Merge pull request #695 from containous/prepare-release-v1.0.3

Prepare release v1.0.3
2025-09-15 13:44:21 +03:00 · 2016-09-22 15:00:43 +02:00 · 2016-09-22 14:15:53 +02:00 · 2016-09-22 14:09:20 +02:00 · 2016-09-22 13:47:06 +02:00 · 2016-08-02 19:20:43 +02:00
113 changed files with 8095 additions and 1491 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -76,3 +76,51 @@ ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements

 Test success
 ```
+
+For development purpose, you can specifiy which tests to run by using:
+```
+# Run every tests in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite" make test-integration
+
+# Run the test "MyTest" in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
+
+# Run every tests starting with "My", in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.My" make test-integration
+
+# Run every tests ending with "Test", in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
+```
+
+More: https://labix.org/gocheck
+
+### Documentation
+
+The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
+
+First make sure you have python and pip installed
+
+```
+$ python --version
+Python 2.7.2
+$ pip --version
+pip 1.5.2
+```
+
+Then install mkdocs with pip
+
+```
+$ pip install mkdocs
+```
+
+To test documentaion localy run `mkdocs serve` in the root directory, this should start a server localy to preview your changes.
+
+```
+$ mkdocs serve
+INFO    -  Building documentation... 
+WARNING -  Config value: 'theme'. Warning: The theme 'united' will be removed in an upcoming MkDocs release. See http://www.mkdocs.org/about/release-notes/ for more details 
+INFO    -  Cleaning site directory 
+[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
+[I 160505 22:31:24 handlers:59] Start watching changes
+[I 160505 22:31:24 handlers:61] Start detecting changes
+```
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,6 @@ traefik.toml
 vendor/
 static/
 .vscode/
-site/
+site/
+*.log
+*.exe
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,19 +1,23 @@
 branches:
-  except:
-  - /^v\d\.\d\.\d.*$/
 env:
  global:
    - secure: btt4r13t09gQlHb6gYrvGC2yGCMMHfnp1Mz1RQedc4Mpf/FfT8aE6xmK2a2i9CCvskjrP0t/BFaS4yxIURjnFRn+ugQIEa0pLspB9UJArW/vgOSpIWM9/OQ/fg8z5XuMxN6Md4DL1/iLypMNSageA1x0TRdt89+D1N1dALpg5XRCXLFbC84TLi0gjlFuib9ibPKzEhLT+anCRJ6iZMzeupDSoaCVbAtJMoDvXw4+4AcRZ1+k4MybBLyCib5boaEOt4pTT88mz4Kk0YaMwPVJyg9Qv36VqyUcPS09Yd95LuyVQ4+tZt8Y1ccbIzULsK+sLM3hLCzxlmlpN3dQBlZJiiRtQde0mgGAKyC0P0A1XjuDTywcsa5edB+fTk1Dsewz9xZ9V0NmMz8t+UNZnaSsAPga9i86jULbXUUwMVSzVRc+Xgx02liB/8qI1xYC9FM6ilStt7rn7mF0k3KbiWhcptgeXjO6Lah9FjEKd5w4MXsdUSTi/86rQaLo+kj+XdaTrXCTulKHyRyQEUj+8V1w0oVz7pcGjePHd7y5oU9ByifVQy6sytuFBfRZvugM5bKHo+i0pcWvixrZS42DrzwxZJsspANOvqSe5ifVbvOkfUppQdCBIwptxV5N1b49XPKU3W/w34QJ8xGmKp3TFA7WwVCztriFHjPgiRpB3EG99Bg=
    - REPO: $TRAVIS_REPO_SLUG
-    - VERSION: v1.0.0-beta.$TRAVIS_BUILD_NUMBER
+    - VERSION: $TRAVIS_TAG
+    - CODENAME: reblochon
+  matrix:
+    - DOCKER_VERSION=1.9.1
+    - DOCKER_VERSION=1.10.1
 sudo: required
 services:
 - docker
 install:
 - sudo service docker stop
- sudo curl https://get.docker.com/builds/Linux/x86_64/docker-1.10.1 -o /usr/bin/docker
+- sudo curl https://get.docker.com/builds/Linux/x86_64/docker-${DOCKER_VERSION} -o /usr/bin/docker
 - sudo chmod +x /usr/bin/docker
 - sudo service docker start
+- sleep 5
+- docker version
 - pip install --user mkdocs
 - pip install --user pymdown-extensions
 before_script:
@@ -26,3 +30,4 @@ script:
 - make image
 after_success:
 - make deploy
+- make deploy-pr
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,162 @@
+# Change Log
+
+## [v1.0.3](https://github.com/containous/traefik/tree/v1.0.3) (2016-09-22)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.2...v1.0.3)
+
+**Fixed bugs:**
+
+- traefik hangs - stops handling requests [\#662](https://github.com/containous/traefik/issues/662)
+- Traefik crashing [\#458](https://github.com/containous/traefik/issues/458)
+
+**Merged pull requests:**
+
+- Fix health race [\#693](https://github.com/containous/traefik/pull/693) ([emilevauge](https://github.com/emilevauge))
+
+## [v1.0.2](https://github.com/containous/traefik/tree/v1.0.2) (2016-08-02)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.1...v1.0.2)
+
+**Fixed bugs:**
+
+- ACME: revoke certificate on agreement update [\#579](https://github.com/containous/traefik/issues/579)
+
+**Closed issues:**
+
+- Exclude some frontends in consul catalog [\#555](https://github.com/containous/traefik/issues/555)
+
+**Merged pull requests:**
+
+- Bump oxy version, fix streaming [\#584](https://github.com/containous/traefik/pull/584) ([emilevauge](https://github.com/emilevauge))
+- Fix ACME TOS [\#582](https://github.com/containous/traefik/pull/582) ([emilevauge](https://github.com/emilevauge))
+
+## [v1.0.1](https://github.com/containous/traefik/tree/v1.0.1) (2016-07-19)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.0...v1.0.1)
+
+**Implemented enhancements:**
+
+- Error with -consulcatalog and missing load balance method on 1.0.0 [\#524](https://github.com/containous/traefik/issues/524)
+- Kubernetes provider: should allow the master url to be override [\#501](https://github.com/containous/traefik/issues/501)
+
+**Fixed bugs:**
+
+- Flag --etcd.endpoint default [\#508](https://github.com/containous/traefik/issues/508)
+- Conditional ACME on demand generation [\#505](https://github.com/containous/traefik/issues/505)
+- Important delay with streams \(Mozilla EventSource\) [\#503](https://github.com/containous/traefik/issues/503)
+
+**Closed issues:**
+
+- Can I use Traefik without a domain name? [\#539](https://github.com/containous/traefik/issues/539)
+- Priortities in 1.0.0 not behaving [\#506](https://github.com/containous/traefik/issues/506)
+- Route by path [\#500](https://github.com/containous/traefik/issues/500)
+
+**Merged pull requests:**
+
+- Update server.go [\#531](https://github.com/containous/traefik/pull/531) ([Jsewill](https://github.com/Jsewill))
+- Add sse support [\#527](https://github.com/containous/traefik/pull/527) ([emilevauge](https://github.com/emilevauge))
+- Fix acme checkOnDemandDomain [\#512](https://github.com/containous/traefik/pull/512) ([emilevauge](https://github.com/emilevauge))
+- Fix default etcd port [\#511](https://github.com/containous/traefik/pull/511) ([errm](https://github.com/errm))
+
+## [v1.0.0](https://github.com/containous/traefik/tree/v1.0.0) (2016-07-05)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.0-rc3...v1.0.0)
+
+**Fixed bugs:**
+
+- Enable to define empty TLS option by flag for Let's Encrypt [\#488](https://github.com/containous/traefik/issues/488)
+- \[Docker\] No IP in backend in host networking mode [\#487](https://github.com/containous/traefik/issues/487)
+- Response is compressed when not requested [\#485](https://github.com/containous/traefik/issues/485)
+- loadConfig modifies configuration causing same config check to fail [\#480](https://github.com/containous/traefik/issues/480)
+
+**Closed issues:**
+
+- svg logo [\#482](https://github.com/containous/traefik/issues/482)
+- etcd tries to connect with TLS even with --etcd.tls=false [\#456](https://github.com/containous/traefik/issues/456)
+- Zookeeper - KV connection error: Failed to test KV store connection [\#455](https://github.com/containous/traefik/issues/455)
+- "Not Found" api response needed instead of 404  [\#454](https://github.com/containous/traefik/issues/454)
+- domain label doesn't work on docker [\#447](https://github.com/containous/traefik/issues/447)
+- Any chance of a windows release? [\#425](https://github.com/containous/traefik/issues/425)
+
+**Merged pull requests:**
+
+- Fix windows builds [\#495](https://github.com/containous/traefik/pull/495) ([emilevauge](https://github.com/emilevauge))
+- Fix host Docker network [\#494](https://github.com/containous/traefik/pull/494) ([emilevauge](https://github.com/emilevauge))
+- Fix empty tls flag [\#493](https://github.com/containous/traefik/pull/493) ([emilevauge](https://github.com/emilevauge))
+- Fix webui proxying [\#492](https://github.com/containous/traefik/pull/492) ([emilevauge](https://github.com/emilevauge))
+- Fix default weight in server.LoadConfig [\#491](https://github.com/containous/traefik/pull/491) ([emilevauge](https://github.com/emilevauge))
+- Fix retry headers, simplify ResponseRecorder [\#490](https://github.com/containous/traefik/pull/490) ([emilevauge](https://github.com/emilevauge))
+
+## [v1.0.0-rc3](https://github.com/containous/traefik/tree/v1.0.0-rc3) (2016-06-23)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.0-rc2...v1.0.0-rc3)
+
+**Implemented enhancements:**
+
+- support more than one rule to Docker backend [\#419](https://github.com/containous/traefik/issues/419)
+
+**Fixed bugs:**
+
+- consulCatalog issue when serviceName contains a dot [\#475](https://github.com/containous/traefik/issues/475)
+- Issue with empty responses [\#463](https://github.com/containous/traefik/issues/463)
+- Severe memory leak in beta.470 and beyond crashes Traefik server  [\#462](https://github.com/containous/traefik/issues/462)
+- Marathon that starts with a space causes parsing errors. [\#459](https://github.com/containous/traefik/issues/459)
+- A frontend route without a rule \(or empty rule\) causes a crash when traefik starts [\#453](https://github.com/containous/traefik/issues/453)
+- container dropped out when connecting to Docker Swarm [\#442](https://github.com/containous/traefik/issues/442)
+- Traefik setting Accept-Encoding: gzip on requests \(Traefik may also be broken with chunked responses\) [\#421](https://github.com/containous/traefik/issues/421)
+
+**Closed issues:**
+
+- HTTP headers case gets modified [\#466](https://github.com/containous/traefik/issues/466)
+- File frontend \> Marathon Backend [\#465](https://github.com/containous/traefik/issues/465)
+- Websocket: Unable to hijack the connection [\#452](https://github.com/containous/traefik/issues/452)
+- kubernetes: Received event spamming? [\#449](https://github.com/containous/traefik/issues/449)
+- kubernetes: backends not updated when i scale replication controller? [\#448](https://github.com/containous/traefik/issues/448)
+- Add href link on frontend [\#436](https://github.com/containous/traefik/issues/436)
+- Multiple Domains Rule [\#430](https://github.com/containous/traefik/issues/430)
+
+**Merged pull requests:**
+
+- Disable constraints in doc until 1.1 [\#479](https://github.com/containous/traefik/pull/479) ([emilevauge](https://github.com/emilevauge))
+- Sort nodes before creating consul catalog config [\#478](https://github.com/containous/traefik/pull/478) ([keis](https://github.com/keis))
+- Fix spamming events in listenProviders [\#477](https://github.com/containous/traefik/pull/477) ([emilevauge](https://github.com/emilevauge))
+- Fix empty responses [\#476](https://github.com/containous/traefik/pull/476) ([emilevauge](https://github.com/emilevauge))
+- Fix acme renew [\#472](https://github.com/containous/traefik/pull/472) ([emilevauge](https://github.com/emilevauge))
+- Fix typo in error message. [\#471](https://github.com/containous/traefik/pull/471) ([KevinBusse](https://github.com/KevinBusse))
+- Fix errors load config [\#470](https://github.com/containous/traefik/pull/470) ([emilevauge](https://github.com/emilevauge))
+- Typo: Replace French words by English ones [\#469](https://github.com/containous/traefik/pull/469) ([kumy](https://github.com/kumy))
+- Fix marathon TLS/basic auth [\#468](https://github.com/containous/traefik/pull/468) ([emilevauge](https://github.com/emilevauge))
+- Fix memory leak in listenProviders [\#464](https://github.com/containous/traefik/pull/464) ([emilevauge](https://github.com/emilevauge))
+- Fix websocket connection Hijack [\#460](https://github.com/containous/traefik/pull/460) ([emilevauge](https://github.com/emilevauge))
+- Fix default KV configuration [\#450](https://github.com/containous/traefik/pull/450) ([emilevauge](https://github.com/emilevauge))
+- Fix panic if listContainers fails… [\#443](https://github.com/containous/traefik/pull/443) ([vdemeester](https://github.com/vdemeester))
+- mount acme folder instead of file [\#441](https://github.com/containous/traefik/pull/441) ([NicolasGeraud](https://github.com/NicolasGeraud))
+- feat\(constraints\): Supports constraints for docker backend [\#438](https://github.com/containous/traefik/pull/438) ([samber](https://github.com/samber))
+
+## [v1.0.0-rc2](https://github.com/containous/traefik/tree/v1.0.0-rc2) (2016-06-07)
+[Full Changelog](https://github.com/containous/traefik/compare/v1.0.0-rc1...v1.0.0-rc2)
+
+**Implemented enhancements:**
+
+- Add @samber to maintainers [\#440](https://github.com/containous/traefik/pull/440) ([emilevauge](https://github.com/emilevauge))
+
+**Fixed bugs:**
+
+- Panic on help [\#429](https://github.com/containous/traefik/issues/429)
+- Bad default values in configuration [\#427](https://github.com/containous/traefik/issues/427)
+
+**Closed issues:**
+
+- Traefik doesn't listen on IPv4 ports [\#434](https://github.com/containous/traefik/issues/434)
+- Not listening on port 80 [\#432](https://github.com/containous/traefik/issues/432)
+- docs need updating for new frontend rules format [\#423](https://github.com/containous/traefik/issues/423)
+- Does traefik supports for Mac? \(For devlelopment\)  [\#417](https://github.com/containous/traefik/issues/417)
+
+**Merged pull requests:**
+
+- Allow multiple rules [\#435](https://github.com/containous/traefik/pull/435) ([fclaeys](https://github.com/fclaeys))
+- Add routes priorities [\#433](https://github.com/containous/traefik/pull/433) ([emilevauge](https://github.com/emilevauge))
+- Fix default configuration [\#428](https://github.com/containous/traefik/pull/428) ([emilevauge](https://github.com/emilevauge))
+- Fix marathon groups subdomain [\#426](https://github.com/containous/traefik/pull/426) ([emilevauge](https://github.com/emilevauge))
+- Fix travis tag check [\#422](https://github.com/containous/traefik/pull/422) ([emilevauge](https://github.com/emilevauge))
+- log info about TOML configuration file using [\#420](https://github.com/containous/traefik/pull/420) ([cocap10](https://github.com/cocap10))
+- Doc about skipping some integration tests with '-check.f ConsulCatalogSuite' [\#418](https://github.com/containous/traefik/pull/418) ([samber](https://github.com/samber))
+
+
+
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
--- a/9
+++ b/9
@@ -5,7 +5,8 @@ TRAEFIK_ENVS := \
 	-e OS_PLATFORM_ARG \
 	-e TESTFLAGS \
 	-e VERBOSE \
-	-e VERSION
+	-e VERSION \
+	-e CODENAME

 SRCS = $(shell git ls-files '*.go' | grep -v '^external/')

@@ -18,6 +19,7 @@ REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -v "/var/run/docker.sock:/var/run/docker.sock")

+DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"

 print-%: ; @echo $*=$($*)
@@ -46,7 +48,7 @@ validate: build  ## validate gofmt, golint and go vet
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh  validate-gofmt validate-govet validate-golint 

 build: dist
-	docker build -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
+	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .

 build-webui:
 	docker build -t traefik-webui -f webui/Dockerfile webui
@@ -84,5 +86,8 @@ fmt:
 deploy:
 	./script/deploy.sh

+deploy-pr:
+	./script/deploy-pr.sh
+
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@


 Træfɪk is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker](https://www.docker.com/), [Swarm](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.
+It supports several backends ([Docker](https://www.docker.com/), [Swarm](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Kubernetes](http://kubernetes.io/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), Rest API, file...) to manage its configuration automatically and dynamically.

 ## Overview

@@ -59,13 +59,15 @@ Run it and forget it!
 - Websocket support
 - HTTP/2 support
 - Retry request if network error
- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS)
+- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS with renewal)

 ## Demo

-Here is a demo of Træfɪk using Docker backend, showing a load-balancing between two servers, hot reloading of configuration, and graceful shutdown.

-[![asciicast](https://asciinema.org/a/4tcyde7riou5vxulo6my3mtko.png)](https://asciinema.org/a/4tcyde7riou5vxulo6my3mtko)
+Here is a talk (in french) given by [Emile Vauge](https://github.com/emilevauge) at the [Devoxx France 2016](http://www.devoxx.fr) conference. 
+You will learn fundamental Træfɪk features and see some demos with Docker, Mesos/Marathon and Lets'Encrypt. 
+
+[![Traefik Devoxx France](http://img.youtube.com/vi/QvAz9mVx5TI/0.jpg)](http://www.youtube.com/watch?v=QvAz9mVx5TI)

 ## Web UI

@@ -76,7 +78,7 @@ You can access to a simple HTML frontend of Træfik.

 ## Plumbing

- [Oxy](https://github.com/vulcand/oxy): an awsome proxy library made by Mailgun guys
+- [Oxy](https://github.com/vulcand/oxy): an awesome proxy library made by Mailgun guys
 - [Gorilla mux](https://github.com/gorilla/mux): famous request router
 - [Negroni](https://github.com/codegangsta/negroni): web middlewares made simple
 - [Manners](https://github.com/mailgun/manners): graceful shutdown of http.Handler servers
@@ -87,7 +89,7 @@ You can access to a simple HTML frontend of Træfik.
 - The simple way: grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):

