Prepare release v1.4.0

CHANGELOG.md

@@ -1,5 +1,268 @@
 # Change Log
 
+## [v1.4.0](https://github.com/containous/traefik/tree/v1.4.0) (2017-05-31)
+[All Commits](https://github.com/containous/traefik/compare/v1.3.0-rc1...v1.4.0)
+
+**Enhancements:**
+- **[acme]** Display Traefik logs in integration tests ([#2114](https://github.com/containous/traefik/pull/2114) by [ldez](https://github.com/ldez))
+- **[acme]** Make the ACME developments testing easier ([#1769](https://github.com/containous/traefik/pull/1769) by [nmengin](https://github.com/nmengin))
+- **[acme]** contrib: Dump keys/certs from acme.json to files ([#1484](https://github.com/containous/traefik/pull/1484) by [brianredbeard](https://github.com/brianredbeard))
+- **[api]** Add HTTP HEAD handling to /ping endpoint ([#1768](https://github.com/containous/traefik/pull/1768) by [martinbaillie](https://github.com/martinbaillie))
+- **[authentication,consulcatalog]** Add Basic auth for consul catalog ([#2027](https://github.com/containous/traefik/pull/2027) by [mmatur](https://github.com/mmatur))
+- **[authentication,marathon]** Add marathon label to configure basic auth ([#1799](https://github.com/containous/traefik/pull/1799) by [nikore](https://github.com/nikore))
+- **[authentication,ecs]** Add basic auth for ecs ([#2026](https://github.com/containous/traefik/pull/2026) by [mmatur](https://github.com/mmatur))
+- **[authentication,middleware]** Add forward authentication option ([#1972](https://github.com/containous/traefik/pull/1972) by [drampelt](https://github.com/drampelt))
+- **[authentication]** Manage Headers for the Authentication forwarding. ([#2132](https://github.com/containous/traefik/pull/2132) by [ldez](https://github.com/ldez))
+- **[consulcatalog,sticky-session]** Enable loadbalancer.sticky for Consul Catalog ([#1917](https://github.com/containous/traefik/pull/1917) by [nbonneval](https://github.com/nbonneval))
+- **[consulcatalog]** Exposed by default feature in Consul Catalog ([#2006](https://github.com/containous/traefik/pull/2006) by [mmatur](https://github.com/mmatur))
+- **[consulcatalog]** Speeding up consul catalog health change detection ([#1694](https://github.com/containous/traefik/pull/1694) by [vholovko](https://github.com/vholovko))
+- **[consulcatalog]** Enhanced flexibility in Consul Catalog configuration ([#1565](https://github.com/containous/traefik/pull/1565) by [aantono](https://github.com/aantono))
+- **[docker,k8s]** IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support) ([#1332](https://github.com/containous/traefik/pull/1332) by [MaZderMind](https://github.com/MaZderMind))
+- **[ecs,sticky-session]** Enable loadbalancer.sticky for ECS ([#1925](https://github.com/containous/traefik/pull/1925) by [mmatur](https://github.com/mmatur))
+- **[ecs]** Add support for several ECS backends ([#1913](https://github.com/containous/traefik/pull/1913) by [mmatur](https://github.com/mmatur))
+- **[file]** Allow file provider to load service config from files in a directory. ([#1672](https://github.com/containous/traefik/pull/1672) by [rjshep](https://github.com/rjshep))
+- **[healthcheck]** Add healthcheck command ([#1982](https://github.com/containous/traefik/pull/1982) by [emilevauge](https://github.com/emilevauge))
+- **[healthcheck]** Allow overriding the port used for healthchecks ([#1567](https://github.com/containous/traefik/pull/1567) by [bakins](https://github.com/bakins))
+- **[k8s,rules]** kubernetes ingress rewrite-target implementation ([#1723](https://github.com/containous/traefik/pull/1723) by [mlaccetti](https://github.com/mlaccetti))
+- **[k8s]** Added ability to override frontend priority for k8s ingress router ([#1874](https://github.com/containous/traefik/pull/1874) by [DiverOfDark](https://github.com/DiverOfDark))
+- **[kv]** Adds definitions to backend kv template for health checking ([#1644](https://github.com/containous/traefik/pull/1644) by [zachomedia](https://github.com/zachomedia))
+- **[logs,dynamodb,ecs,marathon]** Link some providers logs to Traefik ([#1746](https://github.com/containous/traefik/pull/1746) by [ldez](https://github.com/ldez))
+- **[logs,marathon]** remove confusing go-marathon log message ([#1810](https://github.com/containous/traefik/pull/1810) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** Send traefik logs to stdout instead stderr ([#2054](https://github.com/containous/traefik/pull/2054) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** enable logging to stdout for access logs ([#1683](https://github.com/containous/traefik/pull/1683) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** Logs & errors review ([#1673](https://github.com/containous/traefik/pull/1673) by [ldez](https://github.com/ldez))
+- **[logs]** Switch access logging to logrus ([#1647](https://github.com/containous/traefik/pull/1647) by [rjshep](https://github.com/rjshep))
+- **[logs]** log X-Forwarded-For as ClientHost if present ([#1946](https://github.com/containous/traefik/pull/1946) by [mildis](https://github.com/mildis))
+- **[logs]** Restore: First stage of access logging middleware. ([#1571](https://github.com/containous/traefik/pull/1571) by [ldez](https://github.com/ldez))
+- **[logs]** Add log file close and reopen on receipt of SIGUSR1 ([#1761](https://github.com/containous/traefik/pull/1761) by [rjshep](https://github.com/rjshep))
+- **[logs]** add RetryAttempts to AccessLog in JSON format ([#1793](https://github.com/containous/traefik/pull/1793) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs]** Add JSON as access logging format ([#1669](https://github.com/containous/traefik/pull/1669) by [rjshep](https://github.com/rjshep))
+- **[marathon]** Support multi-port service routing for containers running on Marathon ([#1742](https://github.com/containous/traefik/pull/1742) by [aantono](https://github.com/aantono))
+- **[marathon]** Improve Marathon integration tests. ([#1406](https://github.com/containous/traefik/pull/1406) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Exported getSubDomain function from Marathon provider ([#1693](https://github.com/containous/traefik/pull/1693) by [aantono](https://github.com/aantono))
+- **[marathon]** Use test builder. ([#1871](https://github.com/containous/traefik/pull/1871) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Add support for readiness checks. ([#1883](https://github.com/containous/traefik/pull/1883) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Move marathon mock ([#1732](https://github.com/containous/traefik/pull/1732) by [ldez](https://github.com/ldez))
+- **[marathon]** Use single API call to fetch Marathon resources. ([#1815](https://github.com/containous/traefik/pull/1815) by [timoreimann](https://github.com/timoreimann))
+- **[metrics]** Added RetryMetrics to DataDog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
+- **[metrics]** Extract metrics to own package and refactor implementations ([#1968](https://github.com/containous/traefik/pull/1968) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** Add metrics for backend_retries_total ([#1504](https://github.com/containous/traefik/pull/1504) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** Add status code to request duration metric ([#1755](https://github.com/containous/traefik/pull/1755) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Add trusted whitelist proxy protocol ([#2234](https://github.com/containous/traefik/pull/2234) by [emilevauge](https://github.com/emilevauge)))
+- **[metrics]** DataDog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
+- **[middleware]** Create Header Middleware ([#1236](https://github.com/containous/traefik/pull/1236) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Add configurable timeouts and curate default timeout settings ([#1873](https://github.com/containous/traefik/pull/1873) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Fix command bug content. ([#2002](https://github.com/containous/traefik/pull/2002) by [ldez](https://github.com/ldez))
+- **[middleware]** Retry only on real network errors ([#1549](https://github.com/containous/traefik/pull/1549) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Return 503 on empty backend ([#1748](https://github.com/containous/traefik/pull/1748) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Custom Error Pages ([#1675](https://github.com/containous/traefik/pull/1675) by [bparli](https://github.com/bparli))
+- **[oxy]** Support X-Forwarded-Port. ([#1960](https://github.com/containous/traefik/pull/1960) by [ldez](https://github.com/ldez))
+- **[provider,tls]** Added a check to ensure clientTLS configuration contains either a cert or a key ([#1932](https://github.com/containous/traefik/pull/1932) by [aantono](https://github.com/aantono))
+- **[provider]** Deflake integration tests ([#1599](https://github.com/containous/traefik/pull/1599) by [ldez](https://github.com/ldez))
+- **[provider]** Factorize labels ([#1843](https://github.com/containous/traefik/pull/1843) by [ldez](https://github.com/ldez))
+- **[provider]** Replace go routine by Safe.Go ([#1879](https://github.com/containous/traefik/pull/1879) by [ldez](https://github.com/ldez))
+- **[rancher]** Refactor into dual Rancher API/Metadata providers ([#1563](https://github.com/containous/traefik/pull/1563) by [martinbaillie](https://github.com/martinbaillie))
+- **[rules]** Add support for Query String filtering ([#1934](https://github.com/containous/traefik/pull/1934) by [driverpt](https://github.com/driverpt))
+- **[rules]** Simplify stripPrefix and stripPrefixRegex tests ([#1699](https://github.com/containous/traefik/pull/1699) by [ldez](https://github.com/ldez))
+- **[rules]** Enhance rules tests. ([#1679](https://github.com/containous/traefik/pull/1679) by [ldez](https://github.com/ldez))
+- **[sticky-session]** make the cookie name unique to the backend being served ([#1716](https://github.com/containous/traefik/pull/1716) by [richardjq](https://github.com/richardjq))
+- **[tls]** Handle RootCAs certificate ([#1789](https://github.com/containous/traefik/pull/1789) by [Juliens](https://github.com/Juliens))
+- **[tls]** enable TLS client forwarding ([#1446](https://github.com/containous/traefik/pull/1446) by [drewwells](https://github.com/drewwells))
+- **[websocket]** Add tests for urlencoded part in url ([#2199](https://github.com/containous/traefik/pull/2199) by [Juliens](https://github.com/Juliens))
+- **[websocket]** Add test for SSL TERMINATION in Websocket IT ([#2063](https://github.com/containous/traefik/pull/2063) by [Juliens](https://github.com/Juliens)
+- **[webui]** Proxy in dev mode ([#1544](https://github.com/containous/traefik/pull/1544) by [maxwo](https://github.com/maxwo))
+- **[webui]** Minor Health UI fixes ([#1651](https://github.com/containous/traefik/pull/1651) by [mihaitodor](https://github.com/mihaitodor))
+- Fail fast in IT and fix some flaky tests ([#2126](https://github.com/containous/traefik/pull/2126) by [ldez](https://github.com/ldez))
+- extract lb configuration steps into method ([#1841](https://github.com/containous/traefik/pull/1841) by [marco-jantke](https://github.com/marco-jantke))
+- Add whitelist configuration option for entrypoints ([#1702](https://github.com/containous/traefik/pull/1702) by [christopherobin](https://github.com/christopherobin))
+- Enhance integration tests ([#1842](https://github.com/containous/traefik/pull/1842) by [ldez](https://github.com/ldez))
+- Add helloworld tests with gRPC ([#1845](https://github.com/containous/traefik/pull/1845) by [Juliens](https://github.com/Juliens))
+- Add the sprig functions in the template engine ([#1891](https://github.com/containous/traefik/pull/1891) by [thomasbach76](https://github.com/thomasbach76))
+- Refactor globalConfiguration / WebProvider ([#1938](https://github.com/containous/traefik/pull/1938) by [Juliens](https://github.com/Juliens))
+- Code cleaning. ([#1956](https://github.com/containous/traefik/pull/1956) by [ldez](https://github.com/ldez))
+- Add proxy protocol ([#2004](https://github.com/containous/traefik/pull/2004) by [emilevauge](https://github.com/emilevauge))
+- Bump gorilla/mux version. ([#1954](https://github.com/containous/traefik/pull/1954) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[cluster,kv]** Be certain to clear our marshalled representation before reloading it ([#2165](https://github.com/containous/traefik/pull/2165) by [gozer](https://github.com/gozer))
+- **[consulcatalog,docker,ecs,k8s,kv,marathon,rancher,sticky-session]** Backward compatibility for sticky ([#2266](https://github.com/containous/traefik/pull/2266) by [ldez](https://github.com/ldez))
+- **[consulcatalog,docker,ecs,k8s,marathon,rancher,sticky-session]** Stickiness cookie name ([#2232](https://github.com/containous/traefik/pull/2232) by [ldez](https://github.com/ldez))
+- **[consulcatalog,docker,ecs,k8s,marathon,rancher,sticky-session]** Stickiness cookie name. ([#2251](https://github.com/containous/traefik/pull/2251) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog retry ([#2263](https://github.com/containous/traefik/pull/2263) by [mmatur](https://github.com/mmatur))
+- **[consulcatalog]** Flaky tests and refresh problem in consul catalog ([#2148](https://github.com/containous/traefik/pull/2148) by [Juliens](https://github.com/Juliens))
+- **[consulcatalog]** Consul catalog failed to remove service  ([#2157](https://github.com/containous/traefik/pull/2157) by [Juliens](https://github.com/Juliens))
+- **[consulcatalog]** Fix Consul Catalog refresh ([#2089](https://github.com/containous/traefik/pull/2089) by [Juliens](https://github.com/Juliens))
+- **[docker]** Changed Docker network filter to allow any swarm network ([#2244](https://github.com/containous/traefik/pull/2244) by [pistolero](https://github.com/pistolero))
+- **[docker]** Error handling for docker swarm mode ([#1533](https://github.com/containous/traefik/pull/1533) by [tanyadegurechaff](https://github.com/tanyadegurechaff))
+- **[ecs]** Handle empty ECS Clusters properly ([#2170](https://github.com/containous/traefik/pull/2170) by [jeffreykoetsier](https://github.com/jeffreykoetsier))
+- **[healthcheck]** Fix healthcheck port ([#2131](https://github.com/containous/traefik/pull/2131) by [fredix](https://github.com/fredix))
+- **[healthcheck]** Bind healthcheck to backend by entryPointName ([#1868](https://github.com/containous/traefik/pull/1868) by [chrigl](https://github.com/chrigl))
+- **[k8s]** Continue processing on invalid auth-realm annotation. ([#2252](https://github.com/containous/traefik/pull/2252) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Use default frontend priority of zero. ([#1906](https://github.com/containous/traefik/pull/1906) by [timoreimann](https://github.com/timoreimann))
+- **[kv]** add retry backoff to staert config loading ([#2268](https://github.com/containous/traefik/pull/2268) by [emilevauge](https://github.com/emilevauge))
+- **[logs,middleware]** Enable loss less rotation of log files ([#2062](https://github.com/containous/traefik/pull/2062) by [marco-jantke](https://github.com/marco-jantke))
+- **[logs,middleware]** Access log default values ([#2061](https://github.com/containous/traefik/pull/2061) by [ldez](https://github.com/ldez))
+- **[logs]** Fix flakiness in log rotation test ([#2213](https://github.com/containous/traefik/pull/2213) by [marco-jantke](https://github.com/marco-jantke))
+- **[marathon]** Assign filtered tasks to apps contained in slice. ([#1881](https://github.com/containous/traefik/pull/1881) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Fix fallback to other nodes for Marathon ([#1740](https://github.com/containous/traefik/pull/1740) by [marco-jantke](https://github.com/marco-jantke))
+- **[metrics]** prometheus, HTTP method and utf8 ([#2081](https://github.com/containous/traefik/pull/2081) by [ldez](https://github.com/ldez))
+- **[middleware]** Enable prefix matching within slash boundaries ([#2214](https://github.com/containous/traefik/pull/2214) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Fix SSE subscriptions when retries are enabled ([#2145](https://github.com/containous/traefik/pull/2145) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** compress: preserve status code ([#1948](https://github.com/containous/traefik/pull/1948) by [ldez](https://github.com/ldez))
+- **[rancher]** Add stack name to backend name generation to fix rancher metadata backend ([#2107](https://github.com/containous/traefik/pull/2107) by [SantoDE](https://github.com/SantoDE))
+- **[rancher]** Rancher host IP address ([#2101](https://github.com/containous/traefik/pull/2101) by [matq007](https://github.com/matq007))
+- **[rancher]** fix seconds to really be seconds ([#2259](https://github.com/containous/traefik/pull/2259) by [SantoDE](https://github.com/SantoDE))
+- **[rancher]** fix rancher api environment get ([#2053](https://github.com/containous/traefik/pull/2053) by [SantoDE](https://github.com/SantoDE))
+- **[sticky-session]** Sanitize cookie names. ([#2216](https://github.com/containous/traefik/pull/2216) by [timoreimann](https://github.com/timoreimann))
+- **[sticky-session]** Setting the Cookie Path explicitly to root ([#1950](https://github.com/containous/traefik/pull/1950) by [marcopaga](https://github.com/marcopaga))
+- **[websocket]** Forward upgrade error from backend ([#2187](https://github.com/containous/traefik/pull/2187) by [Juliens](https://github.com/Juliens))
+- **[websocket]** RawPath and Transfer TLSConfig in websocket ([#2088](https://github.com/containous/traefik/pull/2088) by [Juliens](https://github.com/Juliens))
+- Nil body retries ([#2258](https://github.com/containous/traefik/pull/2258) by [Juliens](https://github.com/Juliens))
+- Fix deprecated IdleTimeout config ([#2143](https://github.com/containous/traefik/pull/2143) by [marco-jantke](https://github.com/marco-jantke))
+- Fixes entry points configuration. ([#2120](https://github.com/containous/traefik/pull/2120) by [ldez](https://github.com/ldez))
+- Delay first version check ([#2215](https://github.com/containous/traefik/pull/2215) by [emilevauge](https://github.com/emilevauge))
+- Move http2 configure transport  ([#2231](https://github.com/containous/traefik/pull/2231) by [Juliens](https://github.com/Juliens))
+- Fix error in prepareServer ([#2076](https://github.com/containous/traefik/pull/2076) by [emilevauge](https://github.com/emilevauge))
+- New entry point parser. ([#2248](https://github.com/containous/traefik/pull/2248) by [ldez](https://github.com/ldez))
+- Add TrustForwardHeader options. ([#2262](https://github.com/containous/traefik/pull/2262) by [ldez](https://github.com/ldez))
+- `bug` command. ([#2178](https://github.com/containous/traefik/pull/2178) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme,provider]** Enhance documentation readability. ([#2095](https://github.com/containous/traefik/pull/2095) by [ldez](https://github.com/ldez))
+- **[acme,provider]** Fix whitespaces ([#2075](https://github.com/containous/traefik/pull/2075) by [chulkilee](https://github.com/chulkilee))
+- **[acme,provider]** Re-organize documentation ([#2012](https://github.com/containous/traefik/pull/2012) by [jmaitrehenry](https://github.com/jmaitrehenry))
+- **[acme]** Fix grammar ([#2208](https://github.com/containous/traefik/pull/2208) by [mvasin](https://github.com/mvasin))
+- **[acme]** Add guide for Docker, Traefik & Letsencrypt ([#1923](https://github.com/containous/traefik/pull/1923) by [mvdstam](https://github.com/mvdstam))
+- **[acme]** Improve Let's Encrypt documentation ([#1885](https://github.com/containous/traefik/pull/1885) by [nmengin](https://github.com/nmengin))
+- **[acme]** Update docs for dnsimple env vars. ([#1872](https://github.com/containous/traefik/pull/1872) by [untalpierre](https://github.com/untalpierre))
+- **[api]** Add examples of proxying ping ([#2102](https://github.com/containous/traefik/pull/2102) by [deitch](https://github.com/deitch))
+- **[authentication,k8s]** traefik controller access to secrets ([#1707](https://github.com/containous/traefik/pull/1707) by [spinto](https://github.com/spinto))
+- **[consul,tls]** doc change regarding consul SSL ([#1774](https://github.com/containous/traefik/pull/1774) by [bitsofinfo](https://github.com/bitsofinfo))
+- **[consulcatalog,docker,ecs,k8s,marathon,rancher,sticky-session]** Stickiness documentation ([#2238](https://github.com/containous/traefik/pull/2238) by [ldez](https://github.com/ldez))
+- **[consul]** added consul acl token note ([#1720](https://github.com/containous/traefik/pull/1720) by [bitsofinfo](https://github.com/bitsofinfo))
+- **[docker]** Updating Docker output and curl for sticky sessions ([#2150](https://github.com/containous/traefik/pull/2150) by [jtyr](https://github.com/jtyr))
+- **[docker]** Add more visibility to docker stack deploy label issue ([#1984](https://github.com/containous/traefik/pull/1984) by [jmaitrehenry](https://github.com/jmaitrehenry))
+- **[ecs]** Fix IAM policy sid. ([#2066](https://github.com/containous/traefik/pull/2066) by [charlieoleary](https://github.com/charlieoleary))
+- **[k8s,marathon]** Mark Marathon and Kubernetes as constraint-supporting. ([#1964](https://github.com/containous/traefik/pull/1964) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Add guide section on production advice, esp. CPU. ([#2113](https://github.com/containous/traefik/pull/2113) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Document ways to partition Ingresses in the k8s guide. ([#2223](https://github.com/containous/traefik/pull/2223) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Remove pod from RBAC rules. ([#2229](https://github.com/containous/traefik/pull/2229) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Quote priority values in annotation examples. ([#2230](https://github.com/containous/traefik/pull/2230) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Fix invalid service yaml example ([#2059](https://github.com/containous/traefik/pull/2059) by [kairen](https://github.com/kairen))
+- **[k8s]** Update usage of `.local` with `.minikube` in k8s docs ([#1551](https://github.com/containous/traefik/pull/1551) by [errm](https://github.com/errm))
+- **[k8s]** Update the documentation to use DaemonSet or Deployment ([#1735](https://github.com/containous/traefik/pull/1735) by [saschagrunert](https://github.com/saschagrunert))
+- **[k8s]** Fix docs about default namespaces. ([#1961](https://github.com/containous/traefik/pull/1961) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Moved namespace to correct place ([#1911](https://github.com/containous/traefik/pull/1911) by [markround](https://github.com/markround))
+- **[k8s]** examples/k8s: fix ui ingress port out of sync with deployment ([#1943](https://github.com/containous/traefik/pull/1943) by [borancar](https://github.com/borancar))
+- **[k8s]** Add secrets resource to in-line RBAC spec. ([#1890](https://github.com/containous/traefik/pull/1890) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Improve documentation. ([#1831](https://github.com/containous/traefik/pull/1831) by [timoreimann](https://github.com/timoreimann))
+- **[marathon]** Fix documentation glitches. ([#1996](https://github.com/containous/traefik/pull/1996) by [timoreimann](https://github.com/timoreimann))
+- **[metrics]** Enhance web backend documentation ([#2122](https://github.com/containous/traefik/pull/2122) by [ldez](https://github.com/ldez))
+- **[mesos]** fix: documentation Mesos. ([#2029](https://github.com/containous/traefik/pull/2029) by [ldez](https://github.com/ldez))
+- **[middleware]** Improve compression documentation ([#2184](https://github.com/containous/traefik/pull/2184) by [errm](https://github.com/errm))
+- **[provider]** Clarify that provider-enabling argument parameters set all defaults. ([#1830](https://github.com/containous/traefik/pull/1830) by [timoreimann](https://github.com/timoreimann))
+- **[rancher]** Update Rancher documentation. ([#1776](https://github.com/containous/traefik/pull/1776) by [ldez](https://github.com/ldez))
+- **[webui]** Document yarnpkg. ([#1558](https://github.com/containous/traefik/pull/1558) by [Stibbons](https://github.com/Stibbons))
+- Add forward auth documentation. ([#2110](https://github.com/containous/traefik/pull/2110) by [ldez](https://github.com/ldez))
+- User guide gRPC ([#2108](https://github.com/containous/traefik/pull/2108) by [Juliens](https://github.com/Juliens))
+- Document custom error page restrictions. ([#2104](https://github.com/containous/traefik/pull/2104) by [timoreimann](https://github.com/timoreimann))
+- Prepare release v1.4.0-rc3 ([#2135](https://github.com/containous/traefik/pull/2135) by [Juliens](https://github.com/Juliens))
+- Update gRPC example ([#2191](https://github.com/containous/traefik/pull/2191) by [jsenon](https://github.com/jsenon))
+- Prepare release v1.4.0-rc2 ([#2091](https://github.com/containous/traefik/pull/2091) by [ldez](https://github.com/ldez))
+- Fix grammar mistake in the kv-config docs ([#2197](https://github.com/containous/traefik/pull/2197) by [chr4](https://github.com/chr4))
+- Update cluster.md ([#2073](https://github.com/containous/traefik/pull/2073) by [kmbremner](https://github.com/kmbremner))
+- Prepare release v1.4.0-rc4 ([#2201](https://github.com/containous/traefik/pull/2201) by [nmengin](https://github.com/nmengin))
+- Prepare release v1.4.0-rc5 ([#2241](https://github.com/containous/traefik/pull/2241) by [ldez](https://github.com/ldez))
+- Enhance documentation. ([#2048](https://github.com/containous/traefik/pull/2048) by [ldez](https://github.com/ldez))
+- doc: add notes on server urls with path ([#2045](https://github.com/containous/traefik/pull/2045) by [chulkilee](https://github.com/chulkilee))
+- Enhance security headers doc. ([#2042](https://github.com/containous/traefik/pull/2042) by [ldez](https://github.com/ldez))
+- HTTPS for images, video and links in docs. ([#2041](https://github.com/containous/traefik/pull/2041) by [ldez](https://github.com/ldez))
+- Fix error pages configuration. ([#2038](https://github.com/containous/traefik/pull/2038) by [ldez](https://github.com/ldez))
+- Fix Proxy Protocol documentation ([#2253](https://github.com/containous/traefik/pull/2253) by [emilevauge](https://github.com/emilevauge))
+- Update GraceTimeOut documentation ([#1875](https://github.com/containous/traefik/pull/1875) by [marco-jantke](https://github.com/marco-jantke))
+- Release cycle. ([#1812](https://github.com/containous/traefik/pull/1812) by [ldez](https://github.com/ldez))
+- Update contributing guide build steps ([#1801](https://github.com/containous/traefik/pull/1801) by [jsturtevant](https://github.com/jsturtevant))
+- Add Nicolas Mengin to maintainers ([#1792](https://github.com/containous/traefik/pull/1792) by [emilevauge](https://github.com/emilevauge))
+- Add Julien Salleyron to maintainers ([#1790](https://github.com/containous/traefik/pull/1790) by [emilevauge](https://github.com/emilevauge))
+- Change to a more flexible PR review process ([#1781](https://github.com/containous/traefik/pull/1781) by [emilevauge](https://github.com/emilevauge))
+- Traefik "bug" command documentation ([#1811](https://github.com/containous/traefik/pull/1811) by [ldez](https://github.com/ldez))
+- Change Traefik intro video ([#1893](https://github.com/containous/traefik/pull/1893) by [emilevauge](https://github.com/emilevauge))
+- Prepare release v1.4.0-rc1 ([#2021](https://github.com/containous/traefik/pull/2021) by [ldez](https://github.com/ldez))
+- Add play-with-docker example ([#1726](https://github.com/containous/traefik/pull/1726) by [marcosnils](https://github.com/marcosnils))
+- Add Marco Jantke to maintainers ([#1980](https://github.com/containous/traefik/pull/1980) by [emilevauge](https://github.com/emilevauge))
+- Remove Russel from maintainers ([#1614](https://github.com/containous/traefik/pull/1614) by [emilevauge](https://github.com/emilevauge))
+- Update CONTRIBUTING.md. ([#1667](https://github.com/containous/traefik/pull/1667) by [timoreimann](https://github.com/timoreimann))
+- drop "slave" wording for "worker" ([#1645](https://github.com/containous/traefik/pull/1645) by [djalal](https://github.com/djalal))
+- Use more inclusive language in README.md {guys => folks} ([#1640](https://github.com/containous/traefik/pull/1640) by [igorwwwwwwwwwwwwwwwwwwww](https://github.com/igorwwwwwwwwwwwwwwwwwwww))
+- Remove Thomas Recloux from maintainers ([#1616](https://github.com/containous/traefik/pull/1616) by [emilevauge](https://github.com/emilevauge))
+- Update documentation for 1.4 release ([#2011](https://github.com/containous/traefik/pull/2011) by [emilevauge](https://github.com/emilevauge))
+- Small toml documentation update ([#1603](https://github.com/containous/traefik/pull/1603) by [antoine-aumjaud](https://github.com/antoine-aumjaud))
+- Add @ldez to maintainers ([#1589](https://github.com/containous/traefik/pull/1589) by [emilevauge](https://github.com/emilevauge))
+- doc: add labels documentation. ([#1582](https://github.com/containous/traefik/pull/1582) by [ldez](https://github.com/ldez))
+- Update golang version in contributing guide ([#2018](https://github.com/containous/traefik/pull/2018) by [ArikaChen](https://github.com/ArikaChen))
+- toml page - replace li by table ([#1995](https://github.com/containous/traefik/pull/1995) by [jmaitrehenry](https://github.com/jmaitrehenry))
+
+**Misc:**
+- Merge v1.3.7 ([#2013](https://github.com/containous/traefik/pull/2013) by [ldez](https://github.com/ldez))
+- Merge 1.3.6 ([#1992](https://github.com/containous/traefik/pull/1992) by [ldez](https://github.com/ldez))
+- Merge 1.3.5 ([#1909](https://github.com/containous/traefik/pull/1909) by [ldez](https://github.com/ldez))
+- Merge 1.3.3 ([#1836](https://github.com/containous/traefik/pull/1836) by [ldez](https://github.com/ldez))
+- Merge v1.3.2 to master  ([#1809](https://github.com/containous/traefik/pull/1809) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1797](https://github.com/containous/traefik/pull/1797) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1786](https://github.com/containous/traefik/pull/1786) by [ldez](https://github.com/ldez))
+- Merge v1.3.1 to master ([#1763](https://github.com/containous/traefik/pull/1763) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1753](https://github.com/containous/traefik/pull/1753) by [ldez](https://github.com/ldez))
+- Merge current v1.3 ([#1705](https://github.com/containous/traefik/pull/1705) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master ([#1697](https://github.com/containous/traefik/pull/1697) by [ldez](https://github.com/ldez))
+- Merge v1 3 0 ([#1692](https://github.com/containous/traefik/pull/1692) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master (rc3) ([#1666](https://github.com/containous/traefik/pull/1666) by [ldez](https://github.com/ldez))
+- Merge current v1.3 to master  ([#1643](https://github.com/containous/traefik/pull/1643) by [ldez](https://github.com/ldez))
+- Merge v1.3.0-rc2 master ([#1613](https://github.com/containous/traefik/pull/1613) by [emilevauge](https://github.com/emilevauge))
+- Merge v1.3 branch into master [2017-05-11] ([#1548](https://github.com/containous/traefik/pull/1548) by [timoreimann](https://github.com/timoreimann))
+
+## [v1.4.0-rc5](https://github.com/containous/traefik/tree/v1.4.0-rc5) (2017-10-10)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.0-rc4...v1.4.0-rc5)
+
+**Enhancements:**
+- **[middleware]** Add trusted whitelist proxy protocol ([#2234](https://github.com/containous/traefik/pull/2234) by [emilevauge](https://github.com/emilevauge))
+
+**Bug fixes:**
+- **[consul,docker,ecs,k8s,marathon,rancher,sticky-session]** Stickiness cookie name ([#2232](https://github.com/containous/traefik/pull/2232) by [ldez](https://github.com/ldez))
+- **[logs]** Fix flakiness in log rotation test ([#2213](https://github.com/containous/traefik/pull/2213) by [marco-jantke](https://github.com/marco-jantke))
+- **[middleware]** Enable prefix matching within slash boundaries ([#2214](https://github.com/containous/traefik/pull/2214) by [marco-jantke](https://github.com/marco-jantke))
+- **[sticky-session]** Sanitize cookie names. ([#2216](https://github.com/containous/traefik/pull/2216) by [timoreimann](https://github.com/timoreimann))
+- Move http2 configure transport  ([#2231](https://github.com/containous/traefik/pull/2231) by [Juliens](https://github.com/Juliens))
+- Delay first version check ([#2215](https://github.com/containous/traefik/pull/2215) by [emilevauge](https://github.com/emilevauge))
+
+**Documentation:**
+- **[acme]** Fix grammar ([#2208](https://github.com/containous/traefik/pull/2208) by [mvasin](https://github.com/mvasin))
+- **[docker,ecs,k8s,marathon,rancher]** Stickiness documentation ([#2238](https://github.com/containous/traefik/pull/2238) by [ldez](https://github.com/ldez))
+- **[k8s]** Quote priority values in annotation examples. ([#2230](https://github.com/containous/traefik/pull/2230) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Remove pod from RBAC rules. ([#2229](https://github.com/containous/traefik/pull/2229) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Document ways to partition Ingresses in the k8s guide. ([#2223](https://github.com/containous/traefik/pull/2223) by [timoreimann](https://github.com/timoreimann))
+
+## [v1.4.0-rc4](https://github.com/containous/traefik/tree/v1.4.0-rc4) (2017-10-02)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.0-rc3...v1.4.0-rc4)
+
+**Bug fixes:**
+- **[cluster,kv]** Be certain to clear our marshalled representation before reloading it ([#2165](https://github.com/containous/traefik/pull/2165) by [gozer](https://github.com/gozer))
+- **[consulcatalog]** Consul catalog failed to remove service  ([#2157](https://github.com/containous/traefik/pull/2157) by [Juliens](https://github.com/Juliens))
+- **[consulcatalog]** Flaky tests and refresh problem in consul catalog ([#2148](https://github.com/containous/traefik/pull/2148) by [Juliens](https://github.com/Juliens))
+- **[ecs]** Handle empty ECS Clusters properly ([#2170](https://github.com/containous/traefik/pull/2170) by [jeffreykoetsier](https://github.com/jeffreykoetsier))
+- **[middleware]** Fix SSE subscriptions when retries are enabled ([#2145](https://github.com/containous/traefik/pull/2145) by [marco-jantke](https://github.com/marco-jantke))
+- **[websocket]** Forward upgrade error from backend ([#2187](https://github.com/containous/traefik/pull/2187) by [Juliens](https://github.com/Juliens))
+- `bug` command. ([#2178](https://github.com/containous/traefik/pull/2178) by [ldez](https://github.com/ldez))
+- Fix deprecated IdleTimeout config ([#2143](https://github.com/containous/traefik/pull/2143) by [marco-jantke](https://github.com/marco-jantke))
+
+**Documentation:**
+- **[docker]** Updating Docker output and curl for sticky sessions ([#2150](https://github.com/containous/traefik/pull/2150) by [jtyr](https://github.com/jtyr))
+- **[middleware]** Improve compression documentation ([#2184](https://github.com/containous/traefik/pull/2184) by [errm](https://github.com/errm))
+- Fix grammar mistake in the kv-config docs ([#2197](https://github.com/containous/traefik/pull/2197) by [chr4](https://github.com/chr4))
+- Update gRPC example ([#2191](https://github.com/containous/traefik/pull/2191) by [jsenon](https://github.com/jsenon))
+
+**Misc:**
+- **[websocket]** Add tests for urlencoded part in url ([#2199](https://github.com/containous/traefik/pull/2199) by [Juliens](https://github.com/Juliens))
+
 ## [v1.4.0-rc3](https://github.com/containous/traefik/tree/v1.4.0-rc3) (2017-09-18)
 [All Commits](https://github.com/containous/traefik/compare/v1.4.0-rc2...v1.4.0-rc3)
 

Makefile

@@ -97,7 +97,7 @@ dist:
 
 run-dev:
 	go generate
-	go build
+	go build ./cmd/traefik
 	./traefik
 
 generate-webui: build-webui
@@ -114,9 +114,7 @@ fmt:
 	gofmt -s -l -w $(SRCS)
 
 pull-images:
-	for f in $(shell find ./integration/resources/compose/ -type f); do \
-		docker-compose -f $$f pull; \
-	done
+	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq  | xargs -P 6 -n 1 docker pull
 
