Prepare release v1.6.0

Document custom k8s ingress class usage in guide.
Add redirect section.
2025-09-06 05:44:21 +03:00 · 2018-04-30 23:20:05 +02:00 · 2018-04-30 20:28:03 +02:00 · 2018-04-30 12:28:03 +02:00 · 2018-04-30 12:08:03 +02:00 · 2018-04-30 09:24:04 +02:00
3922 changed files with 622873 additions and 485983 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+# vendor/github.com/xenolf/lego/providers/dns/cloudxns/cloudxns.go eol=crlf
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -22,7 +22,7 @@ If you intend to ask a support question: DO NOT FILE AN ISSUE.

 HOW TO WRITE A GOOD ISSUE?

- Respect the issue template as more as possible.
+- Respect the issue template as much as possible.
 - If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
 - The title must be short and descriptive.
 - Explain the conditions which led you to write this issue: the context.
@@ -46,6 +46,10 @@ HOW TO WRITE A GOOD ISSUE?
 For the Traefik Docker image:
    docker run [IMAGE] version
    ex: docker run traefik version
+
+For the alpine Traefik Docker image:
+    docker run [IMAGE] traefik version
+    ex: docker run traefik traefik version
 -->

 ```
@@ -62,7 +66,7 @@ Add more configuration information here.
 -->


-### If applicable, please paste the log output in debug mode (`--debug` switch)
+### If applicable, please paste the log output at DEBUG level (`--logLevel=DEBUG` switch)

 ```
 (paste your output here)
--- a/.github/ISSUE_TEMPLATE/bugs.md
+++ b/.github/ISSUE_TEMPLATE/bugs.md
@@ -0,0 +1,72 @@
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://traefik.herokuapp.com
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Bug
+
+### What did you do?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as much as possible.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+
+### What did you expect to see?
+
+
+
+### What did you see instead?
+
+
+
+### Output of `traefik version`: (_What version of Traefik are you using?_)
+
+<!--
+For the Traefik Docker image:
+    docker run [IMAGE] version
+    ex: docker run traefik version
+
+For the alpine Traefik Docker image:
+    docker run [IMAGE] traefik version
+    ex: docker run traefik traefik version
+-->
+
+```
+(paste your output here)
+```
+
+### What is your environment & configuration (arguments, toml, provider, platform, ...)?
+
+```toml
+# (paste your configuration here)
+```
+
+<!--
+Add more configuration information here.
+-->
+
+
+### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
+
+```
+(paste your output here)
+```
--- a/.github/ISSUE_TEMPLATE/features.md
+++ b/.github/ISSUE_TEMPLATE/features.md
@@ -0,0 +1,32 @@
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://traefik.herokuapp.com
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Feature
+
+### What did you expect to see?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as much as possible.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -16,8 +16,21 @@ HOW TO WRITE A GOOD PULL REQUEST?

 -->

-### Description
+### What does this PR do?

-<!--
-Briefly describe the pull request in a few paragraphs.
-->
+<!-- A brief description of the change being made with this pull request. -->
+
+
+### Motivation
+
+<!-- What inspired you to submit this pull request? -->
+
+
+### More
+
+- [ ] Added/updated tests
+- [ ] Added/updated documentation
+
+### Additional Notes
+
+<!-- Anything else we should know when reviewing? -->
--- a/.github/PULL_REQUEST_TEMPLATE/mergeback.md
+++ b/.github/PULL_REQUEST_TEMPLATE/mergeback.md
@@ -0,0 +1,7 @@
+### What does this PR do?
+
+Merge v{{.Version}} into master
+
+### Motivation
+
+Be sync.
--- a/.github/PULL_REQUEST_TEMPLATE/release.md
+++ b/.github/PULL_REQUEST_TEMPLATE/release.md
@@ -0,0 +1,7 @@
+### What does this PR do?
+
+Prepare release v{{.Version}}.
+
+### Motivation
+
+Create a new release.
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,15 @@
 /dist
-/autogen/gen.go
-.idea
-.intellij
+/autogen/genstatic/gen.go
+.idea/
+.intellij/
 *.iml
 /traefik
 /traefik.toml
 /static/
+/webui/.tmp/
 .vscode/
 /site/
 *.log
 *.exe
 .DS_Store
-/example/acme/acme.json
+/examples/acme/acme.json
--- a/.gometalinter.json
+++ b/.gometalinter.json
@@ -0,0 +1,42 @@
+{
+  "Vendor": true,
+  "Sort": [
+    "path",
+    "line",
+    "column",
+    "severity",
+    "linter"
+  ],
+  "Test": true,
+  "Cyclo": 15,
+  "Enable": [
+    "gotypex",
+    "nakedret",
+    "vet",
+    "goimports",
+    "golint",
+    "ineffassign",
+    "gotype",
+    "misspell",
+    "structcheck",
+    "gosimple",
+    "unconvert",
+    "varcheck",
+    "errcheck",
+    "unused",
+    "deadcode",
+    "staticcheck"
+  ],
+  "Disable": [
+    "gas",
+    "maligned",
+    "interfacer",
+    "goconst",
+    "gocyclo",
+    "vetshadow"
+  ],
+  "Exclude": [
+    "autogen/.*"
+  ],
+  "Deadline": "5m"
+}
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -10,7 +10,7 @@ else
  export VERSION=''
 fi

-export CODENAME=roquefort
+export CODENAME=tetedemoine

 export N_MAKE_JOBS=2

--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,9 @@
 sudo: required
 dist: trusty

+git:
+  depth: false
+
 services:
  - docker

@@ -8,7 +11,7 @@ env:
  global:
    - REPO: $TRAVIS_REPO_SLUG
    - VERSION: $TRAVIS_TAG
-    - CODENAME: roquefort
+    - CODENAME: tetedemoine
    - N_MAKE_JOBS: 2

 script:
@@ -21,21 +24,16 @@ before_deploy:
      sudo -E apt-get -yq update;
      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
      docker version;
-      pip install --user -r requirements.txt;
-      make -j${N_MAKE_JOBS} crossbinary-parallel;
-      make image-dirty;
-      mkdocs build --clean;
-      tar cfz dist/traefik-${VERSION}.src.tar.gz --exclude-vcs --exclude dist .;
+      make image;
+      if [ "$TRAVIS_TAG" ]; then
+        make -j${N_MAKE_JOBS} crossbinary-parallel;
+        tar cfz dist/traefik-${VERSION}.src.tar.gz --exclude-vcs --exclude dist .;
+      fi;
+      curl -sI https://github.com/containous/structor/releases/latest | grep -Fi Location  | tr -d '\r' | sed "s/tag/download/g" | awk -F " " '{ print $2 "/structor_linux-amd64"}' | wget --output-document=$GOPATH/bin/structor -i -;
+      chmod +x $GOPATH/bin/structor;
+      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/master/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --exp-branch=master --debug;
    fi
 deploy:
-  - provider: pages
-    edge: true
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      tags: true
  - provider: releases
    api_key: ${GITHUB_TOKEN}
    file: dist/traefik*
@@ -55,3 +53,11 @@ deploy:
    skip_cleanup: true
    on:
      repo: containous/traefik
+  - provider: pages
+    edge: false
+    github_token: ${GITHUB_TOKEN}
+    local_dir: site
+    skip_cleanup: true
+    on:
+      repo: containous/traefik
+      all_branches: true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,8 @@

 ## Building

-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik. For changes to its dependencies, the `glide` dependency management tool and `glide-vc` plugin are required.
+You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
+For changes to its dependencies, the `dep` dependency management tool is required.

 ### Method 1: Using `Docker` and `Makefile`

@@ -12,11 +13,11 @@ You need to run the `binary` target. This will create binaries for Linux platfor
 $ make binary
 docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
 Sending build context to Docker daemon 295.3 MB
-Step 0 : FROM golang:1.9-alpine
+Step 0 : FROM golang:1.10-alpine
 ---> 8c6473912976
-Step 1 : RUN go get github.com/Masterminds/glide
+Step 1 : RUN go get github.com/golang/dep/cmd/dep
 [...]
-docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/emile/dev/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
+docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'gen.go'

@@ -63,9 +64,12 @@ Once your environment is set up and the Træfik repository cloned you can build
 cd ~/go/src/github.com/containous/traefik

 # Get go-bindata. Please note, the ellipses are required
-go get github.com/jteeuwen/go-bindata/...
+go get github.com/containous/go-bindata/...

 # Start build
+
+# generate
+# (required to merge non-code components into the final binary, such as the web dashboard and provider's Go templates)
 go generate

 # Standard go build
@@ -75,21 +79,26 @@ go build ./cmd/traefik

 You will find the Træfik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`.

-### Setting up `glide` and `glide-vc` for dependency management
+### Updating the templates

- Glide is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
- Glide can be installed either via homebrew: `$ brew install glide` or via the official glide script: `$ curl https://glide.sh/get | sh`
- The glide plugin `glide-vc` must be installed from source: `go get github.com/sgotti/glide-vc`
+If you happen to update the provider templates (in `/templates`), you need to run `go generate` to update the `autogen` package.

-If you want to add a dependency, use `$ glide get` to have glide put it into the vendor folder and update the glide manifest/lock files (`glide.yaml` and `glide.lock`, respectively). A following `glide-vc` run should be triggered to trim down the size of the vendor folder. The final result must be committed into VCS.
+### Setting up dependency management

-Care must be taken to choose the right arguments to `glide` when dealing with dependencies, or otherwise risk ending up with a broken build. For that reason, the helper script `script/glide.sh` encapsulates the gory details and conveniently calls `glide-vc` as well. Call it without parameters for basic usage instructions.
+[dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)

-Here's a full example using glide to add a new dependency:
+You need to use [dep](https://github.com/golang/dep) >= O.4.1.
+
+If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
+
+A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
+The final result must be committed into VCS.
+
+Here's a full example using dep to add a new dependency:

 ```bash
 # install the new main dependency github.com/foo/bar and minimize vendor size
-$ ./script/glide.sh get github.com/foo/bar
+$ dep ensure -add github.com/foo/bar
 # generate (Only required to integrate other components such as web dashboard)
 $ go generate
 # Standard go build
@@ -108,7 +117,7 @@ integration test using the `test-integration` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/vincent/src/github/vdemeester/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'

@@ -120,6 +129,7 @@ Test success
 ```

 For development purposes, you can specify which tests to run by using:
+
 ```bash
 # Run every tests in the MyTest suite
 TESTFLAGS="-check.f MyTestSuite" make test-integration
@@ -138,15 +148,37 @@ More: https://labix.org/gocheck

 #### Method 2: `go`

- Tests can be run from the cloned directory, by `$ go test ./...` which should return `ok` similar to:
+Unit tests can be run from the cloned directory by `$ go test ./...` which should return `ok` similar to:
+
 ```
-ok      _/home/vincent/src/github/vdemeester/traefik    0.004s
+ok      _/home/user/go/src/github/containous/traefik    0.004s
 ```

+Integration tests must be run from the `integration/` directory and require the `-integration` switch to be passed like this: `$ cd integration && go test -integration ./...`.
+
 ## Documentation

 The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)

+### Method 1: `Docker` and `make`
+
+You can test documentation using the `docs` target.
+
+```bash
+$ make docs
+docker build -t traefik-docs -f docs.Dockerfile .
+# […]
+docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+# […]
+[I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
+[I 170828 20:47:48 handlers:60] Start watching changes
+[I 170828 20:47:48 handlers:62] Start detecting changes
+```
+
+And go to [http://127.0.0.1:8000](http://127.0.0.1:8000).
+
+### Method 2: `mkdocs`
+
 First make sure you have python and pip installed

 ```shell
@@ -159,7 +191,7 @@ pip 1.5.2
 Then install mkdocs with pip

 ```shell
-$ pip install mkdocs
+pip install --user -r requirements.txt
 ```

 To test documentation locally run `mkdocs serve` in the root directory, this should start a server locally to preview your changes.
--- a/Gopkg.lock
+++ b/Gopkg.lock
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -0,0 +1,258 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/ArthurHlt/go-eureka-client"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/BurntSushi/toml"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/BurntSushi/ty"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/NYTimes/gziphandler"
+
+[[constraint]]
+  branch = "containous-fork"
+  name = "github.com/abbot/go-http-auth"
+  source = "github.com/containous/go-http-auth"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/armon/go-proxyproto"
+
+[[constraint]]
+  name = "github.com/aws/aws-sdk-go"
+  version = "1.13.1"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/cenk/backoff"
+
+[[constraint]]
+  name = "github.com/containous/flaeg"
+  version = "1.0.1"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/containous/mux"
+
+[[constraint]]
+  name = "github.com/containous/staert"
+  version = "3.1.0"
+
+[[constraint]]
+  name = "github.com/containous/traefik-extra-service-fabric"
+  version = "1.1.5"
+
+[[constraint]]
+  name = "github.com/coreos/go-systemd"
+  version = "14.0.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/docker/leadership"
+  source = "github.com/containous/leadership"
+
+[[constraint]]
+  name = "github.com/eapache/channels"
+  version = "1.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/elazarl/go-bindata-assetfs"
+
+[[constraint]]
+  branch = "fork-containous"
+  name = "github.com/go-check/check"
+  source = "github.com/containous/check"
+
+[[override]]
+  branch = "fork-containous"
+  name = "github.com/go-check/check"
+  source = "github.com/containous/check"
+
+[[constraint]]
+  name = "github.com/go-kit/kit"
+  version = "0.7.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/gorilla/websocket"
+
+[[constraint]]
+  name = "github.com/hashicorp/consul"
+  version = "1.0.6"
+
+[[constraint]]
+  name = "github.com/influxdata/influxdb"
+  version = "1.3.7"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/jjcollinge/servicefabric"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/abronan/valkeyrie"
+
+[[constraint]]
+  name = "github.com/mesosphere/mesos-dns"
+  source = "https://github.com/containous/mesos-dns.git"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/copystructure"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/hashstructure"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/mapstructure"
+
+[[constraint]]
+  name = "github.com/opentracing/opentracing-go"
+  version = "1.0.2"
+
+[[constraint]]
+  branch = "containous-fork"
+  name = "github.com/rancher/go-rancher-metadata"
+  source = "github.com/containous/go-rancher-metadata"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/ryanuber/go-glob"
+
+[[constraint]]
+  name = "github.com/satori/go.uuid"
+  version = "1.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/stvp/go-udp-testing"
+
+[[constraint]]
+  name = "github.com/stretchr/testify"
+  version = "1.2.1"
+
+[[constraint]]
+  name = "github.com/uber/jaeger-client-go"
+  version = "2.9.0"
+
+[[constraint]]
+  name = "github.com/uber/jaeger-lib"
+  version = "1.1.0"
+
+[[constraint]]
+  branch = "v1"
+  name = "github.com/unrolled/secure"
+
+[[constraint]]
+  name = "github.com/vdemeester/shakers"
+  version = "0.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/vulcand/oxy"
+
+[[constraint]]
+  branch = "containous-fork"
+  name = "github.com/xenolf/lego"
+  source = "github.com/containous/lego"
+
+[[constraint]]
+  name = "google.golang.org/grpc"
+  version = "1.5.2"
+
+[[constraint]]
+  name = "gopkg.in/fsnotify.v1"
+  source = "github.com/fsnotify/fsnotify"
+  version = "1.4.2"
+
+[[constraint]]
+  name = "k8s.io/client-go"
+  version = "6.0.0"
+
+[[constraint]]
+  name = "k8s.io/api"
+  version = "kubernetes-1.9.0"
+
+[[constraint]]
+  name = "k8s.io/apimachinery"
+  version = "kubernetes-1.9.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/libkermit/docker"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/libkermit/docker-check"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/libkermit/compose"
+
+[[constraint]]
+ name = "github.com/docker/docker"
+ revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
+
+[[override]]
+ name = "github.com/docker/docker"
+ revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
+
+[[override]]
+ name = "github.com/docker/cli"
+ revision = "6b63d7b96a41055baddc3fa71f381c7f60bd5d8e"
+
+[[override]]
+ name = "github.com/docker/distribution"
+ revision = "edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c"
+
+[[override]]
+  branch = "master"
+  name = "github.com/docker/libcompose"
+
+[[override]]
+  name = "github.com/Nvveen/Gotty"
+  revision = "a8b993ba6abdb0e0c12b0125c603323a71c7790c"
+  source = "github.com/ijc25/Gotty"
+
+[[override]]
+  # ALWAYS keep this override
+  name = "github.com/mailgun/timetools"
+  revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
+
+[[override]]
+  branch = "master"
+  name = "github.com/miekg/dns"
+
+[prune]
+  non-go = true
+  go-tests = true
+  unused-packages = true
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2017 Containous SAS
+Copyright (c) 2016-2018 Containous SAS

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/MAINTAINER.md
+++ b/MAINTAINER.md
@@ -12,6 +12,7 @@
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
 * Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+* Michaël Matur [@mmatur](https://github.com/mmatur)


 ## PR review process:
@@ -40,6 +41,14 @@ The status `status/4-merge-in-progress` is only for the bot.
 If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
 In this case you must solve conflicts/CI/... and after you only need to remove `bot/need-human-merge`.

+A maintainer can add `bot/no-merge` on a PR if he want (temporarily) prevent a merge by the bot.
+
+`bot/light-review` can be used to decrease required LGTM from 3 to 1 when:
+
+- vendor updates from previously reviewed PRs
+- merges branches into master
+- prepare release
+

 ### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)

@@ -52,19 +61,20 @@ In this case you must solve conflicts/CI/... and after you only need to remove `
 **Manage GitHub labels**

 * Add labels on new PR [GitHub WebHook]
+* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
 * Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
 * Weekly report of PR status on Slack (CaptainPR) [cron]


 ## Labels

-If we open/look an issue/PR, we must add a `kind/*` and an `area/*`.
+If we open/look an issue/PR, we must add a `kind/*`, an `area/*` and a `status/*`.

 ### Contributor

 * `contributor/need-more-information`: we need more information from the contributor in order to analyze a problem.
 * `contributor/waiting-for-feedback`: we need the contributor to give us feedback.
-* `contributor/waiting-for-corrections`: we need the contributor to take actions in order to move forward with a PR. **(only for PR)**
+* `contributor/waiting-for-corrections`: we need the contributor to take actions in order to move forward with a PR. **(only for PR)** _[bot, humans]_
 * `contributor/needs-resolve-conflicts`: use it only when there is some conflicts (and an automatic rebase is not possible). **(only for PR)** _[bot, humans]_

 ### Kind
@@ -75,7 +85,7 @@ If we open/look an issue/PR, we must add a `kind/*` and an `area/*`.
  * _Proposal issues_ are design proposal that need to be refined with multiple contributors.
  * _Proposal PRs_ are technical prototypes that need to be refined with multiple contributors.

-* `kind/bug/possible`: if we need to analyze to understand if it's a bug or not. **(only for issues)** _[bot only]_
+* `kind/bug/possible`: if we need to analyze to understand if it's a bug or not. **(only for issues)**
 * `kind/bug/confirmed`: we are sure, it's a bug. **(only for issues)**
 * `kind/bug/fix`: it's a bug fix. **(only for PR)**

--- a/26
+++ b/26
@@ -20,12 +20,16 @@ GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/nul
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+TRAEFIK_DOC_IMAGE := traefik-docs

 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_RUN_DOC_PORT := 8000
+DOCKER_RUN_DOC_MOUNT := -v $(CURDIR):/mkdocs
+DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNT) -p $(DOCKER_RUN_DOC_PORT):8000


 print-%: ; @echo $*=$($*)
@@ -67,9 +71,10 @@ test-unit: build ## run the unit tests

 test-integration: build ## run the integration tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary test-integration
+	TEST_HOST=1 ./script/make.sh test-integration

-validate: build  ## validate gofmt, golint and go vet
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh  validate-glide validate-gofmt validate-govet validate-golint validate-misspell validate-vendor
+validate: build  ## validate code, vendor and autogen
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint validate-misspell validate-vendor validate-autogen

 build: dist
 	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
@@ -89,6 +94,12 @@ image-dirty: binary ## build a docker traefik image
 image: clear-static binary ## clean up static directory and build a docker traefik image
 	docker build -t $(TRAEFIK_IMAGE) .

+docs: docs-image
+	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs serve
+
+docs-image:
+	docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
+
 clear-static:
 	rm -rf static

@@ -97,7 +108,7 @@ dist:

 run-dev:
 	go generate
-	go build
+	go build ./cmd/traefik
 	./traefik

 generate-webui: build-webui
@@ -116,5 +127,12 @@ fmt:
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq  | xargs -P 6 -n 1 docker pull

+dep-ensure:
+	dep ensure -v
+	./script/prune-dep.sh
+
+dep-prune:
+	./script/prune-dep.sh
+
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
--- a/README.md
+++ b/README.md
@@ -12,8 +12,9 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)


-Træfik (pronounced like [traffic](https://speak-ipa.bearbin.net/speak.cgi?speak=%CB%88tr%C3%A6f%C9%AAk)) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), and a lot more) to manage its configuration automatically and dynamically.
+Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Træfik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Telling Træfik where your orchestrator is could be the _only_ configuration step you need to do.

 ---

@@ -36,60 +37,101 @@ It supports several backends ([Docker](https://www.docker.com/), [Swarm mode](ht

 ## Overview

-Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services.
-If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:
+Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul).
+Now you want users to access these microservices, and you need a reverse proxy.

- domain `api.domain.com` will point the microservice `api` in your private network
- path `domain.com/web` will point the microservice `web` in your private network
- domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances
+Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice. 
+In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious. 

-But a microservices architecture is dynamic... Services are added, removed, killed or upgraded often, eventually several times a day.
+**This is when Træfik can help you!**

-Traditional reverse-proxies are not natively dynamic. You can't change their configuration and hot-reload easily.
+Træfik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part. 

-Here enters Træfik.
+**Run Træfik and let it do the work for you!** 
+_(But if you'd rather configure some of your routes manually, Træfik supports that too!)_

 ![Architecture](docs/img/architecture.png)

-Træfik can listen to your service registry/orchestrator API, and knows each time a microservice is added, removed, killed or upgraded, and can generate its configuration automatically.
-Routes to your services will be created instantly.
-
-Run it and forget it!
-
-
 ## Features

- [It's fast](https://docs.traefik.io/benchmarks)
- No dependency hell, single binary made with go
- [Tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
- Rest API
- Hot-reloading of configuration. No need to restart the process
+- Continuously updates its configuration (No restarts!)
+- Supports multiple load balancing algorithms
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
- Round Robin, rebalancer load-balancers
- Metrics (Rest, Prometheus, Datadog, Statd)
- Clean AngularJS Web UI
- Websocket, HTTP/2, GRPC ready
- Access Logs (JSON, CLF)
- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS with renewal)
- [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support
 - High Availability with cluster mode (beta)
+- See the magic through its clean web UI
+- Websocket, HTTP/2, GRPC ready
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
+- Keeps access logs (JSON, CLF)
+- [Fast](https://docs.traefik.io/benchmarks) ... which is nice
+- Exposes a Rest API
+- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image

-## Supported backends

- [Docker](https://www.docker.com/) / [Swarm mode](https://docs.docker.com/engine/swarm/)
- [Kubernetes](https://kubernetes.io)
- [Mesos](https://github.com/apache/mesos) / [Marathon](https://mesosphere.github.io/marathon/)
- [Rancher](https://rancher.com) (API, Metadata)
- [Consul](https://www.consul.io/) / [Etcd](https://coreos.com/etcd/) / [Zookeeper](https://zookeeper.apache.org) / [BoltDB](https://github.com/boltdb/bolt)
- [Eureka](https://github.com/Netflix/eureka)
- [Amazon ECS](https://aws.amazon.com/ecs)
- [Amazon DynamoDB](https://aws.amazon.com/dynamodb)
- File
- Rest API
+## Supported Backends
+
+- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
+- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
+- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
+- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
+- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
+- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
+- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
+- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
+- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
+- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
+- [File](https://docs.traefik.io/configuration/backends/file)
+- [Rest](https://docs.traefik.io/configuration/backends/rest)

 ## Quickstart

-You can have a quick look at Træfik in this [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. If you are looking for a more comprehensive and real use-case example, you can also check [Play-With-Docker](http://training.play-with-docker.com/traefik-load-balancing/) to see how to load balance between multiple nodes.
+To get your hands on Træfik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-trfik-quickstart-using-docker) in our documentation (you will need Docker).
+
+Alternatively, if you don't want to install anything on your computer, you can try Træfik online in this great [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. 
+
+If you are looking for a more comprehensive and real use-case example, you can also check [Play-With-Docker](http://training.play-with-docker.com/traefik-load-balancing/) to see how to load balance between multiple nodes.
+
+## Web UI
+
+You can access the simple HTML frontend of Træfik.
+
+![Web UI Providers](docs/img/web.frontend.png)
+![Web UI Health](docs/img/traefik-health.png)
+
+## Documentation
+
+You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
+A collection of contributions around Træfik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+
+## Support
+
+To get community support, you can:
+- join the Træfik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+
+If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+
+## Download
+
+- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+
+```shell
+./traefik --configFile=traefik.toml
+```
+
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+
+```shell
+docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
+```
+
+- Or get the sources:
+
+```shell
+git clone https://github.com/containous/traefik
+```
+
+## Introductory Videos

 Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at [GopherCon 2017](https://gophercon.com/).
 You will learn Træfik basics in less than 10 minutes.
@@ -101,81 +143,26 @@ You will learn fundamental Træfik features and see some demos with Kubernetes.

 [![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)

-
-## Web UI
-
-You can access the simple HTML frontend of Træfik.
-
-![Web UI Providers](docs/img/web.frontend.png)
-![Web UI Health](docs/img/traefik-health.png)
-
-
-## Test it
-
- The simple way: grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
-
-```shell
-./traefik --configFile=traefik.toml
-```
-
- Use the tiny Docker image and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
-
-```shell
-docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
-```
-
- From sources:
-
-```shell
-git clone https://github.com/containous/traefik
-```
-
-
-## Documentation
-
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
-A collection of contributions around Træfik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
-
-
-## Support
-
-To get basic support, you can:
- join the Træfik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
-
-If you prefer commercial support, please contact [containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
-
-
-## Release cycle
-
- Release: We try to release a new version every 2 months
-  - i.e.: 1.3.0, 1.4.0, 1.5.0
- Release candidate: we do RC (1.**x**.0-rc**y**) before the final release (1.**x**.0)
-  - i.e.: 1.1.0-rc1 -> 1.1.0-rc2 -> 1.1.0-rc3 -> 1.1.0-rc4 -> 1.1.0
- Bug-fixes: For each version we release bug fixes
-  - i.e.: 1.1.1, 1.1.2, 1.1.3
-  - those versions contain only bug-fixes
-  - no additional features are delivered in those versions
- Each version is supported until the next one is released
-  - i.e.: 1.1.x will be supported until 1.2.0 is out
- We use [Semantic Versioning](http://semver.org/)
-
-
-## Contributing
-
-Please refer to [contributing documentation](CONTRIBUTING.md).
-
-
-### Code of Conduct
-
-Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
-By participating in this project you agree to abide by its terms.
-
-
 ## Maintainers

 [Information about process and maintainers](MAINTAINER.md)

+## Contributing
+
+If you'd like to contribute to the project, refer to the [contributing documentation](CONTRIBUTING.md).
+
+Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md).
+By participating in this project, you agree to abide by its terms.
+
+## Release Cycle
+
+- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+
+We use [Semantic Versioning](http://semver.org/)

 ## Plumbing

@@ -184,11 +171,11 @@ By participating in this project you agree to abide by its terms.
 - [Negroni](https://github.com/urfave/negroni): web middlewares made simple
 - [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go

-
 ## Credits

 Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/img/traefik.icon.png).
-Traefik's logo licensed under the Creative Commons 3.0 Attributions license.
+
+Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.

 Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
--- a/acme/account.go
+++ b/acme/account.go
@@ -14,7 +14,8 @@ import (
 	"time"

 	"github.com/containous/traefik/log"
-	"github.com/xenolf/lego/acme"
+	"github.com/containous/traefik/types"
+	acme "github.com/xenolf/lego/acmev2"
 )

 // Account is used to store lets encrypt registration info
@@ -24,6 +25,7 @@ type Account struct {
 	PrivateKey         []byte
 	DomainsCertificate DomainsCertificates
 	ChallengeCerts     map[string]*ChallengeCert
+	HTTPChallenge      map[string]map[string][]byte
 }

 // ChallengeCert stores a challenge certificate
@@ -33,7 +35,7 @@ type ChallengeCert struct {
 	certificate *tls.Certificate
 }

-// Init inits account struct
+// Init account struct
 func (a *Account) Init() error {
 	err := a.DomainsCertificate.Init()
 	if err != nil {
@@ -48,6 +50,7 @@ func (a *Account) Init() error {
 			}
 			cert.certificate = &certificate
 		}
+
 		if cert.certificate.Leaf == nil {
 			leaf, err := x509.ParseCertificate(cert.certificate.Certificate[0])
 			if err != nil {
@@ -60,14 +63,19 @@ func (a *Account) Init() error {
 }

 // NewAccount creates an account
-func NewAccount(email string) (*Account, error) {
+func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, err
 	}
-	domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
-	domainsCerts.Init()
+
+	domainsCerts := DomainsCertificates{Certs: certs}
+	err = domainsCerts.Init()
+	if err != nil {
+		return nil, err
+	}
+
 	return &Account{
 		Email:              email,
 		PrivateKey:         x509.MarshalPKCS1PrivateKey(privateKey),
@@ -90,6 +98,7 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 	if privateKey, err := x509.ParsePKCS1PrivateKey(a.PrivateKey); err == nil {
 		return privateKey
 	}
+
 	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
 	return nil
 }
@@ -121,9 +130,11 @@ func (dc *DomainsCertificates) Less(i, j int) bool {
 	if reflect.DeepEqual(dc.Certs[i].Domains, dc.Certs[j].Domains) {
 		return dc.Certs[i].tlsCert.Leaf.NotAfter.After(dc.Certs[j].tlsCert.Leaf.NotAfter)
 	}
+
 	if dc.Certs[i].Domains.Main == dc.Certs[j].Domains.Main {
 		return strings.Join(dc.Certs[i].Domains.SANs, ",") < strings.Join(dc.Certs[j].Domains.SANs, ",")
 	}
+
 	return dc.Certs[i].Domains.Main < dc.Certs[j].Domains.Main
 }

@@ -141,29 +152,34 @@ func (dc *DomainsCertificates) removeDuplicates() {
 	}
 }

-// Init inits DomainsCertificates
+// Init DomainsCertificates
 func (dc *DomainsCertificates) Init() error {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()
+
 	for _, domainsCertificate := range dc.Certs {
 		tlsCert, err := tls.X509KeyPair(domainsCertificate.Certificate.Certificate, domainsCertificate.Certificate.PrivateKey)
 		if err != nil {
 			return err
 		}
+
 		domainsCertificate.tlsCert = &tlsCert
+
 		if domainsCertificate.tlsCert.Leaf == nil {
 			leaf, err := x509.ParseCertificate(domainsCertificate.tlsCert.Certificate[0])
 			if err != nil {
 				return err
 			}
+
 			domainsCertificate.tlsCert.Leaf = leaf
 		}
 	}
+
 	dc.removeDuplicates()
 	return nil
 }

-func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain Domain) error {
+func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain types.Domain) error {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()

@@ -173,15 +189,17 @@ func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain D
 			if err != nil {
 				return err
 			}
+
 			domainsCertificate.Certificate = acmeCert
 			domainsCertificate.tlsCert = &tlsCert
 			return nil
 		}
 	}
+
 	return fmt.Errorf("certificate to renew not found for domain %s", domain.Main)
 }

-func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain Domain) (*DomainsCertificate, error) {
+func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain types.Domain) (*DomainsCertificate, error) {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()

@@ -189,6 +207,7 @@ func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, d
 	if err != nil {
 		return nil, err
 	}
+
 	cert := DomainsCertificate{Domains: domain, Certificate: acmeCert, tlsCert: &tlsCert}
 	dc.Certs = append(dc.Certs, &cert)
 	return &cert, nil
@@ -197,11 +216,12 @@ func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, d
 func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*DomainsCertificate, bool) {
 	dc.lock.RLock()
 	defer dc.lock.RUnlock()
+
 	for _, domainsCertificate := range dc.Certs {
-		domains := []string{}
-		domains = append(domains, domainsCertificate.Domains.Main)
-		domains = append(domains, domainsCertificate.Domains.SANs...)
-		for _, domain := range domains {
+		for _, domain := range domainsCertificate.Domains.ToStrArray() {
+			if strings.HasPrefix(domain, "*.") && types.MatchDomain(domainToFind, domain) {
+				return domainsCertificate, true
+			}
 			if domain == domainToFind {
 				return domainsCertificate, true
 			}
@@ -210,9 +230,10 @@ func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*Do
 	return nil, false
 }

-func (dc *DomainsCertificates) exists(domainToFind Domain) (*DomainsCertificate, bool) {
+func (dc *DomainsCertificates) exists(domainToFind types.Domain) (*DomainsCertificate, bool) {
 	dc.lock.RLock()
 	defer dc.lock.RUnlock()
+
 	for _, domainsCertificate := range dc.Certs {
 		if reflect.DeepEqual(domainToFind, domainsCertificate.Domains) {
 			return domainsCertificate, true
@@ -221,9 +242,29 @@ func (dc *DomainsCertificates) exists(domainToFind Domain) (*DomainsCertificate,
 	return nil, false
 }

+func (dc *DomainsCertificates) toDomainsMap() map[string]*tls.Certificate {
+	domainsCertificatesMap := make(map[string]*tls.Certificate)
+
+	for _, domainCertificate := range dc.Certs {
+		certKey := domainCertificate.Domains.Main
+
+		if domainCertificate.Domains.SANs != nil {
+			sort.Strings(domainCertificate.Domains.SANs)
+
+			for _, dnsName := range domainCertificate.Domains.SANs {
+				if dnsName != domainCertificate.Domains.Main {
+					certKey += fmt.Sprintf(",%s", dnsName)
+				}
+			}
+		}
+		domainsCertificatesMap[certKey] = domainCertificate.tlsCert
+	}
+	return domainsCertificatesMap
+}
+
 // DomainsCertificate contains a certificate for multiple domains
 type DomainsCertificate struct {
-	Domains     Domain
+	Domains     types.Domain
 	Certificate *Certificate
 	tlsCert     *tls.Certificate
 }
@@ -235,8 +276,9 @@ func (dc *DomainsCertificate) needRenew() bool {
 			// If there's an error, we assume the cert is broken, and needs update
 			return true
 		}
+
 		// <= 30 days left, renew certificate
-		if crt.NotAfter.Before(time.Now().Add(time.Duration(24 * 30 * time.Hour))) {
+		if crt.NotAfter.Before(time.Now().Add(24 * 30 * time.Hour)) {
 			return true
 		}
 	}
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -7,20 +7,26 @@ import (
 	"fmt"
 	"io/ioutil"
 	fmtlog "log"
+	"net"
+	"net/http"
 	"os"
-	"regexp"
+	"reflect"
 	"strings"
 	"time"

 	"github.com/BurntSushi/ty/fun"
 	"github.com/cenk/backoff"
+	"github.com/containous/flaeg"
+	"github.com/containous/mux"
 	"github.com/containous/staert"
 	"github.com/containous/traefik/cluster"
 	"github.com/containous/traefik/log"
+	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
 	"github.com/eapache/channels"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 	"github.com/xenolf/lego/providers/dns"
 )

@@ -30,66 +36,29 @@ var (
 )

 // ACME allows to connect to lets encrypt and retrieve certs
+// Deprecated Please use provider/acme/Provider
 type ACME struct {
-	Email               string   `description:"Email address used for registration"`
-	Domains             []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
-	Storage             string   `description:"File or key used for certificates storage."`
-	StorageFile         string   // deprecated
-	OnDemand            bool     `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."`
-	OnHostRule          bool     `description:"Enable certificate generation on frontends Host rules."`
-	CAServer            string   `description:"CA server to use."`
-	EntryPoint          string   `description:"Entrypoint to proxy acme challenge to."`
-	DNSProvider         string   `description:"Use a DNS based challenge provider rather than HTTPS."`
-	DelayDontCheckDNS   int      `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."`
-	ACMELogging         bool     `description:"Enable debug logging of ACME actions."`
-	client              *acme.Client
-	defaultCertificate  *tls.Certificate
-	store               cluster.Store
-	challengeProvider   *challengeProvider
-	checkOnDemandDomain func(domain string) bool
-	jobs                *channels.InfiniteChannel
-	TLSConfig           *tls.Config `description:"TLS config in case wildcard certs are used"`
-}
-
-//Domains parse []Domain
-type Domains []Domain
-
-//Set []Domain
-func (ds *Domains) Set(str string) error {
-	fargs := func(c rune) bool {
-		return c == ',' || c == ';'
-	}
-	// get function
-	slice := strings.FieldsFunc(str, fargs)
-	if len(slice) < 1 {
-		return fmt.Errorf("Parse error ACME.Domain. Imposible to parse %s", str)
-	}
-	d := Domain{
-		Main: slice[0],
-		SANs: []string{},
-	}
-	if len(slice) > 1 {
-		d.SANs = slice[1:]
-	}
-	*ds = append(*ds, d)
-	return nil
-}
-
-//Get []Domain
-func (ds *Domains) Get() interface{} { return []Domain(*ds) }
-
-//String returns []Domain in string
-func (ds *Domains) String() string { return fmt.Sprintf("%+v", *ds) }
-
-//SetValue sets []Domain into the parser
-func (ds *Domains) SetValue(val interface{}) {
-	*ds = Domains(val.([]Domain))
-}
-
-// Domain holds a domain name with SANs
-type Domain struct {
-	Main string
-	SANs []string
+	Email                 string                      `description:"Email address used for registration"`
+	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
+	Storage               string                      `description:"File or key used for certificates storage."`
+	StorageFile           string                      // deprecated
+	OnDemand              bool                        `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
+	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
+	CAServer              string                      `description:"CA server to use."`
+	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
+	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
+	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
+	DNSProvider           string                      `description:"Activate DNS-01 Challenge (Deprecated)"`                                                       // deprecated
+	DelayDontCheckDNS     flaeg.Duration              `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // deprecated
+	ACMELogging           bool                        `description:"Enable debug logging of ACME actions."`
+	client                *acme.Client
+	defaultCertificate    *tls.Certificate
+	store                 cluster.Store
+	challengeHTTPProvider *challengeHTTPProvider
+	checkOnDemandDomain   func(domain string) bool
+	jobs                  *channels.InfiniteChannel
+	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used"`
+	dynamicCerts          *safe.Safe
 }

 func (a *ACME) init() error {
@@ -99,22 +68,46 @@ func (a *ACME) init() error {
 		acme.Logger = fmtlog.New(ioutil.Discard, "", 0)
 	}
 	// no certificates in TLS config, so we add a default one
-	cert, err := generateDefaultCertificate()
+	cert, err := generate.DefaultCertificate()
 	if err != nil {
 		return err
 	}
 	a.defaultCertificate = cert
-	// TODO: to remove in the futurs
-	if len(a.StorageFile) > 0 && len(a.Storage) == 0 {
-		log.Warn("ACME.StorageFile is deprecated, use ACME.Storage instead")
-		a.Storage = a.StorageFile
-	}
+
 	a.jobs = channels.NewInfiniteChannel()
 	return nil
 }

+// AddRoutes add routes on internal router
+func (a *ACME) AddRoutes(router *mux.Router) {
+	router.Methods(http.MethodGet).
+		Path(acme.HTTP01ChallengePath("{token}")).
+		Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+			if a.challengeHTTPProvider == nil {
+				rw.WriteHeader(http.StatusNotFound)
+				return
+			}
+
+			vars := mux.Vars(req)
+			if token, ok := vars["token"]; ok {
+				domain, _, err := net.SplitHostPort(req.Host)
+				if err != nil {
+					log.Debugf("Unable to split host and port: %v. Fallback to request host.", err)
+					domain = req.Host
+				}
+				tokenValue := a.challengeHTTPProvider.getTokenValue(token, domain)
+				if len(tokenValue) > 0 {
+					rw.WriteHeader(http.StatusOK)
+					rw.Write(tokenValue)
+					return
+				}
+			}
+			rw.WriteHeader(http.StatusNotFound)
+		}))
+}
+
 // CreateClusterConfig creates a tls.config using ACME configuration in cluster mode
-func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tls.Config, checkOnDemandDomain func(domain string) bool) error {
+func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
 	err := a.init()
 	if err != nil {
 		return err
@@ -123,6 +116,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 		return errors.New("Empty Store, please provide a key for certs storage")
 	}
 	a.checkOnDemandDomain = checkOnDemandDomain
+	a.dynamicCerts = certs
 	tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
 	tlsConfig.GetCertificate = a.getCertificate
 	a.TLSConfig = tlsConfig
@@ -151,7 +145,6 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 	}

 	a.store = datastore
-	a.challengeProvider = &challengeProvider{store: a.store}

 	ticker := time.NewTicker(24 * time.Hour)
 	leadership.Pool.AddGoCtx(func(ctx context.Context) {
@@ -167,160 +160,65 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 		}
 	})

-	leadership.AddListener(func(elected bool) error {
-		if elected {
-			_, err := a.store.Load()
-			if err != nil {
-				return err
-			}
-			transaction, object, err := a.store.Begin()
-			if err != nil {
-				return err
-			}
-			account := object.(*Account)
-			account.Init()
-			var needRegister bool
-			if account == nil || len(account.Email) == 0 {
-				account, err = NewAccount(a.Email)
-				if err != nil {
-					return err
-				}
-				needRegister = true
-			}
-			if err != nil {
-				return err
-			}
-			a.client, err = a.buildACMEClient(account)
-			if err != nil {
-				return err
-			}
-			if needRegister {
-				// New users will need to register; be sure to save it
-				log.Debug("Register...")
-				reg, err := a.client.Register()
-				if err != nil {
-					return err
-				}
-				account.Registration = reg
-			}
-			// The client has a URL to the current Let's Encrypt Subscriber
-			// Agreement. The user will need to agree to it.
-			log.Debug("AgreeToTOS...")
-			err = a.client.AgreeToTOS()
-			if err != nil {
-				// Let's Encrypt Subscriber Agreement renew ?
-				reg, err := a.client.QueryRegistration()
-				if err != nil {
-					return err
-				}
-				account.Registration = reg
-				err = a.client.AgreeToTOS()
-				if err != nil {
-					log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
-				}
-			}
-			err = transaction.Commit(account)
-			if err != nil {
-				return err
-			}
-
-			a.retrieveCertificates()
-			a.renewCertificates()
-			a.runJobs()
-		}
-		return nil
-	})
+	leadership.AddListener(a.leadershipListener)
 	return nil
 }

-// CreateLocalConfig creates a tls.config using local ACME configuration
-func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func(domain string) bool) error {
-	err := a.init()
-	if err != nil {
-		return err
-	}
-	if len(a.Storage) == 0 {
-		return errors.New("Empty Store, please provide a filename for certs storage")
-	}
-	a.checkOnDemandDomain = checkOnDemandDomain
-	tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
-	tlsConfig.GetCertificate = a.getCertificate
-	a.TLSConfig = tlsConfig
-	localStore := NewLocalStore(a.Storage)
-	a.store = localStore
-	a.challengeProvider = &challengeProvider{store: a.store}
-
-	var needRegister bool
-	var account *Account
-
-	if fileInfo, fileErr := os.Stat(a.Storage); fileErr == nil && fileInfo.Size() != 0 {
-		log.Info("Loading ACME Account...")
-		// load account
-		object, err := localStore.Load()
+func (a *ACME) leadershipListener(elected bool) error {
+	if elected {
+		_, err := a.store.Load()
 		if err != nil {
 			return err
 		}
-		account = object.(*Account)
-	} else {
-		log.Info("Generating ACME Account...")
-		account, err = NewAccount(a.Email)
+
+		transaction, object, err := a.store.Begin()
 		if err != nil {
 			return err
 		}
-		needRegister = true
-	}

-	a.client, err = a.buildACMEClient(account)
-	if err != nil {
-		return err
-	}
+		account := object.(*Account)
+		account.Init()

-	if needRegister {
-		// New users will need to register; be sure to save it
-		log.Info("Register...")
-		reg, err := a.client.Register()
+		var needRegister bool
+		if account == nil || len(account.Email) == 0 {
+			domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
+			if account != nil {
+				domainsCerts = account.DomainsCertificate
+			}
+
+			account, err = NewAccount(a.Email, domainsCerts.Certs)
+			if err != nil {
+				return err
+			}
+
+			needRegister = true
+		}
+
+		a.client, err = a.buildACMEClient(account)
 		if err != nil {
 			return err
 		}
-		account.Registration = reg
-	}
+		if needRegister {
+			// New users will need to register; be sure to save it
+			log.Debug("Register...")

-	// The client has a URL to the current Let's Encrypt Subscriber
-	// Agreement. The user will need to agree to it.
-	log.Debug("AgreeToTOS...")
-	err = a.client.AgreeToTOS()
-	if err != nil {
-		// Let's Encrypt Subscriber Agreement renew ?
-		reg, err := a.client.QueryRegistration()
+			reg, err := a.client.Register(true)
+			if err != nil {
+				return err
+			}
+
+			account.Registration = reg
+		}
+
+		err = transaction.Commit(account)
 		if err != nil {
 			return err
 		}
-		account.Registration = reg
-		err = a.client.AgreeToTOS()
-		if err != nil {
-			log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
-		}
-	}
-	// save account
-	transaction, _, err := a.store.Begin()
-	if err != nil {
-		return err
-	}
-	err = transaction.Commit(account)
-	if err != nil {
-		return err
-	}

-	a.retrieveCertificates()
-	a.renewCertificates()
-	a.runJobs()
-
-	ticker := time.NewTicker(24 * time.Hour)
-	safe.Go(func() {
-		for range ticker.C {
-			a.renewCertificates()
-		}
-	})
+		a.retrieveCertificates()
+		a.renewCertificates()
+		a.runJobs()
+	}
 	return nil
 }

@@ -328,14 +226,10 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 	domain := types.CanonicalDomain(clientHello.ServerName)
 	account := a.store.Get().(*Account)

-	if providedCertificate := a.getProvidedCertificate([]string{domain}); providedCertificate != nil {
+	if providedCertificate := a.getProvidedCertificate(domain); providedCertificate != nil {
 		return providedCertificate, nil
 	}

-	if challengeCert, ok := a.challengeProvider.getCertificate(domain); ok {
-		log.Debugf("ACME got challenge %s", domain)
-		return challengeCert, nil
-	}
 	if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(domain); ok {
 		log.Debugf("ACME got domain cert %s", domain)
 		return domainCert.tlsCert, nil
@@ -346,87 +240,84 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 		}
 		return a.loadCertificateOnDemand(clientHello)
 	}
-	log.Debugf("ACME got nothing %s", domain)
+	log.Debugf("No certificate found or generated for %s", domain)
 	return nil, nil
 }

 func (a *ACME) retrieveCertificates() {
 	a.jobs.In() <- func() {
 		log.Info("Retrieving ACME certificates...")
-		for _, domain := range a.Domains {
+
+		a.deleteUnnecessaryDomains()
+
+		for i := 0; i < len(a.Domains); i++ {
+			domain := a.Domains[i]
+
 			// check if cert isn't already loaded
 			account := a.store.Get().(*Account)
 			if _, exists := account.DomainsCertificate.exists(domain); !exists {
-				domains := []string{}
+				var domains []string
 				domains = append(domains, domain.Main)
 				domains = append(domains, domain.SANs...)
+				domains, err := a.getValidDomains(domains, true)
+				if err != nil {
+					log.Errorf("Error validating ACME certificate for domain %q: %s", domains, err)
+					continue
+				}
+
 				certificateResource, err := a.getDomainsCertificates(domains)
 				if err != nil {
-					log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
+					log.Errorf("Error getting ACME certificate for domain %q: %s", domains, err)
 					continue
 				}
+
 				transaction, object, err := a.store.Begin()
 				if err != nil {
-					log.Errorf("Error creating ACME store transaction from domain %s: %s", domain, err.Error())
+					log.Errorf("Error creating ACME store transaction from domain %q: %s", domain, err)
 					continue
 				}
+
 				account = object.(*Account)
 				_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
 				if err != nil {
-					log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
+					log.Errorf("Error adding ACME certificate for domain %q: %s", domains, err)
 					continue
 				}

 				if err = transaction.Commit(account); err != nil {
-					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+					log.Errorf("Error Saving ACME account %+v: %s", account, err)
 					continue
 				}
 			}
 		}
+
 		log.Info("Retrieved ACME certificates")
 	}
 }

 func (a *ACME) renewCertificates() {
 	a.jobs.In() <- func() {
-		log.Debug("Testing certificate renew...")
+		log.Info("Testing certificate renew...")
 		account := a.store.Get().(*Account)
 		for _, certificateResource := range account.DomainsCertificate.Certs {
 			if certificateResource.needRenew() {
-				log.Debugf("Renewing certificate %+v", certificateResource.Domains)
-				renewedCert, err := a.client.RenewCertificate(acme.CertificateResource{
-					Domain:        certificateResource.Certificate.Domain,
-					CertURL:       certificateResource.Certificate.CertURL,
-					CertStableURL: certificateResource.Certificate.CertStableURL,
-					PrivateKey:    certificateResource.Certificate.PrivateKey,
-					Certificate:   certificateResource.Certificate.Certificate,
-				}, true, OSCPMustStaple)
+				log.Infof("Renewing certificate from LE : %+v", certificateResource.Domains)
+				renewedACMECert, err := a.renewACMECertificate(certificateResource)
 				if err != nil {
-					log.Errorf("Error renewing certificate: %v", err)
+					log.Errorf("Error renewing certificate from LE: %v", err)
 					continue
 				}
-				log.Debugf("Renewed certificate %+v", certificateResource.Domains)
-				renewedACMECert := &Certificate{
-					Domain:        renewedCert.Domain,
-					CertURL:       renewedCert.CertURL,
-					CertStableURL: renewedCert.CertStableURL,
-					PrivateKey:    renewedCert.PrivateKey,
-					Certificate:   renewedCert.Certificate,
+				operation := func() error {
+					return a.storeRenewedCertificate(certificateResource, renewedACMECert)
 				}
-				transaction, object, err := a.store.Begin()
+				notify := func(err error, time time.Duration) {
+					log.Warnf("Renewed certificate storage error: %v, retrying in %s", err, time)
+				}
+				ebo := backoff.NewExponentialBackOff()
+				ebo.MaxElapsedTime = 60 * time.Second
+				err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 				if err != nil {
-					log.Errorf("Error renewing certificate: %v", err)
-					continue
-				}
-				account = object.(*Account)
-				err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
-				if err != nil {
-					log.Errorf("Error renewing certificate: %v", err)
-					continue
-				}
-
-				if err = transaction.Commit(account); err != nil {
-					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+					log.Errorf("Datastore cannot sync: %v", err)
 					continue
 				}
 			}
@@ -434,23 +325,73 @@ func (a *ACME) renewCertificates() {
 	}
 }

-func dnsOverrideDelay(delay int) error {
+func (a *ACME) renewACMECertificate(certificateResource *DomainsCertificate) (*Certificate, error) {
+	renewedCert, err := a.client.RenewCertificate(acme.CertificateResource{
+		Domain:        certificateResource.Certificate.Domain,
+		CertURL:       certificateResource.Certificate.CertURL,
+		CertStableURL: certificateResource.Certificate.CertStableURL,
+		PrivateKey:    certificateResource.Certificate.PrivateKey,
+		Certificate:   certificateResource.Certificate.Certificate,
+	}, true, OSCPMustStaple)
+	if err != nil {
+		return nil, err
+	}
+	log.Infof("Renewed certificate from  LE: %+v", certificateResource.Domains)
+	return &Certificate{
+		Domain:        renewedCert.Domain,
+		CertURL:       renewedCert.CertURL,
+		CertStableURL: renewedCert.CertStableURL,
+		PrivateKey:    renewedCert.PrivateKey,
+		Certificate:   renewedCert.Certificate,
+	}, nil
+}
+
+func (a *ACME) storeRenewedCertificate(certificateResource *DomainsCertificate, renewedACMECert *Certificate) error {
+	transaction, object, err := a.store.Begin()
+	if err != nil {
+		return fmt.Errorf("error during transaction initialization for renewing certificate: %v", err)
+	}
+
+	log.Infof("Renewing certificate in data store : %+v ", certificateResource.Domains)
+	account := object.(*Account)
+	err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
+	if err != nil {
+		return fmt.Errorf("error renewing certificate in datastore: %v ", err)
+	}
+
+	log.Infof("Commit certificate renewed in data store : %+v", certificateResource.Domains)
+	if err = transaction.Commit(account); err != nil {
+		return fmt.Errorf("error saving ACME account %+v: %v", account, err)
+	}
+
+	oldAccount := a.store.Get().(*Account)
+	for _, oldCertificateResource := range oldAccount.DomainsCertificate.Certs {
+		if oldCertificateResource.Domains.Main == certificateResource.Domains.Main && strings.Join(oldCertificateResource.Domains.SANs, ",") == strings.Join(certificateResource.Domains.SANs, ",") && certificateResource.Certificate != renewedACMECert {
+			return fmt.Errorf("renewed certificate not stored: %+v", certificateResource.Domains)
+		}
+	}
+
+	log.Infof("Certificate successfully renewed in data store: %+v", certificateResource.Domains)
+	return nil
+}
+
+func dnsOverrideDelay(delay flaeg.Duration) error {
 	var err error
 	if delay > 0 {
-		log.Debugf("Delaying %d seconds rather than validating DNS propagation", delay)
+		log.Debugf("Delaying %d rather than validating DNS propagation", delay)
 		acme.PreCheckDNS = func(_, _ string) (bool, error) {
-			time.Sleep(time.Duration(delay) * time.Second)
+			time.Sleep(time.Duration(delay))
 			return true, nil
 		}
 	} else if delay < 0 {
-		err = fmt.Errorf("Invalid negative DelayDontCheckDNS: %d", delay)
+		err = fmt.Errorf("invalid negative DelayBeforeCheck: %d", delay)
 	}
 	return err
 }

 func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 	log.Debug("Building ACME client...")
-	caServer := "https://acme-v01.api.letsencrypt.org/directory"
+	caServer := "https://acme-v02.api.letsencrypt.org/directory"
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
 	}
@@ -459,25 +400,29 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 		return nil, err
 	}

