bool
-	stopped        chan bool
-	deleted        chan bool
+	composeProject *compose.Project
 }
 
 func (s *BaseSuite) TearDownSuite(c *check.C) {
 	// shutdown and delete compose project
 	if s.composeProject != nil {
-		s.composeProject.Down()
-		<-s.stopped
-		defer close(s.stopped)
-
-		s.composeProject.Delete()
-		<-s.deleted
-		defer close(s.deleted)
+		err := s.composeProject.Stop()
+		c.Assert(err, checker.IsNil)
 	}
 }
 
 func (s *BaseSuite) createComposeProject(c *check.C, name string) {
-	composeProject, err := docker.NewProject(&docker.Context{
-		Context: project.Context{
-			ComposeFiles: []string{
-				fmt.Sprintf("resources/compose/%s.yml", name),
-			},
-			ProjectName: fmt.Sprintf("integration-test-%s", name),
-		},
-	})
+	projectName := fmt.Sprintf("integration-test-%s", name)
+	composeFile := fmt.Sprintf("resources/compose/%s.yml", name)
+	composeProject, err := compose.CreateProject(projectName, composeFile)
 	c.Assert(err, checker.IsNil)
 	s.composeProject = composeProject
-
-	err = composeProject.Create()
-	c.Assert(err, checker.IsNil)
-
-	s.started = make(chan bool)
-	s.stopped = make(chan bool)
-	s.deleted = make(chan bool)
-
-	s.listenChan = make(chan project.Event)
-	go s.startListening(c)
-
-	composeProject.AddListener(s.listenChan)
-
-	err = composeProject.Start()
-	c.Assert(err, checker.IsNil)
-
-	// Wait for compose to start
-	<-s.started
-	defer close(s.started)
-}
-
-func (s *BaseSuite) startListening(c *check.C) {
-	for event := range s.listenChan {
-		// FIXME Add a timeout on event ?
-		if event.EventType == project.EventProjectStartDone {
-			s.started <- true
-		}
-		if event.EventType == project.EventProjectDownDone {
-			s.stopped <- true
-		}
-		if event.EventType == project.EventProjectDeleteDone {
-			s.deleted <- true
-		}
-	}
 }
 
 func (s *BaseSuite) traefikCmd(c *check.C, args ...string) (*exec.Cmd, string) {

integration/marathon_test.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"fmt"
 	"net/http"
 	"os/exec"
 	"time"
@@ -10,6 +9,13 @@ import (
 	check "gopkg.in/check.v1"
 )
 
+// Marathon test suites (using libcompose)
+type MarathonSuite struct{ BaseSuite }
+
+func (s *MarathonSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "marathon")
+}
+
 func (s *MarathonSuite) TestSimpleConfiguration(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/marathon/simple.toml")
 	err := cmd.Start()
@@ -20,8 +26,7 @@ func (s *MarathonSuite) TestSimpleConfiguration(c *check.C) {
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
 
-	// Expected no response as we did not configure anything
-	c.Assert(resp, checker.IsNil)
-	c.Assert(err, checker.NotNil)
-	c.Assert(err.Error(), checker.Contains, fmt.Sprintf("getsockopt: connection refused"))
+	// Expected a 404 as we did not configure anything
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

middlewares/cbreaker.go

@@ -3,7 +3,7 @@ package middlewares
 import (
 	"net/http"
 
-	"github.com/mailgun/oxy/cbreaker"
+	"github.com/containous/oxy/cbreaker"
 )
 
 // CircuitBreaker holds the oxy circuit breaker.

middlewares/websocket.go

@@ -1,52 +0,0 @@
-package middlewares
-
-import (
-	"net/http"
-	"strings"
-	"time"
-
-	log "github.com/Sirupsen/logrus"
-	"github.com/mailgun/oxy/roundrobin"
-)
-
-// WebsocketUpgrader holds Websocket configuration.
-type WebsocketUpgrader struct {
-	rr *roundrobin.RoundRobin
-}
-
-// NewWebsocketUpgrader returns a new WebsocketUpgrader.
-func NewWebsocketUpgrader(rr *roundrobin.RoundRobin) *WebsocketUpgrader {
-	wu := WebsocketUpgrader{
-		rr: rr,
-	}
-	return &wu
-}
-
-func (u *WebsocketUpgrader) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	// If request is websocket, serve with golang websocket server to do protocol handshake
-	if strings.Join(req.Header["Upgrade"], "") == "websocket" {
-		start := time.Now().UTC()
-		url, err := u.rr.NextServer()
-		if err != nil {
-			log.Errorf("Can't round robin in websocket middleware")
-			return
-		}
-		log.Debugf("Websocket forward to %s", url.String())
-		NewProxy(url).ServeHTTP(w, req)
-
-		if req.TLS != nil {
-			log.Debugf("Round trip: %v, duration: %v tls:version: %x, tls:resume:%t, tls:csuite:%x, tls:server:%v",
-				req.URL, time.Now().UTC().Sub(start),
-				req.TLS.Version,
-				req.TLS.DidResume,
-				req.TLS.CipherSuite,
-				req.TLS.ServerName)
-		} else {
-			log.Debugf("Round trip: %v, duration: %v",
-				req.URL, time.Now().UTC().Sub(start))
-		}
-
-		return
-	}
-	u.rr.ServeHTTP(w, req)
-}

