Fix consul catalog refresh problems

- user-guide review.
- add DataDog and StatD configuration.
- sync sample.toml and doc.
- split entry points doc.
- Deprecated.

.github/CODEOWNERS

@@ -0,0 +1,24 @@
+provider/kubernetes/**  @containous/kubernetes
+provider/rancher/**     @containous/rancher
+provider/marathon/**    @containous/marathon
+provider/docker/**      @containous/docker
+
+docs/user-guide/kubernetes.md       @containous/kubernetes
+docs/user-guide/marathon.md         @containous/marathon
+docs/user-guide/swarm.md            @containous/docker
+docs/user-guide/swarm-mode.md       @containous/docker
+
+docs/configuration/backends/docker.md       @containous/docker
+docs/configuration/backends/kubernetes.md   @containous/kubernetes
+docs/configuration/backends/marathon.md     @containous/marathon
+docs/configuration/backends/rancher.md      @containous/rancher
+
+examples/k8s/                   @containous/kubernetes
+examples/compose-k8s.yaml       @containous/kubernetes
+examples/k8s.namespace.yaml     @containous/kubernetes
+examples/compose-rancher.yml    @containous/rancher
+examples/compose-marathon.yml   @containous/marathon
+
+vendor/github.com/gambol99/go-marathon  @containous/marathon
+vendor/github.com/rancher               @containous/rancher
+vendor/k8s.io/                          @containous/kubernetes

.github/CONTRIBUTING.md

@@ -1,150 +0,0 @@
-# Contributing
-
-### Building
-
-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build traefik. For changes to its dependencies, the `glide` dependency management tool and `glide-vc` plugin are required.
-
-#### Method 1: Using `Docker` and `Makefile`
-
-You need to run the `binary` target. This will create binaries for Linux platform in the `dist` folder.
-
-```bash
-$ make binary
-docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
-Sending build context to Docker daemon 295.3 MB
-Step 0 : FROM golang:1.7
- ---> 8c6473912976
-Step 1 : RUN go get github.com/Masterminds/glide
-[...]
-docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/emile/dev/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
----> Making bundle: generate (in .)
-removed 'gen.go'
-
----> Making bundle: binary (in .)
-
-$ ls dist/
-traefik*
-```
-
-#### Method 2: Using `go`
-
-###### Setting up your `go` environment
-
-- You need `go` v1.7+
-- It is recommended you clone Træfik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
-- This will allow your `GOPATH` and `PATH` variable to be set to `~/go` via:
-```bash
-$ export GOPATH=~/go
-$ export PATH=$PATH:$GOPATH/bin
-```
-
-This can be verified via `$ go env`
-- You will want to add those 2 export lines to your `.bashrc` or `.bash_profile`
-- You need `go-bindata` to be able to use `go generate` command (needed to build) : `$ go get github.com/jteeuwen/go-bindata/...` (Please note, the ellipses are required)
-
-#### Setting up `glide` and `glide-vc` for dependency management
-
-- Glide is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
-- Glide can be installed either via homebrew: `$ brew install glide` or via the official glide script: `$ curl https://glide.sh/get | sh`
-- The glide plugin `glide-vc` must be installed from source: `go get github.com/sgotti/glide-vc`
-
-If you want to add a dependency, use `$ glide get` to have glide put it into the vendor folder and update the glide manifest/lock files (`glide.yaml` and `glide.lock`, respectively). A following `glide-vc` run should be triggered to trim down the size of the vendor folder. The final result must be committed into VCS.
-
-Dependencies for the integration tests in the `integration` folder are managed in a separate `integration/glide.yaml` file using the same toolset.
-
-Care must be taken to choose the right arguments to `glide` when dealing with either main or integration test dependencies, or otherwise risk ending up with a broken build. For that reason, the helper script `script/glide.sh` encapsulates the gory details and conveniently calls `glide-vc` as well. Call it without parameters for basic usage instructions.
-
-Here's a full example:
-
-```bash
-# install the new main dependency github.com/foo/bar and minimize vendor size
-$ ./script/glide.sh get github.com/foo/bar
-# install another dependency, this time for the integration tests
-$ ( cd integration && ../script/glide.sh get github.com/baz/quuz )
-# generate (Only required to integrate other components such as web dashboard)
-$ go generate
-# Standard go build
-$ go build
-# Using gox to build multiple platform
-$ gox "linux darwin" "386 amd64 arm" \
-    -output="dist/traefik_{{.OS}}-{{.Arch}}" \
-    ./cmd/traefik
-# run other commands like tests
-```
-
-### Tests
-
-##### Method 1: `Docker` and `make`
-
-You can run unit tests using the `test-unit` target and the
-integration test using the `test-integration` target.
-
-```bash
-$ make test-unit
-docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
-# […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/vincent/src/github/vdemeester/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
----> Making bundle: generate (in .)
-removed 'gen.go'
-
----> Making bundle: test-unit (in .)
-+ go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
-
-Test success
-```
-
-For development purposes, you can specify which tests to run by using:
-```bash
-# Run every tests in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite" make test-integration
-
-# Run the test "MyTest" in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
-
-# Run every tests starting with "My", in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.My" make test-integration
-
-# Run every tests ending with "Test", in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
-```
-
-More: https://labix.org/gocheck
-
-##### Method 2: `go`
-
-- Tests can be run from the cloned directory, by `$ go test ./...` which should return `ok` similar to:
-```
-ok      _/home/vincent/src/github/vdemeester/traefik    0.004s
-```
-
-### Documentation
-
-The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
-
-First make sure you have python and pip installed
-
-```shell
-$ python --version
-Python 2.7.2
-$ pip --version
-pip 1.5.2
-```
-
-Then install mkdocs with pip
-
-```shell
-$ pip install mkdocs
-```
-
-To test documentation locally run `mkdocs serve` in the root directory, this should start a server locally to preview your changes.
-
-```shell
-$ mkdocs serve
-INFO    -  Building documentation...
-WARNING -  Config value: 'theme'. Warning: The theme 'united' will be removed in an upcoming MkDocs release. See http://www.mkdocs.org/about/release-notes/ for more details
-INFO    -  Cleaning site directory
-[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
-[I 160505 22:31:24 handlers:59] Start watching changes
-[I 160505 22:31:24 handlers:61] Start detecting changes
-```

.github/ISSUE_TEMPLATE.md

@@ -1,16 +1,29 @@
 <!--
-PLEASE READ THIS MESSAGE.
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
-Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
-
-For other type of questions, consider using one of:
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
 
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
 - the Traefik community Slack channel: https://traefik.herokuapp.com
-- StackOverflow: https://stackoverflow.com/questions/tagged/traefik
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+<!--
+If you intend to ask a support question: DO NOT FILE AN ISSUE.
+-->
+
+### What did you do?
+
+<!--
 
 HOW TO WRITE A GOOD ISSUE?
 
-- if it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I. 
+- Respect the issue template as more as possible.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
 - The title must be short and descriptive.
 - Explain the conditions which led you to write this issue: the context.
 - The context should lead to something, an idea or a problem that you’re facing.
@@ -19,14 +32,6 @@ HOW TO WRITE A GOOD ISSUE?
 
 -->
 
-### Do you want to request a *feature* or report a *bug*?
-
-
-
-### What did you do?
-
-
-
 ### What did you expect to see?
 
 
@@ -37,6 +42,12 @@ HOW TO WRITE A GOOD ISSUE?
 
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
+<!--
+For the Traefik Docker image:
+    docker run [IMAGE] version
+    ex: docker run traefik version
+-->
+
 ```
 (paste your output here)
 ```

.github/cpr.sh

@@ -1,26 +0,0 @@
-#!/bin/sh
-#
-# git config --global alias.cpr '!sh .github/cpr.sh'
-
-set -e # stop on error
-
-usage="$(basename "$0") pr -- Checkout a Pull Request locally"
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    echo "$usage" >&2
-    exit 1
-fi
-
-command -v jq >/dev/null 2>&1 || { echo "I require jq but it's not installed.  Aborting." >&2; exit 1; }
-
-set -x # echo on
-
-initial=$(git rev-parse --abbrev-ref HEAD)
-pr=$1
-remote=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.repo.owner.login)
-branch=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.ref)
-
-git remote add $remote git@github.com:$remote/traefik.git
-git fetch $remote $branch
-git checkout -t -b "$pr--$branch" $remote/$branch

.github/rmpr.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-#
-# git config --global alias.rmpr '!sh .github/rmpr.sh'
-
-set -e # stop on error
-
-usage="$(basename "$0") pr -- remove a Pull Request local branch & remote"
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    echo "$usage" >&2
-    exit 1
-fi
-
-command -v jq >/dev/null 2>&1 || { echo "I require jq but it's not installed.  Aborting." >&2; exit 1; }
-
-set -x # echo on
-
-initial=$(git rev-parse --abbrev-ref HEAD)
-pr=$1
-remote=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.repo.owner.login)
-branch=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.ref)
-
-# clean
-git checkout $initial
-git branch -D "$pr--$branch"
-git remote remove $remote

.github/rpr.sh

@@ -1,36 +0,0 @@
-#!/bin/sh
-#
-# git config --global alias.rpr '!sh .github/rpr.sh'
-
-set -e # stop on error
-
-usage="$(basename "$0") pr remote/branch -- rebase a Pull Request against a remote branch"
-
-if [ "$#" -ne 2 ]; then
-    echo "Illegal number of parameters"
-    echo "$usage" >&2
-    exit 1
-fi
-
-command -v jq >/dev/null 2>&1 || { echo "I require jq but it's not installed.  Aborting." >&2; exit 1; }
-
-set -x # echo on
-
-initial=$(git rev-parse --abbrev-ref HEAD)
-pr=$1
-base=$2
-remote=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.repo.owner.login)
-branch=$(curl -s https://api.github.com/repos/containous/traefik/pulls/$pr | jq -r .head.ref)
-
-clean ()
-{
-    git checkout $initial
-    .github/rmpr.sh $pr
-}
-
-trap clean EXIT
-
-.github/cpr.sh $pr
-
-git rebase $base
-git push --force-with-lease $remote "$pr--$branch"

.gitignore

@@ -11,3 +11,4 @@
 *.log
 *.exe
 .DS_Store
+/example/acme/acme.json

.semaphoreci/setup.sh

@@ -2,7 +2,7 @@
 set -e
 
 sudo -E apt-get -yq update
-sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-engine=${DOCKER_VERSION}*
+sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*
 docker version
 
 pip install --user -r requirements.txt

.semaphoreci/vars

@@ -1,12 +1,8 @@
 #!/usr/bin/env bash
 set -e
 
-export secure='btt4r13t09gQlHb6gYrvGC2yGCMMHfnp1Mz1RQedc4Mpf/FfT8aE6xmK2a2i9CCvskjrP0t/BFaS4yxIURjnFRn+ugQIEa0pLspB9UJArW/vgOSpIWM9/OQ/fg8z5XuMxN6Md4DL1/iLypMNSageA1x0TRdt89+D1N1dALpg5XRCXLFbC84TLi0gjlFuib9ibPKzEhLT+anCRJ6iZMzeupDSoaCVbAtJMoDvXw4+4AcRZ1+k4MybBLyCib5boaEOt4pTT88mz4Kk0YaMwPVJyg9Qv36VqyUcPS09Yd95LuyVQ4+tZt8Y1ccbIzULsK+sLM3hLCzxlmlpN3dQBlZJiiRtQde0mgGAKyC0P0A1XjuDTywcsa5edB+fTk1Dsewz9xZ9V0NmMz8t+UNZnaSsAPga9i86jULbXUUwMVSzVRc+Xgx02liB/8qI1xYC9FM6ilStt7rn7mF0k3KbiWhcptgeXjO6Lah9FjEKd5w4MXsdUSTi/86rQaLo+kj+XdaTrXCTulKHyRyQEUj+8V1w0oVz7pcGjePHd7y5oU9ByifVQy6sytuFBfRZvugM5bKHo+i0pcWvixrZS42DrzwxZJsspANOvqSe5ifVbvOkfUppQdCBIwptxV5N1b49XPKU3W/w34QJ8xGmKp3TFA7WwVCztriFHjPgiRpB3EG99Bg='
-
 export REPO='containous/traefik'
 
-export DOCKER_VERSION=1.12.6
-
 if VERSION=$(git describe --exact-match --abbrev=0 --tags);
 then
   export VERSION
@@ -14,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=raclette
+export CODENAME=roquefort
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -6,12 +6,10 @@ services:
 
 env:
   global:
-    - secure: btt4r13t09gQlHb6gYrvGC2yGCMMHfnp1Mz1RQedc4Mpf/FfT8aE6xmK2a2i9CCvskjrP0t/BFaS4yxIURjnFRn+ugQIEa0pLspB9UJArW/vgOSpIWM9/OQ/fg8z5XuMxN6Md4DL1/iLypMNSageA1x0TRdt89+D1N1dALpg5XRCXLFbC84TLi0gjlFuib9ibPKzEhLT+anCRJ6iZMzeupDSoaCVbAtJMoDvXw4+4AcRZ1+k4MybBLyCib5boaEOt4pTT88mz4Kk0YaMwPVJyg9Qv36VqyUcPS09Yd95LuyVQ4+tZt8Y1ccbIzULsK+sLM3hLCzxlmlpN3dQBlZJiiRtQde0mgGAKyC0P0A1XjuDTywcsa5edB+fTk1Dsewz9xZ9V0NmMz8t+UNZnaSsAPga9i86jULbXUUwMVSzVRc+Xgx02liB/8qI1xYC9FM6ilStt7rn7mF0k3KbiWhcptgeXjO6Lah9FjEKd5w4MXsdUSTi/86rQaLo+kj+XdaTrXCTulKHyRyQEUj+8V1w0oVz7pcGjePHd7y5oU9ByifVQy6sytuFBfRZvugM5bKHo+i0pcWvixrZS42DrzwxZJsspANOvqSe5ifVbvOkfUppQdCBIwptxV5N1b49XPKU3W/w34QJ8xGmKp3TFA7WwVCztriFHjPgiRpB3EG99Bg=
     - REPO: $TRAVIS_REPO_SLUG
     - VERSION: $TRAVIS_TAG
-    - CODENAME: raclette
+    - CODENAME: roquefort
     - N_MAKE_JOBS: 2
-    - DOCKER_VERSION: 1.12.6
 
 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
@@ -21,11 +19,11 @@ before_deploy:
     if ! [ "$BEFORE_DEPLOY_RUN" ]; then
       export BEFORE_DEPLOY_RUN=1;
       sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-engine=${DOCKER_VERSION}*;
+      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
       docker version;
       pip install --user -r requirements.txt;
       make -j${N_MAKE_JOBS} crossbinary-parallel;
-      make image;
+      make image-dirty;
       mkdocs build --clean;
       tar cfz dist/traefik-${VERSION}.src.tar.gz --exclude-vcs --exclude dist .;
     fi

CHANGELOG.md

@@ -1,5 +1,205 @@
 # Change Log
 
+## [v1.4.0-rc1](https://github.com/containous/traefik/tree/v1.4.0-rc1) (2017-08-28)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.0-rc1...v1.4.0-rc1)
+
+**Enhancements:**
+- **[acme]** Make the ACME developments testing easier ([#1769](https://github.com/containous/traefik/pull/1769) by [nmengin](https://github.com/nmengin))
+- **[acme]** contrib: Dump keys/certs from acme.json to files ([#1484](https://github.com/containous/traefik/pull/1484) by [brianredbeard](https://github.com/brianredbeard))
+- **[api]** Add HTTP HEAD handling to /ping endpoint ([#1768](https://github.com/containous/traefik/pull/1768) by [martinbaillie](https://github.com/martinbaillie))
+- **[authentication,marathon]** Add marathon label to configure basic auth ([#1799](https://github.com/containous/traefik/pull/1799) by [nikore](https://github.com/nikore))
+- **[authentication,middleware]** Add forward authentication option ([#1972](https://github.com/containous/traefik/pull/1972) by [drampelt](https://github.com/drampelt))
+- **[consul,sticky-session]** Enable loadbalancer.sticky for Consul Catalog ([#1917](https://github.com/containous/traefik/pull/1917) by [nbonneval](https://github.com/nbonneval))
+- **[consul]** Enhanced flexibility in Consul Catalog configuration ([#1565](https://github.com/containous/traefik/pull/1565) by [aantono](https://github.com/aantono))
+- **[consul]** Exposed by default feature in Consul Catalog ([#2006](https://github.com/containous/traefik/pull/2006) by [mmatur](https://github.com/mmatur))
+- **[consul]** Speeding up consul catalog health change detection ([#1694](https://github.com/containous/traefik/pull/1694) by [vholovko](https://github.com/vholovko))
+- **[docker,k8s]** IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) ([#1332](https://github.com/containous/traefik/pull/1332) by [MaZderMind](https://github.com/MaZderMind))
+- **[ecs,sticky-session]** Enable loadbalancer.sticky for ECS ([#1925](https://github.com/containous/traefik/pull/1925) by [mmatur](https://github.com/mmatur))
+- **[ecs]** Add support for several ECS backends ([#1913](https://github.com/containous/traefik/pull/1913) by [mmatur](https://github.com/mmatur))
+- **[healthcheck]** Add healthcheck command ([#1982](https://github.com/containous/traefik/pull/1982) by [emilevauge](https://github.com/emilevauge))
+- **[healthcheck]** Allow overriding the port used for healthchecks ([#1567](https://github.com/containous/traefik/pull/1567) by [bakins](https://github.com/bakins))
+- **[k8s,rules]** kubernetes ingress rewrite-target implementation ([#1723](https://github.com/containous/traefik/pull/1723) by [mlaccetti](https://github.com/mlaccetti))
+- **[k8s]** Added ability to override frontend priority for k8s ingress router ([#1874](https://github.com/containous/traefik/pull/1874) by [DiverOfDark](https://github.com/DiverOfDark))
+- **[kv]** Adds definitions to backend kv template for health checking ([#1644](https://github.com/containous/traefik/pull/1644) by [zachomedia](https://github.com/zachomedia))
+- **[logs,dynamodb,ecs,marathon]** Link some providers logs to Traefik ([#1746](https://github.com/containous/traefik/pull/1746) by [ldez](https://github.com/ldez))
+- **[logs,marathon]** remove confusing go-marathon log message ([#1810](https://github.com/containous/traefik/pull/1810) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** enable logging to stdout for access logs ([#1683](https://github.com/containous/traefik/pull/1683) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** Logs & errors review ([#1673](https://github.com/containous/traefik/pull/1673) by [ldez](https://github.com/ldez))
+- **[logs]** log X-Forwarded-For as ClientHost if present ([#1946](https://github.com/containous/traefik/pull/1946) by [mildis](https://github.com/mildis))
+- **[logs]** Switch access logging to logrus ([#1647](https://github.com/containous/traefik/pull/1647) by [rjshep](https://github.com/rjshep))
+- **[logs]** add RetryAttempts to AccessLog in JSON format ([#1793](https://github.com/containous/traefik/pull/1793) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** Restore: First stage of access logging middleware. ([#1571](https://github.com/containous/traefik/pull/1571) by [ldez](https://github.com/ldez))
+- **[logs]** Add log file close and reopen on receipt of SIGUSR1 ([#1761](https://github.com/containous/traefik/pull/1761) by [rjshep](https://github.com/rjshep))
+- **[logs]** Add JSON as access logging format ([#1669](https://github.com/containous/traefik/pull/1669) by [rjshep](https://github.com/rjshep))
+- **[marathon]** Add support for readiness checks. ([#1883](https://github.com/containous/traefik/pull/1883) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Exported getSubDomain function from Marathon provider ([#1693](https://github.com/containous/traefik/pull/1693) by [aantono](https://github.com/aantono))
+- **[marathon]** Improve Marathon integration tests. ([#1406](https://github.com/containous/traefik/pull/1406) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Use single API call to fetch Marathon resources. ([#1815](https://github.com/containous/traefik/pull/1815) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Move marathon mock ([#1732](https://github.com/containous/traefik/pull/1732) by [ldez](https://github.com/ldez))
+- **[marathon]** Support multi-port service routing for containers running on Marathon ([#1742](https://github.com/containous/traefik/pull/1742) by [aantono](https://github.com/aantono))
+- **[marathon]** Use test builder. ([#1871](https://github.com/containous/traefik/pull/1871) by [timoreimann](https://github.com/timoreimann))
+- **[metrics]** DataDog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
+- **[metrics]** Add status code to request duration metric ([#1755](https://github.com/containous/traefik/pull/1755) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** Add metrics for backend_retries_total ([#1504](https://github.com/containous/traefik/pull/1504) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** Extract metrics to own package and refactor implementations ([#1968](https://github.com/containous/traefik/pull/1968) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** Added RetryMetrics to DataDog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
+- **[middleware]** Return 503 on empty backend ([#1748](https://github.com/containous/traefik/pull/1748) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Add configurable timeouts and curate default timeout settings ([#1873](https://github.com/containous/traefik/pull/1873) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Custom Error Pages ([#1675](https://github.com/containous/traefik/pull/1675) by [bparli](https://github.com/bparli))
+- **[middleware]** Retry only on real network errors ([#1549](https://github.com/containous/traefik/pull/1549) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Fix command bug content. ([#2002](https://github.com/containous/traefik/pull/2002) by [ldez](https://github.com/ldez))
+- **[middleware]** Create Header Middleware ([#1236](https://github.com/containous/traefik/pull/1236) by [dtomcej](https://github.com/dtomcej))
+- **[oxy]** Support X-Forwarded-Port. ([#1960](https://github.com/containous/traefik/pull/1960) by [ldez](https://github.com/ldez))
+- **[provider,tls]** Added a check to ensure clientTLS configuration contains either a cert or a key ([#1932](https://github.com/containous/traefik/pull/1932) by [aantono](https://github.com/aantono))
+- **[provider]** Factorize labels ([#1843](https://github.com/containous/traefik/pull/1843) by [ldez](https://github.com/ldez))
+- **[provider]** Replace go routine by Safe.Go ([#1879](https://github.com/containous/traefik/pull/1879) by [ldez](https://github.com/ldez))
+- **[provider]** Deflake integration tests ([#1599](https://github.com/containous/traefik/pull/1599) by [ldez](https://github.com/ldez))
+- **[rancher]** Refactor into dual Rancher API/Metadata providers ([#1563](https://github.com/containous/traefik/pull/1563) by [martinbaillie](https://github.com/martinbaillie))
+- **[rules]** Simplify stripPrefix and stripPrefixRegex tests ([#1699](https://github.com/containous/traefik/pull/1699) by [ldez](https://github.com/ldez))
+- **[rules]** Add support for Query String filtering ([#1934](https://github.com/containous/traefik/pull/1934) by [driverpt](https://github.com/driverpt))
+- **[rules]** Enhance rules tests. ([#1679](https://github.com/containous/traefik/pull/1679) by [ldez](https://github.com/ldez))
+- **[sticky-session]** make the cookie name unique to the backend being served ([#1716](https://github.com/containous/traefik/pull/1716) by [richardjq](https://github.com/richardjq))
+- **[tls]** Handle RootCAs certificate ([#1789](https://github.com/containous/traefik/pull/1789) by [Juliens](https://github.com/Juliens))
+- **[tls]** enable TLS client forwarding ([#1446](https://github.com/containous/traefik/pull/1446) by [drewwells](https://github.com/drewwells))
+- **[webui]** Minor Health UI fixes ([#1651](https://github.com/containous/traefik/pull/1651) by [mihaitodor](https://github.com/mihaitodor))
+- **[webui]** Proxy in dev mode ([#1544](https://github.com/containous/traefik/pull/1544) by [maxwo](https://github.com/maxwo))
+- extract lb configuration steps into method ([#1841](https://github.com/containous/traefik/pull/1841) by [marco-jantke](https://github.com/marco-jantke))
+- Allow file provider to load service config from files in a directory. ([#1672](https://github.com/containous/traefik/pull/1672) by [rjshep](https://github.com/rjshep))
+- Add whitelist configuration option for entrypoints ([#1702](https://github.com/containous/traefik/pull/1702) by [christopherobin](https://github.com/christopherobin))
+- Enhance integration tests ([#1842](https://github.com/containous/traefik/pull/1842) by [ldez](https://github.com/ldez))
+- Add helloworld tests with gRPC ([#1845](https://github.com/containous/traefik/pull/1845) by [Juliens](https://github.com/Juliens))
+- Add the sprig functions in the template engine ([#1891](https://github.com/containous/traefik/pull/1891) by [thomasbach76](https://github.com/thomasbach76))
+- Refactor globalConfiguration / WebProvider ([#1938](https://github.com/containous/traefik/pull/1938) by [Juliens](https://github.com/Juliens))
+- Code cleaning. ([#1956](https://github.com/containous/traefik/pull/1956) by [ldez](https://github.com/ldez))
+- Add proxy protocol ([#2004](https://github.com/containous/traefik/pull/2004) by [emilevauge](https://github.com/emilevauge))
+- Bump gorilla/mux version. ([#1954](https://github.com/containous/traefik/pull/1954) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[docker]** Error handling for docker swarm mode ([#1533](https://github.com/containous/traefik/pull/1533) by [tanyadegurechaff](https://github.com/tanyadegurechaff))
+- **[healthcheck]** Bind healthcheck to backend by entryPointName ([#1868](https://github.com/containous/traefik/pull/1868) by [chrigl](https://github.com/chrigl))
+- **[k8s]** Use default frontend priority of zero. ([#1906](https://github.com/containous/traefik/pull/1906) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Assign filtered tasks to apps contained in slice. ([#1881](https://github.com/containous/traefik/pull/1881) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Fix fallback to other nodes for Marathon ([#1740](https://github.com/containous/traefik/pull/1740) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** compress: preserve status code ([#1948](https://github.com/containous/traefik/pull/1948) by [ldez](https://github.com/ldez))
+- **[sticky-session]** Setting the Cookie Path explicitly to root ([#1950](https://github.com/containous/traefik/pull/1950) by [marcopaga](https://github.com/marcopaga))
+
+**Documentation:**
+- **[acme,provider]** Re-organize documentation ([#2012](https://github.com/containous/traefik/pull/2012) by [jmaitrehenry](https://github.com/jmaitrehenry))
+- **[acme]** Add guide for Docker, Traefik & Letsencrypt ([#1923](https://github.com/containous/traefik/pull/1923) by [mvdstam](https://github.com/mvdstam))
+- **[acme]** Update docs for dnsimple env vars. ([#1872](https://github.com/containous/traefik/pull/1872) by [klud1](https://github.com/klud1))
+- **[acme]** Improve Let's Encrypt documentation ([#1885](https://github.com/containous/traefik/pull/1885) by [nmengin](https://github.com/nmengin))
+- **[authentication,k8s]** traefik controller access to secrets ([#1707](https://github.com/containous/traefik/pull/1707) by [spinto](https://github.com/spinto))
+- **[consul,tls]** doc change regarding consul SSL ([#1774](https://github.com/containous/traefik/pull/1774) by [bitsofinfo](https://github.com/bitsofinfo))
+- **[consul]** added consul acl token note ([#1720](https://github.com/containous/traefik/pull/1720) by [bitsofinfo](https://github.com/bitsofinfo))
+- **[docker]** Add more visibility to docker stack deploy label issue ([#1984](https://github.com/containous/traefik/pull/1984) by [jmaitrehenry](https://github.com/jmaitrehenry))
+- **[k8s,marathon]** Mark Marathon and Kubernetes as constraint-supporting. ([#1964](https://github.com/containous/traefik/pull/1964) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** examples/k8s: fix ui ingress port out of sync with deployment ([#1943](https://github.com/containous/traefik/pull/1943) by [borancar](https://github.com/borancar))
+- **[k8s]** Update the documentation to use DaemonSet or Deployment ([#1735](https://github.com/containous/traefik/pull/1735) by [saschagrunert](https://github.com/saschagrunert))
+- **[k8s]** Moved namespace to correct place ([#1911](https://github.com/containous/traefik/pull/1911) by [markround](https://github.com/markround))
+- **[k8s]** Improve documentation. ([#1831](https://github.com/containous/traefik/pull/1831) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Add secrets resource to in-line RBAC spec. ([#1890](https://github.com/containous/traefik/pull/1890) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Fix docs about default namespaces. ([#1961](https://github.com/containous/traefik/pull/1961) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Update usage of `.local` with `.minikube` in k8s docs ([#1551](https://github.com/containous/traefik/pull/1551) by [errm](https://github.com/errm))
+- **[marathon]** Fix documentation glitches. ([#1996](https://github.com/containous/traefik/pull/1996) by [timoreimann](https://github.com/timoreimann))
+- **[provider]** Clarify that provider-enabling argument parameters set all defaults. ([#1830](https://github.com/containous/traefik/pull/1830) by [timoreimann](https://github.com/timoreimann))
+- **[rancher]** Update Rancher documentation. ([#1776](https://github.com/containous/traefik/pull/1776) by [ldez](https://github.com/ldez))
+- **[webui]** Document yarnpkg. ([#1558](https://github.com/containous/traefik/pull/1558) by [Stibbons](https://github.com/Stibbons))
+- Add play-with-docker example ([#1726](https://github.com/containous/traefik/pull/1726) by [marcosnils](https://github.com/marcosnils))
+- Update contributing guide build steps ([#1801](https://github.com/containous/traefik/pull/1801) by [jsturtevant](https://github.com/jsturtevant))
+- Add Nicolas Mengin to maintainers ([#1792](https://github.com/containous/traefik/pull/1792) by [emilevauge](https://github.com/emilevauge))
+- Add Julien Salleyron to maintainers ([#1790](https://github.com/containous/traefik/pull/1790) by [emilevauge](https://github.com/emilevauge))
+- Change to a more flexible PR review process ([#1781](https://github.com/containous/traefik/pull/1781) by [emilevauge](https://github.com/emilevauge))
+- Traefik "bug" command documentation ([#1811](https://github.com/containous/traefik/pull/1811) by [ldez](https://github.com/ldez))
+- Add Marco Jantke to maintainers ([#1980](https://github.com/containous/traefik/pull/1980) by [emilevauge](https://github.com/emilevauge))
+- toml page - replace li by table ([#1995](https://github.com/containous/traefik/pull/1995) by [jmaitrehenry](https://github.com/jmaitrehenry))
+- Update golang version in contributing guide ([#2018](https://github.com/containous/traefik/pull/2018) by [ArikaChen](https://github.com/ArikaChen))
+- Release cycle. ([#1812](https://github.com/containous/traefik/pull/1812) by [ldez](https://github.com/ldez))
+- Remove Russel from maintainers ([#1614](https://github.com/containous/traefik/pull/1614) by [emilevauge](https://github.com/emilevauge))
+- Update CONTRIBUTING.md. ([#1667](https://github.com/containous/traefik/pull/1667) by [timoreimann](https://github.com/timoreimann))
+- drop "slave" wording for "worker" ([#1645](https://github.com/containous/traefik/pull/1645) by [djalal](https://github.com/djalal))
+- Use more inclusive language in README.md {guys => folks} ([#1640](https://github.com/containous/traefik/pull/1640) by [igorwwwwwwwwwwwwwwwwwwww](https://github.com/igorwwwwwwwwwwwwwwwwwwww))
+- Remove Thomas Recloux from maintainers ([#1616](https://github.com/containous/traefik/pull/1616) by [emilevauge](https://github.com/emilevauge))
+- Update documentation for 1.4 release ([#2011](https://github.com/containous/traefik/pull/2011) by [emilevauge](https://github.com/emilevauge))
+- Small toml documentation update ([#1603](https://github.com/containous/traefik/pull/1603) by [antoine-aumjaud](https://github.com/antoine-aumjaud))
+- Add @ldez to maintainers ([#1589](https://github.com/containous/traefik/pull/1589) by [emilevauge](https://github.com/emilevauge))
+- doc: add labels documentation. ([#1582](https://github.com/containous/traefik/pull/1582) by [ldez](https://github.com/ldez))
+- Change Traefik intro video ([#1893](https://github.com/containous/traefik/pull/1893) by [emilevauge](https://github.com/emilevauge))
+- Update GraceTimeOut documentation ([#1875](https://github.com/containous/traefik/pull/1875) by [marco-jantke](https://github.com/marco-jantke))
+
+**Misc:**
+- Merge v1.3.7 ([#2013](https://github.com/containous/traefik/pull/2013) by [ldez](https://github.com/ldez))
+- Merge 1.3.6 ([#1992](https://github.com/containous/traefik/pull/1992) by [ldez](https://github.com/ldez))
+- Merge 1.3.5 ([#1909](https://github.com/containous/traefik/pull/1909) by [ldez](https://github.com/ldez))
+- Merge 1.3.3 ([#1836](https://github.com/containous/traefik/pull/1836) by [ldez](https://github.com/ldez))
+- Merge v1.3.2 to master  ([#1809](https://github.com/containous/traefik/pull/1809) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1797](https://github.com/containous/traefik/pull/1797) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1786](https://github.com/containous/traefik/pull/1786) by [ldez](https://github.com/ldez))
+- Merge v1.3.1 to master ([#1763](https://github.com/containous/traefik/pull/1763) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1753](https://github.com/containous/traefik/pull/1753) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1705](https://github.com/containous/traefik/pull/1705) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master ([#1697](https://github.com/containous/traefik/pull/1697) by [ldez](https://github.com/ldez))
+- Merge v1 3 0 ([#1692](https://github.com/containous/traefik/pull/1692) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master (rc3) ([#1666](https://github.com/containous/traefik/pull/1666) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master  ([#1643](https://github.com/containous/traefik/pull/1643) by [ldez](https://github.com/ldez))
+- Merge v1.3.0-rc2 master ([#1613](https://github.com/containous/traefik/pull/1613) by [emilevauge](https://github.com/emilevauge))
+
+## [v1.3.7](https://github.com/containous/traefik/tree/v1.3.7) (2017-08-25)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.6...v1.3.7)
+
+**Bug fixes:**
+- **[oxy]** Only forward X-Forwarded-Port. ([#2007](https://github.com/containous/traefik/pull/2007) by [ldez](https://github.com/ldez))
+
+## [v1.3.6](https://github.com/containous/traefik/tree/v1.3.6) (2017-08-20)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.5...v1.3.6)
+
+**Bug fixes:**
+- **[oxy,websocket]** Websocket parameters and protocol. ([#1970](https://github.com/containous/traefik/pull/1970) by [ldez](https://github.com/ldez))
+
+## [v1.3.5](https://github.com/containous/traefik/tree/v1.3.5) (2017-08-01)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.4...v1.3.5)
+
+**Bug fixes:**
+- **[websocket]** Oxy with fixes on websocket + integration tests ([#1905](https://github.com/containous/traefik/pull/1905) by [Juliens](https://github.com/Juliens))
+
+## [v1.3.4](https://github.com/containous/traefik/tree/v1.3.4) (2017-07-27)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.3...v1.3.4)
+
+**Bug fixes:**
+- **[middleware]** Double compression. ([#1863](https://github.com/containous/traefik/pull/1863) by [ldez](https://github.com/ldez))
+- **[middleware]** Fix replace path rule ([#1859](https://github.com/containous/traefik/pull/1859) by [dedalusj](https://github.com/dedalusj))
+- **[websocket]** New oxy with gorilla for websocket with integration tests ([#1896](https://github.com/containous/traefik/pull/1896) by [Juliens](https://github.com/Juliens))
+
+## [v1.3.3](https://github.com/containous/traefik/tree/v1.3.3) (2017-07-06)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.2...v1.3.3)
+
+**Bug fixes:**
+- **[k8s]** Undo the Secrets controller sync wait. ([#1828](https://github.com/containous/traefik/pull/1828) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Tell glog to log everything into STDERR. ([#1817](https://github.com/containous/traefik/pull/1817) by [timoreimann](https://github.com/timoreimann))
+
+## [v1.3.2](https://github.com/containous/traefik/tree/v1.3.2) (2017-06-29)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.1...v1.3.2)
+
+**Bug fixes:**
+- **[acme]** Add provided certificate checking before LE certificate generation with OnHostRule option ([#1772](https://github.com/containous/traefik/pull/1772) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix race on closing event channel. ([#1798](https://github.com/containous/traefik/pull/1798) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Upgrade go-marathon to dd6cbd4. ([#1800](https://github.com/containous/traefik/pull/1800) by [timoreimann](https://github.com/timoreimann))
+- **[oxy,websocket]** Problem with keepalive when switching protocol failed ([#1782](https://github.com/containous/traefik/pull/1782) by [ldez](https://github.com/ldez))
+- **[oxy]** Fix proxying of unannounced trailers ([#1805](https://github.com/containous/traefik/pull/1805) by [ldez](https://github.com/ldez))
+
+## [v1.3.1](https://github.com/containous/traefik/tree/v1.3.1) (2017-06-16)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.0...v1.3.1)
+
+**Enhancements:**
+- **[logs,eureka,marathon]** Minor logs changes ([#1749](https://github.com/containous/traefik/pull/1749) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[k8s]** Use correct type when watching for k8s secrets ([#1700](https://github.com/containous/traefik/pull/1700) by [kekoav](https://github.com/kekoav))
+- **[middleware]** fix: Double compression. ([#1714](https://github.com/containous/traefik/pull/1714) by [ldez](https://github.com/ldez))
+- **[webui]** Don't fail when backend or frontend are empty. ([#1757](https://github.com/containous/traefik/pull/1757) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** Fix capitalization of PathPrefixStrip in kubernetes doc ([#1695](https://github.com/containous/traefik/pull/1695) by [Miouge1](https://github.com/Miouge1))
+
 ## [v1.3.0](https://github.com/containous/traefik/tree/v1.3.0) (2017-05-31)
 [All Commits](https://github.com/containous/traefik/compare/v1.2.0-rc1...v1.3.0)
 

CONTRIBUTING.md

@@ -0,0 +1,228 @@
+# Contributing
+
+## Building
+
+You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build traefik. For changes to its dependencies, the `glide` dependency management tool and `glide-vc` plugin are required.
+
+### Method 1: Using `Docker` and `Makefile`
+
+You need to run the `binary` target. This will create binaries for Linux platform in the `dist` folder.
+
+```bash
+$ make binary
+docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
+Sending build context to Docker daemon 295.3 MB
+Step 0 : FROM golang:1.9-alpine
+ ---> 8c6473912976
+Step 1 : RUN go get github.com/Masterminds/glide
+[...]
+docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/emile/dev/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
+---> Making bundle: generate (in .)
+removed 'gen.go'
+
+---> Making bundle: binary (in .)
+
+$ ls dist/
+traefik*
+```
+
+### Method 2: Using `go`
+
+##### Setting up your `go` environment
+
+- You need `go` v1.9+
+- It is recommended you clone Træfik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
+- Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
+
+```bash
+export GOPATH=~/go
+export PATH=$PATH:$GOPATH/bin
+```
+
+> Note: You will want to add those 2 export lines to your `.bashrc` or `.bash_profile`
+
+- Verify your environment is setup properly by running `$ go env`.  Depending on your OS and environment you should see output similar to:
+
+```bash
+GOARCH="amd64"
+GOBIN=""
+GOEXE=""
+GOHOSTARCH="amd64"
+GOHOSTOS="linux"
+GOOS="linux"
+GOPATH="/home/<yourusername>/go"
+GORACE=""
+## more go env's will be listed
+```
+
+##### Build Træfik
+
+Once your environment is set up and the Træfik repository cloned you can build Træfik. You need get `go-bindata` once to be able to use `go generate` command as part of the build.  The steps to build are:
+
+```bash
+cd ~/go/src/github.com/containous/traefik
+
+# Get go-bindata. Please note, the ellipses are required
+go get github.com/jteeuwen/go-bindata/...
+
+# Start build
+go generate
+
+# Standard go build
+go build ./cmd/traefik
+# run other commands like tests
+```
+
+You will find the Træfik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`.
+
+### Setting up `glide` and `glide-vc` for dependency management
+
+- Glide is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
+- Glide can be installed either via homebrew: `$ brew install glide` or via the official glide script: `$ curl https://glide.sh/get | sh`
+- The glide plugin `glide-vc` must be installed from source: `go get github.com/sgotti/glide-vc`
+
+If you want to add a dependency, use `$ glide get` to have glide put it into the vendor folder and update the glide manifest/lock files (`glide.yaml` and `glide.lock`, respectively). A following `glide-vc` run should be triggered to trim down the size of the vendor folder. The final result must be committed into VCS.
+
+Care must be taken to choose the right arguments to `glide` when dealing with dependencies, or otherwise risk ending up with a broken build. For that reason, the helper script `script/glide.sh` encapsulates the gory details and conveniently calls `glide-vc` as well. Call it without parameters for basic usage instructions.
+
+Here's a full example using glide to add a new dependency:
+
+```bash
+# install the new main dependency github.com/foo/bar and minimize vendor size
+$ ./script/glide.sh get github.com/foo/bar
+# generate (Only required to integrate other components such as web dashboard)
+$ go generate
+# Standard go build
+$ go build ./cmd/traefik
+# run other commands like tests
+```
+
+### Tests
+
+#### Method 1: `Docker` and `make`
+
+You can run unit tests using the `test-unit` target and the
+integration test using the `test-integration` target.
+
+```bash
+$ make test-unit
+docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
+# […]
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/vincent/src/github/vdemeester/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+---> Making bundle: generate (in .)
+removed 'gen.go'
+
+---> Making bundle: test-unit (in .)
++ go test -cover -coverprofile=cover.out .
+ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+
+Test success
+```
+
+For development purposes, you can specify which tests to run by using:
+```bash
+# Run every tests in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite" make test-integration
+
+# Run the test "MyTest" in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
+
+# Run every tests starting with "My", in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.My" make test-integration
+
+# Run every tests ending with "Test", in the MyTest suite
+TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
+```
+
+More: https://labix.org/gocheck
+
+#### Method 2: `go`
+
+- Tests can be run from the cloned directory, by `$ go test ./...` which should return `ok` similar to:
+```
+ok      _/home/vincent/src/github/vdemeester/traefik    0.004s
+```
+
+## Documentation
+
+The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
+
+First make sure you have python and pip installed
+
+```shell
+$ python --version
+Python 2.7.2
+$ pip --version
+pip 1.5.2
+```
+
+Then install mkdocs with pip
+
+```shell
+$ pip install mkdocs
+```
+
+To test documentation locally run `mkdocs serve` in the root directory, this should start a server locally to preview your changes.
+
+```shell
+$ mkdocs serve
+INFO    -  Building documentation...
+WARNING -  Config value: 'theme'. Warning: The theme 'united' will be removed in an upcoming MkDocs release. See http://www.mkdocs.org/about/release-notes/ for more details
+INFO    -  Cleaning site directory
+[I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
+[I 160505 22:31:24 handlers:59] Start watching changes
+[I 160505 22:31:24 handlers:61] Start detecting changes
+```
+
+
+## How to Write a Good Issue
+
+Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
+
+For end-user related support questions, refer to one of the following:
+- the Traefik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+- [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+
+### Title
+
+The title must be short and descriptive. (~60 characters)
+
+### Description
+
+- Respect the issue template as much as possible. [template](.github/ISSUE_TEMPLATE.md)
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+
+
+## How to Write a Good Pull Request
+
+### Title
+
+The title must be short and descriptive. (~60 characters)
+
+### Description
+
+- Respect the pull request template as much as possible. [template](.github/PULL_REQUEST_TEMPLATE.md)
+- Explain the conditions which led you to write this PR: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+
+### Content
+
+- Make it small.
+- Do only one thing.
+- Write useful descriptions and titles.
+- Avoid re-formatting.
+- Make sure the code builds.
+- Make sure all tests pass.
+- Add tests.
+- Address review comments in terms of additional commits.
+- Do not amend/squash existing ones unless the PR is trivial.
+- If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
+
+
+Read [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).