-	if len(a.DNSProvider) > 0 {
-		log.Debugf("Using DNS Challenge provider: %s", a.DNSProvider)
+	if a.DNSChallenge != nil && len(a.DNSChallenge.Provider) > 0 {
+		log.Debugf("Using DNS Challenge provider: %s", a.DNSChallenge.Provider)

-		err = dnsOverrideDelay(a.DelayDontCheckDNS)
+		err = dnsOverrideDelay(a.DNSChallenge.DelayBeforeCheck)
 		if err != nil {
 			return nil, err
 		}

 		var provider acme.ChallengeProvider
-		provider, err = dns.NewDNSChallengeProviderByName(a.DNSProvider)
+		provider, err = dns.NewDNSChallengeProviderByName(a.DNSChallenge.Provider)
 		if err != nil {
 			return nil, err
 		}

-		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
 		err = client.SetChallengeProvider(acme.DNS01, provider)
+	} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
+		log.Debug("Using HTTP Challenge provider.")
+		client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
+		a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
+		err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
 	} else {
-		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
-		err = client.SetChallengeProvider(acme.TLSSNI01, a.challengeProvider)
+		return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
 	}

 	if err != nil {
@@ -503,7 +448,7 @@ func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.C
 		return nil, err
 	}
 	account = object.(*Account)
-	cert, err := account.DomainsCertificate.addCertificateForDomains(certificate, Domain{Main: domain})
+	cert, err := account.DomainsCertificate.addCertificateForDomains(certificate, types.Domain{Main: domain})
 	if err != nil {
 		return nil, err
 	}
@@ -518,15 +463,9 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 	a.jobs.In() <- func() {
 		log.Debugf("LoadCertificateForDomains %v...", domains)

-		if len(domains) == 0 {
-			// no domain
-			return
-		}
-
-		domains = fun.Map(types.CanonicalDomain, domains).([]string)
-
-		// Check provided certificates
-		if a.getProvidedCertificate(domains) != nil {
+		domains, err := a.getValidDomains(domains, false)
+		if err != nil {
+			log.Errorf("Error getting valid domain: %v", err)
 			return
 		}

@@ -541,38 +480,40 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 		}
 		ebo := backoff.NewExponentialBackOff()
 		ebo.MaxElapsedTime = 30 * time.Second
-		err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
+		err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 		if err != nil {
 			log.Errorf("Error getting ACME client: %v", err)
 			return
 		}
 		account := a.store.Get().(*Account)
-		var domain Domain
-		if len(domains) > 1 {
-			domain = Domain{Main: domains[0], SANs: domains[1:]}
-		} else {
-			domain = Domain{Main: domains[0]}
-		}
-		if _, exists := account.DomainsCertificate.exists(domain); exists {
-			// domain already exists
+
+		// Check provided certificates
+		uncheckedDomains := a.getUncheckedDomains(domains, account)
+		if len(uncheckedDomains) == 0 {
 			return
 		}
-		certificate, err := a.getDomainsCertificates(domains)
+		certificate, err := a.getDomainsCertificates(uncheckedDomains)
 		if err != nil {
-			log.Errorf("Error getting ACME certificates %+v : %v", domains, err)
+			log.Errorf("Error getting ACME certificates %+v : %v", uncheckedDomains, err)
 			return
 		}
-		log.Debugf("Got certificate for domains %+v", domains)
+		log.Debugf("Got certificate for domains %+v", uncheckedDomains)
 		transaction, object, err := a.store.Begin()

 		if err != nil {
-			log.Errorf("Error creating transaction %+v : %v", domains, err)
+			log.Errorf("Error creating transaction %+v : %v", uncheckedDomains, err)
 			return
 		}
+		var domain types.Domain
+		if len(uncheckedDomains) > 1 {
+			domain = types.Domain{Main: uncheckedDomains[0], SANs: uncheckedDomains[1:]}
+		} else {
+			domain = types.Domain{Main: uncheckedDomains[0]}
+		}
 		account = object.(*Account)
 		_, err = account.DomainsCertificate.addCertificateForDomains(certificate, domain)
 		if err != nil {
-			log.Errorf("Error adding ACME certificates %+v : %v", domains, err)
+			log.Errorf("Error adding ACME certificates %+v : %v", uncheckedDomains, err)
 			return
 		}
 		if err = transaction.Commit(account); err != nil {
@@ -583,28 +524,89 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 }

 // Get provided certificate which check a domains list (Main and SANs)
-func (a *ACME) getProvidedCertificate(domains []string) *tls.Certificate {
+// from static and dynamic provided certificates
+func (a *ACME) getProvidedCertificate(domains string) *tls.Certificate {
+	log.Debugf("Looking for provided certificate to validate %s...", domains)
+	cert := searchProvidedCertificateForDomains(domains, a.TLSConfig.NameToCertificate)
+	if cert == nil && a.dynamicCerts != nil && a.dynamicCerts.Get() != nil {
+		cert = searchProvidedCertificateForDomains(domains, a.dynamicCerts.Get().(map[string]*tls.Certificate))
+	}
+	if cert == nil {
+		log.Debugf("No provided certificate found for domains %s, get ACME certificate.", domains)
+	}
+	return cert
+}
+
+func searchProvidedCertificateForDomains(domain string, certs map[string]*tls.Certificate) *tls.Certificate {
 	// Use regex to test for provided certs that might have been added into TLSConfig
-	providedCertMatch := false
-	log.Debugf("Look for provided certificate to validate %s...", domains)
-	for k := range a.TLSConfig.NameToCertificate {
-		selector := "^" + strings.Replace(k, "*.", "[^\\.]*\\.?", -1) + "$"
-		for _, domainToCheck := range domains {
-			providedCertMatch, _ = regexp.MatchString(selector, domainToCheck)
-			if !providedCertMatch {
+	for certDomains := range certs {
+		domainChecked := false
+		for _, certDomain := range strings.Split(certDomains, ",") {
+			domainChecked = types.MatchDomain(domain, certDomain)
+			if domainChecked {
 				break
 			}
 		}
-		if providedCertMatch {
-			log.Debugf("Got provided certificate for domains %s", domains)
-			return a.TLSConfig.NameToCertificate[k]
-
+		if domainChecked {
+			log.Debugf("Domain %q checked by provided certificate %q", domain, certDomains)
+			return certs[certDomains]
 		}
 	}
-	log.Debugf("No provided certificate found for domains %s, get ACME certificate.", domains)
 	return nil
 }

+// Get provided certificate which check a domains list (Main and SANs)
+// from static and dynamic provided certificates
+func (a *ACME) getUncheckedDomains(domains []string, account *Account) []string {
+	log.Debugf("Looking for provided certificate to validate %s...", domains)
+	allCerts := make(map[string]*tls.Certificate)
+
+	// Get static certificates
+	for domains, certificate := range a.TLSConfig.NameToCertificate {
+		allCerts[domains] = certificate
+	}
+
+	// Get dynamic certificates
+	if a.dynamicCerts != nil && a.dynamicCerts.Get() != nil {
+		for domains, certificate := range a.dynamicCerts.Get().(map[string]*tls.Certificate) {
+			allCerts[domains] = certificate
+		}
+	}
+
+	// Get ACME certificates
+	if account != nil {
+		for domains, certificate := range account.DomainsCertificate.toDomainsMap() {
+			allCerts[domains] = certificate
+		}
+	}
+
+	// Get Configuration Domains
+	for i := 0; i < len(a.Domains); i++ {
+		allCerts[a.Domains[i].Main] = &tls.Certificate{}
+		for _, san := range a.Domains[i].SANs {
+			allCerts[san] = &tls.Certificate{}
+		}
+	}
+
+	return searchUncheckedDomains(domains, allCerts)
+}
+
+func searchUncheckedDomains(domains []string, certs map[string]*tls.Certificate) []string {
+	var uncheckedDomains []string
+	for _, domainToCheck := range domains {
+		if !isDomainAlreadyChecked(domainToCheck, certs) {
+			uncheckedDomains = append(uncheckedDomains, domainToCheck)
+		}
+	}
+
+	if len(uncheckedDomains) == 0 {
+		log.Debugf("No ACME certificate to generate for domains %q.", domains)
+	} else {
+		log.Debugf("Domains %q need ACME certificates generation for domains %q.", domains, strings.Join(uncheckedDomains, ","))
+	}
+	return uncheckedDomains
+}
+
 func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 	domains = fun.Map(types.CanonicalDomain, domains).([]string)
 	log.Debugf("Loading ACME certificates %s...", domains)
@@ -612,7 +614,7 @@ func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 	certificate, failures := a.client.ObtainCertificate(domains, bundle, nil, OSCPMustStaple)
 	if len(failures) > 0 {
 		log.Error(failures)
-		return nil, fmt.Errorf("Cannot obtain certificates %s+v", failures)
+		return nil, fmt.Errorf("cannot obtain certificates %+v", failures)
 	}
 	log.Debugf("Loaded ACME certificates %s", domains)
 	return &Certificate{
@@ -632,3 +634,105 @@ func (a *ACME) runJobs() {
 		}
 	})
 }
+
+// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
+func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string, error) {
+	// Check if the domains array is empty or contains only one empty value
+	if len(domains) == 0 || (len(domains) == 1 && len(domains[0]) == 0) {
+		return nil, errors.New("unable to generate a certificate when no domain is given")
+	}
+
+	if strings.HasPrefix(domains[0], "*") {
+		if !wildcardAllowed {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q from a 'Host' rule", strings.Join(domains, ","))
+		}
+
+		if a.DNSChallenge == nil && len(a.DNSProvider) == 0 {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
+		}
+		if strings.HasPrefix(domains[0], "*.*") {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME does not allow '*.*' wildcard domain", strings.Join(domains, ","))
+		}
+	}
+	for _, san := range domains[1:] {
+		if strings.HasPrefix(san, "*") {
+			return nil, fmt.Errorf("unable to generate a certificate for domains %q: SANs can not be a wildcard domain", strings.Join(domains, ","))
+
+		}
+	}
+
+	domains = fun.Map(types.CanonicalDomain, domains).([]string)
+	return domains, nil
+}
+
+func isDomainAlreadyChecked(domainToCheck string, existentDomains map[string]*tls.Certificate) bool {
+	for certDomains := range existentDomains {
+		for _, certDomain := range strings.Split(certDomains, ",") {
+			if types.MatchDomain(domainToCheck, certDomain) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// deleteUnnecessaryDomains deletes from the configuration :
+// - Duplicated domains
+// - Domains which are checked by wildcard domain
+func (a *ACME) deleteUnnecessaryDomains() {
+	var newDomains []types.Domain
+
+	for idxDomainToCheck, domainToCheck := range a.Domains {
+		keepDomain := true
+
+		for idxDomain, domain := range a.Domains {
+			if idxDomainToCheck == idxDomain {
+				continue
+			}
+
+			if reflect.DeepEqual(domain, domainToCheck) {
+				if idxDomainToCheck > idxDomain {
+					log.Warnf("The domain %v is duplicated in the configuration but will be process by ACME only once.", domainToCheck)
+					keepDomain = false
+				}
+				break
+			}
+
+			var newDomainsToCheck []string
+
+			// Check if domains can be validated by the wildcard domain
+			domainsMap := make(map[string]*tls.Certificate)
+			domainsMap[domain.Main] = &tls.Certificate{}
+			if len(domain.SANs) > 0 {
+				domainsMap[strings.Join(domain.SANs, ",")] = &tls.Certificate{}
+			}
+
+			for _, domainProcessed := range domainToCheck.ToStrArray() {
+				if idxDomain < idxDomainToCheck && isDomainAlreadyChecked(domainProcessed, domainsMap) {
+					// The domain is duplicated in a CN
+					log.Warnf("Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once.", domainProcessed, domain)
+					continue
+				} else if domain.Main != domainProcessed && strings.HasPrefix(domain.Main, "*") && types.MatchDomain(domainProcessed, domain.Main) {
+					// Check if a wildcard can validate the domain
+					log.Warnf("Domain %q will not be processed by ACME provider because it is validated by the wildcard %q", domainProcessed, domain.Main)
+					continue
+				}
+				newDomainsToCheck = append(newDomainsToCheck, domainProcessed)
+			}
+
+			// Delete the domain if both Main and SANs can be validated by the wildcard domain
+			// otherwise keep the unchecked values
+			if newDomainsToCheck == nil {
+				keepDomain = false
+				break
+			}
+			domainToCheck.Set(newDomainsToCheck)
+		}
+
+		if keepDomain {
+			newDomains = append(newDomains, domainToCheck)
+		}
+	}
+
+	a.Domains = newDomains
+}
--- a/acme/acme_example.json
+++ b/acme/acme_example.json
@@ -0,0 +1,43 @@
+{
+  "Email": "test@traefik.io",
+  "Registration": {
+    "body": {
+      "resource": "reg",
+      "id": 3,
+      "key": {
+        "kty": "RSA",
+        "n": "y5a71suIqvEtovDmDVQ3SSNagk5IVCFI_TvqWpEXSrdbcDE2C-PTEtEUJuLkYwygcpiWYbPmXgdS628vQCw5Uo4DeDyHiuysJOWBLaWow3p9goOdhnPbGBq0liIR9xXyRoctdipVk8UiO9scWsu4jMBM3sMr7_yBWPfYYiLEQmZGFO3iE7Oqr55h_kncHIj5lUQY1j_jkftqxlxUB5_0quyJ7l915j5QY--eY7h4GEhRvx0TlUpi-CnRtRblGeDDDilXZD6bQN2962WdKecsmRaYx-ttLz6jCPXz2VDJRWNcIS501ne2Zh3hzw_DS6IRd2GIia1Wg4sisi9epC9sumXPHi6xzR6-_i_nsFjdtTkUcV8HmorOYoc820KQVZaLScxa8e7-ixpOd6mr6AIbEf7dBAkb9f_iK3GwpqKD8yNcaj1EQgNSyJSjnKSulXI_GwkGnuXe00Qpb1a8ha5Z8yWg7XmZZnJyAZrmK60RfwRNQ1rO5ioerNUBJ2KYTYNzVjBdob9Ug6Cjh4bEKNNjqcbjQ50_Z97Vw40xzpDQ_fYllc6n92eSuv6olxFJTmK7EhHuanDzITngaqei3zL9RwQ7P-1jfEZ03qmGrQYYqXcsS46PQ8cE-frzY2mKp16pRNCG7-03gKVGV0JHyW1aYbevNUk7OumCAXhC2YOigBk",
+        "e": "AQAB"
+      },
+      "contact": [
+        "mailto:test@traefik.io"
+      ],
+      "agreement": "http://boulder:4000/terms/v1"
+    },
+    "uri": "http://127.0.0.1:4000/acme/reg/3",
+    "new_authzr_uri": "http://127.0.0.1:4000/acme/new-authz",
+    "terms_of_service": "http://boulder:4000/terms/v1"
+  },
+  "PrivateKey": "MIIJJwIBAAKCAgEAy5a71suIqvEtovDmDVQ3SSNagk5IVCFI/TvqWpEXSrdbcDE2C+PTEtEUJuLkYwygcpiWYbPmXgdS628vQCw5Uo4DeDyHiuysJOWBLaWow3p9goOdhnPbGBq0liIR9xXyRoctdipVk8UiO9scWsu4jMBM3sMr7/yBWPfYYiLEQmZGFO3iE7Oqr55h/kncHIj5lUQY1j/jkftqxlxUB5/0quyJ7l915j5QY++eY7h4GEhRvx0TlUpi+CnRtRblGeDDDilXZD6bQN2962WdKecsmRaYx+ttLz6jCPXz2VDJRWNcIS501ne2Zh3hzw/DS6IRd2GIia1Wg4sisi9epC9sumXPHi6xzR6+/i/nsFjdtTkUcV8HmorOYoc820KQVZaLScxa8e7+ixpOd6mr6AIbEf7dBAkb9f/iK3GwpqKD8yNcaj1EQgNSyJSjnKSulXI/GwkGnuXe00Qpb1a8ha5Z8yWg7XmZZnJyAZrmK60RfwRNQ1rO5ioerNUBJ2KYTYNzVjBdob9Ug6Cjh4bEKNNjqcbjQ50/Z97Vw40xzpDQ/fYllc6n92eSuv6olxFJTmK7EhHuanDzITngaqei3zL9RwQ7P+1jfEZ03qmGrQYYqXcsS46PQ8cE+frzY2mKp16pRNCG7+03gKVGV0JHyW1aYbevNUk7OumCAXhC2YOigBkCAwEAAQKCAgA8XW1EuwTC6tAFSDhuK1JZNUpY6K05hMUHkQRj5jFpzgQmt/C2hc7H/YZkIVJmrA/G6sdsINNlffZwKH9yH6q/d6w/snLeFl7UcdhjmIL5sxAT6sKCY0fLVd/FxERfZvp3Pw2Tw+mr7v+/j7BQm6cU1M/2HRiiB9SydIqMTpKyvXB6NC6ceOFbQTL9GxlQvKyEPbS/kiH/3vRB7I5d1GfPZmNfcp6ark9X0my8VK4HRSo36H8t/OhrfLrZXvh/O82aHVf0OTv/d8AgU/jNu+XVXoXegUfWglQFDChJf1KuaE+g5w1tqgFDNgkGRD475soXA6xgZi0Iw/B9tN3zALzT4IiAW1q72feeTgKOMA2zGtKXxQZZSOV+DuWFZNz/tT7XqGQThqxM09CHv2WGOe80vobtegXYTUt90hysrqIZmBW5XYdzQlJh1KWTtfCaTrWd47kbGvhkEPc8aA3Ji4/AqfkVXiqwaLu+MSlgzPpRj7U7UAIDqnpZjgttgLp74Ujnk3bTaUzdyyNqYDBG3IFGr/Sv+2GQDAUn/PYRJKWr0BteqOzX9zvW3zY8g9CYVXfK/AW3RMWLV8ly6vH/gWqa9gEuzRNRlzjUU6/HCVbUx3UT8RMWH2TQ0uuQZr5JX1iTwjeeT0dEIly1NnRQC92wcrE4UUTBEF3krGVpDBf0AQKCAQEA4jB8w+2fwzbF8X+gCODcY7sTeJRunzGy+jbdaLkcThuylga+6W3ZgWx0BD30ql9K2mouCVu86fCTnBeXXEC3QoTdgw/EzJ83+4JU3QSDdzs9Ta9vLHyvrpUkQfZ8UZpeLLmFsmsBMbBbnfw0S1TzXDsgrAc+G4tia8nO/Iqu75kEMGzmHQAvmN3iSqc1aTS4qumbB19g+v+csq9NEht4F9jt39KotG+OD3MxCxtMu7vxAkJRjFFcgcbb2Rtqe/kQEKA1vLEAJg27lV4k8XibCSerVUR6IzT8WZHrNiXmpRguTLl2k8uFUdCOOx6aLGyRVJ6+8SgIsMR540vnxwQzEQKCAQEA5mu2wtWT19mvXopC3easPsXIPzc5oaRkqfWZYT1KHcVQ7NIXsE3vCjcf/3igZ8l/FVQ4G4fpk/GoTqlpV5Aq/JHCpVOR2O69uB+W4kWgliejpHvF9gszzAYnC8lIXqDbWiinBhmm3ii8sDGAoBaSDw5NMUq3mI+nd8zZ+jx1bLBczDafmQ0YKr8k0YaROxIgoBgDOQDdSqG387lwzpza2DKI5Al3HfS42zjT0RmBahPiuT2aEoUZmIYuvFY0fEjfkpbdvLyexHfZCILRUGlG1nAwASFg86lp+mFSBJ3E3cvbP0CpbFGxon5u4Ao3/7htoOh6huh7MQ91h41fv1hsiQKCAQAe7WRR4e7jYVzlbX7zV9Oqq0y5QwpxJ/mB7viNNiphn7Xmf5uhDU0dPjgK0HHgzdDNVpFe5DVLg4KbaDpg+dRU+xfSsNhG5kpgUGzMH67eIbJ7Kc64tX/MDkZ74nkTK1lPIjrer3TlV2jfjDmWR1JTPR51hzP9ziwx8tEjhM7woeqJuIoqUvkvHL+xV3WdIgFSFUkGVAtNpp/FauTN4gWktRupbAN3UH2LLUP6ccwnK0aD+Y9u8T0F3av33qDLvL1umIlgeI89pMkOXmYMwmHoeY0axpcwszECCkqwB7SmxEyoXv+Qq9ZZ3ntkKAYKpvmkKWSQUtoFWYgVBS727mMRAoIBABLdwusU/bPwuPEutObiWjwRiaHTbb6UbUGVQGe70vO5EjUxxorC9s2JUe9i+w9EakleyfFHIZLheHxoVp26yio/7QYIX6q5cYM/4uTH+qwQts9i6wSISkdsQYovguNsnEk3huVy+Dy8bSaoBvYUowTkkOF2Uq4FJRskBLz+ckbh8dcuqcaoUdA+Mk+NixqhE1bIYIssTPItZ5hnGJtyMGD/UkIJnF0ximk4r+8w/W2oDypHpvPZPg1E/1KgZE/Az7166NDpSL6haX3O6ECDPi+Uo/mTuBJ7TpgXm9WQ7WuTo3H8Y2LhFYBOhdmGPKuNeDxyjIW7R0rvDxp4MtzB6rECggEAJIl7/qp1lxUQPQJRTsEYBkOtdRw0IGG1Rcj0emhHaBN05c9opCy+Osb7mVeU5ZiULe5kD02phL+36pEumprz7QzN46Y5pZc8AQ2W/QkeL4Wo9U9QzczvQQzc1EqrBkzvQTZtBhn4DRzz0IuTn1beVyHtBZeNpBFgMQFv9VYQuUNwFoTOkkQrBRnYbXH6KEnhF3c/1Hzi4KHVdHdfZ3LH7KFQJ34xio0q2tWQSQYeybmwOXdd9sxpz/Y4KBS9fqm7UrwnPK8yuOc05HLEaws+1iam5YyJprlQo3mGKe0wRztwn44HDeQr70LlFm0lzigVAv0hSiWO1Q5hJL7nDu8m/Q==",
+  "DomainsCertificate": {
+    "Certs": [
+      {
+        "Domains": {
+          "Main": "local1.com",
+          "SANs": [
+            "test1.local1.com",
+            "test2.local1.com"
+          ]
+        },
+        "Certificate": {
+          "Domain": "local1.com",
+          "CertURL": "http://127.0.0.1:4000/acme/cert/ffc4f3f14def9ee6ec6a0522b5c0baa3379d",
+          "CertStableURL": "",
+          "PrivateKey": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdVNoTTR4enF6cE5YcFNaNnAvZnQrRmt5VmgyK1BSZXJUelV0OERRSng2UkVjQS9FCnN2RnNIVmNOSkZMS2twYTNlOEd3SUZBakJQNnJPK3hoR1JjWlJrdENON1gyOW5LZFhGbHZkYzJxd0hyTFF5WWkKTTB3ODhTck41VERiNi96TWU2dTB0dERiYWtDbDd6ZEJKUXJ6a1h5ZU1MeVkzTUs3aVkrMHpwL2JqMVhvbk5DdQpaQStkZ3hsMVNrV01DVUYvQk9HNWFyT1hwb0x4S0dQWGdzV3hOTVNLVmJKSHczL3ZqNTViZU92Um5lT3BNWlhvCmMwOWpZT3VBakNka1Z5czBSWHJLNWNCRDRMbVRXdnN4MFdTK2VMVHlGTTdQTHVZM3lEWkNNWEhjVmlqRHhnbFMKYjB1ZVRQcGFUWEQwYkxqZ0RNOUVEdE15ZEJzMUNPWlpPWG9ickN5Q2I1eWxTOFdVd1NzVXM1UldxZnlVbnAvcgpSNGx2c2RZOWRVZjRPdkNMVnJvWWk5NWFGc1Zxa0xLOExuL0Eyc3kxYWlDTnR4RmpKOXRXbWU0V0NhdzRoU0YvCkR4NWVNNWNYR2JSYXduVlZJQlZXeHhzNTBPMFJlUWRvbXBQZEFNS1RDWk9SRmxYaDdOWTdxQVdWRGtpdzhyam8Kekd3Ni9XdjlOR3hTNTliKzc0YVAxcjBxOTZ2RS9Rdi8zTCtjbjhiN0lBLytPYmFKdzhIT3RGbXc4RjBxQkN3MAprYWVVSloxb1JueGFYQUo4RHhHREpFOVdNUzh0QmJtVm16YkxoRkMzeDdVc0xGeTBrSzh1SFBFT3dQb2NKNUFUCkE1UHBvclNEMmFleHA0Z3VqYVp5c1JManpmY0dnaTdva0JFNlZVNWVqRE1iYS9lNERQNEJQUVg5VmtVQ0F3RUEKQVFLQ0FnQmZjMWdYcUp1ZmZMT3REcVlpbXh4UmIrSVVKT2NpWldaSndmZDVvY244NGtEcHFDZFZ2RUZvNnF4NgpzamQ5MURhb2xOUHdCSC9aSGxRMTR3aTNQNEluQzdzS0wwTXVEeTN5SXFUa0RPOWVwSzdPWWdVMWZyTFgvS0lCCjZlc2x2Ny9HYldFTzhhSjdKdktqM0U4NEFtcEg4UDgzenJIYTlJUnJTT3NEcmNNcEpEZHpSOXp1OW1IVDZMYmYKWC9UdC9KYTNkSW42YUxUZ0FSYkRKSjAvN0J3TFFOcXpqT0dUOWdzUWRhbGdMK2x5eEo4L1ViRndhRmVwNmgzdApvbzBHcHQ0ZWgwdTdueDhlNVd3Q2RnWmJsTnpnS3grMC9Gd3dLRHhQZVRFc2ZpOEJONmlkR2NjbVdzd3prTWdtCnJmbERaeGNSWTNRSlZIVHBCL0dTTWZXRFBPQ3dRdGltQk1WN3kxM2hPMTdPWXpSNDBMZnpUalJBbmtna2V2eWYKcFowb3dLR3o4QS9haHhRWWJmYVQ5VEhXV0wrYUpYeUhFanBKckp5aTg3UExVbzhsOFVydU56MDRWNXpLOFJPbgo2cG9EWmVtbm1EYWRlU09pK3hZRWlGT1NwSXNWbzlpcm9jUGFKN2YzYWpiNUU4RHpuN1o1MmhzL2R6akpLcFZJCm5mVDFkUU9SZEowSXRUNlRlQ2RTL0dpS25IS1RtNjR2T21IbmlJcm8rUGRhUmFjV0IrTUJ0VytRd0cyUStyRGkKc3g4NlpQbHRpTVpLMDZ5TVlyVHZUdGk2aFVGaUY5cWh4b3RGazdNQkNrZlIwYUVhaUREQUpKNm1jb1lpRUQ2QgpBVGJhVmpVaGNaUiswYkRST25PN0ozRk5rZmx3K2dMaVhvcXFRRW9pU2ZWb2h5SWY3UUtDQVFFQThjYTM5K0g4CjN3L2Qrcm0yUGNhM0RMQnBYaWU4Z3ZYcGpjazVYSkpvSGVmbnJjZWQrcFpXaTZEYncwYld0MEdtYkxmVjJNSlAKV2I1aTZzSXhmdkN3YlFqbHY0UnExMVA5ZEswT3poMnVpKzZ6cXVBMG5YTVcrN0lJS0cvdDhmS2NJZGRRNnRGcwpFclFVTFBDak56ODA2cHBiSlhPRmVvMW1BK293TGhHNlA3dDhCdlZHSk1NaTNxejNlSUNuVVE2eDNFY01ITXNuClhrM21DUzI1WUZaNk96cytFK254cGVraTAzZmQwblp3UE1jdElHZys1c3hleE9zREsrTHlvb2FqQnc5N0oyUzIKcUNNWXFtT0tLcmxEQ3Y1WmQ4dlZLN3hXVmpKRVhGTTNMZ2pieHBRcCtuVXNVVWxwS01LOVlGS0lRREl0RU9aMApWcWExTXJaOElzN1l5d0tDQVFFQXhBemZIa2pIVGlvTHdZbG5EcEk0MWlOTDh5Y0ZBallrTC94dWhPU2tlVkE4CjdRWDZPZUpDekR3Z0FUYXVqOWR6Y0wwby9yTndWV0xWcnQ3OXk3YnJvVDdFREZKWVNTY25GRXNMTlVWSXRncGkKckNSUXJTL1F2TkVGTmE5K0pRc1dmYkdBNHdIUTFaSjI4MFp1cWMvNlEyUi9kZVh3cUZBQVBHN2NIcEhHWlR6ZQoyRmFRUHFLRkV4WlEyZkpvRys0SVBRNHVQVERybXlGMmVUWXk2T3BaaDBHbWJRYlVTa1dFWDlQRmF1cHJIWVdGCk8wK25DaVVPNVRaMFZoaGR2dUNKMWdPclZHYzhBUlJtUVZ1aUNEWTZCaGlvVTU0ZmZsSXlDTXZ5a3MwcmRXZ3MKWVJ2TmN4TXNlRGJpTDRKSURkMHhiN1d4VUdmVjRVNHZPMks5Vms1N0x3S0NBUUVBMkd1eE1jcXd1RnRUc0tPYwpaaUFDcXZFZTRKRmhSVGtySHlnSW1MelZSaS9ZU3M1c3MycnZmWDA0T3N5bVZ0UUZUVHdoeUMzbktjWXFkVW52ClZGblBFMHJyblV2Qzk0elBUQ205SHZPaTBzK1JORndOdlFMUWgrME5NR1ZBOFZyaU44aXRQZ1RJWU5XaFdianQKNFA1TE45V0QwVHBmT1J4cFBRZmNxT0JsZjdjcmhtNzNvdUNwemZtMmE3OStCaWpKUFF5NzR1cFhDeXRmeHNlUApNSlU0Uk56NjdJaDFMclpKM2xGbDFvYitZT2xKazhDOHpZd1RLT0hWck9zeGxobyt4SXN2Q2t3MDFMelZ6Mi9hCnRmT3Y5NTlHSnQzbXE0ZWpJUFZPQy9iUlpmdTMvMEdSY2dpQTZ5SnpaM0VxWTVaOU1EbTU3VzdjcE5RRlRxZmEKNXEyUmtRS0NBUUErNGhZSzQ3TXg2aUNkTWxKaEJSdS82OUJucktOWm96NFdPalRFNFlXejk3MmpGU0Mrd2tsRQpzeUJjNDBvNGp4WFRHb2wwc04rZU03WndnY3dNTko3OXVHRXZ4cFhVMlA4YTdqc3BHaEVKZXVsTlo5U015R0orCnZkaWE4TEJZZDJiK2FCbjhOay9pd1Rqd0xTNC92NXI1Vk5uaFdpRElDK2tYZVVPWGRwQ1pWbDN3TEV2V0cxRHQKMzJHTmxzZzM5VENsVE5BZUJudjc1VTdYOEQrQ0gvRVpoa0E0aGxFL2hXN0JRZTczclRzd1creHhLc3BjWWFpVwpjdEg3NzVMYUw3Rm1lUVRTYk01OVZpcTZXZ2J0OVY3Rko5R09DSkQzZHF2ZjBITDlEVndjSzQ3WWt3OWlFc3RYCnY5cnEvREhhYUpGNzBGNlFlTTNNbDhSa212WTZJYkEzQW9JQkFRRGt6RmZLeG9HQ3dWUDlua3k4NmFQSjFvd2kKc2FDZEx6RjRWTENRZzkrUXJITzEyY0p5MFFQUnJ2cUQyMGp1cDFlOWJhWVZzbkdYc1FZTFg2NVR6UzJSSCtlSAp6S0NPTTdnMVE3djMxNWpjMDMvN1lQck4rb3RrV0VBOUkyaDZjUE1vY3c0aERTNk02OFlxQVlKTS9RclVhenZhCnhBTFJaZEVkQW1xWDA4VHhuY1hRUEVxYkk0ZnlSZ2pVM1BYR3RRaFFFbERpR2kwbThjQTJNTXdsR1RmbTdOSXgKaENjZ2ZkL296TEp2VUhiMkxLRi82cXEySmJVRHlOMkVoK0xSZUJjdnp6Y1grZE5MdGQxY0Uvcm1SM2hMbWxmNgo3KzRpTVMxK0t1eWV3VlJVUEE1c1F1aUYyVUVoeEs1MUpZK1FpOG9HbERKdGRrOXB3QlZNN1F0WW9KVEwKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K",
+          "Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZvakNDQklxZ0F3SUJBZ0lUQVAvRTgvRk43NTdtN0dvRklyWEF1cU0zblRBTkJna3Foa2lHOXcwQkFRc0YKQURBZk1SMHdHd1lEVlFRRERCUm9NbkJ3ZVNCb01tTnJaWElnWm1GclpTQkRRVEFlRncweE9EQXhNVFV3TnpJNQpNREJhRncweE9EQTBNVFV3TnpJNU1EQmFNRVF4RXpBUkJnTlZCQU1UQ214dlkyRnNNUzVqYjIweExUQXJCZ05WCkJBVVRKR1ptWXpSbU0yWXhOR1JsWmpsbFpUWmxZelpoTURVeU1tSTFZekJpWVdFek16YzVaRENDQWlJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUJBTGtvVE9NYzZzNlRWNlVtZXFmMzdmaFpNbFlkdmowWApxMDgxTGZBMENjZWtSSEFQeExMeGJCMVhEU1JTeXBLV3QzdkJzQ0JRSXdUK3F6dnNZUmtYR1VaTFFqZTE5dlp5Cm5WeFpiM1hOcXNCNnkwTW1Jak5NUFBFcXplVXcyK3Y4ekh1cnRMYlEyMnBBcGU4M1FTVUs4NUY4bmpDOG1OekMKdTRtUHRNNmYyNDlWNkp6UXJtUVBuWU1aZFVwRmpBbEJmd1RodVdxemw2YUM4U2hqMTRMRnNUVEVpbFd5UjhOLwo3NCtlVzNqcjBaM2pxVEdWNkhOUFkyRHJnSXduWkZjck5FVjZ5dVhBUStDNWsxcjdNZEZrdm5pMDhoVE96eTdtCk44ZzJRakZ4M0ZZb3c4WUpVbTlMbmt6NldrMXc5R3k0NEF6UFJBN1RNblFiTlFqbVdUbDZHNndzZ20rY3BVdkYKbE1FckZMT1VWcW44bEo2ZjYwZUpiN0hXUFhWSCtEcndpMWE2R0l2ZVdoYkZhcEN5dkM1L3dOck10V29namJjUgpZeWZiVnBudUZnbXNPSVVoZnc4ZVhqT1hGeG0wV3NKMVZTQVZWc2NiT2REdEVYa0hhSnFUM1FEQ2t3bVRrUlpWCjRleldPNmdGbFE1SXNQSzQ2TXhzT3Yxci9UUnNVdWZXL3UrR2o5YTlLdmVyeFAwTC85eS9uSi9HK3lBUC9qbTIKaWNQQnpyUlpzUEJkS2dRc05KR25sQ1dkYUVaOFdsd0NmQThSZ3lSUFZqRXZMUVc1bFpzMnk0UlF0OGUxTEN4Ywp0SkN2TGh6eERzRDZIQ2VRRXdPVDZhSzBnOW1uc2FlSUxvMm1jckVTNDgzM0JvSXU2SkFST2xWT1hvd3pHMnYzCnVBeitBVDBGL1ZaRkFnTUJBQUdqZ2dHd01JSUJyREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXcKRkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SFFZRFZSME9CQllFRk5LZQpBVUZYc2Z2N2lML0lYVVBXdzY2ZU5jQnhNQjhHQTFVZEl3UVlNQmFBRlB0NFR4TDVZQldETEo4WGZ6UVpzeTQyCjZrR0pNR1lHQ0NzR0FRVUZCd0VCQkZvd1dEQWlCZ2dyQmdFRkJRY3dBWVlXYUhSMGNEb3ZMekV5Tnk0d0xqQXUKTVRvME1EQXlMekF5QmdnckJnRUZCUWN3QW9ZbWFIUjBjRG92THpFeU55NHdMakF1TVRvME1EQXdMMkZqYldVdgphWE56ZFdWeUxXTmxjblF3T1FZRFZSMFJCREl3TUlJS2JHOWpZV3d4TG1OdmJZSVFkR1Z6ZERFdWJHOWpZV3d4CkxtTnZiWUlRZEdWemRESXViRzlqWVd3eExtTnZiVEFuQmdOVkhSOEVJREFlTUJ5Z0dxQVloaFpvZEhSd09pOHYKWlhoaGJYQnNaUzVqYjIwdlkzSnNNR0VHQTFVZElBUmFNRmd3Q0FZR1o0RU1BUUlCTUV3R0F5b0RCREJGTUNJRwpDQ3NHQVFVRkJ3SUJGaFpvZEhSd09pOHZaWGhoYlhCc1pTNWpiMjB2WTNCek1COEdDQ3NHQVFVRkJ3SUNNQk1NCkVVUnZJRmRvWVhRZ1ZHaHZkU0JYYVd4ME1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ3A0Q2FxZlR4THNQTzQKS2JueDJZdEc4bTN3MC9keTVVR1VRNjZHbGxPVTk0L2I0MmNhbTRuNUZrTWlpZ01IaUx4c2JZVXh0cDZKQ3R5cQpLKzFNcDFWWEtSTTVKbFBTNWRIaWhxdHk1U3BrTUhjampwQSs3U2YyVWtoNmpKRWYxTUVJY2JnWnpJRk5IT0hYClVUUUppVFhKcno3blJDZnlQWFZtbWErUGtIRlU4R0VEVzJGOVptU1kzVFBiQWhiWkV2UkZubjUrR1lxbkZuancKWWw3Y0I2MXYwRzVpOGQwbnVvbTB4a2hiNTU3Y3BiZHhLblhsaFU4N2RZSTR5SUdPdUFGUWpYcXFXN2NIZCtXUQpWSDB2dFA3cEgrRmt2YnY4WkkxMHMrNU5ZcCtzZjFQZGQxekJsRmdNSGF3dnFFYUg3SU9sejdkajlCdmtVc0dpClhxQWVqQnFPCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVpakNDQTNLZ0F3SUJBZ0lDRWswd0RRWUpLb1pJaHZjTkFRRUxCUUF3S3pFcE1DY0dBMVVFQXd3Z1kyRmoKYTJ4cGJtY2dZM0o1Y0hSdlozSmhjR2hsY2lCbVlXdGxJRkpQVDFRd0hoY05NVFV4TURJeE1qQXhNVFV5V2hjTgpNakF4TURFNU1qQXhNVFV5V2pBZk1SMHdHd1lEVlFRREV4Um9ZWEJ3ZVNCb1lXTnJaWElnWm1GclpTQkRRVENDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTUlLUjNtYUJjVVNzbmNYWXpRVDEzRDUKTnIrWjNtTHhNTWgzVFVkdDZzQUNtcWJKMGJ0UmxnWGZNdE5MTTJPVTFJNmEzSnUrdElaU2RuMnYyMUpCd3Z4VQp6cFpRNHp5MmNpbUlpTVFEWkNRSEp3ekM5R1puOEhhVzA5MWl6OUgwR28zQTdXRFh3WU5tc2RMTlJpMDBvMTRVCmpvYVZxYVBzWXJaV3ZSS2FJUnFhVTBoSG1TMEFXd1FTdk4vOTNpTUlYdXlpd3l3bWt3S2JXbm54Q1EvZ3NjdEsKRlV0Y05yd0V4OVdnajZLbGh3RFR5STFRV1NCYnhWWU55VWdQRnpLeHJTbXdNTzB5TmZmN2hvK1FUOXg1K1kvNwpYRTU5UzRNYzRaWHhjWEtldy9nU2xOOVU1bXZUK0QyQmhEdGtDdXBkZnNaTkNRV3AyN0ErYi9EbXJGSTlOcXNDCkF3RUFBYU9DQWNJd2dnRytNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUF3UXdZRFZSMGVCRHd3T3FFNE1BYUMKQkM1dGFXd3dDb2NJQUFBQUFBQUFBQUF3SW9jZ0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQpBQUFBQUFBd0RnWURWUjBQQVFIL0JBUURBZ0dHTUg4R0NDc0dBUVVGQndFQkJITXdjVEF5QmdnckJnRUZCUWN3CkFZWW1hSFIwY0RvdkwybHpjbWN1ZEhKMWMzUnBaQzV2WTNOd0xtbGtaVzUwY25WemRDNWpiMjB3T3dZSUt3WUIKQlFVSE1BS0dMMmgwZEhBNkx5OWhjSEJ6TG1sa1pXNTBjblZ6ZEM1amIyMHZjbTl2ZEhNdlpITjBjbTl2ZEdOaAplRE11Y0Rkak1COEdBMVVkSXdRWU1CYUFGT21rUCs2ZXBlYnkxZGQ1WUR5VHBpNGtqcGVxTUZRR0ExVWRJQVJOCk1Fc3dDQVlHWjRFTUFRSUJNRDhHQ3lzR0FRUUJndDhUQVFFQk1EQXdMZ1lJS3dZQkJRVUhBZ0VXSW1oMGRIQTYKTHk5amNITXVjbTl2ZEMxNE1TNXNaWFJ6Wlc1amNubHdkQzV2Y21jd1BBWURWUjBmQkRVd016QXhvQytnTFlZcgphSFIwY0RvdkwyTnliQzVwWkdWdWRISjFjM1F1WTI5dEwwUlRWRkpQVDFSRFFWZ3pRMUpNTG1OeWJEQWRCZ05WCkhRNEVGZ1FVKzNoUEV2bGdGWU1zbnhkL05CbXpMamJxUVlrd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFBMFkKQWVMWE9rbHg0aGhDaWtVVWwrQmRuRmZuMWcwVzVBaVFMVk5JT0w2UG5xWHUwd2puaE55aHFkd25maFlNbm95NAppZFJoNGxCNnB6OEdmOXBubExkL0RuV1NWM2dTKy9JL21BbDFkQ2tLYnk2SDJWNzkwZTZJSG1JSzJLWW0zam0rClUrK0ZJZEdwQmRzUVRTZG1pWC9yQXl1eE1ETTBhZE1rTkJ3VGZRbVpRQ3o2bkdIdzFRY1NQWk12WnBzQzhTa3YKZWt6eHNqRjFvdE9yTVVQTlBRdnRUV3JWeDhHbFIycWZ4LzR4YlFhMXYyZnJOdkZCQ21PNTlnb3oram5XdmZUdApqMk5qd0RaN3ZsTUJzUG0xNmRiS1lDODQwdXZSb1pqeHFzZGMzQ2hDWmpxaW1GcWxORy94b1BBOCtkVGljWnpDClhFOWlqUEljdlc2eTFhYTNiR3c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+        }
+      }
+    ]
+  },
+  "ChallengeCerts": {}
+}
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -10,75 +10,122 @@ import (
 	"testing"
 	"time"