middlewares/websocketproxy.go

@@ -1,179 +0,0 @@
-package middlewares
-
-import (
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"strings"
-
-	log "github.com/Sirupsen/logrus"
-	"github.com/gorilla/websocket"
-)
-
-// Original developpement made by https://github.com/koding/websocketproxy
-var (
-	// DefaultUpgrader specifies the parameters for upgrading an HTTP
-	// connection to a WebSocket connection.
-	DefaultUpgrader = &websocket.Upgrader{
-		ReadBufferSize:  1024,
-		WriteBufferSize: 1024,
-	}
-
-	// DefaultDialer is a dialer with all fields set to the default zero values.
-	DefaultDialer = websocket.DefaultDialer
-)
-
-// WebsocketProxy is an HTTP Handler that takes an incoming WebSocket
-// connection and proxies it to another server.
-type WebsocketProxy struct {
-	// Backend returns the backend URL which the proxy uses to reverse proxy
-	// the incoming WebSocket connection. Request is the initial incoming and
-	// unmodified request.
-	Backend func(*http.Request) *url.URL
-
-	// Upgrader specifies the parameters for upgrading a incoming HTTP
-	// connection to a WebSocket connection. If nil, DefaultUpgrader is used.
-	Upgrader *websocket.Upgrader
-
-	//  Dialer contains options for connecting to the backend WebSocket server.
-	//  If nil, DefaultDialer is used.
-	Dialer *websocket.Dialer
-}
-
-// ProxyHandler returns a new http.Handler interface that reverse proxies the
-// request to the given target.
-func ProxyHandler(target *url.URL) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		NewProxy(target).ServeHTTP(rw, req)
-	})
-}
-
-// NewProxy returns a new Websocket reverse proxy that rewrites the
-// URL's to the scheme, host and base path provider in target.
-func NewProxy(target *url.URL) *WebsocketProxy {
-	backend := func(r *http.Request) *url.URL {
-		// Shallow copy
-		u := *target
-		u.Fragment = r.URL.Fragment
-		u.Path = r.URL.Path
-		u.RawQuery = r.URL.RawQuery
-		rurl := u.String()
-		if strings.HasPrefix(rurl, "http") {
-			u.Scheme = "ws"
-		}
-		if strings.HasPrefix(rurl, "https") {
-			u.Scheme = "wss"
-		}
-		return &u
-	}
-	return &WebsocketProxy{Backend: backend}
-}
-
-// ServeHTTP implements the http.Handler that proxies WebSocket connections.
-func (w *WebsocketProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
-	if w.Backend == nil {
-		log.Errorf("Websocketproxy: backend function is not defined")
-		http.Error(rw, "Backend not found", http.StatusInternalServerError)
-		http.NotFound(rw, req)
-		return
-	}
-
-	backendURL := w.Backend(req)
-	if backendURL == nil {
-		log.Errorf("Websocketproxy: backend URL is nil")
-		http.Error(rw, "Backend URL is nil", http.StatusInternalServerError)
-		return
-	}
-
-	dialer := w.Dialer
-	if w.Dialer == nil {
-		dialer = DefaultDialer
-	}
-
-	// Pass headers from the incoming request to the dialer to forward them to
-	// the final destinations.
-	requestHeader := http.Header{}
-	requestHeader.Add("Origin", req.Header.Get("Origin"))
-	for _, prot := range req.Header[http.CanonicalHeaderKey("Sec-WebSocket-Protocol")] {
-		requestHeader.Add("Sec-WebSocket-Protocol", prot)
-	}
-	for _, cookie := range req.Header[http.CanonicalHeaderKey("Cookie")] {
-		requestHeader.Add("Cookie", cookie)
-	}
-	for _, auth := range req.Header[http.CanonicalHeaderKey("Authorization")] {
-		requestHeader.Add("Authorization", auth)
-	}
-
-	// Pass X-Forwarded-For headers too, code below is a part of
-	// httputil.ReverseProxy. See http://en.wikipedia.org/wiki/X-Forwarded-For
-	// for more information
-	// TODO: use RFC7239 http://tools.ietf.org/html/rfc7239
-	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-		// If we aren't the first proxy retain prior
-		// X-Forwarded-For information as a comma+space
-		// separated list and fold multiple headers into one.
-		if prior, ok := req.Header["X-Forwarded-For"]; ok {
-			clientIP = strings.Join(prior, ", ") + ", " + clientIP
-		}
-		requestHeader.Set("X-Forwarded-For", clientIP)
-	}
-
-	// Set the originating protocol of the incoming HTTP request. The SSL might
-	// be terminated on our site and because we doing proxy adding this would
-	// be helpful for applications on the backend.
-	requestHeader.Set("X-Forwarded-Proto", "http")
-	if req.TLS != nil {
-		requestHeader.Set("X-Forwarded-Proto", "https")
-	}
-
-	//frontend Origin != backend Origin
-	requestHeader.Del("Origin")
-
-	// Connect to the backend URL, also pass the headers we get from the requst
-	// together with the Forwarded headers we prepared above.
-	// TODO: support multiplexing on the same backend connection instead of
-	// opening a new TCP connection time for each request. This should be
-	// optional:
-	// http://tools.ietf.org/html/draft-ietf-hybi-websocket-multiplexing-01
-	connBackend, resp, err := dialer.Dial(backendURL.String(), requestHeader)
-	if err != nil {
-		log.Errorf("Websocketproxy: couldn't dial to remote backend url %s, %s, %+v", backendURL.String(), err, resp)
-		http.Error(rw, "Remote backend unreachable", http.StatusBadGateway)
-		return
-	}
-	defer connBackend.Close()
-
-	upgrader := w.Upgrader
-	if w.Upgrader == nil {
-		upgrader = DefaultUpgrader
-	}
-
-	// Only pass those headers to the upgrader.
-	upgradeHeader := http.Header{}
-	upgradeHeader.Set("Sec-WebSocket-Protocol",
-		resp.Header.Get(http.CanonicalHeaderKey("Sec-WebSocket-Protocol")))
-	upgradeHeader.Set("Set-Cookie",
-		resp.Header.Get(http.CanonicalHeaderKey("Set-Cookie")))
-
-	// Now upgrade the existing incoming request to a WebSocket connection.
-	// Also pass the header that we gathered from the Dial handshake.
-	connPub, err := upgrader.Upgrade(rw, req, upgradeHeader)
-	if err != nil {
-		log.Errorf("Websocketproxy: couldn't upgrade %s", err)
-		http.NotFound(rw, req)
-		return
-	}
-	defer connPub.Close()
-
-	errc := make(chan error, 2)
-	cp := func(dst io.Writer, src io.Reader) {
-		_, err := io.Copy(dst, src)
-		errc <- err
-	}
-
-	// Start our proxy now, everything is ready...
-	go cp(connBackend.UnderlyingConn(), connPub.UnderlyingConn())
-	go cp(connPub.UnderlyingConn(), connBackend.UnderlyingConn())
-	<-errc
-}