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

cluster/datastore.go

@@ -199,6 +199,10 @@ func (d *Datastore) get() *Metadata {
 func (d *Datastore) Load() (Object, error) {
 	d.localLock.Lock()
 	defer d.localLock.Unlock()
+
+	// clear Object first, as mapstructure's decoder doesn't have ZeroFields set to true for merging purposes
+	d.meta.Object = d.meta.Object[:0]
+
 	err := d.kv.LoadConfig(d.meta)
 	if err != nil {
 		return nil, err

cmd/traefik/anonymize/anonymize.go

@@ -0,0 +1,136 @@
+package anonymize
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"regexp"
+
+	"github.com/mitchellh/copystructure"
+	"github.com/mvdan/xurls"
+)
+
+const (
+	maskShort = "xxxx"
+	maskLarge = maskShort + maskShort + maskShort + maskShort + maskShort + maskShort + maskShort + maskShort
+)
+
+// Do configuration.
+func Do(baseConfig interface{}, indent bool) (string, error) {
+	anomConfig, err := copystructure.Copy(baseConfig)
+	if err != nil {
+		return "", err
+	}
+
+	val := reflect.ValueOf(anomConfig)
+
+	err = doOnStruct(val)
+	if err != nil {
+		return "", err
+	}
+
+	configJSON, err := marshal(anomConfig, indent)
+	if err != nil {
+		return "", err
+	}
+
+	return doOnJSON(string(configJSON)), nil
+}
+
+func doOnJSON(input string) string {
+	mailExp := regexp.MustCompile(`\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3}"`)
+	return xurls.Relaxed.ReplaceAllString(mailExp.ReplaceAllString(input, maskLarge+"\""), maskLarge)
+}
+
+func doOnStruct(field reflect.Value) error {
+	switch field.Kind() {
+	case reflect.Ptr:
+		if !field.IsNil() {
+			if err := doOnStruct(field.Elem()); err != nil {
+				return err
+			}
+		}
+	case reflect.Struct:
+		for i := 0; i < field.NumField(); i++ {
+			fld := field.Field(i)
+			stField := field.Type().Field(i)
+			if !isExported(stField) {
+				continue
+			}
+			if stField.Tag.Get("export") == "true" {
+				if err := doOnStruct(fld); err != nil {
+					return err
+				}
+			} else {
+				if err := reset(fld, stField.Name); err != nil {
+					return err
+				}
+			}
+		}
+	case reflect.Map:
+		for _, key := range field.MapKeys() {
+			if err := doOnStruct(field.MapIndex(key)); err != nil {
+				return err
+			}
+		}
+	case reflect.Slice:
+		for j := 0; j < field.Len(); j++ {
+			if err := doOnStruct(field.Index(j)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func reset(field reflect.Value, name string) error {
+	if !field.CanSet() {
+		return fmt.Errorf("cannot reset field %s", name)
+	}
+
+	switch field.Kind() {
+	case reflect.Ptr:
+		if !field.IsNil() {
+			field.Set(reflect.Zero(field.Type()))
+		}
+	case reflect.Struct:
+		if field.IsValid() {
+			field.Set(reflect.Zero(field.Type()))
+		}
+	case reflect.String:
+		if field.String() != "" {
+			field.Set(reflect.ValueOf(maskShort))
+		}
+	case reflect.Map:
+		if field.Len() > 0 {
+			field.Set(reflect.MakeMap(field.Type()))
+		}
+	case reflect.Slice:
+		if field.Len() > 0 {
+			field.Set(reflect.MakeSlice(field.Type(), 0, 0))
+		}
+	case reflect.Interface:
+		if !field.IsNil() {
+			return reset(field.Elem(), "")
+		}
+	default:
+		// Primitive type
+		field.Set(reflect.Zero(field.Type()))
+	}
+	return nil
+}
+
+// isExported return true is a struct field is exported, else false
+func isExported(f reflect.StructField) bool {
+	if f.PkgPath != "" && !f.Anonymous {
+		return false
+	}
+	return true
+}
+
+func marshal(anomConfig interface{}, indent bool) ([]byte, error) {
+	if indent {
+		return json.MarshalIndent(anomConfig, "", " ")
+	}
+	return json.Marshal(anomConfig)
+}

cmd/traefik/anonymize/anonymize_config_test.go

@@ -0,0 +1,670 @@
+package anonymize
+
+import (
+	"crypto/tls"
+	"testing"
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/middlewares"
+	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/kv"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/web"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+	thoas_stats "github.com/thoas/stats"
+)
+
+func TestDo_globalConfiguration(t *testing.T) {
+
+	config := &configuration.GlobalConfiguration{}
+
+	config.GraceTimeOut = flaeg.Duration(666 * time.Second)
+	config.Debug = true
+	config.CheckNewVersion = true
+	config.AccessLogsFile = "AccessLogsFile"
+	config.AccessLog = &types.AccessLog{
+		FilePath: "AccessLog FilePath",
+		Format:   "AccessLog Format",
+	}
+	config.TraefikLogsFile = "TraefikLogsFile"
+	config.LogLevel = "LogLevel"
+	config.EntryPoints = configuration.EntryPoints{
+		"foo": {
+			Network: "foo Network",
+			Address: "foo Address",
+			TLS: &configuration.TLS{
+				MinVersion:   "foo MinVersion",
+				CipherSuites: []string{"foo CipherSuites 1", "foo CipherSuites 2", "foo CipherSuites 3"},
+				Certificates: configuration.Certificates{
+					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
+					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
+				},
+				ClientCAFiles: []string{"foo ClientCAFiles 1", "foo ClientCAFiles 2", "foo ClientCAFiles 3"},
+			},
+			Redirect: &configuration.Redirect{
+				Replacement: "foo Replacement",
+				Regex:       "foo Regex",
+				EntryPoint:  "foo EntryPoint",
+			},
+			Auth: &types.Auth{
+				Basic: &types.Basic{
+					UsersFile: "foo Basic UsersFile",
+					Users:     types.Users{"foo Basic Users 1", "foo Basic Users 2", "foo Basic Users 3"},
+				},
+				Digest: &types.Digest{
+					UsersFile: "foo Digest UsersFile",
+					Users:     types.Users{"foo Digest Users 1", "foo Digest Users 2", "foo Digest Users 3"},
+				},
+				Forward: &types.Forward{
+					Address: "foo Address",
+					TLS: &types.ClientTLS{
+						CA:                 "foo CA",
+						Cert:               "foo Cert",
+						Key:                "foo Key",
+						InsecureSkipVerify: true,
+					},
+					TrustForwardHeader: true,
+				},
+			},
+			WhitelistSourceRange: []string{"foo WhitelistSourceRange 1", "foo WhitelistSourceRange 2", "foo WhitelistSourceRange 3"},
+			Compress:             true,
+			ProxyProtocol: &configuration.ProxyProtocol{
+				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
+			},
+		},
+		"fii": {
+			Network: "fii Network",
+			Address: "fii Address",
+			TLS: &configuration.TLS{
+				MinVersion:   "fii MinVersion",
+				CipherSuites: []string{"fii CipherSuites 1", "fii CipherSuites 2", "fii CipherSuites 3"},
+				Certificates: configuration.Certificates{
+					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
+					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
+				},
+				ClientCAFiles: []string{"fii ClientCAFiles 1", "fii ClientCAFiles 2", "fii ClientCAFiles 3"},
+			},
+			Redirect: &configuration.Redirect{
+				Replacement: "fii Replacement",
+				Regex:       "fii Regex",
+				EntryPoint:  "fii EntryPoint",
+			},
+			Auth: &types.Auth{
+				Basic: &types.Basic{
+					UsersFile: "fii Basic UsersFile",
+					Users:     types.Users{"fii Basic Users 1", "fii Basic Users 2", "fii Basic Users 3"},
+				},
+				Digest: &types.Digest{
+					UsersFile: "fii Digest UsersFile",
+					Users:     types.Users{"fii Digest Users 1", "fii Digest Users 2", "fii Digest Users 3"},
+				},
+				Forward: &types.Forward{
+					Address: "fii Address",
+					TLS: &types.ClientTLS{
+						CA:                 "fii CA",
+						Cert:               "fii Cert",
+						Key:                "fii Key",
+						InsecureSkipVerify: true,
+					},
+					TrustForwardHeader: true,
+				},
+			},
+			WhitelistSourceRange: []string{"fii WhitelistSourceRange 1", "fii WhitelistSourceRange 2", "fii WhitelistSourceRange 3"},
+			Compress:             true,
+			ProxyProtocol: &configuration.ProxyProtocol{
+				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
+			},
+		},
+	}
+	config.Cluster = &types.Cluster{
+		Node: "Cluster Node",
+		Store: &types.Store{
+			Prefix: "Cluster Store Prefix",
+			// ...
+		},
+	}
+	config.Constraints = types.Constraints{
+		{
+			Key:       "Constraints Key 1",
+			Regex:     "Constraints Regex 2",
+			MustMatch: true,
+		},
+		{
+			Key:       "Constraints Key 1",
+			Regex:     "Constraints Regex 2",
+			MustMatch: true,
+		},
+	}
+	config.ACME = &acme.ACME{
+		Email: "acme Email",
+		Domains: []acme.Domain{
+			{
+				Main: "Domains Main",
+				SANs: []string{"Domains acme SANs 1", "Domains acme SANs 2", "Domains acme SANs 3"},
+			},
+		},
+		Storage:           "Storage",
+		StorageFile:       "StorageFile",
+		OnDemand:          true,
+		OnHostRule:        true,
+		CAServer:          "CAServer",
+		EntryPoint:        "EntryPoint",
+		DNSProvider:       "DNSProvider",
+		DelayDontCheckDNS: 666,
+		ACMELogging:       true,
+		TLSConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			// ...
+		},
+	}
+	config.DefaultEntryPoints = configuration.DefaultEntryPoints{"DefaultEntryPoints 1", "DefaultEntryPoints 2", "DefaultEntryPoints 3"}
+	config.ProvidersThrottleDuration = flaeg.Duration(666 * time.Second)
+	config.MaxIdleConnsPerHost = 666
+	config.IdleTimeout = flaeg.Duration(666 * time.Second)
+	config.InsecureSkipVerify = true
+	config.RootCAs = configuration.RootCAs{"RootCAs 1", "RootCAs 2", "RootCAs 3"}
+	config.Retry = &configuration.Retry{
+		Attempts: 666,
+	}
+	config.HealthCheck = &configuration.HealthCheckConfig{
+		Interval: flaeg.Duration(666 * time.Second),
+	}
+	config.RespondingTimeouts = &configuration.RespondingTimeouts{
+		ReadTimeout:  flaeg.Duration(666 * time.Second),
+		WriteTimeout: flaeg.Duration(666 * time.Second),
+		IdleTimeout:  flaeg.Duration(666 * time.Second),
+	}
+	config.ForwardingTimeouts = &configuration.ForwardingTimeouts{
+		DialTimeout:           flaeg.Duration(666 * time.Second),
+		ResponseHeaderTimeout: flaeg.Duration(666 * time.Second),
+	}
+	config.Docker = &docker.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "docker Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "docker Constraints Key 1",
+					Regex:     "docker Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "docker Constraints Key 1",
+					Regex:     "docker Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint: "docker Endpoint",
+		Domain:   "docker Domain",
+		TLS: &types.ClientTLS{
+			CA:                 "docker CA",
+			Cert:               "docker Cert",
+			Key:                "docker Key",
+			InsecureSkipVerify: true,
+		},
+		ExposedByDefault: true,
+		UseBindPortIP:    true,
+		SwarmMode:        true,
+	}
+	config.File = &file.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "file Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "file Constraints Key 1",
+					Regex:     "file Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "file Constraints Key 1",
+					Regex:     "file Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Directory: "file Directory",
+	}
+	config.Web = &web.Provider{
+		Address:  "web Address",
+		CertFile: "web CertFile",
+		KeyFile:  "web KeyFile",
+		ReadOnly: true,
+		Statistics: &types.Statistics{
+			RecentErrors: 666,
+		},
+		Metrics: &types.Metrics{
+			Prometheus: &types.Prometheus{
+				Buckets: types.Buckets{6.5, 6.6, 6.7},
+			},
+			Datadog: &types.Datadog{
+				Address:      "Datadog Address",
+				PushInterval: "Datadog PushInterval",
+			},
+			StatsD: &types.Statsd{
+				Address:      "StatsD Address",
+				PushInterval: "StatsD PushInterval",
+			},
+		},
+		Path: "web Path",
+		Auth: &types.Auth{
+			Basic: &types.Basic{
+				UsersFile: "web Basic UsersFile",
+				Users:     types.Users{"web Basic Users 1", "web Basic Users 2", "web Basic Users 3"},
+			},
+			Digest: &types.Digest{
+				UsersFile: "web Digest UsersFile",
+				Users:     types.Users{"web Digest Users 1", "web Digest Users 2", "web Digest Users 3"},
+			},
+			Forward: &types.Forward{
+				Address: "web Address",
+				TLS: &types.ClientTLS{
+					CA:                 "web CA",
+					Cert:               "web Cert",
+					Key:                "web Key",
+					InsecureSkipVerify: true,
+				},
+				TrustForwardHeader: true,
+			},
+		},
+		Debug: true,
+		CurrentConfigurations: &safe.Safe{},
+		Stats: &thoas_stats.Stats{
+			Uptime:              time.Now(),
+			Pid:                 666,
+			ResponseCounts:      map[string]int{"foo": 1, "fii": 2, "fuu": 3},
+			TotalResponseCounts: map[string]int{"foo": 1, "fii": 2, "fuu": 3},
+			TotalResponseTime:   time.Now(),
+		},
+		StatsRecorder: &middlewares.StatsRecorder{},
+	}
+	config.Marathon = &marathon.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "marathon Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "marathon Constraints Key 1",
+					Regex:     "marathon Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "marathon Constraints Key 1",
+					Regex:     "marathon Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint:                "",
+		Domain:                  "",
+		ExposedByDefault:        true,
+		GroupsAsSubDomains:      true,
+		DCOSToken:               "",
+		MarathonLBCompatibility: true,
+		TLS: &types.ClientTLS{
+			CA:                 "marathon CA",
+			Cert:               "marathon Cert",
+			Key:                "marathon Key",
+			InsecureSkipVerify: true,
+		},
+		DialerTimeout:     flaeg.Duration(666 * time.Second),
+		KeepAlive:         flaeg.Duration(666 * time.Second),
+		ForceTaskHostname: true,
+		Basic: &marathon.Basic{
+			HTTPBasicAuthUser: "marathon HTTPBasicAuthUser",
+			HTTPBasicPassword: "marathon HTTPBasicPassword",
+		},
+		RespectReadinessChecks: true,
+	}
+	config.ConsulCatalog = &consul.CatalogProvider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "ConsulCatalog Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "ConsulCatalog Constraints Key 1",
+					Regex:     "ConsulCatalog Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "ConsulCatalog Constraints Key 1",
+					Regex:     "ConsulCatalog Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint:         "ConsulCatalog Endpoint",
+		Domain:           "ConsulCatalog Domain",
+		ExposedByDefault: true,
+		Prefix:           "ConsulCatalog Prefix",
+		FrontEndRule:     "ConsulCatalog FrontEndRule",
+	}
+	config.Kubernetes = &kubernetes.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "k8s Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "k8s Constraints Key 1",
+					Regex:     "k8s Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "k8s Constraints Key 1",
+					Regex:     "k8s Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint:               "k8s Endpoint",
+		Token:                  "k8s Token",
+		CertAuthFilePath:       "k8s CertAuthFilePath",
+		DisablePassHostHeaders: true,
+		Namespaces:             kubernetes.Namespaces{"k8s Namespaces 1", "k8s Namespaces 2", "k8s Namespaces 3"},
+		LabelSelector:          "k8s LabelSelector",
+	}
+	config.Mesos = &mesos.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "mesos Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "mesos Constraints Key 1",
+					Regex:     "mesos Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "mesos Constraints Key 1",
+					Regex:     "mesos Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint:           "mesos Endpoint",
+		Domain:             "mesos Domain",
+		ExposedByDefault:   true,
+		GroupsAsSubDomains: true,
+		ZkDetectionTimeout: 666,
+		RefreshSeconds:     666,
+		IPSources:          "mesos IPSources",
+		StateTimeoutSecond: 666,
+		Masters:            []string{"mesos Masters 1", "mesos Masters 2", "mesos Masters 3"},
+	}
+	config.Eureka = &eureka.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "eureka Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "eureka Constraints Key 1",
+					Regex:     "eureka Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "eureka Constraints Key 1",
+					Regex:     "eureka Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Endpoint: "eureka Endpoint",
+		Delay:    "eureka Delay",
+	}
+	config.ECS = &ecs.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "ecs Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "ecs Constraints Key 1",
+					Regex:     "ecs Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "ecs Constraints Key 1",
+					Regex:     "ecs Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		Domain:               "ecs Domain",
+		ExposedByDefault:     true,
+		RefreshSeconds:       666,
+		Clusters:             ecs.Clusters{"ecs Clusters 1", "ecs Clusters 2", "ecs Clusters 3"},
+		Cluster:              "ecs Cluster",
+		AutoDiscoverClusters: true,
+		Region:               "ecs Region",
+		AccessKeyID:          "ecs AccessKeyID",
+		SecretAccessKey:      "ecs SecretAccessKey",
+	}
+	config.Rancher = &rancher.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "rancher Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "rancher Constraints Key 1",
+					Regex:     "rancher Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "rancher Constraints Key 1",
+					Regex:     "rancher Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		APIConfiguration: rancher.APIConfiguration{
+			Endpoint:  "rancher Endpoint",
+			AccessKey: "rancher AccessKey",
+			SecretKey: "rancher SecretKey",
+		},
+		API: &rancher.APIConfiguration{
+			Endpoint:  "rancher Endpoint",
+			AccessKey: "rancher AccessKey",
+			SecretKey: "rancher SecretKey",
+		},
+		Metadata: &rancher.MetadataConfiguration{
+			IntervalPoll: true,
+			Prefix:       "rancher Metadata Prefix",
+		},
+		Domain:                    "rancher Domain",
+		RefreshSeconds:            666,
+		ExposedByDefault:          true,
+		EnableServiceHealthFilter: true,
+	}
+	config.DynamoDB = &dynamodb.Provider{
+		BaseProvider: provider.BaseProvider{
+			Watch:    true,
+			Filename: "dynamodb Filename",
+			Constraints: types.Constraints{
+				{
+					Key:       "dynamodb Constraints Key 1",
+					Regex:     "dynamodb Constraints Regex 2",
+					MustMatch: true,
+				},
+				{
+					Key:       "dynamodb Constraints Key 1",
+					Regex:     "dynamodb Constraints Regex 2",
+					MustMatch: true,
+				},
+			},
+			Trace: true,
+			DebugLogGeneratedTemplate: true,
+		},
+		AccessKeyID:     "dynamodb AccessKeyID",
+		RefreshSeconds:  666,
+		Region:          "dynamodb Region",
+		SecretAccessKey: "dynamodb SecretAccessKey",
+		TableName:       "dynamodb TableName",
+		Endpoint:        "dynamodb Endpoint",
+	}
+	config.Etcd = &etcd.Provider{
+		Provider: kv.Provider{
+			BaseProvider: provider.BaseProvider{
+				Watch:    true,
+				Filename: "etcd Filename",
+				Constraints: types.Constraints{
+					{
+						Key:       "etcd Constraints Key 1",
+						Regex:     "etcd Constraints Regex 2",
+						MustMatch: true,
+					},
+					{
+						Key:       "etcd Constraints Key 1",
+						Regex:     "etcd Constraints Regex 2",
+						MustMatch: true,
+					},
+				},
+				Trace: true,
+				DebugLogGeneratedTemplate: true,
+			},
+			Endpoint: "etcd Endpoint",
+			Prefix:   "etcd Prefix",
+			TLS: &types.ClientTLS{
+				CA:                 "etcd CA",
+				Cert:               "etcd Cert",
+				Key:                "etcd Key",
+				InsecureSkipVerify: true,
+			},
+			Username: "etcd Username",
+			Password: "etcd Password",
+		},
+	}
+	config.Zookeeper = &zk.Provider{
+		Provider: kv.Provider{
+			BaseProvider: provider.BaseProvider{
+				Watch:    true,
+				Filename: "zk Filename",
+				Constraints: types.Constraints{
+					{
+						Key:       "zk Constraints Key 1",
+						Regex:     "zk Constraints Regex 2",
+						MustMatch: true,
+					},
+					{
+						Key:       "zk Constraints Key 1",
+						Regex:     "zk Constraints Regex 2",
+						MustMatch: true,
+					},
+				},
+				Trace: true,
+				DebugLogGeneratedTemplate: true,
+			},
+			Endpoint: "zk Endpoint",
+			Prefix:   "zk Prefix",
+			TLS: &types.ClientTLS{
+				CA:                 "zk CA",
+				Cert:               "zk Cert",
+				Key:                "zk Key",
+				InsecureSkipVerify: true,
+			},
+			Username: "zk Username",
+			Password: "zk Password",
+		},
+	}
+	config.Boltdb = &boltdb.Provider{
+		Provider: kv.Provider{
+			BaseProvider: provider.BaseProvider{
+				Watch:    true,
+				Filename: "boltdb Filename",
+				Constraints: types.Constraints{
+					{
+						Key:       "boltdb Constraints Key 1",
+						Regex:     "boltdb Constraints Regex 2",
+						MustMatch: true,
+					},
+					{
+						Key:       "boltdb Constraints Key 1",
+						Regex:     "boltdb Constraints Regex 2",
+						MustMatch: true,
+					},
+				},
+				Trace: true,
+				DebugLogGeneratedTemplate: true,
+			},
+			Endpoint: "boltdb Endpoint",
+			Prefix:   "boltdb Prefix",
+			TLS: &types.ClientTLS{
+				CA:                 "boltdb CA",
+				Cert:               "boltdb Cert",
+				Key:                "boltdb Key",
+				InsecureSkipVerify: true,
+			},
+			Username: "boltdb Username",
+			Password: "boltdb Password",
+		},
+	}
+	config.Consul = &consul.Provider{
+		Provider: kv.Provider{
+			BaseProvider: provider.BaseProvider{
+				Watch:    true,
+				Filename: "consul Filename",
+				Constraints: types.Constraints{
+					{
+						Key:       "consul Constraints Key 1",
+						Regex:     "consul Constraints Regex 2",
+						MustMatch: true,
+					},
+					{
+						Key:       "consul Constraints Key 1",
+						Regex:     "consul Constraints Regex 2",
+						MustMatch: true,
+					},
+				},
+				Trace: true,
+				DebugLogGeneratedTemplate: true,
+			},
+			Endpoint: "consul Endpoint",
+			Prefix:   "consul Prefix",
+			TLS: &types.ClientTLS{
+				CA:                 "consul CA",
+				Cert:               "consul Cert",
+				Key:                "consul Key",
+				InsecureSkipVerify: true,
+			},
+			Username: "consul Username",
+			Password: "consul Password",
+		},
+	}
+
+	cleanJSON, err := Do(config, true)
+	if err != nil {
+		t.Fatal(err, cleanJSON)
+	}
+}

cmd/traefik/anonymize/anonymize_doOnJSON_test.go

@@ -0,0 +1,238 @@
+package anonymize
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func Test_doOnJSON(t *testing.T) {
+	baseConfiguration := `
+{
+ "GraceTimeOut": 10000000000,
+ "Debug": false,
+ "CheckNewVersion": true,
+ "AccessLogsFile": "",
+ "TraefikLogsFile": "",
+ "LogLevel": "ERROR",
+ "EntryPoints": {
+  "http": {
+   "Network": "",
+   "Address": ":80",
+   "TLS": null,
+   "Redirect": {
+    "EntryPoint": "https",
+    "Regex": "",
+    "Replacement": ""
+   },
+   "Auth": null,
+   "Compress": false
+  },
+  "https": {
+   "Network": "",
+   "Address": ":443",
+   "TLS": {
+    "MinVersion": "",
+    "CipherSuites": null,
+    "Certificates": null,
+    "ClientCAFiles": null
+   },
+   "Redirect": null,
+   "Auth": null,
+   "Compress": false
+  }
+ },
+ "Cluster": null,
+ "Constraints": [],
+ "ACME": {
+  "Email": "foo@bar.com",
+  "Domains": [
+   {
+    "Main": "foo@bar.com",
+    "SANs": null
+   },
+   {
+    "Main": "foo@bar.com",
+    "SANs": null
+   }
+  ],
+  "Storage": "",
+  "StorageFile": "/acme/acme.json",
+  "OnDemand": true,
+  "OnHostRule": true,
+  "CAServer": "",
+  "EntryPoint": "https",
+  "DNSProvider": "",
+  "DelayDontCheckDNS": 0,
+  "ACMELogging": false,
+  "TLSConfig": null
+ },
+ "DefaultEntryPoints": [
+  "https",
+  "http"
+ ],
+ "ProvidersThrottleDuration": 2000000000,
+ "MaxIdleConnsPerHost": 200,
+ "IdleTimeout": 180000000000,
+ "InsecureSkipVerify": false,
+ "Retry": null,
+ "HealthCheck": {
+  "Interval": 30000000000
+ },
+ "Docker": null,
+ "File": null,
+ "Web": null,
+ "Marathon": null,
+ "Consul": null,
+ "ConsulCatalog": null,
+ "Etcd": null,
+ "Zookeeper": null,
+ "Boltdb": null,
+ "Kubernetes": null,
+ "Mesos": null,
+ "Eureka": null,
+ "ECS": null,
+ "Rancher": null,
+ "DynamoDB": null,
+ "ConfigFile": "/etc/traefik/traefik.toml"
+}
+`
+	expectedConfiguration := `
+{
+ "GraceTimeOut": 10000000000,
+ "Debug": false,
+ "CheckNewVersion": true,
+ "AccessLogsFile": "",
+ "TraefikLogsFile": "",
+ "LogLevel": "ERROR",
+ "EntryPoints": {
+  "http": {
+   "Network": "",
+   "Address": ":80",
+   "TLS": null,
+   "Redirect": {
+    "EntryPoint": "https",
+    "Regex": "",
+    "Replacement": ""
+   },
+   "Auth": null,
+   "Compress": false
+  },
+  "https": {
+   "Network": "",
+   "Address": ":443",
+   "TLS": {
+    "MinVersion": "",
+    "CipherSuites": null,
+    "Certificates": null,
+    "ClientCAFiles": null
+   },
+   "Redirect": null,
+   "Auth": null,
+   "Compress": false
+  }
+ },
+ "Cluster": null,
+ "Constraints": [],
+ "ACME": {
+  "Email": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+  "Domains": [
+   {
+    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+    "SANs": null
+   },
+   {
+    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+    "SANs": null
+   }
+  ],
+  "Storage": "",
+  "StorageFile": "/acme/acme.json",
+  "OnDemand": true,
+  "OnHostRule": true,
+  "CAServer": "",
+  "EntryPoint": "https",
+  "DNSProvider": "",
+  "DelayDontCheckDNS": 0,
+  "ACMELogging": false,
+  "TLSConfig": null
+ },
+ "DefaultEntryPoints": [
+  "https",
+  "http"
+ ],
+ "ProvidersThrottleDuration": 2000000000,
+ "MaxIdleConnsPerHost": 200,
+ "IdleTimeout": 180000000000,
+ "InsecureSkipVerify": false,
+ "Retry": null,
+ "HealthCheck": {
+  "Interval": 30000000000
+ },
+ "Docker": null,
+ "File": null,
+ "Web": null,
+ "Marathon": null,
+ "Consul": null,
+ "ConsulCatalog": null,
+ "Etcd": null,
+ "Zookeeper": null,
+ "Boltdb": null,
+ "Kubernetes": null,
+ "Mesos": null,
+ "Eureka": null,
+ "ECS": null,
+ "Rancher": null,
+ "DynamoDB": null,
+ "ConfigFile": "/etc/traefik/traefik.toml"
+}
+`
+	anomConfiguration := doOnJSON(baseConfiguration)
+
+	if anomConfiguration != expectedConfiguration {
+		t.Errorf("Got %s, want %s.", anomConfiguration, expectedConfiguration)
+	}
+}
+
+func Test_doOnJSON_simple(t *testing.T) {
+	testCases := []struct {
+		name           string
+		input          string
+		expectedOutput string
+	}{
+		{
+			name: "email",
+			input: `{
+				"email1": "goo@example.com",
+				"email2": "foo.bargoo@example.com",
+				"email3": "foo.bargoo@example.com.us"
+			}`,
+			expectedOutput: `{
+				"email1": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				"email2": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+				"email3": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+			}`,
+		},
+		{
+			name: "url",
+			input: `{
+				"URL": "foo domain.com foo",
+				"URL": "foo sub.domain.com foo",
+				"URL": "foo sub.sub.domain.com foo",
+				"URL": "foo sub.sub.sub.domain.com.us foo"
+			}`,
+			expectedOutput: `{
+				"URL": "foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx foo",
+				"URL": "foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx foo",
+				"URL": "foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx foo",
+				"URL": "foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx foo"
+			}`,
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+			output := doOnJSON(test.input)
+			assert.Equal(t, test.expectedOutput, output)
+		})
+	}
+}

cmd/traefik/anonymize/anonymize_doOnStruct_test.go

@@ -0,0 +1,176 @@
+package anonymize
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type Courgette struct {
+	Ji string
+	Ho string
+}
+type Tomate struct {
+	Ji string
+	Ho string
+}
+
+type Carotte struct {
+	Name        string
+	Value       int
+	Courgette   Courgette
+	ECourgette  Courgette `export:"true"`
+	Pourgette   *Courgette
+	EPourgette  *Courgette `export:"true"`
+	Aubergine   map[string]string
+	EAubergine  map[string]string `export:"true"`
+	SAubergine  map[string]Tomate
+	ESAubergine map[string]Tomate `export:"true"`
+	PSAubergine map[string]*Tomate
+	EPAubergine map[string]*Tomate `export:"true"`
+}
+
+func Test_doOnStruct(t *testing.T) {
+	testCase := []struct {
+		name     string
+		base     *Carotte
+		expected *Carotte
+		hasError bool
+	}{
+		{
+			name: "primitive",
+			base: &Carotte{
+				Name:  "koko",
+				Value: 666,
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+			},
+		},
+		{
+			name: "struct",
+			base: &Carotte{
+				Name: "koko",
+				Courgette: Courgette{
+					Ji: "huu",
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+			},
+		},
+		{
+			name: "pointer",
+			base: &Carotte{
+				Name: "koko",
+				Pourgette: &Courgette{
+					Ji: "hoo",
+				},
+			},
+			expected: &Carotte{
+				Name:      "xxxx",
+				Pourgette: nil,
+			},
+		},
+		{
+			name: "export struct",
+			base: &Carotte{
+				Name: "koko",
+				ECourgette: Courgette{
+					Ji: "huu",
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+				ECourgette: Courgette{
+					Ji: "xxxx",
+				},
+			},
+		},
+		{
+			name: "export pointer struct",
+			base: &Carotte{
+				Name: "koko",
+				ECourgette: Courgette{
+					Ji: "huu",
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+				ECourgette: Courgette{
+					Ji: "xxxx",
+				},
+			},
+		},
+		{
+			name: "export map string/string",
+			base: &Carotte{
+				Name: "koko",
+				EAubergine: map[string]string{
+					"foo": "bar",
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+				EAubergine: map[string]string{
+					"foo": "bar",
+				},
+			},
+		},
+		{
+			name: "export map string/pointer",
+			base: &Carotte{
+				Name: "koko",
+				EPAubergine: map[string]*Tomate{
+					"foo": {
+						Ji: "fdskljf",
+					},
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+				EPAubergine: map[string]*Tomate{
+					"foo": {
+						Ji: "xxxx",
+					},
+				},
+			},
+		},
+		{
+			name: "export map string/struct (UNSAFE)",
+			base: &Carotte{
+				Name: "koko",
+				ESAubergine: map[string]Tomate{
+					"foo": {
+						Ji: "JiJiJi",
+					},
+				},
+			},
+			expected: &Carotte{
+				Name: "xxxx",
+				ESAubergine: map[string]Tomate{
+					"foo": {
+						Ji: "JiJiJi",
+					},
+				},
+			},
+			hasError: true,
+		},
+	}
+
+	for _, test := range testCase {
+		t.Run(test.name, func(t *testing.T) {
+			val := reflect.ValueOf(test.base).Elem()
+			err := doOnStruct(val)
+			if !test.hasError && err != nil {
+				t.Fatal(err)
+			}
+			if test.hasError && err == nil {
+				t.Fatal("Got no error but want an error.")
+			}
+
+			assert.EqualValues(t, test.expected, test.base)
+		})
+	}
+}

cmd/traefik/bug.go

@@ -2,20 +2,18 @@ package main
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"net/url"
 	"os/exec"
-	"regexp"
 	"runtime"
 	"text/template"
 
 	"github.com/containous/flaeg"
-	"github.com/mvdan/xurls"
+	"github.com/containous/traefik/cmd/traefik/anonymize"
 )
 
-var (
-	bugtracker  = "https://github.com/containous/traefik/issues/new"
+const (
+	bugTracker  = "https://github.com/containous/traefik/issues/new"
 	bugTemplate = `<!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
@@ -94,50 +92,67 @@ func newBugCmd(traefikConfiguration interface{}, traefikPointersConfiguration in
 		Description:           `Report an issue on Traefik bugtracker`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
-		Run: func() error {
-			var version bytes.Buffer
-			if err := getVersionPrint(&version); err != nil {
-				return err
-			}
-
-			tmpl, err := template.New("").Parse(bugTemplate)
-			if err != nil {
-				return err
-			}
-
-			configJSON, err := json.MarshalIndent(traefikConfiguration, "", " ")
-			if err != nil {
-				return err
-			}
-
-			v := struct {
-				Version       string
-				Configuration string
-			}{
-				Version:       version.String(),
-				Configuration: anonymize(string(configJSON)),
-			}
-
-			var bug bytes.Buffer
-			if err := tmpl.Execute(&bug, v); err != nil {
-				return err
-			}
-
-			body := bug.String()
-			URL := bugtracker + "?body=" + url.QueryEscape(body)
-			if err := openBrowser(URL); err != nil {
-				fmt.Printf("Please file a new issue at %s using this template:\n\n", bugtracker)
-				fmt.Print(body)
-			}
-
-			return nil
-		},
+		Run: runBugCmd(traefikConfiguration),
 		Metadata: map[string]string{
 			"parseAllSources": "true",
 		},
 	}
 }
 
+func runBugCmd(traefikConfiguration interface{}) func() error {
+	return func() error {
+
+		body, err := createBugReport(traefikConfiguration)
+		if err != nil {
+			return err
+		}
+
+		sendBugReport(body)
+
+		return nil
+	}
+}
+
+func createBugReport(traefikConfiguration interface{}) (string, error) {
+	var version bytes.Buffer
+	if err := getVersionPrint(&version); err != nil {
+		return "", err
+	}
+
+	tmpl, err := template.New("bug").Parse(bugTemplate)
+	if err != nil {
+		return "", err
+	}
+
+	config, err := anonymize.Do(&traefikConfiguration, true)
+	if err != nil {
+		return "", err
+	}
+
+	v := struct {
+		Version       string
+		Configuration string
+	}{
+		Version:       version.String(),
+		Configuration: config,
+	}
+
+	var bug bytes.Buffer
+	if err := tmpl.Execute(&bug, v); err != nil {
+		return "", err
+	}
+
+	return bug.String(), nil
+}
+
+func sendBugReport(body string) {
+	URL := bugTracker + "?body=" + url.QueryEscape(body)
+	if err := openBrowser(URL); err != nil {
+		fmt.Printf("Please file a new issue at %s using this template:\n\n", bugTracker)
+		fmt.Print(body)
+	}
+}
+
 func openBrowser(URL string) error {
 	var err error
 	switch runtime.GOOS {
@@ -152,9 +167,3 @@ func openBrowser(URL string) error {
 	}
 	return err
 }
-
-func anonymize(input string) string {
-	replace := "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx\""
-	mailExp := regexp.MustCompile(`\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3}"`)
-	return xurls.Relaxed.ReplaceAllString(mailExp.ReplaceAllString(input, replace), replace)
-}

cmd/traefik/bug_test.go

@@ -2,192 +2,48 @@ package main
 
 import (
 	"testing"
+
+	"github.com/containous/traefik/cmd/traefik/anonymize"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/provider/file"
+	"github.com/stretchr/testify/assert"
 )
 