+	acmeprovider "github.com/containous/traefik/provider/acme"
+	"github.com/containous/traefik/tls/generate"
+	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 )

 func TestDomainsSet(t *testing.T) {
-	checkMap := map[string]Domains{
-		"":                                   {},
-		"foo.com":                            {Domain{Main: "foo.com", SANs: []string{}}},
-		"foo.com,bar.net":                    {Domain{Main: "foo.com", SANs: []string{"bar.net"}}},
-		"foo.com,bar1.net,bar2.net,bar3.net": {Domain{Main: "foo.com", SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
+	testCases := []struct {
+		input    string
+		expected types.Domains
+	}{
+		{
+			input:    "",
+			expected: types.Domains{},
+		},
+		{
+			input: "foo1.com",
+			expected: types.Domains{
+				types.Domain{Main: "foo1.com"},
+			},
+		},
+		{
+			input: "foo2.com,bar.net",
+			expected: types.Domains{
+				types.Domain{
+					Main: "foo2.com",
+					SANs: []string{"bar.net"},
+				},
+			},
+		},
+		{
+			input: "foo3.com,bar1.net,bar2.net,bar3.net",
+			expected: types.Domains{
+				types.Domain{
+					Main: "foo3.com",
+					SANs: []string{"bar1.net", "bar2.net", "bar3.net"},
+				},
+			},
+		},
 	}
-	for in, check := range checkMap {
-		ds := Domains{}
-		ds.Set(in)
-		if !reflect.DeepEqual(check, ds) {
-			t.Errorf("Expected %+v\nGot %+v", check, ds)
-		}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.input, func(t *testing.T) {
+			t.Parallel()
+
+			domains := types.Domains{}
+			domains.Set(test.input)
+			assert.Exactly(t, test.expected, domains)
+		})
 	}
 }

 func TestDomainsSetAppend(t *testing.T) {
-	inSlice := []string{
-		"",
-		"foo1.com",
-		"foo2.com,bar.net",
-		"foo3.com,bar1.net,bar2.net,bar3.net",
+	testCases := []struct {
+		input    string
+		expected types.Domains
+	}{
+		{
+			input:    "",
+			expected: types.Domains{},
+		},
+		{
+			input: "foo1.com",
+			expected: types.Domains{
+				types.Domain{Main: "foo1.com"},
+			},
+		},
+		{
+			input: "foo2.com,bar.net",
+			expected: types.Domains{
+				types.Domain{Main: "foo1.com"},
+				types.Domain{
+					Main: "foo2.com",
+					SANs: []string{"bar.net"},
+				},
+			},
+		},
+		{
+			input: "foo3.com,bar1.net,bar2.net,bar3.net",
+			expected: types.Domains{
+				types.Domain{Main: "foo1.com"},
+				types.Domain{
+					Main: "foo2.com",
+					SANs: []string{"bar.net"},
+				},
+				types.Domain{
+					Main: "foo3.com",
+					SANs: []string{"bar1.net", "bar2.net", "bar3.net"},
+				},
+			},
+		},
 	}
-	checkSlice := []Domains{
-		{},
-		{
-			Domain{
-				Main: "foo1.com",
-				SANs: []string{}}},
-		{
-			Domain{
-				Main: "foo1.com",
-				SANs: []string{}},
-			Domain{
-				Main: "foo2.com",
-				SANs: []string{"bar.net"}}},
-		{
-			Domain{
-				Main: "foo1.com",
-				SANs: []string{}},
-			Domain{
-				Main: "foo2.com",
-				SANs: []string{"bar.net"}},
-			Domain{Main: "foo3.com",
-				SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
-	}
-	ds := Domains{}
-	for i, in := range inSlice {
-		ds.Set(in)
-		if !reflect.DeepEqual(checkSlice[i], ds) {
-			t.Errorf("Expected  %s %+v\nGot %+v", in, checkSlice[i], ds)
-		}
+
+	// append to
+	domains := types.Domains{}
+	for _, test := range testCases {
+		t.Run(test.input, func(t *testing.T) {
+
+			domains.Set(test.input)
+			assert.Exactly(t, test.expected, domains)
+		})
 	}
 }

 func TestCertificatesRenew(t *testing.T) {
-	foo1Cert, foo1Key, _ := generateKeyPair("foo1.com", time.Now())
-	foo2Cert, foo2Key, _ := generateKeyPair("foo2.com", time.Now())
+	foo1Cert, foo1Key, _ := generate.KeyPair("foo1.com", time.Now())
+	foo2Cert, foo2Key, _ := generate.KeyPair("foo2.com", time.Now())
+
 	domainsCertificates := DomainsCertificates{
 		lock: sync.RWMutex{},
 		Certs: []*DomainsCertificate{
 			{
-				Domains: Domain{
-					Main: "foo1.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo1.com"},
 				Certificate: &Certificate{
 					Domain:        "foo1.com",
 					CertURL:       "url",
@@ -88,9 +135,8 @@ func TestCertificatesRenew(t *testing.T) {
 				},
 			},
 			{
-				Domains: Domain{
-					Main: "foo2.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo2.com"},
 				Certificate: &Certificate{
 					Domain:        "foo2.com",
 					CertURL:       "url",
@@ -101,7 +147,8 @@ func TestCertificatesRenew(t *testing.T) {
 			},
 		},
 	}
-	foo1Cert, foo1Key, _ = generateKeyPair("foo1.com", time.Now())
+
+	foo1Cert, foo1Key, _ = generate.KeyPair("foo1.com", time.Now())
 	newCertificate := &Certificate{
 		Domain:        "foo1.com",
 		CertURL:       "url",
@@ -110,17 +157,15 @@ func TestCertificatesRenew(t *testing.T) {
 		Certificate:   foo1Cert,
 	}

-	err := domainsCertificates.renewCertificates(
-		newCertificate,
-		Domain{
-			Main: "foo1.com",
-			SANs: []string{}})
+	err := domainsCertificates.renewCertificates(newCertificate, types.Domain{Main: "foo1.com"})
 	if err != nil {
 		t.Errorf("Error in renewCertificates :%v", err)
 	}
+
 	if len(domainsCertificates.Certs) != 2 {
 		t.Errorf("Expected domainsCertificates length %d %+v\nGot %+v", 2, domainsCertificates.Certs, len(domainsCertificates.Certs))
 	}
+
 	if !reflect.DeepEqual(domainsCertificates.Certs[0].Certificate, newCertificate) {
 		t.Errorf("Expected new certificate %+v \nGot %+v", newCertificate, domainsCertificates.Certs[0].Certificate)
 	}
@@ -128,17 +173,16 @@ func TestCertificatesRenew(t *testing.T) {

 func TestRemoveDuplicates(t *testing.T) {
 	now := time.Now()
-	fooCert, fooKey, _ := generateKeyPair("foo.com", now)
-	foo24Cert, foo24Key, _ := generateKeyPair("foo.com", now.Add(24*time.Hour))
-	foo48Cert, foo48Key, _ := generateKeyPair("foo.com", now.Add(48*time.Hour))
-	barCert, barKey, _ := generateKeyPair("bar.com", now)
+	fooCert, fooKey, _ := generate.KeyPair("foo.com", now)
+	foo24Cert, foo24Key, _ := generate.KeyPair("foo.com", now.Add(24*time.Hour))
+	foo48Cert, foo48Key, _ := generate.KeyPair("foo.com", now.Add(48*time.Hour))
+	barCert, barKey, _ := generate.KeyPair("bar.com", now)
 	domainsCertificates := DomainsCertificates{
 		lock: sync.RWMutex{},
 		Certs: []*DomainsCertificate{
 			{
-				Domains: Domain{
-					Main: "foo.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo.com"},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -148,9 +192,8 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: Domain{
-					Main: "foo.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo.com"},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -160,9 +203,8 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: Domain{
-					Main: "foo.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo.com"},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -172,9 +214,8 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: Domain{
-					Main: "bar.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "bar.com"},
 				Certificate: &Certificate{
 					Domain:        "bar.com",
 					CertURL:       "url",
@@ -184,9 +225,8 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: Domain{
-					Main: "foo.com",
-					SANs: []string{}},
+				Domains: types.Domain{
+					Main: "foo.com"},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -259,14 +299,19 @@ llJh9MC0svjevGtNlxJoE3lmEQIhAKXy1wfZ32/XtcrnENPvi6lzxI0T94X7s5pP3aCoPPoJAiEAl
 cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte(`{
-"new-authz": "https://foo/acme/new-authz",
-"new-cert": "https://foo/acme/new-cert",
-"new-reg": "https://foo/acme/new-reg",
-"revoke-cert": "https://foo/acme/revoke-cert"
+  "GPHhmRVEDas": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
+  "keyChange": "https://foo/acme/key-change",
+  "meta": {
+    "termsOfService": "https://boulder:4431/terms/v7"
+  },
+  "newAccount": "https://foo/acme/new-acct",
+  "newNonce": "https://foo/acme/new-nonce",
+  "newOrder": "https://foo/acme/new-order",
+  "revokeCert": "https://foo/acme/revoke-cert"
 }`))
 	}))
 	defer ts.Close()
-	a := ACME{DNSProvider: "manual", DelayDontCheckDNS: 10, CAServer: ts.URL}
+	a := ACME{DNSChallenge: &acmeprovider.DNSChallenge{Provider: "manual", DelayBeforeCheck: 10}, CAServer: ts.URL}

 	client, err := a.buildACMEClient(account)
 	if err != nil {
@@ -280,7 +325,7 @@ cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
 	}
 }