provider/docker.go

@@ -34,35 +34,39 @@ type DockerTLS struct {
 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
 func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) error {
+	go func() {
+		operation := func() error {
+			var dockerClient *docker.Client
+			var err error
 
-	var dockerClient *docker.Client
-	var err error
-
-	if provider.TLS != nil {
-		dockerClient, err = docker.NewTLSClient(provider.Endpoint,
-			provider.TLS.Cert, provider.TLS.Key, provider.TLS.CA)
-		if err == nil {
-			dockerClient.TLSConfig.InsecureSkipVerify = provider.TLS.InsecureSkipVerify
-		}
-	} else {
-		dockerClient, err = docker.NewClient(provider.Endpoint)
-	}
-	if err != nil {
-		log.Errorf("Failed to create a client for docker, error: %s", err)
-		return err
-	}
-	err = dockerClient.Ping()
-	if err != nil {
-		log.Errorf("Docker connection error %+v", err)
-		return err
-	}
-	log.Debug("Docker connection established")
-	if provider.Watch {
-		dockerEvents := make(chan *docker.APIEvents)
-		dockerClient.AddEventListener(dockerEvents)
-		log.Debug("Docker listening")
-		go func() {
-			operation := func() error {
+			if provider.TLS != nil {
+				dockerClient, err = docker.NewTLSClient(provider.Endpoint,
+					provider.TLS.Cert, provider.TLS.Key, provider.TLS.CA)
+				if err == nil {
+					dockerClient.TLSConfig.InsecureSkipVerify = provider.TLS.InsecureSkipVerify
+				}
+			} else {
+				dockerClient, err = docker.NewClient(provider.Endpoint)
+			}
+			if err != nil {
+				log.Errorf("Failed to create a client for docker, error: %s", err)
+				return err
+			}
+			err = dockerClient.Ping()
+			if err != nil {
+				log.Errorf("Docker connection error %+v", err)
+				return err
+			}
+			log.Debug("Docker connection established")
+			configuration := provider.loadDockerConfig(listContainers(dockerClient))
+			configurationChan <- types.ConfigMessage{
+				ProviderName:  "docker",
+				Configuration: configuration,
+			}
+			if provider.Watch {
+				dockerEvents := make(chan *docker.APIEvents)
+				dockerClient.AddEventListener(dockerEvents)
+				log.Debug("Docker listening")
 				for {
 					event := <-dockerEvents
 					if event == nil {
@@ -81,21 +85,17 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 					}
 				}
 			}
-			notify := func(err error, time time.Duration) {
-				log.Errorf("Docker connection error %+v, retrying in %s", err, time)
-			}
-			err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
-			if err != nil {
-				log.Fatalf("Cannot connect to docker server %+v", err)
-			}
-		}()
-	}
+			return nil
+		}
+		notify := func(err error, time time.Duration) {
+			log.Errorf("Docker connection error %+v, retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
+		if err != nil {
+			log.Fatalf("Cannot connect to docker server %+v", err)
+		}
+	}()
 
-	configuration := provider.loadDockerConfig(listContainers(dockerClient))
-	configurationChan <- types.ConfigMessage{
-		ProviderName:  "docker",
-		Configuration: configuration,
-	}
 	return nil
 }
 

provider/marathon.go

@@ -17,12 +17,13 @@ import (
 
 // Marathon holds configuration of the Marathon provider.
 type Marathon struct {
-	BaseProvider   `mapstructure:",squash"`
-	Endpoint       string
-	Domain         string
-	Basic          *MarathonBasic
-	TLS            *tls.Config
-	marathonClient marathon.Marathon
+	BaseProvider     `mapstructure:",squash"`
+	Endpoint         string
+	Domain           string
+	ExposedByDefault bool
+	Basic            *MarathonBasic
+	TLS              *tls.Config
+	marathonClient   marathon.Marathon
 }
 