 ```shell
-./traefik -c traefik.toml
+./traefik --configFile=traefik.toml
 ```

 - Use the tiny Docker image:
@@ -110,6 +112,11 @@ You can find the complete documentation [here](https://docs.traefik.io).

 Please refer to [this section](.github/CONTRIBUTING.md).

+## Support
+
+You can join [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com) to get basic support.
+If you prefer a commercial support, please contact [containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+
 ## Træfɪk here and there

 These projects use Træfɪk internally. If your company uses Træfɪk, we would be glad to get your feedback :) Contact us on [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
@@ -133,8 +140,18 @@ Europe. We provide consulting, development, training and support for the world
 software products.


-
 [![Asteris](docs/img/asteris.logo.png)](https://aster.is)

 Founded in 2014, Asteris creates next-generation infrastructure software for the modern datacenter. Asteris writes software that makes it easy for companies to implement continuous delivery and realtime data pipelines. We support the HashiCorp stack, along with Kubernetes, Apache Mesos, Spark and Kafka. We're core committers on mantl.io, consul-cli and mesos-consul.
-.
+
+## Maintainers
+
+- Emile Vauge [@emilevauge](https://github.com/emilevauge)
+- Vincent Demeester [@vdemeester](https://github.com/vdemeester)
+- Samuel Berthe [@samber](https://github.com/samber)
+- Russell Clare [@Russell-IO](https://github.com/Russell-IO)
+- Ed Robinson [@errm](https://github.com/errm)
+
+## Credits
+
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/img/traefik.icon.png)
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -16,6 +16,7 @@ import (
 	fmtlog "log"
 	"os"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 )
@@ -84,11 +85,11 @@ func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain D

 	for _, domainsCertificate := range dc.Certs {
 		if reflect.DeepEqual(domain, domainsCertificate.Domains) {
-			domainsCertificate.Certificate = acmeCert
 			tlsCert, err := tls.X509KeyPair(acmeCert.Certificate, acmeCert.PrivateKey)
 			if err != nil {
 				return err
 			}
+			domainsCertificate.Certificate = acmeCert
 			domainsCertificate.tlsCert = &tlsCert
 			return nil
 		}
@@ -161,15 +162,50 @@ func (dc *DomainsCertificate) needRenew() bool {

 // ACME allows to connect to lets encrypt and retrieve certs
 type ACME struct {
-	Email       string
-	Domains     []Domain
-	StorageFile string
-	OnDemand    bool
-	CAServer    string
-	EntryPoint  string
+	Email       string   `description:"Email address used for registration"`
+	Domains     []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
+	StorageFile string   `description:"File used for certificates storage."`
+	OnDemand    bool     `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."`
+	CAServer    string   `description:"CA server to use."`
+	EntryPoint  string   `description:"Entrypoint to proxy acme challenge to."`
 	storageLock sync.RWMutex
 }

+//Domains parse []Domain
+type Domains []Domain
+
+//Set []Domain
+func (ds *Domains) Set(str string) error {
+	fargs := func(c rune) bool {
+		return c == ',' || c == ';'
+	}
+	// get function
+	slice := strings.FieldsFunc(str, fargs)
+	if len(slice) < 1 {
+		return fmt.Errorf("Parse error ACME.Domain. Imposible to parse %s", str)
+	}
+	d := Domain{
+		Main: slice[0],
+		SANs: []string{},
+	}
+	if len(slice) > 1 {
+		d.SANs = slice[1:]
+	}
+	*ds = append(*ds, d)
+	return nil
+}
+
+//Get []Domain
+func (ds *Domains) Get() interface{} { return []Domain(*ds) }
+
+//String returns []Domain in string
+func (ds *Domains) String() string { return fmt.Sprintf("%+v", *ds) }
+
+//SetValue sets []Domain into the parser
+func (ds *Domains) SetValue(val interface{}) {
+	*ds = Domains(val.([]Domain))
+}
+
 // Domain holds a domain name with SANs
 type Domain struct {
 	Main string
@@ -181,7 +217,7 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
 	acme.Logger = fmtlog.New(ioutil.Discard, "", 0)

 	if len(a.StorageFile) == 0 {
-		return errors.New("Empty StorageFile, please provide a filenmae for certs storage")
+		return errors.New("Empty StorageFile, please provide a filename for certs storage")
 	}

 	log.Debugf("Generating default certificate...")
@@ -239,12 +275,29 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
 	// The client has a URL to the current Let's Encrypt Subscriber
 	// Agreement. The user will need to agree to it.
 	err = client.AgreeToTOS()
+	if err != nil {
+		// Let's Encrypt Subscriber Agreement renew ?
+		reg, err := client.QueryRegistration()
+		if err != nil {
+			return err
+		}
+		account.Registration = reg
+		err = client.AgreeToTOS()
+		if err != nil {
+			log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
+		}
+	}
+	// save account
+	err = a.saveAccount(account)
 	if err != nil {
 		return err
 	}

 	safe.Go(func() {
 		a.retrieveCertificates(client, account)
+		if err := a.renewCertificates(client, account); err != nil {
+			log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
+		}
 	})

 	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -268,7 +321,6 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
 		for {
 			select {
 			case <-ticker.C:
-
 				if err := a.renewCertificates(client, account); err != nil {
 					log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
 				}
@@ -307,6 +359,7 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
 }

 func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
+	log.Debugf("Testing certificate renew...")
 	for _, certificateResource := range account.DomainsCertificate.Certs {
 		if certificateResource.needRenew() {
 			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
@@ -316,9 +369,10 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
 				CertStableURL: certificateResource.Certificate.CertStableURL,
 				PrivateKey:    certificateResource.Certificate.PrivateKey,
 				Certificate:   certificateResource.Certificate.Certificate,
-			}, false)
+			}, true)
 			if err != nil {
-				return err
+				log.Errorf("Error renewing certificate: %v", err)
+				continue
 			}
 			log.Debugf("Renewed certificate %+v", certificateResource.Domains)
 			renewedACMECert := &Certificate{
@@ -330,10 +384,12 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
 			}
 			err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
 			if err != nil {
-				return err
+				log.Errorf("Error renewing certificate: %v", err)
+				continue
 			}
 			if err = a.saveAccount(account); err != nil {
-				return err
+				log.Errorf("Error saving ACME account: %v", err)
+				continue
 			}
 		}
 	}
@@ -406,7 +462,7 @@ func (a *ACME) saveAccount(Account *Account) error {

 func (a *ACME) getDomainsCertificates(client *acme.Client, domains []string) (*Certificate, error) {
 	log.Debugf("Loading ACME certificates %s...", domains)
-	bundle := false
+	bundle := true
 	certificate, failures := client.ObtainCertificate(domains, bundle, nil)
 	if len(failures) > 0 {
 		log.Error(failures)
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -0,0 +1,258 @@
+package acme
+
+import (
+	"reflect"
+	"sync"
+	"testing"
+)
+
+func TestDomainsSet(t *testing.T) {
+	checkMap := map[string]Domains{
+		"":                                   {},
+		"foo.com":                            {Domain{Main: "foo.com", SANs: []string{}}},
+		"foo.com,bar.net":                    {Domain{Main: "foo.com", SANs: []string{"bar.net"}}},
+		"foo.com,bar1.net,bar2.net,bar3.net": {Domain{Main: "foo.com", SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
+	}
+	for in, check := range checkMap {
+		ds := Domains{}
+		ds.Set(in)
+		if !reflect.DeepEqual(check, ds) {
+			t.Errorf("Expected %+v\nGot %+v", check, ds)
+		}
+	}
+}
+
+func TestDomainsSetAppend(t *testing.T) {
+	inSlice := []string{
+		"",
+		"foo1.com",
+		"foo2.com,bar.net",
+		"foo3.com,bar1.net,bar2.net,bar3.net",
+	}
+	checkSlice := []Domains{
+		{},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}}},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}},
+			Domain{
+				Main: "foo2.com",
+				SANs: []string{"bar.net"}}},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}},
+			Domain{
+				Main: "foo2.com",
+				SANs: []string{"bar.net"}},
+			Domain{Main: "foo3.com",
+				SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
+	}
+	ds := Domains{}
+	for i, in := range inSlice {
+		ds.Set(in)
+		if !reflect.DeepEqual(checkSlice[i], ds) {
+			t.Errorf("Expected  %s %+v\nGot %+v", in, checkSlice[i], ds)
+		}
+	}
+}
+
+func TestCertificatesRenew(t *testing.T) {
+	domainsCertificates := DomainsCertificates{
+		lock: &sync.RWMutex{},
+		Certs: []*DomainsCertificate{
+			{
+				Domains: Domain{
+					Main: "foo1.com",
+					SANs: []string{}},
+				Certificate: &Certificate{
+					Domain:        "foo1.com",
+					CertURL:       "url",
+					CertStableURL: "url",
+					PrivateKey: []byte(`
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA6OqHGdwGy20+3Jcz9IgfN4IR322X2Hhwk6n8Hss/Ws7FeTZo
+PvXW8uHeI1bmQJsy9C6xo3odzO64o7prgMZl5eDw5fk1mmUij3J3nM3gwtc/Cc+8
+ADXGldauASdHBFTRvWQge0Pv/Q5U0fyL2VCHoR9mGv4CQ7nRNKPus0vYJMbXoTbO
+8z4sIbNz3Ov9o/HGMRb8D0rNPTMdC62tHSbiO1UoxLXr9dcBOGt786AsiRTJ8bq9
+GCVQgzd0Wftb8z6ddW2YuWrmExlkHdfC4oG0D5SU1QB4ldPyl7fhVWlfHwC1NX+c
+RnDSEeYkAcdvvIekdM/yH+z62XhwToM0E9TCzwIDAQABAoIBACq3EC3S50AZeeTU
+qgeXizoP1Z1HKQjfFa5PB1jSZ30M3LRdIQMi7NfASo/qmPGSROb5RUS42YxC34PP
+ZXXJbNiaxzM13/m/wHXURVFxhF3XQc1X1p+nPRMvutulS2Xk9E4qdbaFgBbFsRKN
+oUwqc6U97+jVWq72/gIManNhXnNn1n1SRLBEkn+WStMPn6ZvWRlpRMjhy0c1mpwg
+u6em92HvMvfKPQ60naUhdKp+q0rsLp2YKWjiytos9ENSYI5gAGLIDhKeqiD8f92E
+4FGPmNRipwxCE2SSvZFlM26tRloWVcBPktRN79hUejE8iopiqVS0+4h/phZ2wG0D
+18cqVpECgYEA+qmagnhm0LLvwVkUN0B2nRARQEFinZDM4Hgiv823bQvc9I8dVTqJ
+aIQm5y4Y5UA3xmyDsRoO7GUdd0oVeh9GwTONzMRCOny/mOuOC51wXPhKHhI0O22u
+sfbOHszl+bxl6ZQMUJa2/I8YIWBLU5P+fTgrfNwBEgZ3YPwUV5tyHNcCgYEA7eAv
+pjQkbJNRq/fv/67sojN7N9QoH84egN5cZFh5d8PJomnsvy5JDV4WaG1G6mJpqjdD
+YRVdFw5oZ4L8yCVdCeK9op896Uy51jqvfSe3+uKmNqE0qDHgaLubQNI8yYc5sacW
+fYJBmDR6rNIeE7Q2240w3CdKfREuXdDnhyTTEskCgYBFeAnFTP8Zqe2+hSSQJ4J4
+BwLw7u4Yww+0yja/N5E1XItRD/TOMRnx6GYrvd/ScVjD2kEpLRKju2ZOMC8BmHdw
+hgwvitjcAsTK6cWFPI3uhjVsXhkxuzUmR0Naz+iQrQEFmi1LjGmMV1AVt+1IbYSj
+SZTr1sFJMJeXPmWY3hDjIwKBgQC4H9fCJoorIL0PB5NVreishHzT8fw84ibqSTPq
+2DDtazcf6C3AresN1c4ydqN1uUdg4fXdp9OujRBzTwirQ4CIrmFrBye89g7CrBo6
+Hgxivh06G/3OUw0JBG5f9lvnAiy+Pj9CVxi+36A1NU7ioZP0zY0MW71koW/qXlFY
+YkCfQQKBgBqwND/c3mPg7iY4RMQ9XjrKfV9o6FMzA51lAinjujHlNgsBmqiR951P
+NA3kWZQ73D3IxeLEMaGHpvS7andPN3Z2qPhe+FbJKcF6ZZNTrFQkh/Fpz3wmYPo1
+GIL4+09kNgMRWapaROqI+/3+qJQ+GVJZIPfYC0poJOO6vYqifWe8
+-----END RSA PRIVATE KEY-----
+`),
+					Certificate: []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIJAK78ukR/Qu4rMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
+BAMMCGZvbzEuY29tMB4XDTE2MDYxOTIyMDMyM1oXDTI2MDYxNzIyMDMyM1owEzER
+MA8GA1UEAwwIZm9vMS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDo6ocZ3AbLbT7clzP0iB83ghHfbZfYeHCTqfweyz9azsV5Nmg+9dby4d4jVuZA
+mzL0LrGjeh3M7rijumuAxmXl4PDl+TWaZSKPcneczeDC1z8Jz7wANcaV1q4BJ0cE
+VNG9ZCB7Q+/9DlTR/IvZUIehH2Ya/gJDudE0o+6zS9gkxtehNs7zPiwhs3Pc6/2j
+8cYxFvwPSs09Mx0Lra0dJuI7VSjEtev11wE4a3vzoCyJFMnxur0YJVCDN3RZ+1vz
+Pp11bZi5auYTGWQd18LigbQPlJTVAHiV0/KXt+FVaV8fALU1f5xGcNIR5iQBx2+8
+h6R0z/If7PrZeHBOgzQT1MLPAgMBAAGjUDBOMB0GA1UdDgQWBBRFLH1wF6BT51uq
+yWNqBnCrPFIglzAfBgNVHSMEGDAWgBRFLH1wF6BT51uqyWNqBnCrPFIglzAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAr7aH3Db6TeAZkg4Zd7SoF2q11
+erzv552PgQUyezMZcRBo2q1ekmUYyy2600CBiYg51G+8oUqjJKiKnBuaqbMX7pFa
+FsL7uToZCGA57cBaVejeB+p24P5bxoJGKCMeZcEBe5N93Tqu5WBxNEX7lQUo6TSs
+gSN2Olf3/grNKt5V4BduSIQZ+YHlPUWLTaz5B1MXKSUqjmabARP9lhjO14u9USvi
+dMBDFskJySQ6SUfz3fyoXELoDOVbRZETuSodpw+aFCbEtbcQCLT3A0FG+BEPayZH
+tt19zKUlr6e+YFpyjQPGZ7ZkY7iMgHEkhKrXx2DiZ1+cif3X1xfXWQr0S5+E
+-----END CERTIFICATE-----
+`),
+				},
+			},
+			{
+				Domains: Domain{
+					Main: "foo2.com",
+					SANs: []string{}},
+				Certificate: &Certificate{
+					Domain:        "foo2.com",
+					CertURL:       "url",
+					CertStableURL: "url",
+					PrivateKey: []byte(`
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA7rIVuSrZ3FfYXhR3qaWwfVcgiqKS//yXFzNqkJS6mz9nRCNT
+lPawvrCFIRKdR7UO7xD7A5VTcbrGOAaTvrEaH7mB/4FGL+gN4AiTbVFpKXngAYEW
+A3//zeBZ7XUSWaQ+CNC+l796JeoDvQD++KwCke4rVD1pGN1hpVEeGhwzyKOYPKLo
+4+AGVe1LFWw4U/v8Iil1/gBBehZBILuhASpXy4W132LJPl76/EbGqh0nVz2UlFqU
+HRxO+2U2ba4YIpI+0/VOQ9Cq/TzHSUdTTLfBHE/Qb+aDBfptMWTRvAngLqUglOcZ
+Fi6SAljxEkJO6z6btmoVUWsoKBpbIHDC5++dZwIDAQABAoIBAAD8rYhRfAskNdnV
+vdTuwXcTOCg6md8DHWDULpmgc9EWhwfKGZthFcQEGNjVKd9VCVXFvTP7lxe+TPmI
+VW4Rb2k4LChxUWf7TqthfbKTBptMTLfU39Ft4xHn3pdTx5qlSjhhHJimCwxDFnbe
+nS9MDsqpsHYtttSKfc/gMP6spS4sNPZ/r9zseT3eWkBEhn+FQABxJiuPcQ7q7S+Q
+uOghmr7f3FeYvizQOhBtULsLrK/hsmQIIB4amS1QlpNWKbIoiUPNPjCA5PVQyAER
+waYjuc7imBbeD98L/z8bRTlEskSKjtPSEXGVHa9OYdBU+02Ci6TjKztUp6Ho7JE9
+tcHj+eECgYEA+9Ntv6RqIdpT/4/52JYiR+pOem3U8tweCOmUqm/p/AWyfAJTykqt
+cJ8RcK1MfM+uoa5Sjm8hIcA2XPVEqH2J50PC4w04Q3xtfsz3xs7KJWXQCoha8D0D
+ZIFNroEPnld0qOuJzpIIteXTrCLhSu17ZhN+Wk+5gJ7Ewu/QMM5OPjECgYEA8qbw
+zfwSjE6jkrqO70jzqSxgi2yjo0vMqv+BNBuhxhDTBXnKQI1KsHoiS0FkSLSJ9+DS
+CT3WEescD2Lumdm2s9HXvaMmnDSKBY58NqCGsNzZifSgmj1H/yS9FX8RXfSjXcxq
+RDvTbD52/HeaCiOxHZx8JjmJEb+ZKJC4MDvjtxcCgYBM516GvgEjYXdxfliAiijh
+6W4Z+Vyk5g/ODPc3rYG5U0wUjuljx7Z7xDghPusy2oGsIn5XvRxTIE35yXU0N1Jb
+69eiWzEpeuA9bv7kGdal4RfNf6K15wwYL1y3w/YvFuorg/LLwNEkK5Ge6e//X9Ll
+c2KM1fgCjXntRitAHGDMoQKBgDnkgodioLpA+N3FDN0iNqAiKlaZcOFA8G/LzfO0
+tAAhe3dO+2YzT6KTQSNbUqXWDSTKytHRowVbZrJ1FCA4xVJZunNQPaH/Fv8EY7ZU
+zk3cIzq61qZ2AHtrNIGwc2BLQb7bSm9FJsgojxLlJidNJLC/6Q7lo0JMyCnZfVhk
+sYu5AoGAZt/MfyFTKm674UddSNgGEt86PyVYbLMnRoAXOaNB38AE12kaYHPil1tL
+FnL8OQLpbX5Qo2JGgeZRlpMJ4Jxw2zzvUKr/n+6khaLxHmtX48hMu2QM7ZvnkZCs
+Kkgz6v+Wcqm94ugtl3HSm+u9xZzVQxN6gu/jZQv3VpQiAZHjPYc=
+-----END RSA PRIVATE KEY-----
+`),
+					Certificate: []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIJAK25/Z9Jz6IBMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
+BAMMCGZvbzIuY29tMB4XDTE2MDYyMDA5MzUyNloXDTI2MDYxODA5MzUyNlowEzER
+MA8GA1UEAwwIZm9vMi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDushW5KtncV9heFHeppbB9VyCKopL//JcXM2qQlLqbP2dEI1OU9rC+sIUhEp1H
+tQ7vEPsDlVNxusY4BpO+sRofuYH/gUYv6A3gCJNtUWkpeeABgRYDf//N4FntdRJZ
+pD4I0L6Xv3ol6gO9AP74rAKR7itUPWkY3WGlUR4aHDPIo5g8oujj4AZV7UsVbDhT
+/wiKXX+AEF6FkEgu6EBKlfLhbXfYsk+Xvr8RsaqHSdXPZSUWpQdHE77ZTZtrhgi
+kj7T9U5D0Kr9PMdJR1NMt8EcT9Bv5oMF+m0xZNG8CeAupSCU5xkWLpICWPESQk7r
+Ppu2ahVRaygoGlsgcMLn751nAgMBAAGjUDBOMB0GA1UdDgQWBBQ6FZWqB9qI4NN+
+2jFY6xH8uoUTnTAfBgNVHSMEGDAWgBQ6FZWqB9qI4NN+2jFY6xH8uoUTnTAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCRhuf2dQhIEOmSOGgtRELF2wB6
+NWXt0lCty9x4u+zCvITXV8Z0C34VQGencO3H2bgyC3ZxNpPuwZfEc2Pxe8W6bDc/
+OyLckk9WLo00Tnr2t7rDOeTjEGuhXFZkhIbJbKdAH8cEXrxKR8UXWtZgTv/b8Hv/
+g6tbeH6TzBsdMoFtUCsyWxygYwnLU+quuYvE2s9FiCegf2mdYTCh/R5J5n/51gfB
+uC+NakKMfaCvNg3mOAFSYC/0r0YcKM/5ldKGTKTCVJAMhnmBnyRc/70rKkVRFy2g
+iIjUFs+9aAgfCiL0WlyyXYAtIev2gw4FHUVlcT/xKks+x8Kgj6e5LTIrRRwW
+-----END CERTIFICATE-----
+`),
+				},
+			},
+		},
+	}
+
+	newCertificate := &Certificate{
+		Domain:        "foo1.com",
+		CertURL:       "url",
+		CertStableURL: "url",
+		PrivateKey: []byte(`
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA1OdSuXK2zeSLf0UqgrI4pjkpaqhra++pnda4Li4jXo151svi
+Sn7DSynJOoq1jbfRJAoyDhxsBC4S4RuD54U5elJ4wLPZXmHRsvb+NwiHs9VmDqwu
+It21btuqeNMebkab5cnDnC6KKufMhXRcRAlluYXyCkQe/+N+LlUQd6Js34TixMpk
+eQOX4/OVrokSyVRnIq4u+o0Ufe7z5+41WVH63tcy7Hwi7244aLUzZCs+QQa2Dw6f
+qEwjbonr974fM68UxDjTZEQy9u24yDzajhDBp1OTAAklh7U+li3g9dSyNVBFXqEu
+nW2fyBvLqeJOSTihqfcrACB/YYhYOX94vMXELQIDAQABAoIBAFYK3t3fxI1VTiMz
+WsjTKh3TgC+AvVkz1ILbojfXoae22YS7hUrCDD82NgMYx+LsZPOBw1T8m5Lc4/hh
+3F8W8nHDHtYSWUjRk6QWOgsXwXAmUEahw0uH+qlA0ZZfDC9ZDexCLHHURTat03Qj
+4J4GhjwCLB2GBlk4IWisLCmNVR7HokrpfIw4oM1aB5E21Tl7zh/x7ikRijEkUsKw
+7YhaMeLJqBnMnAdV63hhF7FaDRjl8P2s/3octz/6pqDIABrDrUW3KAkNYCZIWdhF
+Kk0wRMbZ/WrYT9GIGoJe7coQC7ezTrlrEkAFEIPGHCLkgXB/0TyuSy0yY59e4zmi
+VvHoWUECgYEA/rOL2KJ/p+TZW7+YbsUzs0+F+M+G6UCr0nWfYN9MKmNtmns3eLDG
+pIpBMc5mjqeJR/sCCdkD8OqHC202Y8e4sr0pKSBeBofh2BmXtpyu3QQ50Pa63RS
+SK6mYUrFqPmFFDbNGpFI4sIeI+Vf6hm96FQPnyPtUTGqk39m0RbWM/UCgYEA1f04
+Nf3wbqwqIHZjYpPmymfjleyMn3hGUjpi7pmI6inXGMk3nkeG1cbOhnfPxL5BWD12
+3RqHI2B4Z4r0BMyjctDNb1TxhMIpm5+PKm5KeeKfoYA85IS0mEeq6VdMm3mL1x/O
+3LYvcUvAEVf6pWX/+ZFLMudqhF3jbTrdNOC6ZFkCgYBKpEeJdyW+CD0CvEVpwPUD
+yXxTjE3XMZKpHLtWYlop2fWW3iFFh1jouci3k8L3xdHuw0oioZibXhYOJ/7l+yFs
+CVpknakrj0xKGiAmEBKriLojbClN80rh7fzoakc+29D6OY0mCgm4GndGwcO4EU8s
+NOZXFupHbyy0CRQSloSzuQKBgQC1Z/MtIlefGuijmHlsakGuuR+gS2ZzEj1bHBAe
+gZ4mFM46PuqdjblqpR0TtaI3AarXqVOI4SJLBU9NR+jR4MF3Zjeh9/q/NvKa8Usn
+B1Svu0TkXphAiZenuKnVIqLY8tNvzZFKXlAd1b+/dDwR10SHR3rebnxINmfEg7Bf
+UVvyEQKBgAEjI5O6LSkLNpbVn1l2IO8u8D2RkFqs/Sbx78uFta3f9Gddzb4wMnt3
+jVzymghCLp4Qf1ump/zC5bcQ8L97qmnjJ+H8X9HwmkqetuI362JNnz+12YKVDIWi
+wI7SJ8BwDqYMrLw6/nE+degn39KedGDH8gz5cZcdlKTZLjbuBOfU
+-----END RSA PRIVATE KEY-----
+`),
+		Certificate: []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIJAPQiOiQcwYaRMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
+BAMMCGZvbzEuY29tMB4XDTE2MDYxOTIyMTE1NFoXDTI2MDYxNzIyMTE1NFowEzER
+MA8GA1UEAwwIZm9vMS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDU51K5crbN5It/RSqCsjimOSlqqGtr76md1rguLiNejXnWy+JKfsNLKck6irWN
+t9EkCjIOHGwELhLhG4PnhTl6UnjAs9leYdGy9v43CIez1WYOrC4i3bVu26p40x5u
+RpvlycOcLooq58yFdFxECWW5hfIKRB7/434uVRB3omzfhOLEymR5A5fj85WuiRLJ
+VGciri76jRR97vPn7jVZUfre1zLsfCLvbjhotTNkKz5BBrYPDp+oTCNuiev3vh8z
+rxTEONNkRDL27bjIPNqOEMGnU5MACSWHtT6WLeD11LI1UEVeoS6dbZ/IG8up4k5J
+OKGp9ysAIH9hiFg5f3i8xcQtAgMBAAGjUDBOMB0GA1UdDgQWBBQPfkS5ehpstmSb
+8CGJE7GxSCxl2DAfBgNVHSMEGDAWgBQPfkS5ehpstmSb8CGJE7GxSCxl2DAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQA99A+itS9ImdGRGgHZ5fSusiEq
+wkK5XxGyagL1S0f3VM8e78VabSvC0o/xdD7DHVg6Az8FWxkkksH6Yd7IKfZZUzvs
+kXQhlOwWpxgmguSmAs4uZTymIoMFRVj3nG664BcXkKu4Yd9UXKNOWP59zgvrCJMM
+oIsmYiq5u0MFpM31BwfmmW3erqIcfBI9OJrmr1XDzlykPZNWtUSSfVuNQ8d4bim9
+XH8RfVLeFbqDydSTCHIFvYthH/ESbpRCiGJHoJ8QLfOkhD1k2fI0oJZn5RVtG2W8
+bZME3gHPYCk1QFZUptriMCJ5fMjCgxeOTR+FAkstb/lTRuCc4UyILJguIMar
+-----END CERTIFICATE-----
+`),
+	}
+
+	err := domainsCertificates.renewCertificates(
+		newCertificate,
+		Domain{
+			Main: "foo1.com",
+			SANs: []string{}})
+	if err != nil {
+		t.Errorf("Error in renewCertificates :%v", err)
+	}
+	if len(domainsCertificates.Certs) != 2 {
+		t.Errorf("Expected domainsCertificates length %d %+v\nGot %+v", 2, domainsCertificates.Certs, len(domainsCertificates.Certs))
+	}
+	if !reflect.DeepEqual(domainsCertificates.Certs[0].Certificate, newCertificate) {
+		t.Errorf("Expected new certificate %+v \nGot %+v", newCertificate, domainsCertificates.Certs[0].Certificate)
+	}
+}
--- a/acme/challengeProvider.go
+++ b/acme/challengeProvider.go
@@ -29,7 +29,7 @@ func (c *wrapperChallengeProvider) getCertificate(domain string) (cert *tls.Cert
 }

 func (c *wrapperChallengeProvider) Present(domain, token, keyAuth string) error {
-	cert, err := acme.TLSSNI01ChallengeCert(keyAuth)
+	cert, _, err := acme.TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
--- a/adapters.go
+++ b/adapters.go
@@ -23,9 +23,9 @@ func (oxylogger *OxyLogger) Warningf(format string, args ...interface{}) {
 	log.Warningf(format, args...)
 }

-// Errorf logs specified string as Error level in logrus.
+// Errorf logs specified string as Warningf level in logrus.
 func (oxylogger *OxyLogger) Errorf(format string, args ...interface{}) {
-	log.Errorf(format, args...)
+	log.Warningf(format, args...)
 }

 func notFoundHandler(w http.ResponseWriter, r *http.Request) {
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,17 +1,12 @@
-FROM golang:1.6.0-alpine
+FROM golang:1.6.2

-RUN apk update && apk add git bash gcc musl-dev \
-&& go get github.com/Masterminds/glide \
-&& go get github.com/mitchellh/gox \
+RUN go get github.com/Masterminds/glide \
 && go get github.com/jteeuwen/go-bindata/... \
 && go get github.com/golang/lint/golint \
 && go get github.com/kisielk/errcheck

 # Which docker version to test on
-ENV DOCKER_VERSION 1.10.1
-
-# enable GO15VENDOREXPERIMENT
-ENV GO15VENDOREXPERIMENT 1
+ARG DOCKER_VERSION=1.10.1

 # Download docker
 RUN set -ex; \
@@ -27,4 +22,4 @@ COPY glide.yaml glide.yaml
 COPY glide.lock glide.lock
 RUN glide install

-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/containous/traefik
--- a/cmd.go
+++ b/cmd.go
@@ -1,219 +0,0 @@
-/*
-Copyright
-*/
-package main
-
-import (
-	"encoding/json"
-	fmtlog "log"
-	"os"
-	"strings"
-	"time"
-
-	log "github.com/Sirupsen/logrus"
-	"github.com/containous/traefik/middlewares"
-	"github.com/containous/traefik/provider"
-	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
-	"net/http"
-)
-
-var traefikCmd = &cobra.Command{
-	Use:   "traefik",
-	Short: "traefik, a modern reverse proxy",
-	Long: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-Complete documentation is available at http://traefik.io`,
-	Run: func(cmd *cobra.Command, args []string) {
-		run()
-	},
-}
-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "Print version",
-	Long:  `Print version`,
-	Run: func(cmd *cobra.Command, args []string) {
-		fmtlog.Println(Version + " built on the " + BuildDate)
-		os.Exit(0)
-	},
-}
-
-var arguments = struct {
-	GlobalConfiguration
-	web           bool
-	file          bool
-	docker        bool
-	dockerTLS     bool
-	marathon      bool
-	consul        bool
-	consulTLS     bool
-	consulCatalog bool
-	zookeeper     bool
-	etcd          bool
-	etcdTLS       bool
-	boltdb        bool
-}{
-	GlobalConfiguration{
-		EntryPoints: make(EntryPoints),
-		Docker: &provider.Docker{
-			TLS: &provider.DockerTLS{},
-		},
-		File:     &provider.File{},
-		Web:      &WebProvider{},
-		Marathon: &provider.Marathon{},
-		Consul: &provider.Consul{
-			Kv: provider.Kv{
-				TLS: &provider.KvTLS{},
-			},
-		},
-		ConsulCatalog: &provider.ConsulCatalog{},
-		Zookeeper:     &provider.Zookepper{},
-		Etcd: &provider.Etcd{
-			Kv: provider.Kv{
-				TLS: &provider.KvTLS{},
-			},
-		},
-		Boltdb: &provider.BoltDb{},
-	},
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-	false,
-}
-
-func init() {
-	traefikCmd.AddCommand(versionCmd)
-	traefikCmd.PersistentFlags().StringP("configFile", "c", "", "Configuration file to use (TOML, JSON, YAML, HCL).")
-	traefikCmd.PersistentFlags().StringP("graceTimeOut", "g", "10", "Timeout in seconds. Duration to give active requests a chance to finish during hot-reloads")
-	traefikCmd.PersistentFlags().String("accessLogsFile", "log/access.log", "Access logs file")
-	traefikCmd.PersistentFlags().String("traefikLogsFile", "log/traefik.log", "Traefik logs file")
-	traefikCmd.PersistentFlags().Var(&arguments.EntryPoints, "entryPoints", "Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key'")
-	traefikCmd.PersistentFlags().Var(&arguments.DefaultEntryPoints, "defaultEntryPoints", "Entrypoints to be used by frontends that do not specify any entrypoint")
-	traefikCmd.PersistentFlags().StringP("logLevel", "l", "ERROR", "Log level")
-	traefikCmd.PersistentFlags().DurationVar(&arguments.ProvidersThrottleDuration, "providersThrottleDuration", time.Duration(2*time.Second), "Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time.")
-	traefikCmd.PersistentFlags().Int("maxIdleConnsPerHost", 0, "If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.web, "web", false, "Enable Web backend")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Web.Address, "web.address", ":8080", "Web administration port")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Web.CertFile, "web.cerFile", "", "SSL certificate")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Web.KeyFile, "web.keyFile", "", "SSL certificate")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Web.ReadOnly, "web.readOnly", false, "Enable read only API")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.file, "file", false, "Enable File backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.File.Watch, "file.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.File.Filename, "file.filename", "", "Override default configuration template. For advanced users :)")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.docker, "docker", false, "Enable Docker backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Docker.Watch, "docker.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.Filename, "docker.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.Endpoint, "docker.endpoint", "unix:///var/run/docker.sock", "Docker server endpoint. Can be a tcp or a unix socket endpoint")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.Domain, "docker.domain", "", "Default domain used")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.dockerTLS, "docker.tls", false, "Enable Docker TLS support")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.TLS.CA, "docker.tls.ca", "", "TLS CA")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.TLS.Cert, "docker.tls.cert", "", "TLS cert")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Docker.TLS.Key, "docker.tls.key", "", "TLS key")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Docker.TLS.InsecureSkipVerify, "docker.tls.insecureSkipVerify", false, "TLS insecure skip verify")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.marathon, "marathon", false, "Enable Marathon backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Marathon.Watch, "marathon.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Filename, "marathon.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Endpoint, "marathon.endpoint", "http://127.0.0.1:8080", "Marathon server endpoint. You can also specify multiple endpoint for Marathon")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Marathon.Domain, "marathon.domain", "", "Default domain used")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Marathon.ExposedByDefault, "marathon.exposedByDefault", true, "Expose Marathon apps by default")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.consul, "consul", false, "Enable Consul backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Consul.Watch, "consul.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.Filename, "consul.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.Endpoint, "consul.endpoint", "127.0.0.1:8500", "Comma sepparated Consul server endpoints")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.Prefix, "consul.prefix", "/traefik", "Prefix used for KV store")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.consulTLS, "consul.tls", false, "Enable Consul TLS support")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.TLS.CA, "consul.tls.ca", "", "TLS CA")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.TLS.Cert, "consul.tls.cert", "", "TLS cert")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Consul.TLS.Key, "consul.tls.key", "", "TLS key")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Consul.TLS.InsecureSkipVerify, "consul.tls.insecureSkipVerify", false, "TLS insecure skip verify")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.consulCatalog, "consulCatalog", false, "Enable Consul catalog backend")
-	traefikCmd.PersistentFlags().StringVar(&arguments.ConsulCatalog.Domain, "consulCatalog.domain", "", "Default domain used")
-	traefikCmd.PersistentFlags().StringVar(&arguments.ConsulCatalog.Endpoint, "consulCatalog.endpoint", "127.0.0.1:8500", "Consul server endpoint")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.zookeeper, "zookeeper", false, "Enable Zookeeper backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Zookeeper.Watch, "zookeeper.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Filename, "zookeeper.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Endpoint, "zookeeper.endpoint", "127.0.0.1:2181", "Comma sepparated Zookeeper server endpoints")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Zookeeper.Prefix, "zookeeper.prefix", "/traefik", "Prefix used for KV store")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.etcd, "etcd", false, "Enable Etcd backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Etcd.Watch, "etcd.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.Filename, "etcd.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.Endpoint, "etcd.endpoint", "127.0.0.1:4001", "Comma sepparated Etcd server endpoints")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.Prefix, "etcd.prefix", "/traefik", "Prefix used for KV store")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.etcdTLS, "etcd.tls", false, "Enable Etcd TLS support")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.TLS.CA, "etcd.tls.ca", "", "TLS CA")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.TLS.Cert, "etcd.tls.cert", "", "TLS cert")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Etcd.TLS.Key, "etcd.tls.key", "", "TLS key")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Etcd.TLS.InsecureSkipVerify, "etcd.tls.insecureSkipVerify", false, "TLS insecure skip verify")
-
-	traefikCmd.PersistentFlags().BoolVar(&arguments.boltdb, "boltdb", false, "Enable Boltdb backend")
-	traefikCmd.PersistentFlags().BoolVar(&arguments.Boltdb.Watch, "boltdb.watch", true, "Watch provider")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Filename, "boltdb.filename", "", "Override default configuration template. For advanced users :)")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Endpoint, "boltdb.endpoint", "127.0.0.1:4001", "Boltdb server endpoint")
-	traefikCmd.PersistentFlags().StringVar(&arguments.Boltdb.Prefix, "boltdb.prefix", "/traefik", "Prefix used for KV store")
-
-	_ = viper.BindPFlag("configFile", traefikCmd.PersistentFlags().Lookup("configFile"))
-	_ = viper.BindPFlag("graceTimeOut", traefikCmd.PersistentFlags().Lookup("graceTimeOut"))
-	_ = viper.BindPFlag("logLevel", traefikCmd.PersistentFlags().Lookup("logLevel"))
-	// TODO: wait for this issue to be corrected: https://github.com/spf13/viper/issues/105
-	_ = viper.BindPFlag("providersThrottleDuration", traefikCmd.PersistentFlags().Lookup("providersThrottleDuration"))
-	_ = viper.BindPFlag("maxIdleConnsPerHost", traefikCmd.PersistentFlags().Lookup("maxIdleConnsPerHost"))
-	viper.SetDefault("providersThrottleDuration", time.Duration(2*time.Second))
-	viper.SetDefault("logLevel", "ERROR")
-	viper.SetDefault("MaxIdleConnsPerHost", 200)
-}
-
-func run() {
-	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
-
-	// load global configuration
-	globalConfiguration := LoadConfiguration()
-
-	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = globalConfiguration.MaxIdleConnsPerHost
-	loggerMiddleware := middlewares.NewLogger(globalConfiguration.AccessLogsFile)
-	defer loggerMiddleware.Close()
-
-	// logging
-	level, err := log.ParseLevel(strings.ToLower(globalConfiguration.LogLevel))
-	if err != nil {
-		log.Fatal("Error getting level", err)
-	}
-	log.SetLevel(level)
-
-	if len(globalConfiguration.TraefikLogsFile) > 0 {
-		fi, err := os.OpenFile(globalConfiguration.TraefikLogsFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
-		defer func() {
-			if err := fi.Close(); err != nil {
-				log.Error("Error closinf file", err)
-			}
-		}()
-		if err != nil {
-			log.Fatal("Error opening file", err)
-		} else {
-			log.SetOutput(fi)
-			log.SetFormatter(&log.TextFormatter{DisableColors: true, FullTimestamp: true, DisableSorting: true})
-		}
-	} else {
-		log.SetFormatter(&log.TextFormatter{FullTimestamp: true, DisableSorting: true})
-	}
-	jsonConf, _ := json.Marshal(globalConfiguration)
-	log.Debugf("Global configuration loaded %s", string(jsonConf))
-	server := NewServer(*globalConfiguration)
-	server.Start()
-	defer server.Close()
-	log.Info("Shutting down")
-}
--- a/configuration.go
+++ b/configuration.go
@@ -3,40 +3,45 @@ package main
 import (
 	"errors"
 	"fmt"
-	fmtlog "log"
-	"regexp"
-	"strings"
-	"time"
-
 	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/types"
-	"github.com/mitchellh/mapstructure"
-	"github.com/spf13/viper"
+	"regexp"
+	"strings"
+	"time"
 )

+// TraefikConfiguration holds GlobalConfiguration and other stuff
+type TraefikConfiguration struct {
+	GlobalConfiguration
+	ConfigFile string `short:"c" description:"Configuration file to use (TOML)."`
+}
+
 // GlobalConfiguration holds global configuration (with providers, etc.).
 // It's populated from the traefik configuration file passed as an argument to the binary.
 type GlobalConfiguration struct {
-	GraceTimeOut              int64
-	AccessLogsFile            string
-	TraefikLogsFile           string
-	LogLevel                  string
-	EntryPoints               EntryPoints
-	ACME                      *acme.ACME
-	DefaultEntryPoints        DefaultEntryPoints
-	ProvidersThrottleDuration time.Duration
-	MaxIdleConnsPerHost       int
-	Retry                     *Retry
-	Docker                    *provider.Docker
-	File                      *provider.File
-	Web                       *WebProvider
-	Marathon                  *provider.Marathon
-	Consul                    *provider.Consul
-	ConsulCatalog             *provider.ConsulCatalog
-	Etcd                      *provider.Etcd
-	Zookeeper                 *provider.Zookepper
-	Boltdb                    *provider.BoltDb
+	GraceTimeOut              int64                   `short:"g" description:"Duration to give active requests a chance to finish during hot-reload"`
+	Debug                     bool                    `short:"d" description:"Enable debug mode"`
+	AccessLogsFile            string                  `description:"Access logs file"`
+	TraefikLogsFile           string                  `description:"Traefik logs file"`
+	LogLevel                  string                  `short:"l" description:"Log level"`
+	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key'"`
+	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags."`
+	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL"`
+	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint"`
+	ProvidersThrottleDuration time.Duration           `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time."`
+	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used"`
+	Retry                     *Retry                  `description:"Enable retry sending request if network error"`
+	Docker                    *provider.Docker        `description:"Enable Docker backend"`
+	File                      *provider.File          `description:"Enable File backend"`
+	Web                       *WebProvider            `description:"Enable Web backend"`
+	Marathon                  *provider.Marathon      `description:"Enable Marathon backend"`
+	Consul                    *provider.Consul        `description:"Enable Consul backend"`
+	ConsulCatalog             *provider.ConsulCatalog `description:"Enable Consul catalog backend"`
+	Etcd                      *provider.Etcd          `description:"Enable Etcd backend"`
+	Zookeeper                 *provider.Zookepper     `description:"Enable Zookeeper backend"`
+	Boltdb                    *provider.BoltDb        `description:"Enable Boltdb backend"`
+	Kubernetes                *provider.Kubernetes    `description:"Enable Kubernetes backend"`
 }

 // DefaultEntryPoints holds default entry points
@@ -45,7 +50,7 @@ type DefaultEntryPoints []string
 // String is the method to format the flag's value, part of the flag.Value interface.
 // The String method's output will be used in diagnostics.
 func (dep *DefaultEntryPoints) String() string {
-	return fmt.Sprintf("%#v", dep)
+	return strings.Join(*dep, ",")
 }

 // Set is the method to set the flag value, part of the flag.Value interface.
@@ -62,9 +67,17 @@ func (dep *DefaultEntryPoints) Set(value string) error {
 	return nil
 }

+// Get return the EntryPoints map
+func (dep *DefaultEntryPoints) Get() interface{} { return DefaultEntryPoints(*dep) }
+
+// SetValue sets the EntryPoints map with val
+func (dep *DefaultEntryPoints) SetValue(val interface{}) {
+	*dep = DefaultEntryPoints(val.(DefaultEntryPoints))
+}
+
 // Type is type of the struct
 func (dep *DefaultEntryPoints) Type() string {
-	return fmt.Sprint("defaultentrypoints²")
+	return fmt.Sprint("defaultentrypoints")
 }

 // EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
@@ -73,14 +86,14 @@ type EntryPoints map[string]*EntryPoint
 // String is the method to format the flag's value, part of the flag.Value interface.
 // The String method's output will be used in diagnostics.
 func (ep *EntryPoints) String() string {
-	return ""
+	return fmt.Sprintf("%+v", *ep)
 }

 // Set is the method to set the flag value, part of the flag.Value interface.
 // Set's argument is a string to be parsed to set the flag.
 // It's a comma-separated list, so we split it.
 func (ep *EntryPoints) Set(value string) error {
-	regex := regexp.MustCompile("(?:Name:(?P<Name>\\S*))\\s*(?:Address:(?P<Address>\\S*))?\\s*(?:TLS:(?P<TLS>\\S*))?\\s*(?:Redirect.EntryPoint:(?P<RedirectEntryPoint>\\S*))?\\s*(?:Redirect.Regex:(?P<RedirectRegex>\\S*))?\\s*(?:Redirect.Replacement:(?P<RedirectReplacement>\\S*))?")
+	regex := regexp.MustCompile("(?:Name:(?P<Name>\\S*))\\s*(?:Address:(?P<Address>\\S*))?\\s*(?:TLS:(?P<TLS>\\S*))?\\s*((?P<TLSACME>TLS))?\\s*(?:Redirect.EntryPoint:(?P<RedirectEntryPoint>\\S*))?\\s*(?:Redirect.Regex:(?P<RedirectRegex>\\S*))?\\s*(?:Redirect.Replacement:(?P<RedirectReplacement>\\S*))?")
 	match := regex.FindAllStringSubmatch(value, -1)
 	if match == nil {
 		return errors.New("Bad EntryPoints format: " + value)
@@ -101,6 +114,10 @@ func (ep *EntryPoints) Set(value string) error {
 		tls = &TLS{
 			Certificates: certs,
 		}
+	} else if len(result["TLSACME"]) > 0 {
+		tls = &TLS{
+			Certificates: Certificates{},
+		}
 	}
 	var redirect *Redirect
 	if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 {
@@ -120,9 +137,17 @@ func (ep *EntryPoints) Set(value string) error {
 	return nil
 }

+// Get return the EntryPoints map
+func (ep *EntryPoints) Get() interface{} { return EntryPoints(*ep) }
+
+// SetValue sets the EntryPoints map with val
+func (ep *EntryPoints) SetValue(val interface{}) {
+	*ep = EntryPoints(val.(EntryPoints))
+}
+
 // Type is type of the struct
 func (ep *EntryPoints) Type() string {
-	return fmt.Sprint("entrypoints²")
+	return fmt.Sprint("entrypoints")
 }

 // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
@@ -185,114 +210,105 @@ type Certificate struct {

 // Retry contains request retry config
 type Retry struct {
-	Attempts int
-	MaxMem   int64
+	Attempts int `description:"Number of attempts"`
 }

-// NewGlobalConfiguration returns a GlobalConfiguration with default values.
-func NewGlobalConfiguration() *GlobalConfiguration {
-	return new(GlobalConfiguration)
+// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
+func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
+	//default Docker
+	var defaultDocker provider.Docker
+	defaultDocker.Watch = true
+	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
+
+	// default File
+	var defaultFile provider.File
+	defaultFile.Watch = true
+	defaultFile.Filename = "" //needs equivalent to  viper.ConfigFileUsed()
+
+	// default Web
+	var defaultWeb WebProvider
+	defaultWeb.Address = ":8080"
+
+	// default Marathon
+	var defaultMarathon provider.Marathon
+	defaultMarathon.Watch = true
+	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
+	defaultMarathon.ExposedByDefault = true
+	defaultMarathon.Constraints = []types.Constraint{}
+
+	// default Consul
+	var defaultConsul provider.Consul
+	defaultConsul.Watch = true
+	defaultConsul.Endpoint = "127.0.0.1:8500"
+	defaultConsul.Prefix = "traefik"
+	defaultConsul.Constraints = []types.Constraint{}
+
+	// default ConsulCatalog
+	var defaultConsulCatalog provider.ConsulCatalog
+	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
+	defaultConsulCatalog.Constraints = []types.Constraint{}
+
+	// default Etcd
+	var defaultEtcd provider.Etcd
+	defaultEtcd.Watch = true
+	defaultEtcd.Endpoint = "127.0.0.1:2379"
+	defaultEtcd.Prefix = "/traefik"
+	defaultEtcd.Constraints = []types.Constraint{}
+
+	//default Zookeeper
+	var defaultZookeeper provider.Zookepper
+	defaultZookeeper.Watch = true
+	defaultZookeeper.Endpoint = "127.0.0.1:2181"
+	defaultZookeeper.Prefix = "/traefik"
+	defaultZookeeper.Constraints = []types.Constraint{}
+
+	//default Boltdb
+	var defaultBoltDb provider.BoltDb
+	defaultBoltDb.Watch = true
+	defaultBoltDb.Endpoint = "127.0.0.1:4001"
+	defaultBoltDb.Prefix = "/traefik"
+	defaultBoltDb.Constraints = []types.Constraint{}
+
+	//default Kubernetes
+	var defaultKubernetes provider.Kubernetes
+	defaultKubernetes.Watch = true
+	defaultKubernetes.Endpoint = "http://127.0.0.1:8080"
+	defaultKubernetes.Constraints = []types.Constraint{}
+
+	defaultConfiguration := GlobalConfiguration{
+		Docker:        &defaultDocker,
+		File:          &defaultFile,
+		Web:           &defaultWeb,
+		Marathon:      &defaultMarathon,
+		Consul:        &defaultConsul,
+		ConsulCatalog: &defaultConsulCatalog,
+		Etcd:          &defaultEtcd,
+		Zookeeper:     &defaultZookeeper,
+		Boltdb:        &defaultBoltDb,
+		Kubernetes:    &defaultKubernetes,
+		Retry:         &Retry{},
+	}
+	return &TraefikConfiguration{
+		GlobalConfiguration: defaultConfiguration,
+	}
 }

-// LoadConfiguration returns a GlobalConfiguration.
-func LoadConfiguration() *GlobalConfiguration {
-	configuration := NewGlobalConfiguration()
-	viper.SetEnvPrefix("traefik")
-	viper.SetConfigType("toml")
-	viper.AutomaticEnv()
-	if len(viper.GetString("configFile")) > 0 {
-		viper.SetConfigFile(viper.GetString("configFile"))
-	} else {
-		viper.SetConfigName("traefik") // name of config file (without extension)
+// NewTraefikConfiguration creates a TraefikConfiguration with default values
+func NewTraefikConfiguration() *TraefikConfiguration {
+	return &TraefikConfiguration{
+		GlobalConfiguration: GlobalConfiguration{
+			GraceTimeOut:              10,
+			AccessLogsFile:            "",
+			TraefikLogsFile:           "",
+			LogLevel:                  "ERROR",
+			EntryPoints:               map[string]*EntryPoint{},
+			Constraints:               []types.Constraint{},
+			DefaultEntryPoints:        []string{},
+			ProvidersThrottleDuration: time.Duration(2 * time.Second),
+			MaxIdleConnsPerHost:       200,
+		},
+		ConfigFile: "",
 	}
-	viper.AddConfigPath("/etc/traefik/")   // path to look for the config file in
-	viper.AddConfigPath("$HOME/.traefik/") // call multiple times to add many search paths
-	viper.AddConfigPath(".")               // optionally look for config in the working directory
-	if err := viper.ReadInConfig(); err != nil {
-		fmtlog.Fatalf("Error reading file: %s", err)
-	}
-
-	if len(arguments.EntryPoints) > 0 {
-		viper.Set("entryPoints", arguments.EntryPoints)
-	}
-	if len(arguments.DefaultEntryPoints) > 0 {
-		viper.Set("defaultEntryPoints", arguments.DefaultEntryPoints)
-	}
-	if arguments.web {
-		viper.Set("web", arguments.Web)
-	}
-	if arguments.file {
-		viper.Set("file", arguments.File)
-	}
-	if !arguments.dockerTLS {
-		arguments.Docker.TLS = nil
-	}
-	if arguments.docker {
-		viper.Set("docker", arguments.Docker)
-	}
-	if arguments.marathon {
-		viper.Set("marathon", arguments.Marathon)
-	}
-	if !arguments.consulTLS {
-		arguments.Consul.TLS = nil
-	}
-	if arguments.consul {
-		viper.Set("consul", arguments.Consul)
-	}
-	if arguments.consulCatalog {
-		viper.Set("consulCatalog", arguments.ConsulCatalog)
-	}
-	if arguments.zookeeper {
-		viper.Set("zookeeper", arguments.Zookeeper)
-	}
-	if !arguments.etcdTLS {
-		arguments.Etcd.TLS = nil
-	}
-	if arguments.etcd {
-		viper.Set("etcd", arguments.Etcd)
-	}
-	if arguments.boltdb {
-		viper.Set("boltdb", arguments.Boltdb)
-	}
-	if err := unmarshal(&configuration); err != nil {
-
-		fmtlog.Fatalf("Error reading file: %s", err)
-	}
-
-	if len(configuration.EntryPoints) == 0 {
-		configuration.EntryPoints = make(map[string]*EntryPoint)
-		configuration.EntryPoints["http"] = &EntryPoint{
-			Address: ":80",
-		}
-		configuration.DefaultEntryPoints = []string{"http"}
-	}
-
-	if configuration.File != nil && len(configuration.File.Filename) == 0 {
-		// no filename, setting to global config file
-		configuration.File.Filename = viper.ConfigFileUsed()
-	}
-
-	return configuration
-}
-
-func unmarshal(rawVal interface{}) error {
-	config := &mapstructure.DecoderConfig{
-		DecodeHook:       mapstructure.StringToTimeDurationHookFunc(),
-		Metadata:         nil,
-		Result:           rawVal,
-		WeaklyTypedInput: true,
-	}
-
-	decoder, err := mapstructure.NewDecoder(config)
-	if err != nil {
-		return err
-	}
-
-	err = decoder.Decode(viper.AllSettings())
-	if err != nil {
-		return err
-	}
-	return nil
 }

 type configs map[string]*types.Configuration
--- a/docs/basics.md
+++ b/docs/basics.md
@@ -19,7 +19,7 @@ Let's zoom on Træfɪk and have an overview of its internal architecture:
 ![Architecture](img/internal.png)

 - Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Træfɪk (listening port, SSL, traffic redirection...).
- Traffic is then forwared to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends).
+- Traffic is then forwarded to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends).
 Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can match or not a request.
 - The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy.
 - Finally, the [server](#servers) will forward the request to the corresponding microservice in the private network.
@@ -50,8 +50,8 @@ Here is an example of entrypoints definition:
 ```

 - Two entrypoints are defined `http` and `https`.
- `http` listens on port `80` et `https` on port `443`.
- We enable SSL en `https` by giving a certificate and a key.
+- `http` listens on port `80` and `https` on port `443`.
+- We enable SSL on `https` by giving a certificate and a key.
 - We also redirect all the traffic from entrypoint `http` to `https`.

 ## Frontends
@@ -69,8 +69,10 @@ Frontends can be defined using the following rules:
 - `PathPrefix`: PathPrefix adds a matcher for the URL path prefixes. This matches if the given template is a prefix of the full URL path.
 - `PathPrefixStrip`: Same as `PathPrefix` but strip the given prefix from the request URL's Path.

+You can use multiple rules by separating them by `;`
+
 You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
- 
+
 Here is an example of frontends definition:

 ```toml
@@ -78,22 +80,85 @@ Here is an example of frontends definition:
  [frontends.frontend1]
  backend = "backend2"
    [frontends.frontend1.routes.test_1]
-    rule = "Host: test.localhost, test2.localhost"
+    rule = "Host:test.localhost,test2.localhost"
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
+  priority = 10
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
-    rule = "Host: localhost, {subdomain:[a-z]+}.localhost"
+    rule = "Host:localhost,{subdomain:[a-z]+}.localhost"
  [frontends.frontend3]
  backend = "backend2"
-    rule = "Path:/test"
+    [frontends.frontend3.routes.test_1]
+    rule = "Host:test3.localhost;Path:/test"
 ```

 - Three frontends are defined: `frontend1`, `frontend2` and `frontend3`
- `frontend1` will forward the traffic to the `backend2` if the rule `Host: test.localhost, test2.localhost` is matched
- `frontend2` will forward the traffic to the `backend1` if the rule `Host: localhost, {subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
- `frontend3` will forward the traffic to the `backend2` if the rule `Path:/test` is matched
+- `frontend1` will forward the traffic to the `backend2` if the rule `Host:test.localhost,test2.localhost` is matched
+- `frontend2` will forward the traffic to the `backend1` if the rule `Host:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
+- `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched
+
+### Combining multiple rules
+
+As seen in the previous example, you can combine multiple rules.
+In TOML file, you can use multiple routes:
+
+```toml
+  [frontends.frontend3]
+  backend = "backend2"
+    [frontends.frontend3.routes.test_1]
+    rule = "Host:test3.localhost"
+    [frontends.frontend3.routes.test_2]
+    rule = "Host:Path:/test"
+```
+
+Here `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched.
+You can also use the notation using a `;` separator, same result:
+
+```toml
+  [frontends.frontend3]
+  backend = "backend2"
+    [frontends.frontend3.routes.test_1]
+    rule = "Host:test3.localhost;Path:/test"
+```
+
+Finally, you can create a rule to bind multiple domains or Path to a frontend, using the `,` separator:
+
+```toml
+ [frontends.frontend2]
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:test1.localhost,test2.localhost"
+  [frontends.frontend3]
+  backend = "backend2"
+    [frontends.frontend3.routes.test_1]
+    rule = "Path:/test1,/test2"
+```
+
+### Priorities
+
+By default, routes will be sorted (in descending order) using rules length (to avoid path overlap):
+`PathPrefix:/12345` will be matched before `PathPrefix:/1234` that will be matched before `PathPrefix:/1`.
+
+You can customize priority by frontend:
+
+```
+  [frontends]
+    [frontends.frontend1]
+    backend = "backend1"
+    priority = 10
+    passHostHeader = true
+      [frontends.frontend1.routes.test_1]
+      rule = "PathPrefix:/to"
+    [frontends.frontend2]
+    priority = 5
+    backend = "backend2"
+    passHostHeader = true
+      [frontends.frontend2.routes.test_1]
+      rule = "PathPrefix:/toto"
+```
+
+Here, `frontend1` will be matched before `frontend2` (`10 > 5`).

 ## Backends

@@ -107,7 +172,7 @@ A circuit breaker can also be applied to a backend, preventing high loads on fai
 Initial state is Standby. CB observes the statistics and does not modify the request.
 In case if condition matches, CB enters Tripped state, where it responds with predefines code or redirects to another frontend.
 Once Tripped timer expires, CB enters Recovering state and resets all stats.
-In case if the condition does not match and recovery timer expries, CB enters Standby state.
+In case if the condition does not match and recovery timer expires, CB enters Standby state.

 It can be configured using:

@@ -120,9 +185,29 @@ For example:
 - `LatencyAtQuantileMS(50.0) > 50`:  watch latency at quantile in milliseconds.
 - `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in range [500-600) to  [0-600)

+To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can
+also be applied to each backend.
+
+Maximum connections can be configured by specifying an integer value for `maxconn.amount` and
+`maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to
+evaluate the maximum connections.
+
+For example:
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.maxconn]
+       amount = 10
+       extractorfunc = "request.host"
+```
+
+- `backend1` will return `HTTP code 429 Too Many Requests` if there are already 10 requests in progress for the same Host header.
+- Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip.
+- Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide.
+
 ## Servers

-Servers are simply defined using a `URL`. You can also apply a custom `weight` to each server (this will be used by load-balacning).
+Servers are simply defined using a `URL`. You can also apply a custom `weight` to each server (this will be used by load-balancing).

 Here is an example of backends and servers definition:

--- a/docs/benchmarks.md
+++ b/docs/benchmarks.md
@@ -146,7 +146,7 @@ defaultEntryPoints = ["http"]

 ### whoami:
 ```
-wrk -t8 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-whoami:80/bench
+wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-whoami:80/bench
 Running 1m test @ http://IP-whoami:80/bench
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
@@ -184,7 +184,7 @@ Transfer/sec:      4.97MB

 ### traefik:
 ```
-wrk -t8 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-traefik:8000/bench
+wrk -t20 -c1000 -d60s -H "Host: test.traefik" --latency  http://IP-traefik:8000/bench
 Running 1m test @ http://IP-traefik:8000/bench
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
@@ -207,6 +207,7 @@ Traefik is obviously slower than Nginx, but not so much: Traefik can serve 28392
 Not bad for young project :) !

 Some areas of possible improvements:
+
 - Use [GO_REUSEPORT](https://github.com/kavu/go_reuseport) listener
 - Run a separate server instance per CPU core with `GOMAXPROCS=1` (it appears during benchmarks that there is a lot more context switches with traefik than with nginx)

--- a/docs/css/traefik.css
+++ b/docs/css/traefik.css
@@ -40,4 +40,22 @@ h1, h2, h3, H4 {

 blockquote p {
    font-size: 14px;
+}
+
+.navbar-default .navbar-nav>.open>a, .navbar-default .navbar-nav>.open>a:hover, .navbar-default .navbar-nav>.open>a:focus {
+    color: #fff;
+    background-color: #25606F;
+}
+
+.dropdown-menu>li>a:hover, .dropdown-menu>li>a:focus {
+    color: #fff;
+    text-decoration: none;
+    background-color: #25606F;
+}
+
+.dropdown-menu>.active>a, .dropdown-menu>.active>a:hover, .dropdown-menu>.active>a:focus {
+    color: #fff;
+    text-decoration: none;
+    background-color: #25606F;
+    outline: 0;
 }
--- a/docs/index.md
+++ b/docs/index.md
@@ -38,9 +38,10 @@ Run it and forget it!

 ## Demo

-Here is a demo of Træfɪk using Docker backend, showing a load-balancing between two servers, hot reloading of configuration, and graceful shutdown.
+Here is a talk (in french) given by [Emile Vauge](https://github.com/emilevauge) at the [Devoxx France 2016](http://www.devoxx.fr) conference. 
+You will learn fundamental Træfɪk features and see some demos with Docker, Mesos/Marathon and Lets'Encrypt. 

-[![asciicast](https://asciinema.org/a/4tcyde7riou5vxulo6my3mtko.png)](https://asciinema.org/a/4tcyde7riou5vxulo6my3mtko)
+[![Traefik Devoxx France](https://img.youtube.com/vi/QvAz9mVx5TI/0.jpg)](https://www.youtube.com/watch?v=QvAz9mVx5TI)

 ## Get it

--- a/docs/toml.md
+++ b/docs/toml.md
@@ -89,6 +89,10 @@
 #     [entryPoints.http.redirect]
 #       regex = "^http://localhost/(.*)"
 #       replacement = "http://mydomain/$1"
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
 ```

 ## Retry configuration
@@ -98,7 +102,7 @@
 #
 # Optional
 #
-# [retry]
+[retry]

 # Number of attempts
 #
@@ -106,43 +110,48 @@
 # Default: (number servers in backend) -1
 #
 # attempts = 3
-
-# Sets the maximum request body to be stored in memory in Mo
-#
-# Optional
-# Default: 2
-#
-# maxMem = 3
 ```

 ## ACME (Let's Encrypt) configuration

 ```toml
+# Sample entrypoint configuration when using ACME
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
 # Enable ACME (Let's Encrypt): automatic SSL
 #
 # Optional
 #
-# [acme]
+[acme]

 # Email address used for registration
 #
 # Required
 #
-# email = "test@traefik.io"
+email = "test@traefik.io"

 # File used for certificates storage.
-# WARNING, if you use Traefik in Docker, don't forget to mount this file as a volume.
+# WARNING, if you use Traefik in Docker, you have 2 options:
+#  - create a file on your host and mount it has a volume
+#      storageFile = "acme.json"
+#      $ docker run -v "/my/host/acme.json:acme.json" traefik
+#  - mount the folder containing the file has a volume
+#      storageFile = "/etc/traefik/acme/acme.json"
+#      $ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 #
 # Required
 #
-# storageFile = "acme.json"
+storageFile = "acme.json"

 # Entrypoint to proxy acme challenge to.
-# WARNING, must point to an entrypoint on port 443 
+# WARNING, must point to an entrypoint on port 443
 #
 # Required
 #
-# entryPoint = "https"
+entryPoint = "https"

 # Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
 # WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
@@ -162,6 +171,7 @@

 # Domains list
 # You can provide SANs (alternative domains) to each main domain
+# All domains must have A/AAAA records pointing to Traefik
 # WARNING, Take note that Let's Encrypt have rate limiting: https://community.letsencrypt.org/t/quick-start-guide/1631
 # Each domain & SANs will lead to a certificate request.
 #
@@ -175,6 +185,13 @@
 #   main = "local3.com"
 # [[acme.domains]]
 #   main = "local4.com"
+[[acme.domains]]
+   main = "local1.com"
+   sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+   main = "local3.com"
+[[acme.domains]]
+   main = "local4.com"
 ```

 # Configuration backends
@@ -218,6 +235,9 @@ defaultEntryPoints = ["http", "https"]
    url = "http://172.17.0.3:80"
    weight = 1
  [backends.backend2]
+    [backends.backend1.maxconn]
+      amount = 10
+      extractorfunc = "request.host"
    [backends.backend2.LoadBalancer]
      method = "drr"
    [backends.backend2.servers.server1]
@@ -235,6 +255,7 @@ defaultEntryPoints = ["http", "https"]
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
+  priority = 10
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "Host:{subdomain:[a-z]+}.localhost"
@@ -244,7 +265,7 @@ defaultEntryPoints = ["http", "https"]
    rule = "Path:/test"
 ```

- or put your rules in a separate file, for example `rules.tml`:
+- or put your rules in a separate file, for example `rules.toml`:

 ```toml
 # traefik.toml
@@ -281,6 +302,9 @@ filename = "rules.toml"
    url = "http://172.17.0.3:80"
    weight = 1
  [backends.backend2]
+    [backends.backend1.maxconn]
+      amount = 10
+      extractorfunc = "request.host"
    [backends.backend2.LoadBalancer]
      method = "drr"
    [backends.backend2.servers.server1]
@@ -298,6 +322,7 @@ filename = "rules.toml"
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
+  priority = 10
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "Host:{subdomain:[a-z]+}.localhost"
@@ -512,10 +537,11 @@ Labels can be used on containers to override default behaviour:
 - `traefik.protocol=https`: override the default `http` protocol
 - `traefik.weight=10`: assign this weight to the container
 - `traefik.enable=false`: disable this container in Træfɪk
- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`). See [frontends](#frontends).
+- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`).
 - `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend.
+- `traefik.frontend.priority=10`: override default frontend priority
 - `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.
-* `traefik.domain=traefik.localhost`: override the default domain
+- `traefik.docker.network`: Set the docker network to use for connections to this container


 ## Marathon backend
@@ -549,7 +575,6 @@ endpoint = "http://127.0.0.1:8080"
 watch = true

 # Default domain used.
-# Can be overridden by setting the "traefik.domain" label on an application.
 #
 # Required
 #
@@ -566,7 +591,16 @@ domain = "marathon.localhost"
 # Optional
 # Default: false
 #
-# ExposedByDefault = true
+# exposedByDefault = true
+
+# Convert Marathon groups to subdomains
+# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
+# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
+#
+# Optional
+# Default: false
+#
+# groupsAsSubDomains = true

 # Enable Marathon basic authentication
 #
@@ -582,6 +616,12 @@ domain = "marathon.localhost"
 #
 # [marathon.TLS]
 # InsecureSkipVerify = true
+
+# DCOSToken for DCOS environment, This will override the Authorization header
+#
+# Optional
+#
+# dcosToken = "xxxxxx"
 ```

 Labels can be used on containers to override default behaviour:
@@ -592,10 +632,46 @@ Labels can be used on containers to override default behaviour:
 - `traefik.protocol=https`: override the default `http` protocol
 - `traefik.weight=10`: assign this weight to the application
 - `traefik.enable=false`: disable this application in Træfɪk
- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`). See [frontends](#frontends).
+- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`).
 - `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend.
+- `traefik.frontend.priority=10`: override default frontend priority
 - `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.
-* `traefik.domain=traefik.localhost`: override the default domain
+
+
+## Kubernetes Ingress backend
+
+
+Træfɪk can be configured to use Kubernetes Ingress as a backend configuration:
+
+```toml
+################################################################
+# Kubernetes Ingress configuration backend
+################################################################
+# Enable Kubernetes Ingress configuration backend
+#
+# Optional
+#
+[kubernetes]
+
+# Kubernetes server endpoint
+#
+# When deployed as a replication controller in Kubernetes,
+# Traefik will use env variable KUBERNETES_SERVICE_HOST
+# and KUBERNETES_SERVICE_PORT_HTTPS as endpoint
+# Secure token will be found in /var/run/secrets/kubernetes.io/serviceaccount/token
+# and SSL CA cert in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+#
+# Optional
+#
+# endpoint = "http://localhost:8080"
+# namespaces = ["default","production"]
+```
+
+Annotations can be used on containers to override default behaviour for the whole Ingress resource:
+
+- `traefik.frontend.rule.type: PathPrefixStrip`: override the default frontend rule type (Default: `PathPrefix`).
+
+You can find here an example [ingress](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s.ingress.yaml) and [replication controller](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s.rc.yaml).

 ## Consul backend

@@ -675,11 +751,28 @@ endpoint = "127.0.0.1:8500"
 # Optional
 #
 domain = "consul.localhost"
+
+# Prefix for Consul catalog tags
+#
+# Optional
+#
+prefix = "traefik"
 ```

 This backend will create routes matching on hostname based on the service name
 used in consul.

+Additional settings can be defined using Consul Catalog tags:
+
+- `traefik.enable=false`: disable this container in Træfɪk
+- `traefik.protocol=https`: override the default `http` protocol
+- `traefik.backend.weight=10`: assign this weight to the container
+- `traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5`
+- `traefik.backend.loadbalancer=drr`: override the default load balancing mode
+- `traefik.frontend.rule=Host:test.traefik.io`: override the default frontend rule (Default: `Host:{containerName}.{domain}`).
+- `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend.
+- `traefik.frontend.priority=10`: override default frontend priority
+- `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.