MAINTAINER.md

@@ -0,0 +1,144 @@
+# Maintainers
+
+## The team
+
+* Emile Vauge [@emilevauge](https://github.com/emilevauge)
+* Vincent Demeester [@vdemeester](https://github.com/vdemeester)
+* Ed Robinson [@errm](https://github.com/errm)
+* Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
+* Manuel Zapf [@SantoDE](https://github.com/SantoDE)
+* Timo Reimann [@timoreimann](https://github.com/timoreimann)
+* Ludovic Fernandez [@ldez](https://github.com/ldez)
+* Julien Salleyron [@juliens](https://github.com/juliens)
+* Nicolas Mengin [@nmengin](https://github.com/nmengin)
+* Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+
+
+## PR review process:
+
+* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
+* From `1` to `2`: 1 design LGTM in comment, by a senior maintainer, if needed.
+* From `2` to `3`: 3 LGTM by any maintainer.
+* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
+
+We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
+
+
+## Bots
+
+### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
+
+**Update and Merge Pull Request**
+
+The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
+
+By default, a squash-rebase merge will be carried out.
+If you want to preserve commits you must add `bot/merge-method-rebase` before `status/3-needs-merge`.
+
+The status `status/4-merge-in-progress` is only for the bot.
+
+If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
+In this case you must solve conflicts/CI/... and after you only need to remove `bot/need-human-merge`.
+
+
+### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
+
+* closes stale issues [cron]
+    * use some criterion as number of days between creation, last update, labels, ...
+
+
+### [Myrmica Aloba](https://github.com/containous/aloba)
+
+**Manage GitHub labels**
+
+* Add labels on new PR [GitHub WebHook]
+* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
+* Weekly report of PR status on Slack (CaptainPR) [cron]
+
+
+## Labels
+
+If we open/look an issue/PR, we must add a `kind/*` and an `area/*`.
+
+### Contributor
+
+* `contributor/need-more-information`: we need more information from the contributor in order to analyze a problem.
+* `contributor/waiting-for-feedback`: we need the contributor to give us feedback.
+* `contributor/waiting-for-corrections`: we need the contributor to take actions in order to move forward with a PR. **(only for PR)**
+* `contributor/needs-resolve-conflicts`: use it only when there is some conflicts (and an automatic rebase is not possible). **(only for PR)** _[bot, humans]_
+
+### Kind
+
+* `kind/enhancement`: a new or improved feature.
+* `kind/question`: It's a question. **(only for issue)**
+* `kind/proposal`: proposal PR/issues need a public debate.
+  * _Proposal issues_ are design proposal that need to be refined with multiple contributors.
+  * _Proposal PRs_ are technical prototypes that need to be refined with multiple contributors.
+
+* `kind/bug/possible`: if we need to analyze to understand if it's a bug or not. **(only for issues)** _[bot only]_
+* `kind/bug/confirmed`: we are sure, it's a bug. **(only for issues)**
+* `kind/bug/fix`: it's a bug fix. **(only for PR)**
+
+### Resolution
+
+* `resolution/duplicate`: it's a duplicate issue/PR.
+* `resolution/declined`: Rule #1 of open-source: no is temporary, yes is forever.
+* `WIP`: Work In Progress. **(only for PR)**
+
+### Platform
+
+* `platform/windows`: Windows related.
+
+### Area
+
+* `area/acme`: ACME related.
+* `area/api`: Traefik API related.
+* `area/authentication`: Authentication related.
+* `area/cluster`: Traefik clustering related.
+* `area/documentation`: regards improving/adding documentation.
+* `area/infrastructure`: related to CI or Traefik building scripts.
+* `area/healthcheck`: Health-check related.
+* `area/logs`: Traefik logs related.
+* `area/middleware`: Middleware related.
+* `area/middleware/metrics`: Metrics related. (Prometheus, StatsD, ...)
+* `area/oxy`: Oxy related.
+* `area/provider`: related to all providers.
+* `area/provider/boltdb`: Boltd DB related.
+* `area/provider/consul`: Consul related.
+* `area/provider/docker`: Docker and Swarm related.
+* `area/provider/ecs`: ECS related.
+* `area/provider/etcd`: Etcd related.
+* `area/provider/eureka`: Eureka related.
+* `area/provider/file`: file provider related.
+* `area/provider/k8s`: Kubernetes related.
+* `area/provider/marathon`: Marathon related.
+* `area/provider/mesos`: Mesos related.
+* `area/provider/rancher`: Rancher related.
+* `area/provider/zk`: Zoo Keeper related.
+* `area/sticky-session`: Sticky session related.
+* `area/tls`: TLS related.
+* `area/websocket`: WebSocket related.
+* `area/webui`: Web UI related.
+
+### Priority
+
+* `priority/P0`: needs hot fix. **(only for issue)**
+* `priority/P1`: need to be fixed in next release. **(only for issue)**
+* `priority/P2`: need to be fixed in the future. **(only for issue)**
+* `priority/P3`: maybe. **(only for issue)**
+
+### PR size
+
+* `size/S`: small PR. **(only for PR)** _[bot only]_
+* `size/M`: medium PR. **(only for PR)** _[bot only]_
+* `size/L`: Large PR. **(only for PR)** _[bot only]_
+
+### Status - Workflow
+
+The `status/*` labels represent the desired state in the workflow.
+
+* `status/0-needs-triage`: all new issue or PR have this status. _[bot only]_
+* `status/1-needs-design-review`: need a design review. **(only for PR)**
+* `status/2-needs-review`: need a code/documentation review. **(only for PR)**
+* `status/3-needs-merge`: ready to merge. **(only for PR)**
+* `status/4-merge-in-progress`: merge in progress. _[bot only]_

Makefile

@@ -7,15 +7,17 @@ TRAEFIK_ENVS := \
 	-e VERBOSE \
 	-e VERSION \
 	-e CODENAME \
-	-e TESTDIRS
+	-e TESTDIRS \
+	-e CI \
+	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
 
-SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/' | grep -v '^integration/vendor/')
+SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
 
 BIND_DIR := "dist"
 TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
 
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
+TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -v "/var/run/docker.sock:/var/run/docker.sock")
@@ -81,9 +83,15 @@ build-no-cache: dist
 shell: build ## start a shell inside the build env
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
 
-image: binary ## build a docker traefik image
+image-dirty: binary ## build a docker traefik image
 	docker build -t $(TRAEFIK_IMAGE) .
 
+image: clear-static binary ## clean up static directory and build a docker traefik image
+	docker build -t $(TRAEFIK_IMAGE) .
+
+clear-static:
+	rm -rf static
+
 dist:
 	mkdir dist
 

README.md

@@ -3,7 +3,7 @@
 <img src="docs/img/traefik.logo.png" alt="Træfik" title="Træfik" />
 </p>
 
-[![Build Status](https://travis-ci.org/containous/traefik.svg?branch=master)](https://travis-ci.org/containous/traefik)
+[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
 [![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
@@ -13,7 +13,26 @@
 
 
 Træfik (pronounced like [traffic](https://speak-ipa.bearbin.net/speak.cgi?speak=%CB%88tr%C3%A6f%C9%AAk)) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker](https://www.docker.com/), [Swarm](https://docs.docker.com/swarm), [Kubernetes](http://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Mesos](https://github.com/apache/mesos), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), [Eureka](https://github.com/Netflix/eureka), [Amazon DynamoDB](https://aws.amazon.com/dynamodb/), Rest API, file...) to manage its configuration automatically and dynamically.
+It supports several backends ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), and a lot more) to manage its configuration automatically and dynamically.
+
+---
+
+| **[Overview](#overview)** |
+**[Features](#features)** |
+**[Supported backends](#supported-backends)** |
+**[Quickstart](#quickstart)** |
+**[Web UI](#web-ui)** |
+**[Test it](#test-it)** |
+**[Documentation](#documentation)** |
+**[Support](#support)** |
+**[Release cycle](#release-cycle)** |
+
+| **[Contributing](#contributing)** |
+**[Maintainers](#maintainers)** |
+**[Plumbing](#plumbing)** |
+**[Credits](#credits)** |
+
+---
 
 ## Overview
 
@@ -38,43 +57,50 @@ Routes to your services will be created instantly.
 Run it and forget it!
 
 
-
-
 ## Features
 
-- [It's fast](http://docs.traefik.io/benchmarks)
+- [It's fast](https://docs.traefik.io/benchmarks)
 - No dependency hell, single binary made with go
+- [Tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) official docker image
 - Rest API
-- Multiple backends supported: Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, and more to come
-- Watchers for backends, can listen for changes in backends to apply a new configuration automatically
 - Hot-reloading of configuration. No need to restart the process
-- Graceful shutdown http connections
-- Circuit breakers on backends
+- Circuit breakers, retry
 - Round Robin, rebalancer load-balancers
-- Rest Metrics
-- [Tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image included
-- SSL backends support
-- SSL frontend support (with SNI)
+- Metrics (Rest, Prometheus, Datadog, Statd)
 - Clean AngularJS Web UI
-- Websocket support
-- HTTP/2 support
-- Retry request if network error
+- Websocket, HTTP/2, GRPC ready
+- Access Logs (JSON, CLF)
 - [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS with renewal)
-- High Availability with cluster mode
+- [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support
+- High Availability with cluster mode (beta)
+
+## Supported backends
+
+- [Docker](https://www.docker.com/) / [Swarm mode](https://docs.docker.com/engine/swarm/)
+- [Kubernetes](https://kubernetes.io)
+- [Mesos](https://github.com/apache/mesos) / [Marathon](https://mesosphere.github.io/marathon/)
+- [Rancher](https://rancher.com) (API, Metadata)
+- [Consul](https://www.consul.io/) / [Etcd](https://coreos.com/etcd/) / [Zookeeper](https://zookeeper.apache.org) / [BoltDB](https://github.com/boltdb/bolt)
+- [Eureka](https://github.com/Netflix/eureka)
+- [Amazon ECS](https://aws.amazon.com/ecs)
+- [Amazon DynamoDB](https://aws.amazon.com/dynamodb)
+- File
+- Rest API
 
 ## Quickstart
 
-You can have a quick look at Træfik in this [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers.
+You can have a quick look at Træfik in this [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. If you are looking for a more comprehensive and real use-case example, you can also check [Play-With-Docker](http://training.play-with-docker.com/traefik-load-balancing/) to see how to load balance between multiple nodes.
 
-Here is a talk given by [Ed Robinson](https://github.com/errm) at the [ContainerCamp UK](https://container.camp) conference.
+Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at [GopherCon 2017](https://gophercon.com/).
+You will learn Træfik basics in less than 10 minutes.
+
+[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
+
+Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
 You will learn fundamental Træfik features and see some demos with Kubernetes.
 
-[![Traefik ContainerCamp UK](http://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
+[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
 
-Here is a talk (in French) given by [Emile Vauge](https://github.com/emilevauge) at the [Devoxx France 2016](http://www.devoxx.fr) conference. 
-You will learn fundamental Træfik features and see some demos with Docker, Mesos/Marathon and Let's Encrypt. 
-
-[![Traefik Devoxx France](http://img.youtube.com/vi/QvAz9mVx5TI/0.jpg)](http://www.youtube.com/watch?v=QvAz9mVx5TI)
 
 ## Web UI
 
@@ -83,12 +109,6 @@ You can access the simple HTML frontend of Træfik.
 ![Web UI Providers](docs/img/web.frontend.png)
 ![Web UI Health](docs/img/traefik-health.png)
 
-## Plumbing
-
-- [Oxy](https://github.com/vulcand/oxy): an awesome proxy library made by Mailgun guys
-- [Gorilla mux](https://github.com/gorilla/mux): famous request router
-- [Negroni](https://github.com/codegangsta/negroni): web middlewares made simple
-- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
 
 ## Test it
 
@@ -98,7 +118,7 @@ You can access the simple HTML frontend of Træfik.
 ./traefik --configFile=traefik.toml
 ```
 
-- Use the tiny Docker image:
+- Use the tiny Docker image and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -110,33 +130,60 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 git clone https://github.com/containous/traefik
 ```
 
+
 ## Documentation
 
-You can find the complete documentation [here](https://docs.traefik.io).
+You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
+A collection of contributions around Træfik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
-## Contributing
-
-Please refer to [this section](.github/CONTRIBUTING.md).
-
-## Code Of Conduct
-
-Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
 
 ## Support
 
-You can join [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com) to get basic support.
+To get basic support, you can:
+- join the Træfik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+
 If you prefer commercial support, please contact [containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
 
+
+## Release cycle
+
+- Release: We try to release a new version every 2 months
+  - i.e.: 1.3.0, 1.4.0, 1.5.0
+- Release candidate: we do RC (1.**x**.0-rc**y**) before the final release (1.**x**.0)
+  - i.e.: 1.1.0-rc1 -> 1.1.0-rc2 -> 1.1.0-rc3 -> 1.1.0-rc4 -> 1.1.0
+- Bug-fixes: For each version we release bug fixes
+  - i.e.: 1.1.1, 1.1.2, 1.1.3
+  - those versions contain only bug-fixes
+  - no additional features are delivered in those versions
+- Each version is supported until the next one is released
+  - i.e.: 1.1.x will be supported until 1.2.0 is out
+- We use [Semantic Versioning](http://semver.org/)
+
+
+## Contributing
+
+Please refer to [contributing documentation](CONTRIBUTING.md).
+
+
+### Code of Conduct
+
+Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
+By participating in this project you agree to abide by its terms.
+
+
 ## Maintainers
 
-- Emile Vauge [@emilevauge](https://github.com/emilevauge)
-- Vincent Demeester [@vdemeester](https://github.com/vdemeester)
-- Russell Clare [@Russell-IO](https://github.com/Russell-IO)
-- Ed Robinson [@errm](https://github.com/errm)
-- Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
-- Manuel Laufenberg [@SantoDE](https://github.com/SantoDE)
-- Thomas Recloux [@trecloux](https://github.com/trecloux)
-- Timo Reimann [@timoreimann](https://github.com/timoreimann)
+[Information about process and maintainers](MAINTAINER.md)
+
+
+## Plumbing
+
+- [Oxy](https://github.com/vulcand/oxy): an awesome proxy library made by Mailgun folks
+- [Gorilla mux](https://github.com/gorilla/mux): famous request router
+- [Negroni](https://github.com/urfave/negroni): web middlewares made simple
+- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
+
 
 ## Credits
 

acme/account.go

@@ -6,7 +6,7 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
+	"fmt"
 	"reflect"
 	"sort"
 	"strings"
@@ -33,7 +33,7 @@ type ChallengeCert struct {
 	certificate *tls.Certificate
 }
 
-// Init inits acccount struct
+// Init inits account struct
 func (a *Account) Init() error {
 	err := a.DomainsCertificate.Init()
 	if err != nil {
@@ -178,7 +178,7 @@ func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain D
 			return nil
 		}
 	}
-	return errors.New("Certificate to renew not found for domain " + domain.Main)
+	return fmt.Errorf("Certificate to renew not found for domain %s", domain.Main)
 }
 
 func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain Domain) (*DomainsCertificate, error) {

acme/acme.go

@@ -106,7 +106,7 @@ func (a *ACME) init() error {
 	a.defaultCertificate = cert
 	// TODO: to remove in the futurs
 	if len(a.StorageFile) > 0 && len(a.Storage) == 0 {
-		log.Warnf("ACME.StorageFile is deprecated, use ACME.Storage instead")
+		log.Warn("ACME.StorageFile is deprecated, use ACME.Storage instead")
 		a.Storage = a.StorageFile
 	}
 	a.jobs = channels.NewInfiniteChannel()
@@ -155,8 +155,8 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 
 	ticker := time.NewTicker(24 * time.Hour)
 	leadership.Pool.AddGoCtx(func(ctx context.Context) {
-		log.Infof("Starting ACME renew job...")
-		defer log.Infof("Stopped ACME renew job...")
+		log.Info("Starting ACME renew job...")
+		defer log.Info("Stopped ACME renew job...")
 		for {
 			select {
 			case <-ctx.Done():
@@ -169,7 +169,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 
 	leadership.AddListener(func(elected bool) error {
 		if elected {
-			object, err := a.store.Load()
+			_, err := a.store.Load()
 			if err != nil {
 				return err
 			}
@@ -196,7 +196,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 			}
 			if needRegister {
 				// New users will need to register; be sure to save it
-				log.Debugf("Register...")
+				log.Debug("Register...")
 				reg, err := a.client.Register()
 				if err != nil {
 					return err
@@ -205,7 +205,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 			}
 			// The client has a URL to the current Let's Encrypt Subscriber
 			// Agreement. The user will need to agree to it.
-			log.Debugf("AgreeToTOS...")
+			log.Debug("AgreeToTOS...")
 			err = a.client.AgreeToTOS()
 			if err != nil {
 				// Let's Encrypt Subscriber Agreement renew ?
@@ -254,7 +254,7 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 	var account *Account
 
 	if fileInfo, fileErr := os.Stat(a.Storage); fileErr == nil && fileInfo.Size() != 0 {
-		log.Infof("Loading ACME Account...")
+		log.Info("Loading ACME Account...")
 		// load account
 		object, err := localStore.Load()
 		if err != nil {
@@ -262,7 +262,7 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 		}
 		account = object.(*Account)
 	} else {
-		log.Infof("Generating ACME Account...")
+		log.Info("Generating ACME Account...")
 		account, err = NewAccount(a.Email)
 		if err != nil {
 			return err
@@ -277,7 +277,7 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 
 	if needRegister {
 		// New users will need to register; be sure to save it
-		log.Infof("Register...")
+		log.Info("Register...")
 		reg, err := a.client.Register()
 		if err != nil {
 			return err
@@ -287,7 +287,7 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 
 	// The client has a URL to the current Let's Encrypt Subscriber
 	// Agreement. The user will need to agree to it.
-	log.Debugf("AgreeToTOS...")
+	log.Debug("AgreeToTOS...")
 	err = a.client.AgreeToTOS()
 	if err != nil {
 		// Let's Encrypt Subscriber Agreement renew ?
@@ -320,7 +320,6 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 		for range ticker.C {
 			a.renewCertificates()
 		}
-
 	})
 	return nil
 }
@@ -328,14 +327,11 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	domain := types.CanonicalDomain(clientHello.ServerName)
 	account := a.store.Get().(*Account)
-	//use regex to test for wildcard certs that might have been added into TLSConfig
-	for k := range a.TLSConfig.NameToCertificate {
-		selector := "^" + strings.Replace(k, "*.", "[^\\.]*\\.?", -1) + "$"
-		match, _ := regexp.MatchString(selector, domain)
-		if match {
-			return a.TLSConfig.NameToCertificate[k], nil
-		}
+
+	if providedCertificate := a.getProvidedCertificate([]string{domain}); providedCertificate != nil {
+		return providedCertificate, nil
 	}
+
 	if challengeCert, ok := a.challengeProvider.getCertificate(domain); ok {
 		log.Debugf("ACME got challenge %s", domain)
 		return challengeCert, nil
@@ -356,7 +352,7 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 
 func (a *ACME) retrieveCertificates() {
 	a.jobs.In() <- func() {
-		log.Infof("Retrieving ACME certificates...")
+		log.Info("Retrieving ACME certificates...")
 		for _, domain := range a.Domains {
 			// check if cert isn't already loaded
 			account := a.store.Get().(*Account)
@@ -387,13 +383,13 @@ func (a *ACME) retrieveCertificates() {
 				}
 			}
 		}
-		log.Infof("Retrieved ACME certificates")
+		log.Info("Retrieved ACME certificates")
 	}
 }
 
 func (a *ACME) renewCertificates() {
 	a.jobs.In() <- func() {
-		log.Debugf("Testing certificate renew...")
+		log.Debug("Testing certificate renew...")
 		account := a.store.Get().(*Account)
 		for _, certificateResource := range account.DomainsCertificate.Certs {
 			if certificateResource.needRenew() {
@@ -453,7 +449,7 @@ func dnsOverrideDelay(delay int) error {
 }
 
 func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
-	log.Debugf("Building ACME client...")
+	log.Debug("Building ACME client...")
 	caServer := "https://acme-v01.api.letsencrypt.org/directory"
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
@@ -520,11 +516,23 @@ func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.C
 // LoadCertificateForDomains loads certificates from ACME for given domains
 func (a *ACME) LoadCertificateForDomains(domains []string) {
 	a.jobs.In() <- func() {
-		log.Debugf("LoadCertificateForDomains %s...", domains)
+		log.Debugf("LoadCertificateForDomains %v...", domains)
+
+		if len(domains) == 0 {
+			// no domain
+			return
+		}
+
 		domains = fun.Map(types.CanonicalDomain, domains).([]string)
+
+		// Check provided certificates
+		if a.getProvidedCertificate(domains) != nil {
+			return
+		}
+
 		operation := func() error {
 			if a.client == nil {
-				return fmt.Errorf("ACME client still not built")
+				return errors.New("ACME client still not built")
 			}
 			return nil
 		}
@@ -540,11 +548,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 		}
 		account := a.store.Get().(*Account)
 		var domain Domain
-		if len(domains) == 0 {
-			// no domain
-			return
-
-		} else if len(domains) > 1 {
+		if len(domains) > 1 {
 			domain = Domain{Main: domains[0], SANs: domains[1:]}
 		} else {
 			domain = Domain{Main: domains[0]}
@@ -578,6 +582,29 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 	}
 }
 
+// Get provided certificate which check a domains list (Main and SANs)
+func (a *ACME) getProvidedCertificate(domains []string) *tls.Certificate {
+	// Use regex to test for provided certs that might have been added into TLSConfig
+	providedCertMatch := false
+	log.Debugf("Look for provided certificate to validate %s...", domains)
+	for k := range a.TLSConfig.NameToCertificate {
+		selector := "^" + strings.Replace(k, "*.", "[^\\.]*\\.?", -1) + "$"
+		for _, domainToCheck := range domains {
+			providedCertMatch, _ = regexp.MatchString(selector, domainToCheck)
+			if !providedCertMatch {
+				break
+			}
+		}
+		if providedCertMatch {
+			log.Debugf("Got provided certificate for domains %s", domains)
+			return a.TLSConfig.NameToCertificate[k]
+
+		}
+	}
+	log.Debugf("No provided certificate found for domains %s, get ACME certificate.", domains)
+	return nil
+}
+
 func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 	domains = fun.Map(types.CanonicalDomain, domains).([]string)
 	log.Debugf("Loading ACME certificates %s...", domains)

acme/acme_test.go

@@ -1,6 +1,7 @@
 package acme
 
 import (
+	"crypto/tls"
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
@@ -9,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/xenolf/lego/acme"
 )
 
@@ -222,14 +224,14 @@ func TestNoPreCheckOverride(t *testing.T) {
 		t.Errorf("Error in dnsOverrideDelay :%v", err)
 	}
 	if acme.PreCheckDNS != nil {
-		t.Errorf("Unexpected change to acme.PreCheckDNS when leaving DNS verification as is.")
+		t.Error("Unexpected change to acme.PreCheckDNS when leaving DNS verification as is.")
 	}
 }
 
 func TestSillyPreCheckOverride(t *testing.T) {
 	err := dnsOverrideDelay(-5)
 	if err == nil {
-		t.Errorf("Missing expected error in dnsOverrideDelay!")
+		t.Error("Missing expected error in dnsOverrideDelay!")
 	}
 }
 
@@ -240,7 +242,7 @@ func TestPreCheckOverride(t *testing.T) {
 		t.Errorf("Error in dnsOverrideDelay :%v", err)
 	}
 	if acme.PreCheckDNS == nil {
-		t.Errorf("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
+		t.Error("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
 	}
 }
 
@@ -271,9 +273,24 @@ cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
 		t.Errorf("Error in buildACMEClient: %v", err)
 	}
 	if client == nil {
-		t.Errorf("No client from buildACMEClient!")
+		t.Error("No client from buildACMEClient!")
 	}
 	if acme.PreCheckDNS == nil {
-		t.Errorf("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
+		t.Error("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
 	}
 }
+
+func TestAcme_getProvidedCertificate(t *testing.T) {
+	mm := make(map[string]*tls.Certificate)
+	mm["*.containo.us"] = &tls.Certificate{}
+	mm["traefik.acme.io"] = &tls.Certificate{}
+
+	a := ACME{TLSConfig: &tls.Config{NameToCertificate: mm}}
+
+	domains := []string{"traefik.containo.us", "trae.containo.us"}
+	certificate := a.getProvidedCertificate(domains)
+	assert.NotNil(t, certificate)
+	domains = []string{"traefik.acme.io", "trae.acme.io"}
+	certificate = a.getProvidedCertificate(domains)
+	assert.Nil(t, certificate)
+}

acme/crypto.go

@@ -123,10 +123,8 @@ func pemEncode(data interface{}) []byte {
 		pemBlock = &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}
 	case *rsa.PrivateKey:
 		pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
-		break
 	case *x509.CertificateRequest:
 		pemBlock = &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: key.Raw}
-		break
 	case []byte:
 		pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.([]byte))}
 	}

auth/forward.go

@@ -0,0 +1,60 @@
+package auth
+
+import (
+	"io/ioutil"
+	"net/http"
+
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/types"
+)
+
+// Forward the authentication to a external server
+func Forward(forward *types.Forward, w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	httpClient := http.Client{}
+
+	if forward.TLS != nil {
+		tlsConfig, err := forward.TLS.CreateTLSConfig()
+		if err != nil {
+			log.Debugf("Impossible to configure TLS to call %s. Cause %s", forward.Address, err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		httpClient.Transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+
+	}
+
+	forwardReq, err := http.NewRequest(http.MethodGet, forward.Address, nil)
+	if err != nil {
+		log.Debugf("Error calling %s. Cause %s", forward.Address, err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	forwardReq.Header = r.Header
+
+	forwardResponse, forwardErr := httpClient.Do(forwardReq)
+	if forwardErr != nil {
+		log.Debugf("Error calling %s. Cause: %s", forward.Address, forwardErr)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	body, readError := ioutil.ReadAll(forwardResponse.Body)
+	if readError != nil {
+		log.Debugf("Error reading body %s. Cause: %s", forward.Address, readError)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	defer forwardResponse.Body.Close()
+
+	if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
+		log.Debugf("Remote error %s. StatusCode: %d", forward.Address, forwardResponse.StatusCode)
+		w.WriteHeader(forwardResponse.StatusCode)
+		w.Write(body)
+		return
+	}
+
+	r.RequestURI = r.URL.RequestURI()
+	next(w, r)
+}

build.Dockerfile

@@ -1,11 +1,8 @@
-FROM golang:1.8
+FROM golang:1.9-alpine
 
-# Install a more recent version of mercurial to avoid mismatching results
-# between glide run on a decently updated host system and the build container.
-RUN awk '$1 ~ "^deb" { $3 = $3 "-backports"; print; exit }' /etc/apt/sources.list > /etc/apt/sources.list.d/backports.list && \
-  DEBIAN_FRONTEND=noninteractive apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -t jessie-backports --yes --no-install-recommends mercurial=3.9.1-1~bpo8+1 && \
-  rm -fr /var/lib/apt/lists/
+RUN apk --update upgrade \
+&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
+&& rm -rf /var/cache/apk/*
 
 RUN go get github.com/jteeuwen/go-bindata/... \
 && go get github.com/golang/lint/golint \
@@ -15,8 +12,7 @@ RUN go get github.com/jteeuwen/go-bindata/... \
 && go get github.com/sgotti/glide-vc
 
 # Which docker version to test on
-ARG DOCKER_VERSION=1.10.3
-
+ARG DOCKER_VERSION=17.03.2
 
 # Which glide version to test on
 ARG GLIDE_VERSION=v0.12.3
@@ -28,7 +24,7 @@ RUN mkdir -p /usr/local/bin \
 
 # Download docker
 RUN mkdir -p /usr/local/bin \
-    && curl -fL https://get.docker.com/builds/Linux/x86_64/docker-${DOCKER_VERSION}.tgz \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
     | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
 WORKDIR /go/src/github.com/containous/traefik

cluster/datastore.go

@@ -80,7 +80,7 @@ func (d *Datastore) watchChanges() error {
 	if err != nil {
 		return err
 	}
-	go func() {
+	safe.Go(func() {
 		ctx, cancel := context.WithCancel(d.ctx)
 		operation := func() error {
 			for {
@@ -97,7 +97,6 @@ func (d *Datastore) watchChanges() error {
 					if err != nil {
 						return err
 					}
-					// log.Debugf("Datastore object change received: %+v", d.meta)
 					if d.listener != nil {
 						err := d.listener(d.meta.object)
 						if err != nil {
@@ -114,12 +113,12 @@ func (d *Datastore) watchChanges() error {
 		if err != nil {
 			log.Errorf("Error in watch datastore: %v", err)
 		}
-	}()
+	})
 	return nil
 }
 
 func (d *Datastore) reload() error {
-	log.Debugf("Datastore reload")
+	log.Debug("Datastore reload")
 	d.localLock.Lock()
 	err := d.kv.LoadConfig(d.meta)
 	if err != nil {

cluster/leadership.go

@@ -54,7 +54,7 @@ func (l *Leadership) Participate(pool *safe.Pool) {
 	})
 }
 
-// AddListener adds a leadership listerner
+// AddListener adds a leadership listener
 func (l *Leadership) AddListener(listener LeaderListener) {
 	l.listeners = append(l.listeners, listener)
 }
@@ -86,7 +86,7 @@ func (l *Leadership) onElection(elected bool) {
 		l.leader.Set(true)
 		l.Start()
 	} else {
-		log.Infof("Node %s elected slave ♝", l.Cluster.Node)
+		log.Infof("Node %s elected worker ♝", l.Cluster.Node)
 		l.leader.Set(false)
 		l.Stop()
 	}

cmd/traefik/bug.go

@@ -17,18 +17,32 @@ import (
 var (
 	bugtracker  = "https://github.com/containous/traefik/issues/new"
 	bugTemplate = `<!--
-PLEASE READ THIS MESSAGE.
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
-Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
-
-For other type of questions, consider using one of:
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
 
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
 - the Traefik community Slack channel: https://traefik.herokuapp.com
-- StackOverflow: https://stackoverflow.com/questions/tagged/traefik
+
+-->
+
+### Do you want to request a *feature* or report a *bug*?
+
+(If you intend to ask a support question: **DO NOT FILE AN ISSUE**.
+Use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik)
+or [Slack](https://traefik.herokuapp.com) instead.)
+
+
+
+### What did you do?
+
+<!--
 
 HOW TO WRITE A GOOD ISSUE?
 
-- if it's possible use the command` + "`" + `traefik bug` + "`" + `. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- Respect the issue template as more as possible.
+- If it's possible use the command ` + "`" + "traefik bug" + "`" + `. See https://www.youtube.com/watch?v=Lyz62L8m93I.
 - The title must be short and descriptive.
 - Explain the conditions which led you to write this issue: the context.
 - The context should lead to something, an idea or a problem that you’re facing.
@@ -37,12 +51,6 @@ HOW TO WRITE A GOOD ISSUE?
 
 -->
 
-### Do you want to request a *feature* or report a *bug*?
-
-
-### What did you do?
-
-
 
 ### What did you expect to see?
 
@@ -60,7 +68,7 @@ HOW TO WRITE A GOOD ISSUE?
 
 ### What is your environment & configuration (arguments, toml, provider, platform, ...)?
 
-` + "```" + `toml
+` + "```" + `json
 {{.Configuration}}
 ` + "```" + `
 
@@ -118,7 +126,7 @@ func newBugCmd(traefikConfiguration interface{}, traefikPointersConfiguration in
 			body := bug.String()
 			URL := bugtracker + "?body=" + url.QueryEscape(body)
 			if err := openBrowser(URL); err != nil {
-				fmt.Print("Please file a new issue at " + bugtracker + " using this template:\n\n")
+				fmt.Printf("Please file a new issue at %s using this template:\n\n", bugtracker)
 				fmt.Print(body)
 			}
 
@@ -146,7 +154,7 @@ func openBrowser(URL string) error {
 }
 
 func anonymize(input string) string {
-	replace := "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	replace := "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx\""
 	mailExp := regexp.MustCompile(`\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3}"`)
 	return xurls.Relaxed.ReplaceAllString(mailExp.ReplaceAllString(input, replace), replace)
 }

cmd/traefik/bug_test.go

@@ -0,0 +1,193 @@
+package main
+
+import (
+	"testing"
+)
+
+func Test_anonymize(t *testing.T) {
+	baseConfiguration := `
+{
+ "GraceTimeOut": 10000000000,
+ "Debug": false,
+ "CheckNewVersion": true,
+ "AccessLogsFile": "",
+ "TraefikLogsFile": "",
+ "LogLevel": "ERROR",
+ "EntryPoints": {
+  "http": {
+   "Network": "",
+   "Address": ":80",
+   "TLS": null,
+   "Redirect": {
+    "EntryPoint": "https",
+    "Regex": "",
+    "Replacement": ""
+   },
+   "Auth": null,
+   "Compress": false
+  },
+  "https": {
+   "Network": "",
+   "Address": ":443",
+   "TLS": {
+    "MinVersion": "",
+    "CipherSuites": null,
+    "Certificates": null,
+    "ClientCAFiles": null
+   },
+   "Redirect": null,
+   "Auth": null,
+   "Compress": false
+  }
+ },
+ "Cluster": null,
+ "Constraints": [],
+ "ACME": {
+  "Email": "foo@bar.com",
+  "Domains": [
+   {
+    "Main": "foo@bar.com",
+    "SANs": null
+   },
+   {
+    "Main": "foo@bar.com",
+    "SANs": null
+   }
+  ],
+  "Storage": "",
+  "StorageFile": "/acme/acme.json",
+  "OnDemand": true,
+  "OnHostRule": true,
+  "CAServer": "",
+  "EntryPoint": "https",
+  "DNSProvider": "",
+  "DelayDontCheckDNS": 0,
+  "ACMELogging": false,
+  "TLSConfig": null
+ },
+ "DefaultEntryPoints": [
+  "https",
+  "http"
+ ],
+ "ProvidersThrottleDuration": 2000000000,
+ "MaxIdleConnsPerHost": 200,
+ "IdleTimeout": 180000000000,
+ "InsecureSkipVerify": false,
+ "Retry": null,
+ "HealthCheck": {
+  "Interval": 30000000000
+ },
+ "Docker": null,
+ "File": null,
+ "Web": null,
+ "Marathon": null,
+ "Consul": null,
+ "ConsulCatalog": null,
+ "Etcd": null,
+ "Zookeeper": null,
+ "Boltdb": null,
+ "Kubernetes": null,
+ "Mesos": null,
+ "Eureka": null,
+ "ECS": null,
+ "Rancher": null,
+ "DynamoDB": null,
+ "ConfigFile": "/etc/traefik/traefik.toml"
+}
+`
+	expectedConfiguration := `
+{
+ "GraceTimeOut": 10000000000,
+ "Debug": false,
+ "CheckNewVersion": true,
+ "AccessLogsFile": "",
+ "TraefikLogsFile": "",
+ "LogLevel": "ERROR",
+ "EntryPoints": {
+  "http": {
+   "Network": "",
+   "Address": ":80",
+   "TLS": null,
+   "Redirect": {
+    "EntryPoint": "https",
+    "Regex": "",
+    "Replacement": ""
+   },
+   "Auth": null,
+   "Compress": false
+  },
+  "https": {
+   "Network": "",
+   "Address": ":443",
+   "TLS": {
+    "MinVersion": "",
+    "CipherSuites": null,
+    "Certificates": null,
+    "ClientCAFiles": null
+   },
+   "Redirect": null,
+   "Auth": null,
+   "Compress": false
+  }
+ },
+ "Cluster": null,
+ "Constraints": [],
+ "ACME": {
+  "Email": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+  "Domains": [
+   {
+    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+    "SANs": null
+   },
+   {
+    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+    "SANs": null
+   }
+  ],
+  "Storage": "",
+  "StorageFile": "/acme/acme.json",
+  "OnDemand": true,
+  "OnHostRule": true,
+  "CAServer": "",
+  "EntryPoint": "https",
+  "DNSProvider": "",
+  "DelayDontCheckDNS": 0,
+  "ACMELogging": false,
+  "TLSConfig": null
+ },
+ "DefaultEntryPoints": [
+  "https",
+  "http"
+ ],
+ "ProvidersThrottleDuration": 2000000000,
+ "MaxIdleConnsPerHost": 200,
+ "IdleTimeout": 180000000000,
+ "InsecureSkipVerify": false,
+ "Retry": null,
+ "HealthCheck": {
+  "Interval": 30000000000
+ },
+ "Docker": null,
+ "File": null,
+ "Web": null,
+ "Marathon": null,
+ "Consul": null,
+ "ConsulCatalog": null,
+ "Etcd": null,
+ "Zookeeper": null,
+ "Boltdb": null,
+ "Kubernetes": null,
+ "Mesos": null,
+ "Eureka": null,
+ "ECS": null,
+ "Rancher": null,
+ "DynamoDB": null,
+ "ConfigFile": "/etc/traefik/traefik.toml"
+}
+`
+	anomConfiguration := anonymize(baseConfiguration)
+
+	if anomConfiguration != expectedConfiguration {
+		t.Errorf("Got %s, want %s.", anomConfiguration, expectedConfiguration)
+	}
+}

cmd/traefik/configuration.go

@@ -0,0 +1,209 @@
+package main
+
+import (
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/middlewares/accesslog"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/web"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/types"
+)
+
+// TraefikConfiguration holds GlobalConfiguration and other stuff
+type TraefikConfiguration struct {
+	configuration.GlobalConfiguration `mapstructure:",squash"`
+	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)."`
+}
+
+// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
+func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
+	//default Docker
+	var defaultDocker docker.Provider
+	defaultDocker.Watch = true
+	defaultDocker.ExposedByDefault = true
+	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
+	defaultDocker.SwarmMode = false
+
+	// default File
+	var defaultFile file.Provider
+	defaultFile.Watch = true
+	defaultFile.Filename = "" //needs equivalent to  viper.ConfigFileUsed()
+
+	// default Web
+	var defaultWeb web.Provider
+	defaultWeb.Address = ":8080"
+	defaultWeb.Statistics = &types.Statistics{
+		RecentErrors: 10,
+	}
+
+	// default Metrics
+	defaultWeb.Metrics = &types.Metrics{
+		Prometheus: &types.Prometheus{
+			Buckets: types.Buckets{0.1, 0.3, 1.2, 5},
+		},
+		Datadog: &types.Datadog{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		StatsD: &types.Statsd{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+	}
+
+	// default Marathon
+	var defaultMarathon marathon.Provider
+	defaultMarathon.Watch = true
+	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
+	defaultMarathon.ExposedByDefault = true
+	defaultMarathon.Constraints = types.Constraints{}
+	defaultMarathon.DialerTimeout = flaeg.Duration(60 * time.Second)
+	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
+
+	// default Consul
+	var defaultConsul consul.Provider
+	defaultConsul.Watch = true
+	defaultConsul.Endpoint = "127.0.0.1:8500"
+	defaultConsul.Prefix = "traefik"
+	defaultConsul.Constraints = types.Constraints{}
+
+	// default CatalogProvider
+	var defaultConsulCatalog consul.CatalogProvider
+	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
+	defaultConsulCatalog.ExposedByDefault = true
+	defaultConsulCatalog.Constraints = types.Constraints{}
+	defaultConsulCatalog.Prefix = "traefik"
+	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
+
+	// default Etcd
+	var defaultEtcd etcd.Provider
+	defaultEtcd.Watch = true
+	defaultEtcd.Endpoint = "127.0.0.1:2379"
+	defaultEtcd.Prefix = "/traefik"
+	defaultEtcd.Constraints = types.Constraints{}
+
+	//default Zookeeper
+	var defaultZookeeper zk.Provider
+	defaultZookeeper.Watch = true
+	defaultZookeeper.Endpoint = "127.0.0.1:2181"
+	defaultZookeeper.Prefix = "/traefik"
+	defaultZookeeper.Constraints = types.Constraints{}
+
+	//default Boltdb
+	var defaultBoltDb boltdb.Provider
+	defaultBoltDb.Watch = true
+	defaultBoltDb.Endpoint = "127.0.0.1:4001"
+	defaultBoltDb.Prefix = "/traefik"
+	defaultBoltDb.Constraints = types.Constraints{}
+
+	//default Kubernetes
+	var defaultKubernetes kubernetes.Provider
+	defaultKubernetes.Watch = true
+	defaultKubernetes.Endpoint = ""
+	defaultKubernetes.LabelSelector = ""
+	defaultKubernetes.Constraints = types.Constraints{}
+
+	// default Mesos
+	var defaultMesos mesos.Provider
+	defaultMesos.Watch = true
+	defaultMesos.Endpoint = "http://127.0.0.1:5050"
+	defaultMesos.ExposedByDefault = true
+	defaultMesos.Constraints = types.Constraints{}
+	defaultMesos.RefreshSeconds = 30
+	defaultMesos.ZkDetectionTimeout = 30
+	defaultMesos.StateTimeoutSecond = 30
+
+	//default ECS
+	var defaultECS ecs.Provider
+	defaultECS.Watch = true
+	defaultECS.ExposedByDefault = true
+	defaultECS.AutoDiscoverClusters = false
+	defaultECS.Clusters = ecs.Clusters{"default"}
+	defaultECS.RefreshSeconds = 15
+	defaultECS.Constraints = types.Constraints{}
+
+	//default Rancher
+	var defaultRancher rancher.Provider
+	defaultRancher.Watch = true
+	defaultRancher.ExposedByDefault = true
+	defaultRancher.RefreshSeconds = 15
+
+	// default DynamoDB
+	var defaultDynamoDB dynamodb.Provider
+	defaultDynamoDB.Constraints = types.Constraints{}
+	defaultDynamoDB.RefreshSeconds = 15
+	defaultDynamoDB.TableName = "traefik"
+	defaultDynamoDB.Watch = true
+
+	// default AccessLog
+	defaultAccessLog := types.AccessLog{
+		Format:   accesslog.CommonFormat,
+		FilePath: "",
+	}
+
+	defaultConfiguration := configuration.GlobalConfiguration{
+		Docker:        &defaultDocker,
+		File:          &defaultFile,
+		Web:           &defaultWeb,
+		Marathon:      &defaultMarathon,
+		Consul:        &defaultConsul,
+		ConsulCatalog: &defaultConsulCatalog,
+		Etcd:          &defaultEtcd,
+		Zookeeper:     &defaultZookeeper,
+		Boltdb:        &defaultBoltDb,
+		Kubernetes:    &defaultKubernetes,
+		Mesos:         &defaultMesos,
+		ECS:           &defaultECS,
+		Rancher:       &defaultRancher,
+		DynamoDB:      &defaultDynamoDB,
+		Retry:         &configuration.Retry{},
+		HealthCheck:   &configuration.HealthCheckConfig{},
+		AccessLog:     &defaultAccessLog,
+	}
+
+	return &TraefikConfiguration{
+		GlobalConfiguration: defaultConfiguration,
+	}
+}
+
+// NewTraefikConfiguration creates a TraefikConfiguration with default values
+func NewTraefikConfiguration() *TraefikConfiguration {
+	return &TraefikConfiguration{
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			GraceTimeOut:              flaeg.Duration(10 * time.Second),
+			AccessLogsFile:            "",
+			TraefikLogsFile:           "",
+			LogLevel:                  "ERROR",
+			EntryPoints:               map[string]*configuration.EntryPoint{},
+			Constraints:               types.Constraints{},
+			DefaultEntryPoints:        []string{},
+			ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
+			MaxIdleConnsPerHost:       200,
+			IdleTimeout:               flaeg.Duration(0),
+			HealthCheck: &configuration.HealthCheckConfig{
+				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+			},
+			RespondingTimeouts: &configuration.RespondingTimeouts{
+				IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
+			},
+			ForwardingTimeouts: &configuration.ForwardingTimeouts{
+				DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
+			},
+			CheckNewVersion: true,
+		},
+		ConfigFile: "",
+	}
+}

cmd/traefik/traefik.go

@@ -18,9 +18,11 @@ import (
 	"github.com/containous/staert"
 	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/configuration"
 	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/middlewares"
+	"github.com/containous/traefik/provider/ecs"
 	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/rancher"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/server"
 	"github.com/containous/traefik/types"
@@ -34,8 +36,8 @@ func main() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
 
 	//traefik config inits
-	traefikConfiguration := server.NewTraefikConfiguration()
-	traefikPointersConfiguration := server.NewTraefikDefaultPointersConfiguration()
+	traefikConfiguration := NewTraefikConfiguration()
+	traefikPointersConfiguration := NewTraefikDefaultPointersConfiguration()
 	//traefik Command init
 	traefikCmd := &flaeg.Command{
 		Name: "traefik",
@@ -44,7 +46,19 @@ Complete documentation is available at https://traefik.io`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
 		Run: func() error {
-			run(traefikConfiguration)
+			globalConfiguration := traefikConfiguration.GlobalConfiguration
+			if globalConfiguration.File != nil && len(globalConfiguration.File.Filename) == 0 {
+				// no filename, setting to global config file
+				if len(traefikConfiguration.ConfigFile) != 0 {
+					globalConfiguration.File.Filename = traefikConfiguration.ConfigFile
+				} else {
+					log.Errorln("Error using file configuration backend, no filename defined")
+				}
+			}
+			if len(traefikConfiguration.ConfigFile) != 0 {
+				log.Infof("Using TOML configuration file %s", traefikConfiguration.ConfigFile)
+			}
+			run(&globalConfiguration)
 			return nil
 		},
 	}
@@ -53,7 +67,7 @@ Complete documentation is available at https://traefik.io`,
 	var kv *staert.KvSource
 	var err error
 
-	storeconfigCmd := &flaeg.Command{
+	storeConfigCmd := &flaeg.Command{
 		Name:                  "storeconfig",
 		Description:           `Store the static traefik configuration into a Key-value stores. Traefik will not start.`,
 		Config:                traefikConfiguration,
@@ -73,8 +87,8 @@ Complete documentation is available at https://traefik.io`,
 			}
 			if traefikConfiguration.GlobalConfiguration.ACME != nil && len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
 				// convert ACME json file to KV store
-				store := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
-				object, err := store.Load()
+				localStore := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
+				object, err := localStore.Load()
 				if err != nil {
 					return err
 				}
@@ -99,20 +113,60 @@ Complete documentation is available at https://traefik.io`,
 		},
 	}
 
+	healthCheckCmd := &flaeg.Command{
+		Name:                  "healthcheck",
+		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Run: func() error {
+			if traefikConfiguration.Web == nil {
+				fmt.Println("Please enable the web provider to use healtcheck.")
+				os.Exit(1)
+			}
+			client := &http.Client{Timeout: 5 * time.Second}
+			protocol := "http"
+			if len(traefikConfiguration.Web.CertFile) > 0 {
+				protocol = "https"
+				tr := &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				}
+				client.Transport = tr
+			}
+			resp, err := client.Head(protocol + "://" + traefikConfiguration.Web.Address + "/ping")
+			if err != nil {
+				fmt.Printf("Error calling healthcheck: %s\n", err)
+				os.Exit(1)
+			}
+			if resp.StatusCode != http.StatusOK {
+				fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
+				os.Exit(1)
+			}
+			fmt.Printf("OK: %s\n", resp.Request.URL)
+			os.Exit(0)
+			return nil
+		},
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+
 	//init flaeg source
 	f := flaeg.New(traefikCmd, os.Args[1:])
 	//add custom parsers
-	f.AddParser(reflect.TypeOf(server.EntryPoints{}), &server.EntryPoints{})
-	f.AddParser(reflect.TypeOf(server.DefaultEntryPoints{}), &server.DefaultEntryPoints{})
+	f.AddParser(reflect.TypeOf(configuration.EntryPoints{}), &configuration.EntryPoints{})
+	f.AddParser(reflect.TypeOf(configuration.DefaultEntryPoints{}), &configuration.DefaultEntryPoints{})
+	f.AddParser(reflect.TypeOf(configuration.RootCAs{}), &configuration.RootCAs{})
 	f.AddParser(reflect.TypeOf(types.Constraints{}), &types.Constraints{})
 	f.AddParser(reflect.TypeOf(kubernetes.Namespaces{}), &kubernetes.Namespaces{})
+	f.AddParser(reflect.TypeOf(ecs.Clusters{}), &ecs.Clusters{})
 	f.AddParser(reflect.TypeOf([]acme.Domain{}), &acme.Domains{})
 	f.AddParser(reflect.TypeOf(types.Buckets{}), &types.Buckets{})
 