-func Test_anonymize(t *testing.T) {
-	baseConfiguration := `
-{
- "GraceTimeOut": 10000000000,
- "Debug": false,
- "CheckNewVersion": true,
- "AccessLogsFile": "",
- "TraefikLogsFile": "",
- "LogLevel": "ERROR",
- "EntryPoints": {
-  "http": {
-   "Network": "",
-   "Address": ":80",
-   "TLS": null,
-   "Redirect": {
-    "EntryPoint": "https",
-    "Regex": "",
-    "Replacement": ""
-   },
-   "Auth": null,
-   "Compress": false
-  },
-  "https": {
-   "Network": "",
-   "Address": ":443",
-   "TLS": {
-    "MinVersion": "",
-    "CipherSuites": null,
-    "Certificates": null,
-    "ClientCAFiles": null
-   },
-   "Redirect": null,
-   "Auth": null,
-   "Compress": false
-  }
- },
- "Cluster": null,
- "Constraints": [],
- "ACME": {
-  "Email": "foo@bar.com",
-  "Domains": [
-   {
-    "Main": "foo@bar.com",
-    "SANs": null
-   },
-   {
-    "Main": "foo@bar.com",
-    "SANs": null
-   }
-  ],
-  "Storage": "",
-  "StorageFile": "/acme/acme.json",
-  "OnDemand": true,
-  "OnHostRule": true,
-  "CAServer": "",
-  "EntryPoint": "https",
-  "DNSProvider": "",
-  "DelayDontCheckDNS": 0,
-  "ACMELogging": false,
-  "TLSConfig": null
- },
- "DefaultEntryPoints": [
-  "https",
-  "http"
- ],
- "ProvidersThrottleDuration": 2000000000,
- "MaxIdleConnsPerHost": 200,
- "IdleTimeout": 180000000000,
- "InsecureSkipVerify": false,
- "Retry": null,
- "HealthCheck": {
-  "Interval": 30000000000
- },
- "Docker": null,
- "File": null,
- "Web": null,
- "Marathon": null,
- "Consul": null,
- "ConsulCatalog": null,
- "Etcd": null,
- "Zookeeper": null,
- "Boltdb": null,
- "Kubernetes": null,
- "Mesos": null,
- "Eureka": null,
- "ECS": null,
- "Rancher": null,
- "DynamoDB": null,
- "ConfigFile": "/etc/traefik/traefik.toml"
-}
-`
-	expectedConfiguration := `
-{
- "GraceTimeOut": 10000000000,
- "Debug": false,
- "CheckNewVersion": true,
- "AccessLogsFile": "",
- "TraefikLogsFile": "",
- "LogLevel": "ERROR",
- "EntryPoints": {
-  "http": {
-   "Network": "",
-   "Address": ":80",
-   "TLS": null,
-   "Redirect": {
-    "EntryPoint": "https",
-    "Regex": "",
-    "Replacement": ""
-   },
-   "Auth": null,
-   "Compress": false
-  },
-  "https": {
-   "Network": "",
-   "Address": ":443",
-   "TLS": {
-    "MinVersion": "",
-    "CipherSuites": null,
-    "Certificates": null,
-    "ClientCAFiles": null
-   },
-   "Redirect": null,
-   "Auth": null,
-   "Compress": false
-  }
- },
- "Cluster": null,
- "Constraints": [],
- "ACME": {
-  "Email": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-  "Domains": [
-   {
-    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-    "SANs": null
-   },
-   {
-    "Main": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-    "SANs": null
-   }
-  ],
-  "Storage": "",
-  "StorageFile": "/acme/acme.json",
-  "OnDemand": true,
-  "OnHostRule": true,
-  "CAServer": "",
-  "EntryPoint": "https",
-  "DNSProvider": "",
-  "DelayDontCheckDNS": 0,
-  "ACMELogging": false,
-  "TLSConfig": null
- },
- "DefaultEntryPoints": [
-  "https",
-  "http"
- ],
- "ProvidersThrottleDuration": 2000000000,
- "MaxIdleConnsPerHost": 200,
- "IdleTimeout": 180000000000,
- "InsecureSkipVerify": false,
- "Retry": null,
- "HealthCheck": {
-  "Interval": 30000000000
- },
- "Docker": null,
- "File": null,
- "Web": null,
- "Marathon": null,
- "Consul": null,
- "ConsulCatalog": null,
- "Etcd": null,
- "Zookeeper": null,
- "Boltdb": null,
- "Kubernetes": null,
- "Mesos": null,
- "Eureka": null,
- "ECS": null,
- "Rancher": null,
- "DynamoDB": null,
- "ConfigFile": "/etc/traefik/traefik.toml"
-}
-`
-	anomConfiguration := anonymize(baseConfiguration)
-
-	if anomConfiguration != expectedConfiguration {
-		t.Errorf("Got %s, want %s.", anomConfiguration, expectedConfiguration)
+func Test_createBugReport(t *testing.T) {
+	traefikConfiguration := TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+			RootCAs: configuration.RootCAs{"fllf"},
+		},
 	}
+
+	report, err := createBugReport(traefikConfiguration)
+	assert.NoError(t, err, report)
+}
+
+func Test_anonymize_traefikConfiguration(t *testing.T) {
+	traefikConfiguration := &TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+		},
+	}
+	_, err := anonymize.Do(traefikConfiguration, true)
+	assert.NoError(t, err)
+	assert.Equal(t, "hoo.bar", traefikConfiguration.GlobalConfiguration.EntryPoints["goo"].Address)
 }

cmd/traefik/configuration.go

@@ -25,8 +25,8 @@ import (
 
 // TraefikConfiguration holds GlobalConfiguration and other stuff
 type TraefikConfiguration struct {
-	configuration.GlobalConfiguration `mapstructure:",squash"`
-	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)."`
+	configuration.GlobalConfiguration `mapstructure:",squash" export:"true"`
+	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
 }
 
 // NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
@@ -159,25 +159,42 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		FilePath: "",
 	}
 
+	// default HealthCheckConfig
+	healthCheck := configuration.HealthCheckConfig{
+		Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+	}
+
+	// default RespondingTimeouts
+	respondingTimeouts := configuration.RespondingTimeouts{
+		IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
+	}
+
+	// default ForwardingTimeouts
+	forwardingTimeouts := configuration.ForwardingTimeouts{
+		DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
+	}
+
 	defaultConfiguration := configuration.GlobalConfiguration{
-		Docker:        &defaultDocker,
-		File:          &defaultFile,
-		Web:           &defaultWeb,
-		Marathon:      &defaultMarathon,
-		Consul:        &defaultConsul,
-		ConsulCatalog: &defaultConsulCatalog,
-		Etcd:          &defaultEtcd,
-		Zookeeper:     &defaultZookeeper,
-		Boltdb:        &defaultBoltDb,
-		Kubernetes:    &defaultKubernetes,
-		Mesos:         &defaultMesos,
-		ECS:           &defaultECS,
-		Rancher:       &defaultRancher,
-		Eureka:        &defaultEureka,
-		DynamoDB:      &defaultDynamoDB,
-		Retry:         &configuration.Retry{},
-		HealthCheck:   &configuration.HealthCheckConfig{},
-		AccessLog:     &defaultAccessLog,
+		Docker:             &defaultDocker,
+		File:               &defaultFile,
+		Web:                &defaultWeb,
+		Marathon:           &defaultMarathon,
+		Consul:             &defaultConsul,
+		ConsulCatalog:      &defaultConsulCatalog,
+		Etcd:               &defaultEtcd,
+		Zookeeper:          &defaultZookeeper,
+		Boltdb:             &defaultBoltDb,
+		Kubernetes:         &defaultKubernetes,
+		Mesos:              &defaultMesos,
+		ECS:                &defaultECS,
+		Rancher:            &defaultRancher,
+		Eureka:             &defaultEureka,
+		DynamoDB:           &defaultDynamoDB,
+		Retry:              &configuration.Retry{},
+		HealthCheck:        &healthCheck,
+		AccessLog:          &defaultAccessLog,
+		RespondingTimeouts: &respondingTimeouts,
+		ForwardingTimeouts: &forwardingTimeouts,
 	}
 
 	return &TraefikConfiguration{
@@ -202,12 +219,6 @@ func NewTraefikConfiguration() *TraefikConfiguration {
 			HealthCheck: &configuration.HealthCheckConfig{
 				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
 			},
-			RespondingTimeouts: &configuration.RespondingTimeouts{
-				IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
-			},
-			ForwardingTimeouts: &configuration.ForwardingTimeouts{
-				DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
-			},
 			CheckNewVersion: true,
 		},
 		ConfigFile: "",

cmd/traefik/traefik.go

@@ -14,22 +14,24 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
 	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/cluster"
 	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/job"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider/ecs"
 	"github.com/containous/traefik/provider/kubernetes"
 	"github.com/containous/traefik/provider/rancher"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/server"
+	"github.com/containous/traefik/server/uuid"
 	"github.com/containous/traefik/types"
 	"github.com/containous/traefik/version"
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/docker/libkv/store"
-	"github.com/satori/go.uuid"
 )
 
 func main() {
@@ -188,7 +190,7 @@ Complete documentation is available at https://traefik.io`,
 	s.AddSource(toml)
 	s.AddSource(f)
 	if _, err := s.LoadConfig(); err != nil {
-		fmtlog.Println(fmt.Errorf("Error reading TOML config file %s : %s", toml.ConfigFileUsed(), err))
+		fmtlog.Printf("Error reading TOML config file %s : %s\n", toml.ConfigFileUsed(), err)
 		os.Exit(-1)
 	}
 
@@ -203,13 +205,21 @@ Complete documentation is available at https://traefik.io`,
 	// IF a KV Store is enable and no sub-command called in args
 	if kv != nil && usedCmd == traefikCmd {
 		if traefikConfiguration.Cluster == nil {
-			traefikConfiguration.Cluster = &types.Cluster{Node: uuid.NewV4().String()}
+			traefikConfiguration.Cluster = &types.Cluster{Node: uuid.Get()}
 		}
 		if traefikConfiguration.Cluster.Store == nil {
 			traefikConfiguration.Cluster.Store = &types.Store{Prefix: kv.Prefix, Store: kv.Store}
 		}
 		s.AddSource(kv)
-		if _, err := s.LoadConfig(); err != nil {
+		operation := func() error {
+			_, err := s.LoadConfig()
+			return err
+		}
+		notify := func(err error, time time.Duration) {
+			log.Errorf("Load config error: %+v, retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify)
+		if err != nil {
 			fmtlog.Printf("Error loading configuration: %s\n", err)
 			os.Exit(-1)
 		}
@@ -229,7 +239,10 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if len(globalConfiguration.EntryPoints) == 0 {
-		globalConfiguration.EntryPoints = map[string]*configuration.EntryPoint{"http": {Address: ":80"}}
+		globalConfiguration.EntryPoints = map[string]*configuration.EntryPoint{"http": {
+			Address:          ":80",
+			ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
+		}}
 		globalConfiguration.DefaultEntryPoints = []string{"http"}
 	}
 
@@ -259,6 +272,14 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 		globalConfiguration.LogLevel = "DEBUG"
 	}
 
+	// ForwardedHeaders must be remove in the next breaking version
+	for entryPointName := range globalConfiguration.EntryPoints {
+		entryPoint := globalConfiguration.EntryPoints[entryPointName]
+		if entryPoint.ForwardedHeaders == nil {
+			entryPoint.ForwardedHeaders = &configuration.ForwardedHeaders{Insecure: true}
+		}
+	}
+
 	// logging
 	level, err := logrus.ParseLevel(strings.ToLower(globalConfiguration.LogLevel))
 	if err != nil {
@@ -291,16 +312,7 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 	log.Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
 
 	if globalConfiguration.CheckNewVersion {
-		ticker := time.NewTicker(24 * time.Hour)
-		safe.Go(func() {
-			version.CheckNewVersion()
-			for {
-				select {
-				case <-ticker.C:
-					version.CheckNewVersion()
-				}
-			}
-		})
+		checkNewVersion()
 	}
 
 	log.Debugf("Global configuration loaded %s", string(jsonConf))
@@ -366,3 +378,17 @@ func CreateKvSource(traefikConfiguration *TraefikConfiguration) (*staert.KvSourc
 	}
 	return kv, err
 }
+
+func checkNewVersion() {
+	ticker := time.NewTicker(24 * time.Hour)
+	safe.Go(func() {
+		time.Sleep(10 * time.Minute)
+		version.CheckNewVersion()
+		for {
+			select {
+			case <-ticker.C:
+				version.CheckNewVersion()
+			}
+		}
+	})
+}

configuration/configuration.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"regexp"
 	"strings"
 	"time"
 
 	"github.com/containous/flaeg"
 	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider/boltdb"
 	"github.com/containous/traefik/provider/consul"
 	"github.com/containous/traefik/provider/docker"
@@ -42,42 +42,42 @@ const (
 // GlobalConfiguration holds global configuration (with providers, etc.).
 // It's populated from the traefik configuration file passed as an argument to the binary.
 type GlobalConfiguration struct {
-	GraceTimeOut              flaeg.Duration          `short:"g" description:"Duration to give active requests a chance to finish before Traefik stops"`
-	Debug                     bool                    `short:"d" description:"Enable debug mode"`
-	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released"`
-	AccessLogsFile            string                  `description:"(Deprecated) Access logs file"` // Deprecated
-	AccessLog                 *types.AccessLog        `description:"Access log settings"`
-	TraefikLogsFile           string                  `description:"Traefik logs file. Stdout is used when omitted or empty"`
-	LogLevel                  string                  `short:"l" description:"Log level"`
-	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'"`
-	Cluster                   *types.Cluster          `description:"Enable clustering"`
-	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags"`
-	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL"`
-	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint"`
-	ProvidersThrottleDuration flaeg.Duration          `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time."`
-	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used"`
-	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself."` // Deprecated
-	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification"`
-	RootCAs                   RootCAs                 `description:"Add cert file for self-signed certicate"`
-	Retry                     *Retry                  `description:"Enable retry sending request if network error"`
-	HealthCheck               *HealthCheckConfig      `description:"Health check parameters"`
-	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance"`
-	ForwardingTimeouts        *ForwardingTimeouts     `description:"Timeouts for requests forwarded to the backend servers"`
-	Docker                    *docker.Provider        `description:"Enable Docker backend with default settings"`
-	File                      *file.Provider          `description:"Enable File backend with default settings"`
-	Web                       *web.Provider           `description:"Enable Web backend with default settings"`
-	Marathon                  *marathon.Provider      `description:"Enable Marathon backend with default settings"`
-	Consul                    *consul.Provider        `description:"Enable Consul backend with default settings"`
-	ConsulCatalog             *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings"`
-	Etcd                      *etcd.Provider          `description:"Enable Etcd backend with default settings"`
-	Zookeeper                 *zk.Provider            `description:"Enable Zookeeper backend with default settings"`
-	Boltdb                    *boltdb.Provider        `description:"Enable Boltdb backend with default settings"`
-	Kubernetes                *kubernetes.Provider    `description:"Enable Kubernetes backend with default settings"`
-	Mesos                     *mesos.Provider         `description:"Enable Mesos backend with default settings"`
-	Eureka                    *eureka.Provider        `description:"Enable Eureka backend with default settings"`
-	ECS                       *ecs.Provider           `description:"Enable ECS backend with default settings"`
-	Rancher                   *rancher.Provider       `description:"Enable Rancher backend with default settings"`
-	DynamoDB                  *dynamodb.Provider      `description:"Enable DynamoDB backend with default settings"`
+	GraceTimeOut              flaeg.Duration          `short:"g" description:"Duration to give active requests a chance to finish before Traefik stops" export:"true"`
+	Debug                     bool                    `short:"d" description:"Enable debug mode" export:"true"`
+	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released" export:"true"`
+	AccessLogsFile            string                  `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
+	AccessLog                 *types.AccessLog        `description:"Access log settings" export:"true"`
+	TraefikLogsFile           string                  `description:"Traefik logs file. Stdout is used when omitted or empty" export:"true"`
+	LogLevel                  string                  `short:"l" description:"Log level" export:"true"`
+	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
+	Cluster                   *types.Cluster          `description:"Enable clustering" export:"true"`
+	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags" export:"true"`
+	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL" export:"true"`
+	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint" export:"true"`
+	ProvidersThrottleDuration flaeg.Duration          `description:"Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time." export:"true"`
+	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used" export:"true"`
+	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself." export:"true"` // Deprecated
+	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification" export:"true"`
+	RootCAs                   RootCAs                 `description:"Add cert file for self-signed certificate"`
+	Retry                     *Retry                  `description:"Enable retry sending request if network error" export:"true"`
+	HealthCheck               *HealthCheckConfig      `description:"Health check parameters" export:"true"`
+	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance" export:"true"`
+	ForwardingTimeouts        *ForwardingTimeouts     `description:"Timeouts for requests forwarded to the backend servers" export:"true"`
+	Docker                    *docker.Provider        `description:"Enable Docker backend with default settings" export:"true"`
+	File                      *file.Provider          `description:"Enable File backend with default settings" export:"true"`
+	Web                       *web.Provider           `description:"Enable Web backend with default settings" export:"true"`
+	Marathon                  *marathon.Provider      `description:"Enable Marathon backend with default settings" export:"true"`
+	Consul                    *consul.Provider        `description:"Enable Consul backend with default settings" export:"true"`
+	ConsulCatalog             *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings" export:"true"`
+	Etcd                      *etcd.Provider          `description:"Enable Etcd backend with default settings" export:"true"`
+	Zookeeper                 *zk.Provider            `description:"Enable Zookeeper backend with default settings" export:"true"`
+	Boltdb                    *boltdb.Provider        `description:"Enable Boltdb backend with default settings" export:"true"`
+	Kubernetes                *kubernetes.Provider    `description:"Enable Kubernetes backend with default settings" export:"true"`
+	Mesos                     *mesos.Provider         `description:"Enable Mesos backend with default settings" export:"true"`
+	Eureka                    *eureka.Provider        `description:"Enable Eureka backend with default settings" export:"true"`
+	ECS                       *ecs.Provider           `description:"Enable ECS backend with default settings" export:"true"`
+	Rancher                   *rancher.Provider       `description:"Enable Rancher backend with default settings" export:"true"`
+	DynamoDB                  *dynamodb.Provider      `description:"Enable DynamoDB backend with default settings" export:"true"`
 }
 
 // DefaultEntryPoints holds default entry points
@@ -193,72 +193,101 @@ func (ep *EntryPoints) String() string {
 // Set's argument is a string to be parsed to set the flag.
 // It's a comma-separated list, so we split it.
 func (ep *EntryPoints) Set(value string) error {
-	result, err := parseEntryPointsConfiguration(value)
-	if err != nil {
-		return err
-	}
+	result := parseEntryPointsConfiguration(value)
 
 	var configTLS *TLS
-	if len(result["TLS"]) > 0 {
+	if len(result["tls"]) > 0 {
 		certs := Certificates{}
-		if err := certs.Set(result["TLS"]); err != nil {
+		if err := certs.Set(result["tls"]); err != nil {
 			return err
 		}
 		configTLS = &TLS{
 			Certificates: certs,
 		}
-	} else if len(result["TLSACME"]) > 0 {
+	} else if len(result["tls_acme"]) > 0 {
 		configTLS = &TLS{
 			Certificates: Certificates{},
 		}
 	}
-	if len(result["CA"]) > 0 {
-		files := strings.Split(result["CA"], ",")
+	if len(result["ca"]) > 0 {
+		files := strings.Split(result["ca"], ",")
 		configTLS.ClientCAFiles = files
 	}
 	var redirect *Redirect
-	if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 {
+	if len(result["redirect_entrypoint"]) > 0 || len(result["redirect_regex"]) > 0 || len(result["redirect_replacement"]) > 0 {
 		redirect = &Redirect{
-			EntryPoint:  result["RedirectEntryPoint"],
-			Regex:       result["RedirectRegex"],
-			Replacement: result["RedirectReplacement"],
+			EntryPoint:  result["redirect_entrypoint"],
+			Regex:       result["redirect_regex"],
+			Replacement: result["redirect_replacement"],
 		}
 	}
 
 	whiteListSourceRange := []string{}
-	if len(result["WhiteListSourceRange"]) > 0 {
-		whiteListSourceRange = strings.Split(result["WhiteListSourceRange"], ",")
+	if len(result["whitelistsourcerange"]) > 0 {
+		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
 	}
 
-	compress := toBool(result, "Compress")
-	proxyProtocol := toBool(result, "ProxyProtocol")
+	compress := toBool(result, "compress")
 
-	(*ep)[result["Name"]] = &EntryPoint{
-		Address:              result["Address"],
+	var proxyProtocol *ProxyProtocol
+	ppTrustedIPs := result["proxyprotocol_trustedips"]
+	if len(result["proxyprotocol_insecure"]) > 0 || len(ppTrustedIPs) > 0 {
+		proxyProtocol = &ProxyProtocol{
+			Insecure: toBool(result, "proxyprotocol_insecure"),
+		}
+		if len(ppTrustedIPs) > 0 {
+			proxyProtocol.TrustedIPs = strings.Split(ppTrustedIPs, ",")
+		}
+	}
+
+	// TODO must be changed to false by default in the next breaking version.
+	forwardedHeaders := &ForwardedHeaders{Insecure: true}
+	if _, ok := result["forwardedheaders_insecure"]; ok {
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+	}
+
+	fhTrustedIPs := result["forwardedheaders_trustedips"]
+	if len(fhTrustedIPs) > 0 {
+		// TODO must be removed in the next breaking version.
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+		forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
+	}
+
+	if proxyProtocol != nil && proxyProtocol.Insecure {
+		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
+	}
+
+	(*ep)[result["name"]] = &EntryPoint{
+		Address:              result["address"],
 		TLS:                  configTLS,
 		Redirect:             redirect,
 		Compress:             compress,
 		WhitelistSourceRange: whiteListSourceRange,
 		ProxyProtocol:        proxyProtocol,
+		ForwardedHeaders:     forwardedHeaders,
 	}
 
 	return nil
 }
 
-func parseEntryPointsConfiguration(value string) (map[string]string, error) {
-	regex := regexp.MustCompile(`(?:Name:(?P<Name>\S*))\s*(?:Address:(?P<Address>\S*))?\s*(?:TLS:(?P<TLS>\S*))?\s*(?P<TLSACME>TLS)?\s*(?:CA:(?P<CA>\S*))?\s*(?:Redirect\.EntryPoint:(?P<RedirectEntryPoint>\S*))?\s*(?:Redirect\.Regex:(?P<RedirectRegex>\S*))?\s*(?:Redirect\.Replacement:(?P<RedirectReplacement>\S*))?\s*(?:Compress:(?P<Compress>\S*))?\s*(?:WhiteListSourceRange:(?P<WhiteListSourceRange>\S*))?\s*(?:ProxyProtocol:(?P<ProxyProtocol>\S*))?`)
-	match := regex.FindAllStringSubmatch(value, -1)
-	if match == nil {
-		return nil, fmt.Errorf("bad EntryPoints format: %s", value)
-	}
-	matchResult := match[0]
-	result := make(map[string]string)
-	for i, name := range regex.SubexpNames() {
-		if i != 0 && len(matchResult[i]) != 0 {
-			result[name] = matchResult[i]
+func parseEntryPointsConfiguration(raw string) map[string]string {
+	sections := strings.Fields(raw)
+
+	config := make(map[string]string)
+	for _, part := range sections {
+		field := strings.SplitN(part, ":", 2)
+		name := strings.ToLower(strings.Replace(field[0], ".", "_", -1))
+		if len(field) > 1 {
+			config[name] = field[1]
+		} else {
+			if strings.EqualFold(name, "TLS") {
+				config["tls_acme"] = "TLS"
+			} else {
+				config[name] = ""
+			}
 		}
 	}
-	return result, nil
+	return config
 }
 
 func toBool(conf map[string]string, key string) bool {
@@ -289,12 +318,13 @@ func (ep *EntryPoints) Type() string {
 type EntryPoint struct {
 	Network              string
 	Address              string
-	TLS                  *TLS
-	Redirect             *Redirect
-	Auth                 *types.Auth
+	TLS                  *TLS        `export:"true"`
+	Redirect             *Redirect   `export:"true"`
+	Auth                 *types.Auth `export:"true"`
 	WhitelistSourceRange []string
-	Compress             bool
-	ProxyProtocol        bool
+	Compress             bool              `export:"true"`
+	ProxyProtocol        *ProxyProtocol    `export:"true"`
+	ForwardedHeaders     *ForwardedHeaders `export:"true"`
 }
 
 // Redirect configures a redirection of an entry point to another, or to an URL
@@ -306,7 +336,7 @@ type Redirect struct {
 
 // TLS configures TLS for an entry point
 type TLS struct {
-	MinVersion    string
+	MinVersion    string `export:"true"`
 	CipherSuites  []string
 	Certificates  Certificates
 	ClientCAFiles []string
@@ -356,8 +386,6 @@ func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) {
 	config.Certificates = []tls.Certificate{}
 	certsSlice := []Certificate(*certs)
 	for _, v := range certsSlice {
-		cert := tls.Certificate{}
-
 		var err error
 
 		certContent, err := v.CertFile.Read()
@@ -370,7 +398,7 @@ func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) {
 			return nil, err
 		}
 
-		cert, err = tls.X509KeyPair(certContent, keyContent)
+		cert, err := tls.X509KeyPair(certContent, keyContent)
 		if err != nil {
 			return nil, err
 		}
@@ -425,23 +453,35 @@ type Certificate struct {
 
 // Retry contains request retry config
 type Retry struct {
-	Attempts int `description:"Number of attempts"`
+	Attempts int `description:"Number of attempts" export:"true"`
 }
 
 // HealthCheckConfig contains health check configuration parameters.
 type HealthCheckConfig struct {
-	Interval flaeg.Duration `description:"Default periodicity of enabled health checks"`
+	Interval flaeg.Duration `description:"Default periodicity of enabled health checks" export:"true"`
 }
 
 // RespondingTimeouts contains timeout configurations for incoming requests to the Traefik instance.
 type RespondingTimeouts struct {
-	ReadTimeout  flaeg.Duration `description:"ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set"`
-	WriteTimeout flaeg.Duration `description:"WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set"`
-	IdleTimeout  flaeg.Duration `description:"IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. Defaults to 180 seconds. If zero, no timeout is set"`
+	ReadTimeout  flaeg.Duration `description:"ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set" export:"true"`
+	WriteTimeout flaeg.Duration `description:"WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set" export:"true"`
+	IdleTimeout  flaeg.Duration `description:"IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. Defaults to 180 seconds. If zero, no timeout is set" export:"true"`
 }
 
 // ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers.
 type ForwardingTimeouts struct {
-	DialTimeout           flaeg.Duration `description:"The amount of time to wait until a connection to a backend server can be established. Defaults to 30 seconds. If zero, no timeout exists"`
-	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists"`
+	DialTimeout           flaeg.Duration `description:"The amount of time to wait until a connection to a backend server can be established. Defaults to 30 seconds. If zero, no timeout exists" export:"true"`
+	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists" export:"true"`
+}
+
+// ProxyProtocol contains Proxy-Protocol configuration
+type ProxyProtocol struct {
+	Insecure   bool
+	TrustedIPs []string
+}
+
+// ForwardedHeaders Trust client forwarding headers
+type ForwardedHeaders struct {
+	Insecure   bool
+	TrustedIPs []string
 }

configuration/configuration_test.go

@@ -1,7 +1,6 @@
 package configuration
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -16,44 +15,37 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 	}{
 		{
 			name:  "all parameters",
-			value: "Name:foo Address:bar TLS:goo TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:WhiteListSourceRange ProxyProtocol:true",
+			value: "Name:foo TLS:goo TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:WhiteListSourceRange ProxyProtocol.TrustedIPs:192.168.0.1 ProxyProtocol.Insecure:false Address::8000",
 			expectedResult: map[string]string{
-				"Name":                 "foo",
-				"Address":              "bar",
-				"CA":                   "car",
-				"TLS":                  "goo",
-				"TLSACME":              "TLS",
-				"RedirectEntryPoint":   "RedirectEntryPoint",
-				"RedirectRegex":        "RedirectRegex",
-				"RedirectReplacement":  "RedirectReplacement",
-				"WhiteListSourceRange": "WhiteListSourceRange",
-				"ProxyProtocol":        "true",
-				"Compress":             "true",
-			},
-		},
-		{
-			name:  "proxy protocol on",
-			value: "Name:foo ProxyProtocol:on",
-			expectedResult: map[string]string{
-				"Name":          "foo",
-				"ProxyProtocol": "on",
+				"name":                     "foo",
+				"address":                  ":8000",
+				"ca":                       "car",
+				"tls":                      "goo",
+				"tls_acme":                 "TLS",
+				"redirect_entrypoint":      "RedirectEntryPoint",
+				"redirect_regex":           "RedirectRegex",
+				"redirect_replacement":     "RedirectReplacement",
+				"whitelistsourcerange":     "WhiteListSourceRange",
+				"proxyprotocol_trustedips": "192.168.0.1",
+				"proxyprotocol_insecure":   "false",
+				"compress":                 "true",
 			},
 		},
 		{
 			name:  "compress on",
-			value: "Name:foo Compress:on",
+			value: "name:foo Compress:on",
 			expectedResult: map[string]string{
-				"Name":     "foo",
-				"Compress": "on",
+				"name":     "foo",
+				"compress": "on",
 			},
 		},
 		{
 			name:  "TLS",
 			value: "Name:foo TLS:goo TLS",
 			expectedResult: map[string]string{
-				"Name":    "foo",
-				"TLS":     "goo",
-				"TLSACME": "TLS",
+				"name":     "foo",
+				"tls":      "goo",
+				"tls_acme": "TLS",
 			},
 		},
 	}
@@ -63,14 +55,7 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			t.Parallel()
 
-			conf, err := parseEntryPointsConfiguration(test.value)
-			if err != nil {
-				t.Error(err)
-			}
-
-			for key, value := range conf {
-				fmt.Println(key, value)
-			}
+			conf := parseEntryPointsConfiguration(test.value)
 
 			assert.Len(t, conf, len(test.expectedResult))
 			assert.Equal(t, test.expectedResult, conf)
@@ -141,18 +126,23 @@ func TestEntryPoints_Set(t *testing.T) {
 		expectedEntryPoint     *EntryPoint
 	}{
 		{
-			name:                   "all parameters",
-			expression:             "Name:foo Address:bar TLS:goo,gii TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol:true",
+			name:                   "all parameters camelcase",
+			expression:             "Name:foo Address::8000 TLS:goo,gii TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol.TrustedIPs:192.168.0.1 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
 			expectedEntryPointName: "foo",
 			expectedEntryPoint: &EntryPoint{
-				Address: "bar",
+				Address: ":8000",
 				Redirect: &Redirect{
 					EntryPoint:  "RedirectEntryPoint",
 					Regex:       "RedirectRegex",
 					Replacement: "RedirectReplacement",
 				},
-				Compress:             true,
-				ProxyProtocol:        true,
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
 				WhitelistSourceRange: []string{"Range"},
 				TLS: &TLS{
 					ClientCAFiles: []string{"car"},
@@ -165,6 +155,106 @@ func TestEntryPoints_Set(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                   "all parameters lowercase",
+			expression:             "name:foo address::8000 tls:goo,gii tls ca:car redirect.entryPoint:RedirectEntryPoint redirect.regex:RedirectRegex redirect.replacement:RedirectReplacement compress:true whiteListSourceRange:Range proxyProtocol.trustedIPs:192.168.0.1 forwardedHeaders.trustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Address: ":8000",
+				Redirect: &Redirect{
+					EntryPoint:  "RedirectEntryPoint",
+					Regex:       "RedirectRegex",
+					Replacement: "RedirectReplacement",
+				},
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+				WhitelistSourceRange: []string{"Range"},
+				TLS: &TLS{
+					ClientCAFiles: []string{"car"},
+					Certificates: Certificates{
+						{
+							CertFile: FileOrContent("goo"),
+							KeyFile:  FileOrContent("gii"),
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                   "default",
+			expression:             "Name:foo",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure true",
+			expression:             "Name:foo ForwardedHeaders.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure false",
+			expression:             "Name:foo ForwardedHeaders.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: false},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders TrustedIPs",
+			expression:             "Name:foo ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure true",
+			expression:             "Name:foo ProxyProtocol.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:        &ProxyProtocol{Insecure: true},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure false",
+			expression:             "Name:foo ProxyProtocol.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:        &ProxyProtocol{},
+			},
+		},
+		{
+			name:                   "ProxyProtocol TrustedIPs",
+			expression:             "Name:foo ProxyProtocol.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
 		{
 			name:                   "compress on",
 			expression:             "Name:foo Compress:on",
@@ -172,6 +262,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPoint: &EntryPoint{
 				Compress:             true,
 				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
 			},
 		},
 		{
@@ -181,6 +272,7 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPoint: &EntryPoint{
 				Compress:             true,
 				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
 			},
 		},
 	}

docs/basics.md

@@ -346,12 +346,31 @@ For example:
 - Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip.
 - Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide.
 
+### Sticky sessions
+
 Sticky sessions are supported with both load balancers.  
-When sticky sessions are enabled, a cookie called `_TRAEFIK_BACKEND` is set on the initial request.
+When sticky sessions are enabled, a cookie is set on the initial request.
+The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy.
 If not, a new backend will be assigned.
 
-For example:
+
+```toml
+[backends]
+  [backends.backend1]
+    # Enable sticky session
+    [backends.backend1.loadbalancer.stickiness]
+
+    # Customize the cookie name
+    #
+    # Optional
+    # Default: a sha1 (6 chars)
+    #
+    #  cookieName = "my_cookie"
+```
+
+The deprecated way:
+
 ```toml
 [backends]
   [backends.backend1]
@@ -359,6 +378,8 @@ For example:
       sticky = true
 ```
 
+### Health Check
+
 A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `200 OK` to HTTP GET requests periodically carried out by Traefik.  
 The check is defined by a pathappended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
 Each backend must respond to the health check within 5 seconds.  

docs/configuration/acme.md

@@ -177,7 +177,7 @@ Enable on demand certificate.
 This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
 
 !!! warning
-    TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
+    TLS handshakes will be slow when requesting a hostname certificate for the first time, this can lead to DoS attacks.
     
 !!! warning
     Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits)

docs/configuration/backends/consul.md

@@ -117,17 +117,20 @@ To enable constraints see [backend-specific constraints section](/configuration/
 
 Additional settings can be defined using Consul Catalog tags.
 
-| Tag                                               | Description                                                                                                                                                                        |
-|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                   |
-| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                               |
-| `traefik.backend.weight=10`                       | Assign this weight to the container                                                                                                                                                |
-| `traefik.backend.circuitbreaker=EXPR`             | Create a [circuit breaker](/basics/#backends) to be used against the backend, ex: `NetworkErrorRatio() > 0.`                                                                       |
-| `traefik.backend.loadbalancer=drr`                | Override the default load balancing mode                                                                                                                                           |
-| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
-| `traefik.frontend.rule=Host:test.traefik.io`      | Override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}`).                                                                                                 |
-| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                       |
-| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                 |
-| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                   |
+| Tag                                                       | Description                                                                                                                                                                        |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.enable=false`                                    | Disable this container in Træfik                                                                                                                                                   |
+| `traefik.protocol=https`                                  | Override the default `http` protocol                                                                                                                                               |
+| `traefik.backend.weight=10`                               | Assign this weight to the container                                                                                                                                                |
+| `traefik.backend.circuitbreaker=EXPR`                     | Create a [circuit breaker](/basics/#backends) to be used against the backend, ex: `NetworkErrorRatio() > 0.`                                                                       |
+| `traefik.backend.maxconn.amount=10`                       | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.backend.maxconn.extractorfunc=client.ip`         | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
+| `traefik.frontend.rule=Host:test.traefik.io`              | Override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}`).                                                                                                 |
+| `traefik.frontend.passHostHeader=true`                    | Forward client `Host` header to the backend.                                                                                                                                       |
+| `traefik.frontend.priority=10`                            | Override default frontend priority                                                                                                                                                 |
+| `traefik.frontend.entryPoints=http,https`                 | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
+| `traefik.frontend.auth.basic=EXPR`                        | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                   |
+| `traefik.backend.loadbalancer=drr`                        | override the default `wrr` load balancer algorithm                                                                                                                                 |
+| `traefik.backend.loadbalancer.stickiness=true`            | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                                                                                                                   |
+| `traefik.backend.loadbalancer.sticky=true`                | enable backend sticky sessions (DEPRECATED)                                                                                                                                        |

docs/configuration/backends/docker.md

@@ -148,26 +148,28 @@ To enable constraints see [backend-specific constraints section](/configuration/
 
 Labels can be used on containers to override default behaviour.
 