 ## Etcd backend

@@ -694,25 +787,25 @@ Træfɪk can be configured to use Etcd as a backend configuration:
 #
 # Optional
 #
-# [etcd]
+[etcd]

 # Etcd server endpoint
 #
 # Required
 #
-# endpoint = "127.0.0.1:4001"
+endpoint = "127.0.0.1:2379"

 # Enable watch Etcd changes
 #
 # Optional
 #
-# watch = true
+watch = true

 # Prefix used for KV store.
 #
 # Optional
 #
-# prefix = "/traefik"
+prefix = "/traefik"

 # Override default configuration template. For advanced users :)
 #
@@ -747,25 +840,25 @@ Træfɪk can be configured to use Zookeeper as a backend configuration:
 #
 # Optional
 #
-# [zookeeper]
+[zookeeper]

 # Zookeeper server endpoint
 #
 # Required
 #
-# endpoint = "127.0.0.1:2181"
+endpoint = "127.0.0.1:2181"

 # Enable watch Zookeeper changes
 #
 # Optional
 #
-# watch = true
+watch = true

 # Prefix used for KV store.
 #
 # Optional
 #
-# prefix = "/traefik"
+prefix = "/traefik"

 # Override default configuration template. For advanced users :)
 #
@@ -789,25 +882,25 @@ Træfɪk can be configured to use BoltDB as a backend configuration:
 #
 # Optional
 #
-# [boltdb]
+[boltdb]

 # BoltDB file
 #
 # Required
 #
-# endpoint = "/my.db"
+endpoint = "/my.db"

 # Enable watch BoltDB changes
 #
 # Optional
 #
-# watch = true
+watch = true

 # Prefix used for KV store.
 #
 # Optional
 #
-# prefix = "/traefik"
+prefix = "/traefik"

 # Override default configuration template. For advanced users :)
 #
@@ -836,6 +929,8 @@ The Keys-Values structure should look (using `prefix = "/traefik"`):

 | Key                                                 | Value                  |
 |-----------------------------------------------------|------------------------|
+| `/traefik/backends/backend2/maxconn/amount`         | `10`                   |
+| `/traefik/backends/backend2/maxconn/extractorfunc`  | `request.host`         |
 | `/traefik/backends/backend2/loadbalancer/method`    | `drr`                  |
 | `/traefik/backends/backend2/servers/server1/url`    | `http://172.17.0.4:80` |
 | `/traefik/backends/backend2/servers/server1/weight` | `1`                    |
@@ -851,12 +946,13 @@ The Keys-Values structure should look (using `prefix = "/traefik"`):

 - frontend 2

-| Key                                                | Value        |
-|----------------------------------------------------|--------------|
-| `/traefik/frontends/frontend2/backend`             | `backend1`   |
-| `/traefik/frontends/frontend2/passHostHeader`      | `true`       |
-| `/traefik/frontends/frontend2/entrypoints`         | `http,https` |
-| `/traefik/frontends/frontend2/routes/test_2/rule`  | `Path:/test` |
+| Key                                                | Value              |
+|----------------------------------------------------|--------------------|
+| `/traefik/frontends/frontend2/backend`             | `backend1`         |
+| `/traefik/frontends/frontend2/passHostHeader`      | `true`             |
+| `/traefik/frontends/frontend2/priority`            | `10`               |
+| `/traefik/frontends/frontend2/entrypoints`         | `http,https`       |
+| `/traefik/frontends/frontend2/routes/test_2/rule`  | `PathPrefix:/test` |

 ## Atomic configuration changes

@@ -895,100 +991,3 @@ Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` co
 | `/traefik_configurations/2/backends/backend1/servers/server2/weight`    | `5`                        |

 Note that Træfɪk *will not watch for key changes in the `/traefik_configurations` prefix*. It will only watch for changes in the `/traefik` prefix. Further, if the `/traefik/alias` key is set, all other sibling keys with the `/traefik` prefix are ignored.
-
-
-# Examples
-
-## HTTP only
-
-```
-defaultEntryPoints = ["http"]
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-```
-
-## HTTP + HTTPS (with SNI)
-
-```
-defaultEntryPoints = ["http", "https"]
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
-```
-
-## HTTP redirect on HTTPS
-
-```
-defaultEntryPoints = ["http", "https"]
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      certFile = "tests/traefik.crt"
-      keyFile = "tests/traefik.key"
-```
-
-## Let's Encrypt support
-
-```
-[entryPoints]
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-      # certs used as default certs
-      [[entryPoints.https.tls.certificates]]
-      certFile = "tests/traefik.crt"
-      keyFile = "tests/traefik.key"
-[acme]
-email = "test@traefik.io"
-storageFile = "acme.json"
-onDemand = true
-caServer = "http://172.18.0.1:4000/directory"
-entryPoint = "https"
-
-[[acme.domains]]
-  main = "local1.com"
-  sans = ["test1.local1.com", "test2.local1.com"]
-[[acme.domains]]
-  main = "local2.com"
-  sans = ["test1.local2.com", "test2x.local2.com"]
-[[acme.domains]]
-  main = "local3.com"
-[[acme.domains]]
-  main = "local4.com"
-```
-
-## Override entrypoints in frontends
-
-```
-[frontends]
-  [frontends.frontend1]
-  backend = "backend2"
-    [frontends.frontend1.routes.test_1]
-    rule = "Host:test.localhost"
-  [frontends.frontend2]
-  backend = "backend1"
-  passHostHeader = true
-  entrypoints = ["https"] # overrides defaultEntryPoints
-    [frontends.frontend2.routes.test_1]
-    rule = "Host:{subdomain:[a-z]+}.localhost"
-  [frontends.frontend3]
-  entrypoints = ["http", "https"] # overrides defaultEntryPoints
-  backend = "backend2"
-    rule = "Path:/test"
-```
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@@ -0,0 +1,98 @@
+
+# Examples
+
+You will find here some configuration examples of Træfɪk.
+
+## HTTP only
+
+```
+defaultEntryPoints = ["http"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+```
+
+## HTTP + HTTPS (with SNI)
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+## HTTP redirect on HTTPS
+
+```
+defaultEntryPoints = ["http", "https"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+```
+
+## Let's Encrypt support
+
+```
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      # certs used as default certs
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
+[acme]
+email = "test@traefik.io"
+storageFile = "acme.json"
+onDemand = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+```
+
+## Override entrypoints in frontends
+
+```
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+    rule = "Path:/test"
+```
--- a/docs/user-guide/swarm.md
+++ b/docs/user-guide/swarm.md
@@ -0,0 +1,170 @@
+# Swarm cluster
+
+This section explains how to create a multi-host [swarm](https://docs.docker.com/swarm) cluster using [docker-machine](https://docs.docker.com/machine/) and how to deploy Træfɪk on it.
+The cluster will be made of:
+
+- 2 servers
+- 1 swarm master
+- 2 swarm nodes
+- 1 [overlay](https://docs.docker.com/engine/userguide/networking/dockernetworks/#an-overlay-network) network (multi-host networking)
+
+## Prerequisites
+
+1. You will need to install [docker-machine](https://docs.docker.com/machine/)
+2. You will need the latest [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
+
+## Cluster provisioning
+
+We will first follow [this guide](https://docs.docker.com/engine/userguide/networking/get-started-overlay/) to create the cluster.
+
+### Create machine `mh-keystore`
+
+This machine will be the service registry of our cluster.
+
+```sh
+docker-machine create -d virtualbox mh-keystore
+```
+
+Then we install the service registry [Consul](https://consul.io) on this machine:
+
+```sh
+eval "$(docker-machine env mh-keystore)"
+docker run -d \
+    -p "8500:8500" \
+    -h "consul" \
+    progrium/consul -server -bootstrap
+```
+
+### Create machine `mhs-demo0`
+
+This machine will have a swarm master and a swarm agent on it.
+
+```sh
+docker-machine create -d virtualbox \
+    --swarm --swarm-master \
+    --swarm-discovery="consul://$(docker-machine ip mh-keystore):8500" \
+    --engine-opt="cluster-store=consul://$(docker-machine ip mh-keystore):8500" \
+    --engine-opt="cluster-advertise=eth1:2376" \
+    mhs-demo0
+```
+
+### Create machine `mhs-demo1`
+
+This machine will have a swarm agent on it.
+
+```sh
+docker-machine create -d virtualbox \
+    --swarm \
+    --swarm-discovery="consul://$(docker-machine ip mh-keystore):8500" \
+    --engine-opt="cluster-store=consul://$(docker-machine ip mh-keystore):8500" \
+    --engine-opt="cluster-advertise=eth1:2376" \
+    mhs-demo1
+```
+
+### Create the overlay Network
+
+Create the overlay network on the swarm master:
+
+```sh
+eval $(docker-machine env --swarm mhs-demo0)
+docker network create --driver overlay --subnet=10.0.9.0/24 my-net
+```
+
+## Deploy Træfɪk
+
+Deploy Træfɪk:
+
+```sh
+docker $(docker-machine config mhs-demo0) run \
+    -d \
+    -p 80:80 -p 8080:8080 \
+    --net=my-net \
+    -v /var/lib/boot2docker/:/ssl \
+    traefik \
+    -l DEBUG \
+    -c /dev/null \
+    --docker \
+    --docker.domain traefik \
+    --docker.endpoint tcp://$(docker-machine ip mhs-demo0):3376 \
+    --docker.tls \
+    --docker.tls.ca /ssl/ca.pem \
+    --docker.tls.cert /ssl/server.pem \
+    --docker.tls.key /ssl/server-key.pem \
+    --docker.tls.insecureSkipVerify \
+    --docker.watch  \
+    --web
+```
+
+Let's explain this command:
+
+- `-p 80:80 -p 8080:8080`: we bind ports 80 and 8080
+- `--net=my-net`: run the container on the network my-net
+- `-v /var/lib/boot2docker/:/ssl`: mount the ssl keys generated by docker-machine
+- `-c /dev/null`: empty config file
+- `--docker`: enable docker backend
+- `--docker.endpoint tcp://172.18.0.1:3376`: connect to the swarm master using the docker_gwbridge network
+- `--docker.tls`: enable TLS using the docker-machine keys
+- `--web`: activate the webUI on port 8080
+
+## Deploy your apps
+
+We can now deploy our app on the cluster, here [whoami](https://github.com/emilevauge/whoami), a simple web server in GO, on the network `my-net`:
+
+```sh
+eval $(docker-machine env --swarm mhs-demo0)
+docker run -d --name=whoami0 --net=my-net --env="constraint:node==mhs-demo0" emilevauge/whoami
+docker run -d --name=whoami1 --net=my-net --env="constraint:node==mhs-demo1" emilevauge/whoami
+```
+
+Check that everything is started:
+
+```sh
+docker ps
+CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                      NAMES
+ba2c21488299        emilevauge/whoami   "/whoamI"                8 seconds ago       Up 9 seconds        80/tcp                                                     mhs-demo1/whoami1
+8147a7746e7a        emilevauge/whoami   "/whoamI"                19 seconds ago      Up 20 seconds       80/tcp                                                     mhs-demo0/whoami0
+8fbc39271b4c        traefik             "/traefik -l DEBUG -c"   36 seconds ago      Up 37 seconds       192.168.99.101:80->80/tcp, 192.168.99.101:8080->8080/tcp   mhs-demo0/serene_bhabha
+```
+
+## Access to your apps through Træfɪk
+
+```sh
+curl -H Host:whoami0.traefik http://$(docker-machine ip mhs-demo0)
+Hostname: 8147a7746e7a
+IP: 127.0.0.1
+IP: ::1
+IP: 10.0.9.3
+IP: fe80::42:aff:fe00:903
+IP: 172.18.0.3
+IP: fe80::42:acff:fe12:3
+GET / HTTP/1.1
+Host: 10.0.9.3:80
+User-Agent: curl/7.35.0
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 192.168.99.1
+X-Forwarded-Host: 10.0.9.3:80
+X-Forwarded-Proto: http
+X-Forwarded-Server: 8fbc39271b4c
+
+curl -H Host:whoami1.traefik http://$(docker-machine ip mhs-demo0)
+Hostname: ba2c21488299
+IP: 127.0.0.1
+IP: ::1
+IP: 10.0.9.4
+IP: fe80::42:aff:fe00:904
+IP: 172.18.0.2
+IP: fe80::42:acff:fe12:2
+GET / HTTP/1.1
+Host: 10.0.9.4:80
+User-Agent: curl/7.35.0
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 192.168.99.1
+X-Forwarded-Host: 10.0.9.4:80
+X-Forwarded-Proto: http
+X-Forwarded-Server: 8fbc39271b4c
+```
+
+![](http://i.giphy.com/ujUdrdpX7Ok5W.gif)
+
--- a/examples/accessLog/.gitignore
+++ b/examples/accessLog/.gitignore
@@ -0,0 +1,2 @@
+exampleHandler
+exampleHandler.exe
--- a/examples/accessLog/exampleHandler.go
+++ b/examples/accessLog/exampleHandler.go
@@ -0,0 +1,46 @@
+/*
+Simple program to start a web server on a specified port
+*/
+package main
+
+import (
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+)
+
+var (
+	name string
+	port int
+	help *bool
+)
+
+func init() {
+	flag.StringVar(&name, "n", "", "Name of handler for messages")
+	flag.IntVar(&port, "p", 0, "Port number to listen")
+	help = flag.Bool("h", false, "Displays help message")
+}
+
+func usage() {
+	fmt.Printf("Usage: example -n name -p port \n")
+	os.Exit(2)
+}
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	fmt.Fprintf(w, "%s: Received query %s!\n", name, r.URL.Path[1:])
+}
+
+func main() {
+	flag.Parse()
+	if *help || len(name) == 0 || port <= 0 {
+		usage()
+	}
+	http.HandleFunc("/", handler)
+	fmt.Printf("%s: Listening on :%d...\n", name, port)
+	if er := http.ListenAndServe(fmt.Sprintf(":%d", port), nil); er != nil {
+		fmt.Printf("%s: Error from ListenAndServe: %s", name, er.Error())
+		os.Exit(1)
+	}
+	fmt.Printf("%s: How'd we get past listen and serve???\n", name)
+}
--- a/examples/accessLog/runAb.sh
+++ b/examples/accessLog/runAb.sh
@@ -0,0 +1,122 @@
+#!/bin/bash
+usage()
+{
+  echo 'runAb.sh - Run Apache Benchmark to test access log'
+  echo '   Usage: runAb.sh [--conn nnn] [--log xxx] [--num nnn] [--time nnn] [--wait nn]'
+  echo '     -c|--conn - number of simultaneous connections (default 100)'
+  echo '     -l|--log  - name of logfile (default benchmark.log)'
+  echo '     -n|--num  - number of requests (default 50000); ignored when -t specified'
+  echo '     -t|--time - time in seconds for benchmark (default no limit)'
+  echo '     -w|--wait - number of seconds to wait for Traefik to initialize (default 15)'
+  echo '   '
+  exit
+}
+
+# Parse options
+
+conn=100
+num=50000
+wait=15
+time=0
+logfile=""
+while [[ $1 =~ ^- ]]
+do
+  case $1 in
+    -c|--conn)
+      conn=$2
+      shift
+      ;;
+    -h|--help)
+      usage
+      ;;
+    -l|--log|--logfile)
+      logfile=$2
+      shift
+      ;;
+    -n|--num)
+      num=$2
+      shift
+      ;;
+    -t|--time)
+      time=$2
+      shift
+      ;;
+    -w|--wait)
+      wait=$2
+      shift
+      ;;
+    *)
+      echo Unknown option "$1"
+      usage
+  esac
+  shift
+done
+if [ -z "$logfile" ] ; then
+  logfile="benchmark.log"
+fi
+
+# Change to accessLog examples directory
+
+[ -d examples/accessLog ] && cd examples/accessLog
+if [ ! -r exampleHandler.go ] ; then
+  echo Please run this script either from the traefik repo root or from the examples/accessLog directory
+  exit
+fi
+
+# Kill traefik and any running example processes
+
+sudo pkill -f traefik
+pkill -f exampleHandler
+[ ! -d log ] && mkdir log
+
+# Start new example processes
+
+go build exampleHandler.go
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler1 -p 8081 &
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler2 -p 8082 &
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler3 -p 8083 &
+[ $? -ne 0 ] && exit $?
+
+# Wait a couple of seconds for handlers to initialize and start Traefik
+
+cd ../..
+sleep 2s
+echo Starting Traefik...
+sudo ./traefik -c examples/accessLog/traefik.ab.toml &
+[ $? -ne 0 ] && exit $?
+
+# Wait for Traefik to initialize and run ab
+
+echo Waiting $wait seconds before starting ab benchmark
+sleep ${wait}s
+echo
+stime=`date '+%s'`
+if [ $time -eq 0 ] ; then
+  echo Benchmark starting `date` with $conn connections until $num requests processed | tee $logfile
+  echo | tee -a $logfile
+  echo ab -k -c $conn -n $num http://127.0.0.1/test | tee -a $logfile
+  echo | tee -a $logfile
+  ab -k -c $conn -n $num http://127.0.0.1/test 2>&1 | tee -a $logfile
+else
+  if [ $num -ne 50000 ] ; then
+    echo Request count ignored when --time specified
+  fi
+  echo Benchmark starting `date` with $conn connections for $time seconds | tee $logfile
+  echo | tee -a $logfile
+  echo ab -k -c $conn -t $time -n 100000000 http://127.0.0.1/test | tee -a $logfile
+  echo | tee -a $logfile
+  ab -k -c $conn -t $time -n 100000000 http://127.0.0.1/test 2>&1 | tee -a $logfile
+fi
+
+etime=`date '+%s'`
+let "dt=$etime - $stime"
+let "ds=$dt % 60"
+let "dm=($dt / 60) % 60"
+let "dh=$dt / 3600"
+echo | tee -a $logfile
+printf "Benchmark ended `date` after %d:%02d:%02d\n" $dh $dm $ds | tee -a $logfile
+echo Results available in $logfile
+
--- a/examples/accessLog/runExample.sh
+++ b/examples/accessLog/runExample.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Script to run a three-server example.  This script runs the three servers and restarts Traefik
+# Once it is running, use the command:
+#
+# curl http://127.0.0.1:80/test{1,2,2}
+#
+# to send requests to send test requests to the servers.  You should see a response like:
+#
+# Handler1: received query test1!
+# Handler2: received query test2!
+# Handler3: received query test2!
+#
+# and can then inspect log/access.log to see frontend, backend, and timing
+
+# Kill traefik and any running example processes
+sudo pkill -f traefik
+pkill -f exampleHandler
+[ ! -d log ] && mkdir log
+
+# Start new example processes
+cd examples/accessLog
+go build exampleHandler.go
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler1 -p 8081 &
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler2 -p 8082 &
+[ $? -ne 0 ] && exit $?
+./exampleHandler -n Handler3 -p 8083 &
+[ $? -ne 0 ] && exit $?
+
+# Wait a couple of seconds for handlers to initialize and start Traefik
+cd ../..
+sleep 2s
+echo Starting Traefik...
+sudo ./traefik -c examples/accessLog/traefik.example.toml &
+[ $? -ne 0 ] && exit $?
+
+echo Sample handlers and traefik started successfully!
+echo 'Use command curl http://127.0.0.1:80/test{1,2,2} to drive test'
+echo Then inspect log/access.log to verify it contains frontend, backend, and timing
--- a/examples/accessLog/traefik.ab.toml
+++ b/examples/accessLog/traefik.ab.toml
@@ -0,0 +1,37 @@
+################################################################
+# Global configuration
+################################################################
+traefikLogsFile = "log/traefik.log"
+accessLogsFile = "log/access.log"
+logLevel = "DEBUG"
+
+################################################################
+# Web configuration backend
+################################################################
+[web]
+address = ":7888"
+
+################################################################
+# File configuration backend
+################################################################
+[file]
+
+################################################################
+# rules
+################################################################
+ [backends]
+   [backends.backend]
+     [backends.backend.LoadBalancer]
+       method = "drr"
+     [backends.backend.servers.server1]
+       url = "http://127.0.0.1:8081"
+     [backends.backend.servers.server2]
+       url = "http://127.0.0.1:8082"
+     [backends.backend.servers.server3]
+       url = "http://127.0.0.1:8083"
+ [frontends]
+   [frontends.frontend]
+   backend = "backend"
+   passHostHeader = true
+     [frontends.frontend.routes.test]
+     rule = "Path: /test"
--- a/examples/accessLog/traefik.example.toml
+++ b/examples/accessLog/traefik.example.toml
@@ -0,0 +1,42 @@
+################################################################
+# Global configuration
+################################################################
+traefikLogsFile = "log/traefik.log"
+accessLogsFile = "log/access.log"
+logLevel = "DEBUG"
+
+################################################################
+# Web configuration backend
+################################################################
+[web]
+address = ":7888"
+
+################################################################
+# File configuration backend
+################################################################
+[file]
+
+################################################################
+# rules
+################################################################
+ [backends]
+   [backends.backend1]
+     [backends.backend1.servers.server1]
+       url = "http://127.0.0.1:8081"
+   [backends.backend2]
+     [backends.backend2.LoadBalancer]
+       method = "drr"
+     [backends.backend2.servers.server1]
+       url = "http://127.0.0.1:8082"
+     [backends.backend2.servers.server2]
+       url = "http://127.0.0.1:8083"
+  [frontends]
+   [frontends.frontend1]
+   backend = "backend1"
+     [frontends.frontend1.routes.test_1]
+     rule = "Path: /test1"
+   [frontends.frontend2]
+   backend = "backend2"
+   passHostHeader = true
+     [frontends.frontend2.routes.test_2]
+     rule = "Path: /test2"
--- a/examples/compose-consul.yml
+++ b/examples/compose-consul.yml
@@ -1,21 +1,25 @@
-consul:
-  image: progrium/consul
-  command: -server -bootstrap -advertise 12.0.0.254 -log-level debug -ui-dir /ui
-  ports:
-    - "8400:8400"
-    - "8500:8500"
-    - "8600:53/udp"
-  expose:
-    - "8300"
-    - "8301"
-    - "8301/udp"
-    - "8302"
-    - "8302/udp"
+version: '2'
+services:
+  consul:
+    image: progrium/consul
+    command: -server -bootstrap -advertise 12.0.0.254 -log-level debug -ui-dir /ui
+    ports:
+      - "8400:8400"
+      - "8500:8500"
+      - "8600:53/udp"
+    expose:
+      - "8300"
+      - "8301"
+      - "8301/udp"
+      - "8302"
+      - "8302/udp"

-registrator:
-  image: gliderlabs/registrator:master
-  command: -internal consulkv://consul:8500/traefik
-  volumes:
-    - /var/run/docker.sock:/tmp/docker.sock
-  links:
-    - consul
+  registrator:
+    depends_on:
+      - consul
+    image: gliderlabs/registrator:master
+    command: -internal consul://consul:8500
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock
+    links:
+      - consul
--- a/examples/compose-etcd.yml
+++ b/examples/compose-etcd.yml
@@ -0,0 +1,4 @@
+etcd:
+  image: gcr.io/google_containers/etcd:2.2.1
+  net: host
+  command: ['/usr/local/bin/etcd', '--addr=127.0.0.1:2379', '--bind-addr=0.0.0.0:2379', '--data-dir=/var/etcd/data']
--- a/examples/compose-k8s.yaml
+++ b/examples/compose-k8s.yaml
@@ -0,0 +1,12 @@
+kubelet:
+  image: gcr.io/google_containers/hyperkube-amd64:v1.2.2
+  privileged: true
+  pid: host
+  net : host
+  volumes:
+    - /:/rootfs:ro
+    - /sys:/sys:ro
+    - /var/lib/docker/:/var/lib/docker:rw
+    - /var/lib/kubelet/:/var/lib/kubelet:rw
+    - /var/run:/var/run:rw
+  command: ['/hyperkube', 'kubelet', '--containerized', '--hostname-override=127.0.0.1', '--address=0.0.0.0', '--api-servers=http://localhost:8080', '--config=/etc/kubernetes/manifests', '--allow-privileged=true', '--v=2']
--- a/examples/compose-marathon.yml
+++ b/examples/compose-marathon.yml
@@ -6,7 +6,7 @@ zk:
    ZK_ID: 1

 master:
-  image: mesosphere/mesos-master:0.26.0-0.2.145.ubuntu1404
+  image: mesosphere/mesos-master:0.28.1-2.0.20.ubuntu1404
  net: host
  environment:
    MESOS_ZK: zk://127.0.0.1:2181/mesos
@@ -17,7 +17,7 @@ master:
    MESOS_WORK_DIR: /var/lib/mesos

 slave:
-  image: mesosphere/mesos-slave:0.26.0-0.2.145.ubuntu1404
+  image: mesosphere/mesos-slave:0.28.1-2.0.20.ubuntu1404
  net: host
  pid: host
  privileged: true
@@ -34,7 +34,7 @@ slave:
    - /lib/x86_64-linux-gnu/libsystemd-journal.so.0:/lib/x86_64-linux-gnu/libsystemd-journal.so.0

 marathon:
-  image: mesosphere/marathon:v0.13.0
+  image: mesosphere/marathon:v1.1.1
  net: host
  environment:
    MARATHON_MASTER: zk://127.0.0.1:2181/mesos
--- a/examples/compose-traefik.yml
+++ b/examples/compose-traefik.yml
@@ -1,12 +1,11 @@
 traefik:
  image: traefik
-  command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
+  command: -c /dev/null --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
  ports:
    - "80:80"
    - "8080:8080"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
-    - /dev/null:/traefik.toml

 whoami1:
  image: emilevauge/whoami
--- a/examples/consul-config.sh
+++ b/examples/consul-config.sh
@@ -17,11 +17,9 @@ curl -i -H "Accept: application/json" -X PUT -d "2"                           ht
 # frontend 1
 curl -i -H "Accept: application/json" -X PUT -d "backend2"                    http://localhost:8500/v1/kv/traefik/frontends/frontend1/backend
 curl -i -H "Accept: application/json" -X PUT -d "http"                        http://localhost:8500/v1/kv/traefik/frontends/frontend1/entrypoints
-curl -i -H "Accept: application/json" -X PUT -d "Host"                        http://localhost:8500/v1/kv/traefik/frontends/frontend1/routes/test_1/rule
-curl -i -H "Accept: application/json" -X PUT -d "test.localhost"              http://localhost:8500/v1/kv/traefik/frontends/frontend1/routes/test_1/value
+curl -i -H "Accept: application/json" -X PUT -d "Host:test.localhost"         http://localhost:8500/v1/kv/traefik/frontends/frontend1/routes/test_1/rule

 # frontend 2
 curl -i -H "Accept: application/json" -X PUT -d "backend1"                    http://localhost:8500/v1/kv/traefik/frontends/frontend2/backend
-curl -i -H "Accept: application/json" -X PUT -d "http,https"                  http://localhost:8500/v1/kv/traefik/frontends/frontend2/entrypoints
-curl -i -H "Accept: application/json" -X PUT -d "Path"                        http://localhost:8500/v1/kv/traefik/frontends/frontend2/routes/test_2/rule
-curl -i -H "Accept: application/json" -X PUT -d "/test"                       http://localhost:8500/v1/kv/traefik/frontends/frontend2/routes/test_2/value
+curl -i -H "Accept: application/json" -X PUT -d "http"                  http://localhost:8500/v1/kv/traefik/frontends/frontend2/entrypoints
+curl -i -H "Accept: application/json" -X PUT -d "Path:/test"                  http://localhost:8500/v1/kv/traefik/frontends/frontend2/routes/test_2/rule
--- a/examples/etcd-config.sh
+++ b/examples/etcd-config.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# backend 1
+curl -i -H "Accept: application/json" -X PUT -d value="NetworkErrorRatio() > 0.5"   http://localhost:2379/v2/keys/traefik/backends/backend1/circuitbreaker/expression
+curl -i -H "Accept: application/json" -X PUT -d value="http://172.17.0.2:80"        http://localhost:2379/v2/keys/traefik/backends/backend1/servers/server1/url
+curl -i -H "Accept: application/json" -X PUT -d value="10"                          http://localhost:2379/v2/keys/traefik/backends/backend1/servers/server1/weight
+curl -i -H "Accept: application/json" -X PUT -d value="http://172.17.0.3:80"        http://localhost:2379/v2/keys/traefik/backends/backend1/servers/server2/url
+curl -i -H "Accept: application/json" -X PUT -d value="1"                           http://localhost:2379/v2/keys/traefik/backends/backend1/servers/server2/weight
+
+# backend 2
+curl -i -H "Accept: application/json" -X PUT -d value="drr"                         http://localhost:2379/v2/keys/traefik/backends/backend2/loadbalancer/method
+curl -i -H "Accept: application/json" -X PUT -d value="http://172.17.0.4:80"        http://localhost:2379/v2/keys/traefik/backends/backend2/servers/server1/url
+curl -i -H "Accept: application/json" -X PUT -d value="1"                           http://localhost:2379/v2/keys/traefik/backends/backend2/servers/server1/weight
+curl -i -H "Accept: application/json" -X PUT -d value="http://172.17.0.5:80"        http://localhost:2379/v2/keys/traefik/backends/backend2/servers/server2/url
+curl -i -H "Accept: application/json" -X PUT -d value="2"                           http://localhost:2379/v2/keys/traefik/backends/backend2/servers/server2/weight
+
+# frontend 1
+curl -i -H "Accept: application/json" -X PUT -d value="backend2"                    http://localhost:2379/v2/keys/traefik/frontends/frontend1/backend
+curl -i -H "Accept: application/json" -X PUT -d value="http"                        http://localhost:2379/v2/keys/traefik/frontends/frontend1/entrypoints
+curl -i -H "Accept: application/json" -X PUT -d value="Host:test.localhost"         http://localhost:2379/v2/keys/traefik/frontends/frontend1/routes/test_1/rule
+
+# frontend 2
+curl -i -H "Accept: application/json" -X PUT -d value="backend1"                    http://localhost:2379/v2/keys/traefik/frontends/frontend2/backend
+curl -i -H "Accept: application/json" -X PUT -d value="http"                        http://localhost:2379/v2/keys/traefik/frontends/frontend2/entrypoints
+curl -i -H "Accept: application/json" -X PUT -d value="Path:/test"                  http://localhost:2379/v2/keys/traefik/frontends/frontend2/routes/test_2/rule
--- a/examples/k8s.ingress.yaml
+++ b/examples/k8s.ingress.yaml
@@ -0,0 +1,111 @@
+# 3 Services for the 3 endpoints of the Ingress
+apiVersion: v1
+kind: Service
+metadata:
+  name: service1
+  labels:
+    app: whoami
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    nodePort: 30283
+    targetPort: 80
+    protocol: TCP
+    name: https
+  selector:
+    app: whoami
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: service2
+  labels:
+    app: whoami
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    nodePort: 30284
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: whoami
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: service3
+  labels:
+    app: whoami
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    nodePort: 30285
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: whoami
+---
+# A single RC matching all Services
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: whoami
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+      - name: whoami
+        image: emilevauge/whoami
+        ports:
+        - containerPort: 80
+---
+# An Ingress with 2 hosts and 3 endpoints
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+spec:
+  rules:
+  - host: foo.localhost
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: service1
+          servicePort: 80
+  - host: bar.localhost
+    http:
+      paths:
+      - backend:
+          serviceName: service2
+          servicePort: 80
+      - backend:
+          serviceName: service3
+          servicePort: 80
+
+---
+# Another Ingress with PathPrefixStrip
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: whoami-ingress-stripped
+  annotations:
+    traefik.frontend.rule.type: "PathPrefixStrip"
+spec:
+  rules:
+  - host: foo.localhost
+    http:
+      paths:
+      - path: /prefixWillBeStripped
+        backend:
+          serviceName: service1
+          servicePort: 80
--- a/examples/k8s.namespace.sh
+++ b/examples/k8s.namespace.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+kubectl create -f - << EOF
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: kube-system
+  labels:
+    name: kube-system
+EOF
--- a/examples/k8s.rc.yaml
+++ b/examples/k8s.rc.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: traefik-ingress-controller
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    k8s-app: traefik-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 443
+        - containerPort: 8080
+        args:
+        - --web
+        - --kubernetes
+        - --logLevel=DEBUG
--- a/examples/whoami-group.json
+++ b/examples/whoami-group.json
@@ -0,0 +1,40 @@
+{
+    "id": "/foo",
+    "groups": [
+        {
+            "id": "/foo/bar",
+            "apps": [
+                {
+                    "id": "whoami",
+                    "cpus": 0.1,
+                    "mem": 64.0,
+                    "instances": 3,
+                    "container": {
+                        "type": "DOCKER",
+                        "docker": {
+                            "image": "emilevauge/whoami",
+                            "network": "BRIDGE",
+                            "portMappings": [
+                                {
+                                    "containerPort": 80,
+                                    "hostPort": 0,
+                                    "protocol": "tcp"
+                                }
+                            ]
+                        }
+                    },
+                    "healthChecks": [
+                        {
+                            "protocol": "HTTP",
+                            "portIndex": 0,
+                            "path": "/",
+                            "gracePeriodSeconds": 5,
+                            "intervalSeconds": 20,
+                            "maxConsecutiveFailures": 3
+                        }
+                    ]
+                }
+            ]
+        }
+    ]
+}
--- a/examples/whoami.json
+++ b/examples/whoami.json
@@ -25,7 +25,8 @@
  ],
  "labels": {
      "traefik.weight": "1",
-      "traefik.protocole": "http",
-      "traefik.frontend.rule" : "Headers:Host,test.localhost"
+      "traefik.protocol": "http",
+      "traefik.frontend.rule" : "Host:test.marathon.localhost",
+      "traefik.frontend.priority" : "10"
  }
 }
--- a/generate.go
+++ b/generate.go
@@ -3,6 +3,7 @@ Copyright
 */

 //go:generate rm -vf autogen/gen.go
+//go:generate mkdir -p static
 //go:generate go-bindata -pkg autogen -o autogen/gen.go ./static/... ./templates/...