 	//add commands
 	f.AddCommand(newVersionCmd())
 	f.AddCommand(newBugCmd(traefikConfiguration, traefikPointersConfiguration))
-	f.AddCommand(storeconfigCmd)
+	f.AddCommand(storeConfigCmd)
+	f.AddCommand(healthCheckCmd)
 
 	usedCmd, err := f.GetCommand()
 	if err != nil {
@@ -169,33 +223,38 @@ Complete documentation is available at https://traefik.io`,
 	os.Exit(0)
 }
 
-func run(traefikConfiguration *server.TraefikConfiguration) {
+func run(globalConfiguration *configuration.GlobalConfiguration) {
 	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
 
-	// load global configuration
-	globalConfiguration := traefikConfiguration.GlobalConfiguration
-
-	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = globalConfiguration.MaxIdleConnsPerHost
-	if globalConfiguration.InsecureSkipVerify {
-		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-	loggerMiddleware := middlewares.NewLogger(globalConfiguration.AccessLogsFile)
-	defer loggerMiddleware.Close()
-
-	if globalConfiguration.File != nil && len(globalConfiguration.File.Filename) == 0 {
-		// no filename, setting to global config file
-		if len(traefikConfiguration.ConfigFile) != 0 {
-			globalConfiguration.File.Filename = traefikConfiguration.ConfigFile
-		} else {
-			log.Errorln("Error using file configuration backend, no filename defined")
-		}
-	}
+	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if len(globalConfiguration.EntryPoints) == 0 {
-		globalConfiguration.EntryPoints = map[string]*server.EntryPoint{"http": {Address: ":80"}}
+		globalConfiguration.EntryPoints = map[string]*configuration.EntryPoint{"http": {Address: ":80"}}
 		globalConfiguration.DefaultEntryPoints = []string{"http"}
 	}
 
+	if globalConfiguration.Rancher != nil {
+		// Ensure backwards compatibility for now
+		if len(globalConfiguration.Rancher.AccessKey) > 0 ||
+			len(globalConfiguration.Rancher.Endpoint) > 0 ||
+			len(globalConfiguration.Rancher.SecretKey) > 0 {
+
+			if globalConfiguration.Rancher.API == nil {
+				globalConfiguration.Rancher.API = &rancher.APIConfiguration{
+					AccessKey: globalConfiguration.Rancher.AccessKey,
+					SecretKey: globalConfiguration.Rancher.SecretKey,
+					Endpoint:  globalConfiguration.Rancher.Endpoint,
+				}
+			}
+			log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " +
+				"Please use rancher.api.[accesskey|secretkey|endpoint] instead.")
+		}
+
+		if globalConfiguration.Rancher.Metadata != nil && len(globalConfiguration.Rancher.Metadata.Prefix) == 0 {
+			globalConfiguration.Rancher.Metadata.Prefix = "latest"
+		}
+	}
+
 	if globalConfiguration.Debug {
 		globalConfiguration.LogLevel = "DEBUG"
 	}
@@ -214,16 +273,15 @@ func run(traefikConfiguration *server.TraefikConfiguration) {
 			log.Errorf("Failed to create log path %s: %s", dir, err)
 		}
 
-		fi, err := os.OpenFile(globalConfiguration.TraefikLogsFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
+		err = log.OpenFile(globalConfiguration.TraefikLogsFile)
 		defer func() {
-			if err := fi.Close(); err != nil {
-				log.Error("Error closing file", err)
+			if err := log.CloseFile(); err != nil {
+				log.Error("Error closing log", err)
 			}
 		}()
 		if err != nil {
 			log.Error("Error opening file", err)
 		} else {
-			log.SetOutput(fi)
 			log.SetFormatter(&logrus.TextFormatter{DisableColors: true, FullTimestamp: true, DisableSorting: true})
 		}
 	} else {
@@ -245,11 +303,8 @@ func run(traefikConfiguration *server.TraefikConfiguration) {
 		})
 	}
 
-	if len(traefikConfiguration.ConfigFile) != 0 {
-		log.Infof("Using TOML configuration file %s", traefikConfiguration.ConfigFile)
-	}
 	log.Debugf("Global configuration loaded %s", string(jsonConf))
-	svr := server.NewServer(globalConfiguration)
+	svr := server.NewServer(*globalConfiguration)
 	svr.Start()
 	defer svr.Close()
 	sent, err := daemon.SdNotify(false, "READY=1")
@@ -278,34 +333,34 @@ func run(traefikConfiguration *server.TraefikConfiguration) {
 
 // CreateKvSource creates KvSource
 // TLS support is enable for Consul and Etcd backends
-func CreateKvSource(traefikConfiguration *server.TraefikConfiguration) (*staert.KvSource, error) {
+func CreateKvSource(traefikConfiguration *TraefikConfiguration) (*staert.KvSource, error) {
 	var kv *staert.KvSource
-	var store store.Store
+	var kvStore store.Store
 	var err error
 
 	switch {
 	case traefikConfiguration.Consul != nil:
-		store, err = traefikConfiguration.Consul.CreateStore()
+		kvStore, err = traefikConfiguration.Consul.CreateStore()
 		kv = &staert.KvSource{
-			Store:  store,
+			Store:  kvStore,
 			Prefix: traefikConfiguration.Consul.Prefix,
 		}
 	case traefikConfiguration.Etcd != nil:
-		store, err = traefikConfiguration.Etcd.CreateStore()
+		kvStore, err = traefikConfiguration.Etcd.CreateStore()
 		kv = &staert.KvSource{
-			Store:  store,
+			Store:  kvStore,
 			Prefix: traefikConfiguration.Etcd.Prefix,
 		}
 	case traefikConfiguration.Zookeeper != nil:
-		store, err = traefikConfiguration.Zookeeper.CreateStore()
+		kvStore, err = traefikConfiguration.Zookeeper.CreateStore()
 		kv = &staert.KvSource{
-			Store:  store,
+			Store:  kvStore,
 			Prefix: traefikConfiguration.Zookeeper.Prefix,
 		}
 	case traefikConfiguration.Boltdb != nil:
-		store, err = traefikConfiguration.Boltdb.CreateStore()
+		kvStore, err = traefikConfiguration.Boltdb.CreateStore()
 		kv = &staert.KvSource{
-			Store:  store,
+			Store:  kvStore,
 			Prefix: traefikConfiguration.Boltdb.Prefix,
 		}
 	}

cmd/traefik/version.go

@@ -30,7 +30,7 @@ func newVersionCmd() *flaeg.Command {
 			if err := getVersionPrint(os.Stdout); err != nil {
 				return err
 			}
-			fmt.Printf("\n")
+			fmt.Print("\n")
 			return nil
 
 		},

configuration/configuration.go

@@ -0,0 +1,440 @@
+package configuration
+
+import (
+	"crypto/tls"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/web"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/types"
+)
+
+const (
+	// DefaultHealthCheckInterval is the default health check interval.
+	DefaultHealthCheckInterval = 30 * time.Second
+
+	// DefaultDialTimeout when connecting to a backend server.
+	DefaultDialTimeout = 30 * time.Second
+
+	// DefaultIdleTimeout before closing an idle connection.
+	DefaultIdleTimeout = 180 * time.Second
+)
+
+// GlobalConfiguration holds global configuration (with providers, etc.).
+// It's populated from the traefik configuration file passed as an argument to the binary.
+type GlobalConfiguration struct {
+	GraceTimeOut              flaeg.Duration          `short:"g" description:"Duration to give active requests a chance to finish before Traefik stops"`
+	Debug                     bool                    `short:"d" description:"Enable debug mode"`
+	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released"`
+	AccessLogsFile            string                  `description:"(Deprecated) Access logs file"` // Deprecated
+	AccessLog                 *types.AccessLog        `description:"Access log settings"`
+	TraefikLogsFile           string                  `description:"Traefik logs file. Stdout is used when omitted or empty"`
+	LogLevel                  string                  `short:"l" description:"Log level"`
+	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'"`
+	Cluster                   *types.Cluster          `description:"Enable clustering"`
+	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags"`
+	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL"`
+	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint"`
+	ProvidersThrottleDuration flaeg.Duration          `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time."`
+	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used"`
+	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself."` // Deprecated
+	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification"`
+	RootCAs                   RootCAs                 `description:"Add cert file for self-signed certicate"`
+	Retry                     *Retry                  `description:"Enable retry sending request if network error"`
+	HealthCheck               *HealthCheckConfig      `description:"Health check parameters"`
+	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance"`
+	ForwardingTimeouts        *ForwardingTimeouts     `description:"Timeouts for requests forwarded to the backend servers"`
+	Docker                    *docker.Provider        `description:"Enable Docker backend with default settings"`
+	File                      *file.Provider          `description:"Enable File backend with default settings"`
+	Web                       *web.Provider           `description:"Enable Web backend with default settings"`
+	Marathon                  *marathon.Provider      `description:"Enable Marathon backend with default settings"`
+	Consul                    *consul.Provider        `description:"Enable Consul backend with default settings"`
+	ConsulCatalog             *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings"`
+	Etcd                      *etcd.Provider          `description:"Enable Etcd backend with default settings"`
+	Zookeeper                 *zk.Provider            `description:"Enable Zookeeper backend with default settings"`
+	Boltdb                    *boltdb.Provider        `description:"Enable Boltdb backend with default settings"`
+	Kubernetes                *kubernetes.Provider    `description:"Enable Kubernetes backend with default settings"`
+	Mesos                     *mesos.Provider         `description:"Enable Mesos backend with default settings"`
+	Eureka                    *eureka.Provider        `description:"Enable Eureka backend with default settings"`
+	ECS                       *ecs.Provider           `description:"Enable ECS backend with default settings"`
+	Rancher                   *rancher.Provider       `description:"Enable Rancher backend with default settings"`
+	DynamoDB                  *dynamodb.Provider      `description:"Enable DynamoDB backend with default settings"`
+}
+
+// DefaultEntryPoints holds default entry points
+type DefaultEntryPoints []string
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (dep *DefaultEntryPoints) String() string {
+	return strings.Join(*dep, ",")
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (dep *DefaultEntryPoints) Set(value string) error {
+	entrypoints := strings.Split(value, ",")
+	if len(entrypoints) == 0 {
+		return fmt.Errorf("bad DefaultEntryPoints format: %s", value)
+	}
+	for _, entrypoint := range entrypoints {
+		*dep = append(*dep, entrypoint)
+	}
+	return nil
+}
+
+// Get return the EntryPoints map
+func (dep *DefaultEntryPoints) Get() interface{} {
+	return DefaultEntryPoints(*dep)
+}
+
+// SetValue sets the EntryPoints map with val
+func (dep *DefaultEntryPoints) SetValue(val interface{}) {
+	*dep = DefaultEntryPoints(val.(DefaultEntryPoints))
+}
+
+// Type is type of the struct
+func (dep *DefaultEntryPoints) Type() string {
+	return "defaultentrypoints"
+}
+
+// RootCAs hold the CA we want to have in root
+type RootCAs []FileOrContent
+
+// FileOrContent hold a file path or content
+type FileOrContent string
+
+func (f FileOrContent) String() string {
+	return string(f)
+}
+
+func (f FileOrContent) Read() ([]byte, error) {
+	var content []byte
+	if _, err := os.Stat(f.String()); err == nil {
+		content, err = ioutil.ReadFile(f.String())
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		content = []byte(f)
+	}
+	return content, nil
+}
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (r *RootCAs) String() string {
+	sliceOfString := make([]string, len([]FileOrContent(*r)))
+	for key, value := range *r {
+		sliceOfString[key] = value.String()
+	}
+	return strings.Join(sliceOfString, ",")
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (r *RootCAs) Set(value string) error {
+	rootCAs := strings.Split(value, ",")
+	if len(rootCAs) == 0 {
+		return fmt.Errorf("bad RootCAs format: %s", value)
+	}
+	for _, rootCA := range rootCAs {
+		*r = append(*r, FileOrContent(rootCA))
+	}
+	return nil
+}
+
+// Get return the EntryPoints map
+func (r *RootCAs) Get() interface{} {
+	return RootCAs(*r)
+}
+
+// SetValue sets the EntryPoints map with val
+func (r *RootCAs) SetValue(val interface{}) {
+	*r = RootCAs(val.(RootCAs))
+}
+
+// Type is type of the struct
+func (r *RootCAs) Type() string {
+	return "rootcas"
+}
+
+// EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoints map[string]*EntryPoint
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (ep *EntryPoints) String() string {
+	return fmt.Sprintf("%+v", *ep)
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (ep *EntryPoints) Set(value string) error {
+	regex := regexp.MustCompile(`(?:Name:(?P<Name>\S*))\s*(?:Address:(?P<Address>\S*))?\s*(?:TLS:(?P<TLS>\S*))?\s*((?P<TLSACME>TLS))?\s*(?:CA:(?P<CA>\S*))?\s*(?:Redirect.EntryPoint:(?P<RedirectEntryPoint>\S*))?\s*(?:Redirect.Regex:(?P<RedirectRegex>\\S*))?\s*(?:Redirect.Replacement:(?P<RedirectReplacement>\S*))?\s*(?:Compress:(?P<Compress>\S*))?\s*(?:WhiteListSourceRange:(?P<WhiteListSourceRange>\S*))?\s*(?:ProxyProtocol:(?P<ProxyProtocol>\S*))?`)
+	match := regex.FindAllStringSubmatch(value, -1)
+	if match == nil {
+		return fmt.Errorf("bad EntryPoints format: %s", value)
+	}
+	matchResult := match[0]
+	result := make(map[string]string)
+	for i, name := range regex.SubexpNames() {
+		if i != 0 {
+			result[name] = matchResult[i]
+		}
+	}
+	var configTLS *TLS
+	if len(result["TLS"]) > 0 {
+		certs := Certificates{}
+		if err := certs.Set(result["TLS"]); err != nil {
+			return err
+		}
+		configTLS = &TLS{
+			Certificates: certs,
+		}
+	} else if len(result["TLSACME"]) > 0 {
+		configTLS = &TLS{
+			Certificates: Certificates{},
+		}
+	}
+	if len(result["CA"]) > 0 {
+		files := strings.Split(result["CA"], ",")
+		configTLS.ClientCAFiles = files
+	}
+	var redirect *Redirect
+	if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 {
+		redirect = &Redirect{
+			EntryPoint:  result["RedirectEntryPoint"],
+			Regex:       result["RedirectRegex"],
+			Replacement: result["RedirectReplacement"],
+		}
+	}
+
+	compress := false
+	if len(result["Compress"]) > 0 {
+		compress = strings.EqualFold(result["Compress"], "true") ||
+			strings.EqualFold(result["Compress"], "enable") ||
+			strings.EqualFold(result["Compress"], "on")
+	}
+
+	whiteListSourceRange := []string{}
+	if len(result["WhiteListSourceRange"]) > 0 {
+		whiteListSourceRange = strings.Split(result["WhiteListSourceRange"], ",")
+	}
+
+	proxyprotocol := false
+	if len(result["ProxyProtocol"]) > 0 {
+		proxyprotocol = strings.EqualFold(result["ProxyProtocol"], "true") ||
+			strings.EqualFold(result["ProxyProtocol"], "enable") ||
+			strings.EqualFold(result["ProxyProtocol"], "on")
+	}
+
+	(*ep)[result["Name"]] = &EntryPoint{
+		Address:              result["Address"],
+		TLS:                  configTLS,
+		Redirect:             redirect,
+		Compress:             compress,
+		WhitelistSourceRange: whiteListSourceRange,
+		ProxyProtocol:        proxyprotocol,
+	}
+
+	return nil
+}
+
+// Get return the EntryPoints map
+func (ep *EntryPoints) Get() interface{} {
+	return EntryPoints(*ep)
+}
+
+// SetValue sets the EntryPoints map with val
+func (ep *EntryPoints) SetValue(val interface{}) {
+	*ep = EntryPoints(val.(EntryPoints))
+}
+
+// Type is type of the struct
+func (ep *EntryPoints) Type() string {
+	return "entrypoints"
+}
+
+// EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoint struct {
+	Network              string
+	Address              string
+	TLS                  *TLS
+	Redirect             *Redirect
+	Auth                 *types.Auth
+	WhitelistSourceRange []string
+	Compress             bool
+	ProxyProtocol        bool
+}
+
+// Redirect configures a redirection of an entry point to another, or to an URL
+type Redirect struct {
+	EntryPoint  string
+	Regex       string
+	Replacement string
+}
+
+// TLS configures TLS for an entry point
+type TLS struct {
+	MinVersion    string
+	CipherSuites  []string
+	Certificates  Certificates
+	ClientCAFiles []string
+}
+
+// MinVersion Map of allowed TLS minimum versions
+var MinVersion = map[string]uint16{
+	`VersionTLS10`: tls.VersionTLS10,
+	`VersionTLS11`: tls.VersionTLS11,
+	`VersionTLS12`: tls.VersionTLS12,
+}
+
+// CipherSuites Map of TLS CipherSuites from crypto/tls
+// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+var CipherSuites = map[string]uint16{
+	`TLS_RSA_WITH_RC4_128_SHA`:                tls.TLS_RSA_WITH_RC4_128_SHA,
+	`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	`TLS_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+	`TLS_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	`TLS_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+	`TLS_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	`TLS_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+}
+
+// Certificates defines traefik certificates type
+// Certs and Keys could be either a file path, or the file content itself
+type Certificates []Certificate
+
+//CreateTLSConfig creates a TLS config from Certificate structures
+func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) {
+	config := &tls.Config{}
+	config.Certificates = []tls.Certificate{}
+	certsSlice := []Certificate(*certs)
+	for _, v := range certsSlice {
+		cert := tls.Certificate{}
+
+		var err error
+
+		certContent, err := v.CertFile.Read()
+		if err != nil {
+			return nil, err
+		}
+
+		keyContent, err := v.KeyFile.Read()
+		if err != nil {
+			return nil, err
+		}
+
+		cert, err = tls.X509KeyPair(certContent, keyContent)
+		if err != nil {
+			return nil, err
+		}
+
+		config.Certificates = append(config.Certificates, cert)
+	}
+	return config, nil
+}
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (certs *Certificates) String() string {
+	if len(*certs) == 0 {
+		return ""
+	}
+	var result []string
+	for _, certificate := range *certs {
+		result = append(result, certificate.CertFile.String()+","+certificate.KeyFile.String())
+	}
+	return strings.Join(result, ";")
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (certs *Certificates) Set(value string) error {
+	certificates := strings.Split(value, ";")
+	for _, certificate := range certificates {
+		files := strings.Split(certificate, ",")
+		if len(files) != 2 {
+			return fmt.Errorf("bad certificates format: %s", value)
+		}
+		*certs = append(*certs, Certificate{
+			CertFile: FileOrContent(files[0]),
+			KeyFile:  FileOrContent(files[1]),
+		})
+	}
+	return nil
+}
+
+// Type is type of the struct
+func (certs *Certificates) Type() string {
+	return "certificates"
+}
+
+// Certificate holds a SSL cert/key pair
+// Certs and Key could be either a file path, or the file content itself
+type Certificate struct {
+	CertFile FileOrContent
+	KeyFile  FileOrContent
+}
+
+// Retry contains request retry config
+type Retry struct {
+	Attempts int `description:"Number of attempts"`
+}
+
+// HealthCheckConfig contains health check configuration parameters.
+type HealthCheckConfig struct {
+	Interval flaeg.Duration `description:"Default periodicity of enabled health checks"`
+}
+
+// RespondingTimeouts contains timeout configurations for incoming requests to the Traefik instance.
+type RespondingTimeouts struct {
+	ReadTimeout  flaeg.Duration `description:"ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set"`
+	WriteTimeout flaeg.Duration `description:"WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set"`
+	IdleTimeout  flaeg.Duration `description:"IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. Defaults to 180 seconds. If zero, no timeout is set"`
+}
+
+// ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers.
+type ForwardingTimeouts struct {
+	DialTimeout           flaeg.Duration `description:"The amount of time to wait until a connection to a backend server can be established. Defaults to 30 seconds. If zero, no timeout exists"`
+	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists"`
+}

contrib/scripts/dumpcerts.sh

@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+# Copyright (c) 2017 Brian 'redbeard' Harrington <redbeard@dead-city.org>
+#
+# dumpcerts.sh - A simple utility to explode a Traefik acme.json file into a
+#                directory of certificates and a private key
+#
+# Usage - dumpcerts.sh /etc/traefik/acme.json /etc/ssl/
+#
+# Dependencies -
+#   util-linux
+#   openssl
+#   jq
+# The MIT License (MIT)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+# Exit codes:
+# 1 - A component is missing or could not be read
+# 2 - There was a problem reading acme.json
+# 4 - The destination certificate directory does not exist
+# 8 - Missing private key
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+USAGE="$(basename "$0") <path to acme> <destination cert directory>"
+
+# Allow us to exit on a missing jq binary
+exit_jq() {
+	echo "
+You must have the binary 'jq' to use this.
+jq is available at: https://stedolan.github.io/jq/download/
+
+${USAGE}" >&2
+	exit 1
+}
+
+bad_acme() {
+	echo "
+There was a problem parsing your acme.json file.
+
+${USAGE}" >&2
+	exit 2
+}
+
+if [ $# -ne 2 ]; then
+	echo "
+Insufficient number of parameters.
+
+${USAGE}" >&2
+	exit 1
+fi
+
+readonly acmefile="${1}"
+readonly certdir="${2%/}"
+
+if [ ! -r "${acmefile}" ]; then
+	echo "
+There was a problem reading from '${acmefile}'
+We need to read this file to explode the JSON bundle... exiting.
+
+${USAGE}" >&2
+	exit 2
+fi
+
+
+if [ ! -d "${certdir}" ]; then
+	echo "
+Path ${certdir} does not seem to be a directory
+We need a directory in which to explode the JSON bundle... exiting.
+
+${USAGE}" >&2
+	exit 4
+fi
+
+jq=$(command -v jq) || exit_jq
+
+priv=$(${jq} -e -r '.PrivateKey' "${acmefile}") || bad_acme
+
+if [ ! -n "${priv}" ]; then
+	echo "
+There didn't seem to be a private key in ${acmefile}.
+Please ensure that there is a key in this file and try again." >&2
+	exit 8
+fi
+
+# If they do not exist, create the needed subdirectories for our assets
+# and place each in a variable for later use, normalizing the path
+mkdir -p "${certdir}"/{certs,private}
+
+pdir="${certdir}/private/"
+cdir="${certdir}/certs/"
+
+# Save the existing umask, change the default mode to 600, then
+# after writing the private key switch it back to the default
+oldumask=$(umask)
+umask 177
+trap 'umask ${oldumask}' EXIT
+
+# traefik stores the private key in stripped base64 format but the certificates
+# bundled as a base64 object without stripping headers.  This normalizes the
+# headers and formatting.
+#
+# In testing this out it was a balance between the following mechanisms:
+# gawk:
+#  echo ${priv} | awk 'BEGIN {print "-----BEGIN RSA PRIVATE KEY-----"}
+#     {gsub(/.{64}/,"&\n")}1
+#     END {print "-----END RSA PRIVATE KEY-----"}' > "${pdir}/letsencrypt.key"
+#
+# openssl:
+# echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
+#   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
+#
+# and sed:
+# echo "-----BEGIN RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
+# echo ${priv} | sed 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
+# echo "-----END RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
+#
+# In the end, openssl was chosen because most users will need this script
+# *because* of openssl combined with the fact that it will refuse to write the
+# key if it does not parse out correctly. The other mechanisms were left as
+# comments so that the user can choose the mechanism most appropriate to them.
+echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
+   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
+
+# Process the certificates for each of the domains in acme.json
+for domain in $(jq -r '.DomainsCertificate.Certs[].Certificate.Domain' acme.json); do
+	# Traefik stores a cert bundle for each domain.  Within this cert
+	# bundle there is both proper the certificate and the Let's Encrypt CA
+	echo "Extracting cert bundle for ${domain}"
+	cert=$(jq -e -r --arg domain "$domain" '.DomainsCertificate.Certs[].Certificate |
+         	select (.Domain == $domain )| .Certificate' ${acmefile}) || bad_acme
+	echo "${cert}" | base64 --decode > "${cdir}/${domain}.pem"
+done

docs/basics.md

@@ -1,5 +1,6 @@
+# Basics
 
-# Concepts
+## Concepts
 
 Let's take our example from the [overview](https://docs.traefik.io/#overview) again:
 
@@ -24,7 +25,7 @@ Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can
 - The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy.
 - Finally, the [server](#servers) will forward the request to the corresponding microservice in the private network.
 
-## Entrypoints
+### Entrypoints
 
 Entrypoints are the network entry points into Træfik.
 They can be defined using:
@@ -71,13 +72,13 @@ And here is another example with client certificate authentication:
 - One or several files containing Certificate Authorities in PEM format are added.
 - It is possible to have multiple CA:s in the same file or keep them in separate files.
 
-## Frontends
+### Frontends
 
 A frontend consists of a set of rules that determine how incoming requests are forwarded from an entrypoint to a backend.
 
 Rules may be classified in one of two groups: Modifiers and matchers.
 
-### Modifiers
+#### Modifiers
 
 Modifier rules only modify the request. They do not have any impact on routing decisions being made.
 
@@ -86,48 +87,61 @@ Following is the list of existing modifier rules:
 - `AddPrefix: /products`: Add path prefix to the existing request path prior to forwarding the request to the backend.
 - `ReplacePath: /serverless-path`: Replaces the path and adds the old path to the `X-Replaced-Path` header. Useful for mapping to AWS Lambda or Google Cloud Functions.
 
-### Matchers
+#### Matchers
 
 Matcher rules determine if a particular request should be forwarded to a backend.
 
-Separate multiple rule values by `,` (comma) in order to enable ANY semantics (i.e., forward a request if any rule matches). Does not work for `Headers` and `HeadersRegexp`.
+Separate multiple rule values by `,` (comma) in order to enable ANY semantics (i.e., forward a request if any rule matches).
+Does not work for `Headers` and `HeadersRegexp`.
 
 Separate multiple rule values by `;` (semicolon) in order to enable ALL semantics (i.e., forward a request if all rules match).
 
-You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
-
 Following is the list of existing matcher rules along with examples:
 
-- `Headers: Content-Type, application/json`: Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals.
-- `HeadersRegexp: Content-Type, application/(text|json)`: Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression.
-- `Host: traefik.io, www.traefik.io`: Match request host. It accepts a sequence of literal hosts.
-- `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io`: Match request host. It accepts a sequence of literal and regular expression hosts.
-- `Method: GET, POST, PUT`: Match request HTTP method. It accepts a sequence of HTTP methods.
-- `Path: /products/, /articles/{category}/{id:[0-9]+}`: Match exact request path. It accepts a sequence of literal and regular expression paths.
-- `PathStrip: /products/`: Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths.
-- `PathStripRegex: /articles/{category}/{id:[0-9]+}`: Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths.
-- `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}`: Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.
-- `PathPrefixStrip: /products/`: Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header.
-- `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}`: Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header.
+| Matcher                                                    | Description                                                                                                                                                                                                                                                                             |
+|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `Headers: Content-Type, application/json`                  | Match HTTP header. It accepts a comma-separated key/value pair where both key and value must be literals.                                                                                                                                                                               |
+| `HeadersRegexp: Content-Type, application/(text/json)`     | Match HTTP header. It accepts a comma-separated key/value pair where the key must be a literal and the value may be a literal or a regular expression.                                                                                                                                  |
+| `Host: traefik.io, www.traefik.io`                         | Match request host. It accepts a sequence of literal hosts.                                                                                                                                                                                                                             |
+| `HostRegexp: traefik.io, {subdomain:[a-z]+}.traefik.io`    | Match request host. It accepts a sequence of literal and regular expression hosts.                                                                                                                                                                                                      |
+| `Method: GET, POST, PUT`                                   | Match request HTTP method. It accepts a sequence of HTTP methods.                                                                                                                                                                                                                       |
+| `Path: /products/, /articles/{category}/{id:[0-9]+}`       | Match exact request path. It accepts a sequence of literal and regular expression paths.                                                                                                                                                                                                |
+| `PathStrip: /products/`                                    | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal paths.                                                                                                                                                         |
+| `PathStripRegex: /articles/{category}/{id:[0-9]+}`         | Match exact path and strip off the path prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression paths.                                                                                                                                  |
+| `PathPrefix: /products/, /articles/{category}/{id:[0-9]+}` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.                                                                                                                                                                                        |
+| `PathPrefixStrip: /products/`                              | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header.                        |
+| `PathPrefixStripRegex: /articles/{category}/{id:[0-9]+}`   | Match request prefix path and strip off the path prefix prior to forwarding the request to the backend. It accepts a sequence of literal and regular expression prefix paths. Starting with Traefik 1.3, the stripped prefix path will be available in the `X-Forwarded-Prefix` header. |
+| `Query: foo=bar, bar=baz`                                  | Match Query String parameters. It accepts a sequence of key=value pairs.                                                                                                                                                                                                                |
 
-In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used. Example: `/posts/{id:[0-9]+}`.
+In order to use regular expressions with Host and Path matchers, you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces. Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`).
 
-(Note that the variable has no special meaning; however, it is required by the gorilla/mux dependency which embeds the regular expression and defines the syntax.)
+!!! note
+    The variable has no special meaning; however, it is required by the [gorilla/mux](https://github.com/gorilla/mux) dependency which embeds the regular expression and defines the syntax.
 
-#### Path Matcher Usage Guidelines
+You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
+You can also optionally enable `passTLSCert` to forward TLS Client certificates to the backend.
+
+##### Path Matcher Usage Guidelines
 
 This section explains when to use the various path matchers.
 
 Use `Path` if your backend listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`.
 
-Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths. For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. Since the path is forwarded as-is, your backend is expected to listen on `/products`.
+Use a `*Prefix*` matcher if your backend listens on a particular base path but also serves requests on sub-paths.
+For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
+Since the path is forwarded as-is, your backend is expected to listen on `/products`.
 
-Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix. For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`. Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
-If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs. Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend). The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
+Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
+Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
+If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
+Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
+The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
 
-Instead of distinguishing your backends by path only, you can add a Host matcher to the mix. That way, namespacing of your backends happens on the basis of hosts in addition to paths.
+Instead of distinguishing your backends by path only, you can add a Host matcher to the mix.
+That way, namespacing of your backends happens on the basis of hosts in addition to paths.
 
-### Examples
+#### Examples
 
 Here is an example of frontends definition:
 
@@ -140,6 +154,7 @@ Here is an example of frontends definition:
   [frontends.frontend2]
   backend = "backend1"
   passHostHeader = true
+  passTLSCert = true
   priority = 10
   entrypoints = ["https"] # overrides defaultEntryPoints
     [frontends.frontend2.routes.test_1]
@@ -155,14 +170,14 @@ Here is an example of frontends definition:
 - `frontend2` will forward the traffic to the `backend1` if the rule `Host:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
 - `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched
 
-### Combining multiple rules
+#### Combining multiple rules
 
 As seen in the previous example, you can combine multiple rules.
 In TOML file, you can use multiple routes:
 
 ```toml
-[frontends.frontend3]
-backend = "backend2"
+  [frontends.frontend3]
+  backend = "backend2"
     [frontends.frontend3.routes.test_1]
     rule = "Host:test3.localhost"
     [frontends.frontend3.routes.test_2]
@@ -173,8 +188,8 @@ Here `frontend3` will forward the traffic to the `backend2` if the rules `Host:t
 You can also use the notation using a `;` separator, same result:
 
 ```toml
-[frontends.frontend3]
-backend = "backend2"
+  [frontends.frontend3]
+  backend = "backend2"
     [frontends.frontend3.routes.test_1]
     rule = "Host:test3.localhost;Path:/test"
 ```
@@ -182,16 +197,16 @@ backend = "backend2"
 Finally, you can create a rule to bind multiple domains or Path to a frontend, using the `,` separator:
 
 ```toml
-[frontends.frontend2]
+ [frontends.frontend2]
     [frontends.frontend2.routes.test_1]
     rule = "Host:test1.localhost,test2.localhost"
-[frontends.frontend3]
-backend = "backend2"
+  [frontends.frontend3]
+  backend = "backend2"
     [frontends.frontend3.routes.test_1]
     rule = "Path:/test1,/test2"
 ```
 
-### Rules Order
+#### Rules Order
 
 When combining `Modifier` rules with `Matcher` rules, it is important to remember that `Modifier` rules **ALWAYS** apply after the `Matcher` rules.  
 The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portion of the rule will apply first, and the `Modifier` will apply later.
@@ -210,7 +225,7 @@ The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portio
 5. `AddPrefix`
 6. `ReplacePath`
 
-### Priorities
+#### Priorities
 
 By default, routes will be sorted (in descending order) using rules length (to avoid path overlap):
 `PathPrefix:/12345` will be matched before `PathPrefix:/1234` that will be matched before `PathPrefix:/1`.
@@ -218,7 +233,7 @@ By default, routes will be sorted (in descending order) using rules length (to a
 You can customize priority by frontend:
 
 ```toml
-[frontends]
+  [frontends]
     [frontends.frontend1]
     backend = "backend1"
     priority = 10
@@ -235,7 +250,49 @@ You can customize priority by frontend:
 
 Here, `frontend1` will be matched before `frontend2` (`10 > 5`).
 
-## Backends
+#### Custom headers
+
+Custom headers can be configured through the frontends, to add headers to either requests or responses that match the frontend's rules. This allows for setting headers such as `X-Script-Name` to be added to the request, or custom headers to be added to the response:
+
+```toml
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.headers.customresponseheaders]
+    X-Custom-Response-Header = "True"
+    [frontends.frontend1.headers.customrequestheaders]
+    X-Script-Name = "test"
+    [frontends.frontend1.routes.test_1]
+    rule = "PathPrefixStrip:/cheese"
+```
+
+In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, and the `X-Custom-Response-Header` added to the response.
+
+#### Security headers
+
+Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above. This functionality allows for some easy security features to quickly be set. An example of some of the security headers:
+
+```toml
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.headers]
+    FrameDeny = true
+    [frontends.frontend1.routes.test_1]
+    rule = "PathPrefixStrip:/cheddar"
+  [frontends.frontend2]
+  backend = "backend2"
+    [frontends.frontend2.headers]
+    SSLRedirect = true
+    [frontends.frontend2.routes.test_1]
+    rule = "PathPrefixStrip:/stilton"
+```
+
+In this example, traffic routed through the first frontend will have the `X-Frame-Options` header set to `DENY`, and the second will only allow HTTPS request through, otherwise will return a 301 HTTPS redirect.
+
+The detailed documentation for those security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
+
+### Backends
 
 A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers.
 Various methods of load-balancing are supported:
@@ -296,8 +353,9 @@ A health check can be configured in order to remove a backend from LB rotation
 as long as it keeps returning HTTP status codes other than 200 OK to HTTP GET
 requests periodically carried out by Traefik. The check is defined by a path
 appended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how
-often the health check should be executed (the default being 30 seconds). Each
-backend must respond to the health check within 5 seconds.
+often the health check should be executed (the default being 30 seconds).
+Each backend must respond to the health check within 5 seconds.
+By default, the port of the backend server is used, however, this may be overridden.
 
 A recovering backend returning 200 OK responses again is being returned to the
 LB rotation pool.
@@ -311,9 +369,22 @@ For example:
     interval = "10s"
 ```
 
-## Servers
+To use a different port for the healthcheck:
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.healthcheck]
+    path = "/health"
+    interval = "10s"
+    port = 8080
+```
 
-Servers are simply defined using a `URL`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
+### Servers
+
+Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
+
+!!! note
+    Paths in `url` are ignored. Use `Modifier` to specify paths instead.
 
 Here is an example of backends and servers definition:
 
@@ -344,55 +415,57 @@ Here is an example of backends and servers definition:
 - `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2` using `drr` load-balancing strategy.
 - a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
 
-# Configuration
+
+## Configuration
 
 Træfik's configuration has two parts:
 
 - The [static Træfik configuration](/basics#static-trfk-configuration) which is loaded only at the beginning.
 - The [dynamic Træfik configuration](/basics#dynamic-trfk-configuration) which can be hot-reloaded (no need to restart the process).
 
-
-## Static Træfik configuration
+### Static Træfik configuration
 
 The static configuration is the global configuration which is setting up connections to configuration backends and entrypoints.
 
 Træfik can be configured using many configuration sources with the following precedence order.
 Each item takes precedence over the item below it:
 
-- [Key-value Store](/basics/#key-value-stores)
+- [Key-value store](/basics/#key-value-stores)
 - [Arguments](/basics/#arguments)
 - [Configuration file](/basics/#configuration-file)
 - Default
 
-It means that arguments override configuration file, and Key-value Store overrides arguments.
+It means that arguments override configuration file, and key-value store overrides arguments.
 
-### Configuration file
+Note that the provider-enabling argument parameters (e.g., `--docker`) set all default values for the specific provider. It must not be used if a configuration source with less precedence wants to set a non-default provider value.
+
+#### Configuration file
 
 By default, Træfik will try to find a `traefik.toml` in the following places:
 
 - `/etc/traefik/`
 - `$HOME/.traefik/`
-- `.` *the working directory*
+- `.` _the working directory_
 
 You can override this by setting a `configFile` argument:
 
 ```bash
-$ traefik --configFile=foo/bar/myconfigfile.toml
+traefik --configFile=foo/bar/myconfigfile.toml
 ```
 
-Please refer to the [global configuration](/toml/#global-configuration) section to get documentation on it.
+Please refer to the [global configuration](/configuration/commons) section to get documentation on it.
 
-### Arguments
+#### Arguments
 
 Each argument (and command) is described in the help section:
 
 ```bash
-$ traefik --help
+traefik --help
 ```
 
 Note that all default values will be displayed as well.
 
-### Key-value stores
+#### Key-value stores
 
 Træfik supports several Key-value stores:
 
@@ -403,7 +476,7 @@ Træfik supports several Key-value stores:
 
 Please refer to the [User Guide Key-value store configuration](/user-guide/kv-config/) section to get documentation on it.
 
-## Dynamic Træfik configuration
+### Dynamic Træfik configuration
 
 The dynamic configuration concerns :
 
@@ -411,32 +484,60 @@ The dynamic configuration concerns :
 - [Backends](/basics/#backends)
 - [Servers](/basics/#servers)
 
-Træfik can hot-reload those rules which could be provided by [multiple configuration backends](/toml/#configuration-backends).
+Træfik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons).
 
 We only need to enable `watch` option to make Træfik watch configuration backend changes and generate its configuration automatically.
 Routes to services will be created and updated instantly at any changes.
 
-Please refer to the [configuration backends](/toml/#configuration-backends) section to get documentation on it.
+Please refer to the [configuration backends](/configuration/commons) section to get documentation on it.
 
-# Commands
+## Commands
 
-Usage: `traefik [command] [--flag=flag_argument]`
+### traefik
 
-List of Træfik available commands with description :                                                             
+Usage:
+```bash
+traefik [command] [--flag=flag_argument]
+```
 
-- `version` : Print version 
+List of Træfik available commands with description :
+
+- `version` : Print version
 - `storeconfig` : Store the static traefik configuration into a Key-value stores. Please refer to the [Store Træfik configuration](/user-guide/kv-config/#store-trfk-configuration) section to get documentation on it.
+- `bug`: The easiest way to submit a pre-filled issue.
+- `healthcheck`: Calls traefik `/ping` to check health.
 
 Each command may have related flags.
 All those related flags will be displayed with :
 
 ```bash
-$ traefik [command] --help
+traefik [command] --help
 ```
 
 Note that each command is described at the beginning of the help section:
 