-| Label                                             | Description                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.backend=foo`                             | Give the name `foo` to the generated backend for this container.                                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                                                                                                                                                                                                                                                                          |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.                                                                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.method=drr`         | Override the default `wrr` load balancer algorithm                                                                                                                                                                                                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.sticky=true`        | Enable backend sticky sessions                                                                                                                                                                                                                                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.swarm=true`         | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                                                                                                                                                                                                                           |
-| `traefik.backend.circuitbreaker.expression=EXPR`  | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                                                                                                                                                                                                                  |
-| `traefik.port=80`                                 | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                                                                                                                                                                                                                        |
-| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                                                                                                                                                                                                                                                                          |
-| `traefik.weight=10`                               | Assign this weight to the container                                                                                                                                                                                                                                                                                                                                                                                           |
-| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.frontend.rule=EXPR`                      | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                                                                                                                                                                                                                   |
-| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                                                                                                                                                                                                                                                                  |
-| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                                                                                                                                                                                                                                                            |
-| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                                                                                                                                                                                                                                       |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.frontend.whitelistSourceRange:RANGE`     | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.                                                                                                                                                                                                           |
-| `traefik.docker.network`                          | Set the docker network to use for connections to this container. If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them). For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name. |
+| Label                                                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                     |
+|-----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend=foo`                                     | Give the name `foo` to the generated backend for this container.                                                                                                                                                                                                                                                                                                                                                                |
+| `traefik.backend.maxconn.amount=10`                       | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                                                                                                                                                                                                                                                                            |
+| `traefik.backend.maxconn.extractorfunc=client.ip`         | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.                                                                                                                                                                                                                                              |
+| `traefik.backend.loadbalancer.method=drr`                 | Override the default `wrr` load balancer algorithm                                                                                                                                                                                                                                                                                                                                                                              |
+| `traefik.backend.loadbalancer.stickiness=true`            | Enable backend sticky sessions                                                                                                                                                                                                                                                                                                                                                                                                  |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                                                                                                                                                                                                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.sticky=true`                | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                                                                                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.swarm=true`                 | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                                                                                                                                                                                                                             |
+| `traefik.backend.circuitbreaker.expression=EXPR`          | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                                                                                                                                                                                                                    |
+| `traefik.port=80`                                         | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                                                                                                                                                                                                                          |
+| `traefik.protocol=https`                                  | Override the default `http` protocol                                                                                                                                                                                                                                                                                                                                                                                            |
+| `traefik.weight=10`                                       | Assign this weight to the container                                                                                                                                                                                                                                                                                                                                                                                             |
+| `traefik.enable=false`                                    | Disable this container in Træfik                                                                                                                                                                                                                                                                                                                                                                                                |
+| `traefik.frontend.rule=EXPR`                              | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                                                                                                                                                                                                                     |
+| `traefik.frontend.passHostHeader=true`                    | Forward client `Host` header to the backend.                                                                                                                                                                                                                                                                                                                                                                                    |
+| `traefik.frontend.priority=10`                            | Override default frontend priority                                                                                                                                                                                                                                                                                                                                                                                              |
+| `traefik.frontend.entryPoints=http,https`                 | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                                                                                                                                                                                                                                         |
+| `traefik.frontend.auth.basic=EXPR`                        | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                                                                                                                                                                                                                                |
+| `traefik.frontend.whitelistSourceRange:RANGE`             | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.                                                                                                                                                                                                             |
+| `traefik.docker.network`                                  | Set the docker network to use for connections to this container. If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them). For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name. |
 
 ### On Service
 

docs/configuration/backends/ecs.md

@@ -124,15 +124,17 @@ Træfik needs the following policy to read ECS information:
 
 Labels can be used on task containers to override default behaviour:
 
-| Label                                             | Description                                                                              |
-|---------------------------------------------------|------------------------------------------------------------------------------------------|
-| `traefik.protocol=https`                          | override the default `http` protocol                                                     |
-| `traefik.weight=10`                               | assign this weight to the container                                                      |
-| `traefik.enable=false`                            | disable this container in Træfik                                                         |
-| `traefik.backend.loadbalancer.method=drr`         | override the default `wrr` load balancer algorithm                                       |
-| `traefik.backend.loadbalancer.sticky=true`        | enable backend sticky sessions                                                           |
-| `traefik.frontend.rule=Host:test.traefik.io`      | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
-| `traefik.frontend.passHostHeader=true`            | forward client `Host` header to the backend.                                             |
-| `traefik.frontend.priority=10`                    | override default frontend priority                                                       |
-| `traefik.frontend.entryPoints=http,https`         | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`         |
+| Label                                                     | Description                                                                              |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                                  | override the default `http` protocol                                                     |
+| `traefik.weight=10`                                       | assign this weight to the container                                                      |
+| `traefik.enable=false`                                    | disable this container in Træfik                                                         |
+| `traefik.backend.loadbalancer.method=drr`                 | override the default `wrr` load balancer algorithm                                       |
+| `traefik.backend.loadbalancer.stickiness=true`            | enable backend sticky sessions                                                           |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                         |
+| `traefik.backend.loadbalancer.sticky=true`                | enable backend sticky sessions (DEPRECATED)                                              |
+| `traefik.frontend.rule=Host:test.traefik.io`              | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
+| `traefik.frontend.passHostHeader=true`                    | forward client `Host` header to the backend.                                             |
+| `traefik.frontend.priority=10`                            | override default frontend priority                                                       |
+| `traefik.frontend.entryPoints=http,https`                 | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
+| `traefik.frontend.auth.basic=EXPR`                        | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`         |

docs/configuration/backends/kubernetes.md

@@ -86,15 +86,19 @@ Annotations can be used on containers to override default behaviour for the whol
 
 - `traefik.frontend.rule.type: PathPrefixStrip`  
     Override the default frontend rule type. Default: `PathPrefix`.
-- `traefik.frontend.priority: 3`  
+- `traefik.frontend.priority: "3"`
     Override the default frontend rule priority.
 
 Annotations can be used on the Kubernetes service to override default behaviour:
 
 - `traefik.backend.loadbalancer.method=drr`  
     Override the default `wrr` load balancer algorithm
-- `traefik.backend.loadbalancer.sticky=true`      
+- `traefik.backend.loadbalancer.stickiness=true`      
     Enable backend sticky sessions
+- `traefik.backend.loadbalancer.stickiness.cookieName=NAME`      
+    Manually set the cookie name for sticky sessions
+- `traefik.backend.loadbalancer.sticky=true`      
+    Enable backend sticky sessions (DEPRECATED)
 
 You can find here an example [ingress](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml) and [replication controller](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik.yaml).
 

docs/configuration/backends/marathon.md

@@ -153,7 +153,9 @@ Labels can be used on containers to override default behaviour:
 | `traefik.backend.maxconn.amount=10`                                   | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
 | `traefik.backend.maxconn.extractorfunc=client.ip`                     | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
 | `traefik.backend.loadbalancer.method=drr`                             | override the default `wrr` load balancer algorithm                                                                                                                                 |
-| `traefik.backend.loadbalancer.sticky=true`                            | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.loadbalancer.sticky=true`                            | enable backend sticky sessions (DEPRECATED)                                                                                                                                        |
+| `traefik.backend.loadbalancer.stickiness=true`                        | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`             | Manually set the cookie name for sticky sessions                                                                                                                                   |
 | `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                       |
 | `traefik.backend.healthcheck.path=/health`                            | set the Traefik health check path [default: no health checks]                                                                                                                      |
 | `traefik.backend.healthcheck.interval=5s`                             | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s]                                                                                   |

docs/configuration/backends/rancher.md

@@ -114,13 +114,18 @@ secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 
 Labels can be used on task containers to override default behaviour:
 
-| Label                                        | Description                                                                              |
-|----------------------------------------------|------------------------------------------------------------------------------------------|
-| `traefik.protocol=https`                     | override the default `http` protocol                                                     |
-| `traefik.weight=10`                          | assign this weight to the container                                                      |
-| `traefik.enable=false`                       | disable this container in Træfik                                                         |
-| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
-| `traefik.frontend.passHostHeader=true`       | forward client `Host` header to the backend.                                             |
-| `traefik.frontend.priority=10`               | override default frontend priority                                                       |
-| `traefik.frontend.entryPoints=http,https`    | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
-| `traefik.frontend.auth.basic=EXPR`           | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.        |
+| Label                                                                 | Description                                                                              |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                                              | Override the default `http` protocol                                                     |
+| `traefik.weight=10`                                                   | Assign this weight to the container                                                      |
+| `traefik.enable=false`                                                | Disable this container in Træfik                                                         |
+| `traefik.frontend.rule=Host:test.traefik.io`                          | Override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
+| `traefik.frontend.passHostHeader=true`                                | Forward client `Host` header to the backend.                                             |
+| `traefik.frontend.priority=10`                                        | Override default frontend priority                                                       |
+| `traefik.frontend.entryPoints=http,https`                             | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
+| `traefik.frontend.auth.basic=EXPR`                                    | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.        |
+| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | Create a [circuit breaker](/basics/#backends) to be used against the backend             |
+| `traefik.backend.loadbalancer.method=drr`                             | Override the default `wrr` load balancer algorithm                                       |
+| `traefik.backend.loadbalancer.stickiness=true`                        | Enable backend sticky sessions                                                           |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`             | Manually set the cookie name for sticky sessions                                         |
+| `traefik.backend.loadbalancer.sticky=true`                            | Enable backend sticky sessions (DEPRECATED)                                              |

docs/configuration/backends/web.md

@@ -29,7 +29,9 @@ address = ":8080"
 # Set REST API to read-only mode.
 #
 # Optional
-# readOnly = false
+# Default: false
+#
+readOnly = true
 ```
 
 ## Web UI

docs/configuration/entrypoints.md

@@ -171,6 +171,12 @@ To enable compression support using gzip format.
   compress = true
 ```
 
+Responses are compressed when:
+
+* The response body is larger than `512` bytes
+* And the `Accept-Encoding` request header contains `gzip`
+* And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+
 ## Whitelisting
 
 To enable IP whitelisting at the entrypoint level.
@@ -179,16 +185,55 @@ To enable IP whitelisting at the entrypoint level.
 [entryPoints]
   [entryPoints.http]
   address = ":80"
-  whiteListSourceRange = ["127.0.0.1/32"]
+  whiteListSourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```
 
-## ProxyProtocol Support
+## ProxyProtocol
 
 To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
+Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).
+
+!!! danger
+    When queuing Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
+    Otherwise, it could introduce a security risk in your system by forging requests. 
 
 ```toml
 [entryPoints]
   [entryPoints.http]
-  address = ":80"
-  proxyprotocol = true
+    address = ":80"
+
+    # Enable ProxyProtocol
+    [entryPoints.http.proxyProtocol]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+
+      # Insecure mode FOR TESTING ENVIRONNEMENT ONLY
+      #
+      # Optional
+      # Default: false
+      #
+      # insecure = true
+```
+
+## Forwarded Header
+
+Only IPs in `trustedIPs` will be authorize to trust the client forwarded headers (`X-Forwarded-*`).
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    # Enable Forwarded Headers
+    [entryPoints.http.forwardedHeaders]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

docs/user-guide/docker-and-lets-encrypt.md

@@ -74,7 +74,7 @@ Also, we're making sure the container is automatically restarted by the Docker e
 We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.  
 Finally, we're giving this container a static name called `traefik`.
 
-Let's take a look at a simply `traefik.toml` configuration as well before we'll create the Traefik container:
+Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Traefik container:
 
 ```toml
 debug = false

docs/user-guide/grpc.md

@@ -3,7 +3,7 @@
 This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.
 
 !!! warning
-    As gRPC needs HTTP2, we need valid HTTPS certificates on both gRPC Server and Træfik.
+    As gRPC needs HTTP2, we need HTTPS certificates on both gRPC Server and Træfik.
 
 <p align="center">
 <img src="/img/grpc.svg" alt="gRPC architecture" title="gRPC architecture" />
@@ -14,7 +14,7 @@ This section explains how to use Traefik as reverse proxy for gRPC application w
 In order to secure the gRPC server, we generate a self-signed certificate for backend url:
 
 ```bash
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.crt
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./backend.key -out ./backend.cert
 ```
 
 That will prompt for information, the important answer is:
@@ -28,7 +28,7 @@ Common Name (e.g. server FQDN or YOUR name) []: backend.local
 Generate your self-signed certificate for frontend url:
 
 ```bash
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.crt
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./frontend.key -out ./frontend.cert
 ```
 
 with
@@ -76,9 +76,12 @@ RootCAs = [ "./backend.cert" ]
     rule = "Host:frontend.local"
 ```
 
+!!! warning
+    With some backends, the server URLs use the IP, so you may need to configure `InsecureSkipVerify` instead of the `RootCAS` to activate HTTPS without hostname verification.
+
 ## Conclusion
 
-We don't need specific configuration to use gRPC in Træfik, we just need to be careful that all the exchanges (between client and Træfik, and between Træfik and backend) are valid HTTPS communications (without `InsecureSkipVerify` enabled) because gRPC use HTTP2.
+We don't need specific configuration to use gRPC in Træfik, we just need to be careful that all the exchanges (between client and Træfik, and between Træfik and backend) are HTTPS communications because gRPC uses HTTP2.
 
 ## A gRPC example in go
 
@@ -93,13 +96,13 @@ So we modify the "gRPC server example" to use our own self-signed certificate:
 // ...
 
 // Read cert and key file
-BackendCert := ioutil.ReadFile("./backend.cert")
-BackendKey := ioutil.ReadFile("./backend.key")
+BackendCert, _ := ioutil.ReadFile("./backend.cert")
+BackendKey, _ := ioutil.ReadFile("./backend.key")
 
 // Generate Certificate struct
 cert, err := tls.X509KeyPair(BackendCert, BackendKey)
 if err != nil {
-  return err
+  log.Fatalf("failed to parse certificate: %v", err)
 }
 
 // Create credentials
@@ -110,7 +113,7 @@ serverOption := grpc.Creds(creds)
 var s *grpc.Server = grpc.NewServer(serverOption)
 defer s.Stop()
 
-helloworld.RegisterGreeterServer(s, &myserver{})
+pb.RegisterGreeterServer(s, &server{})
 err := s.Serve(lis)
 
 // ...
@@ -122,7 +125,7 @@ Next we will modify gRPC Client to use our Træfik self-signed certificate:
 // ...
 
 // Read cert file
-FrontendCert := ioutil.ReadFile("./frontend.cert")
+FrontendCert, _ := ioutil.ReadFile("./frontend.cert")
 
 // Create CertPool
 roots := x509.NewCertPool()
@@ -132,16 +135,16 @@ roots.AppendCertsFromPEM(FrontendCert)
 credsClient := credentials.NewClientTLSFromCert(roots, "")
 
 // Dial with specific Transport (with credentials)
-conn, err := grpc.Dial("https://frontend:4443", grpc.WithTransportCredentials(credsClient))
+conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient))
 if err != nil {
-  return err
+    log.Fatalf("did not connect: %v", err)
 }
 
 defer conn.Close()
-client := helloworld.NewGreeterClient(conn)
+client := pb.NewGreeterClient(conn)
 
 name := "World"
-r, err := client.SayHello(context.Background(), &helloworld.HelloRequest{Name: name})
+r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})
 
 // ...
 ```

docs/user-guide/kubernetes.md

@@ -32,7 +32,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - pods
       - services
       - endpoints
       - secrets
@@ -591,7 +590,7 @@ kind: Ingress
 metadata:
   name: wildcard-cheeses
   annotations:
-    traefik.frontend.priority: 1
+    traefik.frontend.priority: "1"
 spec:
   rules:
   - host: *.minikube
@@ -606,7 +605,7 @@ kind: Ingress
 metadata:
   name: specific-cheeses
   annotations:
-    traefik.frontend.priority: 2
+    traefik.frontend.priority: "2"
 spec:
   rules:
   - host: specific.minikube
@@ -618,6 +617,7 @@ spec:
           servicePort: http
 ```
 
+Note that priority values must be quoted to avoid them being interpreted as numbers (which are illegal for annotations).
 
 ## Forwarding to ExternalNames
 
@@ -687,13 +687,23 @@ If you were to visit `example.com/static` the request would then be passed onto
     So you could set `disablePassHostHeaders` to `true` in your toml file and then enable passing
     the host header per ingress if you wanted.
 
-## Excluding an ingress from Træfik
+## Partitioning the Ingress object space
 
-You can control which ingress Træfik cares about by using the `kubernetes.io/ingress.class` annotation.
+By default, Træfik processes every Ingress objects it observes. At times, however, it may be desirable to ignore certain objects. The following sub-sections describe common use cases and how they can be handled with Træfik.
 
-By default if the annotation is not set at all Træfik will include the ingress.
-If the annotation is set to anything other than traefik or a blank string Træfik will ignore it.
+### Between Træfik and other Ingress controller implementations
 
+Sometimes Træfik runs along other Ingress controller implementations. One such example is when both Træfik and a cloud provider Ingress controller are active.
+
+The `kubernetes.io/ingress.class` annotation can be attached to any Ingress object in order to control whether Træfik should handle it.
+
+If the annotation is missing, contains an empty value, or the value `traefik`, then the Træfik controller will take responsibility and process the associated Ingress object. If the annotation contains any other value (usually the name of a different Ingress controller), Træfik will ignore the object.
+
+### Between multiple Træfik Deployments
+
+Sometimes multiple Træfik Deployments are supposed to run concurrently. For instance, it is conceivable to have one Deployment deal with internal and another one with external traffic.
+
+For such cases, it is advisable to classify Ingress objects through a label and configure the `labelSelector` option per each Træfik Deployment accordingly. To stick with the internal/external example above, all Ingress objects meant for internal traffic could receive a `traffic-type: internal` label while objects designated for external traffic receive a `traffic-type: external` label. The label selectors on the Træfik Deployments would then be `traffic-type=internal` and `traffic-type=external`, respectively.
 
 ## Production advice
 

docs/user-guide/kv-config.md

@@ -20,7 +20,7 @@ We will see the steps to set it up with an easy example.
 
 ### docker-compose file for Consul
 
-The Træfik global configuration will be getted from a [Consul](https://consul.io) store.
+The Træfik global configuration will be retrieved from a [Consul](https://consul.io) store.
 
 First we have to launch Consul in a container.
 

docs/user-guide/swarm-mode.md

@@ -7,14 +7,15 @@ The cluster consists of:
 - 3 servers
 - 1 manager
 - 2 workers
-- 1 [overlay](https://docs.docker.com/engine/userguide/networking/dockernetworks/#an-overlay-network) network
-(multi-host networking)
+- 1 [overlay](https://docs.docker.com/engine/userguide/networking/dockernetworks/#an-overlay-network) network (multi-host networking)
+
 
 ## Prerequisites
 
 1. You will need to install [docker-machine](https://docs.docker.com/machine/)
 2. You will need the latest [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
 
+
 ## Cluster provisioning
 
 First, let's create all the required nodes.
@@ -26,7 +27,7 @@ docker-machine create -d virtualbox worker1
 docker-machine create -d virtualbox worker2
 ```
 
-Then, let's setup the cluster, in order :
+Then, let's setup the cluster, in order:
 
 1. initialize the cluster
 1. get the token for other host to join
@@ -60,9 +61,9 @@ docker-machine ssh manager docker node ls
 ```
 ```
 ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
-2a770ov9vixeadep674265u1n    worker1   Ready   Active
-dbi3or4q8ii8elbws70g4hkdh *  manager   Ready   Active        Leader
-esbhhy6vnqv90xomjaomdgy46    worker2   Ready   Active
+013v16l1sbuwjqcn7ucbu4jwt    worker1   Ready   Active
+8buzkquycd17jqjber0mo2gn8    worker2   Ready   Active
+fnpj8ozfc85zvahx2r540xfcf *  manager   Ready   Active        Leader
 ```
 
 Finally, let's create a network for Træfik to use.
@@ -71,11 +72,11 @@ Finally, let's create a network for Træfik to use.
 docker-machine ssh manager "docker network create --driver=overlay traefik-net"
 ```
 
+
 ## Deploy Træfik
 
 Let's deploy Træfik as a docker service in our cluster.
-The only requirement for Træfik to work with swarm mode is that it needs to run on a manager node — we are going to use a
-[constraint](https://docs.docker.com/engine/reference/commandline/service_create/#/specify-service-constraints-constraint) for that.
+The only requirement for Træfik to work with swarm mode is that it needs to run on a manager node - we are going to use a [constraint](https://docs.docker.com/engine/reference/commandline/service_create/#/specify-service-constraints-constraint) for that.
 
 ```shell
 docker-machine ssh manager "docker service create \
@@ -103,6 +104,7 @@ Let's explain this command:
 | `--docker`                                                                  | enable docker backend, and `--docker.swarmmode` to enable the swarm mode on Træfik.            |
 | `--web`                                                                     | activate the webUI on port 8080                                                                |
 
+
 ## Deploy your apps
 
 We can now deploy our app on the cluster, here [whoami](https://github.com/emilevauge/whoami), a simple web server in Go.
@@ -124,7 +126,7 @@ docker-machine ssh manager "docker service create \
 ```
 
 !!! note
-    We set whoami1 to use sticky sessions (`--label traefik.backend.loadbalancer.sticky=true`).  
+    We set `whoami1` to use sticky sessions (`--label traefik.backend.loadbalancer.stickiness=true`).
     We'll demonstrate that later.
 
 !!! note
@@ -136,55 +138,52 @@ Check that everything is scheduled and started:
 docker-machine ssh manager "docker service ls"
 ```
 ```
-ID            NAME     REPLICAS  IMAGE              COMMAND
-ab046gpaqtln  whoami0  1/1       emilevauge/whoami
-cgfg5ifzrpgm  whoami1  1/1       emilevauge/whoami
-dtpl249tfghc  traefik  1/1       traefik            --docker --docker.swarmmode --docker.domain=traefik --docker.watch --web
+ID            NAME     MODE        REPLICAS  IMAGE                     PORTS
+moq3dq4xqv6t  traefik  replicated  1/1       traefik:latest            *:80->80/tcp,*:8080->8080/tcp
+ysil6oto1wim  whoami0  replicated  1/1       emilevauge/whoami:latest
+z9re2mnl34k4  whoami1  replicated  1/1       emilevauge/whoami:latest
 ```
 
+
 ## Access to your apps through Træfik
 
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
 ```
 ```yaml
-Hostname: 8147a7746e7a
+Hostname: 5b0b3d148359
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.3
-IP: fe80::42:aff:fe00:903
-IP: 172.18.0.3
-IP: fe80::42:acff:fe12:3
+IP: 10.0.0.8
+IP: 10.0.0.4
+IP: 172.18.0.5
 GET / HTTP/1.1
-Host: 10.0.9.3:80
-User-Agent: curl/7.35.0
+Host: whoami0.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.3:80
+X-Forwarded-For: 10.255.0.2
+X-Forwarded-Host: whoami0.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 ```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip manager)
 ```
 ```yaml
-Hostname: ba2c21488299
+Hostname: 3633163970f6
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.4
-IP: fe80::42:aff:fe00:904
-IP: 172.18.0.2
-IP: fe80::42:acff:fe12:2
+IP: 10.0.0.14
+IP: 10.0.0.6
+IP: 172.18.0.5
 GET / HTTP/1.1
-Host: 10.0.9.4:80
-User-Agent: curl/7.35.0
+Host: whoami1.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.4:80
+X-Forwarded-For: 10.255.0.2
+X-Forwarded-Host: whoami1.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 
 !!! note
@@ -194,43 +193,39 @@ X-Forwarded-Server: 8fbc39271b4c
 curl -H Host:whoami0.traefik http://$(docker-machine ip worker1)
 ```
 ```yaml
-Hostname: 8147a7746e7a
+Hostname: 5b0b3d148359
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.3
-IP: fe80::42:aff:fe00:903
-IP: 172.18.0.3
-IP: fe80::42:acff:fe12:3
+IP: 10.0.0.8
+IP: 10.0.0.4
+IP: 172.18.0.5
 GET / HTTP/1.1
-Host: 10.0.9.3:80
-User-Agent: curl/7.35.0
+Host: whoami0.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.3:80
+X-Forwarded-For: 10.255.0.3
+X-Forwarded-Host: whoami0.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 ```shell
 curl -H Host:whoami1.traefik http://$(docker-machine ip worker2)
 ```
 ```yaml
-Hostname: ba2c21488299
+Hostname: 3633163970f6
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.4
-IP: fe80::42:aff:fe00:904
-IP: 172.18.0.2
-IP: fe80::42:acff:fe12:2
+IP: 10.0.0.14
+IP: 10.0.0.6
+IP: 172.18.0.5
 GET / HTTP/1.1
-Host: 10.0.9.4:80
-User-Agent: curl/7.35.0
+Host: whoami1.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.4:80
+X-Forwarded-For: 10.255.0.4
+X-Forwarded-Host: whoami1.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 
 ## Scale both services
@@ -246,79 +241,93 @@ Check that we now have 5 replicas of each `whoami` service:
 docker-machine ssh manager "docker service ls"
 ```
 ```
-ID            NAME     REPLICAS  IMAGE              COMMAND
-ab046gpaqtln  whoami0  5/5       emilevauge/whoami
-cgfg5ifzrpgm  whoami1  5/5       emilevauge/whoami
-dtpl249tfghc  traefik  1/1       traefik            --docker --docker.swarmmode --docker.domain=traefik --docker.watch --web
+ID            NAME     MODE        REPLICAS  IMAGE                     PORTS
+moq3dq4xqv6t  traefik  replicated  1/1       traefik:latest            *:80->80/tcp,*:8080->8080/tcp
+ysil6oto1wim  whoami0  replicated  5/5       emilevauge/whoami:latest
+z9re2mnl34k4  whoami1  replicated  5/5       emilevauge/whoami:latest
 ```
-## Access to your whoami0 through Træfik multiple times.
+
+## Access to your `whoami0` through Træfik multiple times.
 
 Repeat the following command multiple times and note that the Hostname changes each time as Traefik load balances each request against the 5 tasks:
 
 ```shell
 curl -H Host:whoami0.traefik http://$(docker-machine ip manager)
 ```
-
 ```yaml
-Hostname: 8147a7746e7a
+Hostname: f3138d15b567
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.3
-IP: fe80::42:aff:fe00:903
+IP: 10.0.0.5
+IP: 10.0.0.4
 IP: 172.18.0.3
-IP: fe80::42:acff:fe12:3
 GET / HTTP/1.1
-Host: 10.0.9.3:80
-User-Agent: curl/7.35.0
+Host: whoami0.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.3:80
+X-Forwarded-For: 10.255.0.2
+X-Forwarded-Host: whoami0.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 
-Do the same against whoami1:
+Do the same against `whoami1`:
 
 ```shell
-curl -H Host:whoami1.traefik http://$(docker-machine ip manager)
+curl -c cookies.txt -H Host:whoami1.traefik http://$(docker-machine ip manager)
 ```
-
 ```yaml
-Hostname: ba2c21488299
+Hostname: 348e2f7bf432
 IP: 127.0.0.1
-IP: ::1
-IP: 10.0.9.4
-IP: fe80::42:aff:fe00:904
-IP: 172.18.0.2
-IP: fe80::42:acff:fe12:2
+IP: 10.0.0.15
+IP: 10.0.0.6
+IP: 172.18.0.6
 GET / HTTP/1.1
-Host: 10.0.9.4:80
-User-Agent: curl/7.35.0
+Host: whoami1.traefik
+User-Agent: curl/7.55.1
 Accept: */*
 Accept-Encoding: gzip
-X-Forwarded-For: 192.168.99.1
-X-Forwarded-Host: 10.0.9.4:80
+X-Forwarded-For: 10.255.0.2
+X-Forwarded-Host: whoami1.traefik
 X-Forwarded-Proto: http
-X-Forwarded-Server: 8fbc39271b4c
+X-Forwarded-Server: 77fc29c69fe4
 ```
 
-Wait, I thought we added the sticky flag to `whoami1`?  
-Traefik relies on a cookie to maintain stickyness so you'll need to test this with a browser.
-
-First you need to add `whoami1.traefik` to your hosts file:
+Because the sticky sessions require cookies to work, we used the `-c cookies.txt` option to store the cookie into a file.
+The cookie contains the IP of the container to which the session sticks:
 