 //go:generate mkdir -p vendor/github.com/docker/docker/autogen/dockerversion
--- a/glide.lock
+++ b/glide.lock
@@ -1,272 +1,308 @@
-hash: 79b6eb2a613b5e2ce5c57150eec41ac04def3f232a3613fd8b5a88b5e1041b38
-updated: 2016-04-02T15:42:37.505896092+02:00
+hash: c7c28fa3f095cd3e31f8531dd5badeb196256965f003f5cbadd0f509960aa647
+updated: 2016-08-01T17:16:21.884990443+02:00
 imports:
- name: github.com/alecthomas/template
-  version: b867cc6ab45cece8143cfcc6fc9c77cf3f2c23c0
- name: github.com/alecthomas/units
-  version: 6b4e7dc5e3143b85ea77909c72caf89416fc2915
 - name: github.com/boltdb/bolt
-  version: 51f99c862475898df9773747d3accd05a7ca33c1
+  version: 5cc10bbbc5c141029940133bb33c9e969512a698
 - name: github.com/BurntSushi/toml
-  version: bd2bdf7f18f849530ef7a1c29a4290217cab32a1
+  version: 99064174e013895bbd9b025c31100bd1d9b590ca
 - name: github.com/BurntSushi/ty
  version: 6add9cd6ad42d389d6ead1dde60b4ad71e46fd74
  subpackages:
  - fun
 - name: github.com/cenkalti/backoff
-  version: 4dc77674aceaabba2c7e3da25d4c823edfb73f99
+  version: cdf48bbc1eb78d1349cbda326a4a037f7ba565c6
 - name: github.com/codahale/hdrhistogram
-  version: 954f16e8b9ef0e5d5189456aa4c1202758e04f17
+  version: f8ad88b59a584afeee9d334eff879b104439117b
 - name: github.com/codegangsta/cli
-  version: bf4a526f48af7badd25d2cb02d587e1b01be3b50
+  version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e
 - name: github.com/codegangsta/negroni
-  version: c7477ad8e330bef55bf1ebe300cf8aa67c492d1b
- name: github.com/containous/oxy
-  version: 0b5b371bce661385d35439204298fa6fb5db5463
+  version: dc6b9d037e8dab60cbfc09c61d6932537829be8b
+- name: github.com/containous/flaeg
+  version: b98687da5c323650f4513fda6b6203fcbdec9313
+- name: github.com/containous/mux
+  version: a819b77bba13f0c0cbe36e437bc2e948411b3996
+- name: github.com/containous/staert
+  version: e2aa88e235a02dd52aa1d5d9de75f9d9139d1602
+- name: github.com/coreos/etcd
+  version: 1c9e0a0e33051fed6c05c141e6fcbfe5c7f2a899
  subpackages:
-  - cbreaker
-  - forward
-  - memmetrics
-  - roundrobin
-  - utils
-  - stream
- name: github.com/coreos/go-etcd
-  version: cc90c7b091275e606ad0ca7102a23fb2072f3f5e
-  subpackages:
-  - etcd
+  - client
+  - pkg/pathutil
+  - pkg/types
 - name: github.com/davecgh/go-spew
  version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d
  subpackages:
  - spew
 - name: github.com/docker/distribution
-  version: ff6f38ccb69afa96214c7ee955359465d1fc767a
+  version: 857d0f15c0a4d8037175642e0ca3660829551cb5
  subpackages:
  - reference
+  - digest
+  - registry/api/errcode
+  - registry/client/auth
+  - registry/client/transport
+  - registry/client
+  - context
+  - registry/api/v2
+  - registry/storage/cache
+  - registry/storage/cache/memory
+  - uuid
 - name: github.com/docker/docker
-  version: f39987afe8d611407887b3094c03d6ba6a766a67
+  version: 9837ec4da53f15f9120d53a6e1517491ba8b0261
  subpackages:
-  - autogen
-  - api
+  - namesgenerator
+  - pkg/namesgenerator
+  - pkg/random
  - cliconfig
-  - daemon/network
-  - graph/tags
+  - cliconfig/configfile
+  - pkg/jsonmessage
+  - pkg/promise
+  - pkg/stdcopy
+  - pkg/term
+  - reference
+  - registry
+  - runconfig/opts
+  - pkg/homedir
+  - pkg/jsonlog
+  - pkg/system
+  - pkg/term/windows
  - image
+  - image/v1
+  - pkg/ioutils
  - opts
+  - pkg/httputils
+  - pkg/mflag
+  - pkg/stringid
+  - pkg/tarsum
+  - pkg/mount
+  - pkg/signal
+  - pkg/urlutil
+  - builder
+  - builder/dockerignore
  - pkg/archive
  - pkg/fileutils
-  - pkg/homedir
-  - pkg/httputils
-  - pkg/ioutils
-  - pkg/jsonmessage
-  - pkg/mflag
-  - pkg/nat
-  - pkg/parsers
-  - pkg/pools
-  - pkg/promise
-  - pkg/random
-  - pkg/stdcopy
-  - pkg/stringid
+  - pkg/progress
+  - pkg/streamformatter
+  - layer
+  - pkg/longpath
+  - api/types/backend
+  - pkg/chrootarchive
+  - pkg/gitutils
  - pkg/symlink
-  - pkg/system
-  - pkg/tarsum
-  - pkg/term
-  - pkg/timeutils
-  - pkg/tlsconfig
-  - pkg/ulimit
-  - pkg/units
-  - pkg/urlutil
-  - pkg/useragent
-  - pkg/version
-  - registry
-  - runconfig
-  - utils
-  - volume
+  - pkg/idtools
+  - pkg/pools
+  - daemon/graphdriver
+  - pkg/reexec
+  - pkg/plugins
+  - pkg/plugins/transport
 - name: github.com/docker/engine-api
-  version: 8924d6900370b4c7e7984be5adc61f50a80d7537
+  version: 3d3d0b6c9d2651aac27f416a6da0224c1875b3eb
  subpackages:
  - client
  - types
-  - types/container
+  - types/events
  - types/filters
-  - types/strslice
+  - types/container
+  - types/network
  - client/transport
  - client/transport/cancellable
-  - types/network
+  - types/reference
  - types/registry
  - types/time
+  - types/versions
  - types/blkiodev
+  - types/strslice
 - name: github.com/docker/go-connections
-  version: f549a9393d05688dff0992ef3efd8bbe6c628aeb
+  version: 990a1a1a70b0da4c4cb70e117971a4f0babfbf1a
  subpackages:
-  - nat
  - sockets
  - tlsconfig
+  - nat
 - name: github.com/docker/go-units
-  version: 5d2041e26a699eaca682e2ea41c8f891e1060444
+  version: f2d77a61e3c169b43402a0a1e84f06daf29b8190
 - name: github.com/docker/libcompose
-  version: e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
+  version: 8ee7bcc364f7b8194581a3c6bd9fa019467c7873
+  subpackages:
+  - docker
+  - project
+  - project/events
+  - project/options
+  - config
+  - docker/builder
+  - docker/client
+  - labels
+  - logger
+  - lookup
+  - utils
+  - yaml
+  - version
 - name: github.com/docker/libkv
-  version: 3732f7ff1b56057c3158f10bceb1e79133025373
+  version: 35d3e2084c650109e7bcc7282655b1bc8ba924ff
  subpackages:
  - store
  - store/boltdb
  - store/consul
  - store/etcd
  - store/zookeeper
- name: github.com/docker/libtrust
-  version: 9cbd2a1374f46905c68a4eb3694a130610adc62a
 - name: github.com/donovanhide/eventsource
-  version: d8a3071799b98cacd30b6da92f536050ccfe6da4
+  version: fd1de70867126402be23c306e1ce32828455d85b
 - name: github.com/elazarl/go-bindata-assetfs
-  version: d5cac425555ca5cf00694df246e04f05e6a55150
- name: github.com/flynn/go-shlex
-  version: 3f9db97f856818214da2e1057f8ad84803971cff
+  version: 57eb5e1fc594ad4b0b1dbea7b286d299e0cb43c2
 - name: github.com/gambol99/go-marathon
-  version: ade11d1dc2884ee1f387078fc28509559b6235d1
+  version: a558128c87724cd7430060ef5aedf39f83937f55
 - name: github.com/go-check/check
-  version: 11d3bc7aa68e238947792f30573146a3231fc0f1
- name: github.com/golang/glog
-  version: fca8c8854093a154ff1eb580aae10276ad6b1b5f
+  version: 4f90aeace3a26ad7021961c297b22c42160c7b25
 - name: github.com/google/go-querystring
-  version: 6bb77fe6f42b85397288d4f6f67ac72f8f400ee7
+  version: 9235644dd9e52eeae6fa48efd539fdc351a0af53
  subpackages:
  - query
 - name: github.com/gorilla/context
-  version: 215affda49addc4c8ef7e2534915df2c8c35c6cd
- name: github.com/gorilla/handlers
-  version: 40694b40f4a928c062f56849989d3e9cd0570e5f
- name: github.com/gorilla/mux
-  version: f15e0c49460fd49eebe2bcc8486b05d1bef68d3a
- name: github.com/gorilla/websocket
-  version: e2e3d8414d0fbae04004f151979f4e27c6747fe7
+  version: aed02d124ae4a0e94fea4541c8effd05bf0c8296
 - name: github.com/hashicorp/consul
-  version: de080672fee9e6104572eeea89eccdca135bb918
+  version: 8a8271fd81cdaa1bbc20e4ced86531b90c7eaf79
  subpackages:
  - api
- name: github.com/hashicorp/hcl
-  version: 2604f3bda7e8960c1be1063709e7d7f0765048d0
+- name: github.com/hashicorp/go-cleanhttp
+  version: 875fb671b3ddc66f8e2f0acc33829c8cb989a38d
+- name: github.com/hashicorp/serf
+  version: 6c4672d66fc6312ddde18399262943e21175d831
  subpackages:
-  - hcl/ast
-  - hcl/parser
-  - hcl/token
-  - json/parser
-  - hcl/scanner
-  - hcl/strconv
-  - json/scanner
-  - json/token
- name: github.com/inconshreveable/mousetrap
-  version: 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
- name: github.com/kr/pretty
-  version: add1dbc86daf0f983cd4a48ceb39deb95c729b67
- name: github.com/kr/text
-  version: bb797dc4fb8320488f47bf11de07a733d7233e1f
- name: github.com/magiconair/properties
-  version: c265cfa48dda6474e208715ca93e987829f572f8
- name: github.com/mailgun/log
-  version: 44874009257d4d47ba9806f1b7f72a32a015e4d8
+  - coordinate
+  - serf
+- name: github.com/libkermit/docker
+  version: 3b5eb2973efff7af33cfb65141deaf4ed25c6d02
+  subpackages:
+  - compose
+- name: github.com/libkermit/docker-check
+  version: bb75a86b169c6c5d22c0ee98278124036f272d7b
+  subpackages:
+  - compose
 - name: github.com/mailgun/manners
  version: fada45142db3f93097ca917da107aa3fad0ffcb5
- name: github.com/mailgun/multibuf
-  version: 565402cd71fbd9c12aa7e295324ea357e970a61e
 - name: github.com/mailgun/timetools
  version: fd192d755b00c968d312d23f521eb0cdc6f66bd0
+- name: github.com/mattn/go-shellwords
+  version: 525bedee691b5a8df547cb5cf9f86b7fb1883e24
 - name: github.com/Microsoft/go-winio
-  version: 9e2895e5f6c3f16473b91d37fae6e89990a4520c
+  version: ce2922f643c8fd76b46cadc7f404a06282678b34
 - name: github.com/miekg/dns
-  version: 7e024ce8ce18b21b475ac6baf8fa3c42536bf2fa
- name: github.com/mitchellh/mapstructure
-  version: d2dd0262208475919e1a362f675cfc0e7c10e905
+  version: 5d001d020961ae1c184f9f8152fdc73810481677
+- name: github.com/moul/http2curl
+  version: b1479103caacaa39319f75e7f57fc545287fca0d
+- name: github.com/ogier/pflag
+  version: 45c278ab3607870051a2ea9040bb85fcb8557481
 - name: github.com/opencontainers/runc
-  version: 4ab132458fc3e9dbeea624153e0331952dc4c8d5
+  version: bd1d3ac0480c5d3babac10dc32cff2886563219c
  subpackages:
  - libcontainer/user
+- name: github.com/parnurzeal/gorequest
+  version: 045012d33ef41ea146c1b675df9296d0dc1a212d
 - name: github.com/pmezard/go-difflib
  version: d8ed2627bdf02c080bf22230dbb337003b7aba2d
  subpackages:
  - difflib
+- name: github.com/ryanuber/go-glob
+  version: 572520ed46dbddaed19ea3d9541bdd0494163693
 - name: github.com/samuel/go-zookeeper
-  version: fa6674abf3f4580b946a01bf7a1ce4ba8766205b
+  version: e64db453f3512cade908163702045e0f31137843
  subpackages:
  - zk
 - name: github.com/Sirupsen/logrus
-  version: 418b41d23a1bf978c06faea5313ba194650ac088
- name: github.com/spf13/cast
-  version: ee7b3e0353166ab1f3a605294ac8cd2b77953778
- name: github.com/spf13/cobra
-  version: 2ccf9e982a3e3eb21eba9c9ad8e546529fd74c71
-  subpackages:
-  - cobra
- name: github.com/spf13/jwalterweatherman
-  version: 33c24e77fb80341fe7130ee7c594256ff08ccc46
- name: github.com/spf13/pflag
-  version: 7f60f83a2c81bc3c3c0d5297f61ddfa68da9d3b7
- name: github.com/spf13/viper
-  version: a212099cbe6fbe8d07476bfda8d2d39b6ff8f325
+  version: a283a10442df8dc09befd873fab202bf8a253d6a
+- name: github.com/streamrail/concurrent-map
+  version: 65a174a3a4188c0b7099acbc6cfa0c53628d3287
 - name: github.com/stretchr/objx
  version: cbeaeb16a013161a98496fad62933b1d21786672
 - name: github.com/stretchr/testify
-  version: 6fe211e493929a8aac0469b93f28b1d0688a9a3a
+  version: d77da356e56a7428ad25149ca77381849a6a5232
  subpackages:
  - mock
  - assert
 - name: github.com/thoas/stats
-  version: 54ed61c2b47e263ae2f01b86837b0c4bd1da28e8
+  version: 152b5d051953fdb6e45f14b6826962aadc032324
+- name: github.com/ugorji/go
+  version: b94837a2404ab90efe9289e77a70694c355739cb
+  subpackages:
+  - codec
 - name: github.com/unrolled/render
-  version: 26b4e3aac686940fe29521545afad9966ddfc80c
+  version: 198ad4d8b8a4612176b804ca10555b222a086b40
 - name: github.com/vdemeester/docker-events
-  version: bd72e1848b08db4b5ed1a2e9277621b9f5e5d1f3
- name: github.com/vdemeester/libkermit
-  version: 7e4e689a6fa9281e0fb9b7b9c297e22d5342a5ec
+  version: 20e6d2db238723e68197a9e3c6c34c99a9893a9c
 - name: github.com/vdemeester/shakers
  version: 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
 - name: github.com/vulcand/oxy
-  version: 8aaf36279137ac04ace3792a4f86098631b27d5a
+  version: 4298f24d572dc554eb984f2ffdf6bdd54d4bd613
+  repo: https://github.com/containous/oxy.git
+  vcs: git
  subpackages:
-  - memmetrics
+  - cbreaker
+  - connlimit
+  - forward
+  - roundrobin
+  - stream
  - utils
+  - memmetrics
 - name: github.com/vulcand/predicate
-  version: cb0bff91a7ab7cf7571e661ff883fc997bc554a3
+  version: 19b9dde14240d94c804ae5736ad0e1de10bf8fe6
 - name: github.com/vulcand/route
  version: cb89d787ddbb1c5849a7ac9f79004c1fd12a4a32
 - name: github.com/vulcand/vulcand
-  version: 475540bb016702d5b7cc4674e37f48ee3e144a69
+  version: 28a4e5c0892167589737b95ceecbcef00295be50
  subpackages:
  - plugin/rewrite
  - plugin
+  - conntracker
  - router
- name: github.com/wendal/errors
-  version: f66c77a7882b399795a8987ebf87ef64a427417e
 - name: github.com/xenolf/lego
-  version: ca19a90028e242e878585941c2a27c8f3b3efc25
+  version: b2fad6198110326662e9e356a97199078a4a775c
  subpackages:
  - acme
 - name: golang.org/x/crypto
-  version: 9e7f5dc375abeb9619ea3c5c58502c428f457aa2
+  version: d81fdb778bf2c40a91b24519d60cdc5767318829
  subpackages:
  - ocsp
 - name: golang.org/x/net
-  version: d9558e5c97f85372afee28cf2b6059d7d3818919
+  version: b400c2eff1badec7022a8c8f5bea058b6315eed7
  subpackages:
  - context
  - publicsuffix
  - proxy
 - name: golang.org/x/sys
-  version: eb2c74142fd19a79b3f237334c7384d5167b1b46
+  version: 62bee037599929a6e9146f29d10dd5208c43507d
  subpackages:
  - unix
- name: gopkg.in/alecthomas/kingpin.v2
-  version: 639879d6110b1b0409410c7b737ef0bb18325038
+  - windows
 - name: gopkg.in/fsnotify.v1
-  version: 96c060f6a6b7e0d6f75fddd10efeaca3e5d1bcb0
+  version: a8a77c9133d2d6fd8334f3260d06f60e8d80a5fb
 - name: gopkg.in/mgo.v2
-  version: 22287bab4379e1fbf6002fb4eb769888f3fb224c
+  version: 29cc868a5ca65f401ff318143f9408d02f4799cc
  subpackages:
  - bson
 - name: gopkg.in/square/go-jose.v1
-  version: 40d457b439244b546f023d056628e5184136899b
+  version: e3f973b66b91445ec816dd7411ad1b6495a5a2fc
  subpackages:
  - cipher
  - json
- name: gopkg.in/yaml.v2
-  version: 7ad95dd0798a40da1ccdff6dff35fd177b5edf40
-devImports: []
+testImports:
+- name: github.com/Azure/go-ansiterm
+  version: fa152c58bc15761d0200cb75fe958b89a9d4888e
+  subpackages:
+  - winterm
+- name: github.com/cloudfoundry-incubator/candiedyaml
+  version: 99c3df83b51532e3615f851d8c2dbb638f5313bf
+- name: github.com/flynn/go-shlex
+  version: 3f9db97f856818214da2e1057f8ad84803971cff
+- name: github.com/gorilla/mux
+  version: 9fa818a44c2bf1396a17f9d5a3c0f6dd39d2ff8e
+- name: github.com/vbatts/tar-split
+  version: 28bc4c32f9fa9725118a685c9ddd7ffdbdbfe2c8
+  subpackages:
+  - tar/asm
+  - tar/storage
+  - archive/tar
+- name: github.com/xeipuuv/gojsonpointer
+  version: e0fe6f68307607d540ed8eac07a342c33fa1b54a
+- name: github.com/xeipuuv/gojsonreference
+  version: e02fc20de94c78484cd5ffb007f8af96be030a45
+- name: github.com/xeipuuv/gojsonschema
+  version: 66a3de92def23708184148ae337750915875e7c1
--- a/glide.yaml
+++ b/glide.yaml
@@ -1,176 +1,84 @@
-package: main
+package: github.com/containous/traefik
 import:
-  - package: github.com/coreos/go-etcd
-    ref:     cc90c7b091275e606ad0ca7102a23fb2072f3f5e
-    subpackages:
-      - etcd
-  - package: github.com/mailgun/log
-    ref:     44874009257d4d47ba9806f1b7f72a32a015e4d8
-  - package: github.com/containous/oxy
-    ref:     0b5b371bce661385d35439204298fa6fb5db5463
-    subpackages:
-      - cbreaker
-      - forward
-      - memmetrics
-      - roundrobin
-      - utils
-  - package: github.com/hashicorp/consul
-    ref:     de080672fee9e6104572eeea89eccdca135bb918
-    subpackages:
-      - api
-  - package: github.com/samuel/go-zookeeper
-    ref:     fa6674abf3f4580b946a01bf7a1ce4ba8766205b
-    subpackages:
-      - zk
-  - package: github.com/docker/libtrust
-    ref:     9cbd2a1374f46905c68a4eb3694a130610adc62a
-  - package: github.com/go-check/check
-    ref:     11d3bc7aa68e238947792f30573146a3231fc0f1
-  - package: golang.org/x/net
-    ref:     d9558e5c97f85372afee28cf2b6059d7d3818919
-    subpackages:
-      - context
-  - package: github.com/gorilla/handlers
-    ref:     40694b40f4a928c062f56849989d3e9cd0570e5f
-  - package: github.com/docker/libkv
-    ref:     3732f7ff1b56057c3158f10bceb1e79133025373
-  - package: github.com/alecthomas/template
-    ref:     b867cc6ab45cece8143cfcc6fc9c77cf3f2c23c0
-  - package: github.com/vdemeester/shakers
-    ref:     24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
-  - package: github.com/alecthomas/units
-    ref:     6b4e7dc5e3143b85ea77909c72caf89416fc2915
-  - package: github.com/gambol99/go-marathon
-    ref:     ade11d1dc2884ee1f387078fc28509559b6235d1
-  - package: github.com/vulcand/predicate
-    ref:     cb0bff91a7ab7cf7571e661ff883fc997bc554a3
-  - package: github.com/thoas/stats
-    ref:     54ed61c2b47e263ae2f01b86837b0c4bd1da28e8
-  - package: github.com/Sirupsen/logrus
-    ref:     418b41d23a1bf978c06faea5313ba194650ac088
-  - package: github.com/unrolled/render
-    ref:     26b4e3aac686940fe29521545afad9966ddfc80c
-  - package: github.com/flynn/go-shlex
-    ref:     3f9db97f856818214da2e1057f8ad84803971cff
-  - package: github.com/boltdb/bolt
-    ref:     51f99c862475898df9773747d3accd05a7ca33c1
-  - package: gopkg.in/mgo.v2
-    ref:     22287bab4379e1fbf6002fb4eb769888f3fb224c
-    subpackages:
-      - bson
-  - package: github.com/docker/docker
-    ref:     f39987afe8d611407887b3094c03d6ba6a766a67
-    subpackages:
-      - autogen
-      - api
-      - cliconfig
-      - daemon/network
-      - graph/tags
-      - image
-      - opts
-      - pkg/archive
-      - pkg/fileutils
-      - pkg/homedir
-      - pkg/httputils
-      - pkg/ioutils
-      - pkg/jsonmessage
-      - pkg/mflag
-      - pkg/nat
-      - pkg/parsers
-      - pkg/pools
-      - pkg/promise
-      - pkg/random
-      - pkg/stdcopy
-      - pkg/stringid
-      - pkg/symlink
-      - pkg/system
-      - pkg/tarsum
-      - pkg/term
-      - pkg/timeutils
-      - pkg/tlsconfig
-      - pkg/ulimit
-      - pkg/units
-      - pkg/urlutil
-      - pkg/useragent
-      - pkg/version
-      - registry
-      - runconfig
-      - utils
-      - volume
-  - package: github.com/mailgun/timetools
-    ref:     fd192d755b00c968d312d23f521eb0cdc6f66bd0
-  - package: github.com/codegangsta/negroni
-    ref:     c7477ad8e330bef55bf1ebe300cf8aa67c492d1b
-  - package: gopkg.in/yaml.v2
-    ref:     7ad95dd0798a40da1ccdff6dff35fd177b5edf40
-  - package: github.com/opencontainers/runc
-    ref:     4ab132458fc3e9dbeea624153e0331952dc4c8d5
-    subpackages:
-      - libcontainer/user
-  - package: github.com/gorilla/mux
-    ref:     f15e0c49460fd49eebe2bcc8486b05d1bef68d3a
-  - package: github.com/BurntSushi/ty
-    ref:     6add9cd6ad42d389d6ead1dde60b4ad71e46fd74
-  - package: github.com/elazarl/go-bindata-assetfs
-    ref:     d5cac425555ca5cf00694df246e04f05e6a55150
-  - package: github.com/BurntSushi/toml
-    ref:     bd2bdf7f18f849530ef7a1c29a4290217cab32a1
-  - package: gopkg.in/alecthomas/kingpin.v2
-    ref:     639879d6110b1b0409410c7b737ef0bb18325038
-  - package: github.com/cenkalti/backoff
-    ref:     4dc77674aceaabba2c7e3da25d4c823edfb73f99
-  - package: gopkg.in/fsnotify.v1
-    ref:     96c060f6a6b7e0d6f75fddd10efeaca3e5d1bcb0
-  - package: github.com/mailgun/manners
-    ref:     fada45142db3f93097ca917da107aa3fad0ffcb5
-  - package: github.com/gorilla/context
-    ref:     215affda49addc4c8ef7e2534915df2c8c35c6cd
-  - package: github.com/codahale/hdrhistogram
-    ref:     954f16e8b9ef0e5d5189456aa4c1202758e04f17
-  - package: github.com/gorilla/websocket
-  - package: github.com/donovanhide/eventsource
-    ref:     d8a3071799b98cacd30b6da92f536050ccfe6da4
-  - package: github.com/golang/glog
-    ref:     fca8c8854093a154ff1eb580aae10276ad6b1b5f
-  - package: github.com/spf13/cast
-    ref: ee7b3e0353166ab1f3a605294ac8cd2b77953778
-  - package: github.com/mitchellh/mapstructure
-  - package: github.com/spf13/jwalterweatherman
-  - package: github.com/spf13/pflag
-  - package: github.com/wendal/errors
-  - package: github.com/hashicorp/hcl
-  - package: github.com/kr/pretty
-  - package: github.com/magiconair/properties
-  - package: github.com/kr/text
-  - package: github.com/spf13/viper
-    ref: a212099cbe6fbe8d07476bfda8d2d39b6ff8f325
-  - package: github.com/spf13/cobra
-    subpackages:
-    - /cobra
-  - package: github.com/google/go-querystring/query
-  - package: github.com/vulcand/vulcand/plugin/rewrite
-  - package: github.com/stretchr/testify/mock
-  - package: github.com/xenolf/lego
-  - package: github.com/vdemeester/libkermit
-    ref: 7e4e689a6fa9281e0fb9b7b9c297e22d5342a5ec
-  - package: github.com/docker/libcompose
-    version: e290a513ba909ca3afefd5cd611f3a3fe56f6a3a
-  - package: github.com/docker/distribution
-    version: ff6f38ccb69afa96214c7ee955359465d1fc767a
-    subpackages:
-    - reference
-  - package: github.com/docker/engine-api
-    subpackages:
-    - client
-    - types
-    - types/container
-    - types/filters
-    - types/strslice
-  - package: github.com/vdemeester/docker-events
-  - package: github.com/docker/go-connections
-    subpackages:
-    - nat
-    - sockets
-    - tlsconfig
-  - package: github.com/docker/go-units
-  - package: github.com/mailgun/multibuf
+- package: github.com/BurntSushi/toml
+- package: github.com/BurntSushi/ty
+  subpackages:
+  - fun
+- package: github.com/Sirupsen/logrus
+- package: github.com/cenkalti/backoff
+- package: github.com/codegangsta/negroni
+- package: github.com/containous/flaeg
+  version: b98687da5c323650f4513fda6b6203fcbdec9313
+- package: github.com/vulcand/oxy
+  version: 4298f24d572dc554eb984f2ffdf6bdd54d4bd613
+  repo: https://github.com/containous/oxy.git
+  vcs: git
+  subpackages:
+  - cbreaker
+  - connlimit
+  - forward
+  - roundrobin
+  - stream
+  - utils
+- package: github.com/containous/staert
+  version: e2aa88e235a02dd52aa1d5d9de75f9d9139d1602
+- package: github.com/docker/engine-api
+  version: 3d3d0b6c9d2651aac27f416a6da0224c1875b3eb
+  subpackages:
+  - client
+  - types
+  - types/events
+  - types/filters
+- package: github.com/docker/go-connections
+  subpackages:
+  - sockets
+  - tlsconfig
+- package: github.com/docker/libkv
+  subpackages:
+  - store
+  - store/boltdb
+  - store/consul
+  - store/etcd
+  - store/zookeeper
+- package: github.com/elazarl/go-bindata-assetfs
+- package: github.com/gambol99/go-marathon
+  version: a558128c87724cd7430060ef5aedf39f83937f55
+- package: github.com/containous/mux
+- package: github.com/hashicorp/consul
+  subpackages:
+  - api
+- package: github.com/mailgun/manners
+- package: github.com/parnurzeal/gorequest
+- package: github.com/streamrail/concurrent-map
+- package: github.com/stretchr/testify
+  subpackages:
+  - mock
+- package: github.com/thoas/stats
+- package: github.com/unrolled/render
+- package: github.com/vdemeester/docker-events
+  version: 20e6d2db238723e68197a9e3c6c34c99a9893a9c
+- package: github.com/vulcand/vulcand
+  subpackages:
+  - plugin/rewrite
+- package: github.com/xenolf/lego
+  version: b2fad6198110326662e9e356a97199078a4a775c
+  subpackages:
+  - acme
+- package: golang.org/x/net
+  subpackages:
+  - context
+- package: gopkg.in/fsnotify.v1
+- package: github.com/libkermit/docker-check
+  version: bb75a86b169c6c5d22c0ee98278124036f272d7b
+- package: github.com/libkermit/docker
+  version: 3b5eb2973efff7af33cfb65141deaf4ed25c6d02
+- package: github.com/docker/docker
+  version: 9837ec4da53f15f9120d53a6e1517491ba8b0261
+  subpackages:
+  - namesgenerator
+- package: github.com/go-check/check
+- package: github.com/docker/libcompose
+  version: 8ee7bcc364f7b8194581a3c6bd9fa019467c7873
+- package: github.com/mattn/go-shellwords
+- package: github.com/vdemeester/shakers
+- package: github.com/ryanuber/go-glob
--- a/integration/access_log_test.go
+++ b/integration/access_log_test.go
@@ -0,0 +1,106 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/go-check/check"
+	shellwords "github.com/mattn/go-shellwords"
+
+	checker "github.com/vdemeester/shakers"
+)
+
+// AccessLogSuite
+type AccessLogSuite struct{ BaseSuite }
+
+func (s *AccessLogSuite) TestAccessLog(c *check.C) {
+	// Ensure working directory is clean
+	os.Remove("access.log")
+	os.Remove("traefik.log")
+
+	// Start Traefik
+	cmd := exec.Command(traefikBinary, "--configFile=fixtures/access_log_config.toml")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+	defer os.Remove("access.log")
+	defer os.Remove("traefik.log")
+
+	time.Sleep(500 * time.Millisecond)
+
+	// Verify Traefik started OK
+	traefikLog, err := ioutil.ReadFile("traefik.log")
+	c.Assert(err, checker.IsNil)
+	if len(traefikLog) > 0 {
+		fmt.Printf("%s\n", string(traefikLog))
+		c.Assert(len(traefikLog), checker.Equals, 0)
+	}
+
+	// Start test servers
+	ts1 := startAccessLogServer(8081)
+	defer ts1.Close()
+	ts2 := startAccessLogServer(8082)
+	defer ts2.Close()
+	ts3 := startAccessLogServer(8083)
+	defer ts3.Close()
+
+	// Make some requests
+	_, err = http.Get("http://127.0.0.1:8000/test1")
+	c.Assert(err, checker.IsNil)
+	_, err = http.Get("http://127.0.0.1:8000/test2")
+	c.Assert(err, checker.IsNil)
+	_, err = http.Get("http://127.0.0.1:8000/test2")
+	c.Assert(err, checker.IsNil)
+
+	// Verify access.log output as expected
+	accessLog, err := ioutil.ReadFile("access.log")
+	c.Assert(err, checker.IsNil)
+	lines := strings.Split(string(accessLog), "\n")
+	count := 0
+	for i, line := range lines {
+		if len(line) > 0 {
+			count++
+			tokens, err := shellwords.Parse(line)
+			c.Assert(err, checker.IsNil)
+			c.Assert(len(tokens), checker.Equals, 13)
+			c.Assert(tokens[6], checker.Equals, "200")
+			c.Assert(tokens[9], checker.Equals, fmt.Sprintf("%d", i+1))
+			c.Assert(strings.HasPrefix(tokens[10], "frontend"), checker.True)
+			c.Assert(strings.HasPrefix(tokens[11], "http://127.0.0.1:808"), checker.True)
+			c.Assert(regexp.MustCompile("^\\d+\\.\\d+.*s$").MatchString(tokens[12]), checker.True)
+		}
+	}
+	c.Assert(count, checker.Equals, 3)
+
+	// Verify no other Traefik problems
+	traefikLog, err = ioutil.ReadFile("traefik.log")
+	c.Assert(err, checker.IsNil)
+	if len(traefikLog) > 0 {
+		fmt.Printf("%s\n", string(traefikLog))
+		c.Assert(len(traefikLog), checker.Equals, 0)
+	}
+}
+
+func startAccessLogServer(port int) (ts *httptest.Server) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Received query %s!\n", r.URL.Path[1:])
+	})
+	if listener, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port)); err != nil {
+		panic(err)
+	} else {
+		ts = &httptest.Server{
+			Listener: listener,
+			Config:   &http.Server{Handler: handler},
+		}
+		ts.Start()
+	}
+	return
+}
--- a/integration/basic_test.go
+++ b/integration/basic_test.go
@@ -5,36 +5,28 @@ import (
 	"os/exec"
 	"time"

-	"fmt"
 	"github.com/go-check/check"

+	"bytes"
 	checker "github.com/vdemeester/shakers"
 )

 // SimpleSuite
 type SimpleSuite struct{ BaseSuite }

-func (s *SimpleSuite) TestNoOrInexistentConfigShouldFail(c *check.C) {
-	cmd := exec.Command(traefikBinary)
-	output, err := cmd.CombinedOutput()
-
-	c.Assert(err, checker.NotNil)
-	c.Assert(string(output), checker.Contains, "Error reading file: open : no such file or directory")
-
-	nonExistentFile := "non/existent/file.toml"
-	cmd = exec.Command(traefikBinary, "--configFile="+nonExistentFile)
-	output, err = cmd.CombinedOutput()
-
-	c.Assert(err, checker.NotNil)
-	c.Assert(string(output), checker.Contains, fmt.Sprintf("Error reading file: open %s: no such file or directory", nonExistentFile))
-}
-
 func (s *SimpleSuite) TestInvalidConfigShouldFail(c *check.C) {
 	cmd := exec.Command(traefikBinary, "--configFile=fixtures/invalid_configuration.toml")
-	output, err := cmd.CombinedOutput()

-	c.Assert(err, checker.NotNil)
-	c.Assert(string(output), checker.Contains, "Error reading file: While parsing config: Near line 1")
+	var b bytes.Buffer
+	cmd.Stdout = &b
+	cmd.Stderr = &b
+
+	cmd.Start()
+	time.Sleep(500 * time.Millisecond)
+	defer cmd.Process.Kill()
+	output := b.Bytes()
+
+	c.Assert(string(output), checker.Contains, "Near line 0 (last key parsed ''): Bare keys cannot contain '{'")
 }

 func (s *SimpleSuite) TestSimpleDefaultConfig(c *check.C) {
@@ -65,3 +57,34 @@ func (s *SimpleSuite) TestWithWebConfig(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	c.Assert(resp.StatusCode, checker.Equals, 200)
 }
+
+func (s *SimpleSuite) TestDefaultEntryPoints(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--debug")
+
+	var b bytes.Buffer
+	cmd.Stdout = &b
+	cmd.Stderr = &b
+
+	cmd.Start()
+	time.Sleep(500 * time.Millisecond)
+	defer cmd.Process.Kill()
+	output := b.Bytes()
+
+	c.Assert(string(output), checker.Contains, "\\\"DefaultEntryPoints\\\":[\\\"http\\\"]")
+}
+
+func (s *SimpleSuite) TestPrintHelp(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--help")
+
+	var b bytes.Buffer
+	cmd.Stdout = &b
+	cmd.Stderr = &b
+
+	cmd.Start()
+	time.Sleep(500 * time.Millisecond)
+	defer cmd.Process.Kill()
+	output := b.Bytes()
+
+	c.Assert(string(output), checker.Not(checker.Contains), "panic:")
+	c.Assert(string(output), checker.Contains, "Usage:")
+}
--- a/integration/constraint_test.go
+++ b/integration/constraint_test.go
@@ -0,0 +1,209 @@
+package main
+
+import (
+	"net/http"
+	"os/exec"
+	"time"
+
+	"github.com/go-check/check"
+	"github.com/hashicorp/consul/api"
+
+	checker "github.com/vdemeester/shakers"
+)
+
+// Constraint test suite
+type ConstraintSuite struct {
+	BaseSuite
+	consulIP     string
+	consulClient *api.Client
+}
+
+func (s *ConstraintSuite) SetUpSuite(c *check.C) {
+
+	s.createComposeProject(c, "constraints")
+	s.composeProject.Start(c)
+
+	consul := s.composeProject.Container(c, "consul")
+
+	s.consulIP = consul.NetworkSettings.IPAddress
+	config := api.DefaultConfig()
+	config.Address = s.consulIP + ":8500"
+	consulClient, err := api.NewClient(config)
+	if err != nil {
+		c.Fatalf("Error creating consul client")
+	}
+	s.consulClient = consulClient
+
+	// Wait for consul to elect itself leader
+	time.Sleep(2000 * time.Millisecond)
+}
+
+func (s *ConstraintSuite) registerService(name string, address string, port int, tags []string) error {
+	catalog := s.consulClient.Catalog()
+	_, err := catalog.Register(
+		&api.CatalogRegistration{
+			Node:    address,
+			Address: address,
+			Service: &api.AgentService{
+				ID:      name,
+				Service: name,
+				Address: address,
+				Port:    port,
+				Tags:    tags,
+			},
+		},
+		&api.WriteOptions{},
+	)
+	return err
+}
+
+func (s *ConstraintSuite) deregisterService(name string, address string) error {
+	catalog := s.consulClient.Catalog()
+	_, err := catalog.Deregister(
+		&api.CatalogDeregistration{
+			Node:      address,
+			Address:   address,
+			ServiceID: name,
+		},
+		&api.WriteOptions{},
+	)
+	return err
+}
+
+func (s *ConstraintSuite) TestMatchConstraintGlobal(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--constraints=tag==api")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"traefik.tags=api"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 200)
+}
+
+func (s *ConstraintSuite) TestDoesNotMatchConstraintGlobal(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--constraints=tag==api")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+}
+
+func (s *ConstraintSuite) TestMatchConstraintProvider(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"traefik.tags=api"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 200)
+}
+
+func (s *ConstraintSuite) TestDoesNotMatchConstraintProvider(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+}
+
+func (s *ConstraintSuite) TestMatchMultipleConstraint(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api", "--constraints=tag!=us-*")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"traefik.tags=api", "traefik.tags=eu-1"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 200)
+}
+
+func (s *ConstraintSuite) TestDoesNotMatchMultipleConstraint(c *check.C) {
+	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api", "--constraints=tag!=us-*")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"traefik.tags=api", "traefik.tags=us-1"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	time.Sleep(5000 * time.Millisecond)
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+	resp, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+}
--- a/integration/consul_catalog_test.go
+++ b/integration/consul_catalog_test.go
@@ -39,7 +39,7 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 	time.Sleep(2000 * time.Millisecond)
 }

-func (s *ConsulCatalogSuite) registerService(name string, address string, port int) error {
+func (s *ConsulCatalogSuite) registerService(name string, address string, port int, tags []string) error {
 	catalog := s.consulClient.Catalog()
 	_, err := catalog.Register(
 		&api.CatalogRegistration{
@@ -50,6 +50,7 @@ func (s *ConsulCatalogSuite) registerService(name string, address string, port i
 				Service: name,
 				Address: address,
 				Port:    port,
+				Tags:    tags,
 			},
 		},
 		&api.WriteOptions{},
@@ -93,7 +94,7 @@ func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {

 	nginx := s.composeProject.Container(c, "nginx")

-	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80)
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)

--- a/integration/consul_test.go
+++ b/integration/consul_test.go
@@ -5,29 +5,188 @@ import (
 	"os/exec"
 	"time"

+	"github.com/docker/libkv"
+	"github.com/docker/libkv/store"
+	"github.com/docker/libkv/store/consul"
 	"github.com/go-check/check"

+	"errors"
+	"github.com/containous/traefik/integration/utils"
 	checker "github.com/vdemeester/shakers"
+	"io/ioutil"
+	"os"
+	"strings"
 )

 // Consul test suites (using libcompose)
-type ConsulSuite struct{ BaseSuite }
+type ConsulSuite struct {
+	BaseSuite
+	kv store.Store
+}

 func (s *ConsulSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "consul")
+	s.composeProject.Start(c)
+
+	consul.Register()
+	kv, err := libkv.NewStore(
+		store.CONSUL,
+		[]string{s.composeProject.Container(c, "consul").NetworkSettings.IPAddress + ":8500"},
+		&store.Config{
+			ConnectionTimeout: 10 * time.Second,
+		},
+	)
+	if err != nil {
+		c.Fatal("Cannot create store consul")
+	}
+	s.kv = kv
+
+	// wait for consul
+	err = utils.Try(60*time.Second, func() error {
+		_, err := kv.Exists("test")
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }

 func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/consul/simple.toml")
+	consulHost := s.composeProject.Container(c, "consul").NetworkSettings.IPAddress
+	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulHost string }{consulHost})
+	defer os.Remove(file)
+	cmd := exec.Command(traefikBinary, "--configFile="+file)
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()

 	time.Sleep(500 * time.Millisecond)
-	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")

 	// Expected a 404 as we did not configure anything
 	c.Assert(err, checker.IsNil)
 	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
+
+func (s *ConsulSuite) TestNominalConfiguration(c *check.C) {
+	consulHost := s.composeProject.Container(c, "consul").NetworkSettings.IPAddress
+	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulHost string }{consulHost})
+	defer os.Remove(file)
+	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	whoami1 := s.composeProject.Container(c, "whoami1")
+	whoami2 := s.composeProject.Container(c, "whoami2")
+	whoami3 := s.composeProject.Container(c, "whoami3")
+	whoami4 := s.composeProject.Container(c, "whoami4")
+
+	backend1 := map[string]string{
+		"traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
+		"traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server1/weight":    "10",
+		"traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server2/weight":    "1",
+	}
+	backend2 := map[string]string{
+		"traefik/backends/backend2/loadbalancer/method":    "drr",
+		"traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server1/weight": "1",
+		"traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server2/weight": "2",
+	}
+	frontend1 := map[string]string{
+		"traefik/frontends/frontend1/backend":            "backend2",
+		"traefik/frontends/frontend1/entrypoints":        "http",
+		"traefik/frontends/frontend1/priority":           "1",
+		"traefik/frontends/frontend1/routes/test_1/rule": "Host:test.localhost",
+	}
+	frontend2 := map[string]string{
+		"traefik/frontends/frontend2/backend":            "backend1",
+		"traefik/frontends/frontend2/entrypoints":        "http",
+		"traefik/frontends/frontend2/priority":           "10",
+		"traefik/frontends/frontend2/routes/test_2/rule": "Path:/test",
+	}
+	for key, value := range backend1 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range backend2 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range frontend1 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range frontend2 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+
+	// wait for consul
+	err = utils.Try(60*time.Second, func() error {
+		_, err := s.kv.Exists("traefik/frontends/frontend2/routes/test_2/rule")
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+
+	// wait for traefik
+	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, func(res *http.Response) error {
+		body, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+		if !strings.Contains(string(body), "Path:/test") {
+			return errors.New("Incorrect traefik config")
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.localhost"
+	response, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(response.StatusCode, checker.Equals, 200)
+
+	body, err := ioutil.ReadAll(response.Body)
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(body), whoami3.NetworkSettings.IPAddress) &&
+		!strings.Contains(string(body), whoami4.NetworkSettings.IPAddress) {
+		c.Fail()
+	}
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test", nil)
+	c.Assert(err, checker.IsNil)
+	response, err = client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(response.StatusCode, checker.Equals, 200)
+
+	body, err = ioutil.ReadAll(response.Body)
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(body), whoami1.NetworkSettings.IPAddress) &&
+		!strings.Contains(string(body), whoami2.NetworkSettings.IPAddress) {
+		c.Fail()
+	}
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test2", nil)
+	resp, err := client.Do(req)
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req.Host = "test2.localhost"
+	resp, err = client.Do(req)
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+}
--- a/integration/docker_test.go
+++ b/integration/docker_test.go
@@ -13,8 +13,8 @@ import (
 	"github.com/docker/docker/pkg/namesgenerator"
 	"github.com/go-check/check"

-	d "github.com/vdemeester/libkermit/docker"
-	docker "github.com/vdemeester/libkermit/docker/check"
+	d "github.com/libkermit/docker"
+	docker "github.com/libkermit/docker-check"
 	checker "github.com/vdemeester/shakers"
 )

--- a/integration/etcd_test.go
+++ b/integration/etcd_test.go
@@ -1,24 +1,64 @@
 package main

 import (
+	"github.com/go-check/check"
 	"net/http"
 	"os/exec"
 	"time"

-	"github.com/go-check/check"
-
 	checker "github.com/vdemeester/shakers"
+
+	"errors"
+	"fmt"
+	"github.com/containous/traefik/integration/utils"
+	"github.com/docker/libkv"
+	"github.com/docker/libkv/store"
+	"github.com/docker/libkv/store/etcd"
+	"io/ioutil"
+	"os"
+	"strings"
 )

 // Etcd test suites (using libcompose)
-type EtcdSuite struct{ BaseSuite }
+type EtcdSuite struct {
+	BaseSuite
+	kv store.Store
+}

 func (s *EtcdSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "etcd")
+	s.composeProject.Start(c)
+
+	etcd.Register()
+	url := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress + ":2379"
+	kv, err := libkv.NewStore(
+		store.ETCD,
+		[]string{url},
+		&store.Config{
+			ConnectionTimeout: 10 * time.Second,
+		},
+	)
+	if err != nil {
+		c.Fatal("Cannot create store etcd")
+	}
+	s.kv = kv
+
+	// wait for etcd
+	err = utils.Try(60*time.Second, func() error {
+		_, err := kv.Exists("test")
+		if err != nil {
+			return fmt.Errorf("Etcd connection error to %s: %v", url, err)
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }

 func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/etcd/simple.toml")
+	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
+	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdHost string }{etcdHost})
+	defer os.Remove(file)
+	cmd := exec.Command(traefikBinary, "--configFile="+file)
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -31,3 +71,125 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
+
+func (s *EtcdSuite) TestNominalConfiguration(c *check.C) {
+	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
+	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdHost string }{etcdHost})
+	defer os.Remove(file)
+	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	whoami1 := s.composeProject.Container(c, "whoami1")
+	whoami2 := s.composeProject.Container(c, "whoami2")
+	whoami3 := s.composeProject.Container(c, "whoami3")
+	whoami4 := s.composeProject.Container(c, "whoami4")
+
+	backend1 := map[string]string{
+		"/traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
+		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server1/weight":    "10",
+		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server2/weight":    "1",
+	}
+	backend2 := map[string]string{
+		"/traefik/backends/backend2/loadbalancer/method":    "drr",
+		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server1/weight": "1",
+		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server2/weight": "2",
+	}
+	frontend1 := map[string]string{
+		"/traefik/frontends/frontend1/backend":            "backend2",
+		"/traefik/frontends/frontend1/entrypoints":        "http",
+		"/traefik/frontends/frontend1/priority":           "1",
+		"/traefik/frontends/frontend1/routes/test_1/rule": "Host:test.localhost",
+	}
+	frontend2 := map[string]string{
+		"/traefik/frontends/frontend2/backend":            "backend1",
+		"/traefik/frontends/frontend2/entrypoints":        "http",
+		"/traefik/frontends/frontend2/priority":           "10",
+		"/traefik/frontends/frontend2/routes/test_2/rule": "Path:/test",
+	}
+	for key, value := range backend1 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range backend2 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range frontend1 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+	for key, value := range frontend2 {
+		err := s.kv.Put(key, []byte(value), nil)
+		c.Assert(err, checker.IsNil)
+	}
+
+	// wait for etcd
+	err = utils.Try(60*time.Second, func() error {
+		_, err := s.kv.Exists("/traefik/frontends/frontend2/routes/test_2/rule")
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+
+	// wait for traefik
+	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, func(res *http.Response) error {
+		body, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+		if !strings.Contains(string(body), "Path:/test") {
+			return errors.New("Incorrect traefik config")
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.localhost"
+	response, err := client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(response.StatusCode, checker.Equals, 200)
+
+	body, err := ioutil.ReadAll(response.Body)
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(body), whoami3.NetworkSettings.IPAddress) &&
+		!strings.Contains(string(body), whoami4.NetworkSettings.IPAddress) {
+		c.Fail()
+	}
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test", nil)
+	c.Assert(err, checker.IsNil)
+	response, err = client.Do(req)
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(response.StatusCode, checker.Equals, 200)
+
+	body, err = ioutil.ReadAll(response.Body)
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(body), whoami1.NetworkSettings.IPAddress) &&
+		!strings.Contains(string(body), whoami2.NetworkSettings.IPAddress) {
+		c.Fail()
+	}
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test2", nil)
+	req.Host = "test2.localhost"
+	resp, err := client.Do(req)
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+
+	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	resp, err = client.Do(req)
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, 404)
+}
--- a/integration/fixtures/access_log_config.toml
+++ b/integration/fixtures/access_log_config.toml
@@ -0,0 +1,46 @@
+################################################################
+# Global configuration
+################################################################
+traefikLogsFile = "traefik.log"
+accessLogsFile = "access.log"
+logLevel = "ERROR"
+defaultEntryPoints = ["http"]
+[entryPoints]
+  [entryPoints.http]
+  address = ":8000"
+
+################################################################
+# Web configuration backend
+################################################################
+[web]
+address = ":7888"
+
+################################################################
+# File configuration backend
+################################################################
+[file]
+
+################################################################
+# rules
+################################################################
+ [backends]
+   [backends.backend1]
+     [backends.backend1.servers.server1]
+       url = "http://127.0.0.1:8081"
+   [backends.backend2]
+     [backends.backend2.LoadBalancer]
+       method = "drr"
+     [backends.backend2.servers.server1]
+       url = "http://127.0.0.1:8082"
+     [backends.backend2.servers.server2]
+       url = "http://127.0.0.1:8083"
+  [frontends]
+   [frontends.frontend1]
+   backend = "backend1"
+     [frontends.frontend1.routes.test_1]
+     rule = "Path: /test1"
+   [frontends.frontend2]
+   backend = "backend2"
+   passHostHeader = true
+     [frontends.frontend2.routes.test_2]
+     rule = "Path: /test2"
--- a/integration/fixtures/consul/simple.toml
+++ b/integration/fixtures/consul/simple.toml
@@ -1,9 +1,16 @@
 defaultEntryPoints = ["http"]

+logLevel = "DEBUG"
+
 [entryPoints]
  [entryPoints.http]
  address = ":8000"

-logLevel = "DEBUG"

 [consul]
+  endpoint = "{{.ConsulHost}}:8500"
+  watch = true
+  prefix = "traefik"
+  
+[web]
+  address = ":8081"
--- a/integration/fixtures/docker/simple.toml
+++ b/integration/fixtures/docker/simple.toml
@@ -1,11 +1,11 @@
 defaultEntryPoints = ["http"]

+logLevel = "DEBUG"
+
 [entryPoints]
  [entryPoints.http]
  address = ":8000"

-logLevel = "DEBUG"
-
 [docker]

 # It's dynamagic !
--- a/integration/fixtures/etcd/simple.toml
+++ b/integration/fixtures/etcd/simple.toml
@@ -1,10 +1,16 @@
 defaultEntryPoints = ["http"]

+logLevel = "DEBUG"
+
 [entryPoints]
  [entryPoints.http]
  address = ":8000"

-logLevel = "DEBUG"

 [etcd]
-  endpoint = "127.0.0.1:4003,127.0.0.1:4002,127.0.0.1:4001"
+  endpoint = "{{.EtcdHost}}:2379"
+  prefix = "/traefik"
+  watch = true
+
+[web]
+  address = ":8081"
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/containous/traefik/integration/utils"
 	"github.com/go-check/check"

-	compose "github.com/vdemeester/libkermit/compose/check"
+	"github.com/libkermit/docker-check/compose"
 	checker "github.com/vdemeester/shakers"
 )

@@ -23,6 +23,7 @@ func Test(t *testing.T) {

 func init() {
 	check.Suite(&SimpleSuite{})
+	check.Suite(&AccessLogSuite{})
 	check.Suite(&HTTPSSuite{})
 	check.Suite(&FileSuite{})
 	check.Suite(&DockerSuite{})
@@ -30,6 +31,7 @@ func init() {
 	check.Suite(&ConsulCatalogSuite{})
 	check.Suite(&EtcdSuite{})
 	check.Suite(&MarathonSuite{})
+	check.Suite(&ConstraintSuite{})
 }

 var traefikBinary = "../dist/traefik"
@@ -63,7 +65,11 @@ func (s *BaseSuite) adaptFileForHost(c *check.C, path string) string {
 		// Default docker socket
 		dockerHost = "unix:///var/run/docker.sock"
 	}
+	tempObjects := struct{ DockerHost string }{dockerHost}
+	return s.adaptFile(c, path, tempObjects)
+}

+func (s *BaseSuite) adaptFile(c *check.C, path string, tempObjects interface{}) string {
 	// Load file
 	tmpl, err := template.ParseFiles(path)
 	c.Assert(err, checker.IsNil)
@@ -73,7 +79,7 @@ func (s *BaseSuite) adaptFileForHost(c *check.C, path string) string {
 	c.Assert(err, checker.IsNil)
 	defer tmpFile.Close()

-	err = tmpl.ExecuteTemplate(tmpFile, prefix, struct{ DockerHost string }{dockerHost})
+	err = tmpl.ExecuteTemplate(tmpFile, prefix, tempObjects)
 	c.Assert(err, checker.IsNil)
 	err = tmpFile.Sync()