 ```bash
-$ traefik --help
+traefik --help
 ```
 
+### Command: bug
+
+Here is the easiest way to submit a pre-filled issue on [Træfik GitHub](https://github.com/containous/traefik).
+
+```bash
+traefik bug
+```
+
+See https://www.youtube.com/watch?v=Lyz62L8m93I.
+
+### Command: healthcheck
+
+This command allows to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` if it is unhealthy.
+This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
+
+Note: the `web` provider must be enabled to allow `/ping` calls by the `healthcheck` command.
+
+```bash
+$ traefik healthcheck
+OK: http://:8082/ping
+```

docs/configuration/acme.md

@@ -0,0 +1,114 @@
+## ACME (Let's Encrypt) configuration
+
+```toml
+# Sample entrypoint configuration when using ACME
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+# Enable ACME (Let's Encrypt): automatic SSL
+[acme]
+
+# Email address used for registration
+#
+# Required
+#
+email = "test@traefik.io"
+
+# File or key used for certificates storage.
+# WARNING, if you use Traefik in Docker, you have 2 options:
+#  - create a file on your host and mount it as a volume
+#      storageFile = "acme.json"
+#      $ docker run -v "/my/host/acme.json:acme.json" traefik
+#  - mount the folder containing the file as a volume
+#      storageFile = "/etc/traefik/acme/acme.json"
+#      $ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
+#
+# Required
+#
+storage = "acme.json" # or "traefik/acme/account" if using KV store
+
+# Entrypoint to proxy acme challenge/apply certificates to.
+# WARNING, must point to an entrypoint on port 443
+#
+# Required
+#
+entryPoint = "https"
+
+# Use a DNS based acme challenge rather than external HTTPS access, e.g. for a firewalled server
+# Select the provider that matches the DNS domain that will host the challenge TXT record,
+# and provide environment variables with access keys to enable setting it:
+#  - cloudflare: CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY
+#  - digitalocean: DO_AUTH_TOKEN
+#  - dnsimple: DNSIMPLE_EMAIL, DNSIMPLE_OAUTH_TOKEN
+#  - dnsmadeeasy: DNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET
+#  - exoscale: EXOSCALE_API_KEY, EXOSCALE_API_SECRET
+#  - gandi: GANDI_API_KEY
+#  - linode: LINODE_API_KEY
+#  - manual: none, but run traefik interactively & turn on acmeLogging to see instructions & press Enter
+#  - namecheap: NAMECHEAP_API_USER, NAMECHEAP_API_KEY
+#  - rfc2136: RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET, RFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER
+#  - route53: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, or configured user/instance IAM profile
+#  - dyn: DYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD
+#  - vultr: VULTR_API_KEY
+#  - ovh: OVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY
+#  - pdns: PDNS_API_KEY, PDNS_API_URL
+#
+# Optional
+#
+# dnsProvider = "digitalocean"
+
+# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify
+# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
+# Useful if internal networks block external DNS queries
+#
+# Optional
+#
+# delayDontCheckDNS = 0
+
+# If true, display debug log messages from the acme client library
+#
+# Optional
+#
+# acmeLogging = true
+
+# Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+# WARNING, TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+# WARNING, Take note that Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
+#
+# Optional
+#
+# onDemand = true
+
+# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
+# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
+#
+# Optional
+#
+# OnHostRule = true
+
+# CA server to use
+# Uncomment the line to run on the staging let's encrypt server
+# Leave comment to go to prod
+#
+# Optional
+#
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+
+# Domains list
+# You can provide SANs (alternative domains) to each main domain
+# All domains must have A/AAAA records pointing to Traefik
+# WARNING, Take note that Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
+# Each domain & SANs will lead to a certificate request.
+# [[acme.domains]]
+# main = "local1.com"
+# sans = ["test1.local1.com", "test2.local1.com"]
+# [[acme.domains]]
+# main = "local2.com"
+# sans = ["test1.local2.com", "test2.local2.com"]
+# [[acme.domains]]
+# main = "local3.com"
+# [[acme.domains]]
+# main = "local4.com"
+```

docs/configuration/backends/boltdb.md

@@ -0,0 +1,36 @@
+# BoltDB Backend
+
+Træfik can be configured to use BoltDB as a backend configuration:
+
+```toml
+################################################################
+# BoltDB configuration backend
+################################################################
+
+# Enable BoltDB configuration backend
+[boltdb]
+
+# BoltDB file
+#
+# Required
+#
+endpoint = "/my.db"
+
+# Enable watch BoltDB changes
+#
+# Optional
+#
+watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+prefix = "/traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+filename = "boltdb.tmpl"
+```

docs/configuration/backends/consul.md

@@ -0,0 +1,117 @@
+# Consul Backend
+
+## Consul Key-Value backend
+
+Træfik can be configured to use Consul as a backend configuration:
+
+```toml
+################################################################
+# Consul KV configuration backend
+################################################################
+
+# Enable Consul KV configuration backend
+[consul]
+
+# Consul server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:8500"
+
+# Enable watch Consul changes
+#
+# Optional
+#
+watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+prefix = "traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "consul.tmpl"
+
+# Enable consul TLS connection
+#
+# Optional
+#
+# [consul.tls]
+# ca = "/etc/ssl/ca.crt"
+# cert = "/etc/ssl/consul.crt"
+# key = "/etc/ssl/consul.key"
+# insecureskipverify = true
+```
+
+Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on traefik KV structure.
+
+## Consul catalog backend
+
+Træfik can be configured to use service discovery catalog of Consul as a backend configuration:
+
+```toml
+################################################################
+# Consul Catalog configuration backend
+################################################################
+
+# Enable Consul Catalog configuration backend
+[consulCatalog]
+
+# Consul server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:8500"
+
+# Default domain used.
+#
+# Optional
+#
+domain = "consul.localhost"
+
+# Expose Consul catalog services by default in traefik
+#
+# Optional
+#
+exposedByDefault = false
+
+# Prefix for Consul catalog tags
+#
+# Optional
+#
+prefix = "traefik"
+
+# Default frontEnd Rule for Consul services
+#
+# The format is a Go Template with:
+# - ".ServiceName", ".Domain" and ".Attributes" available
+# - "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
+# - "getAttribute(...)" function uses prefixed tag names based on "prefix" value
+#
+# Optional
+#
+#frontEndRule = "Host:{{.ServiceName}}.{{Domain}}"
+```
+
+This backend will create routes matching on hostname based on the service name used in consul.
+
+Additional settings can be defined using Consul Catalog tags:
+
+| Tag                                               | Description                                                                                                                                                                        |
+|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                   |
+| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                               |
+| `traefik.backend.weight=10`                       | Assign this weight to the container                                                                                                                                                |
+| `traefik.backend.circuitbreaker=EXPR`             | Create a [circuit breaker](/basics/#backends) to be used against the backend, ex: `NetworkErrorRatio() > 0.`                                                                       |
+| `traefik.backend.loadbalancer=drr`                | Override the default load balancing mode                                                                                                                                           |
+| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
+| `traefik.frontend.rule=Host:test.traefik.io`      | Override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}`).                                                                                                 |
+| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                       |
+| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                 |
+| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
+| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                   |

docs/configuration/backends/docker.md

@@ -0,0 +1,171 @@
+# Docker Backend
+
+Træfik can be configured to use Docker as a backend configuration.
+
+## Docker
+
+```toml
+################################################################
+# Docker configuration backend
+################################################################
+
+# Enable Docker configuration backend
+[docker]
+
+# Docker server endpoint. Can be a tcp or a unix socket endpoint.
+#
+# Required
+#
+endpoint = "unix:///var/run/docker.sock"
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on a container.
+#
+# Required
+#
+domain = "docker.localhost"
+
+# Enable watch docker changes
+#
+# Optional
+#
+watch = true
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "docker.tmpl"
+
+# Expose containers by default in traefik
+# If set to false, containers that don't have `traefik.enable=true` will be ignored
+#
+# Optional
+# Default: true
+#
+exposedbydefault = true
+
+# Use the IP address from the binded port instead of the inner network one. For specific use-case :)
+#
+# Optional
+# Default: false
+#
+usebindportip = true
+
+# Use Swarm Mode services as data provider
+#
+# Optional
+# Default: false
+#
+swarmmode = false
+
+# Enable docker TLS connection
+#
+# Optional
+#
+#  [docker.tls]
+#  ca = "/etc/ssl/ca.crt"
+#  cert = "/etc/ssl/docker.crt"
+#  key = "/etc/ssl/docker.key"
+#  insecureskipverify = true
+```
+
+## Docker Swarm Mode
+
+```toml
+################################################################
+# Docker Swarmmode configuration backend
+################################################################
+
+# Enable Docker configuration backend
+[docker]
+
+# Docker server endpoint. Can be a tcp or a unix socket endpoint.
+#
+# Required
+# Default: "unix:///var/run/docker.sock"
+#
+endpoint = "tcp://127.0.0.1:2375"
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on a services.
+#
+# Optional
+# Default: ""
+#
+domain = "docker.localhost"
+
+# Enable watch docker changes
+#
+# Optional
+#
+watch = true
+
+# Use Docker Swarm Mode as data provider
+swarmmode = true
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "docker.tmpl"
+
+# Expose services by default in traefik
+#
+# Optional
+# Default: true
+#
+exposedbydefault = false
+
+# Enable docker TLS connection
+#
+# Optional
+#
+#  [swarm.tls]
+#  ca = "/etc/ssl/ca.crt"
+#  cert = "/etc/ssl/docker.crt"
+#  key = "/etc/ssl/docker.key"
+#  insecureskipverify = true
+```
+
+## Labels can be used on containers to override default behaviour
+
+| Label                                             | Description                                                                                                                                                                                                                                                                                                                                                                                                                   |
+|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend=foo`                             | Give the name `foo` to the generated backend for this container.                                                                                                                                                                                                                                                                                                                                                              |
+| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                                                                                                                                                                                                                                                                          |
+| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.                                                                                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.method=drr`         | Override the default `wrr` load balancer algorithm                                                                                                                                                                                                                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.sticky=true`        | Enable backend sticky sessions                                                                                                                                                                                                                                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.swarm=true`         | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                                                                                                                                                                                                                           |
+| `traefik.backend.circuitbreaker.expression=EXPR`  | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                                                                                                                                                                                                                  |
+| `traefik.port=80`                                 | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                                                                                                                                                                                                                        |
+| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                                                                                                                                                                                                                                                                          |
+| `traefik.weight=10`                               | Assign this weight to the container                                                                                                                                                                                                                                                                                                                                                                                           |
+| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                                                                                                                                                                                                                                                              |
+| `traefik.frontend.rule=EXPR`                      | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                                                                                                                                                                                                                   |
+| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                                                                                                                                                                                                                                                                  |
+| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                                                                                                                                                                                                                                                            |
+| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                                                                                                                                                                                                                                       |
+| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                                                                                                                                                                                                                              |
+| `traefik.frontend.whitelistSourceRange:RANGE`     | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.                                                                                                                                                                                                           |
+| `traefik.docker.network`                          | Set the docker network to use for connections to this container. If a container is linked to several networks, be sure to set the proper network name (you can check with docker inspect <container_id>) otherwise it will randomly pick one (depending on how docker is returning them). For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name. |
+
+### Services labels can be used for overriding default behaviour
+
+| Label                                             | Description                                                                                      |
+|---------------------------------------------------|--------------------------------------------------------------------------------------------------|
+| `traefik.<service-name>.port=PORT`                | Overrides `traefik.port`. If several ports need to be exposed, the service labels could be used. |
+| `traefik.<service-name>.protocol`                 | Overrides `traefik.protocol`.                                                                    |
+| `traefik.<service-name>.weight`                   | Assign this service weight. Overrides `traefik.weight`.                                          |
+| `traefik.<service-name>.frontend.backend=BACKEND` | Assign this service frontend to `BACKEND`. Default is to assign to the service backend.          |
+| `traefik.<service-name>.frontend.entryPoints`     | Overrides `traefik.frontend.entrypoints`                                                         |
+| `traefik.<service-name>.frontend.auth.basic`      | Sets a Basic Auth for that frontend                                                              |
+| `traefik.<service-name>.frontend.passHostHeader`  | Overrides `traefik.frontend.passHostHeader`.                                                     |
+| `traefik.<service-name>.frontend.priority`        | Overrides `traefik.frontend.priority`.                                                           |
+| `traefik.<service-name>.frontend.rule`            | Overrides `traefik.frontend.rule`.                                                               |
+
+!!! warning
+    when running inside a container, Træfik will need network access through:
+
+    `docker network connect <network> <traefik-container>`

docs/configuration/backends/dynamodb.md

@@ -0,0 +1,63 @@
+# DynamoDB Backend
+
+Træfik can be configured to use Amazon DynamoDB as a backend configuration:
+
+```toml
+################################################################
+# DynamoDB configuration backend
+################################################################
+
+# Enable DynamoDB configuration backend
+[dynamodb]
+
+# DyanmoDB Table Name
+#
+# Optional
+#
+TableName = "traefik"
+
+# Enable watch DynamoDB changes
+#
+# Optional
+#
+Watch = true
+
+# Polling interval (in seconds)
+#
+# Optional
+#
+RefreshSeconds = 15
+
+# Region to use when connecting to AWS
+#
+# Required
+#
+Region = "us-west-1"
+
+# AccessKeyID to use when connecting to AWS
+#
+# Optional
+#
+AccessKeyID = "abc"
+
+# SecretAccessKey to use when connecting to AWS
+#
+# Optional
+#
+SecretAccessKey = "123"
+
+# Endpoint of local dynamodb instance for testing
+#
+# Optional
+#
+Endpoint = "http://localhost:8080"
+```
+
+Items in the `dynamodb` table must have three attributes:
+
+- `id` (string): The id is the primary key.
+- `name`(string): The name is used as the name of the frontend or backend.
+- `frontend` or `backend` (map): This attribute's structure matches exactly the structure of a Frontend or Backend type in traefik.  
+    See `types/types.go` for details.  
+    The presence or absence of this attribute determines its type.
+    So an item should never have both a `frontend` and a `backend` attribute.

docs/configuration/backends/ecs.md

@@ -0,0 +1,124 @@
+# ECS Backend
+
+Træfik can be configured to use Amazon ECS as a backend configuration:
+
+```toml
+################################################################
+# ECS configuration backend
+################################################################
+
+# Enable ECS configuration backend
+[ecs]
+
+# ECS Cluster Name
+#
+# DEPRECATED - Please use Clusters
+#
+Cluster = "default"
+
+# ECS Clusters Name
+#
+# Optional
+# Default: ["default"]
+#
+Clusters = ["default"]
+
+# Enable watch ECS changes
+#
+# Optional
+# Default: true
+#
+Watch = true
+
+# Enable auto discover ECS clusters
+#
+# Optional
+# Default: false
+#
+AutoDiscoverClusters = false
+
+# Polling interval (in seconds)
+#
+# Optional
+# Default: 15
+#
+RefreshSeconds = 15
+
+# Expose ECS services by default in traefik
+#
+# Optional
+# Default: true
+#
+ExposedByDefault = false
+
+# Region to use when connecting to AWS
+#
+# Optional
+#
+Region = "us-east-1"
+
+# AccessKeyID to use when connecting to AWS
+#
+# Optional
+#
+AccessKeyID = "abc"
+
+# SecretAccessKey to use when connecting to AWS
+#
+# Optional
+#
+SecretAccessKey = "123"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "ecs.tmpl"
+```
+
+Labels can be used on task containers to override default behaviour:
+
+| Label                                             | Description                                                                              |
+|---------------------------------------------------|------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                          | override the default `http` protocol                                                     |
+| `traefik.weight=10`                               | assign this weight to the container                                                      |
+| `traefik.enable=false`                            | disable this container in Træfik                                                         |
+| `traefik.backend.loadbalancer.method=drr`         | override the default `wrr` load balancer algorithm                                       |
+| `traefik.backend.loadbalancer.sticky=true`        | enable backend sticky sessions                                                           |
+| `traefik.frontend.rule=Host:test.traefik.io`      | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
+| `traefik.frontend.passHostHeader=true`            | forward client `Host` header to the backend.                                             |
+| `traefik.frontend.priority=10`                    | override default frontend priority                                                       |
+| `traefik.frontend.entryPoints=http,https`         | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
+| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`         |
+
+If `AccessKeyID`/`SecretAccessKey` is not given credentials will be resolved in the following order:
+
+- From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
+- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
+- EC2 instance role or ECS task role
+
+Træfik needs the following policy to read ECS information:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TraefikECSReadAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ecs:ListClusters",
+                "ecs:DescribeClusters",
+                "ecs:ListTasks",
+                "ecs:DescribeTasks",
+                "ecs:DescribeContainerInstances",
+                "ecs:DescribeTaskDefinition",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```

docs/configuration/backends/etcd.md

@@ -0,0 +1,55 @@
+# Etcd Backend
+
+Træfik can be configured to use Etcd as a backend configuration:
+
+```toml
+################################################################
+# Etcd configuration backend
+################################################################
+
+# Enable Etcd configuration backend
+[etcd]
+
+# Etcd server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:2379"
+
+# Enable watch Etcd changes
+#
+# Optional
+#
+watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+prefix = "/traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "etcd.tmpl"
+
+# Use etcd user/pass authentication
+#
+# Optional
+#
+# username = foo
+# password = bar
+
+# Enable etcd TLS connection
+#
+# Optional
+#
+# [etcd.tls]
+# ca = "/etc/ssl/ca.crt"
+# cert = "/etc/ssl/etcd.crt"
+# key = "/etc/ssl/etcd.key"
+# insecureskipverify = true
+```
+
+Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on traefik KV structure.

docs/configuration/backends/eureka.md

@@ -0,0 +1,31 @@
+# Eureka Backend
+
+Træfik can be configured to use Eureka as a backend configuration:
+
+```toml
+################################################################
+# Eureka configuration backend
+################################################################
+
+# Enable Eureka configuration backend
+[eureka]
+
+# Eureka server endpoint.
+# endpoint := "http://my.eureka.server/eureka"
+#
+# Required
+#
+endpoint = "http://my.eureka.server/eureka"
+
+# Override default configuration time between refresh
+#
+# Optional
+# default 30s
+delay = "1m"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "eureka.tmpl"
+```

docs/configuration/backends/file.md

@@ -0,0 +1,162 @@
+# File Backends
+
+Like any other reverse proxy, Træfik can be configured with a file. You have three choices:
+
+## Simple
+
+Add your configuration at the end of the global configuration file `traefik.toml`:
+
+```toml
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+
+[file]
+
+# rules
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+    expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.maxconn]
+    amount = 10
+    extractorfunc = "request.host"
+    [backends.backend2.LoadBalancer]
+    method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  priority = 10
+
+  # restrict access to this frontend to the specified list of IPv4/IPv6 CIDR Nets
+  # an unset or empty list allows all Source-IPs to access
+  # if one of the Net-Specifications are invalid, the whole list is invalid
+  # and allows all Source-IPs to access.
+  whitelistSourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
+
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+  rule = "Path:/test"
+```
+
+## Rules in a Separate File
+
+Put your rules in a separate file, for example `rules.toml`:
+
+```toml
+# traefik.toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+      entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+
+[file]
+filename = "rules.toml"
+```
+
+```toml
+# rules.toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+    expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.maxconn]
+    amount = 10
+    extractorfunc = "request.host"
+    [backends.backend2.LoadBalancer]
+    method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend2"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:test.localhost"
+  [frontends.frontend2]
+  backend = "backend1"
+  passHostHeader = true
+  priority = 10
+  entrypoints = ["https"] # overrides defaultEntryPoints
+    [frontends.frontend2.routes.test_1]
+    rule = "Host:{subdomain:[a-z]+}.localhost"
+  [frontends.frontend3]
+  entrypoints = ["http", "https"] # overrides defaultEntryPoints
+  backend = "backend2"
+  rule = "Path:/test"
+```
+
+## Multiple .toml Files
+
+You could have multiple `.toml` files in a directory:
+
+```toml
+[file]
+directory = "/path/to/config/"
+```
+
+If you want Træfik to watch file changes automatically, just add:
+
+```toml
+[file]
+watch = true
+```

docs/configuration/backends/kubernetes.md

@@ -0,0 +1,100 @@
+# Kubernetes Ingress Backend
+
+Træfik can be configured to use Kubernetes Ingress as a backend configuration:
+
+```toml
+################################################################
+# Kubernetes Ingress configuration backend
+################################################################
+# Enable Kubernetes Ingress configuration backend
+[kubernetes]
+
+# Kubernetes server endpoint
+#
+# When deployed as a replication controller in Kubernetes, Traefik will use
+# the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
+# to construct the endpoint.
+# Secure token will be found in /var/run/secrets/kubernetes.io/serviceaccount/token
+# and SSL CA cert in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+#
+# The endpoint may be given to override the environment variable values.
+#
+# When the environment variables are not found, Traefik will try to connect to
+# the Kubernetes API server with an external-cluster client. In this case, the
+# endpoint is required. Specifically, it may be set to the URL used by
+# `kubectl proxy` to connect to a Kubernetes cluster from localhost.
+#
+# Optional for in-cluster configuration, required otherwise
+# Default: empty
+#
+# endpoint = "http://localhost:8080"
+
+# Bearer token used for the Kubernetes client configuration.
+#
+# Optional
+# Default: empty
+#
+# token = "my token"
+
+# Path to the certificate authority file used for the Kubernetes client
+# configuration.
+#
+# Optional
+# Default: empty
+#
+# certAuthFilePath = "/my/ca.crt"
+
+# Array of namespaces to watch.
+#
+# Optional
+# Default: all namespaces (empty array).
+#
+# namespaces = ["default", "production"]
+
+# Ingress label selector to identify Ingress objects that should be processed.
+# See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors for details.
+#
+# Optional
+# Default: empty (process all Ingresses)
+#
+# labelselector = "A and not B"
+```
+
+Annotations can be used on containers to override default behaviour for the whole Ingress resource:
+
+- `traefik.frontend.rule.type: PathPrefixStrip`: override the default frontend rule type (Default: `PathPrefix`).
+- `traefik.frontend.priority: 3`: override the default frontend rule priority (Default: `len(Path)`).
+
+Annotations can be used on the Kubernetes service to override default behaviour:
+
+- `traefik.backend.loadbalancer.method=drr`: override the default `wrr` load balancer algorithm
+- `traefik.backend.loadbalancer.sticky=true`: enable backend sticky sessions
+
+You can find here an example [ingress](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml) and [replication controller](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik.yaml).
+
+Additionally, an annotation can be used on Kubernetes services to set the [circuit breaker expression](https://docs.traefik.io/basics/#backends) for a backend.
+
+- `traefik.backend.circuitbreaker: <expression>`: set the circuit breaker expression for the backend (Default: nil).
+
+As known from nginx when used as Kubernetes Ingress Controller, a List of IP-Ranges which are allowed to access can be configured by using an ingress annotation:
+
+- `ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"`
+
+An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.
+
+
+### Authentication
+
+Is possible to add additional authentication annotations in the Ingress rule.
+The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
+
+- `ingress.kubernetes.io/auth-type`: `basic`
+- `ingress.kubernetes.io/auth-secret`: contains the usernames and passwords with access to the paths defined in the Ingress Rule.
+
+The secret must be created in the same namespace as the Ingress rule.
+
+Limitations:
+
+- Basic authentication only.
+- Realm not configurable; only `traefik` default.
+- Secret must contain only single file.

docs/configuration/backends/marathon.md

@@ -0,0 +1,167 @@
+# Marathon Backend
+
+Træfik can be configured to use Marathon as a backend configuration:
+
+```toml
+################################################################
+# Mesos/Marathon configuration backend
+################################################################
+
+# Enable Marathon configuration backend
+[marathon]
+
+# Marathon server endpoint.
+# You can also specify multiple endpoint for Marathon:
+# endpoint := "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+#
+# Required
+#
+endpoint = "http://127.0.0.1:8080"
+
+# Enable watch Marathon changes
+#
+# Optional
+#
+watch = true
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on an application.
+#
+# Required
+#
+domain = "marathon.localhost"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "marathon.tmpl"
+
+# Expose Marathon apps by default in traefik
+#
+# Optional
+# Default: true
+#
+# exposedByDefault = true
+
+# Convert Marathon groups to subdomains
+# Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
+# with groupsAsSubDomains enabled: /foo/bar/myapp => myapp.bar.foo.{defaultDomain}
+#
+# Optional
+# Default: false
+#
+# groupsAsSubDomains = true
+
+# Enable compatibility with marathon-lb labels
+#
+# Optional
+# Default: false
+#
+# marathonLBCompatibility = true
+
+# Enable Marathon basic authentication
+#
+# Optional
+#
+#  [marathon.basic]
+#  httpBasicAuthUser = "foo"
+#  httpBasicPassword = "bar"
+
+# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
+#
+# Optional
+#
+# [marathon.TLS]
+# CA = "/etc/ssl/ca.crt"
+# Cert = "/etc/ssl/marathon.cert"
+# Key = "/etc/ssl/marathon.key"
+# InsecureSkipVerify = true
+
+# DCOSToken for DCOS environment, This will override the Authorization header
+#
+# Optional
+#
+# dcosToken = "xxxxxx"
+
+# Override DialerTimeout
+# Amount of time to allow the Marathon provider to wait to open a TCP connection
+# to a Marathon master.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming
+# seconds.
+#
+# Optional
+# Default: "60s"
+# dialerTimeout = "60s"
+
+# Set the TCP Keep Alive interval for the Marathon HTTP Client.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming
+# seconds.
+#
+# Optional
+# Default: "10s"
+#
+# keepAlive = "10s"
+
+# By default, a task's IP address (as returned by the Marathon API) is used as
+# backend server if an IP-per-task configuration can be found; otherwise, the
+# name of the host running the task is used.
+# The latter behavior can be enforced by enabling this switch.
+#
+# Optional
+# Default: false
+#
+# forceTaskHostname = false
+
+# Applications may define readiness checks which are probed by Marathon during
+# deployments periodically and the results exposed via the API. Enabling the
+# following parameter causes Traefik to filter out tasks whose readiness checks
+# have not succeeded.
+# Note that the checks are only valid at deployment times. See the Marathon
+# guide for details.
+#
+# Optional
+# Default: false
+#
+# respectReadinessChecks = false
+```
+
+Labels can be used on containers to override default behaviour:
+
+| Label                                                                 | Description                                                                                                                                                                        |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend=foo`                                                 | assign the application to `foo` backend                                                                                                                                            |
+| `traefik.backend.maxconn.amount=10`                                   | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.backend.maxconn.extractorfunc=client.ip`                     | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
+| `traefik.backend.loadbalancer.method=drr`                             | override the default `wrr` load balancer algorithm                                                                                                                                 |
+| `traefik.backend.loadbalancer.sticky=true`                            | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                       |
+| `traefik.backend.healthcheck.path=/health`                            | set the Traefik health check path [default: no health checks]                                                                                                                      |
+| `traefik.backend.healthcheck.interval=5s`                             | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s]                                                                                   |
+| `traefik.portIndex=1`                                                 | register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                       |
+| `traefik.port=80`                                                     | register the explicit application port value. Cannot be used alongside `traefik.portIndex`.                                                                                        |
+| `traefik.protocol=https`                                              | override the default `http` protocol                                                                                                                                               |
+| `traefik.weight=10`                                                   | assign this weight to the application                                                                                                                                              |
+| `traefik.enable=false`                                                | disable this application in Træfik                                                                                                                                                 |
+| `traefik.frontend.rule=Host:test.traefik.io`                          | override the default frontend rule (Default: `Host:{containerName}.{domain}`).                                                                                                     |
+| `traefik.frontend.passHostHeader=true`                                | forward client `Host` header to the backend.                                                                                                                                       |
+| `traefik.frontend.priority=10`                                        | override default frontend priority                                                                                                                                                 |
+| `traefik.frontend.entryPoints=http,https`                             | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
+| `traefik.frontend.auth.basic=EXPR`                                    | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.                                                                                                  |
+
+If several ports need to be exposed from a container, the services labels can be used:
+
+| Label                                                  | Description                                                                                          |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------|
+| `traefik.<service-name>.port=443`                      | create a service binding with frontend/backend using this port. Overrides `traefik.port`.            |
+| `traefik.<service-name>.portIndex=1`                   | create a service binding with frontend/backend using this port index. Overrides `traefik.portIndex`. |
+| `traefik.<service-name>.protocol=https`                | assign `https` protocol. Overrides `traefik.protocol`.                                               |
+| `traefik.<service-name>.weight=10`                     | assign this service weight. Overrides `traefik.weight`.                                              |
+| `traefik.<service-name>.frontend.backend=fooBackend`   | assign this service frontend to `foobackend`. Default is to assign to the service backend.           |
+| `traefik.<service-name>.frontend.entryPoints=http`     | assign this service entrypoints. Overrides `traefik.frontend.entrypoints`.                           |
+| `traefik.<service-name>.frontend.auth.basic=test:EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                     |
+| `traefik.<service-name>.frontend.passHostHeader=true`  | Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader`.            |
+| `traefik.<service-name>.frontend.priority=10`          | assign the service frontend priority. Overrides `traefik.frontend.priority`.                         |
+| `traefik.<service-name>.frontend.rule=Path:/foo`       | assign the service frontend rule. Overrides `traefik.frontend.rule`.                                 |

docs/configuration/backends/mesos.md

@@ -0,0 +1,81 @@
+# Mesos Generic Backend
+
+Træfik can be configured to use Mesos as a backend configuration:
+
+```toml
+################################################################
+# Mesos configuration backend
+################################################################
+
+# Enable Mesos configuration backend
+[mesos]
+
+# Mesos server endpoint.
+# You can also specify multiple endpoint for Mesos:
+# endpoint = "192.168.35.40:5050,192.168.35.41:5050,192.168.35.42:5050"
+# endpoint = "zk://192.168.35.20:2181,192.168.35.21:2181,192.168.35.22:2181/mesos"
+#
+# Required
+#
+endpoint = "http://127.0.0.1:8080"
+
+# Enable watch Mesos changes
+#
+# Optional
+#
+watch = true
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on an application.
+#
+# Required
+#
+domain = "mesos.localhost"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "mesos.tmpl"
+
+# Expose Mesos apps by default in traefik
+#
+# Optional
+# Default: false
+#
+# ExposedByDefault = true
+
+# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
+#
+# Optional
+#
+# [mesos.TLS]
+# InsecureSkipVerify = true
+
+# Zookeeper timeout (in seconds)
+#
+# Optional
+# Default: 30
+#
+# ZkDetectionTimeout = 30
+
+# Polling interval (in seconds)
+#
+# Optional
+# Default: 30
+#
+# RefreshSeconds = 30
+
+# IP sources (e.g. host, docker, mesos, rkt)
+#
+# Optional
+#
+# IPSources = "host"
+
+# HTTP Timeout (in seconds)
+#
+# Optional
+# Default: 30
+#
+# StateTimeoutSecond = "30"
+```

docs/configuration/backends/rancher.md

@@ -0,0 +1,121 @@
+# Rancher Backend
+
+Træfik can be configured to use Rancher as a backend configuration:
+
+```toml
+################################################################
+# Rancher configuration backend
+################################################################
+
+# Enable Rancher configuration backend
+[rancher]
+
+# Default domain used.
+# Can be overridden by setting the "traefik.domain" label on an service.
+#
+# Required
+#
+domain = "rancher.localhost"
+
+# Enable watch Rancher changes
+#
+# Optional
+# Default: true
+#
+watch = true
+
+# Polling interval (in seconds)
+#
+# Optional
+#
+refreshSeconds = 15
+
+# Expose Rancher services by default in traefik
+#
+# Optional
+# Default: true
+#
+exposedByDefault = false
+
+# Filter services with unhealthy states and inactive states
+#
+# Optional
+# Default: false
+#
+enableServiceHealthFilter = true
+```
+
+## Rancher Metadata Service
+
+```toml
+# Enable Rancher metadata service configuration backend instead of the API
+# configuration backend
+#
+# Optional
+# Default: false
+#
+[rancher.metadata]
+
+# Poll the Rancher metadata service for changes every `rancher.RefreshSeconds`
+# NOTE: this is less accurate than the default long polling technique which
+# will provide near instantaneous updates to Traefik
+#
+# Optional
+# Default: false
+#
+intervalPoll = true
+
+# Prefix used for accessing the Rancher metadata service
+#
+# Optional
+# Default: "/latest"
+#
+prefix = "/2016-07-29"
+```
+
+## Rancher API
+
+```toml
+# Enable Rancher API configuration backend
+#
+# Optional
+# Default: true
+#
+[rancher.api]
+
+# Endpoint to use when connecting to the Rancher API
+#
+# Required
+endpoint = "http://rancherserver.example.com/v1"
+
+# AccessKey to use when connecting to the Rancher API
+#
+# Required
+accessKey = "XXXXXXXXXXXXXXXXXXXX"
+
+# SecretKey to use when connecting to the Rancher API
+#
+# Required
+secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+```
+
+!!! note
+    If Traefik needs access to the Rancher API, you need to set the `endpoint`, `accesskey` and `secretkey` parameters.
+
+    To enable traefik to fetch information about the Environment it's deployed in only, you need to create an `Environment API Key`.
+    This can be found within the API Key advanced options.
+
+## Labels
+
+Labels can be used on task containers to override default behaviour:
+
+| Label                                        | Description                                                                              |
+|----------------------------------------------|------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                     | override the default `http` protocol                                                     |
+| `traefik.weight=10`                          | assign this weight to the container                                                      |
+| `traefik.enable=false`                       | disable this container in Træfik                                                         |
+| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
+| `traefik.frontend.passHostHeader=true`       | forward client `Host` header to the backend.                                             |
+| `traefik.frontend.priority=10`               | override default frontend priority                                                       |
+| `traefik.frontend.entryPoints=http,https`    | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
+| `traefik.frontend.auth.basic=EXPR`           | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.        |

docs/configuration/backends/web.md

@@ -0,0 +1,272 @@
+# Web Backend
+
+Træfik can be configured:
+
+- using a RESTful api.
+- to use a metric system (like Prometheus, DataDog or StatD, ...).
+- to expose a Web Dashboard.
+
+## Configuration
+
+```toml
+[web]
+
+# Web administration port
+#
+# Required
+#
+address = ":8080"
+
+# SSL certificate and key used
+#
+# Optional
+#
+# CertFile = "traefik.crt"
+# KeyFile = "traefik.key"
+
+# Set REST API to read-only mode
+#
+# Optional
+# ReadOnly = false
+
+# Enable more detailed statistics
+# [web.statistics]
+#   RecentErrors = 10
+```
+
+## Web UI
+
+![Web UI Providers](/img/web.frontend.png)
+
+![Web UI Health](/img/traefik-health.png)
+
+### Authentication
+
+- Basic Authentication
+
+Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones.
+
+Users can be specified directly in the toml file, or indirectly by referencing an external file;
+ if both are provided, the two are merged, with external file contents having precedence.
+
+```toml
+# To enable basic auth on the webui with 2 user/pass: test:test and test2:test2
+  [web.auth.basic]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+    usersFile = "/path/to/.htpasswd"
+```
+
+- Digest Authentication
+
+You can use `htdigest` to generate those ones.
+
+Users can be specified directly in the toml file, or indirectly by referencing an external file;
+ if both are provided, the two are merged, with external file contents having precedence
+
+```toml
+# To enable digest auth on the webui with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
+  [web.auth.digest]
+    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+    usersFile = "/path/to/.htdigest"
+```
+
+
+## Metrics
+
+You can enable Traefik to export internal metrics to different monitoring systems.
+
+- Prometheus
+
+```toml
+# To enable Traefik to export internal metrics to Prometheus
+[web.metrics.prometheus]
+  Buckets=[0.1,0.3,1.2,5.0]
+```
+
+- DataDog
+
+```toml
+# DataDog metrics exporter type
+[web.metrics.datadog]
+  Address = "localhost:8125"
+  Pushinterval = "10s"
+```
+
+- StatsD
+
+```toml
+# StatsD metrics exporter type
+[web.metrics.statsd]
+  Address = "localhost:8125"
+  Pushinterval = "10s"
+```
+
+## API
+
+| Path                                                            |     Method    | Description                                                                                        |
+|-----------------------------------------------------------------|:-------------:|----------------------------------------------------------------------------------------------------|
+| `/`                                                             |     `GET`     | Provides a simple HTML frontend of Træfik                                                          |
+| `/ping`                                                         | `GET`, `HEAD` | A simple endpoint to check for Træfik process liveness. Return a code `200` with the content: `OK` |
+| `/health`                                                       |     `GET`     | json health metrics                                                                                |
+| `/api`                                                          |     `GET`     | Configuration for all providers                                                                    |
+| `/api/providers`                                                |     `GET`     | Providers                                                                                          |
+| `/api/providers/{provider}`                                     |  `GET`, `PUT` | Get or update provider                                                                             |
+| `/api/providers/{provider}/backends`                            |     `GET`     | List backends                                                                                      |
+| `/api/providers/{provider}/backends/{backend}`                  |     `GET`     | Get backend                                                                                        |
+| `/api/providers/{provider}/backends/{backend}/servers`          |     `GET`     | List servers in backend                                                                            |
+| `/api/providers/{provider}/backends/{backend}/servers/{server}` |     `GET`     | Get a server in a backend                                                                          |
+| `/api/providers/{provider}/frontends`                           |     `GET`     | List frontends                                                                                     |
+| `/api/providers/{provider}/frontends/{frontend}`                |     `GET`     | Get a frontend                                                                                     |
+| `/api/providers/{provider}/frontends/{frontend}/routes`         |     `GET`     | List routes in a frontend                                                                          |
+| `/api/providers/{provider}/frontends/{frontend}/routes/{route}` |     `GET`     | Get a route in a frontend                                                                          |
+| `/metrics`                                                      |     `GET`     | Export internal metrics                                                                            |
+
+### Example
+
+#### Ping
+
+```shell
+$ curl -sv "http://localhost:8080/ping"
+```
+```shell
+*   Trying ::1...
+* Connected to localhost (::1) port 8080 (#0)
+> GET /ping HTTP/1.1
+> Host: localhost:8080
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< Date: Thu, 25 Aug 2016 01:35:36 GMT
+< Content-Length: 2
+< Content-Type: text/plain; charset=utf-8
+<
+* Connection #0 to host localhost left intact
+OK
+```
+
+#### Health
+
+```shell
+$ curl -s "http://localhost:8080/health" | jq .
+```
+```json
+{
+  // Træfik PID
+  "pid": 2458,
+  // Træfik server uptime (formated time)
+  "uptime": "39m6.885931127s",
+  //  Træfik server uptime in seconds
+  "uptime_sec": 2346.885931127,
+  // current server date
+  "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
+  // current server date in seconds
+  "unixtime": 1444235544,
+  // count HTTP response status code in realtime
+  "status_code_count": {
+    "502": 1
+  },
+  // count HTTP response status code since Træfik started
+  "total_status_code_count": {
+    "200": 7,
+    "404": 21,
+    "502": 13
+  },
+  // count HTTP response
+  "count": 1,
+  // count HTTP response
+  "total_count": 41,
+  // sum of all response time (formated time)
+  "total_response_time": "35.456865605s",
+  // sum of all response time in seconds
+  "total_response_time_sec": 35.456865605,
+  // average response time (formated time)
+  "average_response_time": "864.8016ms",
+  // average response time in seconds
+  "average_response_time_sec": 0.8648016000000001,
+
+  // request statistics [requires --web.statistics to be set]
+  // ten most recent requests with 4xx and 5xx status codes
+  "recent_errors": [
+    {
+      // status code
+      "status_code": 500,
+      // description of status code
+      "status": "Internal Server Error",
+      // request HTTP method
+      "method": "GET",
+      // request hostname
+      "host": "localhost",
+      // request path
+      "path": "/path",
+      // RFC 3339 formatted date/time
+      "time": "2016-10-21T16:59:15.418495872-07:00"
+    }
+  ]
+}
+```
+
+#### Provider configurations
+
+```shell
+$ curl -s "http://localhost:8080/api" | jq .
+```
+```json
+{
+  "file": {
+    "frontends": {
+      "frontend2": {
+        "routes": {
+          "test_2": {
+            "rule": "Path:/test"
+          }
+        },
+        "backend": "backend1"
+      },
+      "frontend1": {
+        "routes": {
+          "test_1": {
+            "rule": "Host:test.localhost"
+          }
+        },
+        "backend": "backend2"
+      }
+    },
+    "backends": {
+      "backend2": {
+        "loadBalancer": {
+          "method": "drr"
+        },
+        "servers": {
+          "server2": {
+            "weight": 2,
+            "URL": "http://172.17.0.5:80"
+          },
+          "server1": {
+            "weight": 1,
+            "url": "http://172.17.0.4:80"
+          }
+        }
+      },
+      "backend1": {
+        "loadBalancer": {
+          "method": "wrr"
+        },
+        "circuitBreaker": {
+          "expression": "NetworkErrorRatio() > 0.5"
+        },
+        "servers": {
+          "server2": {
+            "weight": 1,
+            "url": "http://172.17.0.3:80"
+          },
+          "server1": {
+            "weight": 10,
+            "url": "http://172.17.0.2:80"
+          }
+        }
+      }
+    }
+  }
+}
+```

docs/configuration/backends/zookeeper.md

@@ -0,0 +1,38 @@
+# Zookeeper Backend
+
+Træfik can be configured to use Zookeeper as a backend configuration:
+
+```toml
+################################################################
+# Zookeeper configuration backend
+################################################################
+
+# Enable Zookeeperconfiguration backend
+[zookeeper]
+
+# Zookeeper server endpoint
+#
+# Required
+#
+endpoint = "127.0.0.1:2181"
+
+# Enable watch Zookeeper changes
+#
+# Optional
+#
+watch = true
+
+# Prefix used for KV store.
+#
+# Optional
+#
+prefix = "traefik"
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+#
+# filename = "zookeeper.tmpl"
+```
+
+Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on traefik KV structure.

docs/configuration/commons.md

@@ -0,0 +1,409 @@
+# Global Configuration
+
+## Main Section
+
+```toml
+# Duration to give active requests a chance to finish before Traefik stops.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+# If no units are provided, the value is parsed assuming seconds.
+# Note: in this time frame no new requests are accepted.
+#
+# Optional
+# Default: "10s"
+#
+# graceTimeOut = "10s"
+
+# Enable debug mode
+#
+# Optional
+# Default: false
+#
+# debug = true
+
+# Periodically check if a new version has been released
+#
+# Optional
+# Default: true
+#
+# checkNewVersion = false
+
+# Backends throttle duration: minimum duration in seconds between 2 events from providers
+# before applying a new configuration. It avoids unnecessary reloads if multiples events
+# are sent in a short amount of time.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming
+# seconds.
+#
+# Optional
+# Default: "2s"
+#
+# ProvidersThrottleDuration = "2s"
+
+# Controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost
+# from the Go standard library net/http module is used.
+# If you encounter 'too many open files' errors, you can either increase this
+# value or change the `ulimit`.
+#
+# Optional
+# Default: 200
+#
+# MaxIdleConnsPerHost = 200
+
+# If set to true invalid SSL certificates are accepted for backends.
+# Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
+#
+# Optional
+# Default: false
+#
+# InsecureSkipVerify = true
+
+# Register Certificates in the RootCA. This certificates will be use for backends calls.
+# Note: You can use file path or cert content directly
+# Optional
+# Default: []
+#
+# RootCAs = [ "/mycert.cert" ]
+
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+# defaultEntryPoints = ["http", "https"]
+```
+
+
+## Constraints
+
+In a micro-service architecture, with a central service discovery, setting constraints limits Træfik scope to a smaller number of routes.
+
+Træfik filters services according to service attributes/tags set in your configuration backends.
+
+Supported backends:
+
+- Docker
+- Consul K/V
+- BoltDB
+- Zookeeper
+- Etcd
+- Consul Catalog
+- Rancher
+- Marathon
+- Kubernetes (using a provider-specific mechanism based on label selectors)
+
+Supported filters:
+
+- `tag`
+
+### Simple
+
+```toml
+# Simple matching constraint
+constraints = ["tag==api"]
+
+# Simple mismatching constraint
+constraints = ["tag!=api"]
+
+# Globbing
+constraints = ["tag==us-*"]
+```
+
+### Multiple
+
+```toml
+# Multiple constraints
+#   - "tag==" must match with at least one tag
+#   - "tag!=" must match with none of tags
+constraints = ["tag!=us-*", "tag!=asia-*"]
+```
+
+### Backend-specific
+
+```toml
+# Backend-specific constraint
+[consulCatalog]
+endpoint = "127.0.0.1:8500"
+constraints = ["tag==api"]
+
+[marathon]
+endpoint = "127.0.0.1:8800"
+constraints = ["tag==api", "tag!=v*-beta"]
+```
+
+
+## Logs Definition
+
+### Traefik logs
+
+```toml
+# Traefik logs file
+# If not defined, logs to stdout
+traefikLogsFile = "log/traefik.log"
+
+# Log level
+#
+# Optional
+# Default: "ERROR"
+#
+# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
+# Messages at and above the selected level will be logged.
+#
+logLevel = "ERROR"
+```
+
+### Access Logs
+
+Access logs are written when `[accessLog]` is defined.
+By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
+
+To enable access logs using the default settings just add the `[accessLog]` entry.
+```toml
+[accessLog]
+```
+
+To write the logs into a logfile specify the `filePath`.
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+```
+
+To write JSON format logs, specify `json` as the format:
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+format = "json"
+```
+
+Deprecated way (before 1.4):
+```toml
+# Access logs file
+#
+# DEPRECATED - see [accessLog] lower down
+#
+accessLogsFile = "log/access.log"
+```
+
+### Log Rotation
+
+Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
+This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+
+!!! note
+    that this does not work on Windows due to the lack of USR signals.
+
+
+## Custom Error pages
+
+Custom error pages can be returned, in lieu of the default, according to frontend-configured ranges of HTTP Status codes.
+In the example below, if a 503 status is returned from the frontend "website", the custom error page at http://2.3.4.5/503.html is returned with the actual status code set in the HTTP header.
+Note, the `503.html` page itself is not hosted on traefik, but some other infrastructure.
+
+```toml
+[frontends]
+  [frontends.website]
+  backend = "website"
+  [frontends.website.errors]
+    [frontends.website.errors.network]
+    status = ["500-599"]
+    backend = "error"
+    query = "/{status}.html"
+  [frontends.website.routes.website]
+  rule = "Host: website.mydomain.com"
+
+[backends]
+  [backends.website]
+    [backends.website.servers.website]
+    url = "https://1.2.3.4"
+  [backends.error]
+    [backends.error.servers.error]
+    url = "http://2.3.4.5"
+```
+
+In the above example, the error page rendered was based on the status code.
+Instead, the query parameter can also be set to some generic error page like so: `query = "/500s.html"`
+
+Now the `500s.html` error page is returned for the configured code range.
+The configured status code ranges are inclusive; that is, in the above example, the `500s.html` page will be returned for status codes `500` through, and including, `599`.
+
+
+## Retry Configuration
+
+```toml
+# Enable retry sending request if network error
+[retry]
+
+# Number of attempts
+#
+# Optional
+# Default: (number servers in backend) -1
+#
+# attempts = 3
+```
+
+
+## Health Check Configuration
+
+```toml
+# Enable custom health check options.
+[healthcheck]
+
+# Set the default health check interval. Will only be effective if health check
+# paths are defined. Given provider-specific support, the value may be
+# overridden on a per-backend basis.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming
+# seconds.
+#
+# Optional
+# Default: "30s"
+#
+# interval = "30s"
+```
+
+
+## Timeouts
+
+### Responding Timeouts
+
+`respondingTimeouts` are timeouts for incoming requests to the Traefik instance.
+
+```toml
+[respondingTimeouts]
+
+# readTimeout is the maximum duration for reading the entire request, including the body.
+# If zero, no timeout exists.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "0s"
+#
+# readTimeout = "5s"
+
+# writeTimeout is the maximum duration before timing out writes of the response. It covers the time from the end of
+# the request header read to the end of the response write.
+# If zero, no timeout exists.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "0s"
+#
+# writeTimeout = "5s"
+
+# idleTimeout is the maximum duration an idle (keep-alive) connection will remain idle before closing itself.
+# If zero, no timeout exists.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "180s"
+#
+# idleTimeout = "360s"
+```
+
+### Forwarding Timeouts
+
+`forwardingTimeouts` are timeouts for requests forwarded to the backend servers.
+
+```toml
+[forwardingTimeouts]
+
+# dialTimeout is the amount of time to wait until a connection to a backend server can be established.
+# If zero, no timeout exists.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "30s"
+#
+# dialTimeout = "30s"
+
+# responseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
+# If zero, no timeout exists.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits). If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "0s"
+#
+# responseHeaderTimeout = "0s"
+```
+
+### Idle Timeout (deprecated)
+
+Use [respondingTimeouts](/configuration/commons/#responding-timeouts) instead of `IdleTimeout`.
+In the case both settings are configured, the deprecated option will be overwritten.
+
+`IdleTimeout` is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
+This is set to enforce closing of stale client connections.
+
+Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+If no units are provided, the value is parsed assuming seconds.
+
+```toml
+# IdleTimeout
+#
+# DEPRECATED - see [respondingTimeouts] section.
+#
+# Optional
+# Default: "180s"
+#
+IdleTimeout = "360s"
+```
+
+
+## Override Default Configuration Template
+
+!!! warning
+    For advanced users only.
+
+Supported by all backends except: File backend, Web backend and DynamoDB backend.
+
+```toml
+[backend_name]
+
+# Override default configuration template. For advanced users :)
+#
+# Optional
+# Default: ""
+#
+filename = "custom_config_template.tpml"
+
+# Enable debug logging of generated configuration template.
+#
+# Optional
+# Default: false
+#
+debugLogGeneratedTemplate = true
+```
+
+Example:
+
+```toml
+[marathon]
+filename = "my_custom_config_template.tpml"
+```
+
+The template files can be written using functions provided by:
+
+- [go template](https://golang.org/pkg/text/template/)
+- [sprig library](https://masterminds.github.io/sprig/)
+
+Example:
+
+```tmpl
+[backends]
+  [backends.backend1]
+  url = "http://firstserver"
+  [backends.backend2]
+  url = "http://secondserver"
+
+{{$frontends := dict "frontend1" "backend1" "frontend2" "backend2"}}
+[frontends]
+{{range $frontend, $backend := $frontends}}
+  [frontends.{{$frontend}}]
+  backend = "{{$backend}}"
+{{end}}
+```

docs/configuration/entrypoints.md

@@ -0,0 +1,162 @@
+# Entry Points Definition
+
+```toml
+# Entrypoints definition
+#
+# Default:
+# [entryPoints]
+#   [entryPoints.http]
+#   address = ":80"
+#
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+```
+
+## Redirect HTTP to HTTPS
+
+To redirect an http entrypoint to an https entrypoint (with SNI support).
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+## Rewriting URL
+
+To redirect an entrypoint rewriting the URL.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    regex = "^http://localhost/(.*)"
+    replacement = "http://mydomain/$1"
+```
+
+## TLS Mutual Authentication
+
+Only accept clients that present a certificate signed by a specified Certificate Authority (CA).
+`ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
+The `CA:s` has to be in PEM format.
+
+All clients will be required to present a valid cert.
+The requirement will apply to all server certs in the entrypoint.
+
+In the example below both `snitest.com` and `snitest.org` will require client certs
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+  [entryPoints.https.tls]
+  ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+    [[entryPoints.https.tls.certificates]]
+    CertFile = "integration/fixtures/https/snitest.com.cert"
+    KeyFile = "integration/fixtures/https/snitest.com.key"
+    [[entryPoints.https.tls.certificates]]
+    CertFile = "integration/fixtures/https/snitest.org.cert"
+    KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+
+## Authentication
+
+### Basic Authentication
+
+Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones.
+
+Users can be specified directly in the toml file, or indirectly by referencing an external file;
+ if both are provided, the two are merged, with external file contents having precedence.
+
+```toml
+# To enable basic auth on an entrypoint with 2 user/pass: test:test and test2:test2
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth.basic]
+  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+  usersFile = "/path/to/.htpasswd"
+```
+
+### Digest Authentication
+
+You can use `htdigest` to generate those ones.
+
+Users can be specified directly in the toml file, or indirectly by referencing an external file;
+ if both are provided, the two are merged, with external file contents having precedence
+
+```toml
+# To enable digest auth on an entrypoint with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth.basic]
+  users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+  usersFile = "/path/to/.htdigest"
+```
+
+## Specify Minimum TLS Version
+
+To specify an https entrypoint with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls).
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+    MinVersion = "VersionTLS12"
+    CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.com.cert"
+      KeyFile = "integration/fixtures/https/snitest.com.key"
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "integration/fixtures/https/snitest.org.cert"
+      KeyFile = "integration/fixtures/https/snitest.org.key"
+```
+
+## Compression
+
+To enable compression support using gzip format.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  compress = true
+```
+
+## Whitelisting
+
+To enable IP whitelisting at the entrypoint level.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  whiteListSourceRange = ["127.0.0.1/32"]
+```
+
+## ProxyProtocol Support
+
+To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  proxyprotocol = true
+```

docs/css/traefik.css

@@ -1,61 +0,0 @@
-a {
-    color: #37ABC8;
-    text-decoration: none;
-}
-
-a:hover, a:focus {
-    color: #25606F;
-    text-decoration: underline;
-}
-
-h1, h2, h3, H4 {
-    color: #37ABC8;
-}
-
-.navbar-default {
-    background-color: #37ABC8;
-    border-color: #25606F;
-}
-
-.navbar-default .navbar-nav>.active>a, .navbar-default .navbar-nav>.active>a:hover, .navbar-default .navbar-nav>.active>a:focus {
-    color: #fff;
-    background-color: #25606F;
-}
-
-.navbar-default .navbar-nav>li>a:hover, .navbar-default .navbar-nav>li>a:focus {
-    color: #fff;
-    background-color: #25606F;
-}
-
-.navbar-default .navbar-toggle {
-    border-color: #25606F;
-}
-
-.navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus .navbar-toggle {
-    background-color: #25606F;
-}
-.navbar-default .navbar-collapse, .navbar-default .navbar-form {
-    border-color: #25606F;
-}
-
-blockquote p {
-    font-size: 14px;
-}
-
-.navbar-default .navbar-nav>.open>a, .navbar-default .navbar-nav>.open>a:hover, .navbar-default .navbar-nav>.open>a:focus {
-    color: #fff;
-    background-color: #25606F;
-}
-
-.dropdown-menu>li>a:hover, .dropdown-menu>li>a:focus {
-    color: #fff;
-    text-decoration: none;
-    background-color: #25606F;
-}
-
-.dropdown-menu>.active>a, .dropdown-menu>.active>a:hover, .dropdown-menu>.active>a:focus {
-    color: #fff;
-    text-decoration: none;
-    background-color: #25606F;
-    outline: 0;
-}

docs/index.md

@@ -2,16 +2,16 @@
 <img src="img/traefik.logo.png" alt="Træfik" title="Træfik" />
 </p>
 
-[![Build Status](https://travis-ci.org/containous/traefik.svg?branch=master)](https://travis-ci.org/containous/traefik)
+[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/kubernetes/helm)](http://goreportcard.com/report/containous/traefik)
+[![Go Report Card](https://goreportcard.com/badge/kubernetes/helm)](https://goreportcard.com/report/containous/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
 [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 
 Træfik (pronounced like [traffic](https://speak-ipa.bearbin.net/speak.cgi?speak=%CB%88tr%C3%A6f%C9%AAk)) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker](https://www.docker.com/), [Swarm](https://docs.docker.com/swarm), [Mesos/Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Zookeeper](https://zookeeper.apache.org), [BoltDB](https://github.com/boltdb/bolt), [Amazon ECS](https://aws.amazon.com/ecs/), [Amazon DynamoDB](https://aws.amazon.com/dynamodb/), Rest API, file...) to manage its configuration automatically and dynamically.
+It supports several backends ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), and a lot more) to manage its configuration automatically and dynamically.
 
 ## Overview
 
@@ -35,20 +35,50 @@ Routes to your services will be created instantly.
 
 Run it and forget it!
 
+## Features
+
+- [It's fast](https://docs.traefik.io/benchmarks)
+- No dependency hell, single binary made with go
+- [Tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) official docker image
+- Rest API
+- Hot-reloading of configuration. No need to restart the process
+- Circuit breakers, retry
+- Round Robin, rebalancer load-balancers
+- Metrics (Rest, Prometheus, Datadog, Statd)
+- Clean AngularJS Web UI
+- Websocket, HTTP/2, GRPC ready
+- Access Logs (JSON, CLF)
+- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS with renewal)
+- High Availability with cluster mode
+
+
+## Supported backends
+
+- [Docker](https://www.docker.com/) / [Swarm mode](https://docs.docker.com/engine/swarm/)
+- [Kubernetes](https://kubernetes.io)
+- [Mesos](https://github.com/apache/mesos) / [Marathon](https://mesosphere.github.io/marathon/)
+- [Rancher](https://rancher.com) (API, Metadata)
+- [Consul](https://www.consul.io/) / [Etcd](https://coreos.com/etcd/) / [Zookeeper](https://zookeeper.apache.org) / [BoltDB](https://github.com/boltdb/bolt)
+- [Eureka](https://github.com/Netflix/eureka)
+- [Amazon ECS](https://aws.amazon.com/ecs)
+- [Amazon DynamoDB](https://aws.amazon.com/dynamodb)
+- File
+- Rest API
+
 
 ## Quickstart
 
 You can have a quick look at Træfik in this [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers.
 
-Here is a talk given by [Ed Robinson](https://github.com/errm) at the [ContainerCamp UK](https://container.camp) conference.
+Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at [GopherCon 2017](https://gophercon.com).
+You will learn Træfik basics in less than 10 minutes.
+
+[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
+
+Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
 You will learn fundamental Træfik features and see some demos with Kubernetes.
 
-[![Traefik ContainerCamp UK](http://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
-
-Here is a talk (in French) given by [Emile Vauge](https://github.com/emilevauge) at the [Devoxx France 2016](http://www.devoxx.fr) conference. 
-You will learn fundamental Træfik features and see some demos with Docker, Mesos/Marathon and Let's Encrypt. 
-
-[![Traefik Devoxx France](http://img.youtube.com/vi/QvAz9mVx5TI/0.jpg)](http://www.youtube.com/watch?v=QvAz9mVx5TI)
+[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
 
 ## Get it
 
@@ -95,9 +125,11 @@ networks:
 
 Start it from within the `traefik` folder:
 
-    docker-compose up -d
+```shell
+docker-compose up -d
+```
 
-In a browser you may open `http://localhost:8080` to access Træfik's dashboard and observe the following magic.
+In a browser you may open [http://localhost:8080](http://localhost:8080) to access Træfik's dashboard and observe the following magic.
 
 Now, create a folder named `test` and create a `docker-compose.yml` in it with this content:
 
@@ -129,7 +161,10 @@ docker-compose scale whoami=2
 Finally, test load-balancing between the two services `test_whoami_1` and `test_whoami_2`:
 