 ```shell
-if [ -n "$(grep whoami1.traefik /etc/hosts)" ];
-then
-    echo "whoami1.traefik already exists (make sure the ip is current)";
-else
-    sudo -- sh -c -e "echo '$(docker-machine ip manager)\twhoami1.traefik' >> /etc/hosts";
-fi
+cat ./cookies.txt
+```
+```
+# Netscape HTTP Cookie File
+# https://curl.haxx.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+whoami1.traefik FALSE  /  FALSE  0  _TRAEFIK_BACKEND  http://10.0.0.15:80
 ```
 
-Now open your browser and go to http://whoami1.traefik/
+If you load the cookies file (`-b cookies.txt`) for the next request, you will see that stickiness is maintained:
 
-You will now see that stickyness is maintained.
+```shell
+curl -b cookies.txt -H Host:whoami1.traefik http://$(docker-machine ip manager)
+```
+```yaml
+Hostname: 348e2f7bf432
+IP: 127.0.0.1
+IP: 10.0.0.15
+IP: 10.0.0.6
+IP: 172.18.0.6
+GET / HTTP/1.1
+Host: whoami1.traefik
+User-Agent: curl/7.55.1
+Accept: */*
+Accept-Encoding: gzip
+Cookie: _TRAEFIK_BACKEND=http://10.0.0.15:80
+X-Forwarded-For: 10.255.0.2
+X-Forwarded-Host: whoami1.traefik
+X-Forwarded-Proto: http
+X-Forwarded-Server: 77fc29c69fe4
+```
 
 ![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

examples/k8s/traefik-rbac.yaml

@@ -7,7 +7,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - pods
       - services
       - endpoints
       - secrets

glide.lock

@@ -1,5 +1,5 @@
-hash: 123a0f00c37d07cd6d0583437b70092176e8d5c2445e127afef40acdc4e5aa32
-updated: 2017-09-18T11:52:16.848940186+02:00
+hash: d87c01b4b8f802c81e1f3ae34a09c7001dc392654703b53fe0e6722041183abc
+updated: 2017-09-30T18:32:16.848940186+02:00
 imports:
 - name: cloud.google.com/go
   version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
@@ -370,8 +370,12 @@ imports:
   version: f533f7a102197536779ea3a8cb881d639e21ec5a
 - name: github.com/miekg/dns
   version: 8060d9f51305bbe024b99679454e62f552cd0b0b
+- name: github.com/mitchellh/copystructure
+  version: d23ffcb85de31694d6ccaa23ccb4a03e55c1303f
 - name: github.com/mitchellh/mapstructure
   version: d0303fe809921458f417bcf828397a65db30a7e4
+- name: github.com/mitchellh/reflectwalk
+  version: 63d60e9d0dbc60cf9164e6510889b0db6683d98c
 - name: github.com/mvdan/xurls
   version: db96455566f05ffe42bd6ac671f05eeb1152b45d
 - name: github.com/Nvveen/Gotty
@@ -477,7 +481,7 @@ imports:
 - name: github.com/urfave/negroni
   version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
 - name: github.com/vulcand/oxy
-  version: 6c94d2888dba2b1a15a89b8a2ca515fc85e07477
+  version: c024a22700b56debed9a9c8dbb297210a7ece02d
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:

glide.yaml

@@ -12,7 +12,7 @@ import:
 - package: github.com/cenk/backoff
 - package: github.com/containous/flaeg
 - package: github.com/vulcand/oxy
-  version: 6c94d2888dba2b1a15a89b8a2ca515fc85e07477
+  version: c024a22700b56debed9a9c8dbb297210a7ece02d
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:
@@ -200,6 +200,7 @@ import:
   version: e039e20e500c2c025d9145be375e27cf42a94174
 - package: github.com/armon/go-proxyproto
   version: 48572f11356f1843b694f21a290d4f1006bc5e47
+- package: github.com/mitchellh/copystructure
 testImport:
 - package: github.com/stvp/go-udp-testing
 - package: github.com/docker/libcompose

integration/consul_catalog_test.go

@@ -24,19 +24,20 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 	s.composeProject.Start(c)
 
 	consul := s.composeProject.Container(c, "consul")
-
 	s.consulIP = consul.NetworkSettings.IPAddress
 	config := api.DefaultConfig()
 	config.Address = s.consulIP + ":8500"
-	consulClient, err := api.NewClient(config)
-	if err != nil {
-		c.Fatalf("Error creating consul client. %v", err)
-	}
-	s.consulClient = consulClient
+	s.createConsulClient(config, c)
 
 	// Wait for consul to elect itself leader
-	err = try.Do(3*time.Second, func() error {
-		leader, err := consulClient.Status().Leader()
+	err := s.waitToElectConsulLeader()
+	c.Assert(err, checker.IsNil)
+
+}
+
+func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
+	return try.Do(3*time.Second, func() error {
+		leader, err := s.consulClient.Status().Leader()
 
 		if err != nil || len(leader) == 0 {
 			return fmt.Errorf("Leader not found. %v", err)
@@ -44,7 +45,17 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 
 		return nil
 	})
-	c.Assert(err, checker.IsNil)
+}
+func (s *ConsulCatalogSuite) createConsulClient(config *api.Config, c *check.C) *api.Client {
+	consulClient, err := api.NewClient(config)
+	if err != nil {
+		c.Fatalf("Error creating consul client. %v", err)
+	}
+	s.consulClient = consulClient
+	return consulClient
+}
+func (s *ConsulCatalogSuite) startConsulService(c *check.C) {
+
 }
 
 func (s *ConsulCatalogSuite) registerService(name string, address string, port int, tags []string) error {
@@ -138,7 +149,6 @@ func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {
 
 	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
-	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
 
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
@@ -146,6 +156,11 @@ func (s *ConsulCatalogSuite) TestSingleService(c *check.C) {
 
 	err = try.Request(req, 10*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
 	c.Assert(err, checker.IsNil)
+
+	s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+	err = try.Request(req, 10*time.Second, try.StatusCodeIs(http.StatusNotFound), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
 }
 
 func (s *ConsulCatalogSuite) TestExposedByDefaultFalseSingleService(c *check.C) {
@@ -261,6 +276,7 @@ func (s *ConsulCatalogSuite) TestRefreshConfigWithMultipleNodeWithoutHealthCheck
 
 	err = s.registerAgentService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1"})
 	c.Assert(err, checker.IsNil, check.Commentf("Error registering agent service"))
+	defer s.deregisterAgentService(nginx.NetworkSettings.IPAddress)
 
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
@@ -327,3 +343,50 @@ func (s *ConsulCatalogSuite) TestBasicAuthSimpleService(c *check.C) {
 	err = try.Request(req, 5*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
 	c.Assert(err, checker.IsNil)
 }
+
+func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
+
+	//Scale consul to 0 to be able to start traefik before and test retry
+	s.composeProject.Scale(c, "consul", 0)
+
+	cmd, display := s.traefikCmd(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.watch=false",
+		"--consulCatalog.exposedByDefault=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	// Wait for Traefik to turn ready.
+	err = try.GetRequest("http://127.0.0.1:8000/", 2*time.Second, try.StatusCodeIs(http.StatusNotFound))
+	c.Assert(err, checker.IsNil)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	// Request should fail
+	err = try.Request(req, 2*time.Second, try.StatusCodeIs(http.StatusNotFound), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	// Scale consul to 1
+	s.composeProject.Scale(c, "consul", 1)
+	s.waitToElectConsulLeader()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	// Register service
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+
+	// Provider consul catalog should be present
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.BodyContains("consul_catalog"))
+	c.Assert(err, checker.IsNil)
+
+	// Should be ok
+	err = try.Request(req, 10*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}

integration/fixtures/access_log_config.toml

@@ -9,6 +9,8 @@ defaultEntryPoints = ["http"]
   [entryPoints.http]
   address = ":8000"
 
+checkNewVersion = false
+
 ################################################################
 # Web configuration backend
 ################################################################

integration/fixtures/grpc/config_insecure.toml

@@ -0,0 +1,29 @@
+defaultEntryPoints = ["https"]
+
+InsecureSkipVerify = true
+
+[entryPoints]
+  [entryPoints.https]
+  address = ":4443"
+    [entryPoints.https.tls]
+     [[entryPoints.https.tls.certificates]]
+     CertFile = """{{ .CertContent }}"""
+     KeyFile  = """{{ .KeyContent }}"""
+
+
+[web]
+  address = ":8080"
+
+[file]
+
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    url = "https://127.0.0.1:{{ .GRPCServerPort }}"
+
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:127.0.0.1"

integration/fixtures/log_rotation_config.toml

@@ -9,6 +9,8 @@ defaultEntryPoints = ["http"]
   [entryPoints.http]
   address = ":8000"
 
+checkNewVersion = false
+
 ################################################################
 # Web configuration backend
 ################################################################

integration/fixtures/traefik_log_config.toml

@@ -4,8 +4,10 @@
 traefikLogsFile = "traefik.log"
 accessLogsFile = "access.log"
 logLevel = "DEBUG"
-checkNewVersion = false
 defaultEntryPoints = ["http"]
+
+checkNewVersion = false
+
 [entryPoints]
   [entryPoints.http]
   address = ":8000"

integration/fixtures/websocket/config.toml

@@ -21,4 +21,4 @@ logLevel = "DEBUG"
   [frontends.frontend1]
   backend = "backend1"
     [frontends.frontend1.routes.test_1]
-    rule = "Path:/ws"
+    rule = "PathPrefix:/ws"

integration/grpc_test.go

@@ -113,3 +113,45 @@ func (s *GRPCSuite) TestGRPC(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(response, check.Equals, "Hello World")
 }
+
+func (s *GRPCSuite) TestGRPCInsecure(c *check.C) {
+	lis, err := net.Listen("tcp", ":0")
+	_, port, err := net.SplitHostPort(lis.Addr().String())
+	c.Assert(err, check.IsNil)
+
+	go func() {
+		err := startGRPCServer(lis)
+		c.Log(err)
+		c.Assert(err, check.IsNil)
+	}()
+
+	file := s.adaptFile(c, "fixtures/grpc/config_insecure.toml", struct {
+		CertContent    string
+		KeyContent     string
+		GRPCServerPort string
+	}{
+		CertContent:    string(LocalhostCert),
+		KeyContent:     string(LocalhostKey),
+		GRPCServerPort: port,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for Traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:127.0.0.1"))
+	c.Assert(err, check.IsNil)
+	var response string
+	err = try.Do(1*time.Second, func() error {
+		response, err = callHelloClientGRPC()
+		return err
+	})
+
+	c.Assert(err, check.IsNil)
+	c.Assert(response, check.Equals, "Hello World")
+}

integration/log_rotation_test.go

@@ -57,10 +57,19 @@ func (s *LogRotationSuite) TestAccessLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// Verify access.log.rotated output as expected
+	logAccessLogFile(c, traefikTestAccessLogFile+".rotated")
 	lineCount := verifyLogLines(c, traefikTestAccessLogFile+".rotated", 0, true)
 	c.Assert(lineCount, checker.GreaterOrEqualThan, 1)
 
+	// make sure that the access log file is at least created before we do assertions on it
+	err = try.Do(1*time.Second, func() error {
+		_, err := os.Stat(traefikTestAccessLogFile)
+		return err
+	})
+	c.Assert(err, checker.IsNil, check.Commentf("access log file was not created in time"))
+
 	// Verify access.log output as expected
+	logAccessLogFile(c, traefikTestAccessLogFile)
 	lineCount = verifyLogLines(c, traefikTestAccessLogFile, lineCount, true)
 	c.Assert(lineCount, checker.Equals, 3)
 
@@ -111,6 +120,12 @@ func (s *LogRotationSuite) TestTraefikLogRotation(c *check.C) {
 	c.Assert(lineCount, checker.GreaterOrEqualThan, 7)
 }
 
+func logAccessLogFile(c *check.C, fileName string) {
+	output, err := ioutil.ReadFile(fileName)
+	c.Assert(err, checker.IsNil)
+	c.Logf("Contents of file %s\n%s", fileName, string(output))
+}
+
 func verifyEmptyErrorLog(c *check.C, name string) {
 	err := try.Do(5*time.Second, func() error {
 		traefikLog, e2 := ioutil.ReadFile(name)
@@ -130,7 +145,6 @@ func verifyLogLines(c *check.C, fileName string, countInit int, accessLog bool)
 	count := countInit
 	for rotatedLog.Scan() {
 		line := rotatedLog.Text()
-		c.Log(line)
 		if accessLog {
 			if len(line) > 0 {
 				CheckAccessLogFormat(c, line, count)

integration/websocket_test.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -295,3 +296,148 @@ func (s *WebsocketSuite) TestSSLTermination(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	c.Assert(string(msg), checker.Equals, "OK")
 }
+
+func (s *WebsocketSuite) TestBasicAuth(c *check.C) {
+	var upgrader = gorillawebsocket.Upgrader{} // use default options
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		conn, err := upgrader.Upgrade(w, r, nil)
+
+		if err != nil {
+			return
+		}
+		defer conn.Close()
+
+		user, password, _ := r.BasicAuth()
+		c.Assert(user, check.Equals, "traefiker")
+		c.Assert(password, check.Equals, "secret")
+
+		for {
+			mt, message, err := conn.ReadMessage()
+			if err != nil {
+				break
+			}
+			err = conn.WriteMessage(mt, message)
+			if err != nil {
+				break
+			}
+		}
+	}))
+	file := s.adaptFile(c, "fixtures/websocket/config.toml", struct {
+		WebsocketServer string
+	}{
+		WebsocketServer: srv.URL,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file), "--debug")
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.BodyContains("127.0.0.1"))
+	c.Assert(err, checker.IsNil)
+
+	config, err := websocket.NewConfig("ws://127.0.0.1:8000/ws", "ws://127.0.0.1:8000")
+	auth := "traefiker:secret"
+	config.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(auth)))
+
+	c.Assert(err, check.IsNil)
+
+	conn, err := net.DialTimeout("tcp", "127.0.0.1:8000", time.Second)
+	c.Assert(err, checker.IsNil)
+	client, err := websocket.NewClient(config, conn)
+	c.Assert(err, checker.IsNil)
+
+	n, err := client.Write([]byte("OK"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(n, checker.Equals, 2)
+
+	msg := make([]byte, 2)
+	n, err = client.Read(msg)
+	c.Assert(err, checker.IsNil)
+	c.Assert(n, checker.Equals, 2)
+	c.Assert(string(msg), checker.Equals, "OK")
+}
+
+func (s *WebsocketSuite) TestSpecificResponseFromBackend(c *check.C) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(401)
+	}))
+	file := s.adaptFile(c, "fixtures/websocket/config.toml", struct {
+		WebsocketServer string
+	}{
+		WebsocketServer: srv.URL,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file), "--debug")
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.BodyContains("127.0.0.1"))
+	c.Assert(err, checker.IsNil)
+
+	_, resp, err := gorillawebsocket.DefaultDialer.Dial("ws://127.0.0.1:8000/ws", nil)
+	c.Assert(err, checker.NotNil)
+	c.Assert(resp.StatusCode, check.Equals, 401)
+
+}
+
+func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
+	var upgrader = gorillawebsocket.Upgrader{} // use default options
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Assert(r.URL.Path, check.Equals, "/ws/http%3A%2F%2Ftest")
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			return
+		}
+		defer conn.Close()
+		for {
+			mt, message, err := conn.ReadMessage()
+			if err != nil {
+				break
+			}
+			err = conn.WriteMessage(mt, message)
+			if err != nil {
+				break
+			}
+		}
+	}))
+
+	file := s.adaptFile(c, "fixtures/websocket/config.toml", struct {
+		WebsocketServer string
+	}{
+		WebsocketServer: srv.URL,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file), "--debug")
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.BodyContains("127.0.0.1"))
+	c.Assert(err, checker.IsNil)
+
+	conn, _, err := gorillawebsocket.DefaultDialer.Dial("ws://127.0.0.1:8000/ws/http%3A%2F%2Ftest", nil)
+	c.Assert(err, checker.IsNil)
+
+	err = conn.WriteMessage(gorillawebsocket.TextMessage, []byte("OK"))
+	c.Assert(err, checker.IsNil)
+
+	_, msg, err := conn.ReadMessage()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(msg), checker.Equals, "OK")
+}

middlewares/auth/authenticator.go

@@ -18,7 +18,7 @@ type Authenticator struct {
 	users   map[string]string
 }
 
-// NewAuthenticator builds a new Autenticator given a config
+// NewAuthenticator builds a new Authenticator given a config
 func NewAuthenticator(authConfig *types.Auth) (*Authenticator, error) {
 	if authConfig == nil {
 		return nil, fmt.Errorf("Error creating Authenticator: auth is nil")

middlewares/ip_whitelister.go

@@ -6,80 +6,70 @@ import (
 	"net/http"
 
 	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/whitelist"
 	"github.com/pkg/errors"
 	"github.com/urfave/negroni"
 )
 
-// IPWhitelister is a middleware that provides Checks of the Requesting IP against a set of Whitelists
-type IPWhitelister struct {
-	handler    negroni.Handler
-	whitelists []*net.IPNet
+// IPWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists
+type IPWhiteLister struct {
+	handler     negroni.Handler
+	whiteLister *whitelist.IP
 }
 
-// NewIPWhitelister builds a new IPWhitelister given a list of CIDR-Strings to whitelist
-func NewIPWhitelister(whitelistStrings []string) (*IPWhitelister, error) {
+// NewIPWhitelister builds a new IPWhiteLister given a list of CIDR-Strings to whitelist
+func NewIPWhitelister(whitelistStrings []string) (*IPWhiteLister, error) {
 
 	if len(whitelistStrings) == 0 {
 		return nil, errors.New("no whitelists provided")
 	}
 
-	whitelister := IPWhitelister{}
+	whiteLister := IPWhiteLister{}
 
-	for _, whitelistString := range whitelistStrings {
-		_, whitelist, err := net.ParseCIDR(whitelistString)
-		if err != nil {
-			return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whitelist, err)
-		}
-		whitelister.whitelists = append(whitelister.whitelists, whitelist)
+	ip, err := whitelist.NewIP(whitelistStrings, false)
+	if err != nil {
+		return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whitelistStrings, err)
 	}
+	whiteLister.whiteLister = ip
 
-	whitelister.handler = negroni.HandlerFunc(whitelister.handle)
-	log.Debugf("configured %u IP whitelists: %s", len(whitelister.whitelists), whitelister.whitelists)
+	whiteLister.handler = negroni.HandlerFunc(whiteLister.handle)
+	log.Debugf("configured %u IP whitelists: %s", len(whitelistStrings), whitelistStrings)
 
-	return &whitelister, nil
+	return &whiteLister, nil
 }
 
-func (whitelister *IPWhitelister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	remoteIP, err := ipFromRemoteAddr(r.RemoteAddr)
+func (wl *IPWhiteLister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	ipAddress, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
 		log.Warnf("unable to parse remote-address from header: %s - rejecting", r.RemoteAddr)
 		reject(w)
 		return
 	}
 
-	for _, whitelist := range whitelister.whitelists {
-		if whitelist.Contains(*remoteIP) {
-			log.Debugf("source-IP %s matched whitelist %s - passing", remoteIP, whitelist)
-			next.ServeHTTP(w, r)
-			return
-		}
+	allowed, ip, err := wl.whiteLister.Contains(ipAddress)
+	if err != nil {
+		log.Debugf("source-IP %s matched none of the whitelists - rejecting", ipAddress)
+		reject(w)
+		return
 	}
 
-	log.Debugf("source-IP %s matched none of the whitelists - rejecting", remoteIP)
+	if allowed {
+		log.Debugf("source-IP %s matched whitelist %s - passing", ipAddress, wl.whiteLister)
+		next.ServeHTTP(w, r)
+		return
+	}
+
+	log.Debugf("source-IP %s matched none of the whitelists - rejecting", ip)
 	reject(w)
 }
 
+func (wl *IPWhiteLister) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	wl.handler.ServeHTTP(rw, r, next)
+}
+
 func reject(w http.ResponseWriter) {
 	statusCode := http.StatusForbidden
 
 	w.WriteHeader(statusCode)
 	w.Write([]byte(http.StatusText(statusCode)))
 }
-
-func ipFromRemoteAddr(addr string) (*net.IP, error) {
-	ip, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, fmt.Errorf("can't extract IP/Port from address %s: %s", addr, err)
-	}
-
-	userIP := net.ParseIP(ip)
-	if userIP == nil {
-		return nil, fmt.Errorf("can't parse IP from address %s", ip)
-	}
-
-	return &userIP, nil
-}
-
-func (whitelister *IPWhitelister) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	whitelister.handler.ServeHTTP(rw, r, next)
-}

middlewares/metrics.go

@@ -38,7 +38,7 @@ func (m *MetricsWrapper) ServeHTTP(rw http.ResponseWriter, r *http.Request, next
 	m.registry.ReqsCounter().With(reqLabels...).Add(1)
 
 	reqDurationLabels := []string{"service", m.serviceName, "code", strconv.Itoa(prw.statusCode)}
-	m.registry.ReqDurationHistogram().With(reqDurationLabels...).Observe(float64(time.Since(start).Seconds()))
+	m.registry.ReqDurationHistogram().With(reqDurationLabels...).Observe(time.Since(start).Seconds())
 }
 
 type retryMetrics interface {

middlewares/retry.go

@@ -52,6 +52,13 @@ func (retry *Retry) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 		recorder.responseWriter = rw
 
 		retry.next.ServeHTTP(recorder, r.WithContext(newCtx))
+
+		// It's a stream request and the body gets already sent to the client.
+		// Therefore we should not send the response a second time.
+		if recorder.streamingResponseStarted {
+			break
+		}
+
 		if !netErrorOccurred || attempts >= retry.attempts {
 			utils.CopyHeaders(rw.Header(), recorder.Header())
 			rw.WriteHeader(recorder.Code)
@@ -114,8 +121,9 @@ type retryResponseRecorder struct {
 	HeaderMap http.Header   // the HTTP response headers
 	Body      *bytes.Buffer // if non-nil, the bytes.Buffer to append written data to
 
-	responseWriter http.ResponseWriter
-	err            error
+	responseWriter           http.ResponseWriter
+	err                      error
+	streamingResponseStarted bool
 }
 
 // newRetryResponseRecorder returns an initialized retryResponseRecorder.
@@ -164,6 +172,12 @@ func (rw *retryResponseRecorder) CloseNotify() <-chan bool {
 
 // Flush sends any buffered data to the client.
 func (rw *retryResponseRecorder) Flush() {
+	if !rw.streamingResponseStarted {
+		utils.CopyHeaders(rw.responseWriter.Header(), rw.Header())
+		rw.responseWriter.WriteHeader(rw.Code)
+		rw.streamingResponseStarted = true
+	}
+
 	_, err := rw.responseWriter.Write(rw.Body.Bytes())
 	if err != nil {
 		log.Errorf("Error writing response in retryResponseRecorder: %s", err)

middlewares/stripPrefix.go

@@ -16,17 +16,9 @@ type StripPrefix struct {
 
 func (s *StripPrefix) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	for _, prefix := range s.Prefixes {
-		origPrefix := strings.TrimSpace(prefix)
-		if origPrefix == r.URL.Path {
-			r.URL.Path = "/"
-			s.serveRequest(w, r, origPrefix)
-			return
-		}
-
-		prefix = strings.TrimSuffix(origPrefix, "/") + "/"
 		if p := strings.TrimPrefix(r.URL.Path, prefix); len(p) < len(r.URL.Path) {
 			r.URL.Path = "/" + strings.TrimPrefix(p, "/")
-			s.serveRequest(w, r, origPrefix)
+			s.serveRequest(w, r, strings.TrimSpace(prefix))
 			return
 		}
 	}

middlewares/stripPrefix_test.go

@@ -86,6 +86,14 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "/",
 			expectedHeader:     "/stat",
 		},
+		{
+			desc:               "prefix matching within slash boundaries",
+			prefixes:           []string{"/stat"},
+			path:               "/status",
+			expectedStatusCode: http.StatusOK,
+			expectedPath:       "/us",
+			expectedHeader:     "/stat",
+		},
 	}
 
 	for _, test := range tests {

provider/boltdb/boltdb.go

@@ -15,7 +15,7 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	kv.Provider `mapstructure:",squash"`
+	kv.Provider `mapstructure:",squash" export:"true"`
 }
 
 // Provide allows the boltdb provider to Provide configurations to traefik

provider/consul/consul.go

@@ -15,7 +15,7 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the p.
 type Provider struct {
-	kv.Provider `mapstructure:",squash"`
+	kv.Provider `mapstructure:",squash" export:"true"`
 }
 
 // Provide allows the consul provider to provide configurations to traefik

provider/consul/consul_catalog.go

@@ -28,12 +28,12 @@ var _ provider.Provider = (*CatalogProvider)(nil)
 
 // CatalogProvider holds configurations of the Consul catalog provider.
 type CatalogProvider struct {
-	provider.BaseProvider `mapstructure:",squash"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
 	Endpoint              string `description:"Consul server endpoint"`
 	Domain                string `description:"Default domain used"`
-	ExposedByDefault      bool   `description:"Expose Consul services by default"`
-	Prefix                string `description:"Prefix used for Consul catalog tags"`
-	FrontEndRule          string `description:"Frontend rule used for Consul services"`
+	ExposedByDefault      bool   `description:"Expose Consul services by default" export:"true"`
+	Prefix                string `description:"Prefix used for Consul catalog tags" export:"true"`
+	FrontEndRule          string `description:"Frontend rule used for Consul services" export:"true"`
 	client                *api.Client
 	frontEndRuleTemplate  *template.Template
 }
@@ -110,7 +110,7 @@ func getChangedHealthyKeys(currState []string, prevState []string) ([]string, []
 	return fun.Keys(addedKeys).([]string), fun.Keys(removedKeys).([]string)
 }
 
-func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<- map[string][]string) {
+func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<- map[string][]string, errorCh chan<- error) {
 	health := p.client.Health()
 	catalog := p.client.Catalog()
 
@@ -131,6 +131,7 @@ func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<
 			healthyState, meta, err := health.State("passing", options)
 			if err != nil {
 				log.WithError(err).Error("Failed to retrieve health checks")
+				errorCh <- err
 				return
 			}
 
@@ -154,6 +155,7 @@ func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<
 			data, _, err := catalog.Services(&api.QueryOptions{})
 			if err != nil {
 				log.Errorf("Failed to list services: %s", err)
+				errorCh <- err
 				return
 			}
 
@@ -186,11 +188,10 @@ type Service struct {
 	Nodes []string
 }
 
-func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh chan<- map[string][]string) {
+func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh chan<- map[string][]string, errorCh chan<- error) {
 	catalog := p.client.Catalog()
 
 	safe.Go(func() {
-		current := make(map[string]Service)
 		// variable to hold previous state
 		var flashback map[string]Service
 
@@ -206,6 +207,7 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 			data, meta, err := catalog.Services(options)
 			if err != nil {
 				log.Errorf("Failed to list services: %s", err)
+				errorCh <- err
 				return
 			}
 
@@ -216,11 +218,12 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 			options.WaitIndex = meta.LastIndex
 
 			if data != nil {
-
+				current := make(map[string]Service)
 				for key, value := range data {
-					nodes, _, err := catalog.Service(key, "", options)
+					nodes, _, err := catalog.Service(key, "", &api.QueryOptions{})
 					if err != nil {
 						log.Errorf("Failed to get detail of service %s: %s", key, err)
+						errorCh <- err
 						return
 					}
 					nodesID := getServiceIds(nodes)
@@ -243,14 +246,8 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 
 				addedServiceNodeKeys, removedServiceNodeKeys := getChangedServiceNodeKeys(current, flashback)
 
-				if len(addedServiceKeys) > 0 || len(addedServiceNodeKeys) > 0 {
-					log.WithField("DiscoveredServices", addedServiceKeys).Debug("Catalog Services change detected.")
-					watchCh <- data
-					flashback = current
-				}
-
-				if len(removedServiceKeys) > 0 || len(removedServiceNodeKeys) > 0 {
-					log.WithField("MissingServices", removedServiceKeys).Debug("Catalog Services change detected.")
+				if len(removedServiceKeys) > 0 || len(removedServiceNodeKeys) > 0 || len(addedServiceKeys) > 0 || len(addedServiceNodeKeys) > 0 {
+					log.WithField("MissingServices", removedServiceKeys).WithField("DiscoveredServices", addedServiceKeys).Debug("Catalog Services change detected.")
 					watchCh <- data
 					flashback = current
 				}
@@ -392,10 +389,6 @@ func (p *CatalogProvider) getBackendName(node *api.ServiceEntry, index int) stri
 	return serviceName
 }
 
-func (p *CatalogProvider) getAttribute(name string, tags []string, defaultValue string) string {
-	return p.getTag(p.getPrefixedName(name), tags, defaultValue)
-}
-
 func (p *CatalogProvider) getBasicAuth(tags []string) []string {
 	list := p.getAttribute("frontend.auth.basic", tags, "")
 	if list != "" {
@@ -404,6 +397,29 @@ func (p *CatalogProvider) getBasicAuth(tags []string) []string {
 	return []string{}
 }
 
+func (p *CatalogProvider) getSticky(tags []string) string {
+	stickyTag := p.getTag(types.LabelBackendLoadbalancerSticky, tags, "")
+	if len(stickyTag) > 0 {
+		log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
+	} else {
+		stickyTag = "false"
+	}
+	return stickyTag
+}
+
+func (p *CatalogProvider) hasStickinessLabel(tags []string) bool {
+	stickinessTag := p.getTag(types.LabelBackendLoadbalancerStickiness, tags, "")
+	return len(stickinessTag) > 0 && strings.EqualFold(strings.TrimSpace(stickinessTag), "true")
+}
+
+func (p *CatalogProvider) getStickinessCookieName(tags []string) string {
+	return p.getTag(types.LabelBackendLoadbalancerStickinessCookieName, tags, "")
+}
+
+func (p *CatalogProvider) getAttribute(name string, tags []string, defaultValue string) string {
+	return p.getTag(p.getPrefixedName(name), tags, defaultValue)
+}
+
 func (p *CatalogProvider) hasTag(name string, tags []string) bool {
 	// Very-very unlikely that a Consul tag would ever start with '=!='
 	tag := p.getTag(name, tags, "=!=")
@@ -446,16 +462,19 @@ func (p *CatalogProvider) getConstraintTags(tags []string) []string {
 
 func (p *CatalogProvider) buildConfig(catalog []catalogUpdate) *types.Configuration {
 	var FuncMap = template.FuncMap{
-		"getBackend":           p.getBackend,
-		"getFrontendRule":      p.getFrontendRule,
-		"getBackendName":       p.getBackendName,
-		"getBackendAddress":    p.getBackendAddress,
-		"getAttribute":         p.getAttribute,
-		"getBasicAuth":         p.getBasicAuth,
-		"getTag":               p.getTag,
-		"hasTag":               p.hasTag,
-		"getEntryPoints":       p.getEntryPoints,
-		"hasMaxconnAttributes": p.hasMaxconnAttributes,
+		"getBackend":              p.getBackend,
+		"getFrontendRule":         p.getFrontendRule,
+		"getBackendName":          p.getBackendName,
+		"getBackendAddress":       p.getBackendAddress,
+		"getBasicAuth":            p.getBasicAuth,
+		"getSticky":               p.getSticky,
+		"hasStickinessLabel":      p.hasStickinessLabel,
+		"getStickinessCookieName": p.getStickinessCookieName,
+		"getAttribute":            p.getAttribute,
+		"getTag":                  p.getTag,
+		"hasTag":                  p.hasTag,
+		"getEntryPoints":          p.getEntryPoints,
+		"hasMaxconnAttributes":    p.hasMaxconnAttributes,
 	}
 
 	allNodes := []*api.ServiceEntry{}
@@ -519,9 +538,10 @@ func (p *CatalogProvider) getNodes(index map[string][]string) ([]catalogUpdate,
 func (p *CatalogProvider) watch(configurationChan chan<- types.ConfigMessage, stop chan bool) error {
 	stopCh := make(chan struct{})
 	watchCh := make(chan map[string][]string)
+	errorCh := make(chan error)
 
-	p.watchHealthState(stopCh, watchCh)
-	p.watchCatalogServices(stopCh, watchCh)
+	p.watchHealthState(stopCh, watchCh, errorCh)
+	p.watchCatalogServices(stopCh, watchCh, errorCh)
 
 	defer close(stopCh)
 	defer close(watchCh)
@@ -544,6 +564,8 @@ func (p *CatalogProvider) watch(configurationChan chan<- types.ConfigMessage, st
 				ProviderName:  "consul_catalog",
 				Configuration: configuration,
 			}
+		case err := <-errorCh:
+			return err
 		}
 	}
 }

provider/consul/consul_catalog_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/BurntSushi/ty/fun"
 	"github.com/containous/traefik/types"
 	"github.com/hashicorp/consul/api"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestConsulCatalogGetFrontendRule(t *testing.T) {
@@ -891,3 +892,45 @@ func TestConsulCatalogGetBasicAuth(t *testing.T) {
 		})
 	}
 }
+
+func TestConsulCatalogHasStickinessLabel(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		tags     []string
+		expected bool
+	}{
+		{
+			desc:     "label missing",
+			tags:     []string{},
+			expected: false,
+		},
+		{
+			desc: "stickiness=true",
+			tags: []string{
+				types.LabelBackendLoadbalancerStickiness + "=true",
+			},
+			expected: true,
+		},
+		{
+			desc: "stickiness=false",
+			tags: []string{
+				types.LabelBackendLoadbalancerStickiness + "=false",
+			},
+			expected: false,
+		},
+	}
+
+	provider := &CatalogProvider{
+		Prefix: "traefik",
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.hasStickinessLabel(test.tags)
+			assert.Equal(t, actual, test.expected)
+		})
+	}
+}

provider/docker/docker.go

@@ -46,13 +46,13 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
 	Endpoint              string           `description:"Docker server endpoint. Can be a tcp or a unix socket endpoint"`
 	Domain                string           `description:"Default domain used"`
-	TLS                   *types.ClientTLS `description:"Enable Docker TLS support"`
-	ExposedByDefault      bool             `description:"Expose containers by default"`
-	UseBindPortIP         bool             `description:"Use the ip address from the bound port, rather than from the inner network"`
-	SwarmMode             bool             `description:"Use Docker on Swarm Mode"`
+	TLS                   *types.ClientTLS `description:"Enable Docker TLS support" export:"true"`
+	ExposedByDefault      bool             `description:"Expose containers by default" export:"true"`
+	UseBindPortIP         bool             `description:"Use the ip address from the bound port, rather than from the inner network" export:"true"`
+	SwarmMode             bool             `description:"Use Docker on Swarm Mode" export:"true"`
 }
 
 // dockerData holds the need data to the Provider p
@@ -276,6 +276,8 @@ func (p *Provider) loadDockerConfig(containersInspected []dockerData) *types.Con
 		"getMaxConnAmount":            p.getMaxConnAmount,
 		"getMaxConnExtractorFunc":     p.getMaxConnExtractorFunc,
 		"getSticky":                   p.getSticky,
+		"getStickinessCookieName":     p.getStickinessCookieName,
+		"hasStickinessLabel":          p.hasStickinessLabel,
 		"getIsBackendLBSwarm":         p.getIsBackendLBSwarm,
 		"hasServices":                 p.hasServices,
 		"getServiceNames":             p.getServiceNames,
@@ -328,10 +330,8 @@ func (p *Provider) loadDockerConfig(containersInspected []dockerData) *types.Con
 }
 
 func (p *Provider) hasCircuitBreakerLabel(container dockerData) bool {
-	if _, err := getLabel(container, types.LabelBackendCircuitbreakerExpression); err != nil {
-		return false
-	}
-	return true
+	_, err := getLabel(container, types.LabelBackendCircuitbreakerExpression)
+	return err == nil
 }
 
 // Regexp used to extract the name of the service and the name of the property for this service
@@ -466,10 +466,10 @@ func (p *Provider) getServiceProtocol(container dockerData, serviceName string)
 func (p *Provider) hasLoadBalancerLabel(container dockerData) bool {
 	_, errMethod := getLabel(container, types.LabelBackendLoadbalancerMethod)
 	_, errSticky := getLabel(container, types.LabelBackendLoadbalancerSticky)
-	if errMethod != nil && errSticky != nil {
-		return false
-	}
-	return true
+	_, errStickiness := getLabel(container, types.LabelBackendLoadbalancerStickiness)
+	_, errCookieName := getLabel(container, types.LabelBackendLoadbalancerStickinessCookieName)
+
+	return errMethod == nil || errSticky == nil || errStickiness == nil || errCookieName == nil
 }
 
 func (p *Provider) hasMaxConnLabels(container dockerData) bool {
@@ -645,13 +645,28 @@ func (p *Provider) getWeight(container dockerData) string {
 	return "0"
 }
 
+func (p *Provider) hasStickinessLabel(container dockerData) bool {
+	labelStickiness, errStickiness := getLabel(container, types.LabelBackendLoadbalancerStickiness)
+	return errStickiness == nil && len(labelStickiness) > 0 && strings.EqualFold(strings.TrimSpace(labelStickiness), "true")
+}
+
 func (p *Provider) getSticky(container dockerData) string {
 	if label, err := getLabel(container, types.LabelBackendLoadbalancerSticky); err == nil {
+		if len(label) > 0 {
+			log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
+		}
 		return label
 	}
 	return "false"
 }
 
+func (p *Provider) getStickinessCookieName(container dockerData) string {
+	if label, err := getLabel(container, types.LabelBackendLoadbalancerStickinessCookieName); err == nil {
+		return label
+	}
+	return ""
+}
+
 func (p *Provider) getIsBackendLBSwarm(container dockerData) string {
 	if label, err := getLabel(container, labelBackendLoadbalancerSwarm); err == nil {
 		return label
@@ -813,7 +828,7 @@ func (p *Provider) listServices(ctx context.Context, dockerClient client.APIClie
 		return []dockerData{}, err
 	}
 	networkListArgs := filters.NewArgs()
-	networkListArgs.Add("driver", "overlay")
+	networkListArgs.Add("scope", "swarm")
 
 	networkList, err := dockerClient.NetworkList(ctx, dockertypes.NetworkListOptions{Filters: networkListArgs})
 

provider/docker/docker_test.go

@@ -10,6 +10,7 @@ import (
 	docker "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestDockerGetFrontendName(t *testing.T) {
@@ -1051,3 +1052,42 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestDockerHasStickinessLabel(t *testing.T) {
+	testCases := []struct {
+		desc      string
+		container docker.ContainerJSON
+		expected  bool
+	}{
+		{
+			desc:      "no stickiness-label",
+			container: containerJSON(),
+			expected:  false,
+		},
+		{
+			desc: "stickiness true",
+			container: containerJSON(labels(map[string]string{
+				types.LabelBackendLoadbalancerStickiness: "true",
+			})),
+			expected: true,
+		},
+		{
+			desc: "stickiness false",
+			container: containerJSON(labels(map[string]string{
+				types.LabelBackendLoadbalancerStickiness: "false",
+			})),