 // MarathonBasic holds basic authentication specific configurations
@@ -115,7 +116,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 
 	//filter tasks
 	filteredTasks := fun.Filter(func(task marathon.Task) bool {
-		return taskFilter(task, applications)
+		return taskFilter(task, applications, provider.ExposedByDefault)
 	}, tasks.Tasks).([]marathon.Task)
 
 	//filter apps
@@ -140,7 +141,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 	return configuration
 }
 
-func taskFilter(task marathon.Task, applications *marathon.Applications) bool {
+func taskFilter(task marathon.Task, applications *marathon.Applications, exposedByDefaultFlag bool) bool {
 	if len(task.Ports) == 0 {
 		log.Debug("Filtering marathon task without port %s", task.AppID)
 		return false
@@ -150,7 +151,8 @@ func taskFilter(task marathon.Task, applications *marathon.Applications) bool {
 		log.Errorf("Unable to get marathon application from task %s", task.AppID)
 		return false
 	}
-	if application.Labels["traefik.enable"] == "false" {
+
+	if !isApplicationEnabled(application, exposedByDefaultFlag) {
 		log.Debugf("Filtering disabled marathon task %s", task.AppID)
 		return false
 	}
@@ -227,6 +229,10 @@ func getApplication(task marathon.Task, apps []marathon.Application) (marathon.A
 	return marathon.Application{}, errors.New("Application not found: " + task.AppID)
 }
 
+func isApplicationEnabled(application marathon.Application, exposedByDefault bool) bool {
+	return exposedByDefault && application.Labels["traefik.enable"] != "false" || application.Labels["traefik.enable"] == "true"
+}
+
 func (provider *Marathon) getLabel(application marathon.Application, label string) (string, error) {
 	for key, value := range application.Labels {
 		if key == label {

provider/marathon_test.go

@@ -110,8 +110,9 @@ func TestMarathonLoadConfig(t *testing.T) {
 	for _, c := range cases {
 		fakeClient := newFakeClient(c.applicationsError, c.applications, c.tasksError, c.tasks)
 		provider := &Marathon{
-			Domain:         "docker.localhost",
-			marathonClient: fakeClient,
+			Domain:           "docker.localhost",
+			ExposedByDefault: true,
+			marathonClient:   fakeClient,
 		}
 		actualConfig := provider.loadMarathonConfig()
 		if c.expectedNil {
@@ -132,22 +133,25 @@ func TestMarathonLoadConfig(t *testing.T) {
 
 func TestMarathonTaskFilter(t *testing.T) {
 	cases := []struct {
-		task         marathon.Task
-		applications *marathon.Applications
-		expected     bool
+		task             marathon.Task
+		applications     *marathon.Applications
+		expected         bool
+		exposedByDefault bool
 	}{
 		{
-			task:         marathon.Task{},
-			applications: &marathon.Applications{},
-			expected:     false,
+			task:             marathon.Task{},
+			applications:     &marathon.Applications{},
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
 				AppID: "test",
 				Ports: []int{80},
 			},
-			applications: &marathon.Applications{},
-			expected:     false,
+			applications:     &marathon.Applications{},
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -161,7 +165,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -176,7 +181,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -194,7 +200,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -212,7 +219,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -230,7 +238,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -248,7 +257,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -266,7 +276,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -285,7 +296,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -303,7 +315,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -326,7 +339,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -352,7 +366,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: false,
+			expected:         false,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -367,7 +382,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
 		},
 		{
 			task: marathon.Task{
@@ -390,12 +406,67 @@ func TestMarathonTaskFilter(t *testing.T) {
 					},
 				},
 			},
-			expected: true,
+			expected:         true,
+			exposedByDefault: true,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose",
+						Ports: []int{80},
+					},
+				},
+			},
+			expected:         false,
+			exposedByDefault: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose-disable-in-label",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose-disable-in-label",
+						Ports: []int{80},
+						Labels: map[string]string{
+							"traefik.enable": "false",
+						},
+					},
+				},
+			},
+			expected:         false,
+			exposedByDefault: false,
+		},
+		{
+			task: marathon.Task{
+				AppID: "disable-default-expose-enable-in-label",
+				Ports: []int{80},
+			},
+			applications: &marathon.Applications{
+				Apps: []marathon.Application{
+					{
+						ID:    "disable-default-expose-enable-in-label",
+						Ports: []int{80},
+						Labels: map[string]string{
+							"traefik.enable": "true",
+						},
+					},
+				},
+			},
+			expected:         true,
+			exposedByDefault: false,
 		},
 	}
 
 	for _, c := range cases {
-		actual := taskFilter(c.task, c.applications)
+		actual := taskFilter(c.task, c.applications, c.exposedByDefault)
 		if actual != c.expected {
 			t.Fatalf("expected %v, got %v", c.expected, actual)
 		}

script/binary

@@ -8,6 +8,11 @@ fi
 
 rm -f dist/traefik
 
+FLAGS=""
+if [ -n "$VERBOSE" ]; then
+    FLAGS="${FLAGS} -v"
+fi
+
 if [ -z "$VERSION" ]; then
     VERSION=$(git rev-parse HEAD)
 fi
@@ -17,4 +22,4 @@ if [ -z "$DATE" ]; then
 fi
 