 ```shell
-$ curl -H Host:whoami.docker.localhost http://127.0.0.1
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+```yaml
 Hostname: ef194d07634a
 IP: 127.0.0.1
 IP: ::1
@@ -144,8 +179,13 @@ X-Forwarded-For: 172.17.0.1
 X-Forwarded-Host: 172.17.0.4:80
 X-Forwarded-Proto: http
 X-Forwarded-Server: dbb60406010d
+```
 
-$ curl -H Host:whoami.docker.localhost http://127.0.0.1
+```shell
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+```yaml
 Hostname: 6c3c5df0c79a
 IP: 127.0.0.1
 IP: ::1

docs/theme/js/extra.js

@@ -0,0 +1,4 @@
+/* Highlight */
+(function(hljs) {
+    hljs.initHighlightingOnLoad();
+})(hljs);

docs/theme/js/hljs/LICENSE

@@ -0,0 +1,24 @@
+Copyright (c) 2006, Ivan Sagalaev
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of highlight.js nor the names of its contributors 
+      may be used to endorse or promote products derived from this software 
+      without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE REGENTS AND CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

docs/theme/partials/footer.html

@@ -0,0 +1,104 @@
+<!--
+  Copyright (c) 2016-2017 Martin Donath <martin.donath@squidfunk.com>
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to
+  deal in the Software without restriction, including without limitation the
+  rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+  sell copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+  FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+  IN THE SOFTWARE.
+-->
+
+{% import "partials/language.html" as lang %}
+
+<!-- Application footer -->
+<footer class="md-footer">
+
+    <!-- Link to previous and/or next page -->
+    {% if page.previous_page or page.next_page %}
+    <!--<div class="md-footer-nav">-->
+        <!--<nav class="md-footer-nav__inner md-grid">-->
+            <!-- -->
+            <!-- Link to previous page -->
+            <!--{% if page.previous_page %}-->
+            <!--<a href="{{ page.previous_page.url }}"-->
+               <!--title="{{ page.previous_page.title }}"-->
+               <!--class="md-flex md-footer-nav__link md-footer-nav__link&#45;&#45;prev"-->
+               <!--rel="prev">-->
+                <!--<div class="md-flex__cell md-flex__cell&#45;&#45;shrink">-->
+                    <!--<i class="md-icon md-icon&#45;&#45;arrow-back-->
+                    <!--md-footer-nav__button"></i>-->
+                <!--</div>-->
+                <!--<div class="md-flex__cell md-flex__cell&#45;&#45;stretch-->
+                  <!--md-footer-nav__title">-->
+              <!--<span class="md-flex__ellipsis">-->
+                <!--<span class="md-footer-nav__direction">-->
+                  <!--{{ lang.t("footer.previous") }} -->
+                <!--</span>-->
+                <!--{{ page.previous_page.title }}-->
+              <!--</span>-->
+                <!--</div>-->
+            <!--</a>-->
+            <!--{% endif %}-->
+            <!-- -->
+            <!-- Link to next page -->
+            <!--{% if page.next_page %}-->
+            <!--<a href="{{ page.next_page.url }}" title="{{ page.next_page.title }}"-->
+               <!--class="md-flex md-footer-nav__link md-footer-nav__link&#45;&#45;next"-->
+               <!--rel="next">-->
+                <!--<div class="md-flex__cell md-flex__cell&#45;&#45;stretch-->
+                  <!--md-footer-nav__title">-->
+              <!--<span class="md-flex__ellipsis">-->
+                <!--<span class="md-footer-nav__direction">-->
+                  <!--{{ lang.t("footer.next") }}-->
+                <!--</span>-->
+                <!--{{ page.next_page.title }}-->
+              <!--</span>-->
+                <!--</div>-->
+                <!--<div class="md-flex__cell md-flex__cell&#45;&#45;shrink">-->
+                    <!--<i class="md-icon md-icon&#45;&#45;arrow-forward-->
+                    <!--md-footer-nav__button"></i>-->
+                <!--</div>-->
+            <!--</a>-->
+            <!--{% endif %}-->
+        <!--</nav>-->
+    <!--</div>-->
+    {% endif %}
+
+    <!-- Further information -->
+    <div class="md-footer-meta md-typeset">
+        <div class="md-footer-meta__inner md-grid">
+
+            <!-- Copyright and theme information -->
+            <div class="md-footer-copyright">
+                {% if config.copyright %}
+                <div class="md-footer-copyright__highlight">
+                    {{ config.copyright }}
+                </div>
+                {% endif %}
+                powered by
+                <a href="http://www.mkdocs.org" title="MkDocs">MkDocs</a>
+                and
+                <a href="http://squidfunk.github.io/mkdocs-material/"
+                   title="Material for MkDocs">
+                    Material for MkDocs</a>
+            </div>
+
+            <!-- Social links -->
+            {% block social %}
+            {% include "partials/social.html" %}
+            {% endblock %}
+        </div>
+    </div>
+</footer>

docs/theme/styles/atom-one-light.css

@@ -0,0 +1,96 @@
+/*
+
+Atom One Light by Daniel Gamage
+Original One Light Syntax theme from https://github.com/atom/one-light-syntax
+
+base:    #fafafa
+mono-1:  #383a42
+mono-2:  #686b77
+mono-3:  #a0a1a7
+hue-1:   #0184bb
+hue-2:   #4078f2
+hue-3:   #a626a4
+hue-4:   #50a14f
+hue-5:   #e45649
+hue-5-2: #c91243
+hue-6:   #986801
+hue-6-2: #c18401
+
+*/
+
+.hljs {
+  display: block;
+  overflow-x: auto;
+  padding: 0.5em;
+  color: #383a42;
+  background: #fafafa;
+}
+
+.hljs-comment,
+.hljs-quote {
+  color: #a0a1a7;
+  font-style: italic;
+}
+
+.hljs-doctag,
+.hljs-keyword,
+.hljs-formula {
+  color: #a626a4;
+}
+
+.hljs-section,
+.hljs-name,
+.hljs-selector-tag,
+.hljs-deletion,
+.hljs-subst {
+  color: #e45649;
+}
+
+.hljs-literal {
+  color: #0184bb;
+}
+
+.hljs-string,
+.hljs-regexp,
+.hljs-addition,
+.hljs-attribute,
+.hljs-meta-string {
+  color: #50a14f;
+}
+
+.hljs-built_in,
+.hljs-class .hljs-title {
+  color: #c18401;
+}
+
+.hljs-attr,
+.hljs-variable,
+.hljs-template-variable,
+.hljs-type,
+.hljs-selector-class,
+.hljs-selector-attr,
+.hljs-selector-pseudo,
+.hljs-number {
+  color: #986801;
+}
+
+.hljs-symbol,
+.hljs-bullet,
+.hljs-link,
+.hljs-meta,
+.hljs-selector-id,
+.hljs-title {
+  color: #4078f2;
+}
+
+.hljs-emphasis {
+  font-style: italic;
+}
+
+.hljs-strong {
+  font-weight: bold;
+}
+
+.hljs-link {
+  text-decoration: underline;
+}

docs/theme/styles/extra.css

@@ -0,0 +1,15 @@
+.md-logo img {
+    background-color: white;
+    border-radius: 50%;
+    width: 30px;
+    height: 30px;
+}
+
+/* Fix for Chrome */
+.md-typeset__table td code {
+    word-break: unset;
+}
+.md-typeset__table tr :nth-child(1) {
+    word-wrap: break-word;
+    max-width: 30em;
+}

docs/user-guide/cluster.md

@@ -1,6 +1,6 @@
 # Clustering / High Availability (beta)
 
-This guide explains how tu use Træfik in high availability mode.
+This guide explains how to use Træfik in high availability mode.
 In order to deploy and configure multiple Træfik instances, without copying the same configuration file on each instance, we will use a distributed Key-Value store.
 
 ## Prerequisites
@@ -15,6 +15,7 @@ Please refer to [this section](/user-guide/kv-config/#store-configuration-in-key
 ## Deploy a Træfik cluster
 
 Once your Træfik configuration is uploaded on your KV store, you can start each Træfik instance.
-A Træfik cluster is based on a master/slave model.
-When starting, Træfik will elect a master. If this instance fails, another master will be automatically elected.
+A Træfik cluster is based on a manager/worker model.
+When starting, Træfik will elect a manager.
+If this instance fails, another manager will be automatically elected.
 

docs/user-guide/docker-and-lets-encrypt.md

@@ -0,0 +1,217 @@
+# Docker & Traefik
+
+In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
+We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
+In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.
+
+## Setting Up
+
+In order for this to work, you'll need a server with a public IP address, with Docker installed on it.
+In this example, we're using the fictitious domain _my-awesome-app.org_.
+In real-life, you'll want to use your own domain and have the DNS configured accordingly so the hostname records you'll want to use point to the aforementioned public IP address.
+
+## Networking
+
+Docker containers can only communicate with each other over TCP when they share at least one network.
+This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.
+In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
+
+On the Docker host, run the following command:
+
+```shell
+docker network create web
+```
+
+Now, let's create a directory on the server where we will configure the rest of Traefik:
+
+```shell
+mkdir -p /opt/traefik
+```
+
+Within this directory, we're going to create 3 empty files:
+
+```shell
+touch /opt/traefik/docker-compose.yml
+touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
+touch /opt/traefik/traefik.toml
+```
+
+The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
+The contents of the file is as follows:
+
+```yaml
+version: '2'
+
+services:
+  traefik:
+    image: traefik:1.3.5
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - web
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /srv/traefik/traefik.toml:/traefik.toml
+      - /srv/traefik/acme.json:/acme.json
+    container_name: traefik
+
+networks:
+  web:
+    external: true
+```
+
+As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.
+Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).
+Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
+We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.
+Finally, we're giving this container a static name called `traefik`.
+
+Let's take a look at a simply `traefik.toml` configuration as well before we'll create the Traefik container:
+
+```toml
+debug = false
+checkNewVersion = true
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+  [entryPoints.https.tls]
+
+[retry]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "my-awesome-app.org"
+watch = true
+exposedbydefault = false
+
+[acme]
+email = "your-email-here@my-awesome-app.org"
+storage = "acme.json"
+entryPoint = "https"
+OnHostRule = true
+```
+
+This is the minimum configuration required to do the following:
+
+- Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messagse
+- Check for new versions of Traefik periodically
+- Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
+- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
+- Enable automatic request and configuration of SSL certificates using Let's Encrypt. These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.
+
+Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container.
+
+## Exposing Web Services to the Outside World
+
+Now that we've fully configured and started Traefik, it's time to get our applications running!
+
+Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not. The `docker-compose.yml` of our project looks like this:
+
+```yaml
+version: "2.1"
+
+services:
+  app:
+    image: my-docker-registry.com/my-awesome-app/app:latest
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    restart: always
+    networks:
+      - web
+      - default
+    expose:
+      - "9000"
+    labels:
+      - "traefik.backend=my-awesome-app-app"
+      - "traefik.docker.network=web"
+      - "traefik.frontend.rule=Host:app.my-awesome-app.org"
+      - "traefik.enable=true"
+      - "traefik.port=9000"
+
+  db:
+    image: my-docker-registry.com/back-end/5.7
+    restart: always
+
+  redis:
+    image: my-docker-registry.com/back-end/redis:4-alpine
+    restart: always
+
+  events:
+    image: my-docker-registry.com/my-awesome-app/events:latest
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    restart: always
+    networks:
+      - web
+      - default
+    expose:
+      - "3000"
+    labels:
+      - "traefik.backend=my-awesome-app-events"
+      - "traefik.docker.network=web"
+      - "traefik.frontend.rule=Host:events.my-awesome-app.org"
+      - "traefik.enable=true"
+      - "traefik.port=3000"
+
+networks:
+  web:
+    external: true
+```
+
+Here, we can see a set of services with two applications that we're actually exposing to the outside world.
+Notice how there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.
+Also, only the containers that we want traffic to get routed to are attached to the `web` network we created at the start of this document.
+Since the `traefik` container we've created and started earlier is also attached to this network, HTTP requests can now get routed to these containers.
+
+### Labels
+
+As mentioned earlier, we don't want containers exposed automatically by Traefik.
+The reason behind this is simple: we want to have control over this process ourselves.
+Thanks to Docker labels, we can tell Traefik how to create it's internal routing configuration.
+Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:
+
+```yaml
+- "traefik.backend=my-awesome-app-app"
+- "traefik.docker.network=web"
+- "traefik.frontend.rule=Host:app.my-awesome-app.org"
+- "traefik.enable=true"
+- "traefik.port=9000"
+```
+
+First, we specify the `backend` name which corresponds to the actual service we're routing **to**.
+We also tell Traefik to use the `web` network to route HTTP traffic to this container. With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
+Essentially, this is the actual rule used for Layer-7 load balancing.
+With the `traefik.enable` label, we tell Traefik to include this container in it's internal configuration.
+Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+
+#### Gotchas and tips
+
+- Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.
+    If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
+    Even if a container only exposes one port, you should always write configuration defensively and explicitly.
+- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
+    Usually, this is a bad idea.
+- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
+- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
+- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
+    Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)
+
+### Final thoughts
+
+Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, performant and self-configuring solution for your projects.
+With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.

docs/user-guide/examples.md

@@ -1,4 +1,3 @@
-
 # Examples
 
 You will find here some configuration examples of Træfik.
@@ -44,25 +43,23 @@ defaultEntryPoints = ["http", "https"]
   address = ":443"
     [entryPoints.https.tls]
       [[entryPoints.https.tls.certificates]]
-      certFile = "tests/traefik.crt"
-      keyFile = "tests/traefik.key"
+      CertFile = "examples/traefik.crt"
+      KeyFile = "examples/traefik.key"
 ```
 
 ## Let's Encrypt support
 
+### Basic example
+
 ```toml
 [entryPoints]
   [entryPoints.https]
   address = ":443"
     [entryPoints.https.tls]
-      # certs used as default certs
-      [[entryPoints.https.tls.certificates]]
-      certFile = "tests/traefik.crt"
-      keyFile = "tests/traefik.key"
+
 [acme]
 email = "test@traefik.io"
-storageFile = "acme.json"
-onDemand = true
+storage = "acme.json"
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
 
@@ -78,6 +75,166 @@ entryPoint = "https"
   main = "local4.com"
 ```
 
+This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com` with described SANs.
+Traefik generates these certificates when it starts and it needs to be restart if new domains are added.
+
+### OnHostRule option
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+onHostRule = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+```
+
+This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com`.
+Traefik generates these certificates when it starts.
+
+If a backend is added with a `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.
+
+### OnDemand option
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+OnDemand = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+```
+
+This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.
+
+
+!!! note
+    This option simplifies the configuration but :
+
+    * TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
+    * Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits
+
+    That's why, it's better to use the `onHostRule` optin if possible.
+
+### DNS challenge
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
+delayDontCheckDNS = 0
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+```
+
+DNS challenge needs environment variables to be executed. This variables have to be set on the machine/container which host Traefik.
+These variables has described [in this section](toml/#acme-lets-encrypt-configuration).
+
+### OnHostRule option and provided certificates
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "examples/traefik.crt"
+      KeyFile = "examples/traefik.key"
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+onHostRule = true
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+```
+
+Traefik will only try to generate a Let's encrypt certificate if the domain cannot be checked by the provided certificates.
+
+### Cluster mode
+
+#### Prerequisites
+
+Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
+
+#### Configuration
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "traefik/acme/account"
+caServer = "http://172.18.0.1:4000/directory"
+entryPoint = "https"
+
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+
+[consul]
+  endpoint = "127.0.0.1:8500"
+  watch = true
+  prefix = "traefik"
+
+```
+
+This configuration allows to use the key `traefik/acme/account` to get/set Let's Encrypt certificates content.
+The `consul` provider contains the configuration.
+
+!!! note
+    It's possible to use others key-value store providers as described [here](/user-guide/kv-config/#key-value-store-configuration).
+
 ## Override entrypoints in frontends
 
 ```toml
@@ -89,6 +246,7 @@ entryPoint = "https"
   [frontends.frontend2]
   backend = "backend1"
   passHostHeader = true
+  passTLSCert = true
   entrypoints = ["https"] # overrides defaultEntryPoints
     [frontends.frontend2.routes.test_1]
     rule = "Host:{subdomain:[a-z]+}.localhost"

docs/user-guide/kubernetes.md

@@ -1,26 +1,25 @@
 # Kubernetes Ingress Controller
 
 This guide explains how to use Træfik as an Ingress controller in a Kubernetes cluster.
-If you are not familiar with Ingresses in Kubernetes you might want to read the [Kubernetes user guide](http://kubernetes.io/docs/user-guide/ingress/)
+If you are not familiar with Ingresses in Kubernetes you might want to read the [Kubernetes user guide](https://kubernetes.io/docs/concepts/services-networking/ingress/)
 
 The config files used in this guide can be found in the [examples directory](https://github.com/containous/traefik/tree/master/examples/k8s)
 
 ## Prerequisites
 
-1. A working Kubernetes cluster. If you want to follow along with this guide, you should setup [minikube](http://kubernetes.io/docs/getting-started-guides/minikube/)
+1. A working Kubernetes cluster. If you want to follow along with this guide, you should setup [minikube](https://kubernetes.io/docs/getting-started-guides/minikube/)
 on your machine, as it is the quickest way to get a local Kubernetes cluster setup for experimentation and development.
 
-2. The `kubectl` binary should be [installed on your workstation](http://kubernetes.io/docs/getting-started-guides/minikube/#download-kubectl).
+2. The `kubectl` binary should be [installed on your workstation](https://kubernetes.io/docs/getting-started-guides/minikube/#download-kubectl).
 
 ### Role Based Access Control configuration (Kubernetes 1.6+ only)
 
-Kubernetes introduces [Role Based Access Control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) in 1.6+ to allow fine-grained control
-of Kubernetes resources and api.
+Kubernetes introduces [Role Based Access Control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) in 1.6+ to allow fine-grained control of Kubernetes resources and api.
 
-If your cluster is configured with RBAC, you may need to authorize Traefik to use
-kubernetes API using ClusterRole and ClusterRoleBinding resources:
+If your cluster is configured with RBAC, you may need to authorize Træfik to use the Kubernetes API using ClusterRole and ClusterRoleBinding resources:
 
-_Note: your cluster may have suitable ClusterRoles already setup, but the following should work everywhere_
+!!! note
+    your cluster may have suitable ClusterRoles already setup, but the following should work everywhere
 
 ```yaml
 ---
@@ -35,6 +34,7 @@ rules:
       - pods
       - services
       - endpoints
+      - secrets
     verbs:
       - get
       - list
@@ -68,13 +68,17 @@ subjects:
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
 ```
 
-## Deploy Træfik using a Deployment object
+## Deploy Træfik using a Deployment or DaemonSet
 
-We are going to deploy Træfik with a
-[Deployment](http://kubernetes.io/docs/user-guide/deployments/), as this will
-allow you to easily roll out config changes or update the image.
+It is possible to use Træfik with a [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) or a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) object,
+ whereas both options have their own pros and cons:
+ The scalability is much better when using a Deployment, because you will have a Single-Pod-per-Node model when using the DeaemonSet.
+It is possible to exclusively run a Service on a dedicated set of machines using taints and tolerations with a DaemonSet.
+On the other hand the DaemonSet allows you to access any Node directly on Port 80 and 443, where you have to setup a [Service](https://kubernetes.io/docs/concepts/services-networking/service/) object with a Deployment.
 
-```yaml
+The Deployment objects looks like this:
+
+```yml
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -105,41 +109,118 @@ spec:
       containers:
       - image: traefik
         name: traefik-ingress-lb
-        resources:
-          limits:
-            cpu: 200m
-            memory: 30Mi
-          requests:
-            cpu: 100m
-            memory: 20Mi
-        ports:
-        - containerPort: 80
-          hostPort: 80
-        - containerPort: 8080
         args:
         - --web
         - --kubernetes
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: traefik-ingress-service
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+    - protocol: TCP
+      port: 80
+      name: web
+    - protocol: TCP
+      port: 8080
+      name: admin
+  type: NodePort
 ```
-[examples/k8s/traefik.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik.yaml)
+[examples/k8s/traefik-deployment.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-deployment.yaml)
 
-> notice that we binding port 80 on the Træfik container to port 80 on the host.
-> With a multi node cluster we might expose Træfik with a NodePort or LoadBalancer service
-> and run more than 1 replica of Træfik for high availability.
+> The Service will expose two NodePorts which allow access to the ingress and the web interface.
 
-To deploy Træfik to your cluster start by submitting the deployment to the cluster with `kubectl`:
+The DaemonSet objects looks not much different:
+
+```yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+---
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      hostNetwork: true
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        ports:
+        - name: http
+          containerPort: 80
+          hostPort: 80
+        - name: admin
+          containerPort: 8080
+        securityContext:
+          privileged: true
+        args:
+        - -d
+        - --web
+        - --kubernetes
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: traefik-ingress-service
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+    - protocol: TCP
+      port: 80
+      name: web
+    - protocol: TCP
+      port: 8080
+      name: admin
+  type: NodePort
+```
+
+[examples/k8s/traefik-ds.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-ds.yaml)
+
+To deploy Træfik to your cluster start by submitting one of the YAML files to the cluster with `kubectl`:
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik.yaml
+$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml
 ```
 
-### Check the deployment
+```shell
+$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
+```
 
-Now lets check if our deployment was successful.
+There are some significant differences between using Deployments and DaemonSets.
+The Deployment has easier up and down scaling possibilities. It can implement full pod lifecycle and supports rolling updates from Kubernetes 1.2.
+At least one Pod is needed to run the Deployment.
+The DaemonSet automatically scales to all nodes that meets a specific selector and guarantees to fill nodes one at a time.
+Rolling updates are fully supported from Kubernetes 1.7 for DaemonSets as well.
+
+
+
+### Check the Pods
+
+Now lets check if our command was successful.
 
 Start by listing the pods in the `kube-system` namespace:
 
 ```shell
-$kubectl --namespace=kube-system get pods
+$ kubectl --namespace=kube-system get pods
 
 NAME                                         READY     STATUS    RESTARTS   AGE
 kube-addon-manager-minikubevm                1/1       Running   0          4h
@@ -147,39 +228,45 @@ kubernetes-dashboard-s8krj                   1/1       Running   0          4h
 traefik-ingress-controller-678226159-eqseo   1/1       Running   0          7m
 ```
 
-You should see that after submitting the Deployment to Kubernetes it has launched
-a pod, and it is now running. _It might take a few moments for kubernetes to pull
-the Træfik image and start the container._
+You should see that after submitting the Deployment or DaemonSet to Kubernetes it has launched a Pod, and it is now running.
+_It might take a few moments for kubernetes to pull the Træfik image and start the container._
 
 > You could also check the deployment with the Kubernetes dashboard, run
 > `minikube dashboard` to open it in your browser, then choose the `kube-system`
 > namespace from the menu at the top right of the screen.
 
-You should now be able to access Træfik on port 80 of your minikube instance.
+You should now be able to access Træfik on port 80 of your Minikube instance when using the DaemonSet:
 
 ```sh
 curl $(minikube ip)
 404 page not found
 ```
 
+If you decided to use the deployment, then you need to target the correct NodePort, which can be seen then you execute `kubectl get services --namespace=kube-system`.
+
+```sh
+curl $(minikube ip):<NODEPORT>
+404 page not found
+```
+
 > We expect to see a 404 response here as we haven't yet given Træfik any configuration.
 
 ## Deploy Træfik using Helm Chart
 
-Instead of installing Træfik via a Deployment object, you can also use the Træfik Helm chart.
+Instead of installing Træfik via an own object, you can also use the Træfik Helm chart.
+This allows more complex configuration via Kubernetes [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configmap/) and enabled TLS certificates.
 
 Install Træfik chart by:
 
-```sh
-helm install stable/traefik
+```shell
+$ helm install stable/traefik
 ```
 
 For more information, check out [the doc](https://github.com/kubernetes/charts/tree/master/stable/traefik).
 
 ## Submitting An Ingress to the cluster.
 
-Lets start by creating a Service and an Ingress that will expose the
-[Træfik Web UI](https://github.com/containous/traefik#web-ui).
+Lets start by creating a Service and an Ingress that will expose the [Træfik Web UI](https://github.com/containous/traefik#web-ui).
 
 ```yaml
 apiVersion: v1
@@ -203,7 +290,7 @@ metadata:
     kubernetes.io/ingress.class: traefik
 spec:
   rules:
-  - host: traefik-ui.local
+  - host: traefik-ui.minikube
     http:
       paths:
       - backend:
@@ -216,23 +303,21 @@ spec:
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
 ```
 
-Now lets setup an entry in our /etc/hosts file to route `traefik-ui.local`
-to our cluster.
+Now lets setup an entry in our /etc/hosts file to route `traefik-ui.minikube` to our cluster.
 
 > In production you would want to set up real dns entries.
 
 > You can get the ip address of your minikube instance by running `minikube ip`
 
 ```shell
-echo "$(minikube ip) traefik-ui.local" | sudo tee -a /etc/hosts
+echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts
 ```
 
-We should now be able to visit [traefik-ui.local](http://traefik-ui.local) in the browser and view the Træfik Web UI.
+We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik Web UI.
 
 ## Name based routing
 
-In this example we are going to setup websites for 3 of the United Kingdoms
-best loved cheeses, Cheddar, Stilton and Wensleydale.
+In this example we are going to setup websites for 3 of the United Kingdoms best loved cheeses, Cheddar, Stilton and Wensleydale.
 
 First lets start by launching the 3 pods for the cheese websites.
 
@@ -410,21 +495,21 @@ metadata:
     kubernetes.io/ingress.class: traefik
 spec:
   rules:
-  - host: stilton.local
+  - host: stilton.minikube
     http:
       paths:
       - path: /
         backend:
           serviceName: stilton
           servicePort: http
-  - host: cheddar.local
+  - host: cheddar.minikube
     http:
       paths:
       - path: /
         backend:
           serviceName: cheddar
           servicePort: http
-  - host: wensleydale.local
+  - host: wensleydale.minikube
     http:
       paths:
       - path: /
@@ -440,26 +525,21 @@ spec:
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml
 ```
 
-Now visit the [Træfik dashboard](http://traefik-ui.local/) and you should
-see a frontend for each host. Along with a backend listing for each service
-with a Server set up for each pod.
+Now visit the [Træfik dashboard](http://traefik-ui.minikube/) and you should see a frontend for each host. Along with a backend listing for each service with a Server set up for each pod.
 
-If you edit your `/etc/hosts` again you should be able to access the cheese
-websites in your browser.
+If you edit your `/etc/hosts` again you should be able to access the cheese websites in your browser.
 
 ```shell
-echo "$(minikube ip) stilton.local cheddar.local wensleydale.local" | sudo tee -a /etc/hosts
+echo "$(minikube ip) stilton.minikube cheddar.minikube wensleydale.minikube" | sudo tee -a /etc/hosts
 ```
 
-* [Stilton](http://stilton.local/)
-* [Cheddar](http://cheddar.local/)
-* [Wensleydale](http://wensleydale.local/)
+* [Stilton](http://stilton.minikube/)
+* [Cheddar](http://cheddar.minikube/)
+* [Wensleydale](http://wensleydale.minikube/)
 
 ## Path based routing
 
-Now lets suppose that our fictional client has decided that while they are
-super happy about our cheesy web design, when they asked for 3 websites
-they had not really bargained on having to buy 3 domain names.
+Now lets suppose that our fictional client has decided that while they are super happy about our cheesy web design, when they asked for 3 websites they had not really bargained on having to buy 3 domain names.
 
 No problem, we say, why don't we reconfigure the sites to host all 3 under one domain.
 
@@ -471,10 +551,10 @@ metadata:
   name: cheeses
   annotations:
     kubernetes.io/ingress.class: traefik
-    traefik.frontend.rule.type: pathprefixstrip
+    traefik.frontend.rule.type: PathPrefixStrip
 spec:
   rules:
-  - host: cheeses.local
+  - host: cheeses.minikube
     http:
       paths:
       - path: /stilton
@@ -501,14 +581,59 @@ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/exa
 ```
 
 ```shell
-echo "$(minikube ip) cheeses.local" | sudo tee -a /etc/hosts
+echo "$(minikube ip) cheeses.minikube" | sudo tee -a /etc/hosts
 ```
 
 You should now be able to visit the websites in your browser.
 
-* [cheeses.local/stilton](http://cheeses.local/stilton/)
-* [cheeses.local/cheddar](http://cheeses.local/cheddar/)
-* [cheeses.local/wensleydale](http://cheeses.local/wensleydale/)
+* [cheeses.minikube/stilton](http://cheeses.minikube/stilton/)
+* [cheeses.minikube/cheddar](http://cheeses.minikube/cheddar/)
+* [cheeses.minikube/wensleydale](http://cheeses.minikube/wensleydale/)
+
+## Specifying priority for routing
+
+Sometimes you need to specify priority for ingress route, especially when handling wildcard routes.
+This can be done by adding annotation `traefik.frontend.priority`, i.e.:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: wildcard-cheeses
+  annotations:
+    traefik.frontend.priority: 1
+spec:
+  rules:
+  - host: *.minikube
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: stilton
+          servicePort: http
+
+kind: Ingress
+metadata:
+  name: specific-cheeses
+  annotations:
+    traefik.frontend.priority: 2
+spec:
+  rules:
+  - host: specific.minikube
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: stilton
+          servicePort: http
+```
+
+
+## Forwarding to ExternalNames
+
+When specifying an [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors),
+Træfik will forward requests to the given host accordingly and use HTTPS when the Service port matches 443.
+This still requires setting up a proper port mapping on the Service from the Ingress port to the (external) Service port.
 
 ## Disable passing the Host header
 
@@ -525,8 +650,7 @@ disablePassHostHeaders = true
 
 ### Disable per ingress
 
-To disable passing the Host header per ingress resource set the `traefik.frontend.passHostHeader`
-annotation on your ingress to `false`.
+To disable passing the Host header per ingress resource set the `traefik.frontend.passHostHeader` annotation on your ingress to `false`.
 
 Here is an example ingress definition:
 ```yaml
@@ -562,13 +686,12 @@ spec:
   externalName: static.otherdomain.com
 ```
 
-If you were to visit example.com/static the request would then be passed onto
-static.otherdomain.com/static and static.otherdomain.com would receive the
-request with the Host header being static.otherdomain.com.
+If you were to visit `example.com/static` the request would then be passed onto `static.otherdomain.com/static` and s`tatic.otherdomain.com` would receive the request with the Host header being `static.otherdomain.com`.
 
-Note: The per ingress annotation overides whatever the global value is set to.
-So you could set `disablePassHostHeaders` to `true` in your toml file and then enable passing 
-the host header per ingress if you wanted.
+!!! note
+    The per ingress annotation overides whatever the global value is set to.
+    So you could set `disablePassHostHeaders` to `true` in your toml file and then enable passing
+    the host header per ingress if you wanted.
 
 ## Excluding an ingress from Træfik
 
@@ -577,4 +700,4 @@ By default if the annotation is not set at all Træfik will include the ingress.
 If the annotation is set to anything other than traefik or a blank string Træfik will ignore it.
 
 
-![](http://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

docs/user-guide/kv-config.md

@@ -1,4 +1,3 @@
-
 # Key-value store configuration
 
 Both [static global configuration](/user-guide/kv-config/#static-configuration-in-key-value-store) and [dynamic](/user-guide/kv-config/#dynamic-configuration-in-key-value-store) configuration can be sorted in a Key-value store.
@@ -12,7 +11,7 @@ Træfik supports several Key-value stores:
 - [ZooKeeper](https://zookeeper.apache.org/)
 - [boltdb](https://github.com/boltdb/bolt)
 
-# Static configuration in Key-value store
+## Static configuration in Key-value store
 
 We will see the steps to set it up with an easy example.
 Note that we could do the same with any other Key-value Store.
@@ -113,6 +112,7 @@ And there, the same global configuration in the Key-value Store (using `prefix =
 | `/traefik/web/address`                                    | `:8081`                                                       |
 
 In case you are setting key values manually:
+
 - Remember to specify the indexes (`0`,`1`, `2`, ... ) under prefixes `/traefik/defaultentrypoints/` and `/traefik/entrypoints/https/tls/certificates/` in order to match the global configuration structure.
 - Be careful to give the correct IP address and port on the key `/traefik/consul/endpoint`.
 
@@ -135,11 +135,24 @@ traefik:
     - "8080:8080"
 ```
 
-NB : Be careful to give the correct IP address and port in the flag `--consul.endpoint`.
+!!! warning
+    Be careful to give the correct IP address and port in the flag `--consul.endpoint`.
+
+## Consul ACL Token support
+
+To specify a Consul ACL token for Traefik, we have to set a System Environment variable named `CONSUL_HTTP_TOKEN` prior to starting traefik. This variable must be initialized with the ACL token value.
+
+If Traefik is launched into a Docker container, the variable `CONSUL_HTTP_TOKEN` can be initialized with the `-e` Docker option : `-e "CONSUL_HTTP_TOKEN=[consul-acl-token-value]"`
 
 ## TLS support
 
-So far, only [Consul](https://consul.io) and [etcd](https://coreos.com/etcd/) support TLS connections. 
+To connect to a Consul endpoint using SSL, simply specify `https://` in the `consul.endpoint` property
+
+- `--consul.endpoint=https://[consul-host]:[consul-ssl-port]`
+
+## TLS support with client certificates
+
+So far, only [Consul](https://consul.io) and [etcd](https://coreos.com/etcd/) support TLS connections with client certificates.
 To set it up, we should enable [consul security](https://www.consul.io/docs/internals/security.html) (or [etcd security](https://coreos.com/etcd/docs/latest/security.html)).
 
 Then, we have to provide CA, Cert and Key to Træfik using `consul` flags :
@@ -161,12 +174,14 @@ Note that we can either give directly directly the file content itself (instead
 Remember the command `traefik --help` to display the updated list of flags.
 
 # Dynamic configuration in Key-value store
+
 Following our example, we will provide backends/frontends rules to Træfik.
 
 Note that this section is independent of the way Træfik got its static configuration.
 It means that the static configuration can either come from the same Key-value store or from any other sources.
 
 ## Key-value storage structure
+
 Here is the toml configuration we would like to store in the store :
 
 ```toml
@@ -263,7 +278,10 @@ Træfik can watch the backends/frontends configuration changes and generate its
 
 Note that only backends/frontends rules are dynamic, the rest of the Træfik configuration stay static.
 
-The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically. As a result, it may be possible for Træfik to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag. To solve this problem, Træfik supports a special key called `/traefik/alias`. If set, Træfik use the value as an alternative key prefix.
+The [Etcd](https://github.com/coreos/etcd/issues/860) and [Consul](https://github.com/hashicorp/consul/issues/886) backends do not support updating multiple keys atomically.
+As a result, it may be possible for Træfik to read an intermediate configuration state despite judicious use of the `--providersThrottleDuration` flag.
+To solve this problem, Træfik supports a special key called `/traefik/alias`.
+If set, Træfik use the value as an alternative key prefix.
 
 Given the key structure below, Træfik will use the `http://172.17.0.2:80` as its only backend (frontend keys have been omitted for brevity).
 
@@ -273,7 +291,8 @@ Given the key structure below, Træfik will use the `http://172.17.0.2:80` as it
 | `/traefik_configurations/1/backends/backend1/servers/server1/url`       | `http://172.17.0.2:80`      |
 | `/traefik_configurations/1/backends/backend1/servers/server1/weight`    | `10`                        |
 
-When an atomic configuration change is required, you may write a new configuration at an alternative prefix. Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`:
+When an atomic configuration change is required, you may write a new configuration at an alternative prefix.
+Here, although the `/traefik_configurations/2/...` keys have been set, the old configuration is still active because the `/traefik/alias` key still points to `/traefik_configurations/1`:
 
 | Key                                                                     | Value                       |
 |-------------------------------------------------------------------------|-----------------------------|
@@ -285,7 +304,8 @@ When an atomic configuration change is required, you may write a new configurati
 | `/traefik_configurations/2/backends/backend1/servers/server2/url`       | `http://172.17.0.3:80`      |
 | `/traefik_configurations/2/backends/backend1/servers/server2/weight`    | `5`                        |
 
-Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically. Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host:
+Once the `/traefik/alias` key is updated, the new `/traefik_configurations/2` configuration becomes active atomically.
+Here, we have a 50% balance between the `http://172.17.0.3:80` and the `http://172.17.0.4:80` hosts while no traffic is sent to the `172.17.0.2:80` host:
 
 | Key                                                                     | Value                       |
 |-------------------------------------------------------------------------|-----------------------------|
@@ -306,7 +326,7 @@ Don't forget to [setup the connection between Træfik and Key-value store](/user
 The static Træfik configuration in a key-value store can be automatically created and updated, using the [`storeconfig` subcommand](/basics/#commands).
 