--- a/integration/marathon_test.go
+++ b/integration/marathon_test.go
@@ -15,6 +15,19 @@ type MarathonSuite struct{ BaseSuite }

 func (s *MarathonSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "marathon")
+	s.composeProject.Start(c)
+	// wait for marathon
+	// err := utils.TryRequest("http://127.0.0.1:8080/ping", 60*time.Second, func(res *http.Response) error {
+	// 	body, err := ioutil.ReadAll(res.Body)
+	// 	if err != nil {
+	// 		return err
+	// 	}
+	// 	if !strings.Contains(string(body), "ping") {
+	// 		return errors.New("Incorrect marathon config")
+	// 	}
+	// 	return nil
+	// })
+	// c.Assert(err, checker.IsNil)
 }

 func (s *MarathonSuite) TestSimpleConfiguration(c *check.C) {
--- a/integration/resources/compose/constraints.yml
+++ b/integration/resources/compose/constraints.yml
@@ -0,0 +1,17 @@
+consul:
+  image: progrium/consul
+  command: -server -bootstrap -log-level debug -ui-dir /ui
+  ports:
+    - "8400:8400"
+    - "8500:8500"
+    - "8600:53/udp"
+  expose:
+    - "8300"
+    - "8301"
+    - "8301/udp"
+    - "8302"
+    - "8302/udp"
+nginx:
+  image: nginx
+  ports:
+    - "8881:80"
--- a/integration/resources/compose/consul.yml
+++ b/integration/resources/compose/consul.yml
@@ -1,6 +1,6 @@
 consul:
  image: progrium/consul
-  command: -server -bootstrap -advertise 12.0.0.254 -log-level debug -ui-dir /ui
+  command: -server -bootstrap -log-level debug -ui-dir /ui
  ports:
    - "8400:8400"
    - "8500:8500"
@@ -10,4 +10,16 @@ consul:
    - "8301"
    - "8301/udp"
    - "8302"
-    - "8302/udp"
+    - "8302/udp"  
+    
+whoami1:
+  image: emilevauge/whoami
+  
+whoami2:
+  image: emilevauge/whoami
+  
+whoami3:
+  image: emilevauge/whoami
+  
+whoami4:
+  image: emilevauge/whoami
--- a/integration/resources/compose/etcd.yml
+++ b/integration/resources/compose/etcd.yml
@@ -1,30 +1,14 @@
-etcd1:
-  image: quay.io/coreos/etcd:v2.2.0
-  net: "host"
-  command: >
-    --name etcd1
-    --listen-peer-urls http://localhost:7001
-    --listen-client-urls http://localhost:4001
-    --initial-advertise-peer-urls http://localhost:7001
-    --advertise-client-urls http://localhost:4001
-    --initial-cluster etcd1=http://localhost:7001,etcd2=http://localhost:7002,etcd3=http://localhost:7003
-etcd2:
-  image: quay.io/coreos/etcd:v2.2.0
-  net: "host"
-  command: >
-    --name etcd2
-    --listen-peer-urls http://localhost:7002
-    --listen-client-urls http://localhost:4002
-    --initial-advertise-peer-urls http://localhost:7002
-    --advertise-client-urls http://localhost:4002
-    --initial-cluster etcd1=http://localhost:7001,etcd2=http://localhost:7002,etcd3=http://localhost:7003
-etcd3:
-  image: quay.io/coreos/etcd:v2.2.0
-  net: "host"
-  command: >
-    --name etcd3
-    --listen-peer-urls http://localhost:7003
-    --listen-client-urls http://localhost:4003
-    --initial-advertise-peer-urls http://localhost:7003
-    --advertise-client-urls http://localhost:4003
-    --initial-cluster etcd1=http://localhost:7001,etcd2=http://localhost:7002,etcd3=http://localhost:7003
+etcd:
+  image: containous/docker-etcd
+  
+whoami1:
+  image: emilevauge/whoami
+  
+whoami2:
+  image: emilevauge/whoami
+  
+whoami3:
+  image: emilevauge/whoami
+  
+whoami4:
+  image: emilevauge/whoami
--- a/integration/resources/compose/marathon.yml
+++ b/integration/resources/compose/marathon.yml
@@ -6,7 +6,7 @@ zk:
    ZK_ID: " 1"

 master:
-  image: mesosphere/mesos-master:0.23.0-1.0.ubuntu1404
+  image: mesosphere/mesos-master:0.28.1-2.0.20.ubuntu1404
  net: host
  environment:
    MESOS_ZK: zk://127.0.0.1:2181/mesos
@@ -17,7 +17,7 @@ master:
    MESOS_WORK_DIR: /var/lib/mesos

 slave:
-  image: mesosphere/mesos-slave:0.23.0-1.0.ubuntu1404
+  image: mesosphere/mesos-slave:0.28.1-2.0.20.ubuntu1404
  net: host
  pid: host
  privileged: true
@@ -31,12 +31,13 @@ slave:
    - /usr/bin/docker:/usr/bin/docker:ro
    - /usr/lib/x86_64-linux-gnu/libapparmor.so.1:/usr/lib/x86_64-linux-gnu/libapparmor.so.1:ro
    - /var/run/docker.sock:/var/run/docker.sock
+    - /lib/x86_64-linux-gnu/libsystemd-journal.so.0:/lib/x86_64-linux-gnu/libsystemd-journal.so.0

 marathon:
-  image: mesosphere/marathon:v0.9.2
+  image: mesosphere/marathon:v1.1.1
  net: host
  environment:
    MARATHON_MASTER: zk://127.0.0.1:2181/mesos
    MARATHON_ZK: zk://127.0.0.1:2181/marathon
    MARATHON_HOSTNAME: 127.0.0.1
-  command: --event_subscriber http_callback
+  command: --event_subscriber http_callback
--- a/integration/utils/try.go
+++ b/integration/utils/try.go
@@ -0,0 +1,50 @@
+package utils
+
+import (
+	"errors"
+	"github.com/cenkalti/backoff"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// TryRequest try operation timeout, and retry backoff
+func TryRequest(url string, timeout time.Duration, condition Condition) error {
+	exponentialBackOff := backoff.NewExponentialBackOff()
+	exponentialBackOff.MaxElapsedTime = timeout
+	var res *http.Response
+	err := backoff.Retry(func() error {
+		var err error
+		res, err = http.Get(url)
+		if err != nil {
+			return err
+		}
+		return condition(res)
+	}, exponentialBackOff)
+	return err
+}
+
+// Try try operation timeout, and retry backoff
+func Try(timeout time.Duration, operation func() error) error {
+	exponentialBackOff := backoff.NewExponentialBackOff()
+	exponentialBackOff.MaxElapsedTime = timeout
+	err := backoff.Retry(operation, exponentialBackOff)
+	return err
+}
+
+// Condition is a retry condition function.
+// It receives a response, and returns an error
+// if the response failed the condition.
+type Condition func(*http.Response) error
+
+// ErrorIfStatusCodeIsNot returns a retry condition function.
+// The condition returns an error
+// if the given response's status code is not the given HTTP status code.
+func ErrorIfStatusCodeIsNot(status int) Condition {
+	return func(res *http.Response) error {
+		if res.StatusCode != status {
+			return errors.New("Bad status. Got: " + res.Status + ", expected:" + strconv.Itoa(status))
+		}
+		return nil
+	}
+}
--- a/middlewares/cbreaker.go
+++ b/middlewares/cbreaker.go
@@ -3,7 +3,7 @@ package middlewares
 import (
 	"net/http"

-	"github.com/containous/oxy/cbreaker"
+	"github.com/vulcand/oxy/cbreaker"
 )

 // CircuitBreaker holds the oxy circuit breaker.
@@ -12,9 +12,12 @@ type CircuitBreaker struct {
 }

 // NewCircuitBreaker returns a new CircuitBreaker.
-func NewCircuitBreaker(next http.Handler, expression string, options ...cbreaker.CircuitBreakerOption) *CircuitBreaker {
-	circuitBreaker, _ := cbreaker.New(next, expression, options...)
-	return &CircuitBreaker{circuitBreaker}
+func NewCircuitBreaker(next http.Handler, expression string, options ...cbreaker.CircuitBreakerOption) (*CircuitBreaker, error) {
+	circuitBreaker, err := cbreaker.New(next, expression, options...)
+	if err != nil {
+		return nil, err
+	}
+	return &CircuitBreaker{circuitBreaker}, nil
 }

 func (cb *CircuitBreaker) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
--- a/middlewares/handlerSwitcher.go
+++ b/middlewares/handlerSwitcher.go
@@ -1,40 +1,35 @@
 package middlewares

 import (
-	"github.com/gorilla/mux"
+	"github.com/containous/mux"
+	"github.com/containous/traefik/safe"
 	"net/http"
-	"sync"
 )

 // HandlerSwitcher allows hot switching of http.ServeMux
 type HandlerSwitcher struct {
-	handler     *mux.Router
-	handlerLock *sync.Mutex
+	handler *safe.Safe
 }

 // NewHandlerSwitcher builds a new instance of HandlerSwitcher
 func NewHandlerSwitcher(newHandler *mux.Router) (hs *HandlerSwitcher) {
 	return &HandlerSwitcher{
-		handler:     newHandler,
-		handlerLock: &sync.Mutex{},
+		handler: safe.New(newHandler),
 	}
 }

 func (hs *HandlerSwitcher) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
-	hs.handlerLock.Lock()
-	handlerBackup := hs.handler
-	hs.handlerLock.Unlock()
+	handlerBackup := hs.handler.Get().(*mux.Router)
 	handlerBackup.ServeHTTP(rw, r)
 }

 // GetHandler returns the current http.ServeMux
 func (hs *HandlerSwitcher) GetHandler() (newHandler *mux.Router) {
-	return hs.handler
+	handler := hs.handler.Get().(*mux.Router)
+	return handler
 }

 // UpdateHandler safely updates the current http.ServeMux with a new one
 func (hs *HandlerSwitcher) UpdateHandler(newHandler *mux.Router) {
-	hs.handlerLock.Lock()
-	hs.handler = newHandler
-	defer hs.handlerLock.Unlock()
+	hs.handler.Set(newHandler)
 }
--- a/middlewares/logger.go
+++ b/middlewares/logger.go
@@ -1,18 +1,55 @@
 package middlewares

 import (
-	"log"
+	"bufio"
+	"fmt"
+	log "github.com/Sirupsen/logrus"
+	"github.com/streamrail/concurrent-map"
+	"io"
+	"net"
 	"net/http"
 	"os"
-
-	"github.com/gorilla/handlers"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"time"
 )

-// Logger is a middleware handler that logs the request as it goes in and the response as it goes out.
+const (
+	loggerReqidHeader = "X-Traefik-Reqid"
+)
+
+/*
+Logger writes each request and its response to the access log.
+It gets some information from the logInfoResponseWriter set up by previous middleware.
+*/
 type Logger struct {
 	file *os.File
 }

+// Logging handler to log frontend name, backend name, and elapsed time
+type frontendBackendLoggingHandler struct {
+	reqid       string
+	writer      io.Writer
+	handlerFunc http.HandlerFunc
+}
+
+var (
+	reqidCounter        uint64       // Request ID
+	infoRwMap           = cmap.New() // Map of reqid to response writer
+	backend2FrontendMap *map[string]string
+)
+
+// logInfoResponseWriter is a wrapper of type http.ResponseWriter
+// that tracks frontend and backend names and request status and size
+type logInfoResponseWriter struct {
+	rw       http.ResponseWriter
+	backend  string
+	frontend string
+	status   int
+	size     int
+}
+
 // NewLogger returns a new Logger instance.
 func NewLogger(file string) *Logger {
 	if len(file) > 0 {
@@ -25,15 +62,136 @@ func NewLogger(file string) *Logger {
 	return &Logger{nil}
 }

+// SetBackend2FrontendMap is called by server.go to set up frontend translation
+func SetBackend2FrontendMap(newMap *map[string]string) {
+	backend2FrontendMap = newMap
+}
+
 func (l *Logger) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 	if l.file == nil {
 		next(rw, r)
 	} else {
-		handlers.CombinedLoggingHandler(l.file, next).ServeHTTP(rw, r)
+		reqid := strconv.FormatUint(atomic.AddUint64(&reqidCounter, 1), 10)
+		r.Header[loggerReqidHeader] = []string{reqid}
+		defer deleteReqid(r, reqid)
+		frontendBackendLoggingHandler{reqid, l.file, next}.ServeHTTP(rw, r)
 	}
 }

-// Close closes the logger (i.e. the file).
-func (l *Logger) Close() {
-	l.file.Close()
+// Delete a reqid from the map and the request's headers
+func deleteReqid(r *http.Request, reqid string) {
+	infoRwMap.Remove(reqid)
+	delete(r.Header, loggerReqidHeader)
+}
+
+// Save the backend name for the Logger
+func saveBackendNameForLogger(r *http.Request, backendName string) {
+	if reqidHdr := r.Header[loggerReqidHeader]; len(reqidHdr) == 1 {
+		reqid := reqidHdr[0]
+		if infoRw, ok := infoRwMap.Get(reqid); ok {
+			infoRw.(*logInfoResponseWriter).SetBackend(backendName)
+			infoRw.(*logInfoResponseWriter).SetFrontend((*backend2FrontendMap)[backendName])
+		}
+	}
+}
+
+// Close closes the Logger (i.e. the file).
+func (l *Logger) Close() {
+	if l.file != nil {
+		l.file.Close()
+	}
+}
+
+// Logging handler to log frontend name, backend name, and elapsed time
+func (fblh frontendBackendLoggingHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	startTime := time.Now()
+	infoRw := &logInfoResponseWriter{rw: rw}
+	infoRwMap.Set(fblh.reqid, infoRw)
+	fblh.handlerFunc(infoRw, req)
+
+	username := "-"
+	url := *req.URL
+	if url.User != nil {
+		if name := url.User.Username(); name != "" {
+			username = name
+		}
+	}
+
+	host, _, err := net.SplitHostPort(req.RemoteAddr)
+	if err != nil {
+		host = req.RemoteAddr
+	}
+
+	ts := startTime.Format("02/Jan/2006:15:04:05 -0700")
+	method := req.Method
+	uri := url.RequestURI()
+	if qmIndex := strings.Index(uri, "?"); qmIndex > 0 {
+		uri = uri[0:qmIndex]
+	}
+	proto := req.Proto
+	referer := req.Referer()
+	agent := req.UserAgent()
+
+	frontend := strings.TrimPrefix(infoRw.GetFrontend(), "frontend-")
+	backend := infoRw.GetBackend()
+	status := infoRw.GetStatus()
+	size := infoRw.GetSize()
+
+	elapsed := time.Now().UTC().Sub(startTime.UTC())
+	fmt.Fprintf(fblh.writer, `%s - %s [%s] "%s %s %s" %d %d "%s" "%s" %s "%s" "%s" %s%s`,
+		host, username, ts, method, uri, proto, status, size, referer, agent, fblh.reqid, frontend, backend, elapsed, "\n")
+
+}
+
+func (lirw *logInfoResponseWriter) Header() http.Header {
+	return lirw.rw.Header()
+}
+
+func (lirw *logInfoResponseWriter) Write(b []byte) (int, error) {
+	if lirw.status == 0 {
+		lirw.status = http.StatusOK
+	}
+	size, err := lirw.rw.Write(b)
+	lirw.size += size
+	return size, err
+}
+
+func (lirw *logInfoResponseWriter) WriteHeader(s int) {
+	lirw.rw.WriteHeader(s)
+	lirw.status = s
+}
+
+func (lirw *logInfoResponseWriter) Flush() {
+	f, ok := lirw.rw.(http.Flusher)
+	if ok {
+		f.Flush()
+	}
+}
+
+func (lirw *logInfoResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	return lirw.rw.(http.Hijacker).Hijack()
+}
+
+func (lirw *logInfoResponseWriter) GetStatus() int {
+	return lirw.status
+}
+
+func (lirw *logInfoResponseWriter) GetSize() int {
+	return lirw.size
+}
+
+func (lirw *logInfoResponseWriter) GetBackend() string {
+	return lirw.backend
+}
+
+func (lirw *logInfoResponseWriter) GetFrontend() string {
+	return lirw.frontend
+}
+
+func (lirw *logInfoResponseWriter) SetBackend(backend string) {
+	lirw.backend = backend
+}
+
+func (lirw *logInfoResponseWriter) SetFrontend(frontend string) {
+	lirw.frontend = frontend
 }
--- a/middlewares/logger_test.go
+++ b/middlewares/logger_test.go
@@ -0,0 +1,116 @@
+package middlewares
+
+import (
+	"fmt"
+	shellwords "github.com/mattn/go-shellwords"
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+type logtestResponseWriter struct{}
+
+var (
+	logger                  *Logger
+	logfileName             = "traefikTestLogger.log"
+	logfilePath             string
+	helloWorld              = "Hello, World"
+	testBackendName         = "http://127.0.0.1/testBackend"
+	testFrontendName        = "testFrontend"
+	testStatus              = 123
+	testHostname            = "TestHost"
+	testUsername            = "TestUser"
+	testPath                = "http://testpath"
+	testPort                = 8181
+	testProto               = "HTTP/0.0"
+	testMethod              = "POST"
+	testReferer             = "testReferer"
+	testUserAgent           = "testUserAgent"
+	testBackend2FrontendMap = map[string]string{
+		testBackendName: testFrontendName,
+	}
+	printedLogdata bool
+)
+
+func TestLogger(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		logfilePath = filepath.Join(os.Getenv("TEMP"), logfileName)
+	} else {
+		logfilePath = filepath.Join("/tmp", logfileName)
+	}
+
+	logger = NewLogger(logfilePath)
+	defer cleanup()
+	SetBackend2FrontendMap(&testBackend2FrontendMap)
+
+	r := &http.Request{
+		Header: map[string][]string{
+			"User-Agent": {testUserAgent},
+			"Referer":    {testReferer},
+		},
+		Proto:      testProto,
+		Host:       testHostname,
+		Method:     testMethod,
+		RemoteAddr: fmt.Sprintf("%s:%d", testHostname, testPort),
+		URL: &url.URL{
+			User: url.UserPassword(testUsername, ""),
+			Path: testPath,
+		},
+	}
+
+	logger.ServeHTTP(&logtestResponseWriter{}, r, LogWriterTestHandlerFunc)
+
+	if logdata, err := ioutil.ReadFile(logfilePath); err != nil {
+		fmt.Printf("%s\n%s\n", string(logdata), err.Error())
+		assert.Nil(t, err)
+	} else if tokens, err := shellwords.Parse(string(logdata)); err != nil {
+		fmt.Printf("%s\n", err.Error())
+		assert.Nil(t, err)
+	} else if assert.Equal(t, 14, len(tokens), printLogdata(logdata)) {
+		assert.Equal(t, testHostname, tokens[0], printLogdata(logdata))
+		assert.Equal(t, testUsername, tokens[2], printLogdata(logdata))
+		assert.Equal(t, fmt.Sprintf("%s %s %s", testMethod, testPath, testProto), tokens[5], printLogdata(logdata))
+		assert.Equal(t, fmt.Sprintf("%d", testStatus), tokens[6], printLogdata(logdata))
+		assert.Equal(t, fmt.Sprintf("%d", len(helloWorld)), tokens[7], printLogdata(logdata))
+		assert.Equal(t, testReferer, tokens[8], printLogdata(logdata))
+		assert.Equal(t, testUserAgent, tokens[9], printLogdata(logdata))
+		assert.Equal(t, "1", tokens[10], printLogdata(logdata))
+		assert.Equal(t, testFrontendName, tokens[11], printLogdata(logdata))
+		assert.Equal(t, testBackendName, tokens[12], printLogdata(logdata))
+	}
+}
+
+func cleanup() {
+	logger.Close()
+	os.Remove(logfilePath)
+}
+
+func printLogdata(logdata []byte) string {
+	return fmt.Sprintf(
+		"\nExpected: %s\n"+
+			"Actual:   %s",
+		"TestHost - TestUser [13/Apr/2016:07:14:19 -0700] \"POST http://testpath HTTP/0.0\" 123 12 \"testReferer\" \"testUserAgent\" 1 \"testFrontend\" \"http://127.0.0.1/testBackend\" 1ms",
+		string(logdata))
+}
+
+func LogWriterTestHandlerFunc(rw http.ResponseWriter, r *http.Request) {
+	rw.Write([]byte(helloWorld))
+	rw.WriteHeader(testStatus)
+	saveBackendNameForLogger(r, testBackendName)
+}
+
+func (lrw *logtestResponseWriter) Header() http.Header {
+	return map[string][]string{}
+}
+
+func (lrw *logtestResponseWriter) Write(b []byte) (int, error) {
+	return len(b), nil
+}
+
+func (lrw *logtestResponseWriter) WriteHeader(s int) {
+}
--- a/middlewares/retry.go
+++ b/middlewares/retry.go
@@ -0,0 +1,92 @@
+package middlewares
+
+import (
+	"bufio"
+	"bytes"
+	log "github.com/Sirupsen/logrus"
+	"github.com/vulcand/oxy/utils"
+	"net"
+	"net/http"
+)
+
+// Retry is a middleware that retries requests
+type Retry struct {
+	attempts int
+	next     http.Handler
+}
+
+// NewRetry returns a new Retry instance
+func NewRetry(attempts int, next http.Handler) *Retry {
+	return &Retry{
+		attempts: attempts,
+		next:     next,
+	}
+}
+
+func (retry *Retry) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	attempts := 1
+	for {
+		recorder := NewRecorder()
+		recorder.responseWriter = rw
+		retry.next.ServeHTTP(recorder, r)
+		if !isNetworkError(recorder.Code) || attempts >= retry.attempts {
+			utils.CopyHeaders(rw.Header(), recorder.Header())
+			rw.WriteHeader(recorder.Code)
+			rw.Write(recorder.Body.Bytes())
+			break
+		}
+		attempts++
+		log.Debugf("New attempt %d for request: %v", attempts, r.URL)
+	}
+}
+
+func isNetworkError(status int) bool {
+	return status == http.StatusBadGateway || status == http.StatusGatewayTimeout
+}
+
+// ResponseRecorder is an implementation of http.ResponseWriter that
+// records its mutations for later inspection in tests.
+type ResponseRecorder struct {
+	Code      int           // the HTTP response code from WriteHeader
+	HeaderMap http.Header   // the HTTP response headers
+	Body      *bytes.Buffer // if non-nil, the bytes.Buffer to append written data to
+
+	responseWriter http.ResponseWriter
+}
+
+// NewRecorder returns an initialized ResponseRecorder.
+func NewRecorder() *ResponseRecorder {
+	return &ResponseRecorder{
+		HeaderMap: make(http.Header),
+		Body:      new(bytes.Buffer),
+		Code:      200,
+	}
+}
+
+// Header returns the response headers.
+func (rw *ResponseRecorder) Header() http.Header {
+	m := rw.HeaderMap
+	if m == nil {
+		m = make(http.Header)
+		rw.HeaderMap = m
+	}
+	return m
+}
+
+// Write always succeeds and writes to rw.Body, if not nil.
+func (rw *ResponseRecorder) Write(buf []byte) (int, error) {
+	if rw.Body != nil {
+		return rw.Body.Write(buf)
+	}
+	return 0, nil
+}
+
+// WriteHeader sets rw.Code.
+func (rw *ResponseRecorder) WriteHeader(code int) {
+	rw.Code = code
+}
+
+// Hijack hijacks the connection
+func (rw *ResponseRecorder) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	return rw.responseWriter.(http.Hijacker).Hijack()
+}
--- a/middlewares/routes.go
+++ b/middlewares/routes.go
@@ -5,7 +5,7 @@ import (
 	"log"
 	"net/http"

-	"github.com/gorilla/mux"
+	"github.com/containous/mux"
 )

 // Routes holds the gorilla mux routes (for the API & co).
--- a/middlewares/saveBackend.go
+++ b/middlewares/saveBackend.go
@@ -0,0 +1,20 @@
+package middlewares
+
+import (
+	"net/http"
+)
+
+// SaveBackend sends the backend name to the logger.
+type SaveBackend struct {
+	next http.Handler
+}
+
+// NewSaveBackend creates a SaveBackend
+func NewSaveBackend(next http.Handler) *SaveBackend {
+	return &SaveBackend{next}
+}
+
+func (sb *SaveBackend) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	saveBackendNameForLogger(r, (*r.URL).String())
+	sb.next.ServeHTTP(rw, r)
+}
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -46,4 +46,7 @@ pages:
  - Getting Started: index.md
  - Basics: basics.md
  - traefik.toml: toml.md
+  - User Guide:
+      - 'Configuration examples': 'user-guide/examples.md'
+      - 'Swarm cluster': 'user-guide/swarm.md'
  - Benchmarks: benchmarks.md
--- a/mocks/Marathon.go
+++ b/mocks/Marathon.go
@@ -169,13 +169,13 @@ func (_m *Marathon) DeleteApplication(name string) (*marathon.DeploymentID, erro
 	return r0, r1
 }

-// UpdateApplication provides a mock function with given fields: application
-func (_m *Marathon) UpdateApplication(application *marathon.Application) (*marathon.DeploymentID, error) {
-	ret := _m.Called(application)
+// UpdateApplication provides a mock function with given fields: application, force
+func (_m *Marathon) UpdateApplication(application *marathon.Application, force bool) (*marathon.DeploymentID, error) {
+	ret := _m.Called(application, force)

 	var r0 *marathon.DeploymentID
-	if rf, ok := ret.Get(0).(func(*marathon.Application) *marathon.DeploymentID); ok {
-		r0 = rf(application)
+	if rf, ok := ret.Get(0).(func(*marathon.Application, bool) *marathon.DeploymentID); ok {
+		r0 = rf(application, force)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*marathon.DeploymentID)
@@ -183,8 +183,8 @@ func (_m *Marathon) UpdateApplication(application *marathon.Application) (*marat
 	}

 	var r1 error
-	if rf, ok := ret.Get(1).(func(*marathon.Application) error); ok {
-		r1 = rf(application)
+	if rf, ok := ret.Get(1).(func(*marathon.Application, bool) error); ok {
+		r1 = rf(application, force)
 	} else {
 		r1 = ret.Error(1)
 	}
@@ -307,6 +307,29 @@ func (_m *Marathon) Application(name string) (*marathon.Application, error) {
 	return r0, r1
 }

+// ApplicationByVersion provides a mock function with given fields: name, version
+func (_m *Marathon) ApplicationByVersion(name string, version string) (*marathon.Application, error) {
+	ret := _m.Called(name, version)
+
+	var r0 *marathon.Application
+	if rf, ok := ret.Get(0).(func(string, string) *marathon.Application); ok {
+		r0 = rf(name, version)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*marathon.Application)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, string) error); ok {
+		r1 = rf(name, version)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // WaitOnApplication provides a mock function with given fields: name, timeout
 func (_m *Marathon) WaitOnApplication(name string, timeout time.Duration) error {
 	ret := _m.Called(name, timeout)
--- a/provider/boltdb.go
+++ b/provider/boltdb.go
@@ -1,6 +1,7 @@
 package provider

 import (
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/boltdb"
@@ -8,13 +9,13 @@ import (

 // BoltDb holds configurations of the BoltDb provider.
 type BoltDb struct {
-	Kv `mapstructure:",squash"`
+	Kv
 }

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *BoltDb) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *BoltDb) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	provider.storeType = store.BOLTDB
 	boltdb.Register()
-	return provider.provide(configurationChan)
+	return provider.provide(configurationChan, pool, constraints)
 }
--- a/provider/consul.go
+++ b/provider/consul.go
@@ -1,6 +1,7 @@
 package provider

 import (
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/consul"
@@ -8,13 +9,13 @@ import (

 // Consul holds configurations of the Consul provider.
 type Consul struct {
-	Kv `mapstructure:",squash"`
+	Kv
 }

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *Consul) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *Consul) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	provider.storeType = store.CONSUL
 	consul.Register()
-	return provider.provide(configurationChan)
+	return provider.provide(configurationChan, pool, constraints)
 }
--- a/provider/consul_catalog.go
+++ b/provider/consul_catalog.go
@@ -2,10 +2,13 @@ package provider

 import (
 	"errors"
+	"sort"
+	"strconv"
 	"strings"
 	"text/template"
 	"time"

+	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
 	"github.com/cenkalti/backoff"
 	"github.com/containous/traefik/safe"
@@ -16,21 +19,58 @@ import (
 const (
 	// DefaultWatchWaitTime is the duration to wait when polling consul
 	DefaultWatchWaitTime = 15 * time.Second
+	// DefaultConsulCatalogTagPrefix is a prefix for additional service/node configurations
+	DefaultConsulCatalogTagPrefix = "traefik"
 )

 // ConsulCatalog holds configurations of the Consul catalog provider.
 type ConsulCatalog struct {
-	BaseProvider `mapstructure:",squash"`
-	Endpoint     string
-	Domain       string
-	client       *api.Client
+	BaseProvider
+	Endpoint string `description:"Consul server endpoint"`
+	Domain   string `description:"Default domain used"`
+	client   *api.Client
+	Prefix   string
+}
+
+type serviceUpdate struct {
+	ServiceName string
+	Attributes  []string
 }

 type catalogUpdate struct {
-	Service string
+	Service *serviceUpdate
 	Nodes   []*api.ServiceEntry
 }

+type nodeSorter []*api.ServiceEntry
+
+func (a nodeSorter) Len() int {
+	return len(a)
+}
+
+func (a nodeSorter) Swap(i int, j int) {
+	a[i], a[j] = a[j], a[i]
+}
+
+func (a nodeSorter) Less(i int, j int) bool {
+	lentr := a[i]
+	rentr := a[j]
+
+	ls := strings.ToLower(lentr.Service.Service)
+	lr := strings.ToLower(rentr.Service.Service)
+
+	if ls != lr {
+		return ls < lr
+	}
+	if lentr.Service.Address != rentr.Service.Address {
+		return lentr.Service.Address < rentr.Service.Address
+	}
+	if lentr.Node.Address != rentr.Node.Address {
+		return lentr.Node.Address < rentr.Node.Address
+	}
+	return lentr.Service.Port < rentr.Service.Port
+}
+
 func (provider *ConsulCatalog) watchServices(stopCh <-chan struct{}) <-chan map[string][]string {
 	watchCh := make(chan map[string][]string)

@@ -79,41 +119,125 @@ func (provider *ConsulCatalog) healthyNodes(service string) (catalogUpdate, erro
 		return catalogUpdate{}, err
 	}

+	nodes := fun.Filter(func(node *api.ServiceEntry) bool {
+		constraintTags := provider.getContraintTags(node.Service.Tags)
+		ok, failingConstraint := provider.MatchConstraints(constraintTags)
+		if ok == false && failingConstraint != nil {
+			log.Debugf("Service %v pruned by '%v' constraint", service, failingConstraint.String())
+		}
+		return ok
+	}, data).([]*api.ServiceEntry)
+
+	//Merge tags of nodes matching constraints, in a single slice.
+	tags := fun.Foldl(func(node *api.ServiceEntry, set []string) []string {
+		return fun.Keys(fun.Union(
+			fun.Set(set),
+			fun.Set(node.Service.Tags),
+		).(map[string]bool)).([]string)
+	}, []string{}, nodes).([]string)
+
 	return catalogUpdate{
-		Service: service,
-		Nodes:   data,
+		Service: &serviceUpdate{
+			ServiceName: service,
+			Attributes:  tags,
+		},
+		Nodes: nodes,
 	}, nil
 }

+func (provider *ConsulCatalog) getEntryPoints(list string) []string {
+	return strings.Split(list, ",")
+}
+
 func (provider *ConsulCatalog) getBackend(node *api.ServiceEntry) string {
 	return strings.ToLower(node.Service.Service)
 }

-func (provider *ConsulCatalog) getFrontendValue(service string) string {
-	return "Host:" + service + "." + provider.Domain
+func (provider *ConsulCatalog) getFrontendRule(service serviceUpdate) string {
+	customFrontendRule := provider.getAttribute("frontend.rule", service.Attributes, "")
+	if customFrontendRule != "" {
+		return customFrontendRule
+	}
+	return "Host:" + service.ServiceName + "." + provider.Domain
+}
+
+func (provider *ConsulCatalog) getBackendAddress(node *api.ServiceEntry) string {
+	if node.Service.Address != "" {
+		return node.Service.Address
+	}
+	return node.Node.Address
+}
+
+func (provider *ConsulCatalog) getBackendName(node *api.ServiceEntry, index int) string {
+	serviceName := strings.ToLower(node.Service.Service) + "--" + node.Service.Address + "--" + strconv.Itoa(node.Service.Port)
+
+	for _, tag := range node.Service.Tags {
+		serviceName += "--" + normalize(tag)
+	}
+
+	serviceName = strings.Replace(serviceName, ".", "-", -1)
+	serviceName = strings.Replace(serviceName, "=", "-", -1)
+
+	// unique int at the end
+	serviceName += "--" + strconv.Itoa(index)
+	return serviceName
+}
+
+func (provider *ConsulCatalog) getAttribute(name string, tags []string, defaultValue string) string {
+	for _, tag := range tags {
+		if strings.Index(strings.ToLower(tag), DefaultConsulCatalogTagPrefix+".") == 0 {
+			if kv := strings.SplitN(tag[len(DefaultConsulCatalogTagPrefix+"."):], "=", 2); len(kv) == 2 && strings.ToLower(kv[0]) == strings.ToLower(name) {
+				return kv[1]
+			}
+		}
+	}
+	return defaultValue
+}
+
+func (provider *ConsulCatalog) getContraintTags(tags []string) []string {
+	var list []string
+
+	for _, tag := range tags {
+		if strings.Index(strings.ToLower(tag), DefaultConsulCatalogTagPrefix+".tags=") == 0 {
+			splitedTags := strings.Split(tag[len(DefaultConsulCatalogTagPrefix+".tags="):], ",")
+			list = append(list, splitedTags...)
+		}
+	}
+
+	return list
 }

 func (provider *ConsulCatalog) buildConfig(catalog []catalogUpdate) *types.Configuration {
 	var FuncMap = template.FuncMap{
-		"getBackend":       provider.getBackend,
-		"getFrontendValue": provider.getFrontendValue,
-		"replace":          replace,
+		"getBackend":        provider.getBackend,
+		"getFrontendRule":   provider.getFrontendRule,
+		"getBackendName":    provider.getBackendName,
+		"getBackendAddress": provider.getBackendAddress,
+		"getAttribute":      provider.getAttribute,
+		"getEntryPoints":    provider.getEntryPoints,
 	}

 	allNodes := []*api.ServiceEntry{}
-	serviceNames := []string{}
+	services := []*serviceUpdate{}
 	for _, info := range catalog {
-		if len(info.Nodes) > 0 {
-			serviceNames = append(serviceNames, info.Service)
-			allNodes = append(allNodes, info.Nodes...)
+		for _, node := range info.Nodes {
+			isEnabled := provider.getAttribute("enable", node.Service.Tags, "true")
+			if isEnabled != "false" && len(info.Nodes) > 0 {
+				services = append(services, info.Service)
+				allNodes = append(allNodes, info.Nodes...)
+				break
+			}
+
 		}
 	}
+	// Ensure a stable ordering of nodes so that identical configurations may be detected
+	sort.Sort(nodeSorter(allNodes))

 	templateObjects := struct {
-		Services []string
+		Services []*serviceUpdate
 		Nodes    []*api.ServiceEntry
 	}{
-		Services: serviceNames,
+		Services: services,
 		Nodes:    allNodes,
 	}

@@ -140,13 +264,16 @@ func (provider *ConsulCatalog) getNodes(index map[string][]string) ([]catalogUpd
 			if err != nil {
 				return nil, err
 			}
-			nodes = append(nodes, healthy)
+			// healthy.Nodes can be empty if constraints do not match, without throwing error
+			if healthy.Service != nil && len(healthy.Nodes) > 0 {
+				nodes = append(nodes, healthy)
+			}
 		}
 	}
 	return nodes, nil
 }

-func (provider *ConsulCatalog) watch(configurationChan chan<- types.ConfigMessage) error {
+func (provider *ConsulCatalog) watch(configurationChan chan<- types.ConfigMessage, stop chan bool) error {
 	stopCh := make(chan struct{})
 	serviceCatalog := provider.watchServices(stopCh)

@@ -154,6 +281,8 @@ func (provider *ConsulCatalog) watch(configurationChan chan<- types.ConfigMessag

 	for {
 		select {
+		case <-stop:
+			return nil
 		case index, ok := <-serviceCatalog:
 			if !ok {
 				return errors.New("Consul service list nil")
@@ -174,7 +303,7 @@ func (provider *ConsulCatalog) watch(configurationChan chan<- types.ConfigMessag

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *ConsulCatalog) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *ConsulCatalog) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	config := api.DefaultConfig()
 	config.Address = provider.Endpoint
 	client, err := api.NewClient(config)
@@ -182,13 +311,14 @@ func (provider *ConsulCatalog) Provide(configurationChan chan<- types.ConfigMess
 		return err
 	}
 	provider.client = client
+	provider.Constraints = append(provider.Constraints, constraints...)

-	safe.Go(func() {
+	pool.Go(func(stop chan bool) {
 		notify := func(err error, time time.Duration) {
 			log.Errorf("Consul connection error %+v, retrying in %s", err, time)
 		}
 		worker := func() error {
-			return provider.watch(configurationChan)
+			return provider.watch(configurationChan, stop)
 		}
 		err := backoff.RetryNotify(worker, backoff.NewExponentialBackOff(), notify)
 		if err != nil {
--- a/provider/consul_catalog_test.go
+++ b/provider/consul_catalog_test.go
@@ -2,6 +2,7 @@ package provider

 import (
 	"reflect"
+	"sort"
 	"testing"

 	"github.com/containous/traefik/types"
@@ -14,17 +15,161 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 	}

 	services := []struct {
-		service  string
+		service  serviceUpdate
 		expected string
 	}{
 		{
-			service:  "foo",
+			service: serviceUpdate{
+				ServiceName: "foo",
+				Attributes:  []string{},
+			},
 			expected: "Host:foo.localhost",
 		},
+		{
+			service: serviceUpdate{
+				ServiceName: "foo",
+				Attributes: []string{
+					"traefik.frontend.rule=Host:*.example.com",
+				},
+			},
+			expected: "Host:*.example.com",
+		},
 	}

 	for _, e := range services {
-		actual := provider.getFrontendValue(e.service)
+		actual := provider.getFrontendRule(e.service)
+		if actual != e.expected {
+			t.Fatalf("expected %q, got %q", e.expected, actual)
+		}
+	}
+}
+
+func TestConsulCatalogGetAttribute(t *testing.T) {
+	provider := &ConsulCatalog{
+		Domain: "localhost",
+	}
+
+	services := []struct {
+		tags         []string
+		key          string
+		defaultValue string
+		expected     string
+	}{
+		{
+			tags: []string{
+				"foo.bar=ramdom",
+				"traefik.backend.weight=42",
+			},
+			key:          "backend.weight",
+			defaultValue: "",
+			expected:     "42",
+		},
+		{
+			tags: []string{
+				"foo.bar=ramdom",
+				"traefik.backend.wei=42",
+			},
+			key:          "backend.weight",
+			defaultValue: "",
+			expected:     "",
+		},
+	}
+
+	for _, e := range services {
+		actual := provider.getAttribute(e.key, e.tags, e.defaultValue)
+		if actual != e.expected {
+			t.Fatalf("expected %q, got %q", e.expected, actual)
+		}
+	}
+}
+
+func TestConsulCatalogGetBackendAddress(t *testing.T) {
+	provider := &ConsulCatalog{
+		Domain: "localhost",
+	}
+
+	services := []struct {
+		node     *api.ServiceEntry
+		expected string
+	}{
+		{
+			node: &api.ServiceEntry{
+				Node: &api.Node{
+					Address: "10.1.0.1",
+				},
+				Service: &api.AgentService{
+					Address: "10.2.0.1",
+				},
+			},
+			expected: "10.2.0.1",
+		},
+		{
+			node: &api.ServiceEntry{
+				Node: &api.Node{
+					Address: "10.1.0.1",
+				},
+				Service: &api.AgentService{
+					Address: "",
+				},
+			},
+			expected: "10.1.0.1",
+		},
+	}
+
+	for _, e := range services {
+		actual := provider.getBackendAddress(e.node)
+		if actual != e.expected {
+			t.Fatalf("expected %q, got %q", e.expected, actual)
+		}
+	}
+}
+
+func TestConsulCatalogGetBackendName(t *testing.T) {
+	provider := &ConsulCatalog{
+		Domain: "localhost",
+	}
+
+	services := []struct {
+		node     *api.ServiceEntry
+		expected string
+	}{
+		{
+			node: &api.ServiceEntry{
+				Service: &api.AgentService{
+					Service: "api",
+					Address: "10.0.0.1",
+					Port:    80,
+					Tags:    []string{},
+				},
+			},
+			expected: "api--10-0-0-1--80--0",
+		},
+		{
+			node: &api.ServiceEntry{
+				Service: &api.AgentService{
+					Service: "api",
+					Address: "10.0.0.1",
+					Port:    80,
+					Tags:    []string{"traefik.weight=42", "traefik.enable=true"},
+				},
+			},
+			expected: "api--10-0-0-1--80--traefik-weight-42--traefik-enable-true--1",
+		},
+		{
+			node: &api.ServiceEntry{
+				Service: &api.AgentService{
+					Service: "api",
+					Address: "10.0.0.1",
+					Port:    80,
+					Tags:    []string{"a funny looking tag"},
+				},
+			},
+			expected: "api--10-0-0-1--80--a-funny-looking-tag--2",
+		},
+	}
+
+	for i, e := range services {
+		actual := provider.getBackendName(e.node, i)
 		if actual != e.expected {
 			t.Fatalf("expected %q, got %q", e.expected, actual)
 		}
@@ -49,7 +194,10 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		{
 			nodes: []catalogUpdate{
 				{
-					Service: "test",
+					Service: &serviceUpdate{
+						ServiceName: "test",
+						Attributes:  []string{},
+					},
 				},
 			},
 			expectedFrontends: map[string]*types.Frontend{},
@@ -58,13 +206,26 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		{
 			nodes: []catalogUpdate{
 				{
-					Service: "test",
+					Service: &serviceUpdate{
+						ServiceName: "test",
+						Attributes: []string{
+							"traefik.backend.loadbalancer=drr",
+							"traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5",
+							"random.foo=bar",
+						},
+					},
 					Nodes: []*api.ServiceEntry{
 						{
 							Service: &api.AgentService{
 								Service: "test",
 								Address: "127.0.0.1",
 								Port:    80,
+								Tags: []string{
+									"traefik.backend.weight=42",
+									"random.foo=bar",
+									"traefik.backend.passHostHeader=true",
+									"traefik.protocol=https",
+								},
 							},
 							Node: &api.Node{
 								Node:    "localhost",
@@ -76,7 +237,8 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 			},
 			expectedFrontends: map[string]*types.Frontend{
 				"frontend-test": {
-					Backend: "backend-test",
+					Backend:        "backend-test",
+					PassHostHeader: true,
 					Routes: map[string]types.Route{
 						"route-host-test": {
 							Rule: "Host:test.localhost",
@@ -87,12 +249,17 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 			expectedBackends: map[string]*types.Backend{
 				"backend-test": {
 					Servers: map[string]types.Server{
-						"test--127-0-0-1--80": {
-							URL: "http://127.0.0.1:80",
+						"test--127-0-0-1--80--traefik-backend-weight-42--random-foo-bar--traefik-backend-passHostHeader-true--traefik-protocol-https--0": {
+							URL:    "https://127.0.0.1:80",
+							Weight: 42,
 						},
 					},
-					CircuitBreaker: nil,
-					LoadBalancer:   nil,
+					CircuitBreaker: &types.CircuitBreaker{
+						Expression: "NetworkErrorRatio() > 0.5",
+					},
+					LoadBalancer: &types.LoadBalancer{
+						Method: "drr",
+					},
 				},
 			},
 		},
@@ -108,3 +275,195 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		}
 	}
 }
+
+func TestConsulCatalogNodeSorter(t *testing.T) {
+	cases := []struct {
+		nodes    []*api.ServiceEntry
+		expected []*api.ServiceEntry
+	}{
+		{
+			nodes:    []*api.ServiceEntry{},
+			expected: []*api.ServiceEntry{},
+		},
+		{
+			nodes: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.1",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+			},
+			expected: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.1",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+			},
+		},
+		{
+			nodes: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.2",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "bar",
+						Address: "127.0.0.2",
+						Port:    81,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.1",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "bar",
+						Address: "127.0.0.2",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+			},
+			expected: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "bar",
+						Address: "127.0.0.2",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "bar",
+						Address: "127.0.0.2",
+						Port:    81,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.1",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "127.0.0.2",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+			},
+		},
+		{
+			nodes: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+			},
+			expected: []*api.ServiceEntry{
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.1",
+					},
+				},
+				{
+					Service: &api.AgentService{
+						Service: "foo",
+						Address: "",
+						Port:    80,
+					},
+					Node: &api.Node{
+						Node:    "localhost",
+						Address: "127.0.0.2",
+					},
+				},
+			},
+		},
+	}
+
+	for _, c := range cases {
+		sort.Sort(nodeSorter(c.nodes))
+		actual := c.nodes
+		if !reflect.DeepEqual(actual, c.expected) {
+			t.Fatalf("expected %q, got %q", c.expected, actual)
+		}
+	}
+}
--- a/provider/docker.go
+++ b/provider/docker.go
@@ -29,18 +29,18 @@ const DockerAPIVersion string = "1.21"