-func TestAcme_getProvidedCertificate(t *testing.T) {
+func TestAcme_getUncheckedCertificates(t *testing.T) {
 	mm := make(map[string]*tls.Certificate)
 	mm["*.containo.us"] = &tls.Certificate{}
 	mm["traefik.acme.io"] = &tls.Certificate{}
@@ -288,9 +333,220 @@ func TestAcme_getProvidedCertificate(t *testing.T) {
 	a := ACME{TLSConfig: &tls.Config{NameToCertificate: mm}}

 	domains := []string{"traefik.containo.us", "trae.containo.us"}
-	certificate := a.getProvidedCertificate(domains)
-	assert.NotNil(t, certificate)
+	uncheckedDomains := a.getUncheckedDomains(domains, nil)
+	assert.Empty(t, uncheckedDomains)
 	domains = []string{"traefik.acme.io", "trae.acme.io"}
-	certificate = a.getProvidedCertificate(domains)
+	uncheckedDomains = a.getUncheckedDomains(domains, nil)
+	assert.Len(t, uncheckedDomains, 1)
+	domainsCertificates := DomainsCertificates{Certs: []*DomainsCertificate{
+		{
+			tlsCert: &tls.Certificate{},
+			Domains: types.Domain{
+				Main: "*.acme.wtf",
+				SANs: []string{"trae.acme.io"},
+			},
+		},
+	}}
+	account := Account{DomainsCertificate: domainsCertificates}
+	uncheckedDomains = a.getUncheckedDomains(domains, &account)
+	assert.Empty(t, uncheckedDomains)
+}
+
+func TestAcme_getProvidedCertificate(t *testing.T) {
+	mm := make(map[string]*tls.Certificate)
+	mm["*.containo.us"] = &tls.Certificate{}
+	mm["traefik.acme.io"] = &tls.Certificate{}
+
+	a := ACME{TLSConfig: &tls.Config{NameToCertificate: mm}}
+
+	domain := "traefik.containo.us"
+	certificate := a.getProvidedCertificate(domain)
+	assert.NotNil(t, certificate)
+	domain = "trae.acme.io"
+	certificate = a.getProvidedCertificate(domain)
 	assert.Nil(t, certificate)
 }
+
+func TestAcme_getValidDomain(t *testing.T) {
+	testCases := []struct {
+		desc            string
+		domains         []string
+		wildcardAllowed bool
+		dnsChallenge    *acmeprovider.DNSChallenge
+		expectedErr     string
+		expectedDomains []string
+	}{
+		{
+			desc:            "valid wildcard",
+			domains:         []string{"*.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "",
+			expectedDomains: []string{"*.traefik.wtf"},
+		},
+		{
+			desc:            "no wildcard",
+			domains:         []string{"traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			expectedErr:     "",
+			wildcardAllowed: true,
+			expectedDomains: []string{"traefik.wtf", "foo.traefik.wtf"},
+		},
+		{
+			desc:            "unauthorized wildcard",
+			domains:         []string{"*.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: false,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf\" from a 'Host' rule",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "no domain",
+			domains:         []string{},
+			dnsChallenge:    nil,
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a certificate when no domain is given",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "no DNSChallenge",
+			domains:         []string{"*.traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    nil,
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf,foo.traefik.wtf\" : ACME needs a DNSChallenge",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "unauthorized wildcard with SAN",
+			domains:         []string{"*.*.traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.*.traefik.wtf,foo.traefik.wtf\" : ACME does not allow '*.*' wildcard domain",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "wildcard with SANs",
+			domains:         []string{"*.traefik.wtf", "traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "",
+			expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
+		},
+		{
+			desc:            "unexpected SANs",
+			domains:         []string{"*.traefik.wtf", "*.acme.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a certificate for domains \"*.traefik.wtf,*.acme.wtf\": SANs can not be a wildcard domain",
+			expectedDomains: nil,
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			a := ACME{}
+			if test.dnsChallenge != nil {
+				a.DNSChallenge = test.dnsChallenge
+			}
+			domains, err := a.getValidDomains(test.domains, test.wildcardAllowed)
+
+			if len(test.expectedErr) > 0 {
+				assert.EqualError(t, err, test.expectedErr, "Unexpected error.")
+			} else {
+				assert.Equal(t, len(test.expectedDomains), len(domains), "Unexpected domains.")
+			}
+		})
+	}
+}
+
+func TestAcme_getCertificateForDomain(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		domain        string
+		dc            *DomainsCertificates
+		expected      *DomainsCertificate
+		expectedFound bool
+	}{
+		{
+			desc:   "non-wildcard exact match",
+			domain: "foo.traefik.wtf",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "foo.traefik.wtf",
+						},
+					},
+				},
+			},
+			expected: &DomainsCertificate{
+				Domains: types.Domain{
+					Main: "foo.traefik.wtf",
+				},
+			},
+			expectedFound: true,
+		},
+		{
+			desc:   "non-wildcard no match",
+			domain: "bar.traefik.wtf",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "foo.traefik.wtf",
+						},
+					},
+				},
+			},
+			expected:      nil,
+			expectedFound: false,
+		},
+		{
+			desc:   "wildcard match",
+			domain: "foo.traefik.wtf",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "*.traefik.wtf",
+						},
+					},
+				},
+			},
+			expected: &DomainsCertificate{
+				Domains: types.Domain{
+					Main: "*.traefik.wtf",
+				},
+			},
+			expectedFound: true,
+		},
+		{
+			desc:   "wildcard no match",
+			domain: "foo.traefik.wtf",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "*.bar.traefik.wtf",
+						},
+					},
+				},
+			},
+			expected:      nil,
+			expectedFound: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			got, found := test.dc.getCertificateForDomain(test.domain)
+			assert.Equal(t, test.expectedFound, found)
+			assert.Equal(t, test.expected, got)
+		})
+	}
+}
--- a/acme/challengeProvider.go
+++ b/acme/challengeProvider.go
@@ -1,97 +0,0 @@
-package acme
-
-import (
-	"crypto/tls"
-	"fmt"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/cenk/backoff"
-	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/safe"
-	"github.com/xenolf/lego/acme"
-)
-
-var _ acme.ChallengeProviderTimeout = (*challengeProvider)(nil)
-
-type challengeProvider struct {
-	store cluster.Store
-	lock  sync.RWMutex
-}
-
-func (c *challengeProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
-	log.Debugf("Challenge GetCertificate %s", domain)
-	if !strings.HasSuffix(domain, ".acme.invalid") {
-		return nil, false
-	}
-	c.lock.RLock()
-	defer c.lock.RUnlock()
-	account := c.store.Get().(*Account)
-	if account.ChallengeCerts == nil {
-		return nil, false
-	}
-	account.Init()
-	var result *tls.Certificate
-	operation := func() error {
-		for _, cert := range account.ChallengeCerts {
-			for _, dns := range cert.certificate.Leaf.DNSNames {
-				if domain == dns {
-					result = cert.certificate
-					return nil
-				}
-			}
-		}
-		return fmt.Errorf("cannot find challenge cert for domain %s", domain)
-	}
-	notify := func(err error, time time.Duration) {
-		log.Errorf("Error getting cert: %v, retrying in %s", err, time)
-	}
-	ebo := backoff.NewExponentialBackOff()
-	ebo.MaxElapsedTime = 60 * time.Second
-	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
-	if err != nil {
-		log.Errorf("Error getting cert: %v", err)
-		return nil, false
-	}
-	return result, true
-}
-
-func (c *challengeProvider) Present(domain, token, keyAuth string) error {
-	log.Debugf("Challenge Present %s", domain)
-	cert, _, err := TLSSNI01ChallengeCert(keyAuth)
-	if err != nil {
-		return err
-	}
-
-	c.lock.Lock()
-	defer c.lock.Unlock()
-	transaction, object, err := c.store.Begin()
-	if err != nil {
-		return err
-	}
-	account := object.(*Account)
-	if account.ChallengeCerts == nil {
-		account.ChallengeCerts = map[string]*ChallengeCert{}
-	}
-	account.ChallengeCerts[domain] = &cert
-	return transaction.Commit(account)
-}
-
-func (c *challengeProvider) CleanUp(domain, token, keyAuth string) error {
-	log.Debugf("Challenge CleanUp %s", domain)
-	c.lock.Lock()
-	defer c.lock.Unlock()
-	transaction, object, err := c.store.Begin()
-	if err != nil {
-		return err
-	}
-	account := object.(*Account)
-	delete(account.ChallengeCerts, domain)
-	return transaction.Commit(account)
-}
-
-func (c *challengeProvider) Timeout() (timeout, interval time.Duration) {
-	return 60 * time.Second, 5 * time.Second
-}
--- a/acme/challenge_http_provider.go
+++ b/acme/challenge_http_provider.go
@@ -0,0 +1,92 @@
+package acme
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/cenk/backoff"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	acme "github.com/xenolf/lego/acmev2"
+)
+
+var _ acme.ChallengeProviderTimeout = (*challengeHTTPProvider)(nil)
+
+type challengeHTTPProvider struct {
+	store cluster.Store
+	lock  sync.RWMutex
+}
+
+func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
+	log.Debugf("Looking for an existing ACME challenge for token %v...", token)
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	account := c.store.Get().(*Account)
+	if account.HTTPChallenge == nil {
+		return []byte{}
+	}
+	var result []byte
+	operation := func() error {
+		var ok bool
+		if result, ok = account.HTTPChallenge[token][domain]; !ok {
+			return fmt.Errorf("cannot find challenge for token %v", token)
+		}
+		return nil
+	}
+	notify := func(err error, time time.Duration) {
+		log.Errorf("Error getting challenge for token retrying in %s", time)
+	}
+	ebo := backoff.NewExponentialBackOff()
+	ebo.MaxElapsedTime = 60 * time.Second
+	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
+	if err != nil {
+		log.Errorf("Error getting challenge for token: %v", err)
+		return []byte{}
+	}
+	return result
+}
+
+func (c *challengeHTTPProvider) Present(domain, token, keyAuth string) error {
+	log.Debugf("Challenge Present %s", domain)
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
+	}
+	account := object.(*Account)
+	if account.HTTPChallenge == nil {
+		account.HTTPChallenge = map[string]map[string][]byte{}
+	}
+	if _, ok := account.HTTPChallenge[token]; !ok {
+		account.HTTPChallenge[token] = map[string][]byte{}
+	}
+	account.HTTPChallenge[token][domain] = []byte(keyAuth)
+	return transaction.Commit(account)
+}
+
+func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
+	log.Debugf("Challenge CleanUp %s", domain)
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
+	}
+	account := object.(*Account)
+	if _, ok := account.HTTPChallenge[token]; ok {
+		if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
+			delete(account.HTTPChallenge[token], domain)
+		}
+		if len(account.HTTPChallenge[token]) == 0 {
+			delete(account.HTTPChallenge, token)
+		}
+	}
+	return transaction.Commit(account)
+}
+
+func (c *challengeHTTPProvider) Timeout() (timeout, interval time.Duration) {
+	return 60 * time.Second, 5 * time.Second
+}
--- a/acme/crypto.go
+++ b/acme/crypto.go
@@ -1,133 +0,0 @@
-package acme
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/hex"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"time"
-)
-
-func generateDefaultCertificate() (*tls.Certificate, error) {
-	randomBytes := make([]byte, 100)
-	_, err := rand.Read(randomBytes)
-	if err != nil {
-		return nil, err
-	}
-	zBytes := sha256.Sum256(randomBytes)
-	z := hex.EncodeToString(zBytes[:sha256.Size])
-	domain := fmt.Sprintf("%s.%s.traefik.default", z[:32], z[32:])
-
-	certPEM, keyPEM, err := generateKeyPair(domain, time.Time{})
-	if err != nil {
-		return nil, err
-	}
-
-	certificate, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-
-	return &certificate, nil
-}
-
-func generateKeyPair(domain string, expiration time.Time) ([]byte, []byte, error) {
-	rsaPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return nil, nil, err
-	}
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaPrivKey)})
-
-	certPEM, err := generatePemCert(rsaPrivKey, domain, expiration)
-	if err != nil {
-		return nil, nil, err
-	}
-	return certPEM, keyPEM, nil
-}
-
-func generatePemCert(privKey *rsa.PrivateKey, domain string, expiration time.Time) ([]byte, error) {
-	derBytes, err := generateDerCert(privKey, expiration, domain)
-	if err != nil {
-		return nil, err
-	}
-
-	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}), nil
-}
-
-func generateDerCert(privKey *rsa.PrivateKey, expiration time.Time, domain string) ([]byte, error) {
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, err
-	}
-
-	if expiration.IsZero() {
-		expiration = time.Now().Add(365)
-	}
-
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: "TRAEFIK DEFAULT CERT",
-		},
-		NotBefore: time.Now(),
-		NotAfter:  expiration,
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment,
-		BasicConstraintsValid: true,
-		DNSNames:              []string{domain},
-	}
-
-	return x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
-}
-
-// TLSSNI01ChallengeCert returns a certificate and target domain for the `tls-sni-01` challenge
-func TLSSNI01ChallengeCert(keyAuth string) (ChallengeCert, string, error) {
-	// generate a new RSA key for the certificates
-	var tempPrivKey crypto.PrivateKey
-	tempPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return ChallengeCert{}, "", err
-	}
-	rsaPrivKey := tempPrivKey.(*rsa.PrivateKey)
-	rsaPrivPEM := pemEncode(rsaPrivKey)
-
-	zBytes := sha256.Sum256([]byte(keyAuth))
-	z := hex.EncodeToString(zBytes[:sha256.Size])
-	domain := fmt.Sprintf("%s.%s.acme.invalid", z[:32], z[32:])
-	tempCertPEM, err := generatePemCert(rsaPrivKey, domain, time.Time{})
-	if err != nil {
-		return ChallengeCert{}, "", err
-	}
-
-	certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM)
-	if err != nil {
-		return ChallengeCert{}, "", err
-	}
-
-	return ChallengeCert{Certificate: tempCertPEM, PrivateKey: rsaPrivPEM, certificate: &certificate}, domain, nil
-}
-func pemEncode(data interface{}) []byte {
-	var pemBlock *pem.Block
-	switch key := data.(type) {
-	case *ecdsa.PrivateKey:
-		keyBytes, _ := x509.MarshalECPrivateKey(key)
-		pemBlock = &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}
-	case *rsa.PrivateKey:
-		pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
-	case *x509.CertificateRequest:
-		pemBlock = &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: key.Raw}
-	case []byte:
-		pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.([]byte))}
-	}
-
-	return pem.EncodeToMemory(pemBlock)
-}
--- a/acme/localStore.go
+++ b/acme/localStore.go
@@ -2,22 +2,17 @@ package acme

 import (
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"os"
-	"sync"
+	"regexp"

-	"github.com/containous/traefik/cluster"
 	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/provider/acme"
 )

-var _ cluster.Store = (*LocalStore)(nil)
-
 // LocalStore is a store using a file as storage
 type LocalStore struct {
-	file        string
-	storageLock sync.RWMutex
-	account     *Account
+	file string
 }

 // NewLocalStore create a LocalStore
@@ -27,71 +22,173 @@ func NewLocalStore(file string) *LocalStore {
 	}
 }

-// Get atomically a struct from the file storage
-func (s *LocalStore) Get() cluster.Object {
-	s.storageLock.RLock()
-	defer s.storageLock.RUnlock()
-	return s.account
-}
-
-// Load loads file into store
-func (s *LocalStore) Load() (cluster.Object, error) {
-	s.storageLock.Lock()
-	defer s.storageLock.Unlock()
+// Get loads file into store and returns the Account
+func (s *LocalStore) Get() (*Account, error) {
 	account := &Account{}

-	err := checkPermissions(s.file)
+	hasData, err := acme.CheckFile(s.file)
 	if err != nil {
 		return nil, err
 	}
-	f, err := os.Open(s.file)
-	if err != nil {
-		return nil, err
+
+	if hasData {
+		f, err := os.Open(s.file)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+
+		file, err := ioutil.ReadAll(f)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := json.Unmarshal(file, &account); err != nil {
+			return nil, err
+		}
 	}
-	defer f.Close()
-	file, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-	if err := json.Unmarshal(file, &account); err != nil {
-		return nil, err
-	}
-	account.Init()
-	s.account = account
-	log.Infof("Loaded ACME config from store %s", s.file)
+
 	return account, nil
 }

-// Begin creates a transaction with the KV store.
-func (s *LocalStore) Begin() (cluster.Transaction, cluster.Object, error) {
-	s.storageLock.Lock()
-	return &localTransaction{LocalStore: s}, s.account, nil
-}
+// RemoveAccountV1Values removes ACME account V1 values
+func RemoveAccountV1Values(account *Account) error {
+	// Check if ACME Account is in ACME V1 format
+	if account != nil && account.Registration != nil {
+		isOldRegistration, err := regexp.MatchString(acme.RegistrationURLPathV1Regexp, account.Registration.URI)
+		if err != nil {
+			return err
+		}

-var _ cluster.Transaction = (*localTransaction)(nil)
-
-type localTransaction struct {
-	*LocalStore
-	dirty bool
-}
-
-// Commit allows to set an object in the file storage
-func (t *localTransaction) Commit(object cluster.Object) error {
-	t.LocalStore.account = object.(*Account)
-	defer t.storageLock.Unlock()
-	if t.dirty {
-		return fmt.Errorf("transaction already used, please begin a new one")
+		if isOldRegistration {
+			account.Email = ""
+			account.Registration = nil
+			account.PrivateKey = nil
+		}
 	}
-
-	// write account to file
-	data, err := json.MarshalIndent(object, "", "  ")
-	if err != nil {
-		return err
-	}
-	err = ioutil.WriteFile(t.file, data, 0600)
-	if err != nil {
-		return err
-	}
-	t.dirty = true
 	return nil
 }
+
+// ConvertToNewFormat converts old acme.json format to the new one and store the result into the file (used for the backward compatibility)
+func ConvertToNewFormat(fileName string) {
+	localStore := acme.NewLocalStore(fileName)
+
+	storeAccount, err := localStore.GetAccount()
+	if err != nil {
+		log.Errorf("Failed to read new account, ACME data conversion is not available : %v", err)
+		return
+	}
+
+	storeCertificates, err := localStore.GetCertificates()
+	if err != nil {
+		log.Errorf("Failed to read new certificates, ACME data conversion is not available : %v", err)
+		return
+	}
+
+	if storeAccount == nil {
+		localStore := NewLocalStore(fileName)
+
+		account, err := localStore.Get()
+		if err != nil {
+			log.Errorf("Failed to read old account, ACME data conversion is not available : %v", err)
+			return
+		}
+
+		// Convert ACME data from old to new format
+		newAccount := &acme.Account{}
+		if account != nil && len(account.Email) > 0 {
+			err = backupACMEFile(fileName, account)
+			if err != nil {
+				log.Errorf("Unable to create a backup for the V1 formatted ACME file: %s", err.Error())
+				return
+			}
+
+			err = RemoveAccountV1Values(account)
+			if err != nil {
+				log.Errorf("Unable to remove ACME Account V1 values: %s", err.Error())
+				return
+			}
+
+			newAccount = &acme.Account{
+				PrivateKey:   account.PrivateKey,
+				Registration: account.Registration,
+				Email:        account.Email,
+			}
+
+			var newCertificates []*acme.Certificate
+			for _, cert := range account.DomainsCertificate.Certs {
+				newCertificates = append(newCertificates, &acme.Certificate{
+					Certificate: cert.Certificate.Certificate,
+					Key:         cert.Certificate.PrivateKey,
+					Domain:      cert.Domains,
+				})
+			}
+
+			// If account is in the old format, storeCertificates is nil or empty and has to be initialized
+			storeCertificates = newCertificates
+		}
+
+		// Store the data in new format into the file even if account is nil
+		// to delete Account in ACME v1 format and keeping the certificates
+		newLocalStore := acme.NewLocalStore(fileName)
+		newLocalStore.SaveDataChan <- &acme.StoredData{Account: newAccount, Certificates: storeCertificates}
+	}
+}
+
+func backupACMEFile(originalFileName string, account interface{}) error {
+	// write account to file
+	data, err := json.MarshalIndent(account, "", "  ")
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(originalFileName+".bak", data, 0600)
+}
+
+// FromNewToOldFormat converts new acme account to the old one (used for the backward compatibility)
+func FromNewToOldFormat(fileName string) (*Account, error) {
+	localStore := acme.NewLocalStore(fileName)
+
+	storeAccount, err := localStore.GetAccount()
+	if err != nil {
+		return nil, err
+	}
+
+	storeCertificates, err := localStore.GetCertificates()
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert ACME Account from new to old format
+	// (Needed by the KV stores)
+	var account *Account
+	if storeAccount != nil {
+		account = &Account{
+			Email:              storeAccount.Email,
+			PrivateKey:         storeAccount.PrivateKey,
+			Registration:       storeAccount.Registration,
+			DomainsCertificate: DomainsCertificates{},
+		}
+	}
+
+	// Convert ACME Certificates from new to old format
+	// (Needed by the KV stores)
+	if len(storeCertificates) > 0 {
+		// Account can be nil if data are migrated from new format
+		// with a ACME V1 Account
+		if account == nil {
+			account = &Account{}
+		}
+		for _, cert := range storeCertificates {
+			_, err := account.DomainsCertificate.addCertificateForDomains(&Certificate{
+				Domain:      cert.Domain.Main,
+				Certificate: cert.Certificate,
+				PrivateKey:  cert.Key,
+			}, cert.Domain)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return account, nil
+}
--- a/acme/localStore_test.go
+++ b/acme/localStore_test.go
@@ -0,0 +1,31 @@
+package acme
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGet(t *testing.T) {
+	acmeFile := "./acme_example.json"
+
+	folder, prefix := filepath.Split(acmeFile)
+	tmpFile, err := ioutil.TempFile(folder, prefix)
+	defer os.Remove(tmpFile.Name())
+
+	assert.NoError(t, err)
+
+	fileContent, err := ioutil.ReadFile(acmeFile)
+	assert.NoError(t, err)
+
+	tmpFile.Write(fileContent)
+
+	localStore := NewLocalStore(tmpFile.Name())
+	account, err := localStore.Get()
+	assert.NoError(t, err)
+
+	assert.Len(t, account.DomainsCertificate.Certs, 1)
+}
--- a/acme/localStore_unix.go
+++ b/acme/localStore_unix.go
@@ -1,25 +0,0 @@
-// +build !windows
-
-package acme
-
-import (
-	"fmt"
-	"os"
-)
-
-// Check file permissions
-func checkPermissions(name string) error {
-	f, err := os.Open(name)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	fi, err := f.Stat()
-	if err != nil {
-		return err
-	}
-	if fi.Mode().Perm()&0077 != 0 {
-		return fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), name)
-	}
-	return nil
-}
--- a/acme/localStore_windows.go
+++ b/acme/localStore_windows.go
@@ -1,6 +0,0 @@
-package acme
-
-// Do not check file permissions on Windows right now
-func checkPermissions(name string) error {
-	return nil
-}
--- a/cmd/traefik/anonymize/anonymize.go
+++ b/cmd/traefik/anonymize/anonymize.go
--- a/cmd/traefik/anonymize/anonymize_config_test.go
+++ b/cmd/traefik/anonymize/anonymize_config_test.go
@@ -8,10 +8,11 @@ import (
 	"github.com/containous/flaeg"
 	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/middlewares"
 	"github.com/containous/traefik/provider"
+	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/provider/boltdb"
 	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/consulcatalog"
 	"github.com/containous/traefik/provider/docker"
 	"github.com/containous/traefik/provider/dynamodb"
 	"github.com/containous/traefik/provider/ecs"
@@ -23,11 +24,9 @@ import (
 	"github.com/containous/traefik/provider/marathon"
 	"github.com/containous/traefik/provider/mesos"
 	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/web"
 	"github.com/containous/traefik/provider/zk"
-	"github.com/containous/traefik/safe"
+	traefiktls "github.com/containous/traefik/tls"
 	"github.com/containous/traefik/types"
-	thoas_stats "github.com/thoas/stats"
 )