 ```bash
-$ traefik storeconfig [flags] ...
+traefik storeconfig [flags] ...
 ```
 This command is here only to automate the [process which upload the configuration into the Key-value store](/user-guide/kv-config/#upload-the-configuration-in-the-key-value-store).
 Træfik will not start but the [static configuration](/basics/#static-trfk-configuration) will be uploaded into the Key-value store.
@@ -326,4 +346,4 @@ Then remove the line `storageFile = "acme.json"` from your TOML config file.
 
 That's it!
 
-![](http://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

docs/user-guide/marathon.md

@@ -1,4 +1,3 @@
-
 # Marathon
 
 This guide explains how to integrate Marathon and operate the cluster in a reliable way from Traefik's standpoint.
@@ -13,11 +12,14 @@ Marathon offers multiple ways to run (Docker-containerized) applications, the mo
 
 Traefik tries to detect the configured mode and route traffic to the right IP addresses. It is possible to force using task hosts with the `forceTaskHostname` option.
 
-Given the complexity of the subject, it is possible that the heuristic fails. Apart from filing an issue and waiting for the feature request / bug report to get addressed, one workaround for such situations is to customize the Marathon template file to the individual needs. (Note that this does _not_ require rebuilding Traefik but only to point the `filename` configuration parameter to a customized version of the `marathon.tmpl` file on Traefik startup.)
+Given the complexity of the subject, it is possible that the heuristic fails.
+Apart from filing an issue and waiting for the feature request / bug report to get addressed, one workaround for such situations is to customize the Marathon template file to the individual needs.
+(Note that this does _not_ require rebuilding Traefik but only to point the `filename` configuration parameter to a customized version of the `marathon.tmpl` file on Traefik startup.)
 
 # Port detection
 
-Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)). Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
+Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)).
+Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
 
 1. A arbitrary port specified through the `traefik.port` label.
 1. The task port (possibly indexed through the `traefik.portIndex` label, otherwise the first one).
@@ -40,15 +42,22 @@ The following sub-sections describe how to resolve or mitigate each scenario.
 
 ### Startup
 
-In general, it is possible to define [readiness checks](https://mesosphere.github.io/marathon/docs/readiness-checks.html) (available since Marathon version 1.1) per application and have Marathon take these into account during the startup phase. The idea is that each application provides an HTTP endpoint that Marathon queries periodically during an ongoing deployment in order to mark the associated readiness check result as successful if and only if the endpoint returns a response within the configured HTTP code range. As long as the check keeps failing, Marathon will not proceed with the deployment (within the configured upgrade stategy bounds).
+It is possible to define [readiness checks](https://mesosphere.github.io/marathon/docs/readiness-checks.html) (available since Marathon version 1.1) per application and have Marathon take these into account during the startup phase.
+The idea is that each application provides an HTTP endpoint that Marathon queries periodically during an ongoing deployment in order to mark the associated readiness check result as successful if and only if the endpoint returns a response within the configured HTTP code range.
+As long as the check keeps failing, Marathon will not proceed with the deployment (within the configured upgrade strategy bounds).
 
-Unfortunately, Traefik does not respect the result of the readiness check yet. Support is expected to land in a not-too-distant future release of Traefik, however, as being tracked by [issue 1559](https://github.com/containous/traefik/issues/1559).
+Beginning with version 1.4, Traefik respects readiness check results if the Traefik option is set and checks are configured on the applications accordingly.
+Note that due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
+It is on the order of one readiness check timeout interval (as configured on the application specifiation) and guarantees that non-ready tasks do not receive traffic prematurely.
 
-A current mitigation strategy is to enable [retries](http://docs.traefik.io/toml/#retry-configuration) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those. Apart from its probabilistic nature, the workaround comes at the price of increased latency.
+If readiness checks are not possible, a current mitigation strategy is to enable [retries](/configuration/commons#retry-configuration) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
+Apart from its probabilistic nature, the workaround comes at the price of increased latency.
 
 ### Shutdown
 
-It is possible to install a [termination handler](https://mesosphere.github.io/marathon/docs/health-checks.html) (available since Marathon version 1.3) with each application whose responsibility it is to delay the shutdown process long enough until the backend has been taken out of load-balancing rotation with reasonable confidence (i.e., Traefik has received an update from the Marathon event bus, recomputes the available Marathon backends, and applies the new configuration). Specifically, each termination handler should install a signal handler listening for a SIGTERM signal and implement the following steps on signal reception:
+It is possible to install a [termination handler](https://mesosphere.github.io/marathon/docs/health-checks.html) (available since Marathon version 1.3) with each application whose responsibility it is to delay the shutdown process long enough until the backend has been taken out of load-balancing rotation with reasonable confidence
+(i.e., Traefik has received an update from the Marathon event bus, recomputes the available Marathon backends, and applies the new configuration).
+Specifically, each termination handler should install a signal handler listening for a SIGTERM signal and implement the following steps on signal reception:
 
 1. Disable Keep-Alive HTTP connections.
 1. Keep accepting HTTP requests for a certain period of time.
@@ -58,20 +67,26 @@ It is possible to install a [termination handler](https://mesosphere.github.io/m
 
 Traefik already ignores Marathon tasks whose state does not match `TASK_RUNNING`; since terminating tasks transition into the `TASK_KILLING` and eventually `TASK_KILLED` state, there is nothing further that needs to be done on Traefik's end.
 
-How long HTTP requests should continue to be accepted in step 2 depends on how long Traefik needs to receive and process the Marathon configuration update. Under regular operational conditions, it should be on the order of seconds, with 10 seconds possibly being a good default value.
+How long HTTP requests should continue to be accepted in step 2 depends on how long Traefik needs to receive and process the Marathon configuration update.
+Under regular operational conditions, it should be on the order of seconds, with 10 seconds possibly being a good default value.
 
-Again, configuring Traefik to do retries (as discussed in the previous section) can serve as a decent workaround strategy. Paired with termination handlers, they would cover for those cases where either the termination sequence or Traefik cannot complete their part of the orchestration process in time.
+Again, configuring Traefik to do retries (as discussed in the previous section) can serve as a decent workaround strategy.
+Paired with termination handlers, they would cover for those cases where either the termination sequence or Traefik cannot complete their part of the orchestration process in time.
 
 ### Failure
 
-A failing application always happens unexpectedly, and hence, it is very difficult or even impossible to rule out the adversal effects categorically. Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
+A failing application always happens unexpectedly, and hence, it is very difficult or even impossible to rule out the adversal effects categorically.
+Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
 
 There are two mitigaton efforts:
 
 1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
 1. Configure Traefik health checks (possibly via the `traefik.backend.healthcheck.*` labels) and make sure they probe with proper frequency.
 
-The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves. However, they might take a while to get triggered and the follow-up processes to complete. For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen. Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
+The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
+However, they might take a while to get triggered and the follow-up processes to complete.
+For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
+Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
 
 ## (Non-)Alternatives
 
@@ -81,16 +96,21 @@ There are a few alternatives of varying quality that are frequently asked for. T
 
 It may seem obvious to reuse the Marathon health checks as a signal to Traefik whether an application should be taken into load-balancing rotation or not.
 
-Apart from the increased latency a failing health check may have, a major problem with this is is that Marathon does not persist the health check results. Consequently, if a master re-election occurs in the Marathon clusters, all health check results will revert to the _unknown_ state, effectively causing all applications inside the cluster to become unavailable and leading to a complete cluster failure. Re-elections do not only happen during regular maintenance work (often requiring rolling upgrades of the Marathon nodes) but also when the Marathon leader fails spontaneously). As such, there is no way to handle this situation deterministically.
+Apart from the increased latency a failing health check may have, a major problem with this is is that Marathon does not persist the health check results.
+Consequently, if a master re-election occurs in the Marathon clusters, all health check results will revert to the _unknown_ state, effectively causing all applications inside the cluster to become unavailable and leading to a complete cluster failure.
+Re-elections do not only happen during regular maintenance work (often requiring rolling upgrades of the Marathon nodes) but also when the Marathon leader fails spontaneously.
+As such, there is no way to handle this situation deterministically.
 
 Finally, Marathon health checks are not mandatory (the default is to use the task state as reported by Mesos), so requiring them for Traefik would raise the entry barrier for Marathon users.
 
-Traefik used to use the health check results but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
+Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
+If health check results are known to exist, however, they will be used to signal task availability.
 
 ### Draining
 
 Another common approach is to let a proxy drain backends that are supposed to shut down. That is, once a backend is supposed to shut down, Traefik would stop forwarding requests.
 
-On the plus side, this would not require any modifications to the application in question. However, implementing this fully within Traefik seems like a non-trivial undertaking. Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
+On the plus side, this would not require any modifications to the application in question. However, implementing this fully within Traefik seems like a non-trivial undertaking.
+Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
 
 The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/containous/traefik/issues/41).

docs/user-guide/swarm-mode.md

@@ -1,8 +1,6 @@
 # Docker Swarm (mode) cluster
 
-This section explains how to create a multi-host docker cluster with
-swarm mode using [docker-machine](https://docs.docker.com/machine) and
-how to deploy Træfik on it.
+This section explains how to create a multi-host docker cluster with swarm mode using [docker-machine](https://docs.docker.com/machine) and how to deploy Træfik on it.
 
 The cluster consists of:
 
@@ -59,6 +57,8 @@ Let's validate the cluster is up and running.
 
 ```shell
 docker-machine ssh manager docker node ls
+```
+```
 ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
 2a770ov9vixeadep674265u1n    worker1   Ready   Active
 dbi3or4q8ii8elbws70g4hkdh *  manager   Ready   Active        Leader
@@ -73,11 +73,9 @@ docker-machine ssh manager "docker network create --driver=overlay traefik-net"
 
 ## Deploy Træfik
 
-Let's deploy Træfik as a docker service in our cluster. The only
-requirement for Træfik to work with swarm mode is that it needs to run
-on a manager node — we are going to use a
-[constraint](https://docs.docker.com/engine/reference/commandline/service_create/#/specify-service-constraints-constraint) for
-that.
+Let's deploy Træfik as a docker service in our cluster.
+The only requirement for Træfik to work with swarm mode is that it needs to run on a manager node — we are going to use a
+[constraint](https://docs.docker.com/engine/reference/commandline/service_create/#/specify-service-constraints-constraint) for that.
 
 ```shell
 docker-machine ssh manager "docker service create \
@@ -96,24 +94,17 @@ docker-machine ssh manager "docker service create \
 
 Let's explain this command:
 
-- `--publish 80:80 --publish 8080:8080`: we publish port `80` and
-  `8080` on the cluster.
-- `--constraint=node.role==manager`: we ask docker to schedule Træfik
-  on a manager node.
+- `--publish 80:80 --publish 8080:8080`: we publish port `80` and `8080` on the cluster.
+- `--constraint=node.role==manager`: we ask docker to schedule Træfik on a manager node.
 - `--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock`:
-  we bind mount the docker socket where Træfik is scheduled to be able
-  to speak to the daemon.
-- `--network traefik-net`: we attach the Træfik service (and thus
-  the underlying container) to the `traefik-net` network.
-- `--docker`: enable docker backend, and `--docker.swarmmode` to
-  enable the swarm mode on Træfik.
+  we bind mount the docker socket where Træfik is scheduled to be able to speak to the daemon.
+- `--network traefik-net`: we attach the Træfik service (and thus the underlying container) to the `traefik-net` network.
+- `--docker`: enable docker backend, and `--docker.swarmmode` to enable the swarm mode on Træfik.
 - `--web`: activate the webUI on port 8080
 
 ## Deploy your apps
 
-We can now deploy our app on the cluster,
-here [whoami](https://github.com/emilevauge/whoami), a simple web
-server in Go. We start 2 services, on the `traefik-net` network.
+We can now deploy our app on the cluster, here [whoami](https://github.com/emilevauge/whoami), a simple web server in Go. We start 2 services, on the `traefik-net` network.
 
 ```shell
 docker-machine ssh manager "docker service create \
@@ -131,12 +122,15 @@ docker-machine ssh manager "docker service create \
 ```
 
 Note that we set whoami1 to use sticky sessions (`--label traefik.backend.loadbalancer.sticky=true`).  We'll demonstrate that later.
-If using `docker stack deploy`, there is [a specific way that the labels must be defined in the docker-compose file](https://github.com/containous/traefik/issues/994#issuecomment-269095109).
+
+**Note**: If using `docker stack deploy`, there is [a specific way that the labels must be defined in the docker-compose file](https://github.com/containous/traefik/issues/994#issuecomment-269095109).
 
 Check that everything is scheduled and started:
 
 ```shell
 docker-machine ssh manager "docker service ls"
+```
+```
 ID            NAME     REPLICAS  IMAGE              COMMAND
 ab046gpaqtln  whoami0  1/1       emilevauge/whoami
 cgfg5ifzrpgm  whoami1  1/1       emilevauge/whoami
@@ -147,6 +141,8 @@ dtpl249tfghc  traefik  1/1       traefik            --docker --docker.swarmmode
 
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
+```
+```yaml
 Hostname: 8147a7746e7a
 IP: 127.0.0.1
 IP: ::1
@@ -163,8 +159,11 @@ X-Forwarded-For: 192.168.99.1
 X-Forwarded-Host: 10.0.9.3:80
 X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
-
+```
+```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip manager)
+```
+```yaml
 Hostname: ba2c21488299
 IP: 127.0.0.1
 IP: ::1
@@ -183,11 +182,12 @@ X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
 ```
 
-Note that as Træfik is published, you can access it from any machine
-and not only the manager.
+Note that as Træfik is published, you can access it from any machine and not only the manager.
 
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip worker1)
+```
+```yaml
 Hostname: 8147a7746e7a
 IP: 127.0.0.1
 IP: ::1
@@ -204,8 +204,11 @@ X-Forwarded-For: 192.168.99.1
 X-Forwarded-Host: 10.0.9.3:80
 X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
-
+```
+```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip worker2)
+```
+```yaml
 Hostname: ba2c21488299
 IP: 127.0.0.1
 IP: ::1
@@ -237,6 +240,8 @@ Check that we now have 5 replicas of each `whoami` service:
 
 ```shell
 docker-machine ssh manager "docker service ls"
+```
+```
 ID            NAME     REPLICAS  IMAGE              COMMAND
 ab046gpaqtln  whoami0  5/5       emilevauge/whoami
 cgfg5ifzrpgm  whoami1  5/5       emilevauge/whoami
@@ -244,9 +249,13 @@ dtpl249tfghc  traefik  1/1       traefik            --docker --docker.swarmmode
 ```
 ## Access to your whoami0 through Træfik multiple times.
 
-Repeat the following command multiple times and note that the Hostname changes each time as Traefik load balances each request against the 5 tasks.
+Repeat the following command multiple times and note that the Hostname changes each time as Traefik load balances each request against the 5 tasks:
+
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
+```
+
+```yaml
 Hostname: 8147a7746e7a
 IP: 127.0.0.1
 IP: ::1
@@ -265,9 +274,13 @@ X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
 ```
 
-Do the same against whoami1.  
+Do the same against whoami1:
+
 ```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip manager)
+```
+
+```yaml
 Hostname: ba2c21488299
 IP: 127.0.0.1
 IP: ::1
@@ -285,16 +298,16 @@ X-Forwarded-Host: 10.0.9.4:80
 X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
 ```
-Wait, I thought we added the sticky flag to whoami1?  Traefik relies on a cookie to maintain stickyness so you'll need to test this with a browser.
+Wait, I thought we added the sticky flag to `whoami1`?  Traefik relies on a cookie to maintain stickyness so you'll need to test this with a browser.
 
-First you need to add whoami1.traefik to your hosts file:
-```ssh
+First you need to add `whoami1.traefik` to your hosts file:
+
+```shell
 if [ -n "$(grep whoami1.traefik /etc/hosts)" ];
 then
-echo "whoami1.traefik already exists (make sure the ip is current)"; 
+    echo "whoami1.traefik already exists (make sure the ip is current)";
 else
-sudo -- sh -c -e "echo '$(docker-machine ip manager)\twhoami1.traefik' 
->> /etc/hosts"; 
+    sudo -- sh -c -e "echo '$(docker-machine ip manager)\twhoami1.traefik' >> /etc/hosts";
 fi
 ```
 
@@ -302,4 +315,4 @@ Now open your browser and go to http://whoami1.traefik/
 
 You will now see that stickyness is maintained.
 
-![](http://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

docs/user-guide/swarm.md

@@ -120,6 +120,8 @@ Check that everything is started:
 
 ```shell
 docker ps
+```
+```
 CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                      NAMES
 ba2c21488299        emilevauge/whoami   "/whoamI"                8 seconds ago       Up 9 seconds        80/tcp                                                     mhs-demo1/whoami1
 8147a7746e7a        emilevauge/whoami   "/whoamI"                19 seconds ago      Up 20 seconds       80/tcp                                                     mhs-demo0/whoami0
@@ -130,6 +132,8 @@ ba2c21488299        emilevauge/whoami   "/whoamI"                8 seconds ago
 
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip mhs-demo0)
+```
+```yaml
 Hostname: 8147a7746e7a
 IP: 127.0.0.1
 IP: ::1
@@ -146,8 +150,12 @@ X-Forwarded-For: 192.168.99.1
 X-Forwarded-Host: 10.0.9.3:80
 X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
+```
 