 // Docker holds configurations of the Docker provider.
 type Docker struct {
-	BaseProvider `mapstructure:",squash"`
-	Endpoint     string
-	Domain       string
-	TLS          *DockerTLS
+	BaseProvider
+	Endpoint string     `description:"Docker server endpoint. Can be a tcp or a unix socket endpoint"`
+	Domain   string     `description:"Default domain used"`
+	TLS      *DockerTLS `description:"Enable Docker TLS support"`
 }

 // DockerTLS holds TLS specific configurations
 type DockerTLS struct {
-	CA                 string
-	Cert               string
-	Key                string
-	InsecureSkipVerify bool
+	CA                 string `description:"TLS CA"`
+	Cert               string `description:"TLS cert"`
+	Key                string `description:"TLS key"`
+	InsecureSkipVerify bool   `description:"TLS insecure skip verify"`
 }

 func (provider *Docker) createClient() (client.APIClient, error) {
@@ -79,7 +79,9 @@ func (provider *Docker) createClient() (client.APIClient, error) {

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
+	provider.Constraints = append(provider.Constraints, constraints...)
+	// TODO register this routine in pool, and watch for stop channel
 	safe.Go(func() {
 		operation := func() error {
 			var err error
@@ -89,9 +91,11 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 				log.Errorf("Failed to create a client for docker, error: %s", err)
 				return err
 			}
-			version, err := dockerClient.ServerVersion(context.Background())
+
+			ctx := context.Background()
+			version, err := dockerClient.ServerVersion(ctx)
 			log.Debugf("Docker connection established with docker %s (API %s)", version.Version, version.APIVersion)
-			containers, err := listContainers(dockerClient)
+			containers, err := listContainers(ctx, dockerClient)
 			if err != nil {
 				log.Errorf("Failed to list containers for docker, error %s", err)
 				return err
@@ -102,7 +106,16 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 				Configuration: configuration,
 			}
 			if provider.Watch {
-				ctx, cancel := context.WithCancel(context.Background())
+				ctx, cancel := context.WithCancel(ctx)
+				pool.Go(func(stop chan bool) {
+					for {
+						select {
+						case <-stop:
+							cancel()
+							return
+						}
+					}
+				})
 				f := filters.NewArgs()
 				f.Add("type", "container")
 				options := dockertypes.EventsOptions{
@@ -111,11 +124,12 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 				eventHandler := events.NewHandler(events.ByAction)
 				startStopHandle := func(m eventtypes.Message) {
 					log.Debugf("Docker event received %+v", m)
-					containers, err := listContainers(dockerClient)
+					containers, err := listContainers(ctx, dockerClient)
 					if err != nil {
 						log.Errorf("Failed to list containers for docker, error %s", err)
 						// Call cancel to get out of the monitor
 						cancel()
+						return
 					}
 					configuration := provider.loadDockerConfig(containers)
 					if configuration != nil {
@@ -127,6 +141,7 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 				}
 				eventHandler.Handle("start", startStopHandle)
 				eventHandler.Handle("die", startStopHandle)
+
 				errChan := events.MonitorWithHandler(ctx, dockerClient, options, eventHandler)
 				if err := <-errChan; err != nil {
 					return err
@@ -149,22 +164,25 @@ func (provider *Docker) Provide(configurationChan chan<- types.ConfigMessage) er
 func (provider *Docker) loadDockerConfig(containersInspected []dockertypes.ContainerJSON) *types.Configuration {
 	var DockerFuncMap = template.FuncMap{
 		"getBackend":        provider.getBackend,
+		"getIPAddress":      provider.getIPAddress,
 		"getPort":           provider.getPort,
 		"getWeight":         provider.getWeight,
 		"getDomain":         provider.getDomain,
 		"getProtocol":       provider.getProtocol,
 		"getPassHostHeader": provider.getPassHostHeader,
+		"getPriority":       provider.getPriority,
 		"getEntryPoints":    provider.getEntryPoints,
 		"getFrontendRule":   provider.getFrontendRule,
 		"replace":           replace,
 	}

 	// filter containers
-	filteredContainers := fun.Filter(containerFilter, containersInspected).([]dockertypes.ContainerJSON)
+	filteredContainers := fun.Filter(provider.ContainerFilter, containersInspected).([]dockertypes.ContainerJSON)

 	frontends := map[string][]dockertypes.ContainerJSON{}
 	for _, container := range filteredContainers {
-		frontends[provider.getFrontendName(container)] = append(frontends[provider.getFrontendName(container)], container)
+		frontendName := provider.getFrontendName(container)
+		frontends[frontendName] = append(frontends[frontendName], container)
 	}

 	templateObjects := struct {
@@ -184,12 +202,13 @@ func (provider *Docker) loadDockerConfig(containersInspected []dockertypes.Conta
 	return configuration
 }

-func containerFilter(container dockertypes.ContainerJSON) bool {
-	if len(container.NetworkSettings.Ports) == 0 {
-		log.Debugf("Filtering container without port %s", container.Name)
+// ContainerFilter checks if container have to be exposed
+func (provider *Docker) ContainerFilter(container dockertypes.ContainerJSON) bool {
+	_, err := strconv.Atoi(container.Config.Labels["traefik.port"])
+	if len(container.NetworkSettings.Ports) == 0 && err != nil {
+		log.Debugf("Filtering container without port and no traefik.port label %s", container.Name)
 		return false
 	}
-	_, err := strconv.Atoi(container.Config.Labels["traefik.port"])
 	if len(container.NetworkSettings.Ports) > 1 && err != nil {
 		log.Debugf("Filtering container with more than 1 port and no traefik.port label %s", container.Name)
 		return false
@@ -200,6 +219,14 @@ func containerFilter(container dockertypes.ContainerJSON) bool {
 		return false
 	}

+	constraintTags := strings.Split(container.Config.Labels["traefik.tags"], ",")
+	if ok, failingConstraint := provider.MatchConstraints(constraintTags); !ok {
+		if failingConstraint != nil {
+			log.Debugf("Container %v pruned by '%v' constraint", container.Name, failingConstraint.String())
+		}
+		return false
+	}
+
 	return true
 }

@@ -223,7 +250,7 @@ func (provider *Docker) getFrontendRule(container dockertypes.ContainerJSON) str
 	if label, err := getLabel(container, "traefik.frontend.rule"); err == nil {
 		return label
 	}
-	return "Host:" + getEscapedName(container.Name) + "." + provider.Domain
+	return "Host:" + provider.getSubDomain(container.Name) + "." + provider.Domain
 }

 func (provider *Docker) getBackend(container dockertypes.ContainerJSON) string {
@@ -233,6 +260,29 @@ func (provider *Docker) getBackend(container dockertypes.ContainerJSON) string {
 	return normalize(container.Name)
 }

+func (provider *Docker) getIPAddress(container dockertypes.ContainerJSON) string {
+	if label, err := getLabel(container, "traefik.docker.network"); err == nil && label != "" {
+		networks := container.NetworkSettings.Networks
+		if networks != nil {
+			network := networks[label]
+			if network != nil {
+				return network.IPAddress
+			}
+		}
+	}
+
+	// If net==host, quick n' dirty, we return 127.0.0.1
+	// This will work locally, but will fail with swarm.
+	if container.HostConfig != nil && "host" == container.HostConfig.NetworkMode {
+		return "127.0.0.1"
+	}
+
+	for _, network := range container.NetworkSettings.Networks {
+		return network.IPAddress
+	}
+	return ""
+}
+
 func (provider *Docker) getPort(container dockertypes.ContainerJSON) string {
 	if label, err := getLabel(container, "traefik.port"); err == nil {
 		return label
@@ -268,7 +318,14 @@ func (provider *Docker) getPassHostHeader(container dockertypes.ContainerJSON) s
 	if passHostHeader, err := getLabel(container, "traefik.frontend.passHostHeader"); err == nil {
 		return passHostHeader
 	}
-	return "false"
+	return "true"
+}
+
+func (provider *Docker) getPriority(container dockertypes.ContainerJSON) string {
+	if priority, err := getLabel(container, "traefik.frontend.priority"); err == nil {
+		return priority
+	}
+	return "0"
 }

 func (provider *Docker) getEntryPoints(container dockertypes.ContainerJSON) []string {
@@ -303,8 +360,8 @@ func getLabels(container dockertypes.ContainerJSON, labels []string) (map[string
 	return foundLabels, globalErr
 }

-func listContainers(dockerClient client.APIClient) ([]dockertypes.ContainerJSON, error) {
-	containerList, err := dockerClient.ContainerList(context.Background(), dockertypes.ContainerListOptions{})
+func listContainers(ctx context.Context, dockerClient client.APIClient) ([]dockertypes.ContainerJSON, error) {
+	containerList, err := dockerClient.ContainerList(ctx, dockertypes.ContainerListOptions{})
 	if err != nil {
 		return []dockertypes.ContainerJSON{}, err
 	}
@@ -312,11 +369,17 @@ func listContainers(dockerClient client.APIClient) ([]dockertypes.ContainerJSON,

 	// get inspect containers
 	for _, container := range containerList {
-		containerInspected, err := dockerClient.ContainerInspect(context.Background(), container.ID)
+		containerInspected, err := dockerClient.ContainerInspect(ctx, container.ID)
 		if err != nil {
-			log.Warnf("Failed to inpsect container %s, error: %s", container.ID, err)
+			log.Warnf("Failed to inspect container %s, error: %s", container.ID, err)
+		} else {
+			containersInspected = append(containersInspected, containerInspected)
 		}
-		containersInspected = append(containersInspected, containerInspected)
 	}
 	return containersInspected, nil
 }
+
+// Escape beginning slash "/", convert all others to dash "-"
+func (provider *Docker) getSubDomain(name string) string {
+	return strings.Replace(strings.TrimPrefix(name, "/"), "/", "-", -1)
+}
--- a/provider/docker_test.go
+++ b/provider/docker_test.go
@@ -203,6 +203,106 @@ func TestDockerGetBackend(t *testing.T) {
 	}
 }

+func TestDockerGetIPAddress(t *testing.T) { // TODO
+	provider := &Docker{}
+
+	containers := []struct {
+		container docker.ContainerJSON
+		expected  string
+	}{
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{},
+				NetworkSettings: &docker.NetworkSettings{
+					Networks: map[string]*network.EndpointSettings{
+						"testnet": {
+							IPAddress: "10.11.12.13",
+						},
+					},
+				},
+			},
+			expected: "10.11.12.13",
+		},
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{
+					Labels: map[string]string{
+						"traefik.docker.network": "testnet",
+					},
+				},
+				NetworkSettings: &docker.NetworkSettings{
+					Networks: map[string]*network.EndpointSettings{
+						"nottestnet": {
+							IPAddress: "10.11.12.13",
+						},
+					},
+				},
+			},
+			expected: "10.11.12.13",
+		},
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+				},
+				Config: &container.Config{
+					Labels: map[string]string{
+						"traefik.docker.network": "testnet2",
+					},
+				},
+				NetworkSettings: &docker.NetworkSettings{
+					Networks: map[string]*network.EndpointSettings{
+						"testnet1": {
+							IPAddress: "10.11.12.13",
+						},
+						"testnet2": {
+							IPAddress: "10.11.12.14",
+						},
+					},
+				},
+			},
+			expected: "10.11.12.14",
+		},
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "bar",
+					HostConfig: &container.HostConfig{
+						NetworkMode: "host",
+					},
+				},
+				Config: &container.Config{
+					Labels: map[string]string{},
+				},
+				NetworkSettings: &docker.NetworkSettings{
+					Networks: map[string]*network.EndpointSettings{
+						"testnet1": {
+							IPAddress: "10.11.12.13",
+						},
+						"testnet2": {
+							IPAddress: "10.11.12.14",
+						},
+					},
+				},
+			},
+			expected: "127.0.0.1",
+		},
+	}
+
+	for _, e := range containers {
+		actual := provider.getIPAddress(e.container)
+		if actual != e.expected {
+			t.Fatalf("expected %q, got %q", e.expected, actual)
+		}
+	}
+}
+
 func TestDockerGetPort(t *testing.T) {
 	provider := &Docker{}

@@ -250,6 +350,20 @@ func TestDockerGetPort(t *testing.T) {
 		// 	},
 		// 	expected: "80",
 		// },
+		{
+			container: docker.ContainerJSON{
+				ContainerJSONBase: &docker.ContainerJSONBase{
+					Name: "test",
+				},
+				Config: &container.Config{
+					Labels: map[string]string{
+						"traefik.port": "8080",
+					},
+				},
+				NetworkSettings: &docker.NetworkSettings{},
+			},
+			expected: "8080",
+		},
 		{
 			container: docker.ContainerJSON{
 				ContainerJSONBase: &docker.ContainerJSONBase{
@@ -401,7 +515,6 @@ func TestDockerGetProtocol(t *testing.T) {

 func TestDockerGetPassHostHeader(t *testing.T) {
 	provider := &Docker{}
-
 	containers := []struct {
 		container docker.ContainerJSON
 		expected  string
@@ -413,7 +526,7 @@ func TestDockerGetPassHostHeader(t *testing.T) {
 				},
 				Config: &container.Config{},
 			},
-			expected: "false",
+			expected: "true",
 		},
 		{
 			container: docker.ContainerJSON{
@@ -422,11 +535,11 @@ func TestDockerGetPassHostHeader(t *testing.T) {
 				},
 				Config: &container.Config{
 					Labels: map[string]string{
-						"traefik.frontend.passHostHeader": "true",
+						"traefik.frontend.passHostHeader": "false",
 					},
 				},
 			},
-			expected: "true",
+			expected: "false",
 		},
 	}

@@ -532,6 +645,7 @@ func TestDockerGetLabels(t *testing.T) {
 }

 func TestDockerTraefikFilter(t *testing.T) {
+	provider := Docker{}
 	containers := []struct {
 		container docker.ContainerJSON
 		expected  bool
@@ -703,7 +817,7 @@ func TestDockerTraefikFilter(t *testing.T) {
 	}

 	for _, e := range containers {
-		actual := containerFilter(e.container)
+		actual := provider.ContainerFilter(e.container)
 		if actual != e.expected {
 			t.Fatalf("expected %v for %+v, got %+v", e.expected, e, actual)
 		}
@@ -743,11 +857,12 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				},
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				`"frontend-Host-test-docker-localhost"`: {
-					Backend:     "backend-test",
-					EntryPoints: []string{},
+				"frontend-Host-test-docker-localhost": {
+					Backend:        "backend-test",
+					PassHostHeader: true,
+					EntryPoints:    []string{},
 					Routes: map[string]types.Route{
-						`"route-frontend-Host-test-docker-localhost"`: {
+						"route-frontend-Host-test-docker-localhost": {
 							Rule: "Host:test.docker.localhost",
 						},
 					},
@@ -815,20 +930,22 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				},
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				`"frontend-Host-test1-docker-localhost"`: {
-					Backend:     "backend-foobar",
-					EntryPoints: []string{"http", "https"},
+				"frontend-Host-test1-docker-localhost": {
+					Backend:        "backend-foobar",
+					PassHostHeader: true,
+					EntryPoints:    []string{"http", "https"},
 					Routes: map[string]types.Route{
-						`"route-frontend-Host-test1-docker-localhost"`: {
+						"route-frontend-Host-test1-docker-localhost": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
-				`"frontend-Host-test2-docker-localhost"`: {
-					Backend:     "backend-foobar",
-					EntryPoints: []string{},
+				"frontend-Host-test2-docker-localhost": {
+					Backend:        "backend-foobar",
+					PassHostHeader: true,
+					EntryPoints:    []string{},
 					Routes: map[string]types.Route{
-						`"route-frontend-Host-test2-docker-localhost"`: {
+						"route-frontend-Host-test2-docker-localhost": {
 							Rule: "Host:test2.docker.localhost",
 						},
 					},
--- a/provider/etcd.go
+++ b/provider/etcd.go
@@ -1,6 +1,7 @@
 package provider

 import (
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/etcd"
@@ -8,13 +9,13 @@ import (

 // Etcd holds configurations of the Etcd provider.
 type Etcd struct {
-	Kv `mapstructure:",squash"`
+	Kv
 }

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *Etcd) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *Etcd) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	provider.storeType = store.ETCD
 	etcd.Register()
-	return provider.provide(configurationChan)
+	return provider.provide(configurationChan, pool, constraints)
 }
--- a/provider/file.go
+++ b/provider/file.go
@@ -14,12 +14,12 @@ import (

 // File holds configurations of the File provider.
 type File struct {
-	BaseProvider `mapstructure:",squash"`
+	BaseProvider
 }

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *File) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *File) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, _ []types.Constraint) error {
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		log.Error("Error creating file watcher", err)
@@ -35,10 +35,12 @@ func (provider *File) Provide(configurationChan chan<- types.ConfigMessage) erro

 	if provider.Watch {
 		// Process events
-		safe.Go(func() {
+		pool.Go(func(stop chan bool) {
 			defer watcher.Close()
 			for {
 				select {
+				case <-stop:
+					return
 				case event := <-watcher.Events:
 					if strings.Contains(event.Name, file.Name()) {
 						log.Debug("File event:", event)
--- a/provider/k8s/client.go
+++ b/provider/k8s/client.go
@@ -0,0 +1,274 @@
+package k8s
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"github.com/parnurzeal/gorequest"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+const (
+	// APIEndpoint defines the base path for kubernetes API resources.
+	APIEndpoint        = "/api/v1"
+	extentionsEndpoint = "/apis/extensions/v1beta1"
+	defaultIngress     = "/ingresses"
+	namespaces         = "/namespaces/"
+)
+
+// Client is a client for the Kubernetes master.
+type Client interface {
+	GetIngresses(predicate func(Ingress) bool) ([]Ingress, error)
+	GetService(name, namespace string) (Service, error)
+	GetEndpoints(name, namespace string) (Endpoints, error)
+	WatchAll(stopCh <-chan bool) (chan interface{}, chan error, error)
+}
+
+type clientImpl struct {
+	endpointURL string
+	tls         *tls.Config
+	token       string
+	caCert      []byte
+}
+
+// NewClient returns a new Kubernetes client.
+// The provided host is an url (scheme://hostname[:port]) of a
+// Kubernetes master without any path.
+// The provided client is an authorized http.Client used to perform requests to the Kubernetes API master.
+func NewClient(baseURL string, caCert []byte, token string) (Client, error) {
+	validURL, err := url.Parse(baseURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse URL %q: %v", baseURL, err)
+	}
+	return &clientImpl{
+		endpointURL: strings.TrimSuffix(validURL.String(), "/"),
+		token:       token,
+		caCert:      caCert,
+	}, nil
+}
+
+// GetIngresses returns all ingresses in the cluster
+func (c *clientImpl) GetIngresses(predicate func(Ingress) bool) ([]Ingress, error) {
+	getURL := c.endpointURL + extentionsEndpoint + defaultIngress
+
+	body, err := c.do(c.request(getURL))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ingresses request: GET %q : %v", getURL, err)
+	}
+
+	var ingressList IngressList
+	if err := json.Unmarshal(body, &ingressList); err != nil {
+		return nil, fmt.Errorf("failed to decode list of ingress resources: %v", err)
+	}
+	ingresses := ingressList.Items[:0]
+	for _, ingress := range ingressList.Items {
+		if predicate(ingress) {
+			ingresses = append(ingresses, ingress)
+		}
+	}
+	return ingresses, nil
+}
+
+// WatchIngresses returns all ingresses in the cluster
+func (c *clientImpl) WatchIngresses(stopCh <-chan bool) (chan interface{}, chan error, error) {
+	getURL := c.endpointURL + extentionsEndpoint + defaultIngress
+	return c.watch(getURL, stopCh)
+}
+
+// GetService returns the named service from the named namespace
+func (c *clientImpl) GetService(name, namespace string) (Service, error) {
+	getURL := c.endpointURL + APIEndpoint + namespaces + namespace + "/services/" + name
+
+	body, err := c.do(c.request(getURL))
+	if err != nil {
+		return Service{}, fmt.Errorf("failed to create services request: GET %q : %v", getURL, err)
+	}
+
+	var service Service
+	if err := json.Unmarshal(body, &service); err != nil {
+		return Service{}, fmt.Errorf("failed to decode service resource: %v", err)
+	}
+	return service, nil
+}
+
+// WatchServices returns all services in the cluster
+func (c *clientImpl) WatchServices(stopCh <-chan bool) (chan interface{}, chan error, error) {
+	getURL := c.endpointURL + APIEndpoint + "/services"
+	return c.watch(getURL, stopCh)
+}
+
+// GetEndpoints returns the named Endpoints
+// Endpoints have the same name as the coresponding service
+func (c *clientImpl) GetEndpoints(name, namespace string) (Endpoints, error) {
+	getURL := c.endpointURL + APIEndpoint + namespaces + namespace + "/endpoints/" + name
+
+	body, err := c.do(c.request(getURL))
+	if err != nil {
+		return Endpoints{}, fmt.Errorf("failed to create endpoints request: GET %q : %v", getURL, err)
+	}
+
+	var endpoints Endpoints
+	if err := json.Unmarshal(body, &endpoints); err != nil {
+		return Endpoints{}, fmt.Errorf("failed to decode endpoints resources: %v", err)
+	}
+	return endpoints, nil
+}
+
+// WatchEndpoints returns endpoints in the cluster
+func (c *clientImpl) WatchEndpoints(stopCh <-chan bool) (chan interface{}, chan error, error) {
+	getURL := c.endpointURL + APIEndpoint + "/endpoints"
+	return c.watch(getURL, stopCh)
+}
+
+// WatchAll returns events in the cluster
+func (c *clientImpl) WatchAll(stopCh <-chan bool) (chan interface{}, chan error, error) {
+	watchCh := make(chan interface{}, 10)
+	errCh := make(chan error, 10)
+
+	stopIngresses := make(chan bool)
+	chanIngresses, chanIngressesErr, err := c.WatchIngresses(stopIngresses)
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to create watch: %v", err)
+	}
+	stopServices := make(chan bool)
+	chanServices, chanServicesErr, err := c.WatchServices(stopServices)
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to create watch: %v", err)
+	}
+	stopEndpoints := make(chan bool)
+	chanEndpoints, chanEndpointsErr, err := c.WatchEndpoints(stopEndpoints)
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to create watch: %v", err)
+	}
+	go func() {
+		defer close(watchCh)
+		defer close(errCh)
+		defer close(stopIngresses)
+		defer close(stopServices)
+		defer close(stopEndpoints)
+
+		for {
+			select {
+			case <-stopCh:
+				stopIngresses <- true
+				stopServices <- true
+				stopEndpoints <- true
+				return
+			case err := <-chanIngressesErr:
+				errCh <- err
+			case err := <-chanServicesErr:
+				errCh <- err
+			case err := <-chanEndpointsErr:
+				errCh <- err
+			case event := <-chanIngresses:
+				watchCh <- event
+			case event := <-chanServices:
+				watchCh <- event
+			case event := <-chanEndpoints:
+				watchCh <- event
+			}
+		}
+	}()
+
+	return watchCh, errCh, nil
+}
+
+func (c *clientImpl) do(request *gorequest.SuperAgent) ([]byte, error) {
+	res, body, errs := request.EndBytes()
+	if errs != nil {
+		return nil, fmt.Errorf("failed to create request: GET %q : %v", request.Url, errs)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("http error %d GET %q: %q", res.StatusCode, request.Url, string(body))
+	}
+	return body, nil
+}
+
+func (c *clientImpl) request(url string) *gorequest.SuperAgent {
+	// Make request to Kubernetes API
+	request := gorequest.New().Get(url)
+	request.Transport.DisableKeepAlives = true
+
+	if strings.HasPrefix(url, "http://") {
+		return request
+	}
+
+	if len(c.token) > 0 {
+		request.Header["Authorization"] = "Bearer " + c.token
+		pool := x509.NewCertPool()
+		pool.AppendCertsFromPEM(c.caCert)
+		c.tls = &tls.Config{RootCAs: pool}
+	}
+	return request.TLSClientConfig(c.tls)
+}
+
+// GenericObject generic object
+type GenericObject struct {
+	TypeMeta `json:",inline"`
+	ListMeta `json:"metadata,omitempty"`
+}
+
+func (c *clientImpl) watch(url string, stopCh <-chan bool) (chan interface{}, chan error, error) {
+	watchCh := make(chan interface{}, 10)
+	errCh := make(chan error, 10)
+
+	// get version
+	body, err := c.do(c.request(url))
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to do version request: GET %q : %v", url, err)
+	}
+
+	var generic GenericObject
+	if err := json.Unmarshal(body, &generic); err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to decode version %v", err)
+	}
+	resourceVersion := generic.ResourceVersion
+
+	url = url + "?watch&resourceVersion=" + resourceVersion
+	// Make request to Kubernetes API
+	request := c.request(url)
+	req, err := request.MakeRequest()
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to make watch request: GET %q : %v", url, err)
+	}
+	request.Client.Transport = request.Transport
+
+	res, err := request.Client.Do(req)
+	if err != nil {
+		return watchCh, errCh, fmt.Errorf("failed to do watch request: GET %q: %v", url, err)
+	}
+
+	go func() {
+		finishCh := make(chan bool)
+		defer close(finishCh)
+		defer close(watchCh)
+		defer close(errCh)
+		go func() {
+			defer res.Body.Close()
+			for {
+				var eventList interface{}
+				if err := json.NewDecoder(res.Body).Decode(&eventList); err != nil {
+					if !strings.Contains(err.Error(), "net/http: request canceled") {
+						errCh <- fmt.Errorf("failed to decode watch event: GET %q : %v", url, err)
+					}
+					finishCh <- true
+					return
+				}
+				watchCh <- eventList
+			}
+		}()
+		select {
+		case <-stopCh:
+			go func() {
+				request.Transport.CancelRequest(req)
+			}()
+			<-finishCh
+			return
+		}
+	}()
+	return watchCh, errCh, nil
+}
--- a/provider/k8s/endpoints.go
+++ b/provider/k8s/endpoints.go
@@ -0,0 +1,84 @@
+package k8s
+
+// Endpoints is a collection of endpoints that implement the actual service.  Example:
+//   Name: "mysvc",
+//   Subsets: [
+//     {
+//       Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//       Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//     },
+//     {
+//       Addresses: [{"ip": "10.10.3.3"}],
+//       Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
+//     },
+//  ]
+type Endpoints struct {
+	TypeMeta   `json:",inline"`
+	ObjectMeta `json:"metadata,omitempty"`
+
+	// The set of all endpoints is the union of all subsets.
+	Subsets []EndpointSubset
+}
+
+// EndpointSubset is a group of addresses with a common set of ports.  The
+// expanded set of endpoints is the Cartesian product of Addresses x Ports.
+// For example, given:
+//   {
+//     Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//     Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//   }
+// The resulting set of endpoints can be viewed as:
+//     a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
+//     b: [ 10.10.1.1:309, 10.10.2.2:309 ]
+type EndpointSubset struct {
+	Addresses         []EndpointAddress
+	NotReadyAddresses []EndpointAddress
+	Ports             []EndpointPort
+}
+
+// EndpointAddress is a tuple that describes single IP address.
+type EndpointAddress struct {
+	// The IP of this endpoint.
+	// IPv6 is also accepted but not fully supported on all platforms. Also, certain
+	// kubernetes components, like kube-proxy, are not IPv6 ready.
+	// TODO: This should allow hostname or IP, see #4447.
+	IP string
+	// Optional: Hostname of this endpoint
+	// Meant to be used by DNS servers etc.
+	Hostname string `json:"hostname,omitempty"`
+	// Optional: The kubernetes object related to the entry point.
+	TargetRef *ObjectReference
+}
+
+// EndpointPort is a tuple that describes a single port.
+type EndpointPort struct {
+	// The name of this port (corresponds to ServicePort.Name).  Optional
+	// if only one port is defined.  Must be a DNS_LABEL.
+	Name string
+
+	// The port number.
+	Port int32
+
+	// The IP protocol for this port.
+	Protocol Protocol
+}
+
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+type ObjectReference struct {
+	Kind            string `json:"kind,omitempty"`
+	Namespace       string `json:"namespace,omitempty"`
+	Name            string `json:"name,omitempty"`
+	UID             UID    `json:"uid,omitempty"`
+	APIVersion      string `json:"apiVersion,omitempty"`
+	ResourceVersion string `json:"resourceVersion,omitempty"`
+
+	// Optional. If referring to a piece of an object instead of an entire object, this string
+	// should contain information to identify the sub-object. For example, if the object
+	// reference is to a container within a pod, this would take on a value like:
+	// "spec.containers{name}" (where "name" refers to the name of the container that triggered
+	// the event) or if no container name is specified "spec.containers[2]" (container with
+	// index 2 in this pod). This syntax is chosen only to have some well-defined way of
+	// referencing a part of an object.
+	// TODO: this design is not final and this field is subject to change in the future.
+	FieldPath string `json:"fieldPath,omitempty"`
+}
--- a/provider/k8s/ingress.go
+++ b/provider/k8s/ingress.go
@@ -0,0 +1,151 @@
+package k8s
+
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+type Ingress struct {
+	TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec is the desired state of the Ingress.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#spec-and-status
+	Spec IngressSpec `json:"spec,omitempty"`
+
+	// Status is the current state of the Ingress.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#spec-and-status
+	Status IngressStatus `json:"status,omitempty"`
+}
+
+// IngressList is a collection of Ingress.
+type IngressList struct {
+	TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	ListMeta `json:"metadata,omitempty"`
+
+	// Items is the list of Ingress.
+	Items []Ingress `json:"items"`
+}
+
+// IngressSpec describes the Ingress the user wishes to exist.
+type IngressSpec struct {
+	// A default backend capable of servicing requests that don't match any
+	// rule. At least one of 'backend' or 'rules' must be specified. This field
+	// is optional to allow the loadbalancer controller or defaulting logic to
+	// specify a global default.
+	Backend *IngressBackend `json:"backend,omitempty"`
+
+	// TLS configuration. Currently the Ingress only supports a single TLS
+	// port, 443. If multiple members of this list specify different hosts, they
+	// will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	TLS []IngressTLS `json:"tls,omitempty"`
+
+	// A list of host rules used to configure the Ingress. If unspecified, or
+	// no rule matches, all traffic is sent to the default backend.
+	Rules []IngressRule `json:"rules,omitempty"`
+	// TODO: Add the ability to specify load-balancer IP through claims
+}
+
+// IngressTLS describes the transport layer security associated with an Ingress.
+type IngressTLS struct {
+	// Hosts are a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	Hosts []string `json:"hosts,omitempty"`
+	// SecretName is the name of the secret used to terminate SSL traffic on 443.
+	// Field is left optional to allow SSL routing based on SNI hostname alone.
+	// If the SNI host in a listener conflicts with the "Host" header field used
+	// by an IngressRule, the SNI host is used for termination and value of the
+	// Host header is used for routing.
+	SecretName string `json:"secretName,omitempty"`
+	// TODO: Consider specifying different modes of termination, protocols etc.
+}
+
+// IngressStatus describe the current state of the Ingress.
+type IngressStatus struct {
+	// LoadBalancer contains the current status of the load-balancer.
+	LoadBalancer LoadBalancerStatus `json:"loadBalancer,omitempty"`
+}
+
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
+type IngressRule struct {
+	// Host is the fully qualified domain name of a network host, as defined
+	// by RFC 3986. Note the following deviations from the "host" part of the
+	// URI as defined in the RFC:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
+	//	  IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	//	  Currently the port of an Ingress is implicitly :80 for http and
+	//	  :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the IngressRuleValue.
+	// If the host is unspecified, the Ingress routes all traffic based on the
+	// specified IngressRuleValue.
+	Host string `json:"host,omitempty"`
+	// IngressRuleValue represents a rule to route requests for this IngressRule.
+	// If unspecified, the rule defaults to a http catch-all. Whether that sends
+	// just traffic matching the host to the default backend or all traffic to the
+	// default backend, is left to the controller fulfilling the Ingress. Http is
+	// currently the only supported IngressRuleValue.
+	IngressRuleValue `json:",inline,omitempty"`
+}
+
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
+type IngressRuleValue struct {
+	//TODO:
+	// 1. Consider renaming this resource and the associated rules so they
+	// aren't tied to Ingress. They can be used to route intra-cluster traffic.
+	// 2. Consider adding fields for ingress-type specific global options
+	// usable by a loadbalancer, like http keep-alive.
+
+	HTTP *HTTPIngressRuleValue `json:"http,omitempty"`
+}
+
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
+type HTTPIngressRuleValue struct {
+	// A collection of paths that map requests to backends.
+	Paths []HTTPIngressPath `json:"paths"`
+	// TODO: Consider adding fields for ingress-type specific global
+	// options usable by a loadbalancer, like http keep-alive.
+}
+
+// HTTPIngressPath associates a path regex with a backend. Incoming urls matching
+// the path are forwarded to the backend.
+type HTTPIngressPath struct {
+	// Path is a extended POSIX regex as defined by IEEE Std 1003.1,
+	// (i.e this follows the egrep/unix syntax, not the perl syntax)
+	// matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path"
+	// part of a URL as defined by RFC 3986. Paths must begin with
+	// a '/'. If unspecified, the path defaults to a catch all sending
+	// traffic to the backend.
+	Path string `json:"path,omitempty"`
+
+	// Backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	Backend IngressBackend `json:"backend"`
+}
+
+// IngressBackend describes all endpoints for a given service and port.
+type IngressBackend struct {
+	// Specifies the name of the referenced service.
+	ServiceName string `json:"serviceName"`
+
+	// Specifies the port of the referenced service.
+	ServicePort IntOrString `json:"servicePort"`
+}
--- a/provider/k8s/service.go
+++ b/provider/k8s/service.go
@@ -0,0 +1,326 @@
+package k8s
+
+import (
+	"encoding/json"
+	"strconv"
+	"time"
+)
+
+// TypeMeta describes an individual object in an API response or request
+// with strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+type TypeMeta struct {
+	// Kind is a string value representing the REST resource this object represents.
+	// Servers may infer this from the endpoint the client submits requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
+	Kind string `json:"kind,omitempty"`
+
+	// APIVersion defines the versioned schema of this representation of an object.
+	// Servers should convert recognized schemas to the latest internal value, and
+	// may reject unrecognized values.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#resources
+	APIVersion string `json:"apiVersion,omitempty"`
+}
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+type ObjectMeta struct {
+	// Name is unique within a namespace.  Name is required when creating resources, although
+	// some resources may allow a client to request the generation of an appropriate name
+	// automatically. Name is primarily intended for creation idempotence and configuration
+	// definition.
+	Name string `json:"name,omitempty"`
+
+	// GenerateName indicates that the name should be made unique by the server prior to persisting
+	// it. A non-empty value for the field indicates the name will be made unique (and the name
+	// returned to the client will be different than the name passed). The value of this field will
+	// be combined with a unique suffix on the server if the Name field has not been provided.
+	// The provided value must be valid within the rules for Name, and may be truncated by the length
+	// of the suffix required to make the value unique on the server.
+	//
+	// If this field is specified, and Name is not present, the server will NOT return a 409 if the
+	// generated name exists - instead, it will either return 201 Created or 500 with Reason
+	// ServerTimeout indicating a unique name could not be found in the time allotted, and the client
+	// should retry (optionally after the time indicated in the Retry-After header).
+	GenerateName string `json:"generateName,omitempty"`
+
+	// Namespace defines the space within which name must be unique. An empty namespace is
+	// equivalent to the "default" namespace, but "default" is the canonical representation.
+	// Not all objects are required to be scoped to a namespace - the value of this field for
+	// those objects will be empty.
+	Namespace string `json:"namespace,omitempty"`
+
+	// SelfLink is a URL representing this object.
+	SelfLink string `json:"selfLink,omitempty"`
+
+	// UID is the unique in time and space value for this object. It is typically generated by
+	// the server on successful creation of a resource and is not allowed to change on PUT
+	// operations.
+	UID UID `json:"uid,omitempty"`
+
+	// An opaque value that represents the version of this resource. May be used for optimistic
+	// concurrency, change detection, and the watch operation on a resource or set of resources.
+	// Clients must treat these values as opaque and values may only be valid for a particular
+	// resource or set of resources. Only servers will generate resource versions.
+	ResourceVersion string `json:"resourceVersion,omitempty"`
+
+	// A sequence number representing a specific generation of the desired state.
+	// Populated by the system. Read-only.
+	Generation int64 `json:"generation,omitempty"`
+
+	// CreationTimestamp is a timestamp representing the server time when this object was
+	// created. It is not guaranteed to be set in happens-before order across separate operations.
+	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+	CreationTimestamp Time `json:"creationTimestamp,omitempty"`
+
+	// DeletionTimestamp is the time after which this resource will be deleted. This
+	// field is set by the server when a graceful deletion is requested by the user, and is not
+	// directly settable by a client. The resource will be deleted (no longer visible from
+	// resource lists, and not reachable by name) after the time in this field. Once set, this
+	// value may not be unset or be set further into the future, although it may be shortened
+	// or the resource may be deleted prior to this time. For example, a user may request that
+	// a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination
+	// signal to the containers in the pod. Once the resource is deleted in the API, the Kubelet
+	// will send a hard termination signal to the container.
+	DeletionTimestamp *Time `json:"deletionTimestamp,omitempty"`
+
+	// DeletionGracePeriodSeconds records the graceful deletion value set when graceful deletion
+	// was requested. Represents the most recent grace period, and may only be shortened once set.
+	DeletionGracePeriodSeconds *int64 `json:"deletionGracePeriodSeconds,omitempty"`
+
+	// Labels are key value pairs that may be used to scope and select individual resources.
+	// Label keys are of the form:
+	//     label-key ::= prefixed-name | name
+	//     prefixed-name ::= prefix '/' name
+	//     prefix ::= DNS_SUBDOMAIN
+	//     name ::= DNS_LABEL
+	// The prefix is optional.  If the prefix is not specified, the key is assumed to be private
+	// to the user.  Other system components that wish to use labels must specify a prefix.  The
+	// "kubernetes.io/" prefix is reserved for use by kubernetes components.
+	// TODO: replace map[string]string with labels.LabelSet type
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// Annotations are unstructured key value data stored with a resource that may be set by
+	// external tooling. They are not queryable and should be preserved when modifying
+	// objects.  Annotation keys have the same formatting restrictions as Label keys. See the
+	// comments on Labels for details.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// UID is a type that holds unique ID values, including UUIDs.  Because we
+// don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+// intent and helps make sure that UIDs and names do not get conflated.
+type UID string
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+type Time struct {
+	time.Time `protobuf:"-"`
+}
+
+// Service is a named abstraction of software service (for example, mysql) consisting of local port
+// (for example 3306) that the proxy listens on, and the selector that determines which pods
+// will answer requests sent through the proxy.
+type Service struct {
+	TypeMeta   `json:",inline"`
+	ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the behavior of a service.
+	Spec ServiceSpec `json:"spec,omitempty"`
+
+	// Status represents the current status of a service.
+	Status ServiceStatus `json:"status,omitempty"`
+}
+
+// ServiceSpec describes the attributes that a user creates on a service
+type ServiceSpec struct {
+	// Type determines how the service will be exposed.  Valid options: ClusterIP, NodePort, LoadBalancer
+	Type ServiceType `json:"type,omitempty"`
+
+	// Required: The list of ports that are exposed by this service.
+	Ports []ServicePort `json:"ports"`
+
+	// This service will route traffic to pods having labels matching this selector. If empty or not present,
+	// the service is assumed to have endpoints set by an external process and Kubernetes will not modify
+	// those endpoints.
+	Selector map[string]string `json:"selector"`
+
+	// ClusterIP is usually assigned by the master.  If specified by the user
+	// we will try to respect it or else fail the request.  This field can
+	// not be changed by updates.
+	// Valid values are None, empty string (""), or a valid IP address
+	// None can be specified for headless services when proxying is not required
+	ClusterIP string `json:"clusterIP,omitempty"`
+
+	// ExternalIPs are used by external load balancers, or can be set by
+	// users to handle external traffic that arrives at a node.
+	ExternalIPs []string `json:"externalIPs,omitempty"`
+
+	// Only applies to Service Type: LoadBalancer
+	// LoadBalancer will get created with the IP specified in this field.
+	// This feature depends on whether the underlying cloud-provider supports specifying
+	// the loadBalancerIP when a load balancer is created.
+	// This field will be ignored if the cloud-provider does not support the feature.
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
+
+	// Required: Supports "ClientIP" and "None".  Used to maintain session affinity.
+	SessionAffinity ServiceAffinity `json:"sessionAffinity,omitempty"`
+}
+
+// ServicePort service port
+type ServicePort struct {
+	// Optional if only one ServicePort is defined on this service: The
+	// name of this port within the service.  This must be a DNS_LABEL.
+	// All ports within a ServiceSpec must have unique names.  This maps to
+	// the 'Name' field in EndpointPort objects.
+	Name string `json:"name"`
+
+	// The IP protocol for this port.  Supports "TCP" and "UDP".
+	Protocol Protocol `json:"protocol"`
+
+	// The port that will be exposed on the service.
+	Port int `json:"port"`
+
+	// Optional: The target port on pods selected by this service.  If this
+	// is a string, it will be looked up as a named port in the target
+	// Pod's container ports.  If this is not specified, the value
+	// of the 'port' field is used (an identity map).
+	// This field is ignored for services with clusterIP=None, and should be
+	// omitted or set equal to the 'port' field.
+	TargetPort IntOrString `json:"targetPort"`
+
+	// The port on each node on which this service is exposed.
+	// Default is to auto-allocate a port if the ServiceType of this Service requires one.
+	NodePort int `json:"nodePort"`
+}
+
+// ServiceStatus represents the current status of a service
+type ServiceStatus struct {
+	// LoadBalancer contains the current status of the load-balancer,
+	// if one is present.
+	LoadBalancer LoadBalancerStatus `json:"loadBalancer,omitempty"`
+}
+
+// LoadBalancerStatus represents the status of a load-balancer
+type LoadBalancerStatus struct {
+	// Ingress is a list containing ingress points for the load-balancer;
+	// traffic intended for the service should be sent to these ingress points.
+	Ingress []LoadBalancerIngress `json:"ingress,omitempty"`
+}
+
+// LoadBalancerIngress represents the status of a load-balancer ingress point:
+// traffic intended for the service should be sent to an ingress point.
+type LoadBalancerIngress struct {
+	// IP is set for load-balancer ingress points that are IP based
+	// (typically GCE or OpenStack load-balancers)
+	IP string `json:"ip,omitempty"`
+
+	// Hostname is set for load-balancer ingress points that are DNS based
+	// (typically AWS load-balancers)
+	Hostname string `json:"hostname,omitempty"`
+}
+
+// ServiceAffinity Session Affinity Type string
+type ServiceAffinity string
+
+// ServiceType Service Type string describes ingress methods for a service
+type ServiceType string
+
+// Protocol defines network protocols supported for things like container ports.
+type Protocol string
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+//
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type IntOrString struct {
+	Type   Type
+	IntVal int32
+	StrVal string
+}
+
+// FromInt creates an IntOrString object with an int32 value. It is
+// your responsibility not to call this method with a value greater
+// than int32.
+// TODO: convert to (val int32)
+func FromInt(val int) IntOrString {
+	return IntOrString{Type: Int, IntVal: int32(val)}
+}
+
+// FromString creates an IntOrString object with a string value.
+func FromString(val string) IntOrString {
+	return IntOrString{Type: String, StrVal: val}
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (intstr *IntOrString) String() string {
+	if intstr.Type == String {
+		return intstr.StrVal
+	}
+	return strconv.Itoa(intstr.IntValue())
+}
+
+// IntValue returns the IntVal if type Int, or if
+// it is a String, will attempt a conversion to int.
+func (intstr *IntOrString) IntValue() int {
+	if intstr.Type == String {
+		i, _ := strconv.Atoi(intstr.StrVal)
+		return i
+	}
+	return int(intstr.IntVal)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (intstr *IntOrString) UnmarshalJSON(value []byte) error {
+	if value[0] == '"' {
+		intstr.Type = String
+		return json.Unmarshal(value, &intstr.StrVal)
+	}
+	intstr.Type = Int
+	return json.Unmarshal(value, &intstr.IntVal)
+}
+
+// Type represents the stored type of IntOrString.
+type Type int
+
+const (
+	// Int int
+	Int Type = iota // The IntOrString holds an int.
+	//String string
+	String // The IntOrString holds a string.
+)
+
+// ServiceList holds a list of services.
+type ServiceList struct {
+	TypeMeta `json:",inline"`
+	ListMeta `json:"metadata,omitempty"`
+
+	Items []Service `json:"items"`
+}
+
+// ListMeta describes metadata that synthetic resources must have, including lists and
+// various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+type ListMeta struct {
+	// SelfLink is a URL representing this object.
+	// Populated by the system.
+	// Read-only.
+	SelfLink string `json:"selfLink,omitempty"`
+
+	// String that identifies the server's internal version of this object that
+	// can be used by clients to determine when objects have changed.
+	// Value must be treated as opaque by clients and passed unmodified back to the server.
+	// Populated by the system.
+	// Read-only.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#concurrency-control-and-consistency
+	ResourceVersion string `json:"resourceVersion,omitempty"`
+}
--- a/provider/kubernetes.go
+++ b/provider/kubernetes.go
@@ -0,0 +1,315 @@
+package provider
+
+import (
+	"fmt"
+	log "github.com/Sirupsen/logrus"
+	"github.com/cenkalti/backoff"
+	"github.com/containous/traefik/provider/k8s"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+	"io"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+	"text/template"
+	"time"
+)
+
+const (
+	serviceAccountToken  = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	serviceAccountCACert = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+)
+
+// Namespaces holds kubernetes namespaces
+type Namespaces []string
+
+//Set adds strings elem into the the parser
+//it splits str on , and ;
+func (ns *Namespaces) Set(str string) error {
+	fargs := func(c rune) bool {
+		return c == ',' || c == ';'
+	}
+	// get function
+	slice := strings.FieldsFunc(str, fargs)
+	*ns = append(*ns, slice...)
+	return nil
+}
+
+//Get []string
+func (ns *Namespaces) Get() interface{} { return Namespaces(*ns) }
+
+//String return slice in a string
+func (ns *Namespaces) String() string { return fmt.Sprintf("%v", *ns) }
+
+//SetValue sets []string into the parser
+func (ns *Namespaces) SetValue(val interface{}) {
+	*ns = Namespaces(val.(Namespaces))
+}
+
+// Kubernetes holds configurations of the Kubernetes provider.
+type Kubernetes struct {
+	BaseProvider
+	Endpoint               string     `description:"Kubernetes server endpoint"`
+	DisablePassHostHeaders bool       `description:"Kubernetes disable PassHost Headers"`
+	Namespaces             Namespaces `description:"Kubernetes namespaces"`
+	lastConfiguration      safe.Safe
+}
+
+func (provider *Kubernetes) createClient() (k8s.Client, error) {
+	var token string
+	tokenBytes, err := ioutil.ReadFile(serviceAccountToken)
+	if err == nil {
+		token = string(tokenBytes)
+		log.Debugf("Kubernetes token: %s", token)
+	} else {
+		log.Errorf("Kubernetes load token error: %s", err)
+	}
+	caCert, err := ioutil.ReadFile(serviceAccountCACert)
+	if err == nil {
+		log.Debugf("Kubernetes CA cert: %s", serviceAccountCACert)
+	} else {
+		log.Errorf("Kubernetes load token error: %s", err)
+	}
+	kubernetesHost := os.Getenv("KUBERNETES_SERVICE_HOST")
+	kubernetesPort := os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")
+	if len(kubernetesPort) > 0 && len(kubernetesHost) > 0 {
+		provider.Endpoint = "https://" + kubernetesHost + ":" + kubernetesPort
+	}
+	log.Debugf("Kubernetes endpoint: %s", provider.Endpoint)
+	return k8s.NewClient(provider.Endpoint, caCert, token)
+}
+
+// Provide allows the provider to provide configurations to traefik
+// using the given configuration channel.
+func (provider *Kubernetes) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
+	k8sClient, err := provider.createClient()
+	if err != nil {
+		return err
+	}
+	backOff := backoff.NewExponentialBackOff()
+	provider.Constraints = append(provider.Constraints, constraints...)
+
+	pool.Go(func(stop chan bool) {
+		operation := func() error {
+			for {
+				stopWatch := make(chan bool, 5)
+				defer close(stopWatch)
+				eventsChan, errEventsChan, err := k8sClient.WatchAll(stopWatch)
+				if err != nil {
+					log.Errorf("Error watching kubernetes events: %v", err)
+					timer := time.NewTimer(1 * time.Second)
+					select {
+					case <-timer.C:
+						return err
+					case <-stop:
+						return nil
+					}
+				}
+			Watch:
+				for {
+					select {
+					case <-stop:
+						stopWatch <- true
+						return nil
+					case err, ok := <-errEventsChan:
+						stopWatch <- true
+						if ok && strings.Contains(err.Error(), io.EOF.Error()) {
+							// edge case, kubernetes long-polling disconnection
+							break Watch
+						}
+						return err
+					case event := <-eventsChan:
+						log.Debugf("Received event from kubernetes %+v", event)
+						templateObjects, err := provider.loadIngresses(k8sClient)
+						if err != nil {
+							return err
+						}
+						if reflect.DeepEqual(provider.lastConfiguration.Get(), templateObjects) {
+							log.Debugf("Skipping event from kubernetes %+v", event)
+						} else {
+							provider.lastConfiguration.Set(templateObjects)
+							configurationChan <- types.ConfigMessage{
+								ProviderName:  "kubernetes",
+								Configuration: provider.loadConfig(*templateObjects),
+							}
+						}
+					}
+				}
+			}
+		}
+
+		notify := func(err error, time time.Duration) {
+			log.Errorf("Kubernetes connection error %+v, retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(operation, backOff, notify)
+		if err != nil {
+			log.Fatalf("Cannot connect to Kubernetes server %+v", err)
+		}
+	})
+
+	templateObjects, err := provider.loadIngresses(k8sClient)
+	if err != nil {
+		return err
+	}
+	if reflect.DeepEqual(provider.lastConfiguration.Get(), templateObjects) {
+		log.Debugf("Skipping configuration from kubernetes %+v", templateObjects)
+	} else {
+		provider.lastConfiguration.Set(templateObjects)
+		configurationChan <- types.ConfigMessage{
+			ProviderName:  "kubernetes",
+			Configuration: provider.loadConfig(*templateObjects),
+		}
+	}
+
+	return nil
+}
+
+func (provider *Kubernetes) loadIngresses(k8sClient k8s.Client) (*types.Configuration, error) {
+	ingresses, err := k8sClient.GetIngresses(func(ingress k8s.Ingress) bool {
+		if len(provider.Namespaces) == 0 {
+			return true
+		}
+		for _, n := range provider.Namespaces {
+			if ingress.ObjectMeta.Namespace == n {
+				return true
+			}
+		}
+		return false
+	})
+	if err != nil {
+		log.Errorf("Error retrieving ingresses: %+v", err)
+		return nil, err
+	}
+	templateObjects := types.Configuration{
+		map[string]*types.Backend{},
+		map[string]*types.Frontend{},
+	}
+	PassHostHeader := provider.getPassHostHeader()
+	for _, i := range ingresses {
+		for _, r := range i.Spec.Rules {
+			for _, pa := range r.HTTP.Paths {
+				if _, exists := templateObjects.Backends[r.Host+pa.Path]; !exists {
+					templateObjects.Backends[r.Host+pa.Path] = &types.Backend{
+						Servers: make(map[string]types.Server),
+					}
+				}
+				if _, exists := templateObjects.Frontends[r.Host+pa.Path]; !exists {
+					templateObjects.Frontends[r.Host+pa.Path] = &types.Frontend{
+						Backend:        r.Host + pa.Path,
+						PassHostHeader: PassHostHeader,
+						Routes:         make(map[string]types.Route),
+					}
+				}
+				if len(r.Host) > 0 {
+					if _, exists := templateObjects.Frontends[r.Host+pa.Path].Routes[r.Host]; !exists {
+						templateObjects.Frontends[r.Host+pa.Path].Routes[r.Host] = types.Route{
+							Rule: "Host:" + r.Host,
+						}
+					}
+				}
+				if len(pa.Path) > 0 {
+					ruleType := i.Annotations["traefik.frontend.rule.type"]
+
+					switch strings.ToLower(ruleType) {
+					case "pathprefixstrip":
+						ruleType = "PathPrefixStrip"
+					case "pathstrip":
+						ruleType = "PathStrip"
+					case "path":
+						ruleType = "Path"
+					case "pathprefix":
+						ruleType = "PathPrefix"
+					default:
+						log.Warnf("Unknown RuleType `%s`, falling back to `PathPrefix", ruleType)
+						ruleType = "PathPrefix"
+					}
+
+					templateObjects.Frontends[r.Host+pa.Path].Routes[pa.Path] = types.Route{
+						Rule: ruleType + ":" + pa.Path,
+					}
+				}
+				service, err := k8sClient.GetService(pa.Backend.ServiceName, i.ObjectMeta.Namespace)
+				if err != nil {
+					log.Warnf("Error retrieving services: %v", err)
+					delete(templateObjects.Frontends, r.Host+pa.Path)
+					log.Warnf("Error retrieving services %s", pa.Backend.ServiceName)
+					continue
+				}
+				protocol := "http"
+				for _, port := range service.Spec.Ports {
+					if equalPorts(port, pa.Backend.ServicePort) {
+						if port.Port == 443 {
+							protocol = "https"
+						}
+						endpoints, err := k8sClient.GetEndpoints(service.ObjectMeta.Name, service.ObjectMeta.Namespace)
+						if err != nil {
+							log.Errorf("Error retrieving endpoints: %v", err)
+							continue
+						}
+						if len(endpoints.Subsets) == 0 {
+							log.Warnf("Endpoints not found for %s/%s, falling back to Service ClusterIP", service.ObjectMeta.Namespace, service.ObjectMeta.Name)
+							templateObjects.Backends[r.Host+pa.Path].Servers[string(service.UID)] = types.Server{
+								URL:    protocol + "://" + service.Spec.ClusterIP + ":" + strconv.Itoa(port.Port),
+								Weight: 1,
+							}
+						} else {
+							for _, subset := range endpoints.Subsets {
+								for _, address := range subset.Addresses {
+									url := protocol + "://" + address.IP + ":" + strconv.Itoa(endpointPortNumber(port, subset.Ports))
+									templateObjects.Backends[r.Host+pa.Path].Servers[url] = types.Server{
+										URL:    url,
+										Weight: 1,
+									}
+								}
+							}
+						}
+						break
+					}
+				}
+			}
+		}
+	}
+	return &templateObjects, nil
+}
+
+func endpointPortNumber(servicePort k8s.ServicePort, endpointPorts []k8s.EndpointPort) int {
+	if len(endpointPorts) > 0 {
+		//name is optional if there is only one port
+		port := endpointPorts[0]
+		for _, endpointPort := range endpointPorts {
+			if servicePort.Name == endpointPort.Name {
+				port = endpointPort
+			}
+		}
+		return int(port.Port)
+	}
+	return servicePort.Port
+}
+
+func equalPorts(servicePort k8s.ServicePort, ingressPort k8s.IntOrString) bool {
+	if servicePort.Port == ingressPort.IntValue() {
+		return true
+	}
+	if servicePort.Name != "" && servicePort.Name == ingressPort.String() {
+		return true
+	}
+	return false
+}
+
+func (provider *Kubernetes) getPassHostHeader() bool {
+	if provider.DisablePassHostHeaders {
+		return false
+	}
+	return true
+}
+
+func (provider *Kubernetes) loadConfig(templateObjects types.Configuration) *types.Configuration {
+	var FuncMap = template.FuncMap{}
+	configuration, err := provider.getConfiguration("templates/kubernetes.tmpl", FuncMap, templateObjects)
+	if err != nil {
+		log.Error(err)
+	}
+	return configuration
+}
--- a/provider/kubernetes_test.go
+++ b/provider/kubernetes_test.go
--- a/provider/kv.go
+++ b/provider/kv.go
@@ -10,8 +10,10 @@ import (
 	"text/template"
 	"time"