 func TestDo_globalConfiguration(t *testing.T) {
@@ -46,18 +45,20 @@ func TestDo_globalConfiguration(t *testing.T) {
 	config.LogLevel = "LogLevel"
 	config.EntryPoints = configuration.EntryPoints{
 		"foo": {
-			Network: "foo Network",
 			Address: "foo Address",
-			TLS: &configuration.TLS{
+			TLS: &traefiktls.TLS{
 				MinVersion:   "foo MinVersion",
 				CipherSuites: []string{"foo CipherSuites 1", "foo CipherSuites 2", "foo CipherSuites 3"},
-				Certificates: configuration.Certificates{
+				Certificates: traefiktls.Certificates{
 					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
 					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
 				},
-				ClientCAFiles: []string{"foo ClientCAFiles 1", "foo ClientCAFiles 2", "foo ClientCAFiles 3"},
+				ClientCA: traefiktls.ClientCA{
+					Files:    []string{"foo ClientCAFiles 1", "foo ClientCAFiles 2", "foo ClientCAFiles 3"},
+					Optional: false,
+				},
 			},
-			Redirect: &configuration.Redirect{
+			Redirect: &types.Redirect{
 				Replacement: "foo Replacement",
 				Regex:       "foo Regex",
 				EntryPoint:  "foo EntryPoint",
@@ -84,21 +85,25 @@ func TestDo_globalConfiguration(t *testing.T) {
 			},
 			WhitelistSourceRange: []string{"foo WhitelistSourceRange 1", "foo WhitelistSourceRange 2", "foo WhitelistSourceRange 3"},
 			Compress:             true,
-			ProxyProtocol:        true,
+			ProxyProtocol: &configuration.ProxyProtocol{
+				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
+			},
 		},
 		"fii": {
-			Network: "fii Network",
 			Address: "fii Address",
-			TLS: &configuration.TLS{
+			TLS: &traefiktls.TLS{
 				MinVersion:   "fii MinVersion",
 				CipherSuites: []string{"fii CipherSuites 1", "fii CipherSuites 2", "fii CipherSuites 3"},
-				Certificates: configuration.Certificates{
+				Certificates: traefiktls.Certificates{
 					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
 					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
 				},
-				ClientCAFiles: []string{"fii ClientCAFiles 1", "fii ClientCAFiles 2", "fii ClientCAFiles 3"},
+				ClientCA: traefiktls.ClientCA{
+					Files:    []string{"fii ClientCAFiles 1", "fii ClientCAFiles 2", "fii ClientCAFiles 3"},
+					Optional: false,
+				},
 			},
-			Redirect: &configuration.Redirect{
+			Redirect: &types.Redirect{
 				Replacement: "fii Replacement",
 				Regex:       "fii Regex",
 				EntryPoint:  "fii EntryPoint",
@@ -125,7 +130,9 @@ func TestDo_globalConfiguration(t *testing.T) {
 			},
 			WhitelistSourceRange: []string{"fii WhitelistSourceRange 1", "fii WhitelistSourceRange 2", "fii WhitelistSourceRange 3"},
 			Compress:             true,
-			ProxyProtocol:        true,
+			ProxyProtocol: &configuration.ProxyProtocol{
+				TrustedIPs: []string{"127.0.0.1/32", "192.168.0.1"},
+			},
 		},
 	}
 	config.Cluster = &types.Cluster{
@@ -149,7 +156,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 	}
 	config.ACME = &acme.ACME{
 		Email: "acme Email",
-		Domains: []acme.Domain{
+		Domains: []types.Domain{
 			{
 				Main: "Domains Main",
 				SANs: []string{"Domains acme SANs 1", "Domains acme SANs 2", "Domains acme SANs 3"},
@@ -161,7 +168,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 		OnHostRule:        true,
 		CAServer:          "CAServer",
 		EntryPoint:        "EntryPoint",
-		DNSProvider:       "DNSProvider",
+		DNSChallenge:      &acmeprovider.DNSChallenge{Provider: "DNSProvider"},
 		DelayDontCheckDNS: 666,
 		ACMELogging:       true,
 		TLSConfig: &tls.Config{
@@ -174,7 +181,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 	config.MaxIdleConnsPerHost = 666
 	config.IdleTimeout = flaeg.Duration(666 * time.Second)
 	config.InsecureSkipVerify = true
-	config.RootCAs = configuration.RootCAs{"RootCAs 1", "RootCAs 2", "RootCAs 3"}
+	config.RootCAs = traefiktls.RootCAs{"RootCAs 1", "RootCAs 2", "RootCAs 3"}
 	config.Retry = &configuration.Retry{
 		Attempts: 666,
 	}
@@ -242,7 +249,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 		},
 		Directory: "file Directory",
 	}
-	config.Web = &web.Provider{
+	config.Web = &configuration.WebCompatibility{
 		Address:  "web Address",
 		CertFile: "web CertFile",
 		KeyFile:  "web KeyFile",
@@ -285,15 +292,6 @@ func TestDo_globalConfiguration(t *testing.T) {
 			},
 		},
 		Debug: true,
-		CurrentConfigurations: &safe.Safe{},
-		Stats: &thoas_stats.Stats{
-			Uptime:              time.Now(),
-			Pid:                 666,
-			ResponseCounts:      map[string]int{"foo": 1, "fii": 2, "fuu": 3},
-			TotalResponseCounts: map[string]int{"foo": 1, "fii": 2, "fuu": 3},
-			TotalResponseTime:   time.Now(),
-		},
-		StatsRecorder: &middlewares.StatsRecorder{},
 	}
 	config.Marathon = &marathon.Provider{
 		BaseProvider: provider.BaseProvider{
@@ -335,7 +333,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 		},
 		RespectReadinessChecks: true,
 	}
-	config.ConsulCatalog = &consul.CatalogProvider{
+	config.ConsulCatalog = &consulcatalog.Provider{
 		BaseProvider: provider.BaseProvider{
 			Watch:    true,
 			Filename: "ConsulCatalog Filename",
@@ -434,8 +432,9 @@ func TestDo_globalConfiguration(t *testing.T) {
 			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
-		Endpoint: "eureka Endpoint",
-		Delay:    "eureka Delay",
+		Endpoint:       "eureka Endpoint",
+		Delay:          flaeg.Duration(30 * time.Second),
+		RefreshSeconds: flaeg.Duration(30 * time.Second),
 	}
 	config.ECS = &ecs.Provider{
 		BaseProvider: provider.BaseProvider{
--- a/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
+++ b/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
@@ -1,8 +1,9 @@
 package anonymize

 import (
-	"github.com/stretchr/testify/assert"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func Test_doOnJSON(t *testing.T) {
@@ -28,7 +29,6 @@ func Test_doOnJSON(t *testing.T) {
   "Compress": false
  },
  "https": {
-   "Network": "",
   "Address": ":443",
   "TLS": {
    "MinVersion": "",
@@ -118,7 +118,6 @@ func Test_doOnJSON(t *testing.T) {
   "Compress": false
  },
  "https": {
-   "Network": "",
   "Address": ":443",
   "TLS": {
    "MinVersion": "",
--- a/cmd/traefik/anonymize/anonymize_doOnStruct_test.go
+++ b/cmd/traefik/anonymize/anonymize_doOnStruct_test.go
--- a/api/dashboard.go
+++ b/api/dashboard.go
@@ -0,0 +1,32 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/containous/mux"
+	"github.com/containous/traefik/autogen/genstatic"
+	"github.com/elazarl/go-bindata-assetfs"
+)
+
+// DashboardHandler expose dashboard routes
+type DashboardHandler struct{}
+
+// AddRoutes add dashboard routes on a router
+func (g DashboardHandler) AddRoutes(router *mux.Router) {
+	// Expose dashboard
+	router.Methods(http.MethodGet).
+		Path("/").
+		HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+			http.Redirect(response, request, request.Header.Get("X-Forwarded-Prefix")+"/dashboard/", 302)
+		})
+
+	router.Methods(http.MethodGet).
+		Path("/dashboard/status").
+		HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+			http.Redirect(response, request, "/dashboard/", 302)
+		})
+
+	router.Methods(http.MethodGet).
+		PathPrefix("/dashboard/").
+		Handler(http.StripPrefix("/dashboard/", http.FileServer(&assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"})))
+}
--- a/api/debug.go
+++ b/api/debug.go
@@ -0,0 +1,46 @@
+package api
+
+import (
+	"expvar"
+	"fmt"
+	"net/http"
+	"net/http/pprof"
+	"runtime"
+
+	"github.com/containous/mux"
+)
+
+func init() {
+	expvar.Publish("Goroutines", expvar.Func(goroutines))
+}
+
+func goroutines() interface{} {
+	return runtime.NumGoroutine()
+}
+
+// DebugHandler expose debug routes
+type DebugHandler struct{}
+
+// AddRoutes add debug routes on a router
+func (g DebugHandler) AddRoutes(router *mux.Router) {
+	router.Methods(http.MethodGet).Path("/debug/vars").
+		HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("Content-Type", "application/json; charset=utf-8")
+			fmt.Fprint(w, "{\n")
+			first := true
+			expvar.Do(func(kv expvar.KeyValue) {
+				if !first {
+					fmt.Fprint(w, ",\n")
+				}
+				first = false
+				fmt.Fprintf(w, "%q: %s", kv.Key, kv.Value)
+			})
+			fmt.Fprint(w, "\n}\n")
+		})
+
+	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/cmdline").HandlerFunc(pprof.Cmdline)
+	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/profile").HandlerFunc(pprof.Profile)
+	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/symbol").HandlerFunc(pprof.Symbol)
+	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/trace").HandlerFunc(pprof.Trace)
+	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index)
+}
--- a/api/handler.go
+++ b/api/handler.go
@@ -0,0 +1,250 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/containous/mux"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/middlewares"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+	"github.com/containous/traefik/version"
+	thoas_stats "github.com/thoas/stats"
+	"github.com/unrolled/render"
+)
+
+// Handler expose api routes
+type Handler struct {
+	EntryPoint            string `description:"EntryPoint" export:"true"`
+	Dashboard             bool   `description:"Activate dashboard" export:"true"`
+	Debug                 bool   `export:"true"`
+	CurrentConfigurations *safe.Safe
+	Statistics            *types.Statistics          `description:"Enable more detailed statistics" export:"true"`
+	Stats                 *thoas_stats.Stats         `json:"-"`
+	StatsRecorder         *middlewares.StatsRecorder `json:"-"`
+}
+
+var (
+	templatesRenderer = render.New(render.Options{
+		Directory: "nowhere",
+	})
+)
+
+// AddRoutes add api routes on a router
+func (p Handler) AddRoutes(router *mux.Router) {
+	if p.Debug {
+		DebugHandler{}.AddRoutes(router)
+	}
+
+	router.Methods(http.MethodGet).Path("/api").HandlerFunc(p.getConfigHandler)
+	router.Methods(http.MethodGet).Path("/api/providers").HandlerFunc(p.getConfigHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}").HandlerFunc(p.getProviderHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/backends").HandlerFunc(p.getBackendsHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/backends/{backend}").HandlerFunc(p.getBackendHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/backends/{backend}/servers").HandlerFunc(p.getServersHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/backends/{backend}/servers/{server}").HandlerFunc(p.getServerHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/frontends").HandlerFunc(p.getFrontendsHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/frontends/{frontend}").HandlerFunc(p.getFrontendHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/frontends/{frontend}/routes").HandlerFunc(p.getRoutesHandler)
+	router.Methods(http.MethodGet).Path("/api/providers/{provider}/frontends/{frontend}/routes/{route}").HandlerFunc(p.getRouteHandler)
+
+	// health route
+	router.Methods(http.MethodGet).Path("/health").HandlerFunc(p.getHealthHandler)
+
+	version.Handler{}.AddRoutes(router)
+
+	if p.Dashboard {
+		DashboardHandler{}.AddRoutes(router)
+	}
+}
+
+func getProviderIDFromVars(vars map[string]string) string {
+	providerID := vars["provider"]
+	// TODO: Deprecated
+	if providerID == "rest" {
+		providerID = "web"
+	}
+	return providerID
+}
+
+func (p Handler) getConfigHandler(response http.ResponseWriter, request *http.Request) {
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	err := templatesRenderer.JSON(response, http.StatusOK, currentConfigurations)
+	if err != nil {
+		log.Error(err)
+	}
+}
+
+func (p Handler) getProviderHandler(response http.ResponseWriter, request *http.Request) {
+	providerID := getProviderIDFromVars(mux.Vars(request))
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		err := templatesRenderer.JSON(response, http.StatusOK, provider)
+		if err != nil {
+			log.Error(err)
+		}
+	} else {
+		http.NotFound(response, request)
+	}
+}
+
+func (p Handler) getBackendsHandler(response http.ResponseWriter, request *http.Request) {
+	providerID := getProviderIDFromVars(mux.Vars(request))
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		err := templatesRenderer.JSON(response, http.StatusOK, provider.Backends)
+		if err != nil {
+			log.Error(err)
+		}
+	} else {
+		http.NotFound(response, request)
+	}
+}
+
+func (p Handler) getBackendHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	backendID := vars["backend"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if backend, ok := provider.Backends[backendID]; ok {
+			err := templatesRenderer.JSON(response, http.StatusOK, backend)
+			if err != nil {
+				log.Error(err)
+			}
+			return
+		}
+	}
+	http.NotFound(response, request)
+}
+
+func (p Handler) getServersHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	backendID := vars["backend"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if backend, ok := provider.Backends[backendID]; ok {
+			err := templatesRenderer.JSON(response, http.StatusOK, backend.Servers)
+			if err != nil {
+				log.Error(err)
+			}
+			return
+		}
+	}
+	http.NotFound(response, request)
+}
+
+func (p Handler) getServerHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	backendID := vars["backend"]
+	serverID := vars["server"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if backend, ok := provider.Backends[backendID]; ok {
+			if server, ok := backend.Servers[serverID]; ok {
+				err := templatesRenderer.JSON(response, http.StatusOK, server)
+				if err != nil {
+					log.Error(err)
+				}
+				return
+			}
+		}
+	}
+	http.NotFound(response, request)
+}
+
+func (p Handler) getFrontendsHandler(response http.ResponseWriter, request *http.Request) {
+	providerID := getProviderIDFromVars(mux.Vars(request))
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		err := templatesRenderer.JSON(response, http.StatusOK, provider.Frontends)
+		if err != nil {
+			log.Error(err)
+		}
+	} else {
+		http.NotFound(response, request)
+	}
+}
+
+func (p Handler) getFrontendHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	frontendID := vars["frontend"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if frontend, ok := provider.Frontends[frontendID]; ok {
+			err := templatesRenderer.JSON(response, http.StatusOK, frontend)
+			if err != nil {
+				log.Error(err)
+			}
+			return
+		}
+	}
+	http.NotFound(response, request)
+}
+
+func (p Handler) getRoutesHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	frontendID := vars["frontend"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if frontend, ok := provider.Frontends[frontendID]; ok {
+			err := templatesRenderer.JSON(response, http.StatusOK, frontend.Routes)
+			if err != nil {
+				log.Error(err)
+			}
+			return
+		}
+	}
+	http.NotFound(response, request)
+}
+
+func (p Handler) getRouteHandler(response http.ResponseWriter, request *http.Request) {
+	vars := mux.Vars(request)
+	providerID := getProviderIDFromVars(vars)
+	frontendID := vars["frontend"]
+	routeID := vars["route"]
+
+	currentConfigurations := p.CurrentConfigurations.Get().(types.Configurations)
+	if provider, ok := currentConfigurations[providerID]; ok {
+		if frontend, ok := provider.Frontends[frontendID]; ok {
+			if route, ok := frontend.Routes[routeID]; ok {
+				err := templatesRenderer.JSON(response, http.StatusOK, route)
+				if err != nil {
+					log.Error(err)
+				}
+				return
+			}
+		}
+	}
+	http.NotFound(response, request)
+}
+
+// healthResponse combines data returned by thoas/stats with statistics (if
+// they are enabled).
+type healthResponse struct {
+	*thoas_stats.Data
+	*middlewares.Stats
+}
+
+func (p *Handler) getHealthHandler(response http.ResponseWriter, request *http.Request) {
+	health := &healthResponse{Data: p.Stats.Data()}
+	if p.StatsRecorder != nil {
+		health.Stats = p.StatsRecorder.Data()
+	}
+	err := templatesRenderer.JSON(response, http.StatusOK, health)
+	if err != nil {
+		log.Error(err)
+	}
+}
--- a/autogen/gentemplates/gen.go
+++ b/autogen/gentemplates/gen.go
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,26 +1,22 @@
-FROM golang:1.9-alpine
+FROM golang:1.10-alpine

 RUN apk --update upgrade \
 && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
 && rm -rf /var/cache/apk/*

-RUN go get github.com/jteeuwen/go-bindata/... \
+RUN go get github.com/containous/go-bindata/... \
 && go get github.com/golang/lint/golint \
 && go get github.com/kisielk/errcheck \
-&& go get github.com/client9/misspell/cmd/misspell \
-&& go get github.com/mattfarina/glide-hash \
-&& go get github.com/sgotti/glide-vc
+&& go get github.com/client9/misspell/cmd/misspell

 # Which docker version to test on
 ARG DOCKER_VERSION=17.03.2
+ARG DEP_VERSION=0.4.1

-# Which glide version to test on
-ARG GLIDE_VERSION=v0.12.3
-
-# Download glide
+# Download dep binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
-    && curl -fL https://github.com/Masterminds/glide/releases/download/${GLIDE_VERSION}/glide-${GLIDE_VERSION}-linux-amd64.tar.gz \
-    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
+    && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
+    && chmod +x /usr/local/bin/dep

 # Download docker
 RUN mkdir -p /usr/local/bin \
--- a/cluster/datastore.go
+++ b/cluster/datastore.go
@@ -7,12 +7,12 @@ import (
 	"sync"
 	"time"

+	"github.com/abronan/valkeyrie/store"
 	"github.com/cenk/backoff"
 	"github.com/containous/staert"
 	"github.com/containous/traefik/job"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/safe"
-	"github.com/docker/libkv/store"
 	"github.com/satori/go.uuid"
 )

@@ -76,7 +76,7 @@ func NewDataStore(ctx context.Context, kvSource staert.KvSource, object Object,

 func (d *Datastore) watchChanges() error {
 	stopCh := make(chan struct{})
-	kvCh, err := d.kv.Watch(d.lockKey, stopCh)
+	kvCh, err := d.kv.Watch(d.lockKey, stopCh, nil)
 	if err != nil {
 		return err
 	}
@@ -119,19 +119,8 @@ func (d *Datastore) watchChanges() error {

 func (d *Datastore) reload() error {
 	log.Debug("Datastore reload")
-	d.localLock.Lock()
-	err := d.kv.LoadConfig(d.meta)
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	err = d.meta.unmarshall()
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	d.localLock.Unlock()
-	return nil
+	_, err := d.Load()
+	return err
 }

 // Begin creates a transaction with the KV store.
--- a/cluster/leadership.go
+++ b/cluster/leadership.go
@@ -2,15 +2,22 @@ package cluster

 import (
 	"context"
+	"net/http"
 	"time"

 	"github.com/cenk/backoff"
+	"github.com/containous/mux"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/docker/leadership"
+	"github.com/unrolled/render"
 )

+var templatesRenderer = render.New(render.Options{
+	Directory: "nowhere",
+})
+
 // Leadership allows leadership election using a KV store
 type Leadership struct {
 	*safe.Pool
@@ -98,7 +105,32 @@ func (l *Leadership) onElection(elected bool) {
 	}
 }

+type leaderResponse struct {
+	Leader bool `json:"leader"`
+}
+
+func (l *Leadership) getLeaderHandler(response http.ResponseWriter, request *http.Request) {
+	leader := &leaderResponse{Leader: l.IsLeader()}
+
+	status := http.StatusOK
+	if !leader.Leader {
+		// Set status to be `429`, as this will typically cause load balancers to stop sending requests to the instance without removing them from rotation.
+		status = http.StatusTooManyRequests
+	}
+
+	err := templatesRenderer.JSON(response, status, leader)
+	if err != nil {
+		log.Error(err)
+	}
+}
+
 // IsLeader returns true if current node is leader
 func (l *Leadership) IsLeader() bool {
 	return l.leader.Get().(bool)
 }
+
+// AddRoutes add dashboard routes on a router
+func (l *Leadership) AddRoutes(router *mux.Router) {
+	// Expose cluster leader
+	router.Methods(http.MethodGet).Path("/api/cluster/leader").HandlerFunc(l.getLeaderHandler)
+}
--- a/cmd/traefik/bug.go
+++ b/cmd/traefik/bug.go
@@ -1,4 +1,4 @@
-package main
+package bug

 import (
 	"bytes"
@@ -9,7 +9,9 @@ import (
 	"text/template"

 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/cmd/traefik/anonymize"
+	"github.com/containous/traefik/anonymize"
+	"github.com/containous/traefik/cmd"
+	"github.com/containous/traefik/cmd/version"
 )

 const (
@@ -74,7 +76,7 @@ HOW TO WRITE A GOOD ISSUE?
 Add more configuration information here.
 -->

-### If applicable, please paste the log output in debug mode (` + "`" + `--debug` + "`" + ` switch)
+### If applicable, please paste the log output at DEBUG level (` + "`" + `--logLevel=DEBUG` + "`" + ` switch)

 ` + "```" + `
 (paste your output here)
@@ -83,8 +85,8 @@ Add more configuration information here.
 `
 )

-// newBugCmd builds a new Bug command
-func newBugCmd(traefikConfiguration interface{}, traefikPointersConfiguration interface{}) *flaeg.Command {
+// NewCmd builds a new Bug command
+func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {

 	//version Command init
 	return &flaeg.Command{
@@ -92,30 +94,30 @@ func newBugCmd(traefikConfiguration interface{}, traefikPointersConfiguration in
 		Description:           `Report an issue on Traefik bugtracker`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
-		Run: runBugCmd(traefikConfiguration),
+		Run: runCmd(traefikConfiguration),
 		Metadata: map[string]string{
 			"parseAllSources": "true",
 		},
 	}
 }

-func runBugCmd(traefikConfiguration interface{}) func() error {
+func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
 	return func() error {

-		body, err := createBugReport(traefikConfiguration)
+		body, err := createReport(traefikConfiguration)
 		if err != nil {
 			return err
 		}

-		sendBugReport(body)
+		sendReport(body)

 		return nil
 	}
 }

-func createBugReport(traefikConfiguration interface{}) (string, error) {
-	var version bytes.Buffer
-	if err := getVersionPrint(&version); err != nil {
+func createReport(traefikConfiguration *cmd.TraefikConfiguration) (string, error) {
+	var versionPrint bytes.Buffer
+	if err := version.GetPrint(&versionPrint); err != nil {
 		return "", err
 	}

@@ -124,7 +126,7 @@ func createBugReport(traefikConfiguration interface{}) (string, error) {
 		return "", err
 	}

-	config, err := anonymize.Do(&traefikConfiguration, true)
+	config, err := anonymize.Do(traefikConfiguration, true)
 	if err != nil {
 		return "", err
 	}
@@ -133,7 +135,7 @@ func createBugReport(traefikConfiguration interface{}) (string, error) {
 		Version       string
 		Configuration string
 	}{
-		Version:       version.String(),
+		Version:       versionPrint.String(),
 		Configuration: config,
 	}

@@ -145,7 +147,7 @@ func createBugReport(traefikConfiguration interface{}) (string, error) {
 	return bug.String(), nil
 }