 # Build binaries
-CGO_ENABLED=0 go build -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .
+CGO_ENABLED=0 GOGC=off go build $FLAGS -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .

script/crossbinary

@@ -32,5 +32,5 @@ fi
 rm -f dist/traefik_*
 
 # Build binaries
-gox -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" "${OS_PLATFORM_ARG[@]}" "${OS_ARCH_ARG[@]}" \
+GOGC=off gox -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" "${OS_PLATFORM_ARG[@]}" "${OS_ARCH_ARG[@]}" \
     -output="dist/traefik_{{.OS}}-{{.Arch}}"

script/test-integration

@@ -4,7 +4,11 @@ set -e
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export DEST=.
 
-TESTFLAGS="$TESTFLAGS -test.timeout=30m -check.v"
+TESTFLAGS="${TESTFLAGS} -test.timeout=30m -check.v"
+
+if [ -n "$VERBOSE" ]; then
+    TESTFLAGS="${TESTFLAGS} -v"
+fi
 
 cd integration
 CGO_ENABLED=0 go test $TESTFLAGS

script/test-unit

@@ -26,6 +26,10 @@ find_dirs() {
 
 TESTFLAGS="-cover -coverprofile=cover.out ${TESTFLAGS}"
 
+if [ -n "$VERBOSE" ]; then
+    TESTFLAGS="${TESTFLAGS} -v"
+fi
+
 if [ -z "$TESTDIRS" ]; then
     TESTDIRS=$(find_dirs '*_test.go')
 fi

script/validate-errcheck

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+unset IFS
+
+errors=()
+failedErrcheck=$(errcheck .)
+if [ "$failedErrcheck" ]; then
+    errors+=( "$failedErrcheck" )
+fi
+
+if [ ${#errors[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files have been errchecked.'
+else
+	{
+		echo "Errors from errcheck:"
+		for err in "${errors[@]}"; do
+			echo "$err"
+		done
+		echo
+		echo 'Please fix the above errors. You can test via "errcheck" and commit the result.'
+		echo
+	} >&2
+	false
+fi

server.go

@@ -14,27 +14,29 @@ import (
 	"reflect"
 	"regexp"
 	"sort"
+	"strconv"
 	"sync"
 	"syscall"
 	"time"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/codegangsta/negroni"
+	"github.com/containous/oxy/cbreaker"
+	"github.com/containous/oxy/forward"
+	"github.com/containous/oxy/roundrobin"
+	"github.com/containous/oxy/stream"
 	"github.com/containous/traefik/middlewares"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/types"
 	"github.com/gorilla/mux"
 	"github.com/mailgun/manners"
-	"github.com/mailgun/oxy/cbreaker"
-	"github.com/mailgun/oxy/forward"
-	"github.com/mailgun/oxy/roundrobin"
 )
 
 var oxyLogger = &OxyLogger{}
 
 // Server is the reverse-proxy/load-balancer engine
 type Server struct {
-	serverEntryPoints          map[string]serverEntryPoint
+	serverEntryPoints          serverEntryPoints
 	configurationChan          chan types.ConfigMessage
 	configurationValidatedChan chan types.ConfigMessage
 	signals                    chan os.Signal
@@ -46,6 +48,8 @@ type Server struct {
 	loggerMiddleware           *middlewares.Logger
 }
 
+type serverEntryPoints map[string]*serverEntryPoint
+
 type serverEntryPoint struct {
 	httpServer *manners.GracefulServer
 	httpRouter *middlewares.HandlerSwitcher
@@ -55,7 +59,7 @@ type serverEntryPoint struct {
 func NewServer(globalConfiguration GlobalConfiguration) *Server {
 	server := new(Server)
 
-	server.serverEntryPoints = make(map[string]serverEntryPoint)
+	server.serverEntryPoints = make(map[string]*serverEntryPoint)
 	server.configurationChan = make(chan types.ConfigMessage, 10)
 	server.configurationValidatedChan = make(chan types.ConfigMessage, 10)
 	server.signals = make(chan os.Signal, 1)
@@ -71,6 +75,7 @@ func NewServer(globalConfiguration GlobalConfiguration) *Server {
 
 // Start starts the server and blocks until server is shutted down.
 func (server *Server) Start() {
+	server.startHTTPServers()
 	go server.listenProviders()
 	go server.listenConfigurations()
 	server.configureProviders()
@@ -96,13 +101,26 @@ func (server *Server) Close() {
 	server.loggerMiddleware.Close()
 }
 