+			expected: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+			dockerData := parseContainer(test.container)
+			provider := &Provider{}
+			actual := provider.hasStickinessLabel(dockerData)
+			assert.Equal(t, actual, test.expected)
+		})
+	}
+}

provider/dynamodb/dynamodb.go

@@ -24,14 +24,13 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configuration for provider.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
-
-	AccessKeyID     string `description:"The AWS credentials access key to use for making requests"`
-	RefreshSeconds  int    `description:"Polling interval (in seconds)"`
-	Region          string `description:"The AWS region to use for requests"`
-	SecretAccessKey string `description:"The AWS credentals secret key to use for making requests"`
-	TableName       string `description:"The AWS dynamodb table that stores configuration for traefik"`
-	Endpoint        string `description:"The endpoint of a dynamodb. Used for testing with a local dynamodb"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
+	AccessKeyID           string `description:"The AWS credentials access key to use for making requests"`
+	RefreshSeconds        int    `description:"Polling interval (in seconds)" export:"true"`
+	Region                string `description:"The AWS region to use for requests" export:"true"`
+	SecretAccessKey       string `description:"The AWS credentials secret key to use for making requests"`
+	TableName             string `description:"The AWS dynamodb table that stores configuration for traefik" export:"true"`
+	Endpoint              string `description:"The endpoint of a dynamodb. Used for testing with a local dynamodb"`
 }
 
 type dynamoClient struct {
@@ -163,12 +162,12 @@ func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *s
 		})
 
 		operation := func() error {
-			aws, err := p.createClient()
+			awsClient, err := p.createClient()
 			if err != nil {
 				return handleCanceled(ctx, err)
 			}
 
-			configuration, err := p.loadDynamoConfig(aws)
+			configuration, err := p.loadDynamoConfig(awsClient)
 			if err != nil {
 				return handleCanceled(ctx, err)
 			}
@@ -185,7 +184,7 @@ func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *s
 					log.Debug("Watching Provider...")
 					select {
 					case <-reload.C:
-						configuration, err := p.loadDynamoConfig(aws)
+						configuration, err := p.loadDynamoConfig(awsClient)
 						if err != nil {
 							return handleCanceled(ctx, err)
 						}

provider/ecs/ecs.go

@@ -29,17 +29,17 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
 
 	Domain           string `description:"Default domain used"`
-	ExposedByDefault bool   `description:"Expose containers by default"`
-	RefreshSeconds   int    `description:"Polling interval (in seconds)"`
+	ExposedByDefault bool   `description:"Expose containers by default" export:"true"`
+	RefreshSeconds   int    `description:"Polling interval (in seconds)" export:"true"`
 
 	// Provider lookup parameters
 	Clusters             Clusters `description:"ECS Clusters name"`
 	Cluster              string   `description:"deprecated - ECS Cluster name"` // deprecated
-	AutoDiscoverClusters bool     `description:"Auto discover cluster"`
-	Region               string   `description:"The AWS region to use for requests"`
+	AutoDiscoverClusters bool     `description:"Auto discover cluster" export:"true"`
+	Region               string   `description:"The AWS region to use for requests" export:"true"`
 	AccessKeyID          string   `description:"The AWS credentials access key to use for making requests"`
 	SecretAccessKey      string   `description:"The AWS credentials access key to use for making requests"`
 }
@@ -122,12 +122,12 @@ func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *s
 		})
 
 		operation := func() error {
-			aws, err := p.createClient()
+			awsClient, err := p.createClient()
 			if err != nil {
 				return err
 			}
 
-			configuration, err := p.loadECSConfig(ctx, aws)
+			configuration, err := p.loadECSConfig(ctx, awsClient)
 			if err != nil {
 				return handleCanceled(ctx, err)
 			}
@@ -143,7 +143,7 @@ func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *s
 				for {
 					select {
 					case <-reload.C:
-						configuration, err := p.loadECSConfig(ctx, aws)
+						configuration, err := p.loadECSConfig(ctx, awsClient)
 						if err != nil {
 							return handleCanceled(ctx, err)
 						}
@@ -180,11 +180,13 @@ func wrapAws(ctx context.Context, req *request.Request) error {
 
 func (p *Provider) loadECSConfig(ctx context.Context, client *awsClient) (*types.Configuration, error) {
 	var ecsFuncMap = template.FuncMap{
-		"filterFrontends":       p.filterFrontends,
-		"getFrontendRule":       p.getFrontendRule,
-		"getBasicAuth":          p.getBasicAuth,
-		"getLoadBalancerSticky": p.getLoadBalancerSticky,
-		"getLoadBalancerMethod": p.getLoadBalancerMethod,
+		"filterFrontends":         p.filterFrontends,
+		"getFrontendRule":         p.getFrontendRule,
+		"getBasicAuth":            p.getBasicAuth,
+		"getLoadBalancerMethod":   p.getLoadBalancerMethod,
+		"getLoadBalancerSticky":   p.getLoadBalancerSticky,
+		"hasStickinessLabel":      p.hasStickinessLabel,
+		"getStickinessCookieName": p.getStickinessCookieName,
 	}
 
 	instances, err := p.listInstances(ctx, client)
@@ -214,7 +216,6 @@ func (p *Provider) loadECSConfig(ctx context.Context, client *awsClient) (*types
 // Find all running Provider tasks in a cluster, also collect the task definitions (for docker labels)
 // and the EC2 instance data
 func (p *Provider) listInstances(ctx context.Context, client *awsClient) ([]ecsInstance, error) {
-	var taskArns []*string
 	var instances []ecsInstance
 	var clustersArn []*string
 	var clusters Clusters
@@ -255,6 +256,8 @@ func (p *Provider) listInstances(ctx context.Context, client *awsClient) ([]ecsI
 			DesiredStatus: aws.String(ecs.DesiredStatusRunning),
 		})
 
+		var taskArns []*string
+
 		for ; req != nil; req = req.NextPage() {
 			if err := wrapAws(ctx, req); err != nil {
 				return nil, err
@@ -263,12 +266,10 @@ func (p *Provider) listInstances(ctx context.Context, client *awsClient) ([]ecsI
 			taskArns = append(taskArns, req.Data.(*ecs.ListTasksOutput).TaskArns...)
 		}
 
-		// Early return: if we can't list tasks we have nothing to
-		// describe below - likely empty cluster/permissions are bad.  This
-		// stops the AWS API from returning a 401 when you DescribeTasks
-		// with no input.
+		// Skip to the next cluster if there are no tasks found on
+		// this cluster.
 		if len(taskArns) == 0 {
-			return []ecsInstance{}, nil
+			continue
 		}
 
 		chunkedTaskArns := p.chunkedTaskArns(taskArns)
@@ -478,16 +479,33 @@ func (p *Provider) getBasicAuth(i ecsInstance) []string {
 	return []string{}
 }
 
+func getFirstInstanceLabel(instances []ecsInstance, labelName string) string {
+	if len(instances) > 0 {
+		return instances[0].label(labelName)
+	}
+	return ""
+}
+
 func (p *Provider) getLoadBalancerSticky(instances []ecsInstance) string {
 	if len(instances) > 0 {
-		label := instances[0].label(types.LabelBackendLoadbalancerSticky)
+		label := getFirstInstanceLabel(instances, types.LabelBackendLoadbalancerSticky)
 		if label != "" {
+			log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
 			return label
 		}
 	}
 	return "false"
 }
 
+func (p *Provider) hasStickinessLabel(instances []ecsInstance) bool {
+	stickinessLabel := getFirstInstanceLabel(instances, types.LabelBackendLoadbalancerStickiness)
+	return len(stickinessLabel) > 0 && strings.EqualFold(strings.TrimSpace(stickinessLabel), "true")
+}
+
+func (p *Provider) getStickinessCookieName(instances []ecsInstance) string {
+	return getFirstInstanceLabel(instances, types.LabelBackendLoadbalancerStickinessCookieName)
+}
+
 func (p *Provider) getLoadBalancerMethod(instances []ecsInstance) string {
 	if len(instances) > 0 {
 		label := instances[0].label(types.LabelBackendLoadbalancerMethod)

provider/etcd/etcd.go

@@ -15,7 +15,7 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	kv.Provider `mapstructure:",squash"`
+	kv.Provider `mapstructure:",squash" export:"true"`
 }
 
 // Provide allows the etcd provider to Provide configurations to traefik

provider/eureka/eureka.go

@@ -18,9 +18,9 @@ import (
 
 // Provider holds configuration of the Provider provider.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
 	Endpoint              string `description:"Eureka server endpoint"`
-	Delay                 string `description:"Override default configuration time between refresh"`
+	Delay                 string `description:"Override default configuration time between refresh" export:"true"`
 }
 
 // Provide allows the eureka provider to provide configurations to traefik

provider/file/file.go

@@ -18,8 +18,8 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
-	Directory             string `description:"Load configuration from one or more .toml files in a directory"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
+	Directory             string `description:"Load configuration from one or more .toml files in a directory" export:"true"`
 }
 
 // Provide allows the file provider to provide configurations to traefik

provider/kubernetes/kubernetes.go

@@ -42,13 +42,13 @@ const traefikDefaultRealm = "traefik"
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	provider.BaseProvider  `mapstructure:",squash"`
+	provider.BaseProvider  `mapstructure:",squash" export:"true"`
 	Endpoint               string     `description:"Kubernetes server endpoint (required for external cluster client)"`
 	Token                  string     `description:"Kubernetes bearer token (not needed for in-cluster client)"`
 	CertAuthFilePath       string     `description:"Kubernetes certificate authority file path (not needed for in-cluster client)"`
-	DisablePassHostHeaders bool       `description:"Kubernetes disable PassHost Headers"`
-	Namespaces             Namespaces `description:"Kubernetes namespaces"`
-	LabelSelector          string     `description:"Kubernetes api label selector to use"`
+	DisablePassHostHeaders bool       `description:"Kubernetes disable PassHost Headers" export:"true"`
+	Namespaces             Namespaces `description:"Kubernetes namespaces" export:"true"`
+	LabelSelector          string     `description:"Kubernetes api label selector to use" export:"true"`
 	lastConfiguration      safe.Safe
 }
 
@@ -160,7 +160,6 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					templateObjects.Backends[r.Host+pa.Path] = &types.Backend{
 						Servers: make(map[string]types.Server),
 						LoadBalancer: &types.LoadBalancer{
-							Sticky: false,
 							Method: "wrr",
 						},
 					}
@@ -180,11 +179,13 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					log.Warnf("Unknown value '%s' for %s, falling back to %s", passHostHeaderAnnotation, types.LabelFrontendPassHostHeader, PassHostHeader)
 				}
 				if realm := i.Annotations[annotationKubernetesAuthRealm]; realm != "" && realm != traefikDefaultRealm {
-					return nil, errors.New("no realm customization supported")
+					log.Errorf("Value for annotation %q on ingress %s/%s invalid: no realm customization supported", annotationKubernetesAuthRealm, i.ObjectMeta.Namespace, i.ObjectMeta.Name)
+					delete(templateObjects.Backends, r.Host+pa.Path)
+					continue
 				}
 
-				witelistSourceRangeAnnotation := i.Annotations[annotationKubernetesWhitelistSourceRange]
-				whitelistSourceRange := provider.SplitAndTrimString(witelistSourceRangeAnnotation)
+				whitelistSourceRangeAnnotation := i.Annotations[annotationKubernetesWhitelistSourceRange]
+				whitelistSourceRange := provider.SplitAndTrimString(whitelistSourceRangeAnnotation)
 
 				if _, exists := templateObjects.Frontends[r.Host+pa.Path]; !exists {
 					basicAuthCreds, err := handleBasicAuthConfig(i, k8sClient)
@@ -247,8 +248,16 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					templateObjects.Backends[r.Host+pa.Path].LoadBalancer.Method = "drr"
 				}
 
-				if service.Annotations[types.LabelBackendLoadbalancerSticky] == "true" {
-					templateObjects.Backends[r.Host+pa.Path].LoadBalancer.Sticky = true
+				if sticky := service.Annotations[types.LabelBackendLoadbalancerSticky]; len(sticky) > 0 {
+					log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
+					templateObjects.Backends[r.Host+pa.Path].LoadBalancer.Sticky = strings.EqualFold(strings.TrimSpace(sticky), "true")
+				}
+
+				if service.Annotations[types.LabelBackendLoadbalancerStickiness] == "true" {
+					templateObjects.Backends[r.Host+pa.Path].LoadBalancer.Stickiness = &types.Stickiness{}
+					if cookieName := service.Annotations[types.LabelBackendLoadbalancerStickinessCookieName]; len(cookieName) > 0 {
+						templateObjects.Backends[r.Host+pa.Path].LoadBalancer.Stickiness.CookieName = cookieName
+					}
 				}
 
 				protocol := "http"

provider/kubernetes/kubernetes_test.go

@@ -243,7 +243,6 @@ func TestLoadIngresses(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -256,7 +255,6 @@ func TestLoadIngresses(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -273,7 +271,6 @@ func TestLoadIngresses(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -489,7 +486,6 @@ func TestGetPassHostHeader(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -591,7 +587,6 @@ func TestOnlyReferencesServicesFromOwnNamespace(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -771,7 +766,6 @@ func TestLoadNamespacedIngresses(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -779,7 +773,6 @@ func TestLoadNamespacedIngresses(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -996,7 +989,6 @@ func TestLoadMultipleNamespacedIngresses(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1004,7 +996,6 @@ func TestLoadMultipleNamespacedIngresses(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1012,7 +1003,6 @@ func TestLoadMultipleNamespacedIngresses(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1118,7 +1108,6 @@ func TestHostlessIngress(t *testing.T) {
 				Servers:        map[string]types.Server{},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1320,7 +1309,6 @@ func TestServiceAnnotations(t *testing.T) {
 				},
 				LoadBalancer: &types.LoadBalancer{
 					Method: "drr",
-					Sticky: false,
 				},
 			},
 			"bar": {
@@ -1366,7 +1354,7 @@ func TestServiceAnnotations(t *testing.T) {
 		},
 	}
 
-	assert.Equal(t, expected, actual)
+	assert.EqualValues(t, expected, actual)
 }
 
 func TestIngressAnnotations(t *testing.T) {
@@ -1541,6 +1529,34 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 			},
 		},
+		{
+			ObjectMeta: v1.ObjectMeta{
+				Namespace: "testing",
+				Annotations: map[string]string{
+					"ingress.kubernetes.io/auth-realm": "customized",
+				},
+			},
+			Spec: v1beta1.IngressSpec{
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: "auth-realm-customized",
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/auth-realm-customized",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "service1",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	services := []*v1.Service{
 		{
@@ -1601,7 +1617,6 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1614,7 +1629,6 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1627,7 +1641,6 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1640,7 +1653,6 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1653,7 +1665,6 @@ func TestIngressAnnotations(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1807,7 +1818,6 @@ func TestPriorityHeaderValue(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -1909,7 +1919,6 @@ func TestInvalidPassHostHeaderValue(t *testing.T) {
 				},
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
-					Sticky: false,
 					Method: "wrr",
 				},
 			},
@@ -2192,14 +2201,12 @@ func TestMissingResources(t *testing.T) {
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
 					Method: "wrr",
-					Sticky: false,
 				},
 			},
 			"missing_service": {
 				Servers: map[string]types.Server{},
 				LoadBalancer: &types.LoadBalancer{
 					Method: "wrr",
-					Sticky: false,
 				},
 			},
 			"missing_endpoints": {
@@ -2207,7 +2214,6 @@ func TestMissingResources(t *testing.T) {
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
 					Method: "wrr",
-					Sticky: false,
 				},
 			},
 			"missing_endpoint_subsets": {
@@ -2215,7 +2221,6 @@ func TestMissingResources(t *testing.T) {
 				CircuitBreaker: nil,
 				LoadBalancer: &types.LoadBalancer{
 					Method: "wrr",
-					Sticky: false,
 				},
 			},
 		},

provider/kv/kv.go

@@ -20,10 +20,10 @@ import (
 
 // Provider holds common configurations of key-value providers.
 type Provider struct {
-	provider.BaseProvider `mapstructure:",squash"`
+	provider.BaseProvider `mapstructure:",squash" export:"true"`
 	Endpoint              string           `description:"Comma separated server endpoints"`
-	Prefix                string           `description:"Prefix used for KV store"`
-	TLS                   *types.ClientTLS `description:"Enable TLS support"`
+	Prefix                string           `description:"Prefix used for KV store" export:"true"`
+	TLS                   *types.ClientTLS `description:"Enable TLS support" export:"true"`
 	Username              string           `description:"KV Username"`
 	Password              string           `description:"KV Password"`
 	storeType             store.Backend
@@ -139,11 +139,14 @@ func (p *Provider) loadConfig() *types.Configuration {
 	}
 
 	var KvFuncMap = template.FuncMap{
-		"List":        p.list,
-		"ListServers": p.listServers,
-		"Get":         p.get,
-		"SplitGet":    p.splitGet,
-		"Last":        p.last,
+		"List":                    p.list,
+		"ListServers":             p.listServers,
+		"Get":                     p.get,
+		"SplitGet":                p.splitGet,
+		"Last":                    p.last,
+		"getSticky":               p.getSticky,
+		"hasStickinessLabel":      p.hasStickinessLabel,
+		"getStickinessCookieName": p.getStickinessCookieName,
 	}
 
 	configuration, err := p.GetConfiguration("templates/kv.tmpl", KvFuncMap, templateObjects)
@@ -239,3 +242,22 @@ func (p *Provider) checkConstraints(keys ...string) bool {
 	}
 	return true
 }
+
+func (p *Provider) getSticky(rootPath string) string {
+	stickyValue := p.get("", rootPath, "/loadbalancer", "/sticky")
+	if len(stickyValue) > 0 {
+		log.Warnf("Deprecated configuration found: %s. Please use %s.", "loadbalancer/sticky", "loadbalancer/stickiness")
+	} else {
+		stickyValue = "false"
+	}
+	return stickyValue
+}
+
+func (p *Provider) hasStickinessLabel(rootPath string) bool {
+	stickinessValue := p.get("false", rootPath, "/loadbalancer", "/stickiness")
+	return len(stickinessValue) > 0 && strings.EqualFold(strings.TrimSpace(stickinessValue), "true")
+}
+
+func (p *Provider) getStickinessCookieName(rootPath string) string {
+	return p.get("", rootPath, "/loadbalancer", "/stickiness", "/cookiename")
+}

provider/kv/kv_mock_test.go

@@ -0,0 +1,110 @@
+package kv
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/containous/traefik/types"
+	"github.com/docker/libkv/store"
+)
+
+type KvMock struct {
+	Provider
+}
+
+func (provider *KvMock) loadConfig() *types.Configuration {
+	return nil
+}
+
+// Override Get/List to return a error
+type KvError struct {
+	Get  error
+	List error
+}
+
+// Extremely limited mock store so we can test initialization
+type Mock struct {
+	Error           KvError
+	KVPairs         []*store.KVPair
+	WatchTreeMethod func() <-chan []*store.KVPair
+}
+
+func (s *Mock) Put(key string, value []byte, opts *store.WriteOptions) error {
+	return errors.New("Put not supported")
+}
+
+func (s *Mock) Get(key string) (*store.KVPair, error) {
+	if err := s.Error.Get; err != nil {
+		return nil, err
+	}
+	for _, kvPair := range s.KVPairs {
+		if kvPair.Key == key {
+			return kvPair, nil
+		}
+	}
+	return nil, store.ErrKeyNotFound
+}
+
+func (s *Mock) Delete(key string) error {
+	return errors.New("Delete not supported")
+}
+
+// Exists mock
+func (s *Mock) Exists(key string) (bool, error) {
+	if err := s.Error.Get; err != nil {
+		return false, err
+	}
+	for _, kvPair := range s.KVPairs {
+		if strings.HasPrefix(kvPair.Key, key) {
+			return true, nil
+		}
+	}
+	return false, store.ErrKeyNotFound
+}
+
+// Watch mock
+func (s *Mock) Watch(key string, stopCh <-chan struct{}) (<-chan *store.KVPair, error) {
+	return nil, errors.New("Watch not supported")
+}
+
+// WatchTree mock
+func (s *Mock) WatchTree(prefix string, stopCh <-chan struct{}) (<-chan []*store.KVPair, error) {
+	return s.WatchTreeMethod(), nil
+}
+
+// NewLock mock
+func (s *Mock) NewLock(key string, options *store.LockOptions) (store.Locker, error) {
+	return nil, errors.New("NewLock not supported")
+}
+
+// List mock
+func (s *Mock) List(prefix string) ([]*store.KVPair, error) {
+	if err := s.Error.List; err != nil {
+		return nil, err
+	}
+	kv := []*store.KVPair{}
+	for _, kvPair := range s.KVPairs {
+		if strings.HasPrefix(kvPair.Key, prefix) && !strings.ContainsAny(strings.TrimPrefix(kvPair.Key, prefix), "/") {
+			kv = append(kv, kvPair)
+		}
+	}
+	return kv, nil
+}
+
+// DeleteTree mock
+func (s *Mock) DeleteTree(prefix string) error {
+	return errors.New("DeleteTree not supported")
+}
+
+// AtomicPut mock
+func (s *Mock) AtomicPut(key string, value []byte, previous *store.KVPair, opts *store.WriteOptions) (bool, *store.KVPair, error) {
+	return false, nil, errors.New("AtomicPut not supported")
+}
+
+// AtomicDelete mock
+func (s *Mock) AtomicDelete(key string, previous *store.KVPair) (bool, error) {
+	return false, errors.New("AtomicDelete not supported")
+}
+
+// Close mock
+func (s *Mock) Close() {}

provider/kv/kv_test.go

@@ -1,10 +1,8 @@
 package kv
 
 import (
-	"errors"
 	"reflect"
 	"sort"
-	"strings"
 	"testing"
 	"time"
 
@@ -237,14 +235,6 @@ func TestKvLast(t *testing.T) {
 	}
 }
 
-type KvMock struct {
-	Provider
-}
-
-func (provider *KvMock) loadConfig() *types.Configuration {
-	return nil
-}
-
 func TestKvWatchTree(t *testing.T) {
 	returnedChans := make(chan chan []*store.KVPair)
 	provider := &KvMock{
@@ -288,91 +278,6 @@ func TestKvWatchTree(t *testing.T) {
 	}
 }
 
-// Override Get/List to return a error
-type KvError struct {
-	Get  error
-	List error
-}
-
-// Extremely limited mock store so we can test initialization
-type Mock struct {
-	Error           KvError
-	KVPairs         []*store.KVPair
-	WatchTreeMethod func() <-chan []*store.KVPair
-}
-
-func (s *Mock) Put(key string, value []byte, opts *store.WriteOptions) error {
-	return errors.New("Put not supported")
-}
-
-func (s *Mock) Get(key string) (*store.KVPair, error) {
-	if err := s.Error.Get; err != nil {
-		return nil, err
-	}
-	for _, kvPair := range s.KVPairs {
-		if kvPair.Key == key {
-			return kvPair, nil
-		}
-	}
-	return nil, store.ErrKeyNotFound
-}
-
-func (s *Mock) Delete(key string) error {
-	return errors.New("Delete not supported")
-}
-
-// Exists mock
-func (s *Mock) Exists(key string) (bool, error) {
-	return false, errors.New("Exists not supported")
-}
-
-// Watch mock
-func (s *Mock) Watch(key string, stopCh <-chan struct{}) (<-chan *store.KVPair, error) {
-	return nil, errors.New("Watch not supported")
-}
-
-// WatchTree mock
-func (s *Mock) WatchTree(prefix string, stopCh <-chan struct{}) (<-chan []*store.KVPair, error) {
-	return s.WatchTreeMethod(), nil
-}
-
-// NewLock mock
-func (s *Mock) NewLock(key string, options *store.LockOptions) (store.Locker, error) {
-	return nil, errors.New("NewLock not supported")
-}
-
-// List mock
-func (s *Mock) List(prefix string) ([]*store.KVPair, error) {
-	if err := s.Error.List; err != nil {
-		return nil, err
-	}
-	kv := []*store.KVPair{}
-	for _, kvPair := range s.KVPairs {
-		if strings.HasPrefix(kvPair.Key, prefix) && !strings.ContainsAny(strings.TrimPrefix(kvPair.Key, prefix), "/") {
-			kv = append(kv, kvPair)
-		}
-	}
-	return kv, nil
-}
-
-// DeleteTree mock
-func (s *Mock) DeleteTree(prefix string) error {
-	return errors.New("DeleteTree not supported")
-}
-
-// AtomicPut mock
-func (s *Mock) AtomicPut(key string, value []byte, previous *store.KVPair, opts *store.WriteOptions) (bool, *store.KVPair, error) {
-	return false, nil, errors.New("AtomicPut not supported")
-}
-
-// AtomicDelete mock
-func (s *Mock) AtomicDelete(key string, previous *store.KVPair) (bool, error) {
-	return false, errors.New("AtomicDelete not supported")
-}
-
-// Close mock
-func (s *Mock) Close() {}
-
 func TestKVLoadConfig(t *testing.T) {
 	provider := &Provider{
 		Prefix: "traefik",
@@ -463,3 +368,55 @@ func TestKVLoadConfig(t *testing.T) {
 		t.Fatalf("expected %+v, got %+v", expected.Frontends, actual.Frontends)
 	}
 }
+
+func TestKVHasStickinessLabel(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		KVPairs  []*store.KVPair
+		expected bool
+	}{
+		{
+			desc:     "without option",
+			expected: false,
+		},
+		{
+			desc: "with cookie name without stickiness=true",
+			KVPairs: []*store.KVPair{
+				{
+					Key:   "loadbalancer/stickiness/cookiename",
+					Value: []byte("foo"),
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "stickiness=true",
+			KVPairs: []*store.KVPair{
+				{
+					Key:   "loadbalancer/stickiness",
+					Value: []byte("true"),
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			p := &Provider{
+				kvclient: &Mock{
+					KVPairs: test.KVPairs,
+				},
+			}
+
+			actual := p.hasStickinessLabel("")
+
+			if actual != test.expected {
+				t.Fatalf("expected %v, got %v", test.expected, actual)
+			}
+		})
+	}
+}

provider/marathon/marathon.go

@@ -53,18 +53,18 @@ var servicesPropertiesRegexp = regexp.MustCompile(`^traefik\.(?P<service_name>.+
 // Provider holds configuration of the provider.
 type Provider struct {
 	provider.BaseProvider
-	Endpoint                string           `description:"Marathon server endpoint. You can also specify multiple endpoint for Marathon"`
-	Domain                  string           `description:"Default domain used"`
-	ExposedByDefault        bool             `description:"Expose Marathon apps by default"`
-	GroupsAsSubDomains      bool             `description:"Convert Marathon groups to subdomains"`
-	DCOSToken               string           `description:"DCOSToken for DCOS environment, This will override the Authorization header"`
-	MarathonLBCompatibility bool             `description:"Add compatibility with marathon-lb labels"`
-	TLS                     *types.ClientTLS `description:"Enable Docker TLS support"`
-	DialerTimeout           flaeg.Duration   `description:"Set a non-default connection timeout for Marathon"`
-	KeepAlive               flaeg.Duration   `description:"Set a non-default TCP Keep Alive time in seconds"`
-	ForceTaskHostname       bool             `description:"Force to use the task's hostname."`
-	Basic                   *Basic           `description:"Enable basic authentication"`
-	RespectReadinessChecks  bool             `description:"Filter out tasks with non-successful readiness checks during deployments"`
+	Endpoint                string           `description:"Marathon server endpoint. You can also specify multiple endpoint for Marathon" export:"true"`
+	Domain                  string           `description:"Default domain used" export:"true"`
+	ExposedByDefault        bool             `description:"Expose Marathon apps by default" export:"true"`
+	GroupsAsSubDomains      bool             `description:"Convert Marathon groups to subdomains" export:"true"`
+	DCOSToken               string           `description:"DCOSToken for DCOS environment, This will override the Authorization header" export:"true"`
+	MarathonLBCompatibility bool             `description:"Add compatibility with marathon-lb labels" export:"true"`
+	TLS                     *types.ClientTLS `description:"Enable Docker TLS support" export:"true"`
+	DialerTimeout           flaeg.Duration   `description:"Set a non-default connection timeout for Marathon" export:"true"`
+	KeepAlive               flaeg.Duration   `description:"Set a non-default TCP Keep Alive time in seconds" export:"true"`
+	ForceTaskHostname       bool             `description:"Force to use the task's hostname." export:"true"`
+	Basic                   *Basic           `description:"Enable basic authentication" export:"true"`
+	RespectReadinessChecks  bool             `description:"Filter out tasks with non-successful readiness checks during deployments" export:"true"`
 	readyChecker            *readinessChecker
 	marathonClient          marathon.Marathon
 }
@@ -189,6 +189,8 @@ func (p *Provider) loadMarathonConfig() *types.Configuration {
 		"getLoadBalancerMethod":       p.getLoadBalancerMethod,
 		"getCircuitBreakerExpression": p.getCircuitBreakerExpression,
 		"getSticky":                   p.getSticky,
+		"hasStickinessLabel":          p.hasStickinessLabel,
+		"getStickinessCookieName":     p.getStickinessCookieName,
 		"hasHealthCheckLabels":        p.hasHealthCheckLabels,
 		"getHealthCheckPath":          p.getHealthCheckPath,
 		"getHealthCheckInterval":      p.getHealthCheckInterval,
@@ -430,11 +432,24 @@ func (p *Provider) getProtocol(application marathon.Application, serviceName str
 
 func (p *Provider) getSticky(application marathon.Application) string {
 	if sticky, ok := p.getAppLabel(application, types.LabelBackendLoadbalancerSticky); ok {
+		log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
 		return sticky
 	}
 	return "false"
 }
 
+func (p *Provider) hasStickinessLabel(application marathon.Application) bool {
+	labelStickiness, okStickiness := p.getAppLabel(application, types.LabelBackendLoadbalancerStickiness)
+	return okStickiness && len(labelStickiness) > 0 && strings.EqualFold(strings.TrimSpace(labelStickiness), "true")
+}
+
+func (p *Provider) getStickinessCookieName(application marathon.Application) string {
+	if label, ok := p.getAppLabel(application, types.LabelBackendLoadbalancerStickinessCookieName); ok {
+		return label
+	}
+	return ""
+}
+
 func (p *Provider) getPassHostHeader(application marathon.Application, serviceName string) string {
 	if passHostHeader, ok := p.getLabel(application, types.LabelFrontendPassHostHeader, serviceName); ok {
 		return passHostHeader

provider/marathon/marathon_test.go

@@ -854,9 +854,8 @@ func TestMarathonGetProtocol(t *testing.T) {
 		})
 	}
 }
-
 func TestMarathonGetSticky(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
 		desc        string
 		application marathon.Application
 		expected    string
@@ -873,14 +872,51 @@ func TestMarathonGetSticky(t *testing.T) {
 		},
 	}
 
-	for _, c := range cases {
-		c := c
-		t.Run(c.desc, func(t *testing.T) {
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			provider := &Provider{}
-			actual := provider.getSticky(c.application)
-			if actual != c.expected {
-				t.Errorf("actual %q, expected %q", actual, c.expected)
+			actual := provider.getSticky(test.application)
+			if actual != test.expected {
+				t.Errorf("actual %q, expected %q", actual, test.expected)
+			}
+		})
+	}
+}
+
+func TestMarathonHasStickinessLabel(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		application marathon.Application
+		expected    bool
+	}{
+		{
+			desc:        "label missing",
+			application: application(),
+			expected:    false,
+		},
+		{
+			desc:        "stickiness=true",
+			application: application(label(types.LabelBackendLoadbalancerStickiness, "true")),
+			expected:    true,
+		},
+		{
+			desc:        "stickiness=false ",
+			application: application(label(types.LabelBackendLoadbalancerStickiness, "true")),
+			expected:    true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			provider := &Provider{}
+			actual := provider.hasStickinessLabel(test.application)
+			if actual != test.expected {
+				t.Errorf("actual %q, expected %q", actual, test.expected)
 			}
 		})
 	}

provider/mesos/mesos.go

@@ -32,12 +32,12 @@ type Provider struct {
 	provider.BaseProvider
 	Endpoint           string `description:"Mesos server endpoint. You can also specify multiple endpoint for Mesos"`
 	Domain             string `description:"Default domain used"`
-	ExposedByDefault   bool   `description:"Expose Mesos apps by default"`
-	GroupsAsSubDomains bool   `description:"Convert Mesos groups to subdomains"`
-	ZkDetectionTimeout int    `description:"Zookeeper timeout (in seconds)"`
-	RefreshSeconds     int    `description:"Polling interval (in seconds)"`
-	IPSources          string `description:"IPSources (e.g. host, docker, mesos, rkt)"` // e.g. "host", "docker", "mesos", "rkt"
-	StateTimeoutSecond int    `description:"HTTP Timeout (in seconds)"`
+	ExposedByDefault   bool   `description:"Expose Mesos apps by default" export:"true"`
+	GroupsAsSubDomains bool   `description:"Convert Mesos groups to subdomains" export:"true"`
+	ZkDetectionTimeout int    `description:"Zookeeper timeout (in seconds)" export:"true"`
+	RefreshSeconds     int    `description:"Polling interval (in seconds)" export:"true"`
+	IPSources          string `description:"IPSources (e.g. host, docker, mesos, rkt)" export:"true"`
+	StateTimeoutSecond int    `description:"HTTP Timeout (in seconds)" export:"true"`
 	Masters            []string
 }
 

provider/provider.go

@@ -24,17 +24,17 @@ type Provider interface {
 
 // BaseProvider should be inherited by providers
 type BaseProvider struct {
-	Watch                     bool              `description:"Watch provider"`
-	Filename                  string            `description:"Override default configuration template. For advanced users :)"`
-	Constraints               types.Constraints `description:"Filter services by constraint, matching with Traefik tags."`
-	Trace                     bool              `description:"Display additional provider logs (if available)."`
-	DebugLogGeneratedTemplate bool              `description:"Enable debug logging of generated configuration template."`
+	Watch                     bool              `description:"Watch provider" export:"true"`
+	Filename                  string            `description:"Override default configuration template. For advanced users :)" export:"true"`
+	Constraints               types.Constraints `description:"Filter services by constraint, matching with Traefik tags." export:"true"`
+	Trace                     bool              `description:"Display additional provider logs (if available)." export:"true"`
+	DebugLogGeneratedTemplate bool              `description:"Enable debug logging of generated configuration template." export:"true"`
 }
 
 // MatchConstraints must match with EVERY single contraint
 // returns first constraint that do not match or nil
 func (p *BaseProvider) MatchConstraints(tags []string) (bool, *types.Constraint) {
-	// if there is no tags and no contraints, filtering is disabled
+	// if there is no tags and no constraints, filtering is disabled
 	if len(tags) == 0 && len(p.Constraints) == 0 {
 		return true, nil
 	}

provider/rancher/metadata.go

@@ -85,7 +85,7 @@ func (p *Provider) intervalPoll(client rancher.Client, updateConfiguration func(
 	_, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ticker := time.NewTicker(time.Duration(p.RefreshSeconds))
+	ticker := time.NewTicker(time.Second * time.Duration(p.RefreshSeconds))
 	defer ticker.Stop()
 
 	var version string

provider/rancher/rancher.go

@@ -18,14 +18,14 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	provider.BaseProvider     `mapstructure:",squash"`
-	APIConfiguration          `mapstructure:",squash"` // Provide backwards compatibility
-	API                       *APIConfiguration        `description:"Enable the Rancher API provider"`
-	Metadata                  *MetadataConfiguration   `description:"Enable the Rancher metadata service provider"`
-	Domain                    string                   `description:"Default domain used"`
-	RefreshSeconds            int                      `description:"Polling interval (in seconds)"`
-	ExposedByDefault          bool                     `description:"Expose services by default"`
-	EnableServiceHealthFilter bool                     `description:"Filter services with unhealthy states and inactive states"`
+	provider.BaseProvider     `mapstructure:",squash" export:"true"`
+	APIConfiguration          `mapstructure:",squash" export:"true"` // Provide backwards compatibility
+	API                       *APIConfiguration                      `description:"Enable the Rancher API provider" export:"true"`
+	Metadata                  *MetadataConfiguration                 `description:"Enable the Rancher metadata service provider" export:"true"`
+	Domain                    string                                 `description:"Default domain used"`
+	RefreshSeconds            int                                    `description:"Polling interval (in seconds)" export:"true"`
+	ExposedByDefault          bool                                   `description:"Expose services by default" export:"true"`
+	EnableServiceHealthFilter bool                                   `description:"Filter services with unhealthy states and inactive states" export:"true"`
 }
 
 type rancherData struct {
@@ -92,10 +92,10 @@ func (p *Provider) getLoadBalancerMethod(service rancherData) string {
 func (p *Provider) hasLoadBalancerLabel(service rancherData) bool {
 	_, errMethod := getServiceLabel(service, types.LabelBackendLoadbalancerMethod)