-func sendBugReport(body string) {
+func sendReport(body string) {
 	URL := bugTracker + "?body=" + url.QueryEscape(body)
 	if err := openBrowser(URL); err != nil {
 		fmt.Printf("Please file a new issue at %s using this template:\n\n", bugTracker)
--- a/cmd/bug/bug_test.go
+++ b/cmd/bug/bug_test.go
@@ -0,0 +1,67 @@
+package bug
+
+import (
+	"testing"
+
+	"github.com/containous/traefik/anonymize"
+	"github.com/containous/traefik/cmd"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_createReport(t *testing.T) {
+	traefikConfiguration := &cmd.TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+					Auth: &types.Auth{
+						Basic: &types.Basic{
+							UsersFile: "foo Basic UsersFile",
+							Users:     types.Users{"foo Basic Users 1", "foo Basic Users 2", "foo Basic Users 3"},
+						},
+						Digest: &types.Digest{
+							UsersFile: "foo Digest UsersFile",
+							Users:     types.Users{"foo Digest Users 1", "foo Digest Users 2", "foo Digest Users 3"},
+						},
+					},
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+			RootCAs: tls.RootCAs{"fllf"},
+		},
+	}
+
+	report, err := createReport(traefikConfiguration)
+	assert.NoError(t, err, report)
+
+	// exported anonymous configuration
+	assert.NotContains(t, "web Basic Users ", report)
+	assert.NotContains(t, "foo Digest Users ", report)
+	assert.NotContains(t, "hoo.bar", report)
+}
+
+func Test_anonymize_traefikConfiguration(t *testing.T) {
+	traefikConfiguration := &cmd.TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+		},
+	}
+	_, err := anonymize.Do(traefikConfiguration, true)
+	assert.NoError(t, err)
+	assert.Equal(t, "hoo.bar", traefikConfiguration.GlobalConfiguration.EntryPoints["goo"].Address)
+}
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -0,0 +1,324 @@
+package cmd
+
+import (
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik-extra-service-fabric"
+	"github.com/containous/traefik/api"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/middlewares/accesslog"
+	"github.com/containous/traefik/middlewares/tracing"
+	"github.com/containous/traefik/middlewares/tracing/jaeger"
+	"github.com/containous/traefik/middlewares/tracing/zipkin"
+	"github.com/containous/traefik/ping"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/consulcatalog"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/rest"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/types"
+	sf "github.com/jjcollinge/servicefabric"
+)
+
+// TraefikConfiguration holds GlobalConfiguration and other stuff
+type TraefikConfiguration struct {
+	configuration.GlobalConfiguration `mapstructure:",squash" export:"true"`
+	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
+}
+
+// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
+func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
+	// default Docker
+	var defaultDocker docker.Provider
+	defaultDocker.Watch = true
+	defaultDocker.ExposedByDefault = true
+	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
+	defaultDocker.SwarmMode = false
+
+	// default File
+	var defaultFile file.Provider
+	defaultFile.Watch = true
+	defaultFile.Filename = "" // needs equivalent to  viper.ConfigFileUsed()
+
+	// default Rest
+	var defaultRest rest.Provider
+	defaultRest.EntryPoint = configuration.DefaultInternalEntryPointName
+
+	// TODO: Deprecated - Web provider, use REST provider instead
+	var defaultWeb configuration.WebCompatibility
+	defaultWeb.Address = ":8080"
+	defaultWeb.Statistics = &types.Statistics{
+		RecentErrors: 10,
+	}
+
+	// TODO: Deprecated - default Metrics
+	defaultWeb.Metrics = &types.Metrics{
+		Prometheus: &types.Prometheus{
+			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
+			EntryPoint: configuration.DefaultInternalEntryPointName,
+		},
+		Datadog: &types.Datadog{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		StatsD: &types.Statsd{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		InfluxDB: &types.InfluxDB{
+			Address:      "localhost:8089",
+			PushInterval: "10s",
+		},
+	}
+
+	// default Marathon
+	var defaultMarathon marathon.Provider
+	defaultMarathon.Watch = true
+	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
+	defaultMarathon.ExposedByDefault = true
+	defaultMarathon.Constraints = types.Constraints{}
+	defaultMarathon.DialerTimeout = flaeg.Duration(60 * time.Second)
+	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
+
+	// default Consul
+	var defaultConsul consul.Provider
+	defaultConsul.Watch = true
+	defaultConsul.Endpoint = "127.0.0.1:8500"
+	defaultConsul.Prefix = "traefik"
+	defaultConsul.Constraints = types.Constraints{}
+
+	// default CatalogProvider
+	var defaultConsulCatalog consulcatalog.Provider
+	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
+	defaultConsulCatalog.ExposedByDefault = true
+	defaultConsulCatalog.Constraints = types.Constraints{}
+	defaultConsulCatalog.Prefix = "traefik"
+	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
+
+	// default Etcd
+	var defaultEtcd etcd.Provider
+	defaultEtcd.Watch = true
+	defaultEtcd.Endpoint = "127.0.0.1:2379"
+	defaultEtcd.Prefix = "/traefik"
+	defaultEtcd.Constraints = types.Constraints{}
+
+	// default Zookeeper
+	var defaultZookeeper zk.Provider
+	defaultZookeeper.Watch = true
+	defaultZookeeper.Endpoint = "127.0.0.1:2181"
+	defaultZookeeper.Prefix = "traefik"
+	defaultZookeeper.Constraints = types.Constraints{}
+
+	// default Boltdb
+	var defaultBoltDb boltdb.Provider
+	defaultBoltDb.Watch = true
+	defaultBoltDb.Endpoint = "127.0.0.1:4001"
+	defaultBoltDb.Prefix = "/traefik"
+	defaultBoltDb.Constraints = types.Constraints{}
+
+	// default Kubernetes
+	var defaultKubernetes kubernetes.Provider
+	defaultKubernetes.Watch = true
+	defaultKubernetes.Constraints = types.Constraints{}
+
+	// default Mesos
+	var defaultMesos mesos.Provider
+	defaultMesos.Watch = true
+	defaultMesos.Endpoint = "http://127.0.0.1:5050"
+	defaultMesos.ExposedByDefault = true
+	defaultMesos.Constraints = types.Constraints{}
+	defaultMesos.RefreshSeconds = 30
+	defaultMesos.ZkDetectionTimeout = 30
+	defaultMesos.StateTimeoutSecond = 30
+
+	// default ECS
+	var defaultECS ecs.Provider
+	defaultECS.Watch = true
+	defaultECS.ExposedByDefault = true
+	defaultECS.AutoDiscoverClusters = false
+	defaultECS.Clusters = ecs.Clusters{"default"}
+	defaultECS.RefreshSeconds = 15
+	defaultECS.Constraints = types.Constraints{}
+
+	// default Rancher
+	var defaultRancher rancher.Provider
+	defaultRancher.Watch = true
+	defaultRancher.ExposedByDefault = true
+	defaultRancher.RefreshSeconds = 15
+
+	// default DynamoDB
+	var defaultDynamoDB dynamodb.Provider
+	defaultDynamoDB.Constraints = types.Constraints{}
+	defaultDynamoDB.RefreshSeconds = 15
+	defaultDynamoDB.TableName = "traefik"
+	defaultDynamoDB.Watch = true
+
+	// default Eureka
+	var defaultEureka eureka.Provider
+	defaultEureka.RefreshSeconds = flaeg.Duration(30 * time.Second)
+
+	// default ServiceFabric
+	var defaultServiceFabric servicefabric.Provider
+	defaultServiceFabric.APIVersion = sf.DefaultAPIVersion
+	defaultServiceFabric.RefreshSeconds = 10
+
+	// default Ping
+	var defaultPing = ping.Handler{
+		EntryPoint: "traefik",
+	}
+
+	// default TraefikLog
+	defaultTraefikLog := types.TraefikLog{
+		Format:   "common",
+		FilePath: "",
+	}
+
+	// default AccessLog
+	defaultAccessLog := types.AccessLog{
+		Format:   accesslog.CommonFormat,
+		FilePath: "",
+		Filters:  &types.AccessLogFilters{},
+		Fields: &types.AccessLogFields{
+			DefaultMode: types.AccessLogKeep,
+			Headers: &types.FieldHeaders{
+				DefaultMode: types.AccessLogKeep,
+			},
+		},
+	}
+
+	// default HealthCheckConfig
+	healthCheck := configuration.HealthCheckConfig{
+		Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+	}
+
+	// default RespondingTimeouts
+	respondingTimeouts := configuration.RespondingTimeouts{
+		IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
+	}
+
+	// default ForwardingTimeouts
+	forwardingTimeouts := configuration.ForwardingTimeouts{
+		DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
+	}
+
+	// default Tracing
+	defaultTracing := tracing.Tracing{
+		Backend:     "jaeger",
+		ServiceName: "traefik",
+		Jaeger: &jaeger.Config{
+			SamplingServerURL:  "http://localhost:5778/sampling",
+			SamplingType:       "const",
+			SamplingParam:      1.0,
+			LocalAgentHostPort: "127.0.0.1:6831",
+		},
+		Zipkin: &zipkin.Config{
+			HTTPEndpoint: "http://localhost:9411/api/v1/spans",
+			SameSpan:     false,
+			ID128Bit:     true,
+			Debug:        false,
+		},
+	}
+
+	// default LifeCycle
+	defaultLifeCycle := configuration.LifeCycle{
+		GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
+	}
+
+	// default ApiConfiguration
+	defaultAPI := api.Handler{
+		EntryPoint: "traefik",
+		Dashboard:  true,
+	}
+	defaultAPI.Statistics = &types.Statistics{
+		RecentErrors: 10,
+	}
+
+	// default Metrics
+	defaultMetrics := types.Metrics{
+		Prometheus: &types.Prometheus{
+			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
+			EntryPoint: configuration.DefaultInternalEntryPointName,
+		},
+		Datadog: &types.Datadog{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		StatsD: &types.Statsd{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		InfluxDB: &types.InfluxDB{
+			Address:      "localhost:8089",
+			PushInterval: "10s",
+		},
+	}
+
+	defaultConfiguration := configuration.GlobalConfiguration{
+		Docker:             &defaultDocker,
+		File:               &defaultFile,
+		Web:                &defaultWeb,
+		Rest:               &defaultRest,
+		Marathon:           &defaultMarathon,
+		Consul:             &defaultConsul,
+		ConsulCatalog:      &defaultConsulCatalog,
+		Etcd:               &defaultEtcd,
+		Zookeeper:          &defaultZookeeper,
+		Boltdb:             &defaultBoltDb,
+		Kubernetes:         &defaultKubernetes,
+		Mesos:              &defaultMesos,
+		ECS:                &defaultECS,
+		Rancher:            &defaultRancher,
+		Eureka:             &defaultEureka,
+		DynamoDB:           &defaultDynamoDB,
+		Retry:              &configuration.Retry{},
+		HealthCheck:        &healthCheck,
+		RespondingTimeouts: &respondingTimeouts,
+		ForwardingTimeouts: &forwardingTimeouts,
+		TraefikLog:         &defaultTraefikLog,
+		AccessLog:          &defaultAccessLog,
+		LifeCycle:          &defaultLifeCycle,
+		Ping:               &defaultPing,
+		API:                &defaultAPI,
+		Metrics:            &defaultMetrics,
+		Tracing:            &defaultTracing,
+	}
+
+	return &TraefikConfiguration{
+		GlobalConfiguration: defaultConfiguration,
+	}
+}
+
+// NewTraefikConfiguration creates a TraefikConfiguration with default values
+func NewTraefikConfiguration() *TraefikConfiguration {
+	return &TraefikConfiguration{
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			AccessLogsFile:            "",
+			TraefikLogsFile:           "",
+			EntryPoints:               map[string]*configuration.EntryPoint{},
+			Constraints:               types.Constraints{},
+			DefaultEntryPoints:        []string{"http"},
+			ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
+			MaxIdleConnsPerHost:       200,
+			IdleTimeout:               flaeg.Duration(0),
+			HealthCheck: &configuration.HealthCheckConfig{
+				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+			},
+			LifeCycle: &configuration.LifeCycle{
+				GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
+			},
+			CheckNewVersion: true,
+		},
+		ConfigFile: "",
+	}
+}
--- a/cmd/context.go
+++ b/cmd/context.go
@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+// ContextWithSignal create a context cancelled when SIGINT or SIGTERM are notified
+func ContextWithSignal(ctx context.Context) context.Context {
+	newCtx, cancel := context.WithCancel(ctx)
+	signals := make(chan os.Signal)
+	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		select {
+		case <-signals:
+			cancel()
+		}
+	}()
+	return newCtx
+}
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -0,0 +1,73 @@
+package healthcheck
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/cmd"
+	"github.com/containous/traefik/configuration"
+)
+
+// NewCmd builds a new HealthCheck command
+func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
+	return &flaeg.Command{
+		Name:                  "healthcheck",
+		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Run: runCmd(traefikConfiguration),
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+}
+
+func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
+	return func() error {
+		traefikConfiguration.GlobalConfiguration.SetEffectiveConfiguration(traefikConfiguration.ConfigFile)
+
+		resp, errPing := Do(traefikConfiguration.GlobalConfiguration)
+		if errPing != nil {
+			fmt.Printf("Error calling healthcheck: %s\n", errPing)
+			os.Exit(1)
+		}
+		if resp.StatusCode != http.StatusOK {
+			fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
+			os.Exit(1)
+		}
+		fmt.Printf("OK: %s\n", resp.Request.URL)
+		os.Exit(0)
+		return nil
+	}
+}
+
+// Do try to do a healthcheck
+func Do(globalConfiguration configuration.GlobalConfiguration) (*http.Response, error) {
+	if globalConfiguration.Ping == nil {
+		return nil, errors.New("please enable `ping` to use health check")
+	}
+	pingEntryPoint, ok := globalConfiguration.EntryPoints[globalConfiguration.Ping.EntryPoint]
+	if !ok {
+		return nil, errors.New("missing `ping` entrypoint")
+	}
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	protocol := "http"
+	if pingEntryPoint.TLS != nil {
+		protocol = "https"
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client.Transport = tr
+	}
+	path := "/"
+	if globalConfiguration.Web != nil {
+		path = globalConfiguration.Web.Path
+	}
+	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+}
--- a/cmd/storeconfig/storeconfig.go
+++ b/cmd/storeconfig/storeconfig.go
@@ -0,0 +1,192 @@
+package storeconfig
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	stdlog "log"
+	"os"
+
+	"github.com/abronan/valkeyrie/store"
+	"github.com/containous/flaeg"
+	"github.com/containous/staert"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/cmd"
+	"github.com/containous/traefik/log"
+)
+
+// NewCmd builds a new StoreConfig command
+func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
+	return &flaeg.Command{
+		Name:                  "storeconfig",
+		Description:           `Store the static traefik configuration into a Key-value stores. Traefik will not start.`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+}
+
+// Run store config in KV
+func Run(kv *staert.KvSource, traefikConfiguration *cmd.TraefikConfiguration) func() error {
+	return func() error {
+		if kv == nil {
+			return fmt.Errorf("error using command storeconfig, no Key-value store defined")
+		}
+
+		fileConfig := traefikConfiguration.GlobalConfiguration.File
+		if fileConfig != nil {
+			traefikConfiguration.GlobalConfiguration.File = nil
+			if len(fileConfig.Filename) == 0 && len(fileConfig.Directory) == 0 {
+				fileConfig.Filename = traefikConfiguration.ConfigFile
+			}
+		}
+
+		jsonConf, err := json.Marshal(traefikConfiguration.GlobalConfiguration)
+		if err != nil {
+			return err
+		}
+		stdlog.Printf("Storing configuration: %s\n", jsonConf)
+
+		err = kv.StoreConfig(traefikConfiguration.GlobalConfiguration)
+		if err != nil {
+			return err
+		}
+
+		if fileConfig != nil {
+			jsonConf, err = json.Marshal(fileConfig)
+			if err != nil {
+				return err
+			}
+
+			stdlog.Printf("Storing file configuration: %s\n", jsonConf)
+			config, err := fileConfig.BuildConfiguration()
+			if err != nil {
+				return err
+			}
+
+			stdlog.Print("Writing config to KV")
+			err = kv.StoreConfig(config)
+			if err != nil {
+				return err
+			}
+		}
+
+		if traefikConfiguration.GlobalConfiguration.ACME != nil {
+			account := &acme.Account{}
+
+			// Migrate ACME data from file to KV store if needed
+			if len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
+				account, err = migrateACMEData(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
+				if err != nil {
+					return err
+				}
+			}
+
+			// Store the ACME Account into the KV Store
+			meta := cluster.NewMetadata(account)
+			err = meta.Marshall()
+			if err != nil {
+				return err
+			}
+
+			source := staert.KvSource{
+				Store:  kv,
+				Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
+			}
+
+			err = source.StoreConfig(meta)
+			if err != nil {
+				return err
+			}
+
+			// Force to delete storagefile
+			return kv.Delete(kv.Prefix + "/acme/storagefile")
+		}
+		return nil
+	}
+}
+
+// migrateACMEData allows migrating data from acme.json file to KV store in function of the file format
+func migrateACMEData(fileName string) (*acme.Account, error) {
+
+	f, err := os.Open(fileName)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	file, err := ioutil.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	// Check if the storage file is not empty before to get data
+	account := &acme.Account{}
+	if len(file) > 0 {
+		accountFromNewFormat, err := acme.FromNewToOldFormat(fileName)
+		if err != nil {
+			return nil, err
+		}
+
+		if accountFromNewFormat == nil {
+			// convert ACME json file to KV store (used for backward compatibility)
+			localStore := acme.NewLocalStore(fileName)
+
+			account, err = localStore.Get()
+			if err != nil {
+				return nil, err
+			}
+
+			err = acme.RemoveAccountV1Values(account)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			account = accountFromNewFormat
+		}
+	} else {
+		log.Warnf("No data will be imported from the storageFile %q because it is empty.", fileName)
+	}
+
+	err = account.Init()
+	return account, err
+}
+
+// CreateKvSource creates KvSource
+// TLS support is enable for Consul and Etcd backends
+func CreateKvSource(traefikConfiguration *cmd.TraefikConfiguration) (*staert.KvSource, error) {
+	var kv *staert.KvSource
+	var kvStore store.Store
+	var err error
+
+	switch {
+	case traefikConfiguration.Consul != nil:
+		kvStore, err = traefikConfiguration.Consul.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Consul.Prefix,
+		}
+	case traefikConfiguration.Etcd != nil:
+		kvStore, err = traefikConfiguration.Etcd.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Etcd.Prefix,
+		}
+	case traefikConfiguration.Zookeeper != nil:
+		kvStore, err = traefikConfiguration.Zookeeper.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Zookeeper.Prefix,
+		}
+	case traefikConfiguration.Boltdb != nil:
+		kvStore, err = traefikConfiguration.Boltdb.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Boltdb.Prefix,
+		}
+	}
+	return kv, err
+}
--- a/cmd/traefik/bug_test.go
+++ b/cmd/traefik/bug_test.go
@@ -1,49 +0,0 @@
-package main
-
-import (
-	"testing"
-
-	"github.com/containous/traefik/cmd/traefik/anonymize"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/provider/file"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_createBugReport(t *testing.T) {
-	traefikConfiguration := TraefikConfiguration{
-		ConfigFile: "FOO",
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			EntryPoints: configuration.EntryPoints{
-				"goo": &configuration.EntryPoint{
-					Address: "hoo.bar",
-				},
-			},
-			File: &file.Provider{
-				Directory: "BAR",
-			},
-			RootCAs: configuration.RootCAs{"fllf"},
-		},
-	}
-
-	report, err := createBugReport(traefikConfiguration)
-	assert.NoError(t, err, report)
-}
-
-func Test_anonymize_traefikConfiguration(t *testing.T) {
-	traefikConfiguration := &TraefikConfiguration{
-		ConfigFile: "FOO",
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			EntryPoints: configuration.EntryPoints{
-				"goo": &configuration.EntryPoint{
-					Address: "hoo.bar",
-				},
-			},
-			File: &file.Provider{
-				Directory: "BAR",
-			},
-		},
-	}
-	_, err := anonymize.Do(traefikConfiguration, true)
-	assert.NoError(t, err)
-	assert.Equal(t, "hoo.bar", traefikConfiguration.GlobalConfiguration.EntryPoints["goo"].Address)
-}
--- a/cmd/traefik/configuration.go
+++ b/cmd/traefik/configuration.go
@@ -1,226 +0,0 @@
-package main
-
-import (
-	"time"
-
-	"github.com/containous/flaeg"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/middlewares/accesslog"
-	"github.com/containous/traefik/provider/boltdb"
-	"github.com/containous/traefik/provider/consul"
-	"github.com/containous/traefik/provider/docker"
-	"github.com/containous/traefik/provider/dynamodb"
-	"github.com/containous/traefik/provider/ecs"
-	"github.com/containous/traefik/provider/etcd"
-	"github.com/containous/traefik/provider/eureka"
-	"github.com/containous/traefik/provider/file"
-	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/marathon"
-	"github.com/containous/traefik/provider/mesos"
-	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/web"
-	"github.com/containous/traefik/provider/zk"
-	"github.com/containous/traefik/types"
-)
-
-// TraefikConfiguration holds GlobalConfiguration and other stuff
-type TraefikConfiguration struct {
-	configuration.GlobalConfiguration `mapstructure:",squash" export:"true"`
-	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
-}
-
-// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
-func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
-	//default Docker
-	var defaultDocker docker.Provider
-	defaultDocker.Watch = true
-	defaultDocker.ExposedByDefault = true
-	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
-	defaultDocker.SwarmMode = false
-
-	// default File
-	var defaultFile file.Provider
-	defaultFile.Watch = true
-	defaultFile.Filename = "" //needs equivalent to  viper.ConfigFileUsed()
-
-	// default Web
-	var defaultWeb web.Provider
-	defaultWeb.Address = ":8080"
-	defaultWeb.Statistics = &types.Statistics{
-		RecentErrors: 10,
-	}
-
-	// default Metrics
-	defaultWeb.Metrics = &types.Metrics{
-		Prometheus: &types.Prometheus{
-			Buckets: types.Buckets{0.1, 0.3, 1.2, 5},
-		},
-		Datadog: &types.Datadog{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		StatsD: &types.Statsd{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-	}
-
-	// default Marathon
-	var defaultMarathon marathon.Provider
-	defaultMarathon.Watch = true
-	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
-	defaultMarathon.ExposedByDefault = true
-	defaultMarathon.Constraints = types.Constraints{}
-	defaultMarathon.DialerTimeout = flaeg.Duration(60 * time.Second)
-	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
-
-	// default Consul
-	var defaultConsul consul.Provider
-	defaultConsul.Watch = true
-	defaultConsul.Endpoint = "127.0.0.1:8500"
-	defaultConsul.Prefix = "traefik"
-	defaultConsul.Constraints = types.Constraints{}
-
-	// default CatalogProvider
-	var defaultConsulCatalog consul.CatalogProvider
-	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
-	defaultConsulCatalog.ExposedByDefault = true
-	defaultConsulCatalog.Constraints = types.Constraints{}
-	defaultConsulCatalog.Prefix = "traefik"
-	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
-
-	// default Etcd
-	var defaultEtcd etcd.Provider
-	defaultEtcd.Watch = true
-	defaultEtcd.Endpoint = "127.0.0.1:2379"
-	defaultEtcd.Prefix = "/traefik"
-	defaultEtcd.Constraints = types.Constraints{}
-
-	//default Zookeeper
-	var defaultZookeeper zk.Provider
-	defaultZookeeper.Watch = true
-	defaultZookeeper.Endpoint = "127.0.0.1:2181"
-	defaultZookeeper.Prefix = "/traefik"
-	defaultZookeeper.Constraints = types.Constraints{}
-
-	//default Boltdb
-	var defaultBoltDb boltdb.Provider
-	defaultBoltDb.Watch = true
-	defaultBoltDb.Endpoint = "127.0.0.1:4001"
-	defaultBoltDb.Prefix = "/traefik"
-	defaultBoltDb.Constraints = types.Constraints{}
-
-	//default Kubernetes
-	var defaultKubernetes kubernetes.Provider
-	defaultKubernetes.Watch = true
-	defaultKubernetes.Endpoint = ""
-	defaultKubernetes.LabelSelector = ""
-	defaultKubernetes.Constraints = types.Constraints{}
-
-	// default Mesos
-	var defaultMesos mesos.Provider
-	defaultMesos.Watch = true
-	defaultMesos.Endpoint = "http://127.0.0.1:5050"
-	defaultMesos.ExposedByDefault = true
-	defaultMesos.Constraints = types.Constraints{}
-	defaultMesos.RefreshSeconds = 30
-	defaultMesos.ZkDetectionTimeout = 30
-	defaultMesos.StateTimeoutSecond = 30
-
-	//default ECS
-	var defaultECS ecs.Provider
-	defaultECS.Watch = true
-	defaultECS.ExposedByDefault = true
-	defaultECS.AutoDiscoverClusters = false
-	defaultECS.Clusters = ecs.Clusters{"default"}
-	defaultECS.RefreshSeconds = 15
-	defaultECS.Constraints = types.Constraints{}
-
-	//default Rancher
-	var defaultRancher rancher.Provider
-	defaultRancher.Watch = true
-	defaultRancher.ExposedByDefault = true
-	defaultRancher.RefreshSeconds = 15
-
-	// default DynamoDB
-	var defaultDynamoDB dynamodb.Provider
-	defaultDynamoDB.Constraints = types.Constraints{}
-	defaultDynamoDB.RefreshSeconds = 15
-	defaultDynamoDB.TableName = "traefik"
-	defaultDynamoDB.Watch = true
-
-	// default Eureka
-	var defaultEureka eureka.Provider
-	defaultEureka.Delay = "30s"
-
-	// default AccessLog
-	defaultAccessLog := types.AccessLog{
-		Format:   accesslog.CommonFormat,
-		FilePath: "",
-	}
-
-	// default HealthCheckConfig
-	healthCheck := configuration.HealthCheckConfig{
-		Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
-	}
-
-	// default RespondingTimeouts
-	respondingTimeouts := configuration.RespondingTimeouts{
-		IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
-	}
-
-	// default ForwardingTimeouts
-	forwardingTimeouts := configuration.ForwardingTimeouts{
-		DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
-	}
-
-	defaultConfiguration := configuration.GlobalConfiguration{
-		Docker:             &defaultDocker,
-		File:               &defaultFile,
-		Web:                &defaultWeb,
-		Marathon:           &defaultMarathon,
-		Consul:             &defaultConsul,
-		ConsulCatalog:      &defaultConsulCatalog,
-		Etcd:               &defaultEtcd,
-		Zookeeper:          &defaultZookeeper,
-		Boltdb:             &defaultBoltDb,
-		Kubernetes:         &defaultKubernetes,
-		Mesos:              &defaultMesos,
-		ECS:                &defaultECS,
-		Rancher:            &defaultRancher,
-		Eureka:             &defaultEureka,
-		DynamoDB:           &defaultDynamoDB,
-		Retry:              &configuration.Retry{},
-		HealthCheck:        &healthCheck,
-		AccessLog:          &defaultAccessLog,
-		RespondingTimeouts: &respondingTimeouts,
-		ForwardingTimeouts: &forwardingTimeouts,
-	}
-
-	return &TraefikConfiguration{
-		GlobalConfiguration: defaultConfiguration,
-	}
-}
-
-// NewTraefikConfiguration creates a TraefikConfiguration with default values
-func NewTraefikConfiguration() *TraefikConfiguration {
-	return &TraefikConfiguration{
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			GraceTimeOut:              flaeg.Duration(10 * time.Second),
-			AccessLogsFile:            "",
-			TraefikLogsFile:           "",
-			LogLevel:                  "ERROR",
-			EntryPoints:               map[string]*configuration.EntryPoint{},
-			Constraints:               types.Constraints{},
-			DefaultEntryPoints:        []string{},
-			ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
-			MaxIdleConnsPerHost:       200,
-			IdleTimeout:               flaeg.Duration(0),
-			HealthCheck: &configuration.HealthCheckConfig{
-				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
-			},
-			CheckNewVersion: true,
-		},
-		ConfigFile: "",
-	}
-}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -1,44 +1,49 @@
 package main

 import (
-	"crypto/tls"
+	"context"
 	"encoding/json"
-	"fmt"
 	fmtlog "log"
 	"net/http"
 	"os"
 	"path/filepath"
 	"reflect"
-	"runtime"
 	"strings"
 	"time"

-	"github.com/Sirupsen/logrus"
+	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/cmd"
+	"github.com/containous/traefik/cmd/bug"
+	"github.com/containous/traefik/cmd/healthcheck"
+	"github.com/containous/traefik/cmd/storeconfig"
+	cmdVersion "github.com/containous/traefik/cmd/version"
+	"github.com/containous/traefik/collector"
 	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/job"
 	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/provider/ecs"
 	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/rancher"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/server"
 	"github.com/containous/traefik/server/uuid"
+	traefiktls "github.com/containous/traefik/tls"
 	"github.com/containous/traefik/types"
 	"github.com/containous/traefik/version"
 	"github.com/coreos/go-systemd/daemon"
-	"github.com/docker/libkv/store"
+	"github.com/ogier/pflag"
+	"github.com/sirupsen/logrus"
+	"github.com/vulcand/oxy/roundrobin"
 )

 func main() {
-	runtime.GOMAXPROCS(runtime.NumCPU())
+	// traefik config inits
+	traefikConfiguration := cmd.NewTraefikConfiguration()
+	traefikPointersConfiguration := cmd.NewTraefikDefaultPointersConfiguration()

-	//traefik config inits
-	traefikConfiguration := NewTraefikConfiguration()
-	traefikPointersConfiguration := NewTraefikDefaultPointersConfiguration()
-	//traefik Command init
+	// traefik Command init
 	traefikCmd := &flaeg.Command{
 		Name: "traefik",
 		Description: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
@@ -46,161 +51,72 @@ Complete documentation is available at https://traefik.io`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
 		Run: func() error {
-			globalConfiguration := traefikConfiguration.GlobalConfiguration
-			if globalConfiguration.File != nil && len(globalConfiguration.File.Filename) == 0 {
-				// no filename, setting to global config file
-				if len(traefikConfiguration.ConfigFile) != 0 {
-					globalConfiguration.File.Filename = traefikConfiguration.ConfigFile
-				} else {
-					log.Errorln("Error using file configuration backend, no filename defined")
-				}
-			}
-			if len(traefikConfiguration.ConfigFile) != 0 {
-				log.Infof("Using TOML configuration file %s", traefikConfiguration.ConfigFile)
-			}
-			run(&globalConfiguration)
+			runCmd(&traefikConfiguration.GlobalConfiguration, traefikConfiguration.ConfigFile)
 			return nil
 		},
 	}

-	//storeconfig Command init
-	var kv *staert.KvSource
-	var err error
+	// storeconfig Command init
+	storeConfigCmd := storeconfig.NewCmd(traefikConfiguration, traefikPointersConfiguration)