+func (server *Server) startHTTPServers() {
+	server.serverEntryPoints = server.buildEntryPoints(server.globalConfiguration)
+	for newServerEntryPointName, newServerEntryPoint := range server.serverEntryPoints {
+		newsrv, err := server.prepareServer(newServerEntryPointName, newServerEntryPoint.httpRouter, server.globalConfiguration.EntryPoints[newServerEntryPointName], nil, server.loggerMiddleware, metrics)
+		if err != nil {
+			log.Fatal("Error preparing server: ", err)
+		}
+		serverEntryPoint := server.serverEntryPoints[newServerEntryPointName]
+		serverEntryPoint.httpServer = newsrv
+		go server.startServer(serverEntryPoint.httpServer, server.globalConfiguration)
+	}
+}
+
 func (server *Server) listenProviders() {
 	lastReceivedConfiguration := time.Unix(0, 0)
 	lastConfigs := make(map[string]*types.ConfigMessage)
 	for {
 		configMsg := <-server.configurationChan
 		jsonConf, _ := json.Marshal(configMsg.Configuration)
-		log.Debugf("Configuration receveived from provider %s: %s", configMsg.ProviderName, string(jsonConf))
+		log.Debugf("Configuration received from provider %s: %s", configMsg.ProviderName, string(jsonConf))
 		lastConfigs[configMsg.ProviderName] = &configMsg
 		if time.Now().After(lastReceivedConfiguration.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
 			log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
@@ -141,22 +159,8 @@ func (server *Server) listenConfigurations() {
 			if err == nil {
 				server.serverLock.Lock()
 				for newServerEntryPointName, newServerEntryPoint := range newServerEntryPoints {
-					currentServerEntryPoint := server.serverEntryPoints[newServerEntryPointName]
-					if currentServerEntryPoint.httpServer == nil {
-						newsrv, err := server.prepareServer(newServerEntryPoint.httpRouter, server.globalConfiguration.EntryPoints[newServerEntryPointName], nil, server.loggerMiddleware, metrics)
-						if err != nil {
-							log.Fatal("Error preparing server: ", err)
-						}
-						go server.startServer(newsrv, server.globalConfiguration)
-						currentServerEntryPoint.httpServer = newsrv
-						currentServerEntryPoint.httpRouter = newServerEntryPoint.httpRouter
-						server.serverEntryPoints[newServerEntryPointName] = currentServerEntryPoint
-						log.Infof("Created new Handler: %p", newServerEntryPoint.httpRouter.GetHandler())
-					} else {
-						handlerSwitcher := currentServerEntryPoint.httpRouter
-						handlerSwitcher.UpdateHandler(newServerEntryPoint.httpRouter.GetHandler())
-						log.Infof("Created new Handler: %p", newServerEntryPoint.httpRouter.GetHandler())
-					}
+					server.serverEntryPoints[newServerEntryPointName].httpRouter.UpdateHandler(newServerEntryPoint.httpRouter.GetHandler())
+					log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
 				}
 				server.currentConfigurations = newConfigurations
 				server.serverLock.Unlock()
@@ -222,26 +226,41 @@ func (server *Server) listenSignals() {
 }
 
 // creates a TLS config that allows terminating HTTPS for multiple domains using SNI
-func (server *Server) createTLSConfig(tlsOption *TLS) (*tls.Config, error) {
+func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, router *middlewares.HandlerSwitcher) (*tls.Config, error) {
 	if tlsOption == nil {
 		return nil, nil
 	}
-	if len(tlsOption.Certificates) == 0 {
-		return nil, nil
-	}
 
 	config := &tls.Config{}
-	if config.NextProtos == nil {
-		config.NextProtos = []string{"http/1.1"}
-	}
-
-	var err error
-	config.Certificates = make([]tls.Certificate, len(tlsOption.Certificates))
-	for i, v := range tlsOption.Certificates {
-		config.Certificates[i], err = tls.LoadX509KeyPair(v.CertFile, v.KeyFile)
+	config.Certificates = []tls.Certificate{}
+	for _, v := range tlsOption.Certificates {
+		cert, err := tls.LoadX509KeyPair(v.CertFile, v.KeyFile)
 		if err != nil {
 			return nil, err
 		}
+		config.Certificates = append(config.Certificates, cert)
+	}
+
+	if server.globalConfiguration.ACME != nil {
+		if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok {
+			if entryPointName == server.globalConfiguration.ACME.EntryPoint {
+				checkOnDemandDomain := func(domain string) bool {
+					if router.GetHandler().Match(&http.Request{URL: &url.URL{}, Host: domain}, &mux.RouteMatch{}) {
+						return true
+					}
+					return false
+				}
+				err := server.globalConfiguration.ACME.CreateConfig(config, checkOnDemandDomain)
+				if err != nil {
+					return nil, err
+				}
+			}
+		} else {
+			return nil, errors.New("Unknown entrypoint " + server.globalConfiguration.ACME.EntryPoint + " for ACME configuration")
+		}
+	}
+	if len(config.Certificates) == 0 {
+		return nil, errors.New("No certificates found for TLS entrypoint " + entryPointName)
 	}
 	// BuildNameToCertificate parses the CommonName and SubjectAlternateName fields
 	// in each certificate and populates the config.NameToCertificate map.
@@ -250,30 +269,28 @@ func (server *Server) createTLSConfig(tlsOption *TLS) (*tls.Config, error) {
 }
 
 func (server *Server) startServer(srv *manners.GracefulServer, globalConfiguration GlobalConfiguration) {
-	log.Info("Starting server on ", srv.Addr)
+	log.Infof("Starting server on %s", srv.Addr)
 	if srv.TLSConfig != nil {
-		err := srv.ListenAndServeTLSWithConfig(srv.TLSConfig)
-		if err != nil {
+		if err := srv.ListenAndServeTLSWithConfig(srv.TLSConfig); err != nil {
 			log.Fatal("Error creating server: ", err)
 		}
 	} else {
-		err := srv.ListenAndServe()
-		if err != nil {
+		if err := srv.ListenAndServe(); err != nil {
 			log.Fatal("Error creating server: ", err)
 		}
 	}
 	log.Info("Server stopped")
 }
 