 	_, errSticky := getServiceLabel(service, types.LabelBackendLoadbalancerSticky)
-	if errMethod != nil && errSticky != nil {
-		return false
-	}
-	return true
+	_, errStickiness := getServiceLabel(service, types.LabelBackendLoadbalancerStickiness)
+	_, errCookieName := getServiceLabel(service, types.LabelBackendLoadbalancerStickinessCookieName)
+
+	return errMethod == nil || errSticky == nil || errStickiness == nil || errCookieName == nil
 }
 
 func (p *Provider) hasCircuitBreakerLabel(service rancherData) bool {
@@ -114,11 +114,25 @@ func (p *Provider) getCircuitBreakerExpression(service rancherData) string {
 
 func (p *Provider) getSticky(service rancherData) string {
 	if _, err := getServiceLabel(service, types.LabelBackendLoadbalancerSticky); err == nil {
+		log.Warnf("Deprecated configuration found: %s. Please use %s.", types.LabelBackendLoadbalancerSticky, types.LabelBackendLoadbalancerStickiness)
 		return "true"
 	}
 	return "false"
 }
 
+func (p *Provider) hasStickinessLabel(service rancherData) bool {
+	labelStickiness, errStickiness := getServiceLabel(service, types.LabelBackendLoadbalancerStickiness)
+
+	return errStickiness == nil && len(labelStickiness) > 0 && strings.EqualFold(strings.TrimSpace(labelStickiness), "true")
+}
+
+func (p *Provider) getStickinessCookieName(service rancherData, backendName string) string {
+	if label, err := getServiceLabel(service, types.LabelBackendLoadbalancerStickinessCookieName); err == nil {
+		return label
+	}
+	return ""
+}
+
 func (p *Provider) getBackend(service rancherData) string {
 	if label, err := getServiceLabel(service, types.LabelBackend); err == nil {
 		return provider.Normalize(label)
@@ -223,6 +237,8 @@ func (p *Provider) loadRancherConfig(services []rancherData) *types.Configuratio
 		"getMaxConnAmount":            p.getMaxConnAmount,
 		"getMaxConnExtractorFunc":     p.getMaxConnExtractorFunc,
 		"getSticky":                   p.getSticky,
+		"hasStickinessLabel":          p.hasStickinessLabel,
+		"getStickinessCookieName":     p.getStickinessCookieName,
 	}
 
 	// filter services

provider/rancher/rancher_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestRancherServiceFilter(t *testing.T) {
@@ -597,3 +598,53 @@ func TestRancherLoadRancherConfig(t *testing.T) {
 		}
 	}
 }
+
+func TestRancherHasStickinessLabel(t *testing.T) {
+	provider := &Provider{
+		Domain: "rancher.localhost",
+	}
+
+	testCases := []struct {
+		desc     string
+		service  rancherData
+		expected bool
+	}{
+		{
+			desc: "no labels",
+			service: rancherData{
+				Name: "test-service",
+			},
+			expected: false,
+		},
+		{
+			desc: "stickiness=true",
+			service: rancherData{
+				Name: "test-service",
+				Labels: map[string]string{
+					types.LabelBackendLoadbalancerStickiness: "true",
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "stickiness=true",
+			service: rancherData{
+				Name: "test-service",
+				Labels: map[string]string{
+					types.LabelBackendLoadbalancerStickiness: "false",
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.hasStickinessLabel(test.service)
+			assert.Equal(t, actual, test.expected)
+		})
+	}
+}

provider/web/web.go

@@ -25,15 +25,15 @@ import (
 
 // Provider is a provider.Provider implementation that provides the UI
 type Provider struct {
-	Address               string            `description:"Web administration port"`
-	CertFile              string            `description:"SSL certificate"`
-	KeyFile               string            `description:"SSL certificate"`
-	ReadOnly              bool              `description:"Enable read only API"`
-	Statistics            *types.Statistics `description:"Enable more detailed statistics"`
-	Metrics               *types.Metrics    `description:"Enable a metrics exporter"`
+	Address               string            `description:"Web administration port" export:"true"`
+	CertFile              string            `description:"SSL certificate" export:"true"`
+	KeyFile               string            `description:"SSL certificate" export:"true"`
+	ReadOnly              bool              `description:"Enable read only API" export:"true"`
+	Statistics            *types.Statistics `description:"Enable more detailed statistics" export:"true"`
+	Metrics               *types.Metrics    `description:"Enable a metrics exporter" export:"true"`
 	Path                  string            `description:"Root path for dashboard and API"`
-	Auth                  *types.Auth
-	Debug                 bool
+	Auth                  *types.Auth       `export:"true"`
+	Debug                 bool              `export:"true"`
 	CurrentConfigurations *safe.Safe
 	Stats                 *thoas_stats.Stats
 	StatsRecorder         *middlewares.StatsRecorder

provider/zk/zk.go

@@ -15,7 +15,7 @@ var _ provider.Provider = (*Provider)(nil)
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	kv.Provider `mapstructure:",squash"`
+	kv.Provider `mapstructure:",squash" export:"true"`
 }
 
 // Provide allows the zk provider to Provide configurations to traefik

server/cookie/cookie.go

@@ -0,0 +1,57 @@
+package cookie
+
+import (
+	"crypto/sha1"
+	"fmt"
+	"strings"
+
+	"github.com/containous/traefik/log"
+)
+
+const cookieNameLength = 6
+
+// GetName of a cookie
+func GetName(cookieName string, backendName string) string {
+	if len(cookieName) != 0 {
+		return sanitizeName(cookieName)
+	}
+
+	return GenerateName(backendName)
+}
+
+// GenerateName Generate a hashed name
+func GenerateName(backendName string) string {
+	data := []byte("_TRAEFIK_BACKEND_" + backendName)
+
+	hash := sha1.New()
+	_, err := hash.Write(data)
+	if err != nil {
+		// Impossible case
+		log.Errorf("Fail to create cookie name: %v", err)
+	}
+
+	return fmt.Sprintf("_%x", hash.Sum(nil))[:cookieNameLength]
+}
+
+// sanitizeName According to [RFC 2616](https://www.ietf.org/rfc/rfc2616.txt) section 2.2
+func sanitizeName(backend string) string {
+	sanitizer := func(r rune) rune {
+		switch r {
+		case '!', '#', '$', '%', '&', '\'', '*', '+', '-', '.', '^', '`', '|', '~':
+			return r
+		}
+
+		switch {
+		case 'a' <= r && r <= 'z':
+			fallthrough
+		case 'A' <= r && r <= 'Z':
+			fallthrough
+		case '0' <= r && r <= '9':
+			return r
+		default:
+			return '_'
+		}
+	}
+
+	return strings.Map(sanitizer, backend)
+}

server/cookie/cookie_test.go

@@ -0,0 +1,83 @@
+package cookie
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetName(t *testing.T) {
+	testCases := []struct {
+		desc               string
+		cookieName         string
+		backendName        string
+		expectedCookieName string
+	}{
+		{
+			desc:               "with backend name, without cookie name",
+			cookieName:         "",
+			backendName:        "/my/BACKEND-v1.0~rc1",
+			expectedCookieName: "_5f7bc",
+		},
+		{
+			desc:               "without backend name, with cookie name",
+			cookieName:         "/my/BACKEND-v1.0~rc1",
+			backendName:        "",
+			expectedCookieName: "_my_BACKEND-v1.0~rc1",
+		},
+		{
+			desc:               "with backend name, with cookie name",
+			cookieName:         "containous",
+			backendName:        "treafik",
+			expectedCookieName: "containous",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			cookieName := GetName(test.cookieName, test.backendName)
+
+			assert.Equal(t, test.expectedCookieName, cookieName)
+		})
+	}
+}
+
+func Test_sanitizeName(t *testing.T) {
+	testCases := []struct {
+		desc         string
+		srcName      string
+		expectedName string
+	}{
+		{
+			desc:         "with /",
+			srcName:      "/my/BACKEND-v1.0~rc1",
+			expectedName: "_my_BACKEND-v1.0~rc1",
+		},
+		{
+			desc:         "some chars",
+			srcName:      "!#$%&'()*+-./:<=>?@[]^_`{|}~",
+			expectedName: "!#$%&'__*+-._________^_`_|_~",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			cookieName := sanitizeName(test.srcName)
+
+			assert.Equal(t, test.expectedName, cookieName, "Cookie name")
+		})
+	}
+}
+
+func TestGenerateName(t *testing.T) {
+	cookieName := GenerateName("containous")
+
+	assert.Len(t, "_8a7bc", 6)
+	assert.Equal(t, "_8a7bc", cookieName)
+}

server/header_rewriter.go

@@ -0,0 +1,51 @@
+package server
+
+import (
+	"net"
+	"net/http"
+	"os"
+
+	"github.com/containous/traefik/whitelist"
+	"github.com/vulcand/oxy/forward"
+)
+
+// NewHeaderRewriter Create a header rewriter
+func NewHeaderRewriter(trustedIPs []string, insecure bool) (forward.ReqRewriter, error) {
+	IPs, err := whitelist.NewIP(trustedIPs, insecure)
+	if err != nil {
+		return nil, err
+	}
+
+	h, err := os.Hostname()
+	if err != nil {
+		h = "localhost"
+	}
+
+	return &headerRewriter{
+		secureRewriter:   &forward.HeaderRewriter{TrustForwardHeader: true, Hostname: h},
+		insecureRewriter: &forward.HeaderRewriter{TrustForwardHeader: false, Hostname: h},
+		ips:              IPs,
+		insecure:         insecure,
+	}, nil
+}
+
+type headerRewriter struct {
+	secureRewriter   forward.ReqRewriter
+	insecureRewriter forward.ReqRewriter
+	insecure         bool
+	ips              *whitelist.IP
+}
+
+func (h *headerRewriter) Rewrite(req *http.Request) {
+	clientIP, _, err := net.SplitHostPort(req.RemoteAddr)
+	if err != nil {
+		h.secureRewriter.Rewrite(req)
+	}
+
+	authorized, _, err := h.ips.Contains(clientIP)
+	if h.insecure || authorized {
+		h.secureRewriter.Rewrite(req)
+	} else {
+		h.insecureRewriter.Rewrite(req)
+	}
+}

server/server.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -30,7 +31,9 @@ import (
 	mauth "github.com/containous/traefik/middlewares/auth"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/server/cookie"
 	"github.com/containous/traefik/types"
+	"github.com/containous/traefik/whitelist"
 	"github.com/streamrail/concurrent-map"
 	thoas_stats "github.com/thoas/stats"
 	"github.com/urfave/negroni"
@@ -127,7 +130,7 @@ func NewServer(globalConfiguration configuration.GlobalConfiguration) *Server {
 // behaviour and backwards compatibility issues.
 func createHTTPTransport(globalConfiguration configuration.GlobalConfiguration) *http.Transport {
 	dialer := &net.Dialer{
-		Timeout:   30 * time.Second,
+		Timeout:   configuration.DefaultDialTimeout,
 		KeepAlive: 30 * time.Second,
 		DualStack: true,
 	}
@@ -153,8 +156,8 @@ func createHTTPTransport(globalConfiguration configuration.GlobalConfiguration)
 		transport.TLSClientConfig = &tls.Config{
 			RootCAs: createRootCACertPool(globalConfiguration.RootCAs),
 		}
-		http2.ConfigureTransport(transport)
 	}
+	http2.ConfigureTransport(transport)
 
 	return transport
 }
@@ -334,11 +337,11 @@ func (server *Server) listenProviders(stop chan bool) {
 				lastReceivedConfigurationValue := lastReceivedConfiguration.Get().(time.Time)
 				providersThrottleDuration := time.Duration(server.globalConfiguration.ProvidersThrottleDuration)
 				if time.Now().After(lastReceivedConfigurationValue.Add(providersThrottleDuration)) {
-					log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration.String())
+					log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
 					// last config received more than n s ago
 					server.configurationValidatedChan <- configMsg
 				} else {
-					log.Debugf("Last %s config received less than %s, waiting...", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration.String())
+					log.Debugf("Last %s config received less than %s, waiting...", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
 					safe.Go(func() {
 						<-time.After(providersThrottleDuration)
 						lastReceivedConfigurationValue := lastReceivedConfiguration.Get().(time.Time)
@@ -651,8 +654,22 @@ func (server *Server) prepareServer(entryPointName string, entryPoint *configura
 		return nil, nil, err
 	}
 
-	if entryPoint.ProxyProtocol {
-		listener = &proxyproto.Listener{Listener: listener}
+	if entryPoint.ProxyProtocol != nil {
+		IPs, err := whitelist.NewIP(entryPoint.ProxyProtocol.TrustedIPs, entryPoint.ProxyProtocol.Insecure)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Error creating whitelist: %s", err)
+		}
+		log.Infof("Enabling ProxyProtocol for trusted IPs %v", entryPoint.ProxyProtocol.TrustedIPs)
+		listener = &proxyproto.Listener{
+			Listener: listener,
+			SourceCheck: func(addr net.Addr) (bool, error) {
+				ip, ok := addr.(*net.TCPAddr)
+				if !ok {
+					return false, fmt.Errorf("Type error %v", addr)
+				}
+				return IPs.ContainsIP(ip.IP)
+			},
+		}
 	}
 
 	return &http.Server{
@@ -675,14 +692,13 @@ func buildServerTimeouts(globalConfig configuration.GlobalConfiguration) (readTi
 		writeTimeout = time.Duration(globalConfig.RespondingTimeouts.WriteTimeout)
 	}
 
-	// When RespondingTimeouts.IdleTimout is configured, always use that setting
-	if globalConfig.RespondingTimeouts != nil {
-		idleTimeout = time.Duration(globalConfig.RespondingTimeouts.IdleTimeout)
-	} else if globalConfig.IdleTimeout != 0 {
-		// Backwards compatibility for deprecated IdleTimeout
+	// Prefer legacy idle timeout parameter for backwards compatibility reasons
+	if globalConfig.IdleTimeout > 0 {
 		idleTimeout = time.Duration(globalConfig.IdleTimeout)
+		log.Warn("top-level idle timeout configuration has been deprecated -- please use responding timeouts")
+	} else if globalConfig.RespondingTimeouts != nil {
+		idleTimeout = time.Duration(globalConfig.RespondingTimeouts.IdleTimeout)
 	} else {
-		// Default value if neither the deprecated IdleTimeout nor the new RespondingTimeouts.IdleTimout are configured
 		idleTimeout = time.Duration(configuration.DefaultIdleTimeout)
 	}
 
@@ -790,11 +806,19 @@ func (server *Server) loadConfig(configurations types.Configurations, globalConf
 						continue frontend
 					}
 
+					rewriter, err := NewHeaderRewriter(entryPoint.ForwardedHeaders.TrustedIPs, entryPoint.ForwardedHeaders.Insecure)
+					if err != nil {
+						log.Errorf("Error creating rewriter for frontend %s: %v", frontendName, err)
+						log.Errorf("Skipping frontend %s...", frontendName)
+						continue frontend
+					}
+
 					fwd, err := forward.New(
 						forward.Logger(oxyLogger),
 						forward.PassHostHeader(frontend.PassHostHeader),
 						forward.RoundTripper(roundTripper),
 						forward.ErrorHandler(errorHandler),
+						forward.Rewriter(rewriter),
 					)
 
 					if err != nil {
@@ -826,11 +850,10 @@ func (server *Server) loadConfig(configurations types.Configurations, globalConf
 						continue frontend
 					}
 
-					stickySession := config.Backends[frontend.Backend].LoadBalancer.Sticky
-					cookieName := "_TRAEFIK_BACKEND_" + frontend.Backend
 					var sticky *roundrobin.StickySession
-
-					if stickySession {
+					var cookieName string
+					if stickiness := config.Backends[frontend.Backend].LoadBalancer.Stickiness; stickiness != nil {
+						cookieName = cookie.GetName(stickiness.CookieName, frontend.Backend)
 						sticky = roundrobin.NewStickySession(cookieName)
 					}
 
@@ -839,7 +862,7 @@ func (server *Server) loadConfig(configurations types.Configurations, globalConf
 					case types.Drr:
 						log.Debugf("Creating load-balancer drr")
 						rebalancer, _ := roundrobin.NewRebalancer(rr, roundrobin.RebalancerLogger(oxyLogger))
-						if stickySession {
+						if sticky != nil {
 							log.Debugf("Sticky session with cookie %v", cookieName)
 							rebalancer, _ = roundrobin.NewRebalancer(rr, roundrobin.RebalancerLogger(oxyLogger), roundrobin.RebalancerStickySession(sticky))
 						}
@@ -856,7 +879,7 @@ func (server *Server) loadConfig(configurations types.Configurations, globalConf
 						lb = middlewares.NewEmptyBackendHandler(rebalancer, lb)
 					case types.Wrr:
 						log.Debugf("Creating load-balancer wrr")
-						if stickySession {
+						if sticky != nil {
 							log.Debugf("Sticky session with cookie %v", cookieName)
 							if server.accessLoggerMiddleware != nil {
 								rr, _ = roundrobin.New(saveFrontend, roundrobin.EnableStickySession(sticky))
@@ -1149,17 +1172,37 @@ func (server *Server) configureFrontends(frontends map[string]*types.Frontend) {
 }
 
 func (*Server) configureBackends(backends map[string]*types.Backend) {
-	for backendName, backend := range backends {
+	for backendName := range backends {
+		backend := backends[backendName]
+		if backend.LoadBalancer != nil && backend.LoadBalancer.Sticky {
+			log.Warnf("Deprecated configuration found: %s. Please use %s.", "backend.LoadBalancer.Sticky", "backend.LoadBalancer.Stickiness")
+		}
+
 		_, err := types.NewLoadBalancerMethod(backend.LoadBalancer)
-		if err != nil {
+		if err == nil {
+			if backend.LoadBalancer != nil && backend.LoadBalancer.Stickiness == nil && backend.LoadBalancer.Sticky {
+				backend.LoadBalancer.Stickiness = &types.Stickiness{
+					CookieName: "_TRAEFIK_BACKEND",
+				}
+			}
+		} else {
 			log.Debugf("Validation of load balancer method for backend %s failed: %s. Using default method wrr.", backendName, err)
-			var sticky bool
+
+			var stickiness *types.Stickiness
 			if backend.LoadBalancer != nil {
-				sticky = backend.LoadBalancer.Sticky
+				if backend.LoadBalancer.Stickiness == nil {
+					if backend.LoadBalancer.Sticky {
+						stickiness = &types.Stickiness{
+							CookieName: "_TRAEFIK_BACKEND",
+						}
+					}
+				} else {
+					stickiness = backend.LoadBalancer.Stickiness
+				}
 			}
 			backend.LoadBalancer = &types.LoadBalancer{
-				Method: "wrr",
-				Sticky: sticky,
+				Method:     "wrr",
+				Stickiness: stickiness,
 			}
 		}
 	}

server/server_test.go

@@ -83,7 +83,7 @@ func TestPrepareServerTimeouts(t *testing.T) {
 					IdleTimeout: flaeg.Duration(80 * time.Second),
 				},
 			},
-			wantIdleTimeout:  time.Duration(80 * time.Second),
+			wantIdleTimeout:  time.Duration(45 * time.Second),
 			wantReadTimeout:  time.Duration(0 * time.Second),
 			wantWriteTimeout: time.Duration(0 * time.Second),
 		},
@@ -96,7 +96,10 @@ func TestPrepareServerTimeouts(t *testing.T) {
 			t.Parallel()
 
 			entryPointName := "http"
-			entryPoint := &configuration.EntryPoint{Address: "localhost:0"}
+			entryPoint := &configuration.EntryPoint{
+				Address:          "localhost:0",
+				ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
+			}
 			router := middlewares.NewHandlerSwitcher(mux.NewRouter())
 
 			srv := NewServer(test.globalConfig)
@@ -210,7 +213,9 @@ func TestServerLoadConfigHealthCheckOptions(t *testing.T) {
 			t.Run(fmt.Sprintf("%s/hc=%t", lbMethod, healthCheck != nil), func(t *testing.T) {
 				globalConfig := configuration.GlobalConfiguration{
 					EntryPoints: configuration.EntryPoints{
-						"http": &configuration.EntryPoint{},
+						"http": &configuration.EntryPoint{
+							ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
+						},
 					},
 					HealthCheck: &configuration.HealthCheckConfig{Interval: flaeg.Duration(5 * time.Second)},
 				}
@@ -355,7 +360,7 @@ func TestNewServerWithWhitelistSourceRange(t *testing.T) {
 				"foo",
 			},
 			middlewareConfigured: false,
-			errMessage:           "parsing CIDR whitelist <nil>: invalid CIDR address: foo",
+			errMessage:           "parsing CIDR whitelist [foo]: parsing CIDR whitelist <nil>: invalid CIDR address: foo",
 		},
 	}
 
@@ -383,7 +388,7 @@ func TestNewServerWithWhitelistSourceRange(t *testing.T) {
 func TestServerLoadConfigEmptyBasicAuth(t *testing.T) {
 	globalConfig := configuration.GlobalConfiguration{
 		EntryPoints: configuration.EntryPoints{
-			"http": &configuration.EntryPoint{},
+			"http": &configuration.EntryPoint{ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true}},
 		},
 	}
 
@@ -422,52 +427,49 @@ func TestConfigureBackends(t *testing.T) {
 	defaultMethod := "wrr"
 
 	tests := []struct {
-		desc       string
-		lb         *types.LoadBalancer
-		wantMethod string
-		wantSticky bool
+		desc           string
+		lb             *types.LoadBalancer
+		wantMethod     string
+		wantStickiness *types.Stickiness
 	}{
 		{
 			desc: "valid load balancer method with sticky enabled",
 			lb: &types.LoadBalancer{
-				Method: validMethod,
-				Sticky: true,
+				Method:     validMethod,
+				Stickiness: &types.Stickiness{},
 			},
-			wantMethod: validMethod,
-			wantSticky: true,
+			wantMethod:     validMethod,
+			wantStickiness: &types.Stickiness{},
 		},
 		{
 			desc: "valid load balancer method with sticky disabled",
 			lb: &types.LoadBalancer{
-				Method: validMethod,
-				Sticky: false,
+				Method:     validMethod,
+				Stickiness: nil,
 			},
 			wantMethod: validMethod,
-			wantSticky: false,
 		},
 		{
 			desc: "invalid load balancer method with sticky enabled",
 			lb: &types.LoadBalancer{
-				Method: "Invalid",
-				Sticky: true,
+				Method:     "Invalid",
+				Stickiness: &types.Stickiness{},
 			},
-			wantMethod: defaultMethod,
-			wantSticky: true,
+			wantMethod:     defaultMethod,
+			wantStickiness: &types.Stickiness{},
 		},
 		{
 			desc: "invalid load balancer method with sticky disabled",
 			lb: &types.LoadBalancer{
-				Method: "Invalid",
-				Sticky: false,
+				Method:     "Invalid",
+				Stickiness: nil,
 			},
 			wantMethod: defaultMethod,
-			wantSticky: false,
 		},
 		{
 			desc:       "missing load balancer",
 			lb:         nil,
 			wantMethod: defaultMethod,
-			wantSticky: false,
 		},
 	}
 
@@ -485,8 +487,8 @@ func TestConfigureBackends(t *testing.T) {
 			})
 
 			wantLB := types.LoadBalancer{
-				Method: test.wantMethod,
-				Sticky: test.wantSticky,
+				Method:     test.wantMethod,
+				Stickiness: test.wantStickiness,
 			}
 			if !reflect.DeepEqual(*backend.LoadBalancer, wantLB) {
 				t.Errorf("got backend load-balancer\n%v\nwant\n%v\n", spew.Sdump(backend.LoadBalancer), spew.Sdump(wantLB))
@@ -495,7 +497,7 @@ func TestConfigureBackends(t *testing.T) {
 	}
 }
 
-func TestServerEntrypointWhitelistConfig(t *testing.T) {
+func TestServerEntryPointWhitelistConfig(t *testing.T) {
 	tests := []struct {
 		desc           string
 		entrypoint     *configuration.EntryPoint
@@ -504,7 +506,8 @@ func TestServerEntrypointWhitelistConfig(t *testing.T) {
 		{
 			desc: "no whitelist middleware if no config on entrypoint",
 			entrypoint: &configuration.EntryPoint{
-				Address: ":0",
+				Address:          ":0",
+				ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
 			},
 			wantMiddleware: false,
 		},
@@ -515,6 +518,7 @@ func TestServerEntrypointWhitelistConfig(t *testing.T) {
 				WhitelistSourceRange: []string{
 					"127.0.0.1/32",
 				},
+				ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
 			},
 			wantMiddleware: true,
 		},
@@ -539,7 +543,7 @@ func TestServerEntrypointWhitelistConfig(t *testing.T) {
 			handler := srvEntryPoint.httpServer.Handler.(*negroni.Negroni)
 			found := false
 			for _, handler := range handler.Handlers() {
-				if reflect.TypeOf(handler) == reflect.TypeOf((*middlewares.IPWhitelister)(nil)) {
+				if reflect.TypeOf(handler) == reflect.TypeOf((*middlewares.IPWhiteLister)(nil)) {
 					found = true
 				}
 			}
@@ -636,7 +640,7 @@ func TestServerResponseEmptyBackend(t *testing.T) {
 
 			globalConfig := configuration.GlobalConfiguration{
 				EntryPoints: configuration.EntryPoints{
-					"http": &configuration.EntryPoint{},
+					"http": &configuration.EntryPoint{ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true}},
 				},
 			}
 			dynamicConfigs := types.Configurations{"config": test.dynamicConfig(testServer.URL)}
@@ -719,6 +723,10 @@ func withServer(name, url string) func(backend *types.Backend) {
 
 func withLoadBalancer(method string, sticky bool) func(*types.Backend) {
 	return func(be *types.Backend) {
-		be.LoadBalancer = &types.LoadBalancer{Method: method, Sticky: sticky}
+		if sticky {
+			be.LoadBalancer = &types.LoadBalancer{Method: method, Stickiness: &types.Stickiness{CookieName: "test"}}
+		} else {
+			be.LoadBalancer = &types.LoadBalancer{Method: method}
+		}
 	}
 }

server/uuid/uuid.go

@@ -0,0 +1,14 @@
+package uuid
+
+import guuid "github.com/satori/go.uuid"
+
+var uuid string
+
+func init() {
+	uuid = guuid.NewV4().String()
+}
+
+// Get the instance UUID
+func Get() string {
+	return uuid
+}

templates/consul_catalog.tmpl

@@ -17,8 +17,12 @@
   {{end}}
 
   [backends."backend-{{$service}}".loadbalancer]
-    sticky = {{getAttribute "backend.loadbalancer.sticky" .Attributes "false"}}
     method = "{{getAttribute "backend.loadbalancer" .Attributes "wrr"}}"
+    sticky = {{getSticky .Attributes}}
+    {{if hasStickinessLabel .Attributes}}
+    [backends."backend-{{$service}}".loadbalancer.stickiness]
+      cookieName = "{{getStickinessCookieName .Attributes}}"
+    {{end}}
 
   {{if hasMaxconnAttributes .Attributes}}
   [backends."backend-{{$service}}".maxconn]

templates/docker.tmpl

@@ -9,6 +9,10 @@
     [backends.backend-{{$backendName}}.loadbalancer]
       method = "{{getLoadBalancerMethod $backend}}"
       sticky = {{getSticky $backend}}
+      {{if hasStickinessLabel $backend}}
+      [backends.backend-{{$backendName}}.loadBalancer.stickiness]
+        cookieName = "{{getStickinessCookieName $backend}}"
+      {{end}}
     {{end}}
 
     {{if hasMaxConnLabels $backend}}

templates/ecs.tmpl

@@ -1,7 +1,11 @@
 [backends]{{range $serviceName, $instances := .Services}}
   [backends.backend-{{ $serviceName }}.loadbalancer]
-    sticky = {{ getLoadBalancerSticky $instances}}
     method = "{{ getLoadBalancerMethod $instances}}"
+    sticky = {{ getLoadBalancerSticky $instances}}
+    {{if hasStickinessLabel $instances}} 
+    [backends.backend-{{ $serviceName }}.loadbalancer.stickiness]
+      cookieName = "{{getStickinessCookieName $instances}}"
+    {{end}}
 
   {{range $index, $i := $instances}}
     [backends.backend-{{ $i.Name }}.servers.server-{{ $i.Name }}{{ $i.ID }}]

templates/kubernetes.tmpl

@@ -7,7 +7,11 @@
     [backends."{{$backendName}}".loadbalancer]
       method = "{{$backend.LoadBalancer.Method}}"
       {{if $backend.LoadBalancer.Sticky}}
-          sticky = true
+      sticky = true
+      {{end}}
+      {{if $backend.LoadBalancer.Stickiness}}
+      [backends."{{$backendName}}".loadbalancer.stickiness]
+        cookieName = "{{$backend.LoadBalancer.Stickiness.CookieName}}"
       {{end}}
     {{range $serverName, $server := $backend.Servers}}
     [backends."{{$backendName}}".servers."{{$serverName}}"]

templates/kv.tmpl

@@ -3,25 +3,29 @@
 
 [backends]{{range $backends}}
 {{$backend := .}}
+{{$backendName := Last $backend}}
 {{$servers := ListServers $backend }}
 
 {{$circuitBreaker := Get "" . "/circuitbreaker/" "expression"}}
 {{with $circuitBreaker}}
-[backends."{{Last $backend}}".circuitBreaker]
+[backends."{{$backendName}}".circuitBreaker]
     expression = "{{$circuitBreaker}}"
 {{end}}
 
 {{$loadBalancer := Get "" . "/loadbalancer/" "method"}}
-{{$sticky := Get "false" . "/loadbalancer/" "sticky"}}
 {{with $loadBalancer}}
-[backends."{{Last $backend}}".loadBalancer]
+[backends."{{$backendName}}".loadBalancer]
     method = "{{$loadBalancer}}"
-    sticky = {{$sticky}}
+    sticky = {{ getSticky . }}
+    {{if hasStickinessLabel $backend}}
+    [backends."{{$backendName}}".loadBalancer.stickiness]
+      cookieName = {{getStickinessCookieName $backend}}
+    {{end}}
 {{end}}
 
 {{$healthCheck := Get "" . "/healthcheck/" "path"}}
 {{with $healthCheck}}
-[backends."{{Last $backend}}".healthCheck]
+[backends."{{$backendName}}".healthCheck]
     path = "{{$healthCheck}}"
     interval = "{{ Get "30s" $backend "/healthcheck/" "interval" }}"
 {{end}}
@@ -30,14 +34,14 @@
 {{$maxConnExtractorFunc := Get "" . "/maxconn/" "extractorfunc"}}
 {{with $maxConnAmt}}
 {{with $maxConnExtractorFunc}}
-[backends."{{Last $backend}}".maxConn]
+[backends."{{$backendName}}".maxConn]
     amount = {{$maxConnAmt}}
     extractorFunc = "{{$maxConnExtractorFunc}}"
 {{end}}
 {{end}}
 
 {{range $servers}}
-[backends."{{Last $backend}}".servers."{{Last .}}"]
+[backends."{{$backendName}}".servers."{{Last .}}"]
     url = "{{Get "" . "/url"}}"
     weight = {{Get "0"  . "/weight"}}
 {{end}}

templates/marathon.tmpl

@@ -21,6 +21,10 @@
       [backends."backend{{getBackend $app $serviceName }}".loadbalancer]
         method = "{{getLoadBalancerMethod $app }}"
         sticky = {{getSticky $app}}
+        {{if hasStickinessLabel $app}}
+        [backends."backend{{getBackend $app $serviceName }}".loadbalancer.stickiness]
+          cookieName = "{{getStickinessCookieName $app}}"
+        {{end}}
 {{end}}
 {{ if hasCircuitBreakerLabels $app }}
       [backends."backend{{getBackend $app $serviceName }}".circuitbreaker]

templates/rancher.tmpl

@@ -9,6 +9,10 @@
     [backends.backend-{{$backendName}}.loadbalancer]
       method = "{{getLoadBalancerMethod $backend}}"
       sticky = {{getSticky $backend}}
+      {{if hasStickinessLabel $backend}}
+      [backends.backend-{{$backendName}}.loadbalancer.stickiness]
+        cookieName = "{{getStickinessCookieName $backend}}"
+      {{end}}
     {{end}}
 
     {{if hasMaxConnLabels $backend}}

types/common_label.go

@@ -2,59 +2,36 @@ package types
 
 import "strings"
 
+// Traefik labels
 const (
-	// LabelPrefix Traefik label
-	LabelPrefix = "traefik."
-	// LabelDomain Traefik label
-	LabelDomain = LabelPrefix + "domain"
-	// LabelEnable Traefik label
-	LabelEnable = LabelPrefix + "enable"
-	// LabelPort Traefik label
-	LabelPort = LabelPrefix + "port"
-	// LabelPortIndex Traefik label
-	LabelPortIndex = LabelPrefix + "portIndex"
-	// LabelProtocol Traefik label
-	LabelProtocol = LabelPrefix + "protocol"
-	// LabelTags Traefik label
-	LabelTags = LabelPrefix + "tags"
-	// LabelWeight Traefik label
-	LabelWeight = LabelPrefix + "weight"
-	// LabelFrontendAuthBasic Traefik label
-	LabelFrontendAuthBasic = LabelPrefix + "frontend.auth.basic"
-	// LabelFrontendEntryPoints Traefik label
-	LabelFrontendEntryPoints = LabelPrefix + "frontend.entryPoints"
-	// LabelFrontendPassHostHeader Traefik label
-	LabelFrontendPassHostHeader = LabelPrefix + "frontend.passHostHeader"
-	// LabelFrontendPriority Traefik label
-	LabelFrontendPriority = LabelPrefix + "frontend.priority"
-	// LabelFrontendRule Traefik label
-	LabelFrontendRule = LabelPrefix + "frontend.rule"
-	// LabelFrontendRuleType Traefik label
-	LabelFrontendRuleType = LabelPrefix + "frontend.rule.type"
-	// LabelTraefikFrontendValue Traefik label
-	LabelTraefikFrontendValue = LabelPrefix + "frontend.value"
-	// LabelTraefikFrontendWhitelistSourceRange Traefik label
-	LabelTraefikFrontendWhitelistSourceRange = LabelPrefix + "frontend.whitelistSourceRange"
-	// LabelBackend Traefik label
-	LabelBackend = LabelPrefix + "backend"
-	// LabelBackendID Traefik label
-	LabelBackendID = LabelPrefix + "backend.id"
-	// LabelTraefikBackendCircuitbreaker Traefik label
-	LabelTraefikBackendCircuitbreaker = LabelPrefix + "backend.circuitbreaker"
-	// LabelBackendCircuitbreakerExpression Traefik label
-	LabelBackendCircuitbreakerExpression = LabelPrefix + "backend.circuitbreaker.expression"
-	// LabelBackendHealthcheckPath Traefik label
-	LabelBackendHealthcheckPath = LabelPrefix + "backend.healthcheck.path"
-	// LabelBackendHealthcheckInterval Traefik label
-	LabelBackendHealthcheckInterval = LabelPrefix + "backend.healthcheck.interval"
-	// LabelBackendLoadbalancerMethod Traefik label
-	LabelBackendLoadbalancerMethod = LabelPrefix + "backend.loadbalancer.method"
-	// LabelBackendLoadbalancerSticky Traefik label
-	LabelBackendLoadbalancerSticky = LabelPrefix + "backend.loadbalancer.sticky"
-	// LabelBackendMaxconnAmount Traefik label
-	LabelBackendMaxconnAmount = LabelPrefix + "backend.maxconn.amount"
-	// LabelBackendMaxconnExtractorfunc Traefik label
-	LabelBackendMaxconnExtractorfunc = LabelPrefix + "backend.maxconn.extractorfunc"
+	LabelPrefix                                  = "traefik."
+	LabelDomain                                  = LabelPrefix + "domain"
+	LabelEnable                                  = LabelPrefix + "enable"
+	LabelPort                                    = LabelPrefix + "port"
+	LabelPortIndex                               = LabelPrefix + "portIndex"
+	LabelProtocol                                = LabelPrefix + "protocol"
+	LabelTags                                    = LabelPrefix + "tags"
+	LabelWeight                                  = LabelPrefix + "weight"
+	LabelFrontendAuthBasic                       = LabelPrefix + "frontend.auth.basic"
+	LabelFrontendEntryPoints                     = LabelPrefix + "frontend.entryPoints"
+	LabelFrontendPassHostHeader                  = LabelPrefix + "frontend.passHostHeader"
+	LabelFrontendPriority                        = LabelPrefix + "frontend.priority"
+	LabelFrontendRule                            = LabelPrefix + "frontend.rule"
+	LabelFrontendRuleType                        = LabelPrefix + "frontend.rule.type"
+	LabelTraefikFrontendValue                    = LabelPrefix + "frontend.value"
+	LabelTraefikFrontendWhitelistSourceRange     = LabelPrefix + "frontend.whitelistSourceRange"
+	LabelBackend                                 = LabelPrefix + "backend"
+	LabelBackendID                               = LabelPrefix + "backend.id"
+	LabelTraefikBackendCircuitbreaker            = LabelPrefix + "backend.circuitbreaker"
+	LabelBackendCircuitbreakerExpression         = LabelPrefix + "backend.circuitbreaker.expression"
+	LabelBackendHealthcheckPath                  = LabelPrefix + "backend.healthcheck.path"
+	LabelBackendHealthcheckInterval              = LabelPrefix + "backend.healthcheck.interval"
+	LabelBackendLoadbalancerMethod               = LabelPrefix + "backend.loadbalancer.method"
+	LabelBackendLoadbalancerSticky               = LabelPrefix + "backend.loadbalancer.sticky"
+	LabelBackendLoadbalancerStickiness           = LabelPrefix + "backend.loadbalancer.stickiness"
+	LabelBackendLoadbalancerStickinessCookieName = LabelPrefix + "backend.loadbalancer.stickiness.cookieName"
+	LabelBackendMaxconnAmount                    = LabelPrefix + "backend.maxconn.amount"
+	LabelBackendMaxconnExtractorfunc             = LabelPrefix + "backend.maxconn.extractorfunc"
 )
 
 //ServiceLabel converts a key value of Label*, given a serviceName, into a pattern <LabelPrefix>.<serviceName>.<property>

types/types.go

@@ -33,8 +33,14 @@ type MaxConn struct {
 
 // LoadBalancer holds load balancing configuration.
 type LoadBalancer struct {
-	Method string `json:"method,omitempty"`
-	Sticky bool   `json:"sticky,omitempty"`
+	Method     string      `json:"method,omitempty"`
+	Sticky     bool        `json:"sticky,omitempty"` // Deprecated: use Stickiness instead
+	Stickiness *Stickiness `json:"stickiness,omitempty"`
+}
+
+// Stickiness holds sticky session configuration.
+type Stickiness struct {
+	CookieName string `json:"cookieName,omitempty"`
 }
 
 // CircuitBreaker holds circuit breaker configuration.
@@ -177,13 +183,13 @@ type ConfigMessage struct {
 	Configuration *Configuration
 }
 
-// Constraint hold a parsed constraint expresssion
+// Constraint hold a parsed constraint expression
 type Constraint struct {
-	Key string
+	Key string `export:"true"`
 	// MustMatch is true if operator is "==" or false if operator is "!="
-	MustMatch bool
+	MustMatch bool `export:"true"`
 	// TODO: support regex
-	Regex string
+	Regex string `export:"true"`
 }
 
 // NewConstraint receive a string and return a *Constraint, after checking syntax and parsing the constraint expression
@@ -198,14 +204,14 @@ func NewConstraint(exp string) (*Constraint, error) {
 		sep = "!="
 		constraint.MustMatch = false
 	} else {
-		return nil, errors.New("Constraint expression missing valid operator: '==' or '!='")
+		return nil, errors.New("constraint expression missing valid operator: '==' or '!='")
 	}
 
 	kv := strings.SplitN(exp, sep, 2)
 	if len(kv) == 2 {
 		// At the moment, it only supports tags
 		if kv[0] != "tag" {
-			return nil, errors.New("Constraint must be tag-based. Syntax: tag==us-*")
+			return nil, errors.New("constraint must be tag-based. Syntax: tag==us-*")
 		}
 
 		constraint.Key = kv[0]
@@ -213,7 +219,7 @@ func NewConstraint(exp string) (*Constraint, error) {
 		return constraint, nil
 	}
 
-	return nil, errors.New("Incorrect constraint expression: " + exp)
+	return nil, fmt.Errorf("incorrect constraint expression: %s", exp)
 }
 
 func (c *Constraint) String() string {
@@ -258,7 +264,7 @@ func (c *Constraint) MatchConstraintWithAtLeastOneTag(tags []string) bool {
 func (cs *Constraints) Set(str string) error {
 	exps := strings.Split(str, ",")
 	if len(exps) == 0 {
-		return errors.New("Bad Constraint format: " + str)
+		return fmt.Errorf("bad Constraint format: %s", str)
 	}
 	for _, exp := range exps {
 		constraint, err := NewConstraint(exp)
@@ -292,21 +298,22 @@ func (cs *Constraints) Type() string {
 // Store holds KV store cluster config
 type Store struct {
 	store.Store
-	Prefix string // like this "prefix" (without the /)
+	// like this "prefix" (without the /)
+	Prefix string `export:"true"`
 }
 
 // Cluster holds cluster config
 type Cluster struct {
-	Node  string `description:"Node name"`
-	Store *Store
+	Node  string `description:"Node name" export:"true"`
+	Store *Store `export:"true"`
 }
 
 // Auth holds authentication configuration (BASIC, DIGEST, users)
 type Auth struct {
-	Basic       *Basic
-	Digest      *Digest
-	Forward     *Forward
-	HeaderField string
+	Basic       *Basic   `export:"true"`
+	Digest      *Digest  `export:"true"`
+	Forward     *Forward `export:"true"`
+	HeaderField string   `export:"true"`
 }
 
 // Users authentication users
@@ -327,8 +334,8 @@ type Digest struct {
 // Forward authentication