+	"errors"
 	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
+	"github.com/cenkalti/backoff"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv"
@@ -20,44 +22,58 @@ import (

 // Kv holds common configurations of key-value providers.
 type Kv struct {
-	BaseProvider `mapstructure:",squash"`
-	Endpoint     string
-	Prefix       string
-	TLS          *KvTLS
-	storeType    store.Backend
-	kvclient     store.Store
+	BaseProvider
+	Endpoint  string `description:"Comma sepparated server endpoints"`
+	Prefix    string `description:"Prefix used for KV store"`
+	TLS       *KvTLS `description:"Enable TLS support"`
+	storeType store.Backend
+	kvclient  store.Store
 }

 // KvTLS holds TLS specific configurations
 type KvTLS struct {
-	CA                 string
-	Cert               string
-	Key                string
-	InsecureSkipVerify bool
+	CA                 string `description:"TLS CA"`
+	Cert               string `description:"TLS cert"`
+	Key                string `description:"TLS key"`
+	InsecureSkipVerify bool   `description:"TLS insecure skip verify"`
 }

-func (provider *Kv) watchKv(configurationChan chan<- types.ConfigMessage, prefix string) {
-	for {
-		chanKeys, err := provider.kvclient.WatchTree(provider.Prefix, make(chan struct{}) /* stop chan */)
+func (provider *Kv) watchKv(configurationChan chan<- types.ConfigMessage, prefix string, stop chan bool) error {
+	operation := func() error {
+		events, err := provider.kvclient.WatchTree(provider.Prefix, make(chan struct{}))
 		if err != nil {
-			log.Errorf("Failed to WatchTree %s", err)
-			continue
+			return fmt.Errorf("Failed to KV WatchTree: %v", err)
 		}
-
-		for range chanKeys {
-			configuration := provider.loadConfig()
-			if configuration != nil {
-				configurationChan <- types.ConfigMessage{
-					ProviderName:  string(provider.storeType),
-					Configuration: configuration,
+		for {
+			select {
+			case <-stop:
+				return nil
+			case _, ok := <-events:
+				if !ok {
+					return errors.New("watchtree channel closed")
+				}
+				configuration := provider.loadConfig()
+				if configuration != nil {
+					configurationChan <- types.ConfigMessage{
+						ProviderName:  string(provider.storeType),
+						Configuration: configuration,
+					}
 				}
 			}
 		}
-		log.Warnf("Intermittent failure to WatchTree KV. Retrying.")
 	}
+
+	notify := func(err error, time time.Duration) {
+		log.Errorf("KV connection error: %+v, retrying in %s", err, time)
+	}
+	err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
+	if err != nil {
+		return fmt.Errorf("Cannot connect to KV server: %v", err)
+	}
+	return nil
 }

-func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	storeConfig := &store.Config{
 		ConnectionTimeout: 30 * time.Second,
 		Bucket:            "traefik",
@@ -79,7 +95,7 @@ func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage) error
 		cert, err := tls.LoadX509KeyPair(provider.TLS.Cert, provider.TLS.Key)

 		if err != nil {
-			return fmt.Errorf("Failed to load keypair. %s", err)
+			return fmt.Errorf("Failed to load TLS keypair: %v", err)
 		}

 		storeConfig.TLS = &tls.Config{
@@ -89,27 +105,40 @@ func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage) error
 		}
 	}

-	kv, err := libkv.NewStore(
-		provider.storeType,
-		strings.Split(provider.Endpoint, ","),
-		storeConfig,
-	)
+	operation := func() error {
+		kv, err := libkv.NewStore(
+			provider.storeType,
+			strings.Split(provider.Endpoint, ","),
+			storeConfig,
+		)
+		if err != nil {
+			return fmt.Errorf("Failed to Connect to KV store: %v", err)
+		}
+		if _, err := kv.Exists("qmslkjdfmqlskdjfmqlksjazçueznbvbwzlkajzebvkwjdcqmlsfj"); err != nil {
+			return fmt.Errorf("Failed to test KV store connection: %v", err)
+		}
+		provider.kvclient = kv
+		if provider.Watch {
+			pool.Go(func(stop chan bool) {
+				err := provider.watchKv(configurationChan, provider.Prefix, stop)
+				if err != nil {
+					log.Errorf("Cannot watch KV store: %v", err)
+				}
+			})
+		}
+		configuration := provider.loadConfig()
+		configurationChan <- types.ConfigMessage{
+			ProviderName:  string(provider.storeType),
+			Configuration: configuration,
+		}
+		return nil
+	}
+	notify := func(err error, time time.Duration) {
+		log.Errorf("KV connection error: %+v, retrying in %s", err, time)
+	}
+	err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
 	if err != nil {
-		return err
-	}
-	if _, err := kv.List(""); err != nil {
-		return err
-	}
-	provider.kvclient = kv
-	if provider.Watch {
-		safe.Go(func() {
-			provider.watchKv(configurationChan, provider.Prefix)
-		})
-	}
-	configuration := provider.loadConfig()
-	configurationChan <- types.ConfigMessage{
-		ProviderName:  string(provider.storeType),
-		Configuration: configuration,
+		return fmt.Errorf("Cannot connect to KV server: %v", err)
 	}
 	return nil
 }
@@ -144,7 +173,7 @@ func (provider *Kv) list(keys ...string) []string {
 	}
 	directoryKeys := make(map[string]string)
 	for _, key := range keysPairs {
-		directory := strings.Split(strings.TrimPrefix(key.Key, strings.TrimPrefix(joinedKeys, "/")), "/")[0]
+		directory := strings.Split(strings.TrimPrefix(key.Key, joinedKeys), "/")[0]
 		directoryKeys[directory] = joinedKeys + directory
 	}
 	return fun.Values(directoryKeys).([]string)
@@ -152,7 +181,7 @@ func (provider *Kv) list(keys ...string) []string {

 func (provider *Kv) get(defaultValue string, keys ...string) string {
 	joinedKeys := strings.Join(keys, "")
-	keyPair, err := provider.kvclient.Get(joinedKeys)
+	keyPair, err := provider.kvclient.Get(strings.TrimPrefix(joinedKeys, "/"))
 	if err != nil {
 		log.Warnf("Error getting key %s %s, setting default %s", joinedKeys, err, defaultValue)
 		return defaultValue
--- a/provider/kv_test.go
+++ b/provider/kv_test.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 	"time"

-	"github.com/containous/traefik/safe"
 	"github.com/docker/libkv/store"
 	"reflect"
 	"sort"
@@ -81,7 +80,7 @@ func TestKvList(t *testing.T) {
 				},
 			},
 			keys:     []string{"foo", "/baz/"},
-			expected: []string{"foo/baz/biz", "foo/baz/1", "foo/baz/2"},
+			expected: []string{"foo/baz/1", "foo/baz/2"},
 		},
 	}

@@ -257,9 +256,9 @@ func TestKvWatchTree(t *testing.T) {
 	}

 	configChan := make(chan types.ConfigMessage)
-	safe.Go(func() {
-		provider.watchKv(configChan, "prefix")
-	})
+	go func() {
+		provider.watchKv(configChan, "prefix", make(chan bool, 1))
+	}()

 	select {
 	case c1 := <-returnedChans:
@@ -339,7 +338,7 @@ func (s *Mock) List(prefix string) ([]*store.KVPair, error) {
 	}
 	kv := []*store.KVPair{}
 	for _, kvPair := range s.KVPairs {
-		if strings.HasPrefix(kvPair.Key, prefix) {
+		if strings.HasPrefix(kvPair.Key, prefix) && !strings.ContainsAny(strings.TrimPrefix(kvPair.Key, prefix), "/") {
 			kv = append(kv, kvPair)
 		}
 	}
@@ -365,3 +364,86 @@ func (s *Mock) AtomicDelete(key string, previous *store.KVPair) (bool, error) {
 func (s *Mock) Close() {
 	return
 }
+
+func TestKVLoadConfig(t *testing.T) {
+	provider := &Kv{
+		Prefix: "traefik",
+		kvclient: &Mock{
+			KVPairs: []*store.KVPair{
+				{
+					Key:   "traefik/frontends/frontend.with.dot",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/frontends/frontend.with.dot/backend",
+					Value: []byte("backend.with.dot.too"),
+				},
+				{
+					Key:   "traefik/frontends/frontend.with.dot/routes",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/frontends/frontend.with.dot/routes/route.with.dot",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/frontends/frontend.with.dot/routes/route.with.dot/rule",
+					Value: []byte("Host:test.localhost"),
+				},
+				{
+					Key:   "traefik/backends/backend.with.dot.too",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/backends/backend.with.dot.too/servers",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/backends/backend.with.dot.too/servers/server.with.dot",
+					Value: []byte(""),
+				},
+				{
+					Key:   "traefik/backends/backend.with.dot.too/servers/server.with.dot/url",
+					Value: []byte("http://172.17.0.2:80"),
+				},
+				{
+					Key:   "traefik/backends/backend.with.dot.too/servers/server.with.dot/weight",
+					Value: []byte("1"),
+				},
+			},
+		},
+	}
+	actual := provider.loadConfig()
+	expected := &types.Configuration{
+		Backends: map[string]*types.Backend{
+			"backend.with.dot.too": {
+				Servers: map[string]types.Server{
+					"server.with.dot": {
+						URL:    "http://172.17.0.2:80",
+						Weight: 1,
+					},
+				},
+				CircuitBreaker: nil,
+				LoadBalancer:   nil,
+			},
+		},
+		Frontends: map[string]*types.Frontend{
+			"frontend.with.dot": {
+				Backend:        "backend.with.dot.too",
+				PassHostHeader: true,
+				EntryPoints:    []string{},
+				Routes: map[string]types.Route{
+					"route.with.dot": {
+						Rule: "Host:test.localhost",
+					},
+				},
+			},
+		},
+	}
+	if !reflect.DeepEqual(actual.Backends, expected.Backends) {
+		t.Fatalf("expected %+v, got %+v", expected.Backends, actual.Backends)
+	}
+	if !reflect.DeepEqual(actual.Frontends, expected.Frontends) {
+		t.Fatalf("expected %+v, got %+v", expected.Frontends, actual.Frontends)
+	}
+}
--- a/provider/marathon.go
+++ b/provider/marathon.go
@@ -3,6 +3,7 @@ package provider
 import (
 	"errors"
 	"net/url"
+	"sort"
 	"strconv"
 	"strings"
 	"text/template"
@@ -10,21 +11,25 @@ import (
 	"crypto/tls"
 	"github.com/BurntSushi/ty/fun"
 	log "github.com/Sirupsen/logrus"
+	"github.com/cenkalti/backoff"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/gambol99/go-marathon"
 	"net/http"
+	"time"
 )

 // Marathon holds configuration of the Marathon provider.
 type Marathon struct {
-	BaseProvider     `mapstructure:",squash"`
-	Endpoint         string
-	Domain           string
-	ExposedByDefault bool
-	Basic            *MarathonBasic
-	TLS              *tls.Config
-	marathonClient   marathon.Marathon
+	BaseProvider
+	Endpoint           string `description:"Marathon server endpoint. You can also specify multiple endpoint for Marathon"`
+	Domain             string `description:"Default domain used"`
+	ExposedByDefault   bool   `description:"Expose Marathon apps by default"`
+	GroupsAsSubDomains bool   `description:"Convert Marathon groups to subdomains"`
+	DCOSToken          string `description:"DCOSToken for DCOS environment, This will override the Authorization header"`
+	Basic              *MarathonBasic
+	TLS                *tls.Config
+	marathonClient     marathon.Marathon
 }

 // MarathonBasic holds basic authentication specific configurations
@@ -34,56 +39,75 @@ type MarathonBasic struct {
 }

 type lightMarathonClient interface {
-	Applications(url.Values) (*marathon.Applications, error)
 	AllTasks(v url.Values) (*marathon.Tasks, error)
+	Applications(url.Values) (*marathon.Applications, error)
 }

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage) error {
-	config := marathon.NewDefaultConfig()
-	config.URL = provider.Endpoint
-	config.EventsTransport = marathon.EventsTransportSSE
-	if provider.Basic != nil {
-		config.HTTPBasicAuthUser = provider.Basic.HTTPBasicAuthUser
-		config.HTTPBasicPassword = provider.Basic.HTTPBasicPassword
-	}
-	config.HTTPClient = &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: provider.TLS,
-		},
-	}
-	client, err := marathon.NewClient(config)
-	if err != nil {
-		log.Errorf("Failed to create a client for marathon, error: %s", err)
-		return err
-	}
-	provider.marathonClient = client
-	update := make(marathon.EventsChannel, 5)
-	if provider.Watch {
-		if err := client.AddEventsListener(update, marathon.EVENTS_APPLICATIONS); err != nil {
-			log.Errorf("Failed to register for events, %s", err)
-		} else {
-			safe.Go(func() {
+func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
+	provider.Constraints = append(provider.Constraints, constraints...)
+	operation := func() error {
+		config := marathon.NewDefaultConfig()
+		config.URL = provider.Endpoint
+		config.EventsTransport = marathon.EventsTransportSSE
+		if provider.Basic != nil {
+			config.HTTPBasicAuthUser = provider.Basic.HTTPBasicAuthUser
+			config.HTTPBasicPassword = provider.Basic.HTTPBasicPassword
+		}
+		if len(provider.DCOSToken) > 0 {
+			config.DCOSToken = provider.DCOSToken
+		}
+		config.HTTPClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: provider.TLS,
+			},
+		}
+		client, err := marathon.NewClient(config)
+		if err != nil {
+			log.Errorf("Failed to create a client for marathon, error: %s", err)
+			return err
+		}
+		provider.marathonClient = client
+		update := make(marathon.EventsChannel, 5)
+		if provider.Watch {
+			if err := client.AddEventsListener(update, marathon.EventIDApplications); err != nil {
+				log.Errorf("Failed to register for events, %s", err)
+				return err
+			}
+			pool.Go(func(stop chan bool) {
+				defer close(update)
 				for {
-					event := <-update
-					log.Debug("Marathon event receveived", event)
-					configuration := provider.loadMarathonConfig()
-					if configuration != nil {
-						configurationChan <- types.ConfigMessage{
-							ProviderName:  "marathon",
-							Configuration: configuration,
+					select {
+					case <-stop:
+						return
+					case event := <-update:
+						log.Debug("Marathon event receveived", event)
+						configuration := provider.loadMarathonConfig()
+						if configuration != nil {
+							configurationChan <- types.ConfigMessage{
+								ProviderName:  "marathon",
+								Configuration: configuration,
+							}
 						}
 					}
 				}
 			})
 		}
+		configuration := provider.loadMarathonConfig()
+		configurationChan <- types.ConfigMessage{
+			ProviderName:  "marathon",
+			Configuration: configuration,
+		}
+		return nil
 	}

-	configuration := provider.loadMarathonConfig()
-	configurationChan <- types.ConfigMessage{
-		ProviderName:  "marathon",
-		Configuration: configuration,
+	notify := func(err error, time time.Duration) {
+		log.Errorf("Marathon connection error %+v, retrying in %s", err, time)
+	}
+	err := backoff.RetryNotify(operation, backoff.NewExponentialBackOff(), notify)
+	if err != nil {
+		log.Fatalf("Cannot connect to Marathon server %+v", err)
 	}
 	return nil
 }
@@ -96,6 +120,7 @@ func (provider *Marathon) loadMarathonConfig() *types.Configuration {
 		"getDomain":          provider.getDomain,
 		"getProtocol":        provider.getProtocol,
 		"getPassHostHeader":  provider.getPassHostHeader,
+		"getPriority":        provider.getPriority,
 		"getEntryPoints":     provider.getEntryPoints,
 		"getFrontendRule":    provider.getFrontendRule,
 		"getFrontendBackend": provider.getFrontendBackend,
@@ -158,8 +183,8 @@ func taskFilter(task marathon.Task, applications *marathon.Applications, exposed
 	}

 	//filter indeterminable task port
-	portIndexLabel := application.Labels["traefik.portIndex"]
-	portValueLabel := application.Labels["traefik.port"]
+	portIndexLabel := (*application.Labels)["traefik.portIndex"]
+	portValueLabel := (*application.Labels)["traefik.port"]
 	if portIndexLabel != "" && portValueLabel != "" {
 		log.Debugf("Filtering marathon task %s specifying both traefik.portIndex and traefik.port labels", task.AppID)
 		return false
@@ -169,14 +194,14 @@ func taskFilter(task marathon.Task, applications *marathon.Applications, exposed
 		return false
 	}
 	if portIndexLabel != "" {
-		index, err := strconv.Atoi(application.Labels["traefik.portIndex"])
+		index, err := strconv.Atoi((*application.Labels)["traefik.portIndex"])
 		if err != nil || index < 0 || index > len(application.Ports)-1 {
 			log.Debugf("Filtering marathon task %s with unexpected value for traefik.portIndex label", task.AppID)
 			return false
 		}
 	}
 	if portValueLabel != "" {
-		port, err := strconv.Atoi(application.Labels["traefik.port"])
+		port, err := strconv.Atoi((*application.Labels)["traefik.port"])
 		if err != nil {
 			log.Debugf("Filtering marathon task %s with unexpected value for traefik.port label", task.AppID)
 			return false
@@ -230,11 +255,11 @@ func getApplication(task marathon.Task, apps []marathon.Application) (marathon.A
 }

 func isApplicationEnabled(application marathon.Application, exposedByDefault bool) bool {
-	return exposedByDefault && application.Labels["traefik.enable"] != "false" || application.Labels["traefik.enable"] == "true"
+	return exposedByDefault && (*application.Labels)["traefik.enable"] != "false" || (*application.Labels)["traefik.enable"] == "true"
 }

 func (provider *Marathon) getLabel(application marathon.Application, label string) (string, error) {
-	for key, value := range application.Labels {
+	for key, value := range *application.Labels {
 		if key == label {
 			return value, nil
 		}
@@ -299,7 +324,14 @@ func (provider *Marathon) getPassHostHeader(application marathon.Application) st
 	if passHostHeader, err := provider.getLabel(application, "traefik.frontend.passHostHeader"); err == nil {
 		return passHostHeader
 	}
-	return "false"
+	return "true"
+}
+
+func (provider *Marathon) getPriority(application marathon.Application) string {
+	if priority, err := provider.getLabel(application, "traefik.frontend.priority"); err == nil {
+		return priority
+	}
+	return "0"
 }

 func (provider *Marathon) getEntryPoints(application marathon.Application) []string {
@@ -323,7 +355,7 @@ func (provider *Marathon) getFrontendRule(application marathon.Application) stri
 	if label, err := provider.getLabel(application, "traefik.frontend.rule"); err == nil {
 		return label
 	}
-	return "Host:" + getEscapedName(application.ID) + "." + provider.Domain
+	return "Host:" + provider.getSubDomain(application.ID) + "." + provider.Domain
 }

 func (provider *Marathon) getBackend(task marathon.Task, applications []marathon.Application) string {
@@ -341,3 +373,13 @@ func (provider *Marathon) getFrontendBackend(application marathon.Application) s
 	}
 	return replace("/", "-", application.ID)
 }
+
+func (provider *Marathon) getSubDomain(name string) string {
+	if provider.GroupsAsSubDomains {
+		splitedName := strings.Split(strings.TrimPrefix(name, "/"), "/")
+		sort.Sort(sort.Reverse(sort.StringSlice(splitedName)))
+		reverseName := strings.Join(splitedName, ".")
+		return reverseName
+	}
+	return strings.Replace(strings.TrimPrefix(name, "/"), "/", "-", -1)
+}
--- a/provider/marathon_test.go
+++ b/provider/marathon_test.go
@@ -19,13 +19,17 @@ func newFakeClient(applicationsError bool, applications *marathon.Applications,
 	// create an instance of our test object
 	fakeClient := new(fakeClient)
 	if applicationsError {
-		fakeClient.On("Applications", mock.AnythingOfType("url.Values")).Return(nil, errors.New("error"))
+		fakeClient.On("Applications", mock.Anything).Return(nil, errors.New("error"))
+	} else {
+		fakeClient.On("Applications", mock.Anything).Return(applications, nil)
 	}
-	fakeClient.On("Applications", mock.AnythingOfType("url.Values")).Return(applications, nil)
-	if tasksError {
-		fakeClient.On("AllTasks", mock.AnythingOfType("*marathon.AllTasksOpts")).Return(nil, errors.New("error"))
+	if !applicationsError {
+		if tasksError {
+			fakeClient.On("AllTasks", mock.Anything).Return(nil, errors.New("error"))
+		} else {
+			fakeClient.On("AllTasks", mock.Anything).Return(tasks, nil)
+		}
 	}
-	fakeClient.On("AllTasks", mock.AnythingOfType("*marathon.AllTasksOpts")).Return(tasks, nil)
 	return fakeClient
 }

@@ -65,8 +69,9 @@ func TestMarathonLoadConfig(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "/test",
-						Ports: []int{80},
+						ID:     "/test",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
 					},
 				},
 			},
@@ -82,8 +87,9 @@ func TestMarathonLoadConfig(t *testing.T) {
 			},
 			expectedFrontends: map[string]*types.Frontend{
 				`frontend-test`: {
-					Backend:     "backend-test",
-					EntryPoints: []string{},
+					Backend:        "backend-test",
+					PassHostHeader: true,
+					EntryPoints:    []string{},
 					Routes: map[string]types.Route{
 						`route-host-test`: {
 							Rule: "Host:test.docker.localhost",
@@ -114,6 +120,7 @@ func TestMarathonLoadConfig(t *testing.T) {
 			marathonClient:   fakeClient,
 		}
 		actualConfig := provider.loadMarathonConfig()
+		fakeClient.AssertExpectations(t)
 		if c.expectedNil {
 			if actualConfig != nil {
 				t.Fatalf("Should have been nil, got %v", actualConfig)
@@ -160,7 +167,8 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID: "foo",
+						ID:     "foo",
+						Labels: &map[string]string{},
 					},
 				},
 			},
@@ -175,8 +183,9 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80, 443},
+						ID:     "foo",
+						Ports:  []int{80, 443},
+						Labels: &map[string]string{},
 					},
 				},
 			},
@@ -193,7 +202,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "foo",
 						Ports: []int{80},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.enable": "false",
 						},
 					},
@@ -212,7 +221,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "specify-port-number",
 						Ports: []int{80, 443},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.port": "80",
 						},
 					},
@@ -231,7 +240,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "specify-unknown-port-number",
 						Ports: []int{80, 443},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.port": "8080",
 						},
 					},
@@ -250,7 +259,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "specify-port-index",
 						Ports: []int{80, 443},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.portIndex": "0",
 						},
 					},
@@ -269,7 +278,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "specify-out-of-range-port-index",
 						Ports: []int{80, 443},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.portIndex": "2",
 						},
 					},
@@ -288,7 +297,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "specify-both-port-index-and-number",
 						Ports: []int{80, 443},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.port":      "443",
 							"traefik.portIndex": "1",
 						},
@@ -306,10 +315,11 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80},
-						HealthChecks: []*marathon.HealthCheck{
-							marathon.NewDefaultHealthCheck(),
+						ID:     "foo",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
+						HealthChecks: &[]marathon.HealthCheck{
+							*marathon.NewDefaultHealthCheck(),
 						},
 					},
 				},
@@ -330,10 +340,11 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80},
-						HealthChecks: []*marathon.HealthCheck{
-							marathon.NewDefaultHealthCheck(),
+						ID:     "foo",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
+						HealthChecks: &[]marathon.HealthCheck{
+							*marathon.NewDefaultHealthCheck(),
 						},
 					},
 				},
@@ -357,10 +368,11 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80},
-						HealthChecks: []*marathon.HealthCheck{
-							marathon.NewDefaultHealthCheck(),
+						ID:     "foo",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
+						HealthChecks: &[]marathon.HealthCheck{
+							*marathon.NewDefaultHealthCheck(),
 						},
 					},
 				},
@@ -376,8 +388,9 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80},
+						ID:     "foo",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
 					},
 				},
 			},
@@ -397,10 +410,11 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "foo",
-						Ports: []int{80},
-						HealthChecks: []*marathon.HealthCheck{
-							marathon.NewDefaultHealthCheck(),
+						ID:     "foo",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
+						HealthChecks: &[]marathon.HealthCheck{
+							*marathon.NewDefaultHealthCheck(),
 						},
 					},
 				},
@@ -416,8 +430,9 @@ func TestMarathonTaskFilter(t *testing.T) {
 			applications: &marathon.Applications{
 				Apps: []marathon.Application{
 					{
-						ID:    "disable-default-expose",
-						Ports: []int{80},
+						ID:     "disable-default-expose",
+						Ports:  []int{80},
+						Labels: &map[string]string{},
 					},
 				},
 			},
@@ -434,7 +449,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "disable-default-expose-disable-in-label",
 						Ports: []int{80},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.enable": "false",
 						},
 					},
@@ -453,7 +468,7 @@ func TestMarathonTaskFilter(t *testing.T) {
 					{
 						ID:    "disable-default-expose-enable-in-label",
 						Ports: []int{80},
-						Labels: map[string]string{
+						Labels: &map[string]string{
 							"traefik.enable": "true",
 						},
 					},
@@ -485,14 +500,16 @@ func TestMarathonApplicationFilter(t *testing.T) {
 		},
 		{
 			application: marathon.Application{
-				ID: "test",
+				ID:     "test",
+				Labels: &map[string]string{},
 			},
 			filteredTasks: []marathon.Task{},
 			expected:      false,
 		},
 		{
 			application: marathon.Application{
-				ID: "foo",
+				ID:     "foo",
+				Labels: &map[string]string{},
 			},
 			filteredTasks: []marathon.Task{
 				{
@@ -503,7 +520,8 @@ func TestMarathonApplicationFilter(t *testing.T) {
 		},
 		{
 			application: marathon.Application{
-				ID: "foo",
+				ID:     "foo",
+				Labels: &map[string]string{},
 			},
 			filteredTasks: []marathon.Task{
 				{
@@ -538,7 +556,8 @@ func TestMarathonGetPort(t *testing.T) {
 		{
 			applications: []marathon.Application{
 				{
-					ID: "test1",
+					ID:     "test1",
+					Labels: &map[string]string{},
 				},
 			},
 			task: marathon.Task{
@@ -549,7 +568,8 @@ func TestMarathonGetPort(t *testing.T) {
 		{
 			applications: []marathon.Application{
 				{
-					ID: "test1",
+					ID:     "test1",
+					Labels: &map[string]string{},
 				},
 			},
 			task: marathon.Task{
@@ -561,7 +581,8 @@ func TestMarathonGetPort(t *testing.T) {
 		{
 			applications: []marathon.Application{
 				{
-					ID: "test1",
+					ID:     "test1",
+					Labels: &map[string]string{},
 				},
 			},
 			task: marathon.Task{
@@ -574,7 +595,7 @@ func TestMarathonGetPort(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "specify-port-number",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.port": "443",
 					},
 				},
@@ -589,7 +610,7 @@ func TestMarathonGetPort(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "specify-port-index",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.portIndex": "1",
 					},
 				},
@@ -627,7 +648,7 @@ func TestMarathonGetWeigh(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test1",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.weight": "10",
 					},
 				},
@@ -641,7 +662,7 @@ func TestMarathonGetWeigh(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.test": "10",
 					},
 				},
@@ -655,7 +676,7 @@ func TestMarathonGetWeigh(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.weight": "10",
 					},
 				},
@@ -685,12 +706,13 @@ func TestMarathonGetDomain(t *testing.T) {
 		expected    string
 	}{
 		{
-			application: marathon.Application{},
-			expected:    "docker.localhost",
+			application: marathon.Application{
+				Labels: &map[string]string{}},
+			expected: "docker.localhost",
 		},
 		{
 			application: marathon.Application{
-				Labels: map[string]string{
+				Labels: &map[string]string{
 					"traefik.domain": "foo.bar",
 				},
 			},
@@ -723,7 +745,7 @@ func TestMarathonGetProtocol(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test1",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.protocol": "https",
 					},
 				},
@@ -737,7 +759,7 @@ func TestMarathonGetProtocol(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.foo": "bar",
 					},
 				},
@@ -751,7 +773,7 @@ func TestMarathonGetProtocol(t *testing.T) {
 			applications: []marathon.Application{
 				{
 					ID: "test",
-					Labels: map[string]string{
+					Labels: &map[string]string{
 						"traefik.protocol": "https",
 					},
 				},
@@ -779,16 +801,17 @@ func TestMarathonGetPassHostHeader(t *testing.T) {
 		expected    string
 	}{
 		{
-			application: marathon.Application{},
-			expected:    "false",
+			application: marathon.Application{
+				Labels: &map[string]string{}},
+			expected: "true",
 		},
 		{
 			application: marathon.Application{
-				Labels: map[string]string{
-					"traefik.frontend.passHostHeader": "true",
+				Labels: &map[string]string{
+					"traefik.frontend.passHostHeader": "false",
 				},
 			},
-			expected: "true",
+			expected: "false",
 		},
 	}

@@ -808,12 +831,13 @@ func TestMarathonGetEntryPoints(t *testing.T) {
 		expected    []string
 	}{
 		{
-			application: marathon.Application{},
-			expected:    []string{},
+			application: marathon.Application{
+				Labels: &map[string]string{}},
+			expected: []string{},
 		},
 		{
 			application: marathon.Application{
-				Labels: map[string]string{
+				Labels: &map[string]string{
 					"traefik.frontend.entryPoints": "http,https",
 				},
 			},
@@ -840,18 +864,20 @@ func TestMarathonGetFrontendRule(t *testing.T) {
 		expected    string
 	}{
 		{
-			application: marathon.Application{},
-			expected:    "Host:.docker.localhost",
+			application: marathon.Application{
+				Labels: &map[string]string{}},
+			expected: "Host:.docker.localhost",
 		},
 		{
 			application: marathon.Application{
-				ID: "test",
+				ID:     "test",
+				Labels: &map[string]string{},
 			},
 			expected: "Host:test.docker.localhost",
 		},
 		{
 			application: marathon.Application{
-				Labels: map[string]string{
+				Labels: &map[string]string{
 					"traefik.frontend.rule": "Host:foo.bar",
 				},
 			},
@@ -877,7 +903,7 @@ func TestMarathonGetBackend(t *testing.T) {
 		{
 			application: marathon.Application{
 				ID: "foo",
-				Labels: map[string]string{
+				Labels: &map[string]string{
 					"traefik.backend": "bar",
 				},
 			},
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -5,24 +5,45 @@ import (
 	"io/ioutil"
 	"strings"
 	"text/template"
+	"unicode"

 	"github.com/BurntSushi/toml"
 	"github.com/containous/traefik/autogen"
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
-	"unicode"
 )

 // Provider defines methods of a provider.
 type Provider interface {
 	// Provide allows the provider to provide configurations to traefik
 	// using the given configuration channel.
-	Provide(configurationChan chan<- types.ConfigMessage) error
+	Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error
 }

 // BaseProvider should be inherited by providers
 type BaseProvider struct {
-	Watch    bool
-	Filename string
+	Watch       bool              `description:"Watch provider"`
+	Filename    string            `description:"Override default configuration template. For advanced users :)"`
+	Constraints types.Constraints `description:"Filter services by constraint, matching with Traefik tags."`
+}
+
+// MatchConstraints must match with EVERY single contraint
+// returns first constraint that do not match or nil
+func (p *BaseProvider) MatchConstraints(tags []string) (bool, *types.Constraint) {
+	// if there is no tags and no contraints, filtering is disabled
+	if len(tags) == 0 && len(p.Constraints) == 0 {
+		return true, nil
+	}
+
+	for _, constraint := range p.Constraints {
+		// xor: if ok and constraint.MustMatch are equal, then no tag is currently matching with the constraint
+		if ok := constraint.MatchConstraintWithAtLeastOneTag(tags); ok != constraint.MustMatch {
+			return false, &constraint
+		}
+	}
+
+	// If no constraint or every constraints matching
+	return true, nil
 }

 func (p *BaseProvider) getConfiguration(defaultTemplateFile string, funcMap template.FuncMap, templateObjects interface{}) (*types.Configuration, error) {
@@ -64,11 +85,6 @@ func replace(s1 string, s2 string, s3 string) string {
 	return strings.Replace(s3, s1, s2, -1)
 }