-func (server *Server) prepareServer(router http.Handler, entryPoint *EntryPoint, oldServer *manners.GracefulServer, middlewares ...negroni.Handler) (*manners.GracefulServer, error) {
-	log.Info("Preparing server")
+func (server *Server) prepareServer(entryPointName string, router *middlewares.HandlerSwitcher, entryPoint *EntryPoint, oldServer *manners.GracefulServer, middlewares ...negroni.Handler) (*manners.GracefulServer, error) {
+	log.Infof("Preparing server %s %+v", entryPointName, entryPoint)
 	// middlewares
 	var negroni = negroni.New()
 	for _, middleware := range middlewares {
 		negroni.Use(middleware)
 	}
 	negroni.UseHandler(router)
-	tlsConfig, err := server.createTLSConfig(entryPoint.TLS)
+	tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
 	if err != nil {
 		log.Fatalf("Error creating TLS config %s", err)
 		return nil, err
@@ -299,11 +316,11 @@ func (server *Server) prepareServer(router http.Handler, entryPoint *EntryPoint,
 	return gracefulServer, nil
 }
 
-func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration) map[string]serverEntryPoint {
-	serverEntryPoints := make(map[string]serverEntryPoint)
+func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration) map[string]*serverEntryPoint {
+	serverEntryPoints := make(map[string]*serverEntryPoint)
 	for entryPointName := range globalConfiguration.EntryPoints {
 		router := server.buildDefaultHTTPRouter()
-		serverEntryPoints[entryPointName] = serverEntryPoint{
+		serverEntryPoints[entryPointName] = &serverEntryPoint{
 			httpRouter: middlewares.NewHandlerSwitcher(router),
 		}
 	}
@@ -312,7 +329,7 @@ func (server *Server) buildEntryPoints(globalConfiguration GlobalConfiguration)
 
 // LoadConfig returns a new gorilla.mux Route from the specified global configuration and the dynamic
 // provider configurations.
-func (server *Server) loadConfig(configurations configs, globalConfiguration GlobalConfiguration) (map[string]serverEntryPoint, error) {
+func (server *Server) loadConfig(configurations configs, globalConfiguration GlobalConfiguration) (map[string]*serverEntryPoint, error) {
 	serverEntryPoints := server.buildEntryPoints(globalConfiguration)
 	redirectHandlers := make(map[string]http.Handler)
 
@@ -328,6 +345,10 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 			if len(frontend.EntryPoints) == 0 {
 				frontend.EntryPoints = globalConfiguration.DefaultEntryPoints
 			}
+			if len(frontend.EntryPoints) == 0 {
+				log.Errorf("No entrypoint defined for frontend %s, defaultEntryPoints:%s. Skipping it", frontendName, globalConfiguration.DefaultEntryPoints)
+				continue
+			}
 			for _, entryPointName := range frontend.EntryPoints {
 				log.Debugf("Wiring frontend %s to entryPoint %s", frontendName, entryPointName)
 				if _, ok := serverEntryPoints[entryPointName]; !ok {
@@ -375,20 +396,47 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 									return nil, err
 								}
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
-								rebalancer.UpsertServer(url, roundrobin.Weight(server.Weight))
+								if err := rebalancer.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
+									return nil, err
+								}
 							}
 						case types.Wrr:
 							log.Debugf("Creating load-balancer wrr")
-							lb = middlewares.NewWebsocketUpgrader(rr)
+							lb = rr
 							for serverName, server := range configuration.Backends[frontend.Backend].Servers {
 								url, err := url.Parse(server.URL)
 								if err != nil {
 									return nil, err
 								}
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
-								rr.UpsertServer(url, roundrobin.Weight(server.Weight))
+								if err := rr.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
+									return nil, err
+								}
 							}
 						}
+						// retry ?
+						if globalConfiguration.Retry != nil {
+							retries := len(configuration.Backends[frontend.Backend].Servers) - 1
+							if globalConfiguration.Retry.Attempts > 0 {
+								retries = globalConfiguration.Retry.Attempts
+							}
+							maxMem := int64(2 * 1024 * 1024)
+							if globalConfiguration.Retry.MaxMem > 0 {
+								maxMem = globalConfiguration.Retry.MaxMem
+							}
+							lb, err = stream.New(lb,
+								stream.Logger(oxyLogger),
+								stream.Retry("IsNetworkError() && Attempts() < "+strconv.Itoa(retries)),
+								stream.MemRequestBodyBytes(maxMem),
+								stream.MaxRequestBodyBytes(maxMem),
+								stream.MemResponseBodyBytes(maxMem),
+								stream.MaxResponseBodyBytes(maxMem))
+							log.Debugf("Creating retries max attempts %d", retries)
+							if err != nil {
+								return nil, err
+							}
+						}
+
 						var negroni = negroni.New()
 						if configuration.Backends[frontend.Backend].CircuitBreaker != nil {
 							log.Debugf("Creating circuit breaker %s", configuration.Backends[frontend.Backend].CircuitBreaker.Expression)

traefik.sample.toml

@@ -2,46 +2,6 @@
 # Global configuration
 ################################################################
 