+```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip mhs-demo0)
+```
+```yaml
 Hostname: ba2c21488299
 IP: 127.0.0.1
 IP: ::1
@@ -166,4 +174,4 @@ X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
 ```
 
-![](http://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

examples/acme/Docker_Acme.md

@@ -0,0 +1,30 @@
+# ACME Testing environment
+
+## Objectives
+
+In our integration ACME tests, we use a simulated Let's Encrypt container based stack named boulder.
+
+The goal of this directory is to provide to developers a Traefik-boulder full stack environment.
+This environment may be used in order to quickly test developments on ACME certificates management.
+
+The provided Boulder stack is based on the environment used during integration tests.
+
+## Directory content
+
+* **compose-acme.yml** : Docker-Compose file which contains the description of Traefik and all the boulder stack containers to get,
+* **acme.toml** : Traefik configuration file used by the Traefik container described above,
+* **manage_acme_docker_environment.sh**  Shell script which does all needed checks and manages the docker-compose environment.
+
+## Shell script
+
+### Description
+
+To work fine, boulder needs a domain name, with a related IP and storage file. The shell script allows to check the environment before launching the Docker environment with the rights parameters and to managing this environment.
+
+### Use
+
+The script **manage_acme_docker_environment.sh** requires one argument. This argument can have 3 values :
+
+* **--start** : Check environment and launch a new Docker environment.
+* **--stop** : Stop and delete the current Docker environment.
+* **--restart--** : Concatenate **--stop** and **--start** actions.

examples/acme/acme.toml

@@ -0,0 +1,33 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+        entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+
+[acme]
+email = "test@traefik.io"
+storage = "/etc/traefik/conf/acme.json"
+entryPoint = "https"
+onDemand = false
+OnHostRule = true
+caServer = "http://traefik.localhost.com:4000/directory"
+
+
+[web]
+  address = ":8080"
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+domain = "traefik.localhost.com"
+watch = true
+exposedbydefault = false
+
+

examples/acme/compose-acme.yml

@@ -0,0 +1,89 @@
+version: "2"
+
+# IP_HOST : Docker host IP (not 127.0.0.1)
+
+services :
+  boulder:
+      image: containous/boulder:release
+      environment:
+          FAKE_DNS: $IP_HOST
+          PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
+      extra_hosts:
+        - le.wtf:127.0.0.1
+        - boulder:127.0.0.1
+      ports:
+        - 4000:4000 # ACME
+        - 4002:4002 # OCSP
+        - 4003:4003 # OCSP
+        - 4500:4500 # ct-test-srv
+        - 8000:8000 # debug ports
+        - 8001:8001
+        - 8002:8002
+        - 8003:8003
+        - 8004:8004
+        - 8055:8055 # dns-test-srv updates
+        - 9380:9380 # mail-test-srv
+        - 9381:9381 # mail-test-srv
+      restart: unless-stopped
+      depends_on:
+        - bhsm
+        - bmysql
+        - brabbitmq
+
+  bhsm:
+      image: letsencrypt/boulder-tools:2016-11-02
+      hostname: boulder-hsm
+      networks:
+          default:
+              aliases:
+                - boulder-hsm
+      environment:
+          PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
+      command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm.so
+      expose:
+        - 5657
+  bmysql:
+      image: mariadb:10.1
+      hostname: boulder-mysql
+      networks:
+          default:
+              aliases:
+                - boulder-mysql
+      environment:
+          MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
+
+  brabbitmq:
+      image: rabbitmq:3-alpine
+      hostname: boulder-rabbitmq
+      networks:
+          default:
+              aliases:
+                - boulder-rabbitmq
+      environment:
+          RABBITMQ_NODE_IP_ADDRESS: "0.0.0.0"
+
+  traefik:
+      build:
+        context: ../..
+      image: containous/traefik:latest
+      command: --configFile=/etc/traefik/conf/acme.toml
+      restart: unless-stopped
+      extra_hosts:
+        - traefik.localhost.com:$IP_HOST
+      volumes:
+        - "./acme.toml:/etc/traefik/conf/acme.toml:ro"
+        - "/var/run/docker.sock:/var/run/docker.sock:ro"
+        - "./acme.json:/etc/traefik/conf/acme.json:rw"
+      ports:
+        - "80:80"
+        - "443:443"
+        - "5001:443" # Needed for SNI challenge
+      expose:
+        - "8080"
+      labels:
+        - "traefik.port=8080"
+        - "traefik.backend=traefikception"
+        - "traefik.frontend.rule=Host:traefik.localhost.com"
+        - "traefik.enable=true"
+      depends_on:
+        - boulder

examples/acme/manage_acme_docker_environment.sh

@@ -0,0 +1,101 @@
+#! /usr/bin/env bash
+
+# Initialize variables
+readonly traefik_url="traefik.localhost.com"
+readonly basedir=$(dirname $0)
+readonly doc_file=$basedir"/compose-acme.yml"
+
+# Stop and remove Docker environment
+down_environment() {
+    echo "STOP Docker environment"
+    ! docker-compose -f $doc_file down -v &>/dev/null && \
+        echo "[ERROR] Impossible to stop the Docker environment" && exit 11
+}
+
+# Create and start Docker-compose environment or subpart of its services (if services are listed)
+# $@ : List of services to start (optional)
+up_environment() {
+    echo "START Docker environment"
+    ! docker-compose -f $doc_file up -d $@ &>/dev/null && \
+        echo "[ERROR] Impossible to start Docker environment" && exit 21
+}
+
+# Init the environment : get IP address and create needed files
+init_environment() {
+    for netw in $(ip addr show | grep -v "LOOPBACK" | grep -v docker | grep -oE "^[0-9]{1}: .*:" | cut -d ':' -f2); do
+        ip_addr=$(ip addr show $netw | grep -E "inet " | grep -Eo "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | head -n 1)
+        [[ ! -z $ip_addr ]] && break
+    done
+
+    [[ -z $ip_addr ]] && \
+        echo "[ERROR] Impossible to find an IP address for the Docker host" && exit 31
+
+    # The $traefik_url entry must exist into /etc/hosts file
+    # It has to refer to the $ip_addr IP address
+        [[ $(cat /etc/hosts | grep $traefik_url | grep -vE "^#" | grep -oE "([0-9]+(\.)?){4}") != $ip_addr ]] && \
+            echo "[ERROR] Domain ${traefik_url} has to refer to ${ip_addr} into /etc/hosts file." && exit 32
+    # Export IP_HOST to use it in the DOcker COmpose file
+    export IP_HOST=$ip_addr
+
+    echo "CREATE empty acme.json file"
+    rm -f $basedir/acme.json && \
+    touch $basedir/acme.json && \
+    chmod 600 $basedir/acme.json # Needed for ACME
+}
+
+# Start all the environement
+start() {
+    init_environment
+    echo "Start boulder environment"
+    up_environment bmysql brabbitmq bhsm boulder
+    waiting_counter=12
+    # Not start Traefik if boulder is not started
+    echo "WAIT for boulder..."
+    while [[ -z $(curl -s http://$traefik_url:4000/directory) ]]; do
+        sleep 5
+        let waiting_counter-=1
+        if [[ $waiting_counter -eq 0 ]]; then
+            echo "[ERROR] Impossible to start boulder container in the allowed time, the Docker environment will be stopped"
+            down_environment
+            exit 41
+        fi
+    done
+    echo "START Traefik container"
+    up_environment traefik
+}
+
+# Script usage
+show_usage() {
+    echo
+    echo "USAGE : manage_acme_docker_environment.sh [--start|--stop|--restart]"
+    echo
+}
+
+# Main method
+# $@ All parameters given
+main() {
+
+    [[ $# -ne 1 ]] && show_usage && exit 1
+
+    case $1 in
+        "--start")
+            # Start boulder environment
+            start
+            echo "ENVIRONMENT SUCCESSFULLY STARTED"
+            ;;
+        "--stop")
+            ! down_environment
+            echo "ENVIRONMENT SUCCESSFULLY STOPPED"
+            ;;
+        "--restart")
+            down_environment
+            start
+            echo "ENVIRONMENT SUCCESSFULLY STARTED"
+            ;;
+        *)
+            show_usage && exit 2
+            ;;
+    esac
+}
+
+main $@

examples/k8s/cheese-ingress.yaml

@@ -4,21 +4,21 @@ metadata:
   name: cheese
 spec:
   rules:
-  - host: stilton.local
+  - host: stilton.minikube
     http:
       paths:
       - path: /
         backend:
           serviceName: stilton
           servicePort: http
-  - host: cheddar.local
+  - host: cheddar.minikube
     http:
       paths:
       - path: /
         backend:
           serviceName: cheddar
           servicePort: http
-  - host: wensleydale.local
+  - host: wensleydale.minikube
     http:
       paths:
       - path: /

examples/k8s/cheeses-ingress.yaml

@@ -3,10 +3,10 @@ kind: Ingress
 metadata:
   name: cheeses
   annotations:
-    traefik.frontend.rule.type: pathprefixstrip
+    traefik.frontend.rule.type: PathPrefixStrip
 spec:
   rules:
-  - host: cheeses.local
+  - host: cheeses.minikube
     http:
       paths:
       - path: /stilton

examples/k8s/traefik-deployment.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: traefik-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        args:
+        - --web
+        - --kubernetes
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: traefik-ingress-service
+  namespace: kube-system
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+    - protocol: TCP
+      port: 80
+      name: web
+    - protocol: TCP
+      port: 8080
+      name: admin
+  type: NodePort

examples/k8s/traefik-ds.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+---
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      hostNetwork: true
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        ports:
+        - name: http
+          containerPort: 80
+          hostPort: 80
+        - name: admin
+          containerPort: 8080
+        securityContext:
+          privileged: true
+        args:
+        - -d
+        - --web
+        - --kubernetes
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: traefik-ingress-service
+  namespace: kube-system
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+    - protocol: TCP
+      port: 80
+      name: web
+    - protocol: TCP
+      port: 8080
+      name: admin
+  type: NodePort

examples/k8s/traefik-rbac.yaml

@@ -10,6 +10,7 @@ rules:
       - pods
       - services
       - endpoints
+      - secrets
     verbs:
       - get
       - list

examples/k8s/traefik.yaml

@@ -1,47 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: traefik-ingress-controller
-  namespace: kube-system
----
-kind: DaemonSet
-apiVersion: extensions/v1beta1
-metadata:
-  name: traefik-ingress-controller
-  namespace: kube-system
-  labels:
-    k8s-app: traefik-ingress-lb
-spec:
-  template:
-    metadata:
-      labels:
-        k8s-app: traefik-ingress-lb
-        name: traefik-ingress-lb
-    spec:
-      serviceAccountName: traefik-ingress-controller
-      terminationGracePeriodSeconds: 60
-      hostNetwork: true
-      containers:
-      - image: traefik
-        name: traefik-ingress-lb
-        resources:
-          limits:
-            cpu: 200m
-            memory: 30Mi
-          requests:
-            cpu: 100m
-            memory: 20Mi
-        ports:
-        - name: http
-          containerPort: 80
-          hostPort: 80
-        - name: admin
-          containerPort: 8081
-        securityContext:
-          privileged: true
-        args:
-        - -d
-        - --web
-        - --web.address=:8081
-        - --kubernetes

examples/k8s/ui.yaml

@@ -10,7 +10,7 @@ spec:
   ports:
   - name: web
     port: 80
-    targetPort: 8081
+    targetPort: 8080
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
@@ -19,7 +19,7 @@ metadata:
   namespace: kube-system
 spec:
   rules:
-  - host: traefik-ui.local
+  - host: traefik-ui.minikube
     http:
       paths:
       - path: /

examples/traefik.crt

@@ -1,21 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIJAPPVb4fq4kkvMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTUxMDE5MTk0MTU4WhcNMTYxMDE4MTk0MTU4WjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAsPnpfnUPbQxSu3oq38OaX/Q6LKZ5gnS04F8kREF2RvCDMWiKOWru+hXb
-udkwU7Fx+7BcDBGsnJGFpY23dDcRurxF1DVs1jIFukH/vbYyHE8JQEgvOGSpDEiv
-rfbcxqK8E/VMrI10eXYGxWzaTFWQOND2PAJ1b5JvZrrzc8rfJ7h5Q24GKnw1999t
-hwsZgpUOh9te7fz1M4XxxRRoliMg0oH9EV3P9Yqq635tjWOix8PcnpcqnRKXVDhk
-TcNtE+45RsPoSgM6nkiXt8HP4afaVUAGAzF41kDm94SNexcyk7gyVsLs2cEI61Eu
-mhvpP3z91md+eAa3If7kU1w70WiY1wIDAQABo1AwTjAdBgNVHQ4EFgQUue6v2TkZ
-1oR0ZzEnnxfKdsGuBPMwHwYDVR0jBBgwFoAUue6v2TkZ1oR0ZzEnnxfKdsGuBPMw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAk+xxO8gC40R7+5WVtWvA
-+chNsOoxKyFBOPvGzrYGQbt4OBWKrwQmMXSY3VnjY4GzVaZpOCJOxnupKfZrK4AP
-G+M+NI+J6fHJRCQdov7Xoje5M14FmgjRiLg+haDZhh//11C7P6MQPAzGNUTpUyqV
-Hsi/wwCYvre5bApb/4uDkDlZkLrgN4e1q8+gh6XLj8NPEOEBEI4VpMVoieC1PwnK
-pRfNlTsEhyjeMmOllw9fBKMEvEf1BKsJGaKmQ7zCr1nWznCxyI1Fuf66TfmL8/up
-lK6sQysLEOIgn2gZEjQz4O/9Jj9v8+TvyP4GZIDsCiv33AaeKJVuSkoeCH0Ls2V8
-aQ==
+MIIDHDCCAgQCCQDODsC1A72mSDANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJG
+UjELMAkGA1UECAwCTVAxDTALBgNVBAcMBFRsc2UxEzARBgNVBAoMCkNvbnRhaW5v
+dXMxEDAOBgNVBAsMB1RyYWVmaWswHhcNMTcwODI1MTQxMzU3WhcNMjcwODIzMTQx
+MzU3WjBQMQswCQYDVQQGEwJGUjELMAkGA1UECAwCTVAxDTALBgNVBAcMBFRsc2Ux
+EzARBgNVBAoMCkNvbnRhaW5vdXMxEDAOBgNVBAsMB1RyYWVmaWswggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCacKEL5+AlaArZWyfysY1qbtOWdGj0xwq1
+tZ6GZ0fb+0uVeKzJxPBulpwhmXiofUncvFOpr1paaQQRRgE71A6PSIzc64a3NGmm
+dbju3eOdFVm9za37asFTA2Y87v9HSYJyNSeQgdVCbykhHBrHPrP6kfPx8T7uiPRT
+cYWhL9Ko1IuW2rTjMt2UUmk1IPk2WFMWKM1mopqzrxu/NB+O5wOs7MRO1Z8BtAak
+bclxCQaaE0TgjChlxVPP0us77rCq3///i9kf1x0PGt/LyseaxzAoKfZ6kM6Uq0yk
+psWGSxu7sPXmERsN4tZLj7d/J5A2nvnO7h/bhl2FtBAauzsi3LIbAgMBAAEwDQYJ
+KoZIhvcNAQELBQADggEBACQbp2gcCFbbQE47SwdI7rWDIITylHj0uCXHJfUggkUl
+F/WHIBUdpVaWVOLSysmG8n6fmWTDZOCVNA1+XMjRZUPwVvr//XHjcFpOKfHW47r2
+VeMHQYQpZH7QmsjyvxXZOrz/Ft3uA9Dna1N5nHRYflpfasdRmXbNK81IykR93Dfn
+jV9ecDAQl0ru/YcMmabYx3uoWyTvO57EnbXfiPcwIdKGpykXKTv64vAMtkrJicgX
+jhh+p7ayKklfxinEL7/GCjfSBip7J4DszvLVoyIzmS7HjVdJkpu9agZLYsSl4tCJ
+qnh7nkp/Fd0XdTV17FwL/veMlpq9AkillIKjHl6vFL0=
 -----END CERTIFICATE-----

examples/traefik.key

@@ -1,28 +1,27 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCw+el+dQ9tDFK7
-eirfw5pf9DospnmCdLTgXyREQXZG8IMxaIo5au76Fdu52TBTsXH7sFwMEayckYWl
-jbd0NxG6vEXUNWzWMgW6Qf+9tjIcTwlASC84ZKkMSK+t9tzGorwT9UysjXR5dgbF
-bNpMVZA40PY8AnVvkm9muvNzyt8nuHlDbgYqfDX3322HCxmClQ6H217t/PUzhfHF
-FGiWIyDSgf0RXc/1iqrrfm2NY6LHw9yelyqdEpdUOGRNw20T7jlGw+hKAzqeSJe3
-wc/hp9pVQAYDMXjWQOb3hI17FzKTuDJWwuzZwQjrUS6aG+k/fP3WZ354Brch/uRT
-XDvRaJjXAgMBAAECggEAHvnvO5ojtBOXG4d7n6TuDWODFzOgSwxAaJFemK/Ykvwg
-CnLg1sH3yEAxMGtqgQurBsHMqrQhQVpbSSnv9WB6MvQnSMh9H1SsGfjZWYxdYwUW
-enDoCvfbevHyBgISjJYJU3j5Da7It0XIU6AE6Z2EW91/a+uGQJwh8ZpBaIAW5S2j
-B3k+bASANtwEcDdhGE7iLYeHiAttZo89oSSFZP/mwh84pIU29zUVUtsUaHXrob0p
-iyGXKPa8NqTvIsbX5Kh/lbbCO4KwsOqgs/eqL7cLSv2VfTmSQCJz+ikiVzcw/vJU
-PaT9H4SCBLP73/Gyjf5P14esWvprPQ3ZnWNNDDGWsQKBgQDoWqxQUy6PKY9or7QH
-M985y52Y0QlWdmRaLc8gxfWLU4/3Wn0NH1flkFXJ5X9uZFNoGMQpidJBajepzkNO
-/54V+1NCLUWl7SE5gMeFG8QtEE7ISyjut71CUDSn5mOp7EBARmqRpMZhmXT42RZi
-1zVDkG08ArKdH0Jnvkq5lWHGbwKBgQDC/IYJXkd27XZO+Ti8TdzaU+SSJV26aY++
-0N4pzq0cC6IWadHugH/XrgkfH+ImPzkf6XHrCSqSipJJLZMd473/8IjdOsf54wDP
-/yHKPXWhfC4W2L+6+l34Jo/ebnuDVvDme1nKLcdmxhwz4YZfg/TYbWaFzANrl3St
-beGg9ENIGQKBgBr6/GtPXWauUsK7NFJpyY/yfthR3Z22nayDCTwrAHovN9ZnIYI2
-k4RKoEuTZJqy96Rsy8pvAIUsCk6jbtlrgTXYOzDCBQZhZKxCsehY8wywihVj9NrT
-ZxyeJ58fd48xqbxM8O78jTSkFxsWSi0sBDlWOfjv70GjcZiOVir6l6HtAoGBAJeA
-MAENcQeV4AviltOwx/4Xmwx23gmeRaMklMn1HQoie9FgbU4cJ7kEL3AwjL3c99y0
-vN+7Ion0A0+6iol5z8ISObVzG7gsShBSkwWZlVFgtErqJKb6K5NJGxXf0DYvkkPy
-6cQup7VSDs282HRUiiSzdCpXZvztFCpAq0QtJi3ZAoGACjtJ7zEVs0hB7+sCq/SI
-UHjjv/fjGSm1TVDP46Joqbm62FRdYkEhd+pGMjtGs80OhM+psTZIqe/fgKdKl5yX
-nS9m6f4ny6XCcilfI3+bxXtsmWnpQnybSU2goe2n+Eoi3RcEB68Hp8U0aPjgDULM
-9YDU/ZMupHh/eT79n67QIXw=
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAmnChC+fgJWgK2Vsn8rGNam7TlnRo9McKtbWehmdH2/tLlXis
+ycTwbpacIZl4qH1J3LxTqa9aWmkEEUYBO9QOj0iM3OuGtzRppnW47t3jnRVZvc2t
++2rBUwNmPO7/R0mCcjUnkIHVQm8pIRwaxz6z+pHz8fE+7oj0U3GFoS/SqNSLltq0
+4zLdlFJpNSD5NlhTFijNZqKas68bvzQfjucDrOzETtWfAbQGpG3JcQkGmhNE4Iwo
+ZcVTz9LrO+6wqt///4vZH9cdDxrfy8rHmscwKCn2epDOlKtMpKbFhksbu7D15hEb
+DeLWS4+3fyeQNp75zu4f24ZdhbQQGrs7ItyyGwIDAQABAoIBAQCYFpBSJC/1Rmdg
+s0c81iMYjDlsMgll/FmMpmWNoEoA1ZESintGW94WWdU5tWRAMNm7Oe797ISDAmYS
+CKmQXH1WFzE5IexRoJjmZ4oOGY9cEzmEE/fg3rmxYWieWxIkBr0icTwcL+9u8/9B
+7uZkDli5SmA8g8HgsBhD0Eizel/vB5DyUtm8VoVYvDkkljYO/PGT/ectclr6JK9g
+biP4jkA2a3CTb8KeyBTrYbULWCtwZ7H5fmySXIX4QpJmEcx5Af7nYITU0OEK63uV
+NKCQLDpHyOrDIj+mwjxASBQdUDU7NApCR2MrzmGDRPPCGiEWYao5bCrsNRAoDFuy
+Ux2H+jnRAoGBAM2nOcjJ7nKmOEUTyB0J9ElJRBoChBJAF3ak/aj4xDYAz/hadQL0
+OuulOgmYwHjv7Y5Tx6P5ZQgyComa6rKfNZ/mzgm1wMPsKOi5q5T2Zj/0Pt6xih3x
++PxonLiIS7221U5xlBZUyW1LLIM4gT7NS9n2pxBuNESotmSwFnPru4OzAoGBAMA/
+vyXAnOTRi1on8TDItdPDgq13s0I+q+Fj4+KVCEifRiT9P9NRKQNfvRZI39QGmJ+x
+kGx6VY96SZo5ysm4ElkcKLJ7EcZ38XehG9rar6ZLEAgY4KnA4wDZWmJ1dUm4ZJZI
+Sj2EFmb30V1FP/qo9TFro5Je6P0m9TjFeLKwF4P5AoGAKIu0x9KQMYh2BaB9zsPc
+pupMA/jFAzghqCGlZUAOpzsHxcZH1ZpDV5xO0f+Myws6wdngvYJ5GeGL1E93wFnF
+X85Ihv+PjtEry553prnhtPA5yPwl5/uCBHm3lGZC0JeQfJPGB5UV1XeBwilMyg39
+y25mx8WChprgwv84ngg3AyMCgYEAlb2RPvCFw9xK9FAEFwFeTrELyd1gLIrwCcBq
+MYPvTdFxK0JuQkQG8+/QMdlVLaptmoUNftDSb8zKI2w8PV44PFwofsxJDhNCavF7
+5r1K7vWsaQIni1EH/xNMyT+/uUn8XumzmbKWWGFSG5niuXR8dp/mag2u3+9GNY/p
+8RQjXNECgYAnA7rQ7UVayRQUL8NKB0jhP/J0UomrJRXYx+J5UP7QIoObXlTbDVSi
+VTAiSrhPQIFa1s8ghUgCghwq6KJsZoQzrp1fLLlV/HIN+4XXhYVAmOI/k41rCj/0
+eYTkXlXyFpcaW3h9vVjT1wN9FwbU1kNpFo/PvDLM/SQB7GhFRznDDw==
+-----END RSA PRIVATE KEY-----

glide.lock

@@ -1,5 +1,5 @@
-hash: e59e8244152a823cd3633fb09cdd583c4e5be78d7b50fb7047ba6b6a9ed5e8ec
-updated: 2017-05-19T23:30:19.890844996+02:00
+hash: 7b973a5de5444f7f29252ae78529ee50569174b2c17f4aa89bf15aaf2553c6b7
+updated: 2017-08-25T11:52:16.848940186+02:00
 imports:
 - name: cloud.google.com/go
   version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
@@ -7,7 +7,11 @@ imports:
   - compute/metadata
   - internal
 - name: github.com/abbot/go-http-auth
-  version: d45c47bedec736d172957bd394786b76626fa8ac
+  version: 0ddd408d5d60ea76e320503cc7dd091992dee608
+- name: github.com/aokoli/goutils
+  version: 3391d3790d23d03408670993e957e8f408993c34
+- name: github.com/armon/go-proxyproto
+  version: 48572f11356f1843b694f21a290d4f1006bc5e47
 - name: github.com/ArthurHlt/go-eureka-client
   version: 9d0a49cbd39aa3634ae1977e9f519a262b10adaf
   subpackages:
@@ -82,26 +86,18 @@ imports:
   version: 9208b142303c12d8899bae836fd524ac9338b4fd
 - name: github.com/codegangsta/cli
   version: bf4a526f48af7badd25d2cb02d587e1b01be3b50
-- name: github.com/codegangsta/negroni
-  version: c0db5feaa33826cd5117930c8f4ee5c0f565eec6
 - name: github.com/containous/flaeg
   version: b5d2dc5878df07c2d74413348186982e7b865871
 - name: github.com/containous/mux
-  version: a819b77bba13f0c0cbe36e437bc2e948411b3996
+  version: af6ea922f7683d9706834157e6b0610e22ccb2db
 - name: github.com/containous/staert
   version: 1e26a71803e428fd933f5f9c8e50a26878f53147
 - name: github.com/coreos/etcd
   version: c400d05d0aa73e21e431c16145e558d624098018
   subpackages:
-  - Godeps/_workspace/src/github.com/coreos/go-systemd/journal
-  - Godeps/_workspace/src/github.com/coreos/pkg/capnslog
-  - Godeps/_workspace/src/github.com/ugorji/go/codec
-  - Godeps/_workspace/src/golang.org/x/net/context
   - client
-  - pkg/fileutil
   - pkg/pathutil
   - pkg/types
-  - version
 - name: github.com/coreos/go-oidc
   version: 5644a2f50e2d2d5ba0b474bc5bc55fea1925936d
   subpackages:
@@ -133,52 +129,91 @@ imports:
   subpackages:
   - dnsimple
 - name: github.com/docker/distribution
-  version: 325b0804fef3a66309d962357aac3c2ce3f4d329
+  version: b38e5838b7b2f2ad48e06ec4b500011976080621
   subpackages:
-  - digest
+  - context
+  - digestset
   - reference
+  - registry/api/errcode
+  - registry/api/v2
+  - registry/client
+  - registry/client/auth
+  - registry/client/auth/challenge
+  - registry/client/transport
+  - registry/storage/cache
+  - registry/storage/cache/memory
+  - uuid
 - name: github.com/docker/docker
-  version: 49bf474f9ed7ce7143a59d1964ff7b7fd9b52178
-  subpackages:
-  - namesgenerator
-- name: github.com/docker/engine-api
-  version: 3d1601b9d2436a70b0dfc045a23f6503d19195df
+  version: 75c7536d2e2e328b644bf69153de879d1d197988
   subpackages:
+  - api
+  - api/types
+  - api/types/blkiodev
+  - api/types/container
+  - api/types/events
+  - api/types/filters
+  - api/types/image
+  - api/types/mount
+  - api/types/network
+  - api/types/registry
+  - api/types/strslice
+  - api/types/swarm
+  - api/types/time
+  - api/types/versions
+  - api/types/volume
+  - builder/dockerignore
   - client
-  - client/transport
-  - client/transport/cancellable
-  - types
-  - types/blkiodev
-  - types/container
-  - types/events
-  - types/filters
-  - types/network
-  - types/reference
-  - types/registry
-  - types/strslice
-  - types/swarm
-  - types/time
-  - types/versions
+  - opts
+  - pkg/archive
+  - pkg/fileutils
+  - pkg/gitutils
+  - pkg/homedir
+  - pkg/httputils
+  - pkg/idtools
+  - pkg/ioutils
+  - pkg/jsonlog
+  - pkg/jsonmessage
+  - pkg/longpath
+  - pkg/mount
+  - pkg/namesgenerator
+  - pkg/pools
+  - pkg/progress
+  - pkg/promise
+  - pkg/random
+  - pkg/stdcopy
+  - pkg/streamformatter
+  - pkg/stringid
+  - pkg/symlink
+  - pkg/system
+  - pkg/tarsum
+  - pkg/term
+  - pkg/term/windows
+  - pkg/tlsconfig
+  - pkg/urlutil
+  - registry
+  - runconfig/opts
 - name: github.com/docker/go-connections
-  version: 990a1a1a70b0da4c4cb70e117971a4f0babfbf1a
+  version: e15c02316c12de00874640cd76311849de2aeed5
   subpackages:
   - nat
   - sockets
   - tlsconfig
 - name: github.com/docker/go-units
-  version: 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
+  version: 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
 - name: github.com/docker/leadership
   version: 0a913e2d71a12fd14a028452435cb71ac8d82cb6
 - name: github.com/docker/libkv
-  version: 1d8431073ae03cdaedb198a89722f3aab6d418ef
+  version: 93ab0e6c056d325dfbb11e1d58a3b4f5f62e7f3c
   subpackages:
   - store
   - store/boltdb
   - store/consul
   - store/etcd
   - store/zookeeper
+- name: github.com/docker/libtrust
+  version: 9cbd2a1374f46905c68a4eb3694a130610adc62a
 - name: github.com/donovanhide/eventsource
-  version: fd1de70867126402be23c306e1ce32828455d85b
+  version: b8f31a59085e69dd2678cf51840db2ac625cb741
 - name: github.com/eapache/channels
   version: 47238d5aae8c0fefd518ef2bee46290909cf8263
 - name: github.com/eapache/queue
@@ -194,14 +229,14 @@ imports:
 - name: github.com/elazarl/go-bindata-assetfs
   version: 30f82fa23fd844bd5bb1e5f216db87fd77b5eb43
 - name: github.com/emicklei/go-restful
-  version: 892402ba11a2e2fd5e1295dd633481f27365f14d
+  version: 89ef8af493ab468a45a42bb0d89a06fccdd2fb22
   subpackages:
   - log
   - swagger
 - name: github.com/fatih/color
-  version: 9131ab34cf20d2f6d83fdc67168a5430d1c7dc23
+  version: 62e9147c64a1ed519147b62a56a14e83e2be02c1
 - name: github.com/gambol99/go-marathon
-  version: 15ea23e360abb8b25071e677aed344f31838e403
+  version: dd6cbd4c2d71294a19fb89158f2a00d427f174ab
 - name: github.com/ghodss/yaml
   version: 73d445a93680fa1a78ae23a5839bad48f32ba1ee
 - name: github.com/go-ini/ini
@@ -209,9 +244,17 @@ imports:
 - name: github.com/go-kit/kit
   version: f66b0e13579bfc5a48b9e2a94b1209c107ea1f41
   subpackages:
+  - log
   - metrics
+  - metrics/dogstatsd
   - metrics/internal/lv
+  - metrics/internal/ratemap
+  - metrics/multi
   - metrics/prometheus
+  - metrics/statsd
+  - util/conn
+- name: github.com/go-logfmt/logfmt
+  version: 390ab7935ee28ec6b286364bba9b4dd6410cb3d5
 - name: github.com/go-openapi/jsonpointer
   version: 46af16f9f7b149af66e5d1bd010e3574dc06de98
 - name: github.com/go-openapi/jsonreference
@@ -220,19 +263,21 @@ imports:
   version: 6aced65f8501fe1217321abf0749d354824ba2ff
 - name: github.com/go-openapi/swag
   version: 1d0bd113de87027671077d3c71eb3ac5d7dbba72
+- name: github.com/go-stack/stack
+  version: 54be5f394ed2c3e19dac9134a40a95ba5a017f7b
 - name: github.com/gogo/protobuf
   version: 909568be09de550ed094403c2bf8a261b5bb730a
   subpackages:
   - proto
   - sortkeys
 - name: github.com/golang/glog
-  version: fca8c8854093a154ff1eb580aae10276ad6b1b5f
+  version: 44145f04b68cf362d9c4df2182967c2275eaefed
 - name: github.com/golang/protobuf
   version: 2bba0603135d7d7f5cb73b2125beeda19c09f4ef
   subpackages:
   - proto
 - name: github.com/google/go-github
-  version: 6896997c7c9fe603fb9d2e8e92303bb18481e60a
+  version: fe7d11f8add400587b6718d9f39a62e42cb04c28
   subpackages:
   - github
 - name: github.com/google/go-querystring
@@ -244,9 +289,9 @@ imports:
 - name: github.com/googleapis/gax-go
   version: 9af46dd5a1713e8b5cd71106287eba3cefdde50b
 - name: github.com/gorilla/context
-  version: 08b5f424b9271eedf6f9f0ce86cb9396ed337a42
+  version: 215affda49addc4c8ef7e2534915df2c8c35c6cd
 - name: github.com/gorilla/websocket
-  version: a91eba7f97777409bc2c443f5534d41dd20c5720
+  version: a69d9f6de432e2c6b296a947d8a5ee88f68522cf
 - name: github.com/hashicorp/consul
   version: 3f92cc70e8163df866873c16c6d89889b5c95fc4
   subpackages:
@@ -259,6 +304,10 @@ imports:
   version: 19f2c401e122352c047a84d6584dd51e2fb8fcc4
   subpackages:
   - coordinate
+- name: github.com/huandu/xstrings
+  version: 3959339b333561bf62a38b424fd41517c2c90f40
+- name: github.com/imdario/mergo
+  version: 3e95a51e0639b4cf372f2ccf74c86749d747fbdc
 - name: github.com/JamesClonk/vultr
   version: 0f156dd232bc4ebf8a32ba83fec57c0e4c9db69f
   subpackages:
@@ -269,14 +318,20 @@ imports:
   version: 72f9bd7c4e0c2a40055ab3d0f09654f730cce982
 - name: github.com/juju/ratelimit
   version: 77ed1c8a01217656d2080ad51981f6e99adaa177
+- name: github.com/kr/logfmt
+  version: b84e30acd515aadc4b783ad4ff83aff3299bdfe0
 - name: github.com/mailgun/timetools
-  version: fd192d755b00c968d312d23f521eb0cdc6f66bd0
+  version: 7e6055773c5137efbeb3bd2410d705fe10ab6bfd
 - name: github.com/mailru/easyjson
   version: d5b7844b561a7bc640052f1b935f7b800330d7e0
   subpackages:
   - buffer
   - jlexer
   - jwriter
+- name: github.com/Masterminds/semver
+  version: 59c29afe1a994eacb71c833025ca7acf874bb1da
+- name: github.com/Masterminds/sprig
+  version: 9526be0327b26ad31aa70296a7b10704883976d5
 - name: github.com/mattn/go-colorable
   version: 5411d3eea5978e6cdc258b30de592b60df6aba96
   repo: https://github.com/mattn/go-colorable
@@ -312,21 +367,30 @@ imports:
   - records/state
   - util
 - name: github.com/Microsoft/go-winio
-  version: fff283ad5116362ca252298cfc9b95828956d85d
+  version: f533f7a102197536779ea3a8cb881d639e21ec5a
 - name: github.com/miekg/dns
   version: 8060d9f51305bbe024b99679454e62f552cd0b0b
 - name: github.com/mitchellh/mapstructure
-  version: 53818660ed4955e899c0bcafa97299a388bd7c8e
+  version: d0303fe809921458f417bcf828397a65db30a7e4
 - name: github.com/mvdan/xurls
   version: db96455566f05ffe42bd6ac671f05eeb1152b45d
+- name: github.com/Nvveen/Gotty
+  version: 6018b68f96b839edfbe3fb48668853f5dbad88a3
+  repo: https://github.com/ijc25/Gotty.git
+  vcs: git
 - name: github.com/NYTimes/gziphandler
-  version: 22d4470af89e09998fc16b35029df973932df4ae
+  version: 824b33f2a7457025697878c865c323f801118043
+  repo: https://github.com/containous/gziphandler.git
+  vcs: git
 - name: github.com/ogier/pflag
   version: 45c278ab3607870051a2ea9040bb85fcb8557481
-- name: github.com/opencontainers/runc
-  version: 50401b5b4c2e01e4f1372b73a021742deeaf4e2d
+- name: github.com/opencontainers/go-digest
+  version: a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+- name: github.com/opencontainers/image-spec
+  version: f03dbe35d449c54915d235f1a3cf8f585a24babe
   subpackages:
-  - libcontainer/user
+  - specs-go
+  - specs-go/v1
 - name: github.com/ovh/go-ovh
   version: d2207178e10e4527e8f222fd8707982df8c3af17
   subpackages:
@@ -334,7 +398,7 @@ imports:
 - name: github.com/pborman/uuid
   version: ca53cad383cad2479bbba7f7a1a05797ec1386e4
 - name: github.com/pkg/errors
-  version: ff09b135c25aae272398c51a07235b90a75aa4f0
+  version: c605e284fe17294bda444b34710735b29d1a9d90
 - name: github.com/pmezard/go-difflib
   version: d8ed2627bdf02c080bf22230dbb337003b7aba2d
   subpackages:
@@ -370,6 +434,10 @@ imports:
   version: 5b8f6cc26b355ba03d7611fce3844155b7baf05b
   subpackages:
   - client
+- name: github.com/rancher/go-rancher-metadata
+  version: 95d4962a8f0420be24fb49c2cb4f5491284c62f1
+  subpackages:
+  - metadata
 - name: github.com/ryanuber/go-glob
   version: 256dc444b735e061061cf46c809487313d5b0065
 - name: github.com/samuel/go-zookeeper
@@ -381,7 +449,7 @@ imports:
 - name: github.com/Sirupsen/logrus
   version: 10f801ebc38b33738c9d17d50860f484a0988ff5
 - name: github.com/spf13/pflag
-  version: 5ccb023bc27df288a957c5e994cd44fd19619465
+  version: cb88ea77998c3f024757528e3305022ab50b43be
 - name: github.com/streamrail/concurrent-map
   version: 8bf1e9bacbf65b10c81d0f4314cf2b1ebef728b5
 - name: github.com/stretchr/objx
@@ -406,10 +474,12 @@ imports:
   - codec
 - name: github.com/unrolled/render
   version: 50716a0a853771bb36bfce61a45cdefdb98c2e6e
-- name: github.com/vdemeester/docker-events
-  version: be74d4929ec1ad118df54349fda4b0cba60f849b
+- name: github.com/unrolled/secure
+  version: 824e85271811af89640ea25620c67f6c2eed987e
+- name: github.com/urfave/negroni
+  version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
 - name: github.com/vulcand/oxy
-  version: f88530866c561d24a6b5aac49f76d6351b788b9f
+  version: 6c94d2888dba2b1a15a89b8a2ca515fc85e07477
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:
@@ -462,6 +532,8 @@ imports:
   - bcrypt
   - blowfish
   - ocsp
+  - pbkdf2
+  - scrypt
 - name: golang.org/x/net
   version: 242b6b35177ec3909636b6cf6a47e8c2c6324b5d
   subpackages:
@@ -475,6 +547,7 @@ imports:
   - proxy
   - publicsuffix
   - trace
+  - websocket
 - name: golang.org/x/oauth2
   version: 7fdf09982454086d5570c7db3e11f360194830ca
   subpackages:
@@ -483,7 +556,7 @@ imports:
   - jws
   - jwt
 - name: golang.org/x/sys
-  version: 8d1157a435470616f975ff9bb013bea8d0962067
+  version: 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
   subpackages:
   - unix
   - windows
@@ -500,6 +573,10 @@ imports:
   - unicode/bidi
   - unicode/norm
   - width
+- name: golang.org/x/time
+  version: 8be79e1e0910c292df4e79c241bb7e8f7e725959
+  subpackages:
+  - rate
 - name: google.golang.org/api
   version: 9bf6e6e569ff057f75d9604a46c52928f17d2b54
   subpackages:
@@ -539,11 +616,6 @@ imports:
   version: 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 - name: gopkg.in/ini.v1
   version: e7fea39b01aea8d5671f6858f0532f56e8bff3a5
-- name: gopkg.in/mgo.v2
-  version: 3f83fa5005286a7fe593b055f0d7771a7dce4655
-  subpackages:
-  - bson
-  - internal/json
 - name: gopkg.in/ns1/ns1-go.v2
   version: 2abc76c60bf88ba33b15d1d87a13f624d8dff956
   subpackages:
@@ -670,4 +742,66 @@ imports:
   - tools/clientcmd/api
   - tools/metrics
   - transport
-testImports: []
+testImports:
+- name: github.com/Azure/go-ansiterm
+  version: 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
+  subpackages:
+  - winterm
+- name: github.com/docker/cli
+  version: d95fd2f38cfc23e077530c6181330727d561b6a0
+  subpackages:
+  - cli/command/image/build
+  - cli/config
+  - cli/config/configfile
+- name: github.com/docker/libcompose
+  version: 1b708aac26a4fc6f9bff31728a8e3a252ef57dbd
+  subpackages:
+  - config
+  - docker
+  - docker/auth
+  - docker/builder
+  - docker/client
+  - docker/container
+  - docker/ctx
+  - docker/image
+  - docker/network
+  - docker/service
+  - docker/volume
+  - labels
+  - logger
+  - lookup
+  - project
+  - project/events
+  - project/options
+  - utils
+  - version
+  - yaml
+- name: github.com/flynn/go-shlex
+  version: 3f9db97f856818214da2e1057f8ad84803971cff
+- name: github.com/go-check/check
+  version: 11d3bc7aa68e238947792f30573146a3231fc0f1
+- name: github.com/gorilla/mux
+  version: e444e69cbd2e2e3e0749a2f3c717cec491552bbf
+- name: github.com/libkermit/compose
+  version: 2048f803f56422a65b455f918d4a61704dc94603
+  subpackages:
+  - check
+- name: github.com/libkermit/docker
+  version: ddede409294e8c5ae66d68ac09edb6b27e8f3e4a
+- name: github.com/libkermit/docker-check
+  version: e0695005d6819191cf8969b479c94c40c8d22aa4
+- name: github.com/opencontainers/runc
+  version: b6b70e53451794e8333e9b602cc096b47a20bd0f
+  subpackages:
+  - libcontainer/system
+  - libcontainer/user
+- name: github.com/stvp/go-udp-testing
+  version: 06eb4f886d9f8242b0c176cf0d3ce5ec2cedda05
+- name: github.com/vdemeester/shakers
+  version: 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
+- name: github.com/xeipuuv/gojsonpointer
+  version: 6fe8760cad3569743d51ddbb243b26f8456742dc
+- name: github.com/xeipuuv/gojsonreference
+  version: e02fc20de94c78484cd5ffb007f8af96be030a45
+- name: github.com/xeipuuv/gojsonschema
+  version: 0c8571ac0ce161a5feb57375a9cdf148c98c0f70

glide.yaml

@@ -1,14 +1,18 @@
 package: github.com/containous/traefik
+ignore:
+- github.com/sirupsen/logrus
 import:
 - package: github.com/BurntSushi/toml
+  version: v0.3.0
 - package: github.com/BurntSushi/ty
   subpackages:
   - fun
 - package: github.com/Sirupsen/logrus
+  version: 10f801ebc38b33738c9d17d50860f484a0988ff5
 - package: github.com/cenk/backoff
 - package: github.com/containous/flaeg
 - package: github.com/vulcand/oxy
-  version: f88530866c561d24a6b5aac49f76d6351b788b9f
+  version: 6c94d2888dba2b1a15a89b8a2ca515fc85e07477
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:
@@ -18,22 +22,19 @@ import:
   - roundrobin
   - stream
   - utils
+- package: github.com/urfave/negroni
+  version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
 - package: github.com/containous/staert
   version: 1e26a71803e428fd933f5f9c8e50a26878f53147
-- package: github.com/docker/engine-api
-  version: v0.4.0
-  subpackages:
-  - client
-  - types
-  - types/events
-  - types/filters
+- package: github.com/docker/docker
+  version: 75c7536d2e2e328b644bf69153de879d1d197988
 - package: github.com/docker/go-connections
-  version: v0.2.1
+  version: e15c02316c12de00874640cd76311849de2aeed5
   subpackages:
   - sockets
   - tlsconfig
 - package: github.com/docker/go-units
-  version: 0dadbb0345b35ec7ef35e228dabb8de89a65bf52
+  version: 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
 - package: github.com/docker/libkv
   subpackages:
   - store
@@ -47,29 +48,20 @@ import:
   subpackages:
   - api
 - package: github.com/streamrail/concurrent-map
-- package: github.com/stretchr/testify
-  subpackages:
-  - assert
-  - mock
-  - require
 - package: github.com/thoas/stats
   version: 152b5d051953fdb6e45f14b6826962aadc032324
 - package: github.com/unrolled/render
-- package: github.com/vdemeester/docker-events
-  version: be74d4929ec1ad118df54349fda4b0cba60f849b
 - package: github.com/vulcand/vulcand
   version: 42492a3a85e294bdbdd1bcabb8c12769a81ea284
   subpackages:
   - plugin/rewrite
+- package: github.com/vulcand/predicate
+  version: 19b9dde14240d94c804ae5736ad0e1de10bf8fe6
 - package: github.com/xenolf/lego
   version: 5dfe609afb1ebe9da97c9846d97a55415e5a5ccd
   subpackages:
   - acme
 - package: gopkg.in/fsnotify.v1
-- package: github.com/docker/docker
-  version: v1.13.0
-  subpackages:
-  - namesgenerator
 - package: github.com/mattn/go-shellwords
 - package: github.com/ryanuber/go-glob
 - package: github.com/mesos/mesos-go
@@ -87,13 +79,16 @@ import:
   vcs: git
 - package: github.com/abbot/go-http-auth
 - package: github.com/NYTimes/gziphandler
+  repo: https://github.com/containous/gziphandler.git
+  vcs: git
+  version: ^v1002.0.0
 - package: github.com/docker/leadership
 - package: github.com/satori/go.uuid
   version: ^1.1.0
 - package: k8s.io/client-go
   version: v2.0.0
 - package: github.com/gambol99/go-marathon
-  version: d672c6fbb499596869d95146a26e7d0746c06c54
+  version: dd6cbd4c2d71294a19fb89158f2a00d427f174ab
 - package: github.com/ArthurHlt/go-eureka-client
   subpackages:
   - eureka
@@ -107,18 +102,46 @@ import:
 - package: github.com/go-kit/kit
   version: v0.3.0
   subpackages:
+  - log
   - metrics
+  - metrics/dogstatsd
+  - metrics/multi
+  - metrics/prometheus
+  - metrics/statsd
+  - util/conn
+- package: github.com/prometheus/client_golang
+  version: 08fd2e12372a66e68e30523c7642e0cbc3e4fbde
+  subpackages:
+  - prometheus
+- package: github.com/prometheus/common
+  version: 49fee292b27bfff7f354ee0f64e1bc4850462edf
+- package: github.com/prometheus/client_model
+  version: 6f3806018612930941127f2a7c6c453ba2c527d2
+- package: github.com/prometheus/procfs
+  version: a1dba9ce8baed984a2495b658c82687f8157b98f
+- package: github.com/matttproud/golang_protobuf_extensions
+  version: c12348ce28de40eed0136aa2b644d0ee0650e56c
 - package: github.com/eapache/channels
   version: v1.1.0
 - package: golang.org/x/sys
-  version: 8d1157a435470616f975ff9bb013bea8d0962067
+  version: 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
 - package: golang.org/x/net
   version: 242b6b35177ec3909636b6cf6a47e8c2c6324b5d
   subpackages:
   - http2
   - context
+  - websocket
 - package: github.com/docker/distribution
-  version: v2.6.0
+  version: b38e5838b7b2f2ad48e06ec4b500011976080621
+- package: github.com/opencontainers/go-digest
+  version: a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+- package: github.com/opencontainers/image-spec
+  version: f03dbe35d449c54915d235f1a3cf8f585a24babe
+  subpackages:
+  - specs-go
+  - specs-go/v1
+- package: github.com/docker/libtrust
+  version: 9cbd2a1374f46905c68a4eb3694a130610adc62a
 - package: github.com/aws/aws-sdk-go
   version: v1.6.18
   subpackages:
@@ -142,11 +165,59 @@ import:
   version: v0.3
   subpackages:
   - proto
+- package: github.com/golang/protobuf
+  version: 2bba0603135d7d7f5cb73b2125beeda19c09f4ef
 - package: github.com/rancher/go-rancher
   version: 5b8f6cc26b355ba03d7611fce3844155b7baf05b
-- package: golang.org/x/oauth2/google
+- package: golang.org/x/oauth2
   version: 7fdf09982454086d5570c7db3e11f360194830ca
+  subpackages:
+  - google
+- package: golang.org/x/time
+  version: 8be79e1e0910c292df4e79c241bb7e8f7e725959
+- package: github.com/rancher/go-rancher-metadata
+  version: 95d4962a8f0420be24fb49c2cb4f5491284c62f1
 - package: github.com/googleapis/gax-go
   version: 9af46dd5a1713e8b5cd71106287eba3cefdde50b
 - package: google.golang.org/grpc
   version: v1.2.0
+- package: github.com/unrolled/secure
+  version: 824e85271811af89640ea25620c67f6c2eed987e
+- package: github.com/Nvveen/Gotty
+  version: 6018b68f96b839edfbe3fb48668853f5dbad88a3
+  repo: https://github.com/ijc25/Gotty.git
+  vcs: git
+- package: github.com/spf13/pflag
+  version: cb88ea77998c3f024757528e3305022ab50b43be
+- package: github.com/stretchr/testify
+  version: 4d4bfba8f1d1027c4fdbe371823030df51419987
+  subpackages:
+  - assert
+  - mock
+  - require
+- package: github.com/davecgh/go-spew
+  version: 04cdfd42973bb9c8589fd6a731800cf222fde1a9
+  subpackages:
+  - spew
+- package: github.com/Masterminds/sprig
+  version: e039e20e500c2c025d9145be375e27cf42a94174
+- package: github.com/armon/go-proxyproto
+  version: 48572f11356f1843b694f21a290d4f1006bc5e47
+testImport:
+- package: github.com/stvp/go-udp-testing
+- package: github.com/docker/libcompose
+  version: 1b708aac26a4fc6f9bff31728a8e3a252ef57dbd
+- package: github.com/go-check/check
+  version: 11d3bc7aa68e238947792f30573146a3231fc0f1
+- package: github.com/libkermit/compose
+  version: 2048f803f56422a65b455f918d4a61704dc94603
+  subpackages:
+  - check
+- package: github.com/libkermit/docker
+  version: ddede409294e8c5ae66d68ac09edb6b27e8f3e4a
+- package: github.com/libkermit/docker-check
+  version: e0695005d6819191cf8969b479c94c40c8d22aa4
+- package: github.com/mattn/go-shellwords
+- package: github.com/vdemeester/shakers
+- package: github.com/docker/cli
+  version: d95fd2f38cfc23e077530c6181330727d561b6a0

healthcheck/healthcheck.go

@@ -3,8 +3,10 @@ package healthcheck
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
+	"strconv"
 	"sync"
 	"time"
 
@@ -27,6 +29,7 @@ func GetHealthCheck() *HealthCheck {
 // Options are the public health check options.
 type Options struct {
 	Path     string
+	Port     int
 	Interval time.Duration
 	LB       LoadBalancer
 }
@@ -95,7 +98,7 @@ func (hc *HealthCheck) execute(ctx context.Context, backendID string, backend *B
 	for {
 		select {
 		case <-ctx.Done():
-			log.Debugf("Stopping all current Healthcheck goroutines")
+			log.Debug("Stopping all current Healthcheck goroutines")
 			return
 		case <-ticker.C:
 			log.Debugf("Refreshing healthcheck for currentBackend %s ", backendID)
@@ -127,11 +130,32 @@ func checkBackend(currentBackend *BackendHealthCheck) {
 	}
 }
 
+func (backend *BackendHealthCheck) newRequest(serverURL *url.URL) (*http.Request, error) {
+	if backend.Options.Port == 0 {
+		return http.NewRequest("GET", serverURL.String()+backend.Path, nil)
+	}
+
+	// copy the url and add the port to the host
+	u := &url.URL{}
+	*u = *serverURL
+	u.Host = net.JoinHostPort(u.Hostname(), strconv.Itoa(backend.Options.Port))
+	u.Path = u.Path + backend.Path
+
+	return http.NewRequest("GET", u.String(), nil)
+}
+
 func checkHealth(serverURL *url.URL, backend *BackendHealthCheck) bool {
 	client := http.Client{
 		Timeout: backend.requestTimeout,
 	}
-	resp, err := client.Get(serverURL.String() + backend.Path)
+	req, err := backend.newRequest(serverURL)
+	if err != nil {
+		log.Errorf("Failed to create HTTP request [%s] for healthcheck: %s", serverURL, err)
+		return false
+	}
+
+	resp, err := client.Do(req)
+
 	if err == nil {
 		defer resp.Body.Close()
 	}

healthcheck/healthcheck_test.go

@@ -2,7 +2,6 @@ package healthcheck
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -10,87 +9,17 @@ import (
 	"testing"
 	"time"
 
+	"github.com/containous/traefik/testhelpers"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
 const healthCheckInterval = 100 * time.Millisecond
 
-type testLoadBalancer struct {
-	// RWMutex needed due to parallel test execution: Both the system-under-test
-	// and the test assertions reference the counters.
-	*sync.RWMutex
-	numRemovedServers  int
-	numUpsertedServers int
-	servers            []*url.URL
-}
-
-func (lb *testLoadBalancer) RemoveServer(u *url.URL) error {
-	lb.Lock()
-	defer lb.Unlock()
-	lb.numRemovedServers++
-	lb.removeServer(u)
-	return nil
-}
-
-func (lb *testLoadBalancer) UpsertServer(u *url.URL, options ...roundrobin.ServerOption) error {
-	lb.Lock()
-	defer lb.Unlock()
-	lb.numUpsertedServers++
-	lb.servers = append(lb.servers, u)
-	return nil
-}
-
-func (lb *testLoadBalancer) Servers() []*url.URL {
-	return lb.servers
-}
-
-func (lb *testLoadBalancer) removeServer(u *url.URL) {
-	var i int
-	var serverURL *url.URL
-	for i, serverURL = range lb.servers {
-		if *serverURL == *u {
-			break
-		}
-	}
-
-	lb.servers = append(lb.servers[:i], lb.servers[i+1:]...)
-}
-
 type testHandler struct {
 	done           func()
 	healthSequence []bool
 }
 
-func newTestServer(done func(), healthSequence []bool) *httptest.Server {
-	handler := &testHandler{
-		done:           done,
-		healthSequence: healthSequence,
-	}
-	return httptest.NewServer(handler)
-}
-
-// ServeHTTP returns 200 or 503 HTTP response codes depending on whether the
-// current request is marked as healthy or not.
-// It calls the given 'done' function once all request health indicators have
-// been depleted.
-func (th *testHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if len(th.healthSequence) == 0 {
-		panic("received unexpected request")
-	}
-
-	healthy := th.healthSequence[0]
-	if healthy {
-		w.WriteHeader(http.StatusOK)
-	} else {
-		w.WriteHeader(http.StatusServiceUnavailable)
-	}
-
-	th.healthSequence = th.healthSequence[1:]
-	if len(th.healthSequence) == 0 {
-		th.done()
-	}
-}
-
 func TestSetBackendsConfiguration(t *testing.T) {
 	tests := []struct {
 		desc                   string
@@ -153,20 +82,20 @@ func TestSetBackendsConfiguration(t *testing.T) {
 				Interval: healthCheckInterval,
 				LB:       lb,
 			})
-			serverURL := MustParseURL(ts.URL)
+			serverURL := testhelpers.MustParseURL(ts.URL)
 			if test.startHealthy {
 				lb.servers = append(lb.servers, serverURL)
 			} else {
 				backend.disabledURLs = append(backend.disabledURLs, serverURL)
 			}
 
-			healthCheck := HealthCheck{
+			check := HealthCheck{
 				Backends: make(map[string]*BackendHealthCheck),
 			}
 			wg := sync.WaitGroup{}
 			wg.Add(1)
 			go func() {
-				healthCheck.execute(ctx, "id", backend)
+				check.execute(ctx, "id", backend)
 				wg.Done()
 			}()
 
@@ -193,10 +122,139 @@ func TestSetBackendsConfiguration(t *testing.T) {
 	}
 }
 
-func MustParseURL(rawurl string) *url.URL {
-	u, err := url.Parse(rawurl)
-	if err != nil {
-		panic(fmt.Sprintf("failed to parse URL '%s': %s", rawurl, err))
+func TestNewRequest(t *testing.T) {
+	tests := []struct {
+		desc     string
+		host     string
+		port     int
+		path     string
+		expected string
+	}{
+		{
+			desc:     "no port override",
+			host:     "backend1:80",
+			port:     0,
+			path:     "/test",
+			expected: "http://backend1:80/test",
+		},
+		{
+			desc:     "port override",
+			host:     "backend2:80",
+			port:     8080,
+			path:     "/test",
+			expected: "http://backend2:8080/test",
+		},
+		{
+			desc:     "no port override with no port in host",
+			host:     "backend1",
+			port:     0,
+			path:     "/health",
+			expected: "http://backend1/health",
+		},
+		{
+			desc:     "port override with no port in host",
+			host:     "backend2",
+			port:     8080,
+			path:     "/health",
+			expected: "http://backend2:8080/health",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+			backend := NewBackendHealthCheck(
+				Options{
+					Path: test.path,
+					Port: test.port,
+				})
+
+			u := &url.URL{
+				Scheme: "http",
+				Host:   test.host,
+			}
+
+			req, err := backend.newRequest(u)
+			if err != nil {
+				t.Fatalf("failed to create new backend request: %s", err)
+			}
+
+			actual := req.URL.String()
+			if actual != test.expected {
+				t.Fatalf("got %s for healthcheck URL, wanted %s", actual, test.expected)
+			}
+		})
+	}
+}
+
+type testLoadBalancer struct {
+	// RWMutex needed due to parallel test execution: Both the system-under-test
+	// and the test assertions reference the counters.
+	*sync.RWMutex
+	numRemovedServers  int
+	numUpsertedServers int
+	servers            []*url.URL
+}
+
+func (lb *testLoadBalancer) RemoveServer(u *url.URL) error {
+	lb.Lock()
+	defer lb.Unlock()
+	lb.numRemovedServers++
+	lb.removeServer(u)
+	return nil
+}
+
+func (lb *testLoadBalancer) UpsertServer(u *url.URL, options ...roundrobin.ServerOption) error {
+	lb.Lock()
+	defer lb.Unlock()
+	lb.numUpsertedServers++
+	lb.servers = append(lb.servers, u)
+	return nil
+}
+
+func (lb *testLoadBalancer) Servers() []*url.URL {
+	return lb.servers
+}
+
+func (lb *testLoadBalancer) removeServer(u *url.URL) {
+	var i int
+	var serverURL *url.URL
+	for i, serverURL = range lb.servers {
+		if *serverURL == *u {
+			break
+		}
+	}
+
+	lb.servers = append(lb.servers[:i], lb.servers[i+1:]...)
+}
+
+func newTestServer(done func(), healthSequence []bool) *httptest.Server {
+	handler := &testHandler{
+		done:           done,
+		healthSequence: healthSequence,
+	}
+	return httptest.NewServer(handler)
+}
+
+// ServeHTTP returns 200 or 503 HTTP response codes depending on whether the
+// current request is marked as healthy or not.
+// It calls the given 'done' function once all request health indicators have
+// been depleted.
+func (th *testHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if len(th.healthSequence) == 0 {
+		panic("received unexpected request")
+	}
+
+	healthy := th.healthSequence[0]
+	if healthy {
+		w.WriteHeader(http.StatusOK)
+	} else {
+		w.WriteHeader(http.StatusServiceUnavailable)
+	}
+
+	th.healthSequence = th.healthSequence[1:]
+	if len(th.healthSequence) == 0 {
+		th.done()
 	}
-	return u
 }

integration/access_log_test.go

@@ -1,4 +1,4 @@
-package main
+package integration
 
 import (
 	"fmt"
@@ -7,41 +7,51 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"os/exec"
-	"regexp"
 	"strings"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
-	shellwords "github.com/mattn/go-shellwords"
-
+	"github.com/mattn/go-shellwords"
 	checker "github.com/vdemeester/shakers"
 )
 
+const (
+	traefikTestLogFile       = "traefik.log"
+	traefikTestAccessLogFile = "access.log"
+)
+
 // AccessLogSuite
 type AccessLogSuite struct{ BaseSuite }
 
 func (s *AccessLogSuite) TestAccessLog(c *check.C) {
 	// Ensure working directory is clean
-	os.Remove("access.log")
-	os.Remove("traefik.log")
+	os.Remove(traefikTestAccessLogFile)
+	os.Remove(traefikTestLogFile)
 
 	// Start Traefik
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/access_log_config.toml")
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/access_log_config.toml"))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
-	defer os.Remove("access.log")
-	defer os.Remove("traefik.log")
 
-	time.Sleep(500 * time.Millisecond)
+	defer os.Remove(traefikTestAccessLogFile)
+	defer os.Remove(traefikTestLogFile)
+
+	err = try.Do(1*time.Second, func() error {
+		if _, err := os.Stat(traefikTestLogFile); err != nil {
+			return fmt.Errorf("could not get stats for log file: %s", err)
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 
 	// Verify Traefik started OK
-	traefikLog, err := ioutil.ReadFile("traefik.log")
+	traefikLog, err := ioutil.ReadFile(traefikTestLogFile)
 	c.Assert(err, checker.IsNil)
 	if len(traefikLog) > 0 {
 		fmt.Printf("%s\n", string(traefikLog))
-		c.Assert(len(traefikLog), checker.Equals, 0)
+		c.Assert(traefikLog, checker.HasLen, 0)
 	}
 
 	// Start test servers
@@ -53,42 +63,46 @@ func (s *AccessLogSuite) TestAccessLog(c *check.C) {
 	defer ts3.Close()
 
 	// Make some requests
-	_, err = http.Get("http://127.0.0.1:8000/test1")
+	err = try.GetRequest("http://127.0.0.1:8000/test1", 500*time.Millisecond)
 	c.Assert(err, checker.IsNil)
-	_, err = http.Get("http://127.0.0.1:8000/test2")
+	err = try.GetRequest("http://127.0.0.1:8000/test2", 500*time.Millisecond)
 	c.Assert(err, checker.IsNil)
-	_, err = http.Get("http://127.0.0.1:8000/test2")
+	err = try.GetRequest("http://127.0.0.1:8000/test2", 500*time.Millisecond)
 	c.Assert(err, checker.IsNil)
 
 	// Verify access.log output as expected
-	accessLog, err := ioutil.ReadFile("access.log")
+	accessLog, err := ioutil.ReadFile(traefikTestAccessLogFile)
 	c.Assert(err, checker.IsNil)
 	lines := strings.Split(string(accessLog), "\n")
 	count := 0
 	for i, line := range lines {
 		if len(line) > 0 {
 			count++
-			tokens, err := shellwords.Parse(line)
-			c.Assert(err, checker.IsNil)
-			c.Assert(len(tokens), checker.Equals, 13)
-			c.Assert(tokens[6], checker.Equals, "200")
-			c.Assert(tokens[9], checker.Equals, fmt.Sprintf("%d", i+1))
-			c.Assert(strings.HasPrefix(tokens[10], "frontend"), checker.True)
-			c.Assert(strings.HasPrefix(tokens[11], "http://127.0.0.1:808"), checker.True)
-			c.Assert(regexp.MustCompile("^\\d+ms$").MatchString(tokens[12]), checker.True)
+			CheckAccessLogFormat(c, line, i)
 		}
 	}
-	c.Assert(count, checker.Equals, 3)
+	c.Assert(count, checker.GreaterOrEqualThan, 3)
 
 	// Verify no other Traefik problems
-	traefikLog, err = ioutil.ReadFile("traefik.log")
+	traefikLog, err = ioutil.ReadFile(traefikTestLogFile)
 	c.Assert(err, checker.IsNil)
 	if len(traefikLog) > 0 {
 		fmt.Printf("%s\n", string(traefikLog))
-		c.Assert(len(traefikLog), checker.Equals, 0)
+		c.Assert(traefikLog, checker.HasLen, 0)
 	}
 }
 
+func CheckAccessLogFormat(c *check.C, line string, i int) {
+	tokens, err := shellwords.Parse(line)
+	c.Assert(err, checker.IsNil)
+	c.Assert(tokens, checker.HasLen, 14)
+	c.Assert(tokens[6], checker.Matches, `^\d{3}$`)
+	c.Assert(tokens[10], checker.Equals, fmt.Sprintf("%d", i+1))
+	c.Assert(tokens[11], checker.HasPrefix, "frontend")
+	c.Assert(tokens[12], checker.HasPrefix, "http://127.0.0.1:808")
+	c.Assert(tokens[13], checker.Matches, `^\d+ms$`)
+}
+
 func startAccessLogServer(port int) (ts *httptest.Server) {
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "Received query %s!\n", r.URL.Path[1:])

integration/acme_test.go

@@ -1,42 +1,46 @@
-package main
+package integration
 
 import (
 	"crypto/tls"
+	"fmt"
 	"net/http"
-	"os"
-	"os/exec"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
+	"github.com/containous/traefik/testhelpers"
 	"github.com/go-check/check"
-
-	"errors"
-	"github.com/containous/traefik/integration/utils"
 	checker "github.com/vdemeester/shakers"
 )
 
 // ACME test suites (using libcompose)
 type AcmeSuite struct {
 	BaseSuite
+	boulderIP string
 }
 
+// Acme tests configuration
+type AcmeTestCase struct {
+	onDemand            bool
+	traefikConfFilePath string
+	domainToCheck       string
+}
+
+const (
+	// Domain to check
+	acmeDomain = "traefik.acme.wtf"
+
+	// Wildcard domain to check
+	wildcardDomain = "*.acme.wtf"
+)
+
 func (s *AcmeSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "boulder")
 	s.composeProject.Start(c)
 
-	boulderHost := s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
+	s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
 
 	// wait for boulder
-	err := utils.Try(120*time.Second, func() error {
-		resp, err := http.Get("http://" + boulderHost + ":4000/directory")
-		if err != nil {
-			return err
-		}
-		if resp.StatusCode != 200 {
-			return errors.New("Expected http 200 from boulder")
-		}
-		return nil
-	})
-
+	err := try.GetRequest("http://"+s.boulderIP+":4000/directory", 120*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -47,16 +51,63 @@ func (s *AcmeSuite) TearDownSuite(c *check.C) {
 	}
 }
 
-func (s *AcmeSuite) TestRetrieveAcmeCertificate(c *check.C) {
-	boulderHost := s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
-	file := s.adaptFile(c, "fixtures/acme/acme.toml", struct{ BoulderHost string }{boulderHost})
-	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+// Test OnDemand option with none provided certificate
+func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificate(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme.toml",
+		onDemand:            true,
+		domainToCheck:       acmeDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+// Test OnHostRule option with none provided certificate
+func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificate(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme.toml",
+		onDemand:            false,
+		domainToCheck:       acmeDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+// Test OnDemand option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
+		onDemand:            true,
+		domainToCheck:       wildcardDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+// Test onHostRule option with a wildcard provided certificate
+func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
+	testCase := AcmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
+		onDemand:            false,