-// Escape beginning slash "/", convert all others to dash "-"
-func getEscapedName(name string) string {
-	return strings.Replace(strings.TrimPrefix(name, "/"), "/", "-", -1)
-}
-
 func normalize(name string) string {
 	fargs := func(c rune) bool {
 		return !unicode.IsLetter(c) && !unicode.IsNumber(c)
--- a/provider/provider_test.go
+++ b/provider/provider_test.go
@@ -6,6 +6,8 @@ import (
 	"strings"
 	"testing"
 	"text/template"
+
+	"github.com/containous/traefik/types"
 )

 type myProvider struct {
@@ -74,7 +76,7 @@ func TestConfigurationErrors(t *testing.T) {
 					Filename: templateInvalidTOMLFile.Name(),
 				},
 			},
-			expectedError: "Near line 1, key 'Hello': Near line 1: Expected key separator '=', but got '<' instead",
+			expectedError: "Near line 1 (last key parsed 'Hello'): Expected key separator '=', but got '<' instead",
 			funcMap: template.FuncMap{
 				"Foo": func() string {
 					return "bar"
@@ -168,3 +170,138 @@ func TestReplace(t *testing.T) {
 		}
 	}
 }
+
+func TestGetConfigurationReturnsCorrectMaxConnConfiguration(t *testing.T) {
+	templateFile, err := ioutil.TempFile("", "provider-configuration")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(templateFile.Name())
+	data := []byte(`[backends]
+  [backends.backend1]
+    [backends.backend1.maxconn]
+      amount = 10
+      extractorFunc = "request.host"`)
+	err = ioutil.WriteFile(templateFile.Name(), data, 0700)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	provider := &myProvider{
+		BaseProvider{
+			Filename: templateFile.Name(),
+		},
+	}
+	configuration, err := provider.getConfiguration(templateFile.Name(), nil, nil)
+	if err != nil {
+		t.Fatalf("Shouldn't have error out, got %v", err)
+	}
+	if configuration == nil {
+		t.Fatalf("Configuration should not be nil, but was")
+	}
+
+	if configuration.Backends["backend1"].MaxConn.Amount != 10 {
+		t.Fatalf("Configuration did not parse MaxConn.Amount properly")
+	}
+
+	if configuration.Backends["backend1"].MaxConn.ExtractorFunc != "request.host" {
+		t.Fatalf("Configuration did not parse MaxConn.ExtractorFunc properly")
+	}
+}
+
+func TestMatchingConstraints(t *testing.T) {
+	cases := []struct {
+		constraints []types.Constraint
+		tags        []string
+		expected    bool
+	}{
+		// simple test: must match
+		{
+			constraints: []types.Constraint{
+				{
+					Key:       "tag",
+					MustMatch: true,
+					Regex:     "us-east-1",
+				},
+			},
+			tags: []string{
+				"us-east-1",
+			},
+			expected: true,
+		},
+		// simple test: must match but does not match
+		{
+			constraints: []types.Constraint{
+				{
+					Key:       "tag",
+					MustMatch: true,
+					Regex:     "us-east-1",
+				},
+			},
+			tags: []string{
+				"us-east-2",
+			},
+			expected: false,
+		},
+		// simple test: must not match
+		{
+			constraints: []types.Constraint{
+				{
+					Key:       "tag",
+					MustMatch: false,
+					Regex:     "us-east-1",
+				},
+			},
+			tags: []string{
+				"us-east-1",
+			},
+			expected: false,
+		},
+		// complex test: globbing
+		{
+			constraints: []types.Constraint{
+				{
+					Key:       "tag",
+					MustMatch: true,
+					Regex:     "us-east-*",
+				},
+			},
+			tags: []string{
+				"us-east-1",
+			},
+			expected: true,
+		},
+		// complex test: multiple constraints
+		{
+			constraints: []types.Constraint{
+				{
+					Key:       "tag",
+					MustMatch: true,
+					Regex:     "us-east-*",
+				},
+				{
+					Key:       "tag",
+					MustMatch: false,
+					Regex:     "api",
+				},
+			},
+			tags: []string{
+				"api",
+				"us-east-1",
+			},
+			expected: false,
+		},
+	}
+
+	for i, c := range cases {
+		provider := myProvider{
+			BaseProvider{
+				Constraints: c.constraints,
+			},
+		}
+		actual, _ := provider.MatchConstraints(c.tags)
+		if actual != c.expected {
+			t.Fatalf("test #%v: expected %q, got %q, for %q", i, c.expected, actual, c.constraints)
+		}
+	}
+}
--- a/provider/zk.go
+++ b/provider/zk.go
@@ -1,6 +1,7 @@
 package provider

 import (
+	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/zookeeper"
@@ -13,8 +14,8 @@ type Zookepper struct {

 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
-func (provider *Zookepper) Provide(configurationChan chan<- types.ConfigMessage) error {
+func (provider *Zookepper) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints []types.Constraint) error {
 	provider.storeType = store.ZK
 	zookeeper.Register()
-	return provider.provide(configurationChan)
+	return provider.provide(configurationChan, pool, constraints)
 }
--- a/rules.go
+++ b/rules.go
@@ -2,7 +2,7 @@ package main

 import (
 	"errors"
-	"github.com/gorilla/mux"
+	"github.com/containous/mux"
 	"net"
 	"net/http"
 	"reflect"
@@ -106,42 +106,61 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
 		"Headers":         r.headers,
 		"HeadersRegexp":   r.headersRegexp,
 	}
+
+	if len(expression) == 0 {
+		return nil, errors.New("Empty rule")
+	}
+
 	f := func(c rune) bool {
 		return c == ':'
 	}
-	// get function
-	parsedFunctions := strings.FieldsFunc(expression, f)
-	if len(parsedFunctions) == 0 {
-		return nil, errors.New("Error parsing rule: " + expression)
-	}
-	parsedFunction, ok := functions[parsedFunctions[0]]
-	if !ok {
-		return nil, errors.New("Error parsing rule: " + expression + ". Unknow function: " + parsedFunctions[0])
-	}
-	parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
-	fargs := func(c rune) bool {
-		return c == ',' || c == ';'
-	}
-	// get function
-	parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
-	if len(parsedArgs) == 0 {
-		return nil, errors.New("Error parsing args from rule: " + expression)
+
+	// Allow multiple rules separated by ;
+	splitRule := func(c rune) bool {
+		return c == ';'
 	}

-	inputs := make([]reflect.Value, len(parsedArgs))
-	for i := range parsedArgs {
-		inputs[i] = reflect.ValueOf(parsedArgs[i])
-	}
-	method := reflect.ValueOf(parsedFunction)
-	if method.IsValid() {
-		resultRoute := method.Call(inputs)[0].Interface().(*mux.Route)
-		if r.err != nil {
-			return nil, r.err
+	parsedRules := strings.FieldsFunc(expression, splitRule)
+
+	var resultRoute *mux.Route
+
+	for _, rule := range parsedRules {
+		// get function
+		parsedFunctions := strings.FieldsFunc(rule, f)
+		if len(parsedFunctions) == 0 {
+			return nil, errors.New("Error parsing rule: '" + rule + "'")
 		}
-		if resultRoute.GetError() != nil {
-			return nil, resultRoute.GetError()
+		parsedFunction, ok := functions[strings.TrimSpace(parsedFunctions[0])]
+		if !ok {
+			return nil, errors.New("Error parsing rule: '" + rule + "'. Unknown function: '" + parsedFunctions[0] + "'")
+		}
+		parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
+		fargs := func(c rune) bool {
+			return c == ','
+		}
+		// get function
+		parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
+		if len(parsedArgs) == 0 {
+			return nil, errors.New("Error parsing args from rule: '" + rule + "'")
+		}
+
+		inputs := make([]reflect.Value, len(parsedArgs))
+		for i := range parsedArgs {
+			inputs[i] = reflect.ValueOf(strings.TrimSpace(parsedArgs[i]))
+		}
+		method := reflect.ValueOf(parsedFunction)
+		if method.IsValid() {
+			resultRoute = method.Call(inputs)[0].Interface().(*mux.Route)
+			if r.err != nil {
+				return nil, r.err
+			}
+			if resultRoute.GetError() != nil {
+				return nil, resultRoute.GetError()
+			}
+
+		} else {
+			return nil, errors.New("Method not found: '" + parsedFunctions[0] + "'")
 		}
-		return resultRoute, nil
 	}
-	return nil, errors.New("Method not found: " + parsedFunctions[0])
+	return resultRoute, nil
 }
--- a/rules_test.go
+++ b/rules_test.go
@@ -0,0 +1,132 @@
+package main
+
+import (
+	"github.com/containous/mux"
+	"net/http"
+	"net/url"
+	"testing"
+)
+
+func TestParseOneRule(t *testing.T) {
+
+	router := mux.NewRouter()
+	route := router.NewRoute()
+	serverRoute := &serverRoute{route: route}
+	rules := &Rules{route: serverRoute}
+
+	expression := "Host:foo.bar"
+	routeResult, err := rules.Parse(expression)
+
+	if err != nil {
+		t.Fatal("Error while building route for Host:foo.bar")
+	}
+
+	request, err := http.NewRequest("GET", "http://foo.bar", nil)
+	routeMatch := routeResult.Match(request, &mux.RouteMatch{Route: routeResult})
+
+	if routeMatch == false {
+		t.Log(err)
+		t.Fatal("Rule Host:foo.bar don't match")
+	}
+}
+
+func TestParseTwoRules(t *testing.T) {
+
+	router := mux.NewRouter()
+	route := router.NewRoute()
+	serverRoute := &serverRoute{route: route}
+	rules := &Rules{route: serverRoute}
+
+	expression := "Host:foo.bar;Path:/foobar"
+	routeResult, err := rules.Parse(expression)
+
+	if err != nil {
+		t.Fatal("Error while building route for Host:foo.bar;Path:/foobar")
+	}
+
+	request, err := http.NewRequest("GET", "http://foo.bar/foobar", nil)
+	routeMatch := routeResult.Match(request, &mux.RouteMatch{Route: routeResult})
+
+	if routeMatch == false {
+		t.Log(err)
+		t.Fatal("Rule Host:foo.bar;Path:/foobar don't match")
+	}
+}
+
+func TestPriorites(t *testing.T) {
+	router := mux.NewRouter()
+	router.StrictSlash(true)
+	rules := &Rules{route: &serverRoute{route: router.NewRoute()}}
+	routeFoo, err := rules.Parse("PathPrefix:/foo")
+	if err != nil {
+		t.Fatal("Error while building route for PathPrefix:/foo")
+	}
+	fooHandler := &fakeHandler{name: "fooHandler"}
+	routeFoo.Handler(fooHandler)
+
+	if !router.Match(&http.Request{URL: &url.URL{
+		Path: "/foo",
+	}}, &mux.RouteMatch{}) {
+		t.Fatalf("Error matching route")
+	}
+
+	if router.Match(&http.Request{URL: &url.URL{
+		Path: "/fo",
+	}}, &mux.RouteMatch{}) {
+		t.Fatalf("Error matching route")
+	}
+
+	multipleRules := &Rules{route: &serverRoute{route: router.NewRoute()}}
+	routeFoobar, err := multipleRules.Parse("PathPrefix:/foobar")
+	if err != nil {
+		t.Fatal("Error while building route for PathPrefix:/foobar")
+	}
+	foobarHandler := &fakeHandler{name: "foobarHandler"}
+	routeFoobar.Handler(foobarHandler)
+	if !router.Match(&http.Request{URL: &url.URL{
+		Path: "/foo",
+	}}, &mux.RouteMatch{}) {
+		t.Fatalf("Error matching route")
+	}
+	fooMatcher := &mux.RouteMatch{}
+	if !router.Match(&http.Request{URL: &url.URL{
+		Path: "/foobar",
+	}}, fooMatcher) {
+		t.Fatalf("Error matching route")
+	}
+
+	if fooMatcher.Handler == foobarHandler {
+		t.Fatalf("Error matching priority")
+	}
+
+	if fooMatcher.Handler != fooHandler {
+		t.Fatalf("Error matching priority")
+	}
+
+	routeFoo.Priority(1)
+	routeFoobar.Priority(10)
+	router.SortRoutes()
+
+	foobarMatcher := &mux.RouteMatch{}
+	if !router.Match(&http.Request{URL: &url.URL{
+		Path: "/foobar",
+	}}, foobarMatcher) {
+		t.Fatalf("Error matching route")
+	}
+
+	if foobarMatcher.Handler != foobarHandler {
+		t.Fatalf("Error matching priority")
+	}
+
+	if foobarMatcher.Handler == fooHandler {
+		t.Fatalf("Error matching priority")
+	}
+}
+
+type fakeHandler struct {
+	name string
+}
+
+func (h *fakeHandler) ServeHTTP(http.ResponseWriter, *http.Request) {
+
+}
--- a/safe/routine.go
+++ b/safe/routine.go
@@ -0,0 +1,70 @@
+package safe
+
+import (
+	"log"
+	"runtime/debug"
+	"sync"
+)
+
+type routine struct {
+	goroutine func(chan bool)
+	stop      chan bool
+}
+
+// Pool creates a pool of go routines
+type Pool struct {
+	routines  []routine
+	waitGroup sync.WaitGroup
+	lock      sync.Mutex
+}
+
+// Go starts a recoverable goroutine, and can be stopped with stop chan
+func (p *Pool) Go(goroutine func(stop chan bool)) {
+	p.lock.Lock()
+	newRoutine := routine{
+		goroutine: goroutine,
+		stop:      make(chan bool, 1),
+	}
+	p.routines = append(p.routines, newRoutine)
+	p.waitGroup.Add(1)
+	Go(func() {
+		goroutine(newRoutine.stop)
+		p.waitGroup.Done()
+	})
+	p.lock.Unlock()
+}
+
+// Stop stops all started routines, waiting for their termination
+func (p *Pool) Stop() {
+	p.lock.Lock()
+	for _, routine := range p.routines {
+		routine.stop <- true
+	}
+	p.waitGroup.Wait()
+	for _, routine := range p.routines {
+		close(routine.stop)
+	}
+	p.lock.Unlock()
+}
+
+// Go starts a recoverable goroutine
+func Go(goroutine func()) {
+	GoWithRecover(goroutine, defaultRecoverGoroutine)
+}
+
+// GoWithRecover starts a recoverable goroutine using given customRecover() function
+func GoWithRecover(goroutine func(), customRecover func(err interface{})) {
+	go func() {
+		defer func() {
+			if err := recover(); err != nil {
+				customRecover(err)
+			}
+		}()
+		goroutine()
+	}()
+}
+
+func defaultRecoverGoroutine(err interface{}) {
+	log.Println(err)
+	debug.PrintStack()
+}
--- a/safe/safe.go
+++ b/safe/safe.go
@@ -1,28 +1,30 @@
 package safe

 import (
-	"log"
-	"runtime/debug"
+	"sync"
 )

-// Go starts a recoverable goroutine
-func Go(goroutine func()) {
-	GoWithRecover(goroutine, defaultRecoverGoroutine)
+// Safe contains a thread-safe value
+type Safe struct {
+	value interface{}
+	lock  sync.RWMutex
 }

-// GoWithRecover starts a recoverable goroutine using given customRecover() function
-func GoWithRecover(goroutine func(), customRecover func(err interface{})) {
-	go func() {
-		defer func() {
-			if err := recover(); err != nil {
-				customRecover(err)
-			}
-		}()
-		goroutine()
-	}()
+// New create a new Safe instance given a value
+func New(value interface{}) *Safe {
+	return &Safe{value: value, lock: sync.RWMutex{}}
 }

-func defaultRecoverGoroutine(err interface{}) {
-	log.Println(err)
-	debug.PrintStack()
+// Get returns the value
+func (s *Safe) Get() interface{} {
+	s.lock.RLock()
+	defer s.lock.RUnlock()
+	return s.value
+}
+
+// Set sets a new value
+func (s *Safe) Set(value interface{}) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	s.value = value
 }
--- a/script/binary
+++ b/script/binary
@@ -17,9 +17,13 @@ if [ -z "$VERSION" ]; then
    VERSION=$(git rev-parse HEAD)
 fi

+if [ -z "$CODENAME" ]; then
+    CODENAME=cheddar
+fi
+
 if [ -z "$DATE" ]; then
    DATE=$(date -u '+%Y-%m-%d_%I:%M:%S%p')
 fi

 # Build binaries
-CGO_ENABLED=0 GOGC=off go build $FLAGS -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .
+CGO_ENABLED=0 GOGC=off go build $FLAGS -ldflags "-s -w -X main.Version=$VERSION -X main.Codename=$CODENAME -X main.BuildDate=$DATE" -a -installsuffix nocgo -o dist/traefik .
--- a/script/crossbinary
+++ b/script/crossbinary
@@ -6,24 +6,14 @@ if ! test -e autogen/gen.go; then
 	false
 fi

-if [ -z "$1" ]; then
-    # Remove windows platform because of
-    # https://github.com/mailgun/log/issues/10
-    OS_PLATFORM_ARG=(-os="darwin linux")
-else
-    OS_PLATFORM_ARG=($1)
-fi
-
-if [ -z "$2" ]; then
-    OS_ARCH_ARG=(-arch="386 amd64 arm")
-else
-    OS_ARCH_ARG=($2)
-fi
-
 if [ -z "$VERSION" ]; then
    VERSION=$(git rev-parse HEAD)
 fi

+if [ -z "$CODENAME" ]; then
+    CODENAME=cheddar
+fi
+
 if [ -z "$DATE" ]; then
    DATE=$(date -u '+%Y-%m-%d_%I:%M:%S%p')
 fi
@@ -31,6 +21,23 @@ fi
 # Get rid of existing binaries
 rm -f dist/traefik_*

-# Build binaries
-GOGC=off gox -ldflags "-X main.Version=$VERSION -X main.BuildDate=$DATE" "${OS_PLATFORM_ARG[@]}" "${OS_ARCH_ARG[@]}" \
-    -output="dist/traefik_{{.OS}}-{{.Arch}}"
+# Build 386 amd64 binaries
+OS_PLATFORM_ARG=(linux darwin windows)
+OS_ARCH_ARG=(386 amd64)
+for OS in ${OS_PLATFORM_ARG[@]}; do
+  for ARCH in ${OS_ARCH_ARG[@]}; do
+    echo "Building binary for $OS/$ARCH..."
+    GOARCH=$ARCH GOOS=$OS CGO_ENABLED=0 go build -ldflags "-s -w -X main.Version=$VERSION -X main.Codename=$CODENAME -X main.BuildDate=$DATE" -o "dist/traefik_$OS-$ARCH" .
+  done
+done
+
+
+# Build arm binaries
+OS_PLATFORM_ARG=(linux)
+OS_ARCH_ARG=(arm arm64)
+for OS in ${OS_PLATFORM_ARG[@]}; do
+  for ARCH in ${OS_ARCH_ARG[@]}; do
+    echo "Building binary for $OS/$ARCH..."
+    GOARCH=$ARCH GOOS=$OS CGO_ENABLED=0 go build -ldflags "-s -w -X main.Version=$VERSION -X main.Codename=$CODENAME -X main.BuildDate=$DATE" -o "dist/traefik_$OS-$ARCH" .
+  done
+done
--- a/script/deploy-pr.sh
+++ b/script/deploy-pr.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+if ([ -z "$TRAVIS_TAG" ]) && [ "$TRAVIS_PULL_REQUEST" = "false" ] && [ "$DOCKER_VERSION" = "1.10.1" ]; then
+  echo "Deploying PR..."
+else
+  echo "Skipping deploy PR"
+  exit 0
+fi
+
+COMMENT=$(git log -1 --pretty=%B)
+PR=$(echo $COMMENT | grep -oP "Merge pull request #\K(([0-9]*))(?=.*)")
+
+if [ -z "$PR" ]; then
+    echo "Unable to get PR number: $PR from: $COMMENT"
+    exit 0
+fi  
+
+# create docker image containous/traefik
+echo "Updating docker containous/traefik image..."
+docker login -e $DOCKER_EMAIL -u $DOCKER_USER -p $DOCKER_PASS
+docker tag containous/traefik containous/traefik:pr-${PR}
+docker push containous/traefik:pr-${PR}
+
+echo "Deployed"
--- a/script/deploy.sh
+++ b/script/deploy.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e

-if ([ "$TRAVIS_BRANCH" = "master" ] || [ ! -z "$TRAVIS_TAG" ]) && [ "$TRAVIS_PULL_REQUEST" = "false" ]; then
+if [ -n "$TRAVIS_TAG" ] && [ "$DOCKER_VERSION" = "1.10.1" ]; then
  echo "Deploying..."
 else
  echo "Skipping deploy"
--- a/script/test-integration
+++ b/script/test-integration
@@ -11,4 +11,6 @@ if [ -n "$VERBOSE" ]; then
 fi

 cd integration
+echo "Testing against…"
+docker version
 CGO_ENABLED=0 go test $TESTFLAGS
--- a/server.go
+++ b/server.go
@@ -7,6 +7,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
+	"golang.org/x/net/context"
 	"net/http"
 	"net/url"
 	"os"
@@ -14,23 +15,23 @@ import (
 	"reflect"
 	"regexp"
 	"sort"
-	"strconv"
-	"sync"
 	"syscall"
 	"time"

 	log "github.com/Sirupsen/logrus"
 	"github.com/codegangsta/negroni"
-	"github.com/containous/oxy/cbreaker"
-	"github.com/containous/oxy/forward"
-	"github.com/containous/oxy/roundrobin"
-	"github.com/containous/oxy/stream"
+	"github.com/containous/mux"
 	"github.com/containous/traefik/middlewares"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
-	"github.com/gorilla/mux"
 	"github.com/mailgun/manners"
+	"github.com/streamrail/concurrent-map"
+	"github.com/vulcand/oxy/cbreaker"
+	"github.com/vulcand/oxy/connlimit"
+	"github.com/vulcand/oxy/forward"
+	"github.com/vulcand/oxy/roundrobin"
+	"github.com/vulcand/oxy/utils"
 )

 var oxyLogger = &OxyLogger{}
@@ -43,10 +44,10 @@ type Server struct {
 	signals                    chan os.Signal
 	stopChan                   chan bool
 	providers                  []provider.Provider
-	serverLock                 sync.Mutex
-	currentConfigurations      configs
+	currentConfigurations      safe.Safe
 	globalConfiguration        GlobalConfiguration
 	loggerMiddleware           *middlewares.Logger
+	routinesPool               safe.Pool
 }

 type serverEntryPoints map[string]*serverEntryPoint
@@ -66,13 +67,14 @@ func NewServer(globalConfiguration GlobalConfiguration) *Server {
 	server := new(Server)

 	server.serverEntryPoints = make(map[string]*serverEntryPoint)
-	server.configurationChan = make(chan types.ConfigMessage, 10)
-	server.configurationValidatedChan = make(chan types.ConfigMessage, 10)
+	server.configurationChan = make(chan types.ConfigMessage, 100)
+	server.configurationValidatedChan = make(chan types.ConfigMessage, 100)
 	server.signals = make(chan os.Signal, 1)
-	server.stopChan = make(chan bool)
+	server.stopChan = make(chan bool, 1)
 	server.providers = []provider.Provider{}
 	signal.Notify(server.signals, syscall.SIGINT, syscall.SIGTERM)
-	server.currentConfigurations = make(configs)
+	currentConfigurations := make(configs)
+	server.currentConfigurations.Set(currentConfigurations)
 	server.globalConfiguration = globalConfiguration
 	server.loggerMiddleware = middlewares.NewLogger(globalConfiguration.AccessLogsFile)

@@ -82,11 +84,11 @@ func NewServer(globalConfiguration GlobalConfiguration) *Server {
 // Start starts the server and blocks until server is shutted down.
 func (server *Server) Start() {
 	server.startHTTPServers()
-	safe.Go(func() {
-		server.listenProviders()
+	server.routinesPool.Go(func(stop chan bool) {
+		server.listenProviders(stop)
 	})
-	safe.Go(func() {
-		server.listenConfigurations()
+	server.routinesPool.Go(func(stop chan bool) {
+		server.listenConfigurations(stop)
 	})
 	server.configureProviders()
 	server.startProviders()
@@ -96,19 +98,38 @@ func (server *Server) Start() {

 // Stop stops the server
 func (server *Server) Stop() {
-	for _, serverEntryPoint := range server.serverEntryPoints {
-		serverEntryPoint.httpServer.BlockingClose()
+	for serverEntryPointName, serverEntryPoint := range server.serverEntryPoints {
+		ctx, cancel := context.WithTimeout(context.Background(), time.Duration(server.globalConfiguration.GraceTimeOut)*time.Second)
+		go func() {
+			log.Debugf("Waiting %d seconds before killing connections on entrypoint %s...", 30, serverEntryPointName)
+			serverEntryPoint.httpServer.BlockingClose()
+			cancel()
+		}()
+		<-ctx.Done()
 	}
 	server.stopChan <- true
 }

 // Close destroys the server
 func (server *Server) Close() {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(server.globalConfiguration.GraceTimeOut)*time.Second)
+	go func(ctx context.Context) {
+		<-ctx.Done()
+		if ctx.Err() == context.Canceled {
+			return
+		} else if ctx.Err() == context.DeadlineExceeded {
+			log.Debugf("I love you all :'( ✝")
+			os.Exit(1)
+		}
+	}(ctx)
+	server.routinesPool.Stop()
 	close(server.configurationChan)
 	close(server.configurationValidatedChan)
+	signal.Stop(server.signals)
 	close(server.signals)
 	close(server.stopChan)
 	server.loggerMiddleware.Close()
+	cancel()
 }

 func (server *Server) startHTTPServers() {
@@ -124,56 +145,95 @@ func (server *Server) startHTTPServers() {
 	}
 }

-func (server *Server) listenProviders() {
-	lastReceivedConfiguration := time.Unix(0, 0)
-	lastConfigs := make(map[string]*types.ConfigMessage)
+func (server *Server) listenProviders(stop chan bool) {
+	lastReceivedConfiguration := safe.New(time.Unix(0, 0))
+	lastConfigs := cmap.New()
 	for {
-		configMsg := <-server.configurationChan
-		jsonConf, _ := json.Marshal(configMsg.Configuration)
-		log.Debugf("Configuration received from provider %s: %s", configMsg.ProviderName, string(jsonConf))
-		lastConfigs[configMsg.ProviderName] = &configMsg
-		if time.Now().After(lastReceivedConfiguration.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
-			log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
-			// last config received more than n s ago
-			server.configurationValidatedChan <- configMsg
-		} else {
-			log.Debugf("Last %s config received less than %s, waiting...", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
-			safe.Go(func() {
-				<-time.After(server.globalConfiguration.ProvidersThrottleDuration)
-				if time.Now().After(lastReceivedConfiguration.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
-					log.Debugf("Waited for %s config, OK", configMsg.ProviderName)
-					server.configurationValidatedChan <- *lastConfigs[configMsg.ProviderName]
+		select {
+		case <-stop:
+			return
+		case configMsg, ok := <-server.configurationChan:
+			if !ok {
+				return
+			}
+			server.defaultConfigurationValues(configMsg.Configuration)
+			currentConfigurations := server.currentConfigurations.Get().(configs)
+			jsonConf, _ := json.Marshal(configMsg.Configuration)
+			log.Debugf("Configuration received from provider %s: %s", configMsg.ProviderName, string(jsonConf))
+			if configMsg.Configuration == nil || configMsg.Configuration.Backends == nil && configMsg.Configuration.Frontends == nil {
+				log.Infof("Skipping empty Configuration for provider %s", configMsg.ProviderName)
+			} else if reflect.DeepEqual(currentConfigurations[configMsg.ProviderName], configMsg.Configuration) {
+				log.Infof("Skipping same configuration for provider %s", configMsg.ProviderName)
+			} else {
+				lastConfigs.Set(configMsg.ProviderName, &configMsg)
+				lastReceivedConfigurationValue := lastReceivedConfiguration.Get().(time.Time)
+				if time.Now().After(lastReceivedConfigurationValue.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
+					log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
+					// last config received more than n s ago
+					server.configurationValidatedChan <- configMsg
+				} else {
+					log.Debugf("Last %s config received less than %s, waiting...", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
+					safe.Go(func() {
+						<-time.After(server.globalConfiguration.ProvidersThrottleDuration)
+						lastReceivedConfigurationValue := lastReceivedConfiguration.Get().(time.Time)
+						if time.Now().After(lastReceivedConfigurationValue.Add(time.Duration(server.globalConfiguration.ProvidersThrottleDuration))) {
+							log.Debugf("Waited for %s config, OK", configMsg.ProviderName)
+							if lastConfig, ok := lastConfigs.Get(configMsg.ProviderName); ok {
+								server.configurationValidatedChan <- *lastConfig.(*types.ConfigMessage)
+							}
+						}
+					})
 				}
-			})
+				lastReceivedConfiguration.Set(time.Now())
+			}
 		}
-		lastReceivedConfiguration = time.Now()
 	}
 }

-func (server *Server) listenConfigurations() {
+func (server *Server) defaultConfigurationValues(configuration *types.Configuration) {
+	if configuration == nil || configuration.Frontends == nil {
+		return
+	}
+	for _, frontend := range configuration.Frontends {
+		// default endpoints if not defined in frontends
+		if len(frontend.EntryPoints) == 0 {
+			frontend.EntryPoints = server.globalConfiguration.DefaultEntryPoints
+		}
+	}
+	for backendName, backend := range configuration.Backends {
+		_, err := types.NewLoadBalancerMethod(backend.LoadBalancer)
+		if err != nil {
+			log.Debugf("Error loading load balancer method '%+v' for backend %s: %v. Using default wrr.", backend.LoadBalancer, backendName, err)
+			backend.LoadBalancer = &types.LoadBalancer{Method: "wrr"}
+		}
+	}
+}
+
+func (server *Server) listenConfigurations(stop chan bool) {
 	for {
-		configMsg := <-server.configurationValidatedChan
-		if configMsg.Configuration == nil {
-			log.Info("Skipping empty Configuration")
-		} else if reflect.DeepEqual(server.currentConfigurations[configMsg.ProviderName], configMsg.Configuration) {
-			log.Info("Skipping same configuration")
-		} else {
+		select {
+		case <-stop:
+			return
+		case configMsg, ok := <-server.configurationValidatedChan:
+			if !ok {
+				return
+			}
+			currentConfigurations := server.currentConfigurations.Get().(configs)
+
 			// Copy configurations to new map so we don't change current if LoadConfig fails
 			newConfigurations := make(configs)
-			for k, v := range server.currentConfigurations {
+			for k, v := range currentConfigurations {
 				newConfigurations[k] = v
 			}
 			newConfigurations[configMsg.ProviderName] = configMsg.Configuration

 			newServerEntryPoints, err := server.loadConfig(newConfigurations, server.globalConfiguration)
 			if err == nil {
-				server.serverLock.Lock()
 				for newServerEntryPointName, newServerEntryPoint := range newServerEntryPoints {
 					server.serverEntryPoints[newServerEntryPointName].httpRouter.UpdateHandler(newServerEntryPoint.httpRouter.GetHandler())
 					log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
 				}
-				server.currentConfigurations = newConfigurations
-				server.serverLock.Unlock()
+				server.currentConfigurations.Set(newConfigurations)
 			} else {
 				log.Error("Error loading new configuration, aborted ", err)
 			}
@@ -211,6 +271,9 @@ func (server *Server) configureProviders() {
 	if server.globalConfiguration.Boltdb != nil {
 		server.providers = append(server.providers, server.globalConfiguration.Boltdb)
 	}
+	if server.globalConfiguration.Kubernetes != nil {
+		server.providers = append(server.providers, server.globalConfiguration.Kubernetes)
+	}
 }

 func (server *Server) startProviders() {
@@ -220,7 +283,7 @@ func (server *Server) startProviders() {
 		log.Infof("Starting provider %v %s", reflect.TypeOf(provider), jsonConf)
 		currentProvider := provider
 		safe.Go(func() {
-			err := currentProvider.Provide(server.configurationChan)
+			err := currentProvider.Provide(server.configurationChan, &server.routinesPool, server.globalConfiguration.Constraints)
 			if err != nil {
 				log.Errorf("Error starting provider %s", err)
 			}
@@ -255,7 +318,10 @@ func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, rou
 		if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok {
 			if entryPointName == server.globalConfiguration.ACME.EntryPoint {
 				checkOnDemandDomain := func(domain string) bool {
-					if router.GetHandler().Match(&http.Request{URL: &url.URL{}, Host: domain}, &mux.RouteMatch{}) {
+					routeMatch := &mux.RouteMatch{}
+					router := router.GetHandler()
+					match := router.Match(&http.Request{URL: &url.URL{}, Host: domain}, routeMatch)
+					if match && routeMatch.Route != nil {
 						return true
 					}
 					return false
@@ -344,31 +410,41 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 	redirectHandlers := make(map[string]http.Handler)

 	backends := map[string]http.Handler{}
+	backend2FrontendMap := map[string]string{}
 	for _, configuration := range configurations {
 		frontendNames := sortedFrontendNamesForConfig(configuration)
+	frontend:
 		for _, frontendName := range frontendNames {
 			frontend := configuration.Frontends[frontendName]

 			log.Debugf("Creating frontend %s", frontendName)
-			fwd, _ := forward.New(forward.Logger(oxyLogger), forward.PassHostHeader(frontend.PassHostHeader))
-			// default endpoints if not defined in frontends
-			if len(frontend.EntryPoints) == 0 {
-				frontend.EntryPoints = globalConfiguration.DefaultEntryPoints
+
+			fwd, err := forward.New(forward.Logger(oxyLogger), forward.PassHostHeader(frontend.PassHostHeader))
+			if err != nil {
+				log.Errorf("Error creating forwarder for frontend %s: %v", frontendName, err)
+				log.Errorf("Skipping frontend %s...", frontendName)
+				continue frontend
 			}
+			saveBackend := middlewares.NewSaveBackend(fwd)
 			if len(frontend.EntryPoints) == 0 {
-				log.Errorf("No entrypoint defined for frontend %s, defaultEntryPoints:%s. Skipping it", frontendName, globalConfiguration.DefaultEntryPoints)
-				continue
+				log.Errorf("No entrypoint defined for frontend %s, defaultEntryPoints:%s", frontendName, globalConfiguration.DefaultEntryPoints)
+				log.Errorf("Skipping frontend %s...", frontendName)
+				continue frontend
 			}
 			for _, entryPointName := range frontend.EntryPoints {
 				log.Debugf("Wiring frontend %s to entryPoint %s", frontendName, entryPointName)
 				if _, ok := serverEntryPoints[entryPointName]; !ok {
-					return nil, errors.New("Undefined entrypoint: " + entryPointName)
+					log.Errorf("Undefined entrypoint '%s' for frontend %s", entryPointName, frontendName)
+					log.Errorf("Skipping frontend %s...", frontendName)
+					continue frontend
 				}
 				newServerRoute := &serverRoute{route: serverEntryPoints[entryPointName].httpRouter.GetHandler().NewRoute().Name(frontendName)}
 				for routeName, route := range frontend.Routes {
 					err := getRoute(newServerRoute, &route)
 					if err != nil {
-						return nil, err
+						log.Errorf("Error creating route for frontend %s: %v", frontendName, err)
+						log.Errorf("Skipping frontend %s...", frontendName)
+						continue frontend
 					}
 					log.Debugf("Creating route %s %s", routeName, route.Rule)
 				}
@@ -377,7 +453,9 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 					if redirectHandlers[entryPointName] != nil {
 						newServerRoute.route.Handler(redirectHandlers[entryPointName])
 					} else if handler, err := server.loadEntryPointConfig(entryPointName, entryPoint); err != nil {
-						return nil, err
+						log.Errorf("Error loading entrypoint configuration for frontend %s: %v", frontendName, err)
+						log.Errorf("Skipping frontend %s...", frontendName)
+						continue frontend
 					} else {
 						newServerRoute.route.Handler(handler)
 						redirectHandlers[entryPointName] = handler
@@ -386,13 +464,17 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 					if backends[frontend.Backend] == nil {
 						log.Debugf("Creating backend %s", frontend.Backend)
 						var lb http.Handler
-						rr, _ := roundrobin.New(fwd)
+						rr, _ := roundrobin.New(saveBackend)
 						if configuration.Backends[frontend.Backend] == nil {
-							return nil, errors.New("Undefined backend: " + frontend.Backend)
+							log.Errorf("Undefined backend '%s' for frontend %s", frontend.Backend, frontendName)
+							log.Errorf("Skipping frontend %s...", frontendName)
+							continue frontend
 						}
 						lbMethod, err := types.NewLoadBalancerMethod(configuration.Backends[frontend.Backend].LoadBalancer)
 						if err != nil {
-							configuration.Backends[frontend.Backend].LoadBalancer = &types.LoadBalancer{Method: "wrr"}
+							log.Errorf("Error loading load balancer method '%+v' for frontend %s: %v", configuration.Backends[frontend.Backend].LoadBalancer, frontendName, err)
+							log.Errorf("Skipping frontend %s...", frontendName)
+							continue frontend
 						}
 						switch lbMethod {
 						case types.Drr:
@@ -402,11 +484,16 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 							for serverName, server := range configuration.Backends[frontend.Backend].Servers {
 								url, err := url.Parse(server.URL)
 								if err != nil {
-									return nil, err
+									log.Errorf("Error parsing server URL %s: %v", server.URL, err)
+									log.Errorf("Skipping frontend %s...", frontendName)
+									continue frontend
 								}
+								backend2FrontendMap[url.String()] = frontendName
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
 								if err := rebalancer.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
-									return nil, err
+									log.Errorf("Error adding server %s to load balancer: %v", server.URL, err)
+									log.Errorf("Skipping frontend %s...", frontendName)
+									continue frontend
 								}
 							}
 						case types.Wrr:
@@ -415,41 +502,55 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 							for serverName, server := range configuration.Backends[frontend.Backend].Servers {
 								url, err := url.Parse(server.URL)
 								if err != nil {
-									return nil, err
+									log.Errorf("Error parsing server URL %s: %v", server.URL, err)
+									log.Errorf("Skipping frontend %s...", frontendName)
+									continue frontend
 								}
+								backend2FrontendMap[url.String()] = frontendName
 								log.Debugf("Creating server %s at %s with weight %d", serverName, url.String(), server.Weight)
 								if err := rr.UpsertServer(url, roundrobin.Weight(server.Weight)); err != nil {
-									return nil, err
+									log.Errorf("Error adding server %s to load balancer: %v", server.URL, err)
+									log.Errorf("Skipping frontend %s...", frontendName)
+									continue frontend
 								}
 							}
 						}
+						maxConns := configuration.Backends[frontend.Backend].MaxConn
+						if maxConns != nil && maxConns.Amount != 0 {
+							extractFunc, err := utils.NewExtractor(maxConns.ExtractorFunc)
+							if err != nil {
+								log.Errorf("Error creating connlimit: %v", err)
+								log.Errorf("Skipping frontend %s...", frontendName)
+								continue frontend
+							}
+							log.Debugf("Creating loadd-balancer connlimit")
+							lb, err = connlimit.New(lb, extractFunc, maxConns.Amount, connlimit.Logger(oxyLogger))
+							if err != nil {
+								log.Errorf("Error creating connlimit: %v", err)
+								log.Errorf("Skipping frontend %s...", frontendName)
+								continue frontend
+							}
+						}
 						// retry ?
 						if globalConfiguration.Retry != nil {
 							retries := len(configuration.Backends[frontend.Backend].Servers)
 							if globalConfiguration.Retry.Attempts > 0 {
 								retries = globalConfiguration.Retry.Attempts
 							}
-							maxMem := int64(2 * 1024 * 1024)
-							if globalConfiguration.Retry.MaxMem > 0 {
-								maxMem = globalConfiguration.Retry.MaxMem
-							}
-							lb, err = stream.New(lb,
-								stream.Logger(oxyLogger),
-								stream.Retry("IsNetworkError() && Attempts() < "+strconv.Itoa(retries)),
-								stream.MemRequestBodyBytes(maxMem),
-								stream.MaxRequestBodyBytes(maxMem),
-								stream.MemResponseBodyBytes(maxMem),
-								stream.MaxResponseBodyBytes(maxMem))
+							lb = middlewares.NewRetry(retries, lb)
 							log.Debugf("Creating retries max attempts %d", retries)
-							if err != nil {
-								return nil, err
-							}
 						}

 						var negroni = negroni.New()
 						if configuration.Backends[frontend.Backend].CircuitBreaker != nil {
 							log.Debugf("Creating circuit breaker %s", configuration.Backends[frontend.Backend].CircuitBreaker.Expression)
-							negroni.Use(middlewares.NewCircuitBreaker(lb, configuration.Backends[frontend.Backend].CircuitBreaker.Expression, cbreaker.Logger(oxyLogger)))
+							cbreaker, err := middlewares.NewCircuitBreaker(lb, configuration.Backends[frontend.Backend].CircuitBreaker.Expression, cbreaker.Logger(oxyLogger))
+							if err != nil {
+								log.Errorf("Error creating circuit breaker: %v", err)
+								log.Errorf("Skipping frontend %s...", frontendName)
+								continue frontend
+							}
+							negroni.Use(cbreaker)
 						} else {
 							negroni.UseHandler(lb)
 						}
@@ -457,6 +558,9 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 					} else {
 						log.Debugf("Reusing backend %s", frontend.Backend)
 					}
+					if frontend.Priority > 0 {
+						newServerRoute.route.Priority(frontend.Priority)
+					}
 					server.wireFrontendBackend(newServerRoute, backends[frontend.Backend])
 				}
 				err := newServerRoute.route.GetError()
@@ -466,6 +570,11 @@ func (server *Server) loadConfig(configurations configs, globalConfiguration Glo
 			}
 		}
 	}
+	middlewares.SetBackend2FrontendMap(&backend2FrontendMap)
+	//sort routes
+	for _, serverEntryPoint := range serverEntryPoints {
+		serverEntryPoint.httpRouter.GetHandler().SortRoutes()
+	}
 	return serverEntryPoints, nil
 }

@@ -531,6 +640,7 @@ func getRoute(serverRoute *serverRoute, route *types.Route) error {
 	if err != nil {
 		return err
 	}
+	newRoute.Priority(serverRoute.route.GetPriority() + len(route.Rule))
 	serverRoute.route = newRoute
 	return nil
 }
--- a/templates/consul_catalog.tmpl
+++ b/templates/consul_catalog.tmpl
@@ -1,12 +1,42 @@
-[backends]{{range .Nodes}}
-    [backends.backend-{{getBackend .}}.servers.{{.Service.Service | replace "." "-"}}--{{.Service.Address | replace "." "-"}}--{{.Service.Port}}]
-    url = "http://{{.Service.Address}}:{{.Service.Port}}"
+[backends]
+{{range $index, $node := .Nodes}}
+  {{if ne (getAttribute "enable" $node.Service.Tags "true") "false"}}
+    [backends."backend-{{getBackend $node}}".servers."{{getBackendName $node $index}}"]
+      url = "{{getAttribute "protocol" $node.Service.Tags "http"}}://{{getBackendAddress $node}}:{{$node.Service.Port}}"
+      {{$weight := getAttribute "backend.weight" $node.Service.Tags ""}}
+      {{with $weight}}
+        weight = {{$weight}}
+      {{end}}
+    {{end}}
 {{end}}

-[frontends]{{range .Services}}
-  [frontends.frontend-{{.}}]
-  backend = "backend-{{.}}"
-  passHostHeader = false
-    [frontends.frontend-{{.}}.routes.route-host-{{.}}]
-    rule = "{{getFrontendValue .}}"
+{{range .Services}}
+  {{$service := .ServiceName}}
+  {{$circuitBreaker := getAttribute "backend.circuitbreaker" .Attributes ""}}
+  {{with $circuitBreaker}}
+  [backends."backend-{{$service}}".circuitbreaker]
+    expression = "{{$circuitBreaker}}"
+  {{end}}
+
+  {{$loadBalancer := getAttribute "backend.loadbalancer" .Attributes ""}}
+  {{with $loadBalancer}}
+  [backends."backend-{{$service}}".loadbalancer]
+    method = "{{$loadBalancer}}"
+  {{end}}
+{{end}}
+
+[frontends]
+{{range .Services}}
+  [frontends."frontend-{{.ServiceName}}"]
+  backend = "backend-{{.ServiceName}}"
+  passHostHeader = {{getAttribute "frontend.passHostHeader" .Attributes "true"}}
+  priority = {{getAttribute "frontend.priority" .Attributes "0"}}
+  {{$entryPoints := getAttribute "frontend.entrypoints" .Attributes ""}}
+  {{with $entryPoints}}
+    entrypoints = [{{range getEntryPoints $entryPoints}}
+      "{{.}}",
+    {{end}}]
+  {{end}}
+  [frontends."frontend-{{.ServiceName}}".routes."route-host-{{.ServiceName}}"]
+    rule = "{{getFrontendRule .}}"
 {{end}}
--- a/Show More
+++ b/Show More