-# Entrypoints definition
-#
-# Optional
-# Default:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#
-# To redirect an http entrypoint to an https entrypoint (with SNI support):
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       entryPoint = "https"
-#   [entryPoints.https]
-#   address = ":443"
-#     [entryPoints.https.tls]
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.com.cert"
-#       KeyFile = "integration/fixtures/https/snitest.com.key"
-#       [[entryPoints.https.tls.certificates]]
-#       CertFile = "integration/fixtures/https/snitest.org.cert"
-#       KeyFile = "integration/fixtures/https/snitest.org.key"
-#
-# To redirect an entrypoint rewriting the URL:
-# [entryPoints]
-#   [entryPoints.http]
-#   address = ":80"
-#     [entryPoints.http.redirect]
-#       regex = "^http://localhost/(.*)"
-#       replacement = "http://mydomain/$1"
-
-# Entrypoints to be used by frontends that do not specify any entrypoint.
-# Each frontend can specify its own entrypoints.
-#
-# Optional
-# Default: ["http"]
-#
-# defaultEntryPoints = ["http", "https"]
-
 # Timeout in seconds.
 # Duration to give active requests a chance to finish during hot-reloads
 #
@@ -87,6 +47,122 @@
 #
 # MaxIdleConnsPerHost = 200
 
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+
+# Enable ACME (Let's Encrypt): automatic SSL
+#
+# Optional
+#
+# [acme]
+
+# Email address used for registration
+#
+# Required
+#
+# email = "test@traefik.io"
+
+# File used for certificates storage.
+# WARNING, if you use Traefik in Docker, don't forget to mount this file as a volume.
+#
+# Required
+#
+# storageFile = "acme.json"
+
+# Entrypoint to proxy acme challenge to.
+# WARNING, must point to an entrypoint on port 443 
+#
+# Required
+#
+# entryPoint = "https"
+
+# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+# WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
+#
+# Optional
+#
+# onDemand = true
+
+# CA server to use
+# Uncomment the line to run on the staging let's encrypt server
+# Leave comment to go to prod
+#
+# Optional
+#
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+
+# Domains list
+# You can provide SANs (alternative domains) to each main domain
+#
+# [[acme.domains]]
+#   main = "local1.com"
+#   sans = ["test1.local1.com", "test2.local1.com"]
+# [[acme.domains]]
+#   main = "local2.com"
+#   sans = ["test1.local2.com", "test2x.local2.com"]
+# [[acme.domains]]
+#   main = "local3.com"
+# [[acme.domains]]
+#   main = "local4.com"
+
+
+# Entrypoints definition
+#
+# Optional
+# Default:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#
+# To redirect an http entrypoint to an https entrypoint (with SNI support):
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       entryPoint = "https"
+#   [entryPoints.https]
+#   address = ":443"
+#     [entryPoints.https.tls]
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.com.cert"
+#       KeyFile = "integration/fixtures/https/snitest.com.key"
+#       [[entryPoints.https.tls.certificates]]
+#       CertFile = "integration/fixtures/https/snitest.org.cert"
+#       KeyFile = "integration/fixtures/https/snitest.org.key"
+#
+# To redirect an entrypoint rewriting the URL:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#     [entryPoints.http.redirect]
+#       regex = "^http://localhost/(.*)"
+#       replacement = "http://mydomain/$1"
+
+# Enable retry sending request if network error
+#
+# Optional
+#
+# [retry]
+
+# Number of attempts
+#
+# Optional
+# Default: (number servers in backend) -1
+#
+# attempts = 3
+
+# Sets the maximum request body to be stored in memory in Mo
+#
+# Optional
+# Default: 2
+#
+# maxMem = 3
 
 ################################################################
 # Web configuration backend
@@ -225,6 +301,13 @@
 #
 # filename = "marathon.tmpl"
 
+# Expose Marathon apps by default in traefik
+#
+# Optional
+# Default: false
+#
+# ExposedByDefault = true
+
 # Enable Marathon basic authentication
 #
 # Optional

webui/src/index.html

@@ -2,9 +2,10 @@
 <html ng-app="traefik">
   <head>
     <meta charset="utf-8">
-      <title>/ˈTræfɪk/</title>
+      <title>Træfɪk</title>
     <meta name="description" content="">
     <meta name="viewport" content="width=device-width">
+    <link rel="icon" type="image/png" href="traefik.icon.png" />
     <!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
 
     <!-- build:css({.tmp/serve,src}) styles/vendor.css -->
@@ -29,7 +30,7 @@
         <nav class="navbar navbar-default">
           <div class="container-fluid">
             <div class="navbar-header">
-              <a class="navbar-brand traefik-text" ui-sref="provider">/ˈTr<span class="traefik-blue">æ</span>fɪk/</a>
+              <a class="navbar-brand traefik-text" ui-sref="provider"><img src="traefik.icon.png"/></a>
             </div>
 
             <div class="collapse navbar-collapse">