+		domainToCheck:       wildcardDomain}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+// Doing an HTTPS request and test the response certificate
+func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
+	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
+		BoulderHost          string
+		OnDemand, OnHostRule bool
+	}{
+		BoulderHost: s.boulderIP,
+		OnDemand:    testCase.onDemand,
+		OnHostRule:  !testCase.onDemand,
+	})
+
+	cmd, output := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	backend := startTestServer("9010", 200)
+	backend := startTestServer("9010", http.StatusOK)
 	defer backend.Close()
 
 	tr := &http.Transport{
@@ -65,28 +116,50 @@ func (s *AcmeSuite) TestRetrieveAcmeCertificate(c *check.C) {
 	client := &http.Client{Transport: tr}
 
 	// wait for traefik (generating acme account take some seconds)
-	err = utils.Try(30*time.Second, func() error {
+	err = try.Do(90*time.Second, func() error {
 		_, err := client.Get("https://127.0.0.1:5001")
-		if err != nil {
 		return err
-		}
-		return nil
 	})
+	// TODO: waiting a refactor of integration tests
+	s.displayTraefikLog(c, output)
 	c.Assert(err, checker.IsNil)
 
 	tr = &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
-			ServerName:         "traefik.acme.wtf",
+			ServerName:         acmeDomain,
 		},
 	}
 	client = &http.Client{Transport: tr}
-	req, _ := http.NewRequest("GET", "https://127.0.0.1:5001/", nil)
-	req.Host = "traefik.acme.wtf"
-	req.Header.Set("Host", "traefik.acme.wtf")
+
+	req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
+	req.Host = acmeDomain
+	req.Header.Set("Host", acmeDomain)
 	req.Header.Set("Accept", "*/*")
-	resp, err := client.Do(req)
+
+	var resp *http.Response
+
+	// Retry to send a Request which uses the LE generated certificate
+	err = try.Do(60*time.Second, func() error {
+		resp, err = client.Do(req)
+
+		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
+		req.Close = true
+
+		if err != nil {
+			return err
+		}
+
+		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
+		if cn != testCase.domainToCheck {
+			return fmt.Errorf("domain %s found in place of %s", cn, testCase.domainToCheck)
+		}
+
+		return nil
+	})
+
 	c.Assert(err, checker.IsNil)
-	// Expected a 200
-	c.Assert(resp.StatusCode, checker.Equals, 200)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	// Check Domain into response certificate
+	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.domainToCheck)
 }

integration/basic_test.go

@@ -1,13 +1,13 @@
-package main
+package integration
 
 import (
+	"fmt"
 	"net/http"
-	"os/exec"
+	"strings"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
-
-	"bytes"
 	checker "github.com/vdemeester/shakers"
 )
 
@@ -15,76 +15,89 @@ import (
 type SimpleSuite struct{ BaseSuite }
 
 func (s *SimpleSuite) TestInvalidConfigShouldFail(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/invalid_configuration.toml")
+	cmd, output := s.cmdTraefik(withConfigFile("fixtures/invalid_configuration.toml"))
 
-	var b bytes.Buffer
-	cmd.Stdout = &b
-	cmd.Stderr = &b
-
-	cmd.Start()
-	time.Sleep(500 * time.Millisecond)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
-	output := b.Bytes()
 
-	c.Assert(string(output), checker.Contains, "Near line 0 (last key parsed ''): bare keys cannot contain '{'")
+	err = try.Do(500*time.Millisecond, func() error {
+		expected := "Near line 0 (last key parsed ''): bare keys cannot contain '{'"
+		actual := output.String()
+
+		if !strings.Contains(actual, expected) {
+			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *SimpleSuite) TestSimpleDefaultConfig(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_default.toml")
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/simple_default.toml"))
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(500 * time.Millisecond)
 	// TODO validate : run on 80
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *SimpleSuite) TestWithWebConfig(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_web.toml")
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/simple_web.toml"))
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(500 * time.Millisecond)
-
-	resp, err := http.Get("http://127.0.0.1:8080/api")
-	// Expected a 200
+	err = try.GetRequest("http://127.0.0.1:8080/api", 1*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 }
 
 func (s *SimpleSuite) TestDefaultEntryPoints(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--debug")
+	cmd, output := s.cmdTraefik("--debug")
 
-	var b bytes.Buffer
-	cmd.Stdout = &b
-	cmd.Stderr = &b
-
-	cmd.Start()
-	time.Sleep(500 * time.Millisecond)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
-	output := b.Bytes()
 
-	c.Assert(string(output), checker.Contains, "\"DefaultEntryPoints\":[\"http\"]")
+	err = try.Do(500*time.Millisecond, func() error {
+		expected := "\"DefaultEntryPoints\":[\"http\"]"
+		actual := output.String()
+
+		if !strings.Contains(actual, expected) {
+			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *SimpleSuite) TestPrintHelp(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--help")
+	cmd, output := s.cmdTraefik("--help")
 
-	var b bytes.Buffer
-	cmd.Stdout = &b
-	cmd.Stderr = &b
-
-	cmd.Start()
-	time.Sleep(500 * time.Millisecond)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
-	output := b.Bytes()
 
-	c.Assert(string(output), checker.Not(checker.Contains), "panic:")
-	c.Assert(string(output), checker.Contains, "Usage:")
+	err = try.Do(500*time.Millisecond, func() error {
+		expected := "Usage:"
+		notExpected := "panic:"
+		actual := output.String()
+
+		if strings.Contains(actual, notExpected) {
+			return fmt.Errorf("Got %s", actual)
+		}
+		if !strings.Contains(actual, expected) {
+			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }

integration/constraint_test.go

@@ -1,13 +1,13 @@
-package main
+package integration
 
 import (
+	"fmt"
 	"net/http"
-	"os/exec"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
 	"github.com/hashicorp/consul/api"
-
 	checker "github.com/vdemeester/shakers"
 )
 
@@ -35,7 +35,16 @@ func (s *ConstraintSuite) SetUpSuite(c *check.C) {
 	s.consulClient = consulClient
 
 	// Wait for consul to elect itself leader
-	time.Sleep(2000 * time.Millisecond)
+	err = try.Do(3*time.Second, func() error {
+		leader, err := consulClient.Status().Leader()
+
+		if err != nil || len(leader) == 0 {
+			return fmt.Errorf("Leader not found. %v", err)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *ConstraintSuite) registerService(name string, address string, port int, tags []string) error {
@@ -71,7 +80,12 @@ func (s *ConstraintSuite) deregisterService(name string, address string) error {
 }
 
 func (s *ConstraintSuite) TestMatchConstraintGlobal(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--constraints=tag==api")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--constraints=tag==api")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -82,19 +96,21 @@ func (s *ConstraintSuite) TestMatchConstraintGlobal(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 }
 
 func (s *ConstraintSuite) TestDoesNotMatchConstraintGlobal(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--constraints=tag==api")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--constraints=tag==api")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -105,19 +121,21 @@ func (s *ConstraintSuite) TestDoesNotMatchConstraintGlobal(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *ConstraintSuite) TestMatchConstraintProvider(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--consulCatalog.constraints=tag==api")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -128,19 +146,21 @@ func (s *ConstraintSuite) TestMatchConstraintProvider(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 }
 
 func (s *ConstraintSuite) TestDoesNotMatchConstraintProvider(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--consulCatalog.constraints=tag==api")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -151,19 +171,22 @@ func (s *ConstraintSuite) TestDoesNotMatchConstraintProvider(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *ConstraintSuite) TestMatchMultipleConstraint(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api", "--constraints=tag!=us-*")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--consulCatalog.constraints=tag==api",
+		"--constraints=tag!=us-*")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -174,19 +197,22 @@ func (s *ConstraintSuite) TestMatchMultipleConstraint(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 }
 
 func (s *ConstraintSuite) TestDoesNotMatchMultipleConstraint(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml", "--consulCatalog.constraints=tag==api", "--constraints=tag!=us-*")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost",
+		"--consulCatalog.constraints=tag==api",
+		"--constraints=tag!=us-*")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
@@ -197,13 +223,10 @@ func (s *ConstraintSuite) TestDoesNotMatchMultipleConstraint(c *check.C) {
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/consul_catalog_test.go

@@ -1,14 +1,13 @@
-package main
+package integration
 
 import (
-	"io/ioutil"
+	"fmt"
 	"net/http"
-	"os/exec"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
 	"github.com/hashicorp/consul/api"
-
 	checker "github.com/vdemeester/shakers"
 )
 
@@ -31,12 +30,21 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 	config.Address = s.consulIP + ":8500"
 	consulClient, err := api.NewClient(config)
 	if err != nil {
-		c.Fatalf("Error creating consul client")
+		c.Fatalf("Error creating consul client. %v", err)
 	}
 	s.consulClient = consulClient
 
 	// Wait for consul to elect itself leader
-	time.Sleep(2000 * time.Millisecond)
+	err = try.Do(3*time.Second, func() error {
+		leader, err := consulClient.Status().Leader()
+
+		if err != nil || len(leader) == 0 {
+			return fmt.Errorf("Leader not found. %v", err)
+		}
+
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *ConsulCatalogSuite) registerService(name string, address string, port int, tags []string) error {
@@ -58,6 +66,30 @@ func (s *ConsulCatalogSuite) registerService(name string, address string, port i
 	return err
 }
 
+func (s *ConsulCatalogSuite) registerAgentService(name string, address string, port int, tags []string) error {
+	agent := s.consulClient.Agent()
+	err := agent.ServiceRegister(
+		&api.AgentServiceRegistration{
+			ID:      address,
+			Tags:    tags,
+			Name:    name,
+			Address: address,
+			Port:    port,
+			Check: &api.AgentServiceCheck{
+				HTTP:     "http://" + address,
+				Interval: "10s",
+			},
+		},
+	)
+	return err
+}
+
+func (s *ConsulCatalogSuite) deregisterAgentService(address string) error {
+	agent := s.consulClient.Agent()
+	err := agent.ServiceDeregister(address)
+	return err
+}
+
 func (s *ConsulCatalogSuite) deregisterService(name string, address string) error {
 	catalog := s.consulClient.Catalog()
 	_, err := catalog.Deregister(
@@ -72,42 +104,219 @@ func (s *ConsulCatalogSuite) deregisterService(name string, address string) erro
 }
 
 func (s *ConsulCatalogSuite) TestSimpleConfiguration(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--configFile=fixtures/consul_catalog/simple.toml")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(500 * time.Millisecond)
 	// TODO validate : run on 80
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--consulCatalog", "--consulCatalog.endpoint="+s.consulIP+":8500", "--consulCatalog.domain=consul.localhost", "--configFile=fixtures/consul_catalog/simple.toml")
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	nginx := s.composeProject.Container(c, "nginx")
+	nginx := s.composeProject.Container(c, "nginx1")
 
 	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
 	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
-	time.Sleep(5000 * time.Millisecond)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.consul.localhost"
-	resp, err := client.Do(req)
 
-	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
-
-	_, err = ioutil.ReadAll(resp.Body)
+	err = try.Request(req, 10*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestExposedByDefaultFalseSingleService(c *check.C) {
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusNotFound), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestExposedByDefaultFalseSimpleServiceMultipleNode(c *check.C) {
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	nginx2 := s.composeProject.Container(c, "nginx2")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 80, []string{"traefik.enable=true"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestExposedByDefaultTrueSimpleServiceMultipleNode(c *check.C) {
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	nginx2 := s.composeProject.Container(c, "nginx2")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 80, []string{"name=nginx2"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1", "nginx2"))
+	c.Assert(err, checker.IsNil)
+
+}
+
+func (s *ConsulCatalogSuite) TestRefreshConfigWithMultipleNodeWithoutHealthCheck(c *check.C) {
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	nginx2 := s.composeProject.Container(c, "nginx2")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	err = s.registerAgentService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering agent service"))
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.IsNil)
+
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 80, []string{"name=nginx2"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1", "nginx2"))
+	c.Assert(err, checker.IsNil)
+
+	s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.IsNil)
+
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 80, []string{"name=nginx2"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1", "nginx2"))
+	c.Assert(err, checker.IsNil)
+
+}
+
+func (s *ConsulCatalogSuite) TestBasicAuthSimpleService(c *check.C) {
+	cmd, output := s.cmdTraefik(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	defer func() {
+		s.displayTraefikLog(c, output)
+	}()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{
+		"traefik.frontend.auth.basic=test:$2a$06$O5NksJPAcgrC9MuANkSoE.Xe9DSg7KcLLFYNr1Lj6hPcMmvgwxhme,test2:$2y$10$xP1SZ70QbZ4K2bTGKJOhpujkpcLxQcB3kEPF6XAV19IdcqsZTyDEe",
+	})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusUnauthorized), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	req.SetBasicAuth("test", "test")
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	req.SetBasicAuth("test2", "test2")
+	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
 	c.Assert(err, checker.IsNil)
 }

integration/consul_test.go

@@ -1,20 +1,17 @@
-package main
+package integration
 
 import (
 	"context"
-	"errors"
-	"io/ioutil"
+	"fmt"
 	"net/http"
 	"os"
-	"os/exec"
-	"strings"
 	"sync"
 	"time"
 
 	"github.com/containous/staert"
 	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/integration/utils"
-	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/integration/try"
+	"github.com/containous/traefik/types"
 	"github.com/docker/libkv"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/consul"
@@ -46,13 +43,7 @@ func (s *ConsulSuite) setupConsul(c *check.C) {
 	s.kv = kv
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := kv.Exists("test")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(kv, "test"))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -61,7 +52,7 @@ func (s *ConsulSuite) setupConsulTLS(c *check.C) {
 	s.composeProject.Start(c)
 
 	consul.Register()
-	clientTLS := &provider.ClientTLS{
+	clientTLS := &types.ClientTLS{
 		CA:                 "resources/tls/ca.cert",
 		Cert:               "resources/tls/consul.cert",
 		Key:                "resources/tls/consul.key",
@@ -85,13 +76,7 @@ func (s *ConsulSuite) setupConsulTLS(c *check.C) {
 	s.kv = kv
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := kv.Exists("test")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(kv, "test"))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -109,17 +94,15 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	consulHost := s.composeProject.Container(c, "consul").NetworkSettings.IPAddress
 	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulHost string }{consulHost})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(500 * time.Millisecond)
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *ConsulSuite) TestNominalConfiguration(c *check.C) {
@@ -127,28 +110,29 @@ func (s *ConsulSuite) TestNominalConfiguration(c *check.C) {
 	consulHost := s.composeProject.Container(c, "consul").NetworkSettings.IPAddress
 	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulHost string }{consulHost})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	whoami1 := s.composeProject.Container(c, "whoami1")
-	whoami2 := s.composeProject.Container(c, "whoami2")
-	whoami3 := s.composeProject.Container(c, "whoami3")
-	whoami4 := s.composeProject.Container(c, "whoami4")
+	whoami1IP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami3IP := s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
+	whoami4IP := s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
 
 	backend1 := map[string]string{
 		"traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
-		"traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server1/url":       "http://" + whoami1IP + ":80",
 		"traefik/backends/backend1/servers/server1/weight":    "10",
-		"traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server2/url":       "http://" + whoami2IP + ":80",
 		"traefik/backends/backend1/servers/server2/weight":    "1",
 	}
 	backend2 := map[string]string{
 		"traefik/backends/backend2/loadbalancer/method":    "drr",
-		"traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server1/url":    "http://" + whoami3IP + ":80",
 		"traefik/backends/backend2/servers/server1/weight": "1",
-		"traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server2/url":    "http://" + whoami4IP + ":80",
 		"traefik/backends/backend2/servers/server2/weight": "2",
 	}
 	frontend1 := map[string]string{
@@ -181,68 +165,38 @@ func (s *ConsulSuite) TestNominalConfiguration(c *check.C) {
 	}
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := s.kv.Exists("traefik/frontends/frontend2/routes/test_2/rule")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(s.kv, "traefik/frontends/frontend2/routes/test_2/rule"))
 	c.Assert(err, checker.IsNil)
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Path:/test") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
-	response, err := client.Do(req)
 
+	err = try.Request(req, 500*time.Millisecond,
+		try.StatusCodeIs(200),
+		try.BodyContainsOr(whoami3IP, whoami4IP))
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
 
-	body, err := ioutil.ReadAll(response.Body)
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/test", nil)
 	c.Assert(err, checker.IsNil)
-	if !strings.Contains(string(body), whoami3.NetworkSettings.IPAddress) &&
-		!strings.Contains(string(body), whoami4.NetworkSettings.IPAddress) {
-		c.Fail()
-	}
 
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test", nil)
+	err = try.Request(req, 500*time.Millisecond,
+		try.StatusCodeIs(200),
+		try.BodyContainsOr(whoami1IP, whoami2IP))
 	c.Assert(err, checker.IsNil)
-	response, err = client.Do(req)
 
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/test2", nil)
+	try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
 
-	body, err = ioutil.ReadAll(response.Body)
-	c.Assert(err, checker.IsNil)
-	if !strings.Contains(string(body), whoami1.NetworkSettings.IPAddress) &&
-		!strings.Contains(string(body), whoami2.NetworkSettings.IPAddress) {
-		c.Fail()
-	}
-
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test2", nil)
-	resp, err := client.Do(req)
-	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
-
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	req.Host = "test2.localhost"
-	resp, err = client.Do(req)
+	try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *ConsulSuite) TestGlobalConfiguration(c *check.C) {
@@ -252,41 +206,36 @@ func (s *ConsulSuite) TestGlobalConfiguration(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := s.kv.Exists("traefik/entrypoints/http/address")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(s.kv, "traefik/entrypoints/http/address"))
 	c.Assert(err, checker.IsNil)
 
 	// start traefik
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_web.toml", "--consul", "--consul.endpoint="+consulHost+":8500")
-	// cmd.Stdout = os.Stdout
-	// cmd.Stderr = os.Stderr
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/simple_web.toml"),
+		"--consul",
+		"--consul.endpoint="+consulHost+":8500")
 
 	err = cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	whoami1 := s.composeProject.Container(c, "whoami1")
-	whoami2 := s.composeProject.Container(c, "whoami2")
-	whoami3 := s.composeProject.Container(c, "whoami3")
-	whoami4 := s.composeProject.Container(c, "whoami4")
+	whoami1IP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami3IP := s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
+	whoami4IP := s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
 
 	backend1 := map[string]string{
 		"traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
-		"traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server1/url":       "http://" + whoami1IP + ":80",
 		"traefik/backends/backend1/servers/server1/weight":    "10",
-		"traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend1/servers/server2/url":       "http://" + whoami2IP + ":80",
 		"traefik/backends/backend1/servers/server2/weight":    "1",
 	}
 	backend2 := map[string]string{
 		"traefik/backends/backend2/loadbalancer/method":    "drr",
-		"traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server1/url":    "http://" + whoami3IP + ":80",
 		"traefik/backends/backend2/servers/server1/weight": "1",
-		"traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"traefik/backends/backend2/servers/server2/url":    "http://" + whoami4IP + ":80",
 		"traefik/backends/backend2/servers/server2/weight": "2",
 	}
 	frontend1 := map[string]string{
@@ -319,37 +268,20 @@ func (s *ConsulSuite) TestGlobalConfiguration(c *check.C) {
 	}
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := s.kv.Exists("traefik/frontends/frontend2/routes/test_2/rule")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(s.kv, "traefik/frontends/frontend2/routes/test_2/rule"))
 	c.Assert(err, checker.IsNil)
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Path:/test") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
 	//check
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8001/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8001/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
-	response, err := client.Do(req)
 
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
 }
 
 func (s *ConsulSuite) skipTestGlobalConfigurationWithClientTLS(c *check.C) {
@@ -361,45 +293,36 @@ func (s *ConsulSuite) skipTestGlobalConfigurationWithClientTLS(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// wait for consul
-	err = utils.Try(60*time.Second, func() error {
-		_, err := s.kv.Exists("traefik/web/address")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(s.kv, "traefik/web/address"))
 	c.Assert(err, checker.IsNil)
 
 	// start traefik
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_web.toml",
-		"--consul", "--consul.endpoint="+consulHost+":8585",
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/simple_web.toml"),
+		"--consul",
+		"--consul.endpoint="+consulHost+":8585",
 		"--consul.tls.ca=resources/tls/ca.cert",
 		"--consul.tls.cert=resources/tls/consul.cert",
 		"--consul.tls.key=resources/tls/consul.key",
 		"--consul.tls.insecureskipverify")
-	// cmd.Stdout = os.Stdout
-	// cmd.Stderr = os.Stderr
 
 	err = cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, func(res *http.Response) error {
-		_, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8081/api/providers", 60*time.Second)
 	c.Assert(err, checker.IsNil)
-
 }
+
 func (s *ConsulSuite) TestCommandStoreConfig(c *check.C) {
 	s.setupConsul(c)
 	consulHost := s.composeProject.Container(c, "consul").NetworkSettings.IPAddress
 
-	cmd := exec.Command(traefikBinary, "storeconfig", "--configFile=fixtures/simple_web.toml", "--consul.endpoint="+consulHost+":8500")
+	cmd, _ := s.cmdTraefik(
+		"storeconfig",
+		withConfigFile("fixtures/simple_web.toml"),
+		"--consul.endpoint="+consulHost+":8500")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 
@@ -412,22 +335,18 @@ func (s *ConsulSuite) TestCommandStoreConfig(c *check.C) {
 		"/traefik/defaultentrypoints/0":     "http",
 		"/traefik/entrypoints/http/address": ":8000",
 		"/traefik/web/address":              ":8080",
-		"/traefik/consul/endpoint":          (consulHost + ":8500"),
+		"/traefik/consul/endpoint":          consulHost + ":8500",
 	}
 
 	for key, value := range checkmap {
 		var p *store.KVPair
-		err = utils.Try(60*time.Second, func() error {
+		err = try.Do(60*time.Second, func() error {
 			p, err = s.kv.Get(key)
-			if err != nil {
 			return err
-			}
-			return nil
 		})
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(p.Value), checker.Equals, value)
-
 	}
 }
 
@@ -457,12 +376,12 @@ func (s *ConsulSuite) TestDatastore(c *check.C) {
 		Int:    1,
 	})
 	c.Assert(err, checker.IsNil)
-	time.Sleep(2 * time.Second)
-	test1 := datastore1.Get().(*TestStruct)
-	c.Assert(test1.String, checker.Equals, "foo")
 
-	test2 := datastore2.Get().(*TestStruct)
-	c.Assert(test2.String, checker.Equals, "foo")
+	err = try.Do(3*time.Second, datastoreContains(datastore1, "foo"))
+	c.Assert(err, checker.IsNil)
+
+	err = try.Do(3*time.Second, datastoreContains(datastore2, "foo"))
+	c.Assert(err, checker.IsNil)
 
 	setter2, _, err := datastore2.Begin()
 	c.Assert(err, checker.IsNil)
@@ -471,12 +390,12 @@ func (s *ConsulSuite) TestDatastore(c *check.C) {
 		Int:    2,
 	})
 	c.Assert(err, checker.IsNil)
-	time.Sleep(2 * time.Second)
-	test1 = datastore1.Get().(*TestStruct)
-	c.Assert(test1.String, checker.Equals, "bar")
 
-	test2 = datastore2.Get().(*TestStruct)
-	c.Assert(test2.String, checker.Equals, "bar")
+	err = try.Do(3*time.Second, datastoreContains(datastore1, "bar"))
+	c.Assert(err, checker.IsNil)
+
+	err = try.Do(3*time.Second, datastoreContains(datastore2, "bar"))
+	c.Assert(err, checker.IsNil)
 
 	wg := &sync.WaitGroup{}
 	wg.Add(4)
@@ -520,3 +439,13 @@ func (s *ConsulSuite) TestDatastore(c *check.C) {
 	}()
 	wg.Wait()
 }
+
+func datastoreContains(datastore *cluster.Datastore, expectedValue string) func() error {
+	return func() error {
+		kvStruct := datastore.Get().(*TestStruct)
+		if kvStruct.String != expectedValue {
+			return fmt.Errorf("Got %s, wanted %s", kvStruct.String, expectedValue)
+		}
+		return nil
+	}
+}

integration/docker_test.go

@@ -1,4 +1,4 @@
-package main
+package integration
 
 import (
 	"encoding/json"
@@ -6,13 +6,13 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
 	"strings"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
+	"github.com/containous/traefik/types"
 	"github.com/docker/docker/pkg/namesgenerator"
 	"github.com/go-check/check"
-
 	d "github.com/libkermit/docker"
 	docker "github.com/libkermit/docker-check"
 	checker "github.com/vdemeester/shakers"
@@ -79,18 +79,15 @@ func (s *DockerSuite) TestSimpleConfiguration(c *check.C) {
 	file := s.adaptFileForHost(c, "fixtures/docker/simple.toml")
 	defer os.Remove(file)
 
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(500 * time.Millisecond)
 	// TODO validate : run on 80
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
-	c.Assert(err, checker.IsNil)
 	// Expected a 404 as we did not comfigure anything
-	c.Assert(resp.StatusCode, checker.Equals, 404)
+	err = try.GetRequest("http://127.0.0.1:8000/", 500*time.Millisecond, try.StatusCodeIs(404))
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *DockerSuite) TestDefaultDockerContainers(c *check.C) {
@@ -99,22 +96,18 @@ func (s *DockerSuite) TestDefaultDockerContainers(c *check.C) {
 	name := s.startContainer(c, "swarm:1.0.0", "manage", "token://blablabla")
 
 	// Start traefik
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
-	time.Sleep(1500 * time.Millisecond)
-
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/version", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = fmt.Sprintf("%s.docker.localhost", strings.Replace(name, "_", "-", -1))
-	resp, err := client.Do(req)
 
+	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
+	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, 200)
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 
 	body, err := ioutil.ReadAll(resp.Body)
 	c.Assert(err, checker.IsNil)
@@ -130,27 +123,23 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {
 	defer os.Remove(file)
 	// Start a container with some labels
 	labels := map[string]string{
-		"traefik.frontend.rule": "Host:my.super.host",
+		types.LabelFrontendRule: "Host:my.super.host",
 	}
 	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
 
 	// Start traefik
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
 	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
-	time.Sleep(1500 * time.Millisecond)
-
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/version", nil)
+	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
 	c.Assert(err, checker.IsNil)
-	req.Host = fmt.Sprintf("my.super.host")
-	resp, err := client.Do(req)
-
-	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 
 	body, err := ioutil.ReadAll(resp.Body)
 	c.Assert(err, checker.IsNil)
@@ -166,25 +155,23 @@ func (s *DockerSuite) TestDockerContainersWithOneMissingLabels(c *check.C) {
 	defer os.Remove(file)
 	// Start a container with some labels
 	labels := map[string]string{
-		"traefik.frontend.value": "my.super.host",
+		types.LabelTraefikFrontendValue: "my.super.host",
 	}
 	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
 
 	// Start traefik
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
 	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
-	time.Sleep(1500 * time.Millisecond)
-
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/version", nil)
+	// TODO validate : run on 80
+	// Expected a 404 as we did not comfigure anything
+	err = try.Request(req, 1500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	req.Host = fmt.Sprintf("my.super.host")
-	resp, err := client.Do(req)
-
-	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/dynamodb_test.go

@@ -1,12 +1,8 @@
-package main
+package integration
 
 import (
-	"errors"
-	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
-	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -14,7 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
-	"github.com/containous/traefik/integration/utils"
+	"github.com/containous/traefik/integration/try"
 	"github.com/containous/traefik/types"
 	"github.com/go-check/check"
 	checker "github.com/vdemeester/shakers"
@@ -49,7 +45,7 @@ func (s *DynamoDBSuite) SetUpSuite(c *check.C) {
 		Endpoint:    aws.String(dynamoURL),
 	}
 	var sess *session.Session
-	err := utils.Try(60*time.Second, func() error {
+	err := try.Do(60*time.Second, func() error {
 		_, err := session.NewSession(config)
 		if err != nil {
 			return err
@@ -57,6 +53,7 @@ func (s *DynamoDBSuite) SetUpSuite(c *check.C) {
 		sess = session.New(config)
 		return nil
 	})
+	c.Assert(err, checker.IsNil)
 	svc := dynamodb.New(sess)
 
 	// create dynamodb table
@@ -150,28 +147,20 @@ func (s *DynamoDBSuite) TestSimpleConfiguration(c *check.C) {
 	dynamoURL := "http://" + s.composeProject.Container(c, "dynamo").NetworkSettings.IPAddress + ":8000"
 	file := s.adaptFile(c, "fixtures/dynamodb/simple.toml", struct{ DynamoURL string }{dynamoURL})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
-	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 120*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Host:test.traefik.io") {
-			return errors.New("incorrect traefik config")
-		}
-		return nil
-	})
+
+	err = try.GetRequest("http://127.0.0.1:8081/api/providers", 120*time.Second, try.BodyContains("Host:test.traefik.io"))
 	c.Assert(err, checker.IsNil)
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8080", nil)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.traefik.io"
-	response, err := client.Do(req)
+
+	err = try.Request(req, 200*time.Millisecond, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
 }
 
 func (s *DynamoDBSuite) TearDownSuite(c *check.C) {

integration/error_pages_test.go

@@ -0,0 +1,69 @@
+package integration
+
+import (
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/containous/traefik/integration/try"
+	"github.com/go-check/check"
+	checker "github.com/vdemeester/shakers"
+)
+
+// ErrorPagesSuite test suites (using libcompose)
+type ErrorPagesSuite struct {
+	BaseSuite
+	ErrorPageIP string
+	BackendIP   string
+}
+
+func (s *ErrorPagesSuite) SetUpSuite(c *check.C) {
+	s.createComposeProject(c, "error_pages")
+	s.composeProject.Start(c)
+
+	s.ErrorPageIP = s.composeProject.Container(c, "nginx2").NetworkSettings.IPAddress
+	s.BackendIP = s.composeProject.Container(c, "nginx1").NetworkSettings.IPAddress
+}
+
+func (s *ErrorPagesSuite) TestSimpleConfiguration(c *check.C) {
+
+	file := s.adaptFile(c, "fixtures/error_pages/simple.toml", struct {
+		Server1 string
+		Server2 string
+	}{s.BackendIP, s.ErrorPageIP})
+	defer os.Remove(file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	frontendReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:80", nil)
+	c.Assert(err, checker.IsNil)
+	frontendReq.Host = "test.local"
+
+	err = try.Request(frontendReq, 2*time.Second, try.BodyContains("nginx"))
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ErrorPagesSuite) TestErrorPage(c *check.C) {
+
+	//error.toml contains a mis-configuration of the backend host
+	file := s.adaptFile(c, "fixtures/error_pages/error.toml", struct {
+		Server1 string
+		Server2 string
+	}{s.BackendIP, s.ErrorPageIP})
+	defer os.Remove(file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	frontendReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:80", nil)
+	c.Assert(err, checker.IsNil)
+	frontendReq.Host = "test.local"
+
+	err = try.Request(frontendReq, 2*time.Second, try.BodyContains("An error occurred."))
+	c.Assert(err, checker.IsNil)
+}

integration/etcd_test.go

@@ -1,23 +1,20 @@
-package main
+package integration
 
 import (
-	"github.com/go-check/check"
+	"crypto/tls"
+	"io/ioutil"
 	"net/http"
-	"os/exec"
+	"os"
+	"strings"
 	"time"
 
-	checker "github.com/vdemeester/shakers"
-
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"github.com/containous/traefik/integration/utils"
+	"github.com/containous/traefik/integration/try"
 	"github.com/docker/libkv"
 	"github.com/docker/libkv/store"
 	"github.com/docker/libkv/store/etcd"
-	"io/ioutil"
-	"os"
-	"strings"
+	"github.com/go-check/check"
+
+	checker "github.com/vdemeester/shakers"
 )
 
 // Etcd test suites (using libcompose)
@@ -45,12 +42,9 @@ func (s *EtcdSuite) SetUpTest(c *check.C) {
 	s.kv = kv
 
 	// wait for etcd
-	err = utils.Try(60*time.Second, func() error {
+	err = try.Do(60*time.Second, func() error {
 		_, err := kv.Exists("test")
-		if err != nil {
-			return fmt.Errorf("Etcd connection error to %s: %v", url, err)
-		}
-		return nil
+		return err
 	})
 	c.Assert(err, checker.IsNil)
 }
@@ -66,48 +60,49 @@ func (s *EtcdSuite) TearDownSuite(c *check.C) {}
 
 func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
+
 	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdHost string }{etcdHost})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(1000 * time.Millisecond)
 	// TODO validate : run on 80
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 func (s *EtcdSuite) TestNominalConfiguration(c *check.C) {
 	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
+
 	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdHost string }{etcdHost})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	whoami1 := s.composeProject.Container(c, "whoami1")
-	whoami2 := s.composeProject.Container(c, "whoami2")
-	whoami3 := s.composeProject.Container(c, "whoami3")
-	whoami4 := s.composeProject.Container(c, "whoami4")
+	whoami1IP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami3IP := s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
+	whoami4IP := s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
 
 	backend1 := map[string]string{
 		"/traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
-		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1IP + ":80",
 		"/traefik/backends/backend1/servers/server1/weight":    "10",
-		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2IP + ":80",
 		"/traefik/backends/backend1/servers/server2/weight":    "1",
 	}
 	backend2 := map[string]string{
 		"/traefik/backends/backend2/loadbalancer/method":    "drr",
-		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3IP + ":80",
 		"/traefik/backends/backend2/servers/server1/weight": "1",
-		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4IP + ":80",
 		"/traefik/backends/backend2/servers/server2/weight": "2",
 	}
 	frontend1 := map[string]string{
@@ -140,68 +135,56 @@ func (s *EtcdSuite) TestNominalConfiguration(c *check.C) {
 	}
 
 	// wait for etcd
-	err = utils.Try(60*time.Second, func() error {
+	err = try.Do(60*time.Second, func() error {
 		_, err := s.kv.Exists("/traefik/frontends/frontend2/routes/test_2/rule")
-		if err != nil {
 		return err
-		}
-		return nil
 	})
 	c.Assert(err, checker.IsNil)
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Path:/test") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8081/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
 	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
 	response, err := client.Do(req)
 
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
+	c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
 
 	body, err := ioutil.ReadAll(response.Body)
 	c.Assert(err, checker.IsNil)
-	if !strings.Contains(string(body), whoami3.NetworkSettings.IPAddress) &&
-		!strings.Contains(string(body), whoami4.NetworkSettings.IPAddress) {
+	if !strings.Contains(string(body), whoami3IP) &&
+		!strings.Contains(string(body), whoami4IP) {
 		c.Fail()
 	}
 
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test", nil)
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/test", nil)
 	c.Assert(err, checker.IsNil)
 	response, err = client.Do(req)
 
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
+	c.Assert(response.StatusCode, checker.Equals, http.StatusOK)
 
 	body, err = ioutil.ReadAll(response.Body)
 	c.Assert(err, checker.IsNil)
-	if !strings.Contains(string(body), whoami1.NetworkSettings.IPAddress) &&
-		!strings.Contains(string(body), whoami2.NetworkSettings.IPAddress) {
+	if !strings.Contains(string(body), whoami1IP) &&
+		!strings.Contains(string(body), whoami2IP) {
 		c.Fail()
 	}
 
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/test2", nil)
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/test2", nil)
+	c.Assert(err, checker.IsNil)
 	req.Host = "test2.localhost"
 	resp, err := client.Do(req)
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 
-	req, err = http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
-	resp, err = client.Do(req)
+	resp, err = http.Get("http://127.0.0.1:8000/")
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 }
 
 func (s *EtcdSuite) TestGlobalConfiguration(c *check.C) {
@@ -210,41 +193,38 @@ func (s *EtcdSuite) TestGlobalConfiguration(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// wait for etcd
-	err = utils.Try(60*time.Second, func() error {
+	err = try.Do(60*time.Second, func() error {
 		_, err := s.kv.Exists("/traefik/entrypoints/http/address")
-		if err != nil {
 		return err
-		}
-		return nil
 	})
 	c.Assert(err, checker.IsNil)
 
 	// start traefik
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_web.toml", "--etcd", "--etcd.endpoint="+etcdHost+":4001")
-	// cmd.Stdout = os.Stdout
-	// cmd.Stderr = os.Stderr
-
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/simple_web.toml"),
+		"--etcd",
+		"--etcd.endpoint="+etcdHost+":4001")
 	err = cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	whoami1 := s.composeProject.Container(c, "whoami1")
-	whoami2 := s.composeProject.Container(c, "whoami2")
-	whoami3 := s.composeProject.Container(c, "whoami3")
-	whoami4 := s.composeProject.Container(c, "whoami4")
+	whoami1IP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami3IP := s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
+	whoami4IP := s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
 
 	backend1 := map[string]string{
 		"/traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
-		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1IP + ":80",
 		"/traefik/backends/backend1/servers/server1/weight":    "10",
-		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2IP + ":80",
 		"/traefik/backends/backend1/servers/server2/weight":    "1",
 	}
 	backend2 := map[string]string{
 		"/traefik/backends/backend2/loadbalancer/method":    "drr",
-		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3IP + ":80",
 		"/traefik/backends/backend2/servers/server1/weight": "1",
-		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4IP + ":80",
 		"/traefik/backends/backend2/servers/server2/weight": "2",
 	}
 	frontend1 := map[string]string{
@@ -277,50 +257,37 @@ func (s *EtcdSuite) TestGlobalConfiguration(c *check.C) {
 	}
 
 	// wait for etcd
-	err = utils.Try(60*time.Second, func() error {
+	err = try.Do(60*time.Second, func() error {
 		_, err := s.kv.Exists("/traefik/frontends/frontend2/routes/test_2/rule")
-		if err != nil {
 		return err
-		}
-		return nil
 	})
 	c.Assert(err, checker.IsNil)
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Path:/test") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
 	//check
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8001/", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8001/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
-	response, err := client.Do(req)
 
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(response.StatusCode, checker.Equals, 200)
 }
 
 func (s *EtcdSuite) TestCertificatesContentstWithSNIConfigHandshake(c *check.C) {
 	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
 	// start traefik
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/simple_web.toml", "--etcd", "--etcd.endpoint="+etcdHost+":4001")
-	// cmd.Stdout = os.Stdout
-	// cmd.Stderr = os.Stderr
+	cmd, _ := s.cmdTraefik(
+		withConfigFile("fixtures/simple_web.toml"),
+		"--etcd",
+		"--etcd.endpoint="+etcdHost+":4001")
 
-	whoami1 := s.composeProject.Container(c, "whoami1")
-	whoami2 := s.composeProject.Container(c, "whoami2")
-	whoami3 := s.composeProject.Container(c, "whoami3")
-	whoami4 := s.composeProject.Container(c, "whoami4")
+	whoami1IP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami3IP := s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
+	whoami4IP := s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
 
 	//Copy the contents of the certificate files into ETCD
 	snitestComCert, err := ioutil.ReadFile("fixtures/https/snitest.com.cert")
@@ -343,16 +310,16 @@ func (s *EtcdSuite) TestCertificatesContentstWithSNIConfigHandshake(c *check.C)
 
 	backend1 := map[string]string{
 		"/traefik/backends/backend1/circuitbreaker/expression": "NetworkErrorRatio() > 0.5",
-		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server1/url":       "http://" + whoami1IP + ":80",
 		"/traefik/backends/backend1/servers/server1/weight":    "10",
-		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend1/servers/server2/url":       "http://" + whoami2IP + ":80",
 		"/traefik/backends/backend1/servers/server2/weight":    "1",
 	}
 	backend2 := map[string]string{
 		"/traefik/backends/backend2/loadbalancer/method":    "drr",
-		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server1/url":    "http://" + whoami3IP + ":80",
 		"/traefik/backends/backend2/servers/server1/weight": "1",
-		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4.NetworkSettings.IPAddress + ":80",
+		"/traefik/backends/backend2/servers/server2/url":    "http://" + whoami4IP + ":80",
 		"/traefik/backends/backend2/servers/server2/weight": "2",
 	}
 	frontend1 := map[string]string{
@@ -389,13 +356,7 @@ func (s *EtcdSuite) TestCertificatesContentstWithSNIConfigHandshake(c *check.C)
 	}
 
 	// wait for etcd
-	err = utils.Try(60*time.Second, func() error {
-		_, err := s.kv.Exists("/traefik/frontends/frontend2/routes/test_2/rule")
-		if err != nil {
-			return err
-		}
-		return nil
-	})
+	err = try.Do(60*time.Second, try.KVExists(s.kv, "/traefik/frontends/frontend2/routes/test_2/rule"))
 	c.Assert(err, checker.IsNil)
 
 	err = cmd.Start()
@@ -403,16 +364,7 @@ func (s *EtcdSuite) TestCertificatesContentstWithSNIConfigHandshake(c *check.C)
 	defer cmd.Process.Kill()
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Host:snitest.org") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Host:snitest.org"))
 	c.Assert(err, checker.IsNil)
 
 	//check
@@ -435,7 +387,10 @@ func (s *EtcdSuite) TestCertificatesContentstWithSNIConfigHandshake(c *check.C)
 func (s *EtcdSuite) TestCommandStoreConfig(c *check.C) {
 	etcdHost := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress
 
-	cmd := exec.Command(traefikBinary, "storeconfig", "--configFile=fixtures/simple_web.toml", "--etcd.endpoint="+etcdHost+":4001")
+	cmd, _ := s.cmdTraefik(
+		"storeconfig",
+		withConfigFile("fixtures/simple_web.toml"),
+		"--etcd.endpoint="+etcdHost+":4001")
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 
@@ -448,21 +403,17 @@ func (s *EtcdSuite) TestCommandStoreConfig(c *check.C) {
 		"/traefik/defaultentrypoints/0":     "http",
 		"/traefik/entrypoints/http/address": ":8000",
 		"/traefik/web/address":              ":8080",
-		"/traefik/etcd/endpoint":            (etcdHost + ":4001"),
+		"/traefik/etcd/endpoint":            etcdHost + ":4001",
 	}
 
 	for key, value := range checkmap {
 		var p *store.KVPair
-		err = utils.Try(60*time.Second, func() error {
+		err = try.Do(60*time.Second, func() error {
 			p, err = s.kv.Get(key)
-			if err != nil {
 			return err
-			}
-			return nil
 		})
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(p.Value), checker.Equals, value)
-
 	}
 }

integration/eureka_test.go

@@ -1,54 +1,50 @@
-package main
+package integration
 
 import (
 	"bytes"
-	"errors"
-	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
 	"strings"
 	"text/template"
 	"time"
 
-	"github.com/containous/traefik/integration/utils"
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
 
 	checker "github.com/vdemeester/shakers"
 )
 
 // Eureka test suites (using libcompose)
-type EurekaSuite struct{ BaseSuite }
+type EurekaSuite struct {
+	BaseSuite
+	eurekaIP  string
+	eurekaURL string
+}
 
 func (s *EurekaSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "eureka")
 	s.composeProject.Start(c)
 
+	eureka := s.composeProject.Container(c, "eureka")
+	s.eurekaIP = eureka.NetworkSettings.IPAddress
+	s.eurekaURL = "http://" + s.eurekaIP + ":8761/eureka/apps"
+
+	// wait for eureka
+	err := try.GetRequest(s.eurekaURL, 60*time.Second)
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *EurekaSuite) TestSimpleConfiguration(c *check.C) {
 
-	eurekaHost := s.composeProject.Container(c, "eureka").NetworkSettings.IPAddress
 	whoami1Host := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
 
-	file := s.adaptFile(c, "fixtures/eureka/simple.toml", struct{ EurekaHost string }{eurekaHost})
+	file := s.adaptFile(c, "fixtures/eureka/simple.toml", struct{ EurekaHost string }{s.eurekaIP})
 	defer os.Remove(file)
-	cmd := exec.Command(traefikBinary, "--configFile="+file)
+	cmd, _ := s.cmdTraefik(withConfigFile(file))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	eurekaURL := "http://" + eurekaHost + ":8761/eureka/apps"
-
-	// wait for eureka
-	err = utils.TryRequest(eurekaURL, 60*time.Second, func(res *http.Response) error {
-		if err != nil {
-			return err
-		}
-		return nil
-	})
-	c.Assert(err, checker.IsNil)
-
 	eurekaTemplate := `
 	{
     "instance": {
@@ -66,7 +62,7 @@ func (s *EurekaSuite) TestSimpleConfiguration(c *check.C) {
     }
 	}`
 
-	tmpl, err := template.New("eurekaTemlate").Parse(eurekaTemplate)
+	tmpl, err := template.New("eurekaTemplate").Parse(eurekaTemplate)
 	c.Assert(err, checker.IsNil)
 	buf := new(bytes.Buffer)
 	templateVars := map[string]string{
@@ -76,36 +72,28 @@ func (s *EurekaSuite) TestSimpleConfiguration(c *check.C) {
 	}
 	// add in eureka
 	err = tmpl.Execute(buf, templateVars)
-	resp, err := http.Post(eurekaURL+"/tests-integration-traefik", "application/json", strings.NewReader(buf.String()))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 204)
+
+	req, err := http.NewRequest(http.MethodPost, s.eurekaURL+"/tests-integration-traefik", strings.NewReader(buf.String()))
+	c.Assert(err, checker.IsNil)
+	req.Header.Set("Content-Type", "application/json")
+
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusNoContent))
+	c.Assert(err, checker.IsNil)
 
 	// wait for traefik
-	err = utils.TryRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, func(res *http.Response) error {
-		body, err := ioutil.ReadAll(res.Body)
-		if err != nil {
-			return err
-		}
-		if !strings.Contains(string(body), "Host:tests-integration-traefik") {
-			return errors.New("Incorrect traefik config")
-		}
-		return nil
-	})
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Host:tests-integration-traefik"))
 	c.Assert(err, checker.IsNil)
 
-	client := &http.Client{}
-	req, err := http.NewRequest("GET", "http://127.0.0.1:8000/", nil)
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "tests-integration-traefik"
-	resp, err = client.Do(req)
 
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 200)
 
 	// TODO validate : run on 80
-	resp, err = http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/file_test.go

@@ -1,12 +1,11 @@
-package main
+package integration
 
 import (
 	"net/http"
-	"os/exec"
 	"time"
 
+	"github.com/containous/traefik/integration/try"
 	"github.com/go-check/check"
-
 	checker "github.com/vdemeester/shakers"
 )
 
@@ -20,30 +19,40 @@ func (s *FileSuite) SetUpSuite(c *check.C) {
 }
 
 func (s *FileSuite) TestSimpleConfiguration(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/file/simple.toml")
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/file/simple.toml"))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(1000 * time.Millisecond)
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }
 
 // #56 regression test, make sure it does not fail
 func (s *FileSuite) TestSimpleConfigurationNoPanic(c *check.C) {
-	cmd := exec.Command(traefikBinary, "--configFile=fixtures/file/56-simple-panic.toml")
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/file/56-simple-panic.toml"))
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer cmd.Process.Kill()
 
-	time.Sleep(1000 * time.Millisecond)
-	resp, err := http.Get("http://127.0.0.1:8000/")
-
 	// Expected a 404 as we did not configure anything
+	err = try.GetRequest("http://127.0.0.1:8000/", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *FileSuite) TestDirectoryConfiguration(c *check.C) {
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/file/directory.toml"))
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	// Expected a 404 as we did not configure anything at /test
+	err = try.GetRequest("http://127.0.0.1:8000/test", 1000*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
+	c.Assert(err, checker.IsNil)
+
+	// Expected a 502 as there is no backend server
+	err = try.GetRequest("http://127.0.0.1:8000/test2", 1000*time.Millisecond, try.StatusCodeIs(http.StatusBadGateway))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, 404)
 }

integration/fixtures/acme/README.md

@@ -0,0 +1,37 @@
+# How to generate the self-signed wildcard certificate
+
+```bash
+#!/usr/bin/env bash
+
+# Specify where we will install
+# the wildcard certificate
+SSL_DIR="./ssl"
+
+# Set the wildcarded domain
+# we want to use
+DOMAIN="*.acme.wtf"
+
+# A blank passphrase
+PASSPHRASE=""
+
+# Set our CSR variables
+SUBJ="
+C=FR
+ST=MP
+O=
+localityName=Toulouse
+commonName=$DOMAIN
+organizationalUnitName=Traefik
+emailAddress=
+"
+
+# Create our SSL directory
+# in case it doesn't exist
+sudo mkdir -p "$SSL_DIR"
+
+# Generate our Private Key, CSR and Certificate
+sudo openssl genrsa -out "$SSL_DIR/wildcard.key" 2048
+sudo openssl req -new -subj "$(echo -n "$SUBJ" | tr "\n" "/")" -key "$SSL_DIR/wildcard.key" -out "$SSL_DIR/wildcard.csr" -passin pass:$PASSPHRASE
+sudo openssl x509 -req -days 3650 -in "$SSL_DIR/wildcard.csr" -signkey "$SSL_DIR/wildcard.key" -out "$SSL_DIR/wildcard.crt"
+sudo rm -f "$SSL_DIR/wildcard.csr"
+```

integration/fixtures/acme/acme.toml

@@ -14,7 +14,8 @@ defaultEntryPoints = ["http", "https"]
 email = "test@traefik.io"
 storage = "/dev/null"
 entryPoint = "https"
-onDemand = true
+onDemand = {{.OnDemand}}
+OnHostRule = {{.OnHostRule}}
 caServer = "http://{{.BoulderHost}}:4000/directory"
 
 [file]

integration/fixtures/acme/acme_provided.toml

@@ -0,0 +1,35 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8080"
+  [entryPoints.https]
+  address = ":5001"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      CertFile = "fixtures/acme/ssl/wildcard.crt"
+      KeyFile = "fixtures/acme/ssl/wildcard.key"
+
+[acme]
+email = "test@traefik.io"
+storage = "/dev/null"
+entryPoint = "https"
+onDemand = {{.OnDemand}}
+OnHostRule = {{.OnHostRule}}
+caServer = "http://{{.BoulderHost}}:4000/directory"
+
+[file]
+
+[backends]
+  [backends.backend]
+    [backends.backend.servers.server1]
+    url = "http://127.0.0.1:9010"
+
+
+[frontends]
+  [frontends.frontend]
+  backend = "backend"
+    [frontends.frontend.routes.test]
+    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/ssl/wildcard.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgwCCQCS90TE7NuTqzANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJG
+UjELMAkGA1UECAwCTVAxETAPBgNVBAcMCFRvdWxvdXNlMRMwEQYDVQQDDAoqLmFj
+bWUud3RmMRAwDgYDVQQLDAdUcmFlZmlrMB4XDTE3MDYyMzE0NTE0MVoXDTI3MDYy
+MTE0NTE0MVowVDELMAkGA1UEBhMCRlIxCzAJBgNVBAgMAk1QMREwDwYDVQQHDAhU
+b3Vsb3VzZTETMBEGA1UEAwwKKi5hY21lLnd0ZjEQMA4GA1UECwwHVHJhZWZpazCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAODqsVCLhauFZPhPXqZDIKST
+wqoJST+jO5O/WmA7oC4S6JlecRoNsHAXyddd3cQW3yZqB0ryOHrMOpMX0PPXf3jS
+OOXoXA6xsq+RXlR4hDrBkOrj/LR/g62Eiuj2JVO2uy6tKJIetSB/Wzl6OgRkY/um
+EXIc7zQS81/QKg+pg7Z4AYJht5J88nOFHJ3RspUMaH1vJ6LhH3MOUkgFj+I1OiqX
+Tnkd7EDWbkYxAJa0xI2qbmY5VYv8dsIUN+IlPFDtBt87Fc2qv5dQkOz11FDYxWnz
++kxX6+MESLBaTvJjXvG+bzTfh9xCExFQFiN+Us0JuLX8HKQ4MqWL2IiVLsko2osC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAl2jTX2yzUpiufrJ6WtZjKIAH8GF817hS
+dWvt2eyLrBPvllMUj8zqCE5uNVUDVuXQvOhOyx+3zZzfcgfYqbTD8G8amNWcSiRA
+vonoOn1p1pW2OonSi32h3qv5i4gCyh/6cBneYi03lkQ7uLCsJK9+dXTAvoKL6s23
+IXhZGS0Qkvs4vkORA2MX9tyJdyfCCaCx3GpPCGkKrKJ8ePTEvq1ZE2xdhERnV5pz
+L1PRY2QthXXVjMz7AXw0gkHvAbtrKVKR1Tv4ZK34bFBh/kyGAjkcn0zdeFKITqTF
+tCoXWEArmiRqGuXwbqU3mEA9Cv6aMM+0YX89K2InhOnBU80OWs0uMQ==
+-----END CERTIFICATE-----