 type Forward struct {
 	Address            string     `description:"Authentication server address"`
-	TLS                *ClientTLS `description:"Enable TLS support"`
-	TrustForwardHeader bool       `description:"Trust X-Forwarded-* headers"`
+	TLS                *ClientTLS `description:"Enable TLS support" export:"true"`
+	TrustForwardHeader bool       `description:"Trust X-Forwarded-* headers" export:"true"`
 }
 
 // CanonicalDomain returns a lower case domain with trim space
@@ -338,31 +345,31 @@ func CanonicalDomain(domain string) string {
 
 // Statistics provides options for monitoring request and response stats
 type Statistics struct {
-	RecentErrors int `description:"Number of recent errors logged"`
+	RecentErrors int `description:"Number of recent errors logged" export:"true"`
 }
 
 // Metrics provides options to expose and send Traefik metrics to different third party monitoring systems
 type Metrics struct {
-	Prometheus *Prometheus `description:"Prometheus metrics exporter type"`
-	Datadog    *Datadog    `description:"DataDog metrics exporter type"`
-	StatsD     *Statsd     `description:"StatsD metrics exporter type"`
+	Prometheus *Prometheus `description:"Prometheus metrics exporter type" export:"true"`
+	Datadog    *Datadog    `description:"DataDog metrics exporter type" export:"true"`
+	StatsD     *Statsd     `description:"StatsD metrics exporter type" export:"true"`
 }
 
 // Prometheus can contain specific configuration used by the Prometheus Metrics exporter
 type Prometheus struct {
-	Buckets Buckets `description:"Buckets for latency metrics"`
+	Buckets Buckets `description:"Buckets for latency metrics" export:"true"`
 }
 
 // Datadog contains address and metrics pushing interval configuration
 type Datadog struct {
 	Address      string `description:"DataDog's address"`
-	PushInterval string `description:"DataDog push interval"`
+	PushInterval string `description:"DataDog push interval" export:"true"`
 }
 
 // Statsd contains address and metrics pushing interval configuration
 type Statsd struct {
 	Address      string `description:"StatsD address"`
-	PushInterval string `description:"DataDog push interval"`
+	PushInterval string `description:"DataDog push interval" export:"true"`
 }
 
 // Buckets holds Prometheus Buckets
@@ -399,8 +406,8 @@ func (b *Buckets) SetValue(val interface{}) {
 
 // AccessLog holds the configuration settings for the access logger (middlewares/accesslog).
 type AccessLog struct {
-	FilePath string `json:"file,omitempty" description:"Access log file path. Stdout is used when omitted or empty"`
-	Format   string `json:"format,omitempty" description:"Access log format: json | common"`
+	FilePath string `json:"file,omitempty" description:"Access log file path. Stdout is used when omitted or empty" export:"true"`
+	Format   string `json:"format,omitempty" description:"Access log format: json | common" export:"true"`
 }
 
 // ClientTLS holds TLS specific configurations as client

vendor/github.com/mitchellh/copystructure/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/mitchellh/copystructure/copier_time.go

@@ -0,0 +1,15 @@
+package copystructure
+
+import (
+	"reflect"
+	"time"
+)
+
+func init() {
+	Copiers[reflect.TypeOf(time.Time{})] = timeCopier
+}
+
+func timeCopier(v interface{}) (interface{}, error) {
+	// Just... copy it.
+	return v.(time.Time), nil
+}

vendor/github.com/mitchellh/copystructure/copystructure.go

@@ -0,0 +1,548 @@
+package copystructure
+
+import (
+	"errors"
+	"reflect"
+	"sync"
+
+	"github.com/mitchellh/reflectwalk"
+)
+
+// Copy returns a deep copy of v.
+func Copy(v interface{}) (interface{}, error) {
+	return Config{}.Copy(v)
+}
+
+// CopierFunc is a function that knows how to deep copy a specific type.
+// Register these globally with the Copiers variable.
+type CopierFunc func(interface{}) (interface{}, error)
+
+// Copiers is a map of types that behave specially when they are copied.
+// If a type is found in this map while deep copying, this function
+// will be called to copy it instead of attempting to copy all fields.
+//
+// The key should be the type, obtained using: reflect.TypeOf(value with type).
+//
+// It is unsafe to write to this map after Copies have started. If you
+// are writing to this map while also copying, wrap all modifications to
+// this map as well as to Copy in a mutex.
+var Copiers map[reflect.Type]CopierFunc = make(map[reflect.Type]CopierFunc)
+
+// Must is a helper that wraps a call to a function returning
+// (interface{}, error) and panics if the error is non-nil. It is intended
+// for use in variable initializations and should only be used when a copy
+// error should be a crashing case.
+func Must(v interface{}, err error) interface{} {
+	if err != nil {
+		panic("copy error: " + err.Error())
+	}
+
+	return v
+}
+
+var errPointerRequired = errors.New("Copy argument must be a pointer when Lock is true")
+
+type Config struct {
+	// Lock any types that are a sync.Locker and are not a mutex while copying.
+	// If there is an RLocker method, use that to get the sync.Locker.
+	Lock bool
+
+	// Copiers is a map of types associated with a CopierFunc. Use the global
+	// Copiers map if this is nil.
+	Copiers map[reflect.Type]CopierFunc
+}
+
+func (c Config) Copy(v interface{}) (interface{}, error) {
+	if c.Lock && reflect.ValueOf(v).Kind() != reflect.Ptr {
+		return nil, errPointerRequired
+	}
+
+	w := new(walker)
+	if c.Lock {
+		w.useLocks = true
+	}
+
+	if c.Copiers == nil {
+		c.Copiers = Copiers
+	}
+
+	err := reflectwalk.Walk(v, w)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get the result. If the result is nil, then we want to turn it
+	// into a typed nil if we can.
+	result := w.Result
+	if result == nil {
+		val := reflect.ValueOf(v)
+		result = reflect.Indirect(reflect.New(val.Type())).Interface()
+	}
+
+	return result, nil
+}
+
+// Return the key used to index interfaces types we've seen. Store the number
+// of pointers in the upper 32bits, and the depth in the lower 32bits. This is
+// easy to calculate, easy to match a key with our current depth, and we don't
+// need to deal with initializing and cleaning up nested maps or slices.
+func ifaceKey(pointers, depth int) uint64 {
+	return uint64(pointers)<<32 | uint64(depth)
+}
+
+type walker struct {
+	Result interface{}
+
+	depth       int
+	ignoreDepth int
+	vals        []reflect.Value
+	cs          []reflect.Value
+
+	// This stores the number of pointers we've walked over, indexed by depth.
+	ps []int
+
+	// If an interface is indirected by a pointer, we need to know the type of
+	// interface to create when creating the new value.  Store the interface
+	// types here, indexed by both the walk depth and the number of pointers
+	// already seen at that depth. Use ifaceKey to calculate the proper uint64
+	// value.
+	ifaceTypes map[uint64]reflect.Type
+
+	// any locks we've taken, indexed by depth
+	locks []sync.Locker
+	// take locks while walking the structure
+	useLocks bool
+}
+
+func (w *walker) Enter(l reflectwalk.Location) error {
+	w.depth++
+
+	// ensure we have enough elements to index via w.depth
+	for w.depth >= len(w.locks) {
+		w.locks = append(w.locks, nil)
+	}
+
+	for len(w.ps) < w.depth+1 {
+		w.ps = append(w.ps, 0)
+	}
+
+	return nil
+}
+
+func (w *walker) Exit(l reflectwalk.Location) error {
+	locker := w.locks[w.depth]
+	w.locks[w.depth] = nil
+	if locker != nil {
+		defer locker.Unlock()
+	}
+
+	// clear out pointers and interfaces as we exit the stack
+	w.ps[w.depth] = 0
+
+	for k := range w.ifaceTypes {
+		mask := uint64(^uint32(0))
+		if k&mask == uint64(w.depth) {
+			delete(w.ifaceTypes, k)
+		}
+	}
+
+	w.depth--
+	if w.ignoreDepth > w.depth {
+		w.ignoreDepth = 0
+	}
+
+	if w.ignoring() {
+		return nil
+	}
+
+	switch l {
+	case reflectwalk.Array:
+		fallthrough
+	case reflectwalk.Map:
+		fallthrough
+	case reflectwalk.Slice:
+		w.replacePointerMaybe()
+
+		// Pop map off our container
+		w.cs = w.cs[:len(w.cs)-1]
+	case reflectwalk.MapValue:
+		// Pop off the key and value
+		mv := w.valPop()
+		mk := w.valPop()
+		m := w.cs[len(w.cs)-1]
+
+		// If mv is the zero value, SetMapIndex deletes the key form the map,
+		// or in this case never adds it. We need to create a properly typed
+		// zero value so that this key can be set.
+		if !mv.IsValid() {
+			mv = reflect.Zero(m.Elem().Type().Elem())
+		}
+		m.Elem().SetMapIndex(mk, mv)
+	case reflectwalk.ArrayElem:
+		// Pop off the value and the index and set it on the array
+		v := w.valPop()
+		i := w.valPop().Interface().(int)
+		if v.IsValid() {
+			a := w.cs[len(w.cs)-1]
+			ae := a.Elem().Index(i) // storing array as pointer on stack - so need Elem() call
+			if ae.CanSet() {
+				ae.Set(v)
+			}
+		}
+	case reflectwalk.SliceElem:
+		// Pop off the value and the index and set it on the slice
+		v := w.valPop()
+		i := w.valPop().Interface().(int)
+		if v.IsValid() {
+			s := w.cs[len(w.cs)-1]
+			se := s.Elem().Index(i)
+			if se.CanSet() {
+				se.Set(v)
+			}
+		}
+	case reflectwalk.Struct:
+		w.replacePointerMaybe()
+
+		// Remove the struct from the container stack
+		w.cs = w.cs[:len(w.cs)-1]
+	case reflectwalk.StructField:
+		// Pop off the value and the field
+		v := w.valPop()
+		f := w.valPop().Interface().(reflect.StructField)
+		if v.IsValid() {
+			s := w.cs[len(w.cs)-1]
+			sf := reflect.Indirect(s).FieldByName(f.Name)
+
+			if sf.CanSet() {
+				sf.Set(v)
+			}
+		}
+	case reflectwalk.WalkLoc:
+		// Clear out the slices for GC
+		w.cs = nil
+		w.vals = nil
+	}
+
+	return nil
+}
+
+func (w *walker) Map(m reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(m)
+
+	// Create the map. If the map itself is nil, then just make a nil map
+	var newMap reflect.Value
+	if m.IsNil() {
+		newMap = reflect.New(m.Type())
+	} else {
+		newMap = wrapPtr(reflect.MakeMap(m.Type()))
+	}
+
+	w.cs = append(w.cs, newMap)
+	w.valPush(newMap)
+	return nil
+}
+
+func (w *walker) MapElem(m, k, v reflect.Value) error {
+	return nil
+}
+
+func (w *walker) PointerEnter(v bool) error {
+	if v {
+		w.ps[w.depth]++
+	}
+	return nil
+}
+
+func (w *walker) PointerExit(v bool) error {
+	if v {
+		w.ps[w.depth]--
+	}
+	return nil
+}
+
+func (w *walker) Interface(v reflect.Value) error {
+	if !v.IsValid() {
+		return nil
+	}
+	if w.ifaceTypes == nil {
+		w.ifaceTypes = make(map[uint64]reflect.Type)
+	}
+
+	w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)] = v.Type()
+	return nil
+}
+
+func (w *walker) Primitive(v reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(v)
+
+	// IsValid verifies the v is non-zero and CanInterface verifies
+	// that we're allowed to read this value (unexported fields).
+	var newV reflect.Value
+	if v.IsValid() && v.CanInterface() {
+		newV = reflect.New(v.Type())
+		newV.Elem().Set(v)
+	}
+
+	w.valPush(newV)
+	w.replacePointerMaybe()
+	return nil
+}
+
+func (w *walker) Slice(s reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(s)
+
+	var newS reflect.Value
+	if s.IsNil() {
+		newS = reflect.New(s.Type())
+	} else {
+		newS = wrapPtr(reflect.MakeSlice(s.Type(), s.Len(), s.Cap()))
+	}
+
+	w.cs = append(w.cs, newS)
+	w.valPush(newS)
+	return nil
+}
+
+func (w *walker) SliceElem(i int, elem reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// We don't write the slice here because elem might still be
+	// arbitrarily complex. Just record the index and continue on.
+	w.valPush(reflect.ValueOf(i))
+
+	return nil
+}
+
+func (w *walker) Array(a reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(a)
+
+	newA := reflect.New(a.Type())
+
+	w.cs = append(w.cs, newA)
+	w.valPush(newA)
+	return nil
+}
+
+func (w *walker) ArrayElem(i int, elem reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// We don't write the array here because elem might still be
+	// arbitrarily complex. Just record the index and continue on.
+	w.valPush(reflect.ValueOf(i))
+
+	return nil
+}
+
+func (w *walker) Struct(s reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(s)
+
+	var v reflect.Value
+	if c, ok := Copiers[s.Type()]; ok {
+		// We have a Copier for this struct, so we use that copier to
+		// get the copy, and we ignore anything deeper than this.
+		w.ignoreDepth = w.depth
+
+		dup, err := c(s.Interface())
+		if err != nil {
+			return err
+		}
+
+		// We need to put a pointer to the value on the value stack,
+		// so allocate a new pointer and set it.
+		v = reflect.New(s.Type())
+		reflect.Indirect(v).Set(reflect.ValueOf(dup))
+	} else {
+		// No copier, we copy ourselves and allow reflectwalk to guide
+		// us deeper into the structure for copying.
+		v = reflect.New(s.Type())
+	}
+
+	// Push the value onto the value stack for setting the struct field,
+	// and add the struct itself to the containers stack in case we walk
+	// deeper so that its own fields can be modified.
+	w.valPush(v)
+	w.cs = append(w.cs, v)
+
+	return nil
+}
+
+func (w *walker) StructField(f reflect.StructField, v reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// If PkgPath is non-empty, this is a private (unexported) field.
+	// We do not set this unexported since the Go runtime doesn't allow us.
+	if f.PkgPath != "" {
+		return reflectwalk.SkipEntry
+	}
+
+	// Push the field onto the stack, we'll handle it when we exit
+	// the struct field in Exit...
+	w.valPush(reflect.ValueOf(f))
+	return nil
+}
+
+// ignore causes the walker to ignore any more values until we exit this on
+func (w *walker) ignore() {
+	w.ignoreDepth = w.depth
+}
+
+func (w *walker) ignoring() bool {
+	return w.ignoreDepth > 0 && w.depth >= w.ignoreDepth
+}
+
+func (w *walker) pointerPeek() bool {
+	return w.ps[w.depth] > 0
+}
+
+func (w *walker) valPop() reflect.Value {
+	result := w.vals[len(w.vals)-1]
+	w.vals = w.vals[:len(w.vals)-1]
+
+	// If we're out of values, that means we popped everything off. In
+	// this case, we reset the result so the next pushed value becomes
+	// the result.
+	if len(w.vals) == 0 {
+		w.Result = nil
+	}
+
+	return result
+}
+
+func (w *walker) valPush(v reflect.Value) {
+	w.vals = append(w.vals, v)
+
+	// If we haven't set the result yet, then this is the result since
+	// it is the first (outermost) value we're seeing.
+	if w.Result == nil && v.IsValid() {
+		w.Result = v.Interface()
+	}
+}
+
+func (w *walker) replacePointerMaybe() {
+	// Determine the last pointer value. If it is NOT a pointer, then
+	// we need to push that onto the stack.
+	if !w.pointerPeek() {
+		w.valPush(reflect.Indirect(w.valPop()))
+		return
+	}
+
+	v := w.valPop()
+
+	// If the expected type is a pointer to an interface of any depth,
+	// such as *interface{}, **interface{}, etc., then we need to convert
+	// the value "v" from *CONCRETE to *interface{} so types match for
+	// Set.
+	//
+	// Example if v is type *Foo where Foo is a struct, v would become
+	// *interface{} instead. This only happens if we have an interface expectation
+	// at this depth.
+	//
+	// For more info, see GH-16
+	if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)]; ok && iType.Kind() == reflect.Interface {
+		y := reflect.New(iType)           // Create *interface{}
+		y.Elem().Set(reflect.Indirect(v)) // Assign "Foo" to interface{} (dereferenced)
+		v = y                             // v is now typed *interface{} (where *v = Foo)
+	}
+
+	for i := 1; i < w.ps[w.depth]; i++ {
+		if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth]-i, w.depth)]; ok {
+			iface := reflect.New(iType).Elem()
+			iface.Set(v)
+			v = iface
+		}
+
+		p := reflect.New(v.Type())
+		p.Elem().Set(v)
+		v = p
+	}
+
+	w.valPush(v)
+}
+
+// if this value is a Locker, lock it and add it to the locks slice
+func (w *walker) lock(v reflect.Value) {
+	if !w.useLocks {
+		return
+	}
+
+	if !v.IsValid() || !v.CanInterface() {
+		return
+	}
+
+	type rlocker interface {
+		RLocker() sync.Locker
+	}
+
+	var locker sync.Locker
+
+	// We can't call Interface() on a value directly, since that requires
+	// a copy. This is OK, since the pointer to a value which is a sync.Locker
+	// is also a sync.Locker.
+	if v.Kind() == reflect.Ptr {
+		switch l := v.Interface().(type) {
+		case rlocker:
+			// don't lock a mutex directly
+			if _, ok := l.(*sync.RWMutex); !ok {
+				locker = l.RLocker()
+			}
+		case sync.Locker:
+			locker = l
+		}
+	} else if v.CanAddr() {
+		switch l := v.Addr().Interface().(type) {
+		case rlocker:
+			// don't lock a mutex directly
+			if _, ok := l.(*sync.RWMutex); !ok {
+				locker = l.RLocker()
+			}
+		case sync.Locker:
+			locker = l
+		}
+	}
+
+	// still no callable locker
+	if locker == nil {
+		return
+	}
+
+	// don't lock a mutex directly
+	switch locker.(type) {
+	case *sync.Mutex, *sync.RWMutex:
+		return
+	}
+
+	locker.Lock()
+	w.locks[w.depth] = locker
+}
+
+// wrapPtr is a helper that takes v and always make it *v. copystructure
+// stores things internally as pointers until the last moment before unwrapping
+func wrapPtr(v reflect.Value) reflect.Value {
+	if !v.IsValid() {
+		return v
+	}
+	vPtr := reflect.New(v.Type())
+	vPtr.Elem().Set(v)
+	return vPtr
+}

vendor/github.com/mitchellh/reflectwalk/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/mitchellh/reflectwalk/location.go

@@ -0,0 +1,19 @@
+package reflectwalk
+
+//go:generate stringer -type=Location location.go
+
+type Location uint
+
+const (
+	None Location = iota
+	Map
+	MapKey
+	MapValue
+	Slice
+	SliceElem
+	Array
+	ArrayElem
+	Struct
+	StructField
+	WalkLoc
+)

vendor/github.com/mitchellh/reflectwalk/location_string.go

@@ -0,0 +1,16 @@
+// Code generated by "stringer -type=Location location.go"; DO NOT EDIT.
+
+package reflectwalk
+
+import "fmt"
+
+const _Location_name = "NoneMapMapKeyMapValueSliceSliceElemArrayArrayElemStructStructFieldWalkLoc"
+
+var _Location_index = [...]uint8{0, 4, 7, 13, 21, 26, 35, 40, 49, 55, 66, 73}
+
+func (i Location) String() string {
+	if i >= Location(len(_Location_index)-1) {
+		return fmt.Sprintf("Location(%d)", i)
+	}
+	return _Location_name[_Location_index[i]:_Location_index[i+1]]
+}

vendor/github.com/mitchellh/reflectwalk/reflectwalk.go

@@ -0,0 +1,401 @@
+// reflectwalk is a package that allows you to "walk" complex structures
+// similar to how you may "walk" a filesystem: visiting every element one
+// by one and calling callback functions allowing you to handle and manipulate
+// those elements.
+package reflectwalk
+
+import (
+	"errors"
+	"reflect"
+)
+
+// PrimitiveWalker implementations are able to handle primitive values
+// within complex structures. Primitive values are numbers, strings,
+// booleans, funcs, chans.
+//
+// These primitive values are often members of more complex
+// structures (slices, maps, etc.) that are walkable by other interfaces.
+type PrimitiveWalker interface {
+	Primitive(reflect.Value) error
+}
+
+// InterfaceWalker implementations are able to handle interface values as they
+// are encountered during the walk.
+type InterfaceWalker interface {
+	Interface(reflect.Value) error
+}
+
+// MapWalker implementations are able to handle individual elements
+// found within a map structure.
+type MapWalker interface {
+	Map(m reflect.Value) error
+	MapElem(m, k, v reflect.Value) error
+}
+
+// SliceWalker implementations are able to handle slice elements found
+// within complex structures.
+type SliceWalker interface {
+	Slice(reflect.Value) error
+	SliceElem(int, reflect.Value) error
+}
+
+// ArrayWalker implementations are able to handle array elements found
+// within complex structures.
+type ArrayWalker interface {
+	Array(reflect.Value) error
+	ArrayElem(int, reflect.Value) error
+}
+
+// StructWalker is an interface that has methods that are called for
+// structs when a Walk is done.
+type StructWalker interface {
+	Struct(reflect.Value) error
+	StructField(reflect.StructField, reflect.Value) error
+}
+
+// EnterExitWalker implementations are notified before and after
+// they walk deeper into complex structures (into struct fields,
+// into slice elements, etc.)
+type EnterExitWalker interface {
+	Enter(Location) error
+	Exit(Location) error
+}
+
+// PointerWalker implementations are notified when the value they're
+// walking is a pointer or not. Pointer is called for _every_ value whether
+// it is a pointer or not.
+type PointerWalker interface {
+	PointerEnter(bool) error
+	PointerExit(bool) error
+}
+
+// SkipEntry can be returned from walk functions to skip walking
+// the value of this field. This is only valid in the following functions:
+//
+//   - Struct: skips all fields from being walked
+//   - StructField: skips walking the struct value
+//
+var SkipEntry = errors.New("skip this entry")
+
+// Walk takes an arbitrary value and an interface and traverses the
+// value, calling callbacks on the interface if they are supported.
+// The interface should implement one or more of the walker interfaces
+// in this package, such as PrimitiveWalker, StructWalker, etc.
+func Walk(data, walker interface{}) (err error) {
+	v := reflect.ValueOf(data)
+	ew, ok := walker.(EnterExitWalker)
+	if ok {
+		err = ew.Enter(WalkLoc)
+	}
+
+	if err == nil {
+		err = walk(v, walker)
+	}
+
+	if ok && err == nil {
+		err = ew.Exit(WalkLoc)
+	}
+
+	return
+}
+
+func walk(v reflect.Value, w interface{}) (err error) {
+	// Determine if we're receiving a pointer and if so notify the walker.
+	// The logic here is convoluted but very important (tests will fail if
+	// almost any part is changed). I will try to explain here.
+	//
+	// First, we check if the value is an interface, if so, we really need
+	// to check the interface's VALUE to see whether it is a pointer.
+	//
+	// Check whether the value is then a pointer. If so, then set pointer
+	// to true to notify the user.
+	//
+	// If we still have a pointer or an interface after the indirections, then
+	// we unwrap another level
+	//
+	// At this time, we also set "v" to be the dereferenced value. This is
+	// because once we've unwrapped the pointer we want to use that value.
+	pointer := false
+	pointerV := v
+
+	for {
+		if pointerV.Kind() == reflect.Interface {
+			if iw, ok := w.(InterfaceWalker); ok {
+				if err = iw.Interface(pointerV); err != nil {
+					return
+				}
+			}
+
+			pointerV = pointerV.Elem()
+		}
+
+		if pointerV.Kind() == reflect.Ptr {
+			pointer = true
+			v = reflect.Indirect(pointerV)
+		}
+		if pw, ok := w.(PointerWalker); ok {
+			if err = pw.PointerEnter(pointer); err != nil {
+				return
+			}
+
+			defer func(pointer bool) {
+				if err != nil {
+					return
+				}
+
+				err = pw.PointerExit(pointer)
+			}(pointer)
+		}
+
+		if pointer {
+			pointerV = v
+		}
+		pointer = false
+
+		// If we still have a pointer or interface we have to indirect another level.
+		switch pointerV.Kind() {
+		case reflect.Ptr, reflect.Interface:
+			continue
+		}
+		break
+	}
+
+	// We preserve the original value here because if it is an interface
+	// type, we want to pass that directly into the walkPrimitive, so that
+	// we can set it.
+	originalV := v
+	if v.Kind() == reflect.Interface {
+		v = v.Elem()
+	}
+
+	k := v.Kind()
+	if k >= reflect.Int && k <= reflect.Complex128 {
+		k = reflect.Int
+	}
+
+	switch k {
+	// Primitives
+	case reflect.Bool, reflect.Chan, reflect.Func, reflect.Int, reflect.String, reflect.Invalid:
+		err = walkPrimitive(originalV, w)
+		return
+	case reflect.Map:
+		err = walkMap(v, w)
+		return
+	case reflect.Slice:
+		err = walkSlice(v, w)
+		return
+	case reflect.Struct:
+		err = walkStruct(v, w)
+		return
+	case reflect.Array:
+		err = walkArray(v, w)
+		return
+	default:
+		panic("unsupported type: " + k.String())
+	}
+}
+
+func walkMap(v reflect.Value, w interface{}) error {
+	ew, ewok := w.(EnterExitWalker)
+	if ewok {
+		ew.Enter(Map)
+	}
+
+	if mw, ok := w.(MapWalker); ok {
+		if err := mw.Map(v); err != nil {
+			return err
+		}
+	}
+
+	for _, k := range v.MapKeys() {
+		kv := v.MapIndex(k)
+
+		if mw, ok := w.(MapWalker); ok {
+			if err := mw.MapElem(v, k, kv); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(MapKey)
+		}
+
+		if err := walk(k, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(MapKey)
+			ew.Enter(MapValue)
+		}
+
+		if err := walk(kv, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(MapValue)
+		}
+	}
+
+	if ewok {
+		ew.Exit(Map)
+	}
+
+	return nil
+}
+
+func walkPrimitive(v reflect.Value, w interface{}) error {
+	if pw, ok := w.(PrimitiveWalker); ok {
+		return pw.Primitive(v)
+	}
+
+	return nil
+}
+
+func walkSlice(v reflect.Value, w interface{}) (err error) {
+	ew, ok := w.(EnterExitWalker)
+	if ok {
+		ew.Enter(Slice)
+	}
+
+	if sw, ok := w.(SliceWalker); ok {
+		if err := sw.Slice(v); err != nil {
+			return err
+		}
+	}
+
+	for i := 0; i < v.Len(); i++ {
+		elem := v.Index(i)
+
+		if sw, ok := w.(SliceWalker); ok {
+			if err := sw.SliceElem(i, elem); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(SliceElem)
+		}
+
+		if err := walk(elem, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(SliceElem)
+		}
+	}
+
+	ew, ok = w.(EnterExitWalker)
+	if ok {
+		ew.Exit(Slice)
+	}
+
+	return nil
+}
+
+func walkArray(v reflect.Value, w interface{}) (err error) {
+	ew, ok := w.(EnterExitWalker)
+	if ok {
+		ew.Enter(Array)
+	}
+
+	if aw, ok := w.(ArrayWalker); ok {
+		if err := aw.Array(v); err != nil {
+			return err
+		}
+	}
+
+	for i := 0; i < v.Len(); i++ {
+		elem := v.Index(i)
+
+		if aw, ok := w.(ArrayWalker); ok {
+			if err := aw.ArrayElem(i, elem); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(ArrayElem)
+		}
+
+		if err := walk(elem, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(ArrayElem)
+		}
+	}
+
+	ew, ok = w.(EnterExitWalker)
+	if ok {
+		ew.Exit(Array)
+	}
+
+	return nil
+}
+
+func walkStruct(v reflect.Value, w interface{}) (err error) {
+	ew, ewok := w.(EnterExitWalker)
+	if ewok {
+		ew.Enter(Struct)
+	}
+
+	skip := false
+	if sw, ok := w.(StructWalker); ok {
+		err = sw.Struct(v)
+		if err == SkipEntry {
+			skip = true
+			err = nil
+		}
+		if err != nil {
+			return
+		}
+	}
+
+	if !skip {
+		vt := v.Type()
+		for i := 0; i < vt.NumField(); i++ {
+			sf := vt.Field(i)
+			f := v.FieldByIndex([]int{i})
+
+			if sw, ok := w.(StructWalker); ok {
+				err = sw.StructField(sf, f)
+
+				// SkipEntry just pretends this field doesn't even exist
+				if err == SkipEntry {
+					continue
+				}
+
+				if err != nil {
+					return
+				}
+			}
+
+			ew, ok := w.(EnterExitWalker)
+			if ok {
+				ew.Enter(StructField)
+			}
+
+			err = walk(f, w)
+			if err != nil {
+				return
+			}
+
+			if ok {
+				ew.Exit(StructField)
+			}
+		}
+	}
+
+	if ewok {
+		ew.Exit(Struct)
+	}
+
+	return nil
+}

vendor/github.com/vulcand/oxy/forward/fwd.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"reflect"
 	"strconv"
 	"strings"
 	"time"
@@ -248,6 +249,12 @@ func (f *httpForwarder) copyRequest(req *http.Request, u *url.URL) *http.Request
 	if f.rewriter != nil {
 		f.rewriter.Rewrite(outReq)
 	}
+
+	if req.ContentLength == 0 {
+		// https://github.com/golang/go/issues/16036: nil Body for http.Transport retries
+		outReq.Body = nil
+	}
+
 	return outReq
 }
 
@@ -261,8 +268,32 @@ func (f *websocketForwarder) serveHTTP(w http.ResponseWriter, req *http.Request,
 	}
 	targetConn, resp, err := dialer.Dial(outReq.URL.String(), outReq.Header)
 	if err != nil {
-		ctx.log.Errorf("Error dialing `%v`: %v", outReq.Host, err)
-		ctx.errHandler.ServeHTTP(w, req, err)
+		if resp == nil {
+			ctx.errHandler.ServeHTTP(w, req, err)
+		} else {
+			ctx.log.Errorf("Error dialing %q: %v with resp: %d %s", outReq.Host, err, resp.StatusCode, resp.Status)
+			hijacker, ok := w.(http.Hijacker)
+			if !ok {
+				ctx.log.Errorf("%s can not be hijack", reflect.TypeOf(w))
+				ctx.errHandler.ServeHTTP(w, req, err)
+				return
+			}
+
+			conn, _, err := hijacker.Hijack()
+			if err != nil {
+				ctx.log.Errorf("Failed to hijack responseWriter")
+				ctx.errHandler.ServeHTTP(w, req, err)
+				return
+			}
+			defer conn.Close()
+
+			err = resp.Write(conn)
+			if err != nil {
+				ctx.log.Errorf("Failed to forward response")
+				ctx.errHandler.ServeHTTP(w, req, err)
+				return
+			}
+		}
 		return
 	}
 

whitelist/ip.go

@@ -0,0 +1,86 @@
+package whitelist
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/pkg/errors"
+)
+
+// IP allows to check that addresses are in a white list
+type IP struct {
+	whiteListsIPs []*net.IP
+	whiteListsNet []*net.IPNet
+	insecure      bool
+}
+
+// NewIP builds a new IP given a list of CIDR-Strings to whitelist
+func NewIP(whitelistStrings []string, insecure bool) (*IP, error) {
+	if len(whitelistStrings) == 0 && !insecure {
+		return nil, errors.New("no whiteListsNet provided")
+	}
+
+	ip := IP{}
+
+	if !insecure {
+		for _, whitelistString := range whitelistStrings {
+			ipAddr := net.ParseIP(whitelistString)
+			if ipAddr != nil {
+				ip.whiteListsIPs = append(ip.whiteListsIPs, &ipAddr)
+			} else {
+				_, whitelist, err := net.ParseCIDR(whitelistString)
+				if err != nil {
+					return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whitelist, err)
+				}
+				ip.whiteListsNet = append(ip.whiteListsNet, whitelist)
+			}
+		}
+	}
+
+	return &ip, nil
+}
+
+// Contains checks if provided address is in the white list
+func (ip *IP) Contains(addr string) (bool, net.IP, error) {
+	if ip.insecure {
+		return true, nil, nil
+	}
+
+	ipAddr, err := ipFromRemoteAddr(addr)
+	if err != nil {
+		return false, nil, fmt.Errorf("unable to parse address: %s: %s", addr, err)
+	}
+
+	contains, err := ip.ContainsIP(ipAddr)
+	return contains, ipAddr, err
+}
+
+// ContainsIP checks if provided address is in the white list
+func (ip *IP) ContainsIP(addr net.IP) (bool, error) {
+	if ip.insecure {
+		return true, nil
+	}
+
+	for _, whiteListIP := range ip.whiteListsIPs {
+		if whiteListIP.Equal(addr) {
+			return true, nil
+		}
+	}
+
+	for _, whiteListNet := range ip.whiteListsNet {
+		if whiteListNet.Contains(addr) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func ipFromRemoteAddr(addr string) (net.IP, error) {
+	userIP := net.ParseIP(addr)
+	if userIP == nil {
+		return nil, fmt.Errorf("can't parse IP from address %s", addr)
+	}
+
+	return userIP, nil
+}

whitelist/ip_test.go

@@ -1,19 +1,14 @@
-package middlewares
+package whitelist
 
 import (
-	"fmt"
 	"net"
-	"net/http"
-	"net/http/httptest"
 	"testing"
 
-	"github.com/containous/traefik/testhelpers"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/urfave/negroni"
 )
 
-func TestNewIPWhitelister(t *testing.T) {
+func TestNew(t *testing.T) {
 	cases := []struct {
 		desc               string
 		whitelistStrings   []string
@@ -24,12 +19,12 @@ func TestNewIPWhitelister(t *testing.T) {
 			desc:               "nil whitelist",
 			whitelistStrings:   nil,
 			expectedWhitelists: nil,
-			errMessage:         "no whitelists provided",
+			errMessage:         "no whiteListsNet provided",
 		}, {
 			desc:               "empty whitelist",
 			whitelistStrings:   []string{},
 			expectedWhitelists: nil,
-			errMessage:         "no whitelists provided",
+			errMessage:         "no whiteListsNet provided",
 		}, {
 			desc: "whitelist containing empty string",
 			whitelistStrings: []string{
@@ -80,12 +75,12 @@ func TestNewIPWhitelister(t *testing.T) {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
-			whitelister, err := NewIPWhitelister(test.whitelistStrings)
+			whitelister, err := NewIP(test.whitelistStrings, false)
 			if test.errMessage != "" {
 				require.EqualError(t, err, test.errMessage)
 			} else {
 				require.NoError(t, err)
-				for index, actual := range whitelister.whitelists {
+				for index, actual := range whitelister.whiteListsNet {
 					expected := test.expectedWhitelists[index]
 					assert.Equal(t, expected.IP, actual.IP)
 					assert.Equal(t, expected.Mask.String(), actual.Mask.String())
@@ -95,7 +90,7 @@ func TestNewIPWhitelister(t *testing.T) {
 	}
 }
 
-func TestIPWhitelisterHandle(t *testing.T) {
+func TestIsAllowed(t *testing.T) {
 	cases := []struct {
 		desc             string
 		whitelistStrings []string
@@ -122,6 +117,23 @@ func TestIPWhitelisterHandle(t *testing.T) {
 		},
 		{
 			desc: "IPv4 single IP",
+			whitelistStrings: []string{
+				"8.8.8.8",
+			},
+			passIPs: []string{
+				"8.8.8.8",
+			},
+			rejectIPs: []string{
+				"8.8.8.7",
+				"8.8.8.9",
+				"8.8.8.0",
+				"8.8.8.255",
+				"4.4.4.4",
+				"127.0.0.1",
+			},
+		},
+		{
+			desc: "IPv4 Net single IP",
 			whitelistStrings: []string{
 				"8.8.8.8/32",
 			},
@@ -167,16 +179,16 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"2a03:4000:6:d080::/64",
 			},
 			passIPs: []string{
-				"[2a03:4000:6:d080::]",
-				"[2a03:4000:6:d080::1]",
-				"[2a03:4000:6:d080:dead:beef:ffff:ffff]",
-				"[2a03:4000:6:d080::42]",
+				"2a03:4000:6:d080::",
+				"2a03:4000:6:d080::1",
+				"2a03:4000:6:d080:dead:beef:ffff:ffff",
+				"2a03:4000:6:d080::42",
 			},
 			rejectIPs: []string{
-				"[2a03:4000:7:d080::]",
-				"[2a03:4000:7:d080::1]",
-				"[fe80::]",
-				"[4242::1]",
+				"2a03:4000:7:d080::",
+				"2a03:4000:7:d080::1",
+				"fe80::",
+				"4242::1",
 			},
 		},
 		{
@@ -185,12 +197,12 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"2a03:4000:6:d080::42/128",
 			},
 			passIPs: []string{
-				"[2a03:4000:6:d080::42]",
+				"2a03:4000:6:d080::42",
 			},
 			rejectIPs: []string{
-				"[2a03:4000:6:d080::1]",
-				"[2a03:4000:6:d080:dead:beef:ffff:ffff]",
-				"[2a03:4000:6:d080::43]",
+				"2a03:4000:6:d080::1",
+				"2a03:4000:6:d080:dead:beef:ffff:ffff",
+				"2a03:4000:6:d080::43",
 			},
 		},
 		{
@@ -200,18 +212,18 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"fe80::/16",
 			},
 			passIPs: []string{
-				"[2a03:4000:6:d080::]",
-				"[2a03:4000:6:d080::1]",
-				"[2a03:4000:6:d080:dead:beef:ffff:ffff]",
-				"[2a03:4000:6:d080::42]",
-				"[fe80::1]",
-				"[fe80:aa00:00bb:4232:ff00:eeee:00ff:1111]",
-				"[fe80::fe80]",
+				"2a03:4000:6:d080::",
+				"2a03:4000:6:d080::1",
+				"2a03:4000:6:d080:dead:beef:ffff:ffff",
+				"2a03:4000:6:d080::42",
+				"fe80::1",
+				"fe80:aa00:00bb:4232:ff00:eeee:00ff:1111",
+				"fe80::fe80",
 			},
 			rejectIPs: []string{
-				"[2a03:4000:7:d080::]",
-				"[2a03:4000:7:d080::1]",
-				"[4242::1]",
+				"2a03:4000:7:d080::",
+				"2a03:4000:7:d080::1",
+				"4242::1",
 			},
 		},
 		{
@@ -223,13 +235,13 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"8.8.8.8/8",
 			},
 			passIPs: []string{
-				"[2a03:4000:6:d080::]",
-				"[2a03:4000:6:d080::1]",
-				"[2a03:4000:6:d080:dead:beef:ffff:ffff]",
-				"[2a03:4000:6:d080::42]",
-				"[fe80::1]",
-				"[fe80:aa00:00bb:4232:ff00:eeee:00ff:1111]",
-				"[fe80::fe80]",
+				"2a03:4000:6:d080::",
+				"2a03:4000:6:d080::1",
+				"2a03:4000:6:d080:dead:beef:ffff:ffff",
+				"2a03:4000:6:d080::42",
+				"fe80::1",
+				"fe80:aa00:00bb:4232:ff00:eeee:00ff:1111",
+				"fe80::fe80",
 				"1.2.3.1",
 				"1.2.3.32",
 				"1.2.3.156",
@@ -240,9 +252,9 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"8.255.255.255",
 			},
 			rejectIPs: []string{
-				"[2a03:4000:7:d080::]",
-				"[2a03:4000:7:d080::1]",
-				"[4242::1]",
+				"2a03:4000:7:d080::",
+				"2a03:4000:7:d080::1",
+				"4242::1",
 				"1.2.16.1",
 				"1.2.32.1",
 				"127.0.0.1",
@@ -256,13 +268,6 @@ func TestIPWhitelisterHandle(t *testing.T) {
 				"127.0.0.1/32",
 			},
 			passIPs: nil,
-			rejectIPs: []string{
-				"foo",
-				"10.0.0.350",
-				"fe:::80",
-				"",
-				"\\&$§&/(",
-			},
 		},
 	}
 
@@ -270,38 +275,44 @@ func TestIPWhitelisterHandle(t *testing.T) {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
-			whitelister, err := NewIPWhitelister(test.whitelistStrings)
+			whiteLister, err := NewIP(test.whitelistStrings, false)
 
 			require.NoError(t, err)
-			require.NotNil(t, whitelister)
-
-			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				fmt.Fprintln(w, "traefik")
-			})
-			n := negroni.New(whitelister)
-			n.UseHandler(handler)
+			require.NotNil(t, whiteLister)
 
 			for _, testIP := range test.passIPs {
-				req := testhelpers.MustNewRequest(http.MethodGet, "/", nil)
-
-				req.RemoteAddr = testIP + ":2342"
-				recorder := httptest.NewRecorder()
-				n.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusOK, recorder.Code, testIP+" should have passed "+test.desc)
-				assert.Contains(t, recorder.Body.String(), "traefik")
+				allowed, ip, err := whiteLister.Contains(testIP)
+				require.NoError(t, err)
+				require.NotNil(t, ip, err)
+				assert.True(t, allowed, testIP+" should have passed "+test.desc)
 			}
 
 			for _, testIP := range test.rejectIPs {
-				req := testhelpers.MustNewRequest(http.MethodGet, "/", nil)
-
-				req.RemoteAddr = testIP + ":2342"
-				recorder := httptest.NewRecorder()
-				n.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusForbidden, recorder.Code, testIP+" should not have passed "+test.desc)
-				assert.NotContains(t, recorder.Body.String(), "traefik")
+				allowed, ip, err := whiteLister.Contains(testIP)
+				require.NoError(t, err)
+				require.NotNil(t, ip, err)
+				assert.False(t, allowed, testIP+" should not have passed "+test.desc)
 			}
 		})
 	}
 }
+
+func TestBrokenIPs(t *testing.T) {
+	brokenIPs := []string{
+		"foo",
+		"10.0.0.350",
+		"fe:::80",
+		"",
+		"\\&$§&/(",
+	}
+
+	whiteLister, err := NewIP([]string{"1.2.3.4/24"}, false)
+	require.NoError(t, err)
+
+	for _, testIP := range brokenIPs {
+		_, ip, err := whiteLister.Contains(testIP)
+		assert.Error(t, err)
+		require.Nil(t, ip, err)
+	}
+
+}