-	storeConfigCmd := &flaeg.Command{
-		Name:                  "storeconfig",
-		Description:           `Store the static traefik configuration into a Key-value stores. Traefik will not start.`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run: func() error {
-			if kv == nil {
-				return fmt.Errorf("Error using command storeconfig, no Key-value store defined")
-			}
-			jsonConf, err := json.Marshal(traefikConfiguration.GlobalConfiguration)
-			if err != nil {
-				return err
-			}
-			fmtlog.Printf("Storing configuration: %s\n", jsonConf)
-			err = kv.StoreConfig(traefikConfiguration.GlobalConfiguration)
-			if err != nil {
-				return err
-			}
-			if traefikConfiguration.GlobalConfiguration.ACME != nil && len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
-				// convert ACME json file to KV store
-				localStore := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
-				object, err := localStore.Load()
-				if err != nil {
-					return err
-				}
-				meta := cluster.NewMetadata(object)
-				err = meta.Marshall()
-				if err != nil {
-					return err
-				}
-				source := staert.KvSource{
-					Store:  kv,
-					Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
-				}
-				err = source.StoreConfig(meta)
-				if err != nil {
-					return err
-				}
-			}
-			return nil
-		},
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-
-	healthCheckCmd := &flaeg.Command{
-		Name:                  "healthcheck",
-		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run: func() error {
-			if traefikConfiguration.Web == nil {
-				fmt.Println("Please enable the web provider to use healtcheck.")
-				os.Exit(1)
-			}
-			client := &http.Client{Timeout: 5 * time.Second}
-			protocol := "http"
-			if len(traefikConfiguration.Web.CertFile) > 0 {
-				protocol = "https"
-				tr := &http.Transport{
-					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-				}
-				client.Transport = tr
-			}
-			resp, err := client.Head(protocol + "://" + traefikConfiguration.Web.Address + "/ping")
-			if err != nil {
-				fmt.Printf("Error calling healthcheck: %s\n", err)
-				os.Exit(1)
-			}
-			if resp.StatusCode != http.StatusOK {
-				fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
-				os.Exit(1)
-			}
-			fmt.Printf("OK: %s\n", resp.Request.URL)
-			os.Exit(0)
-			return nil
-		},
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-
-	//init flaeg source
+	// init flaeg source
 	f := flaeg.New(traefikCmd, os.Args[1:])
-	//add custom parsers
+	// add custom parsers
 	f.AddParser(reflect.TypeOf(configuration.EntryPoints{}), &configuration.EntryPoints{})
 	f.AddParser(reflect.TypeOf(configuration.DefaultEntryPoints{}), &configuration.DefaultEntryPoints{})
-	f.AddParser(reflect.TypeOf(configuration.RootCAs{}), &configuration.RootCAs{})
+	f.AddParser(reflect.TypeOf(traefiktls.RootCAs{}), &traefiktls.RootCAs{})
 	f.AddParser(reflect.TypeOf(types.Constraints{}), &types.Constraints{})
 	f.AddParser(reflect.TypeOf(kubernetes.Namespaces{}), &kubernetes.Namespaces{})
 	f.AddParser(reflect.TypeOf(ecs.Clusters{}), &ecs.Clusters{})
-	f.AddParser(reflect.TypeOf([]acme.Domain{}), &acme.Domains{})
+	f.AddParser(reflect.TypeOf([]types.Domain{}), &types.Domains{})
 	f.AddParser(reflect.TypeOf(types.Buckets{}), &types.Buckets{})
+	f.AddParser(reflect.TypeOf(types.StatusCodes{}), &types.StatusCodes{})
+	f.AddParser(reflect.TypeOf(types.FieldNames{}), &types.FieldNames{})
+	f.AddParser(reflect.TypeOf(types.FieldHeaderNames{}), &types.FieldHeaderNames{})

-	//add commands
-	f.AddCommand(newVersionCmd())
-	f.AddCommand(newBugCmd(traefikConfiguration, traefikPointersConfiguration))
+	// add commands
+	f.AddCommand(cmdVersion.NewCmd())
+	f.AddCommand(bug.NewCmd(traefikConfiguration, traefikPointersConfiguration))
 	f.AddCommand(storeConfigCmd)
-	f.AddCommand(healthCheckCmd)
+	f.AddCommand(healthcheck.NewCmd(traefikConfiguration, traefikPointersConfiguration))

 	usedCmd, err := f.GetCommand()
 	if err != nil {
 		fmtlog.Println(err)
-		os.Exit(-1)
+		os.Exit(1)
 	}

 	if _, err := f.Parse(usedCmd); err != nil {
+		if err == pflag.ErrHelp {
+			os.Exit(0)
+		}
 		fmtlog.Printf("Error parsing command: %s\n", err)
-		os.Exit(-1)
+		os.Exit(1)
 	}

-	//staert init
+	// staert init
 	s := staert.NewStaert(traefikCmd)
-	//init toml source
+	// init TOML source
 	toml := staert.NewTomlSource("traefik", []string{traefikConfiguration.ConfigFile, "/etc/traefik/", "$HOME/.traefik/", "."})

-	//add sources to staert
+	// add sources to staert
 	s.AddSource(toml)
 	s.AddSource(f)
 	if _, err := s.LoadConfig(); err != nil {
 		fmtlog.Printf("Error reading TOML config file %s : %s\n", toml.ConfigFileUsed(), err)
-		os.Exit(-1)
+		os.Exit(1)
 	}

 	traefikConfiguration.ConfigFile = toml.ConfigFileUsed()

-	kv, err = CreateKvSource(traefikConfiguration)
+	kv, err := storeconfig.CreateKvSource(traefikConfiguration)
 	if err != nil {
 		fmtlog.Printf("Error creating kv store: %s\n", err)
-		os.Exit(-1)
+		os.Exit(1)
 	}
+	storeConfigCmd.Run = storeconfig.Run(kv, traefikConfiguration)

-	// IF a KV Store is enable and no sub-command called in args
+	// if a KV Store is enable and no sub-command called in args
 	if kv != nil && usedCmd == traefikCmd {
 		if traefikConfiguration.Cluster == nil {
 			traefikConfiguration.Cluster = &types.Cluster{Node: uuid.Get()}
@@ -209,84 +125,44 @@ Complete documentation is available at https://traefik.io`,
 			traefikConfiguration.Cluster.Store = &types.Store{Prefix: kv.Prefix, Store: kv.Store}
 		}
 		s.AddSource(kv)
-		if _, err := s.LoadConfig(); err != nil {
+		operation := func() error {
+			_, err := s.LoadConfig()
+			return err
+		}
+		notify := func(err error, time time.Duration) {
+			log.Errorf("Load config error: %+v, retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify)
+		if err != nil {
 			fmtlog.Printf("Error loading configuration: %s\n", err)
-			os.Exit(-1)
+			os.Exit(1)
 		}
 	}

 	if err := s.Run(); err != nil {
 		fmtlog.Printf("Error running traefik: %s\n", err)
-		os.Exit(-1)
+		os.Exit(1)
 	}

 	os.Exit(0)
 }

-func run(globalConfiguration *configuration.GlobalConfiguration) {
-	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
+func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile string) {
+	configureLogging(globalConfiguration)
+
+	if len(configFile) > 0 {
+		log.Infof("Using TOML configuration file %s", configFile)
+	}

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

-	if len(globalConfiguration.EntryPoints) == 0 {
-		globalConfiguration.EntryPoints = map[string]*configuration.EntryPoint{"http": {Address: ":80"}}
-		globalConfiguration.DefaultEntryPoints = []string{"http"}
+	if globalConfiguration.AllowMinWeightZero {
+		roundrobin.SetDefaultWeight(0)
 	}

-	if globalConfiguration.Rancher != nil {
-		// Ensure backwards compatibility for now
-		if len(globalConfiguration.Rancher.AccessKey) > 0 ||
-			len(globalConfiguration.Rancher.Endpoint) > 0 ||
-			len(globalConfiguration.Rancher.SecretKey) > 0 {
+	globalConfiguration.SetEffectiveConfiguration(configFile)
+	globalConfiguration.ValidateConfiguration()

-			if globalConfiguration.Rancher.API == nil {
-				globalConfiguration.Rancher.API = &rancher.APIConfiguration{
-					AccessKey: globalConfiguration.Rancher.AccessKey,
-					SecretKey: globalConfiguration.Rancher.SecretKey,
-					Endpoint:  globalConfiguration.Rancher.Endpoint,
-				}
-			}
-			log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " +
-				"Please use rancher.api.[accesskey|secretkey|endpoint] instead.")
-		}
-
-		if globalConfiguration.Rancher.Metadata != nil && len(globalConfiguration.Rancher.Metadata.Prefix) == 0 {
-			globalConfiguration.Rancher.Metadata.Prefix = "latest"
-		}
-	}
-
-	if globalConfiguration.Debug {
-		globalConfiguration.LogLevel = "DEBUG"
-	}
-
-	// logging
-	level, err := logrus.ParseLevel(strings.ToLower(globalConfiguration.LogLevel))
-	if err != nil {
-		log.Error("Error getting level", err)
-	}
-	log.SetLevel(level)
-	if len(globalConfiguration.TraefikLogsFile) > 0 {
-		dir := filepath.Dir(globalConfiguration.TraefikLogsFile)
-
-		err := os.MkdirAll(dir, 0755)
-		if err != nil {
-			log.Errorf("Failed to create log path %s: %s", dir, err)
-		}
-
-		err = log.OpenFile(globalConfiguration.TraefikLogsFile)
-		defer func() {
-			if err := log.CloseFile(); err != nil {
-				log.Error("Error closing log", err)
-			}
-		}()
-		if err != nil {
-			log.Error("Error opening file", err)
-		} else {
-			log.SetFormatter(&logrus.TextFormatter{DisableColors: true, FullTimestamp: true, DisableSorting: true})
-		}
-	} else {
-		log.SetFormatter(&logrus.TextFormatter{FullTimestamp: true, DisableSorting: true})
-	}
 	jsonConf, _ := json.Marshal(globalConfiguration)
 	log.Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

@@ -294,14 +170,27 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 		checkNewVersion()
 	}

+	stats(globalConfiguration)
+
 	log.Debugf("Global configuration loaded %s", string(jsonConf))
-	svr := server.NewServer(*globalConfiguration)
-	svr.Start()
+	if acme.IsEnabled() {
+		store := acme.NewLocalStore(acme.Get().Storage)
+		acme.Get().Store = &store
+	}
+	svr := server.NewServer(*globalConfiguration, configuration.NewProviderAggregator(globalConfiguration))
+	if acme.IsEnabled() && acme.Get().OnHostRule {
+		acme.Get().SetConfigListenerChan(make(chan types.Configuration))
+		svr.AddListener(acme.Get().ListenConfiguration)
+	}
+	ctx := cmd.ContextWithSignal(context.Background())
+	svr.StartWithContext(ctx)
 	defer svr.Close()
+
 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
 		log.Error("Fail to notify", err)
 	}
+
 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
 		log.Error("Problem with watchdog", err)
@@ -312,60 +201,115 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
-				if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-					log.Error("Fail to tick watchdog")
+				_, errHealthCheck := healthcheck.Do(*globalConfiguration)
+				if globalConfiguration.Ping == nil || errHealthCheck == nil {
+					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
+						log.Error("Fail to tick watchdog")
+					}
+				} else {
+					log.Error(errHealthCheck)
 				}
 			}
 		})
 	}
+
 	svr.Wait()
 	log.Info("Shutting down")
+	logrus.Exit(0)
 }

-// CreateKvSource creates KvSource
-// TLS support is enable for Consul and Etcd backends
-func CreateKvSource(traefikConfiguration *TraefikConfiguration) (*staert.KvSource, error) {
-	var kv *staert.KvSource
-	var kvStore store.Store
-	var err error
+func configureLogging(globalConfiguration *configuration.GlobalConfiguration) {
+	// configure default log flags
+	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)

-	switch {
-	case traefikConfiguration.Consul != nil:
-		kvStore, err = traefikConfiguration.Consul.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Consul.Prefix,
-		}
-	case traefikConfiguration.Etcd != nil:
-		kvStore, err = traefikConfiguration.Etcd.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Etcd.Prefix,
-		}
-	case traefikConfiguration.Zookeeper != nil:
-		kvStore, err = traefikConfiguration.Zookeeper.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Zookeeper.Prefix,
-		}
-	case traefikConfiguration.Boltdb != nil:
-		kvStore, err = traefikConfiguration.Boltdb.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Boltdb.Prefix,
+	// configure log level
+	// an explicitly defined log level always has precedence. if none is
+	// given and debug mode is disabled, the default is ERROR, and DEBUG
+	// otherwise.
+	levelStr := strings.ToLower(globalConfiguration.LogLevel)
+	if levelStr == "" {
+		levelStr = "error"
+		if globalConfiguration.Debug {
+			levelStr = "debug"
+		}
+	}
+	level, err := logrus.ParseLevel(levelStr)
+	if err != nil {
+		log.Error("Error getting level", err)
+	}
+	log.SetLevel(level)
+
+	// configure log output file
+	logFile := globalConfiguration.TraefikLogsFile
+	if len(logFile) > 0 {
+		log.Warn("top-level traefikLogsFile has been deprecated -- please use traefiklog.filepath")
+	}
+	if globalConfiguration.TraefikLog != nil && len(globalConfiguration.TraefikLog.FilePath) > 0 {
+		logFile = globalConfiguration.TraefikLog.FilePath
+	}
+
+	// configure log format
+	var formatter logrus.Formatter
+	if globalConfiguration.TraefikLog != nil && globalConfiguration.TraefikLog.Format == "json" {
+		formatter = &logrus.JSONFormatter{}
+	} else {
+		disableColors := len(logFile) > 0
+		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
+	}
+	log.SetFormatter(formatter)
+
+	if len(logFile) > 0 {
+		dir := filepath.Dir(logFile)
+
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			log.Errorf("Failed to create log path %s: %s", dir, err)
+		}
+
+		err = log.OpenFile(logFile)
+		logrus.RegisterExitHandler(func() {
+			if err := log.CloseFile(); err != nil {
+				log.Error("Error closing log", err)
+			}
+		})
+		if err != nil {
+			log.Error("Error opening file", err)
 		}
 	}
-	return kv, err
 }

 func checkNewVersion() {
-	ticker := time.NewTicker(24 * time.Hour)
+	ticker := time.Tick(24 * time.Hour)
 	safe.Go(func() {
-		version.CheckNewVersion()
-		for {
-			select {
-			case <-ticker.C:
-				version.CheckNewVersion()
+		for time.Sleep(10 * time.Minute); ; <-ticker {
+			version.CheckNewVersion()
+		}
+	})
+}
+
+func stats(globalConfiguration *configuration.GlobalConfiguration) {
+	if globalConfiguration.SendAnonymousUsage {
+		log.Info(`
+Stats collection is enabled.
+Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
+Help us improve Traefik by leaving this feature on :)
+More details on: https://docs.traefik.io/basics/#collected-data
+`)
+		collect(globalConfiguration)
+	} else {
+		log.Info(`
+Stats collection is disabled.
+Help us improve Traefik by turning this feature on :)
+More details on: https://docs.traefik.io/basics/#collected-data
+`)
+	}
+}
+
+func collect(globalConfiguration *configuration.GlobalConfiguration) {
+	ticker := time.Tick(24 * time.Hour)
+	safe.Go(func() {
+		for time.Sleep(10 * time.Minute); ; <-ticker {
+			if err := collector.Collect(globalConfiguration); err != nil {
+				log.Debug(err)
 			}
 		}
 	})
--- a/cmd/traefik/version.go
+++ b/cmd/traefik/version.go
@@ -1,63 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"runtime"
-	"text/template"
-
-	"github.com/containous/flaeg"
-	"github.com/containous/traefik/version"
-)
-
-var versionTemplate = `Version:      {{.Version}}
-Codename:     {{.Codename}}
-Go version:   {{.GoVersion}}
-Built:        {{.BuildTime}}
-OS/Arch:      {{.Os}}/{{.Arch}}`
-
-// newVersionCmd builds a new Version command
-func newVersionCmd() *flaeg.Command {
-
-	//version Command init
-	return &flaeg.Command{
-		Name:                  "version",
-		Description:           `Print version`,
-		Config:                struct{}{},
-		DefaultPointersConfig: struct{}{},
-		Run: func() error {
-			if err := getVersionPrint(os.Stdout); err != nil {
-				return err
-			}
-			fmt.Print("\n")
-			return nil
-
-		},
-	}
-}
-
-func getVersionPrint(wr io.Writer) error {
-	tmpl, err := template.New("").Parse(versionTemplate)
-	if err != nil {
-		return err
-	}
-
-	v := struct {
-		Version   string
-		Codename  string
-		GoVersion string
-		BuildTime string
-		Os        string
-		Arch      string
-	}{
-		Version:   version.Version,
-		Codename:  version.Codename,
-		GoVersion: runtime.Version(),
-		BuildTime: version.BuildDate,
-		Os:        runtime.GOOS,
-		Arch:      runtime.GOARCH,
-	}
-
-	return tmpl.Execute(wr, v)
-}
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -0,0 +1,62 @@
+package version
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"text/template"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/version"
+)
+
+var versionTemplate = `Version:      {{.Version}}
+Codename:     {{.Codename}}
+Go version:   {{.GoVersion}}
+Built:        {{.BuildTime}}
+OS/Arch:      {{.Os}}/{{.Arch}}`
+
+// NewCmd builds a new Version command
+func NewCmd() *flaeg.Command {
+	return &flaeg.Command{
+		Name:                  "version",
+		Description:           `Print version`,
+		Config:                struct{}{},
+		DefaultPointersConfig: struct{}{},
+		Run: func() error {
+			if err := GetPrint(os.Stdout); err != nil {
+				return err
+			}
+			fmt.Print("\n")
+			return nil
+
+		},
+	}
+}
+
+// GetPrint write Printable version
+func GetPrint(wr io.Writer) error {
+	tmpl, err := template.New("").Parse(versionTemplate)
+	if err != nil {
+		return err
+	}
+
+	v := struct {
+		Version   string
+		Codename  string
+		GoVersion string
+		BuildTime string
+		Os        string
+		Arch      string
+	}{
+		Version:   version.Version,
+		Codename:  version.Codename,
+		GoVersion: runtime.Version(),
+		BuildTime: version.BuildDate,
+		Os:        runtime.GOOS,
+		Arch:      runtime.GOARCH,
+	}
+
+	return tmpl.Execute(wr, v)
+}
--- a/collector/collector.go
+++ b/collector/collector.go
@@ -0,0 +1,79 @@
+package collector
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"net"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/containous/traefik/anonymize"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/version"
+	"github.com/mitchellh/hashstructure"
+)
+
+// collectorURL URL where the stats are send
+const collectorURL = "https://collect.traefik.io/619df80498b60f985d766ce62f912b7c"
+
+// Collected data
+type data struct {
+	Version       string
+	Codename      string
+	BuildDate     string
+	Configuration string
+	Hash          string
+}
+
+// Collect anonymous data.
+func Collect(globalConfiguration *configuration.GlobalConfiguration) error {
+	anonConfig, err := anonymize.Do(globalConfiguration, false)
+	if err != nil {
+		return err
+	}
+
+	log.Infof("Anonymous stats sent to %s: %s", collectorURL, anonConfig)
+
+	hashConf, err := hashstructure.Hash(globalConfiguration, nil)
+	if err != nil {
+		return err
+	}
+
+	data := &data{
+		Version:       version.Version,
+		Codename:      version.Codename,
+		BuildDate:     version.BuildDate,
+		Hash:          strconv.FormatUint(hashConf, 10),
+		Configuration: base64.StdEncoding.EncodeToString([]byte(anonConfig)),
+	}
+
+	buf := new(bytes.Buffer)
+	err = json.NewEncoder(buf).Encode(data)
+	if err != nil {
+		return err
+	}
+
+	_, err = makeHTTPClient().Post(collectorURL, "application/json; charset=utf-8", buf)
+	return err
+}
+
+func makeHTTPClient() *http.Client {
+	dialer := &net.Dialer{
+		Timeout:   configuration.DefaultDialTimeout,
+		KeepAlive: 30 * time.Second,
+		DualStack: true,
+	}
+
+	transport := &http.Transport{
+		Proxy:                 http.ProxyFromEnvironment,
+		DialContext:           dialer.DialContext,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	return &http.Client{Transport: transport}
+}
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@@ -1,18 +1,23 @@
 package configuration

 import (
-	"crypto/tls"
 	"fmt"
-	"io/ioutil"
-	"os"
-	"regexp"
 	"strings"
 	"time"

 	"github.com/containous/flaeg"
+	"github.com/containous/traefik-extra-service-fabric"
 	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/api"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/middlewares/tracing"
+	"github.com/containous/traefik/middlewares/tracing/jaeger"
+	"github.com/containous/traefik/middlewares/tracing/zipkin"
+	"github.com/containous/traefik/ping"
+	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/provider/boltdb"
 	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/consulcatalog"
 	"github.com/containous/traefik/provider/docker"
 	"github.com/containous/traefik/provider/dynamodb"
 	"github.com/containous/traefik/provider/ecs"
@@ -23,12 +28,16 @@ import (
 	"github.com/containous/traefik/provider/marathon"
 	"github.com/containous/traefik/provider/mesos"
 	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/web"
+	"github.com/containous/traefik/provider/rest"
 	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/tls"
 	"github.com/containous/traefik/types"
 )

 const (
+	// DefaultInternalEntryPointName the name of the default internal entry point
+	DefaultInternalEntryPointName = "traefik"
+
 	// DefaultHealthCheckInterval is the default health check interval.
 	DefaultHealthCheckInterval = 30 * time.Second

@@ -37,17 +46,25 @@ const (

 	// DefaultIdleTimeout before closing an idle connection.
 	DefaultIdleTimeout = 180 * time.Second
+
+	// DefaultGraceTimeout controls how long Traefik serves pending requests
+	// prior to shutting down.
+	DefaultGraceTimeout = 10 * time.Second
 )

 // GlobalConfiguration holds global configuration (with providers, etc.).
 // It's populated from the traefik configuration file passed as an argument to the binary.
 type GlobalConfiguration struct {
-	GraceTimeOut              flaeg.Duration          `short:"g" description:"Duration to give active requests a chance to finish before Traefik stops" export:"true"`
+	LifeCycle                 *LifeCycle              `description:"Timeouts influencing the server life cycle" export:"true"`
+	GraceTimeOut              flaeg.Duration          `short:"g" description:"(Deprecated) Duration to give active requests a chance to finish before Traefik stops" export:"true"` // Deprecated
 	Debug                     bool                    `short:"d" description:"Enable debug mode" export:"true"`
 	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released" export:"true"`
+	SendAnonymousUsage        bool                    `description:"send periodically anonymous usage statistics" export:"true"`
 	AccessLogsFile            string                  `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
 	AccessLog                 *types.AccessLog        `description:"Access log settings" export:"true"`
-	TraefikLogsFile           string                  `description:"Traefik logs file. Stdout is used when omitted or empty" export:"true"`
+	TraefikLogsFile           string                  `description:"(Deprecated) Traefik logs file. Stdout is used when omitted or empty" export:"true"` // Deprecated
+	TraefikLog                *types.TraefikLog       `description:"Traefik log settings" export:"true"`
+	Tracing                   *tracing.Tracing        `description:"OpenTracing configuration" export:"true"`
 	LogLevel                  string                  `short:"l" description:"Log level" export:"true"`
 	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
 	Cluster                   *types.Cluster          `description:"Enable clustering" export:"true"`
@@ -58,17 +75,18 @@ type GlobalConfiguration struct {
 	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used" export:"true"`
 	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself." export:"true"` // Deprecated
 	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification" export:"true"`
-	RootCAs                   RootCAs                 `description:"Add cert file for self-signed certificate"`
+	RootCAs                   tls.RootCAs             `description:"Add cert file for self-signed certificate"`
 	Retry                     *Retry                  `description:"Enable retry sending request if network error" export:"true"`
 	HealthCheck               *HealthCheckConfig      `description:"Health check parameters" export:"true"`
 	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance" export:"true"`
 	ForwardingTimeouts        *ForwardingTimeouts     `description:"Timeouts for requests forwarded to the backend servers" export:"true"`
+	AllowMinWeightZero        bool                    `description:"Allow weight to take 0 as minimum real value." export:"true"`         // Deprecated
+	Web                       *WebCompatibility       `description:"(Deprecated) Enable Web backend with default settings" export:"true"` // Deprecated
 	Docker                    *docker.Provider        `description:"Enable Docker backend with default settings" export:"true"`
 	File                      *file.Provider          `description:"Enable File backend with default settings" export:"true"`
-	Web                       *web.Provider           `description:"Enable Web backend with default settings" export:"true"`
 	Marathon                  *marathon.Provider      `description:"Enable Marathon backend with default settings" export:"true"`
 	Consul                    *consul.Provider        `description:"Enable Consul backend with default settings" export:"true"`
-	ConsulCatalog             *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings" export:"true"`
+	ConsulCatalog             *consulcatalog.Provider `description:"Enable Consul catalog backend with default settings" export:"true"`
 	Etcd                      *etcd.Provider          `description:"Enable Etcd backend with default settings" export:"true"`
 	Zookeeper                 *zk.Provider            `description:"Enable Zookeeper backend with default settings" export:"true"`
 	Boltdb                    *boltdb.Provider        `description:"Enable Boltdb backend with default settings" export:"true"`
@@ -78,6 +96,320 @@ type GlobalConfiguration struct {
 	ECS                       *ecs.Provider           `description:"Enable ECS backend with default settings" export:"true"`
 	Rancher                   *rancher.Provider       `description:"Enable Rancher backend with default settings" export:"true"`
 	DynamoDB                  *dynamodb.Provider      `description:"Enable DynamoDB backend with default settings" export:"true"`
+	ServiceFabric             *servicefabric.Provider `description:"Enable Service Fabric backend with default settings" export:"true"`
+	Rest                      *rest.Provider          `description:"Enable Rest backend with default settings" export:"true"`
+	API                       *api.Handler            `description:"Enable api/dashboard" export:"true"`
+	Metrics                   *types.Metrics          `description:"Enable a metrics exporter" export:"true"`
+	Ping                      *ping.Handler           `description:"Enable ping" export:"true"`
+}
+
+// WebCompatibility is a configuration to handle compatibility with deprecated web provider options
+type WebCompatibility struct {
+	Address    string            `description:"Web administration port" export:"true"`
+	CertFile   string            `description:"SSL certificate" export:"true"`
+	KeyFile    string            `description:"SSL certificate" export:"true"`
+	ReadOnly   bool              `description:"Enable read only API" export:"true"`
+	Statistics *types.Statistics `description:"Enable more detailed statistics" export:"true"`
+	Metrics    *types.Metrics    `description:"Enable a metrics exporter" export:"true"`
+	Path       string            `description:"Root path for dashboard and API" export:"true"`
+	Auth       *types.Auth       `export:"true"`
+	Debug      bool              `export:"true"`
+}
+
+func (gc *GlobalConfiguration) handleWebDeprecation() {
+	if gc.Web != nil {
+		log.Warn("web provider configuration is deprecated, you should use these options : api, rest provider, ping and metrics")
+
+		if gc.API != nil || gc.Metrics != nil || gc.Ping != nil || gc.Rest != nil {
+			log.Warn("web option is ignored if you use it with one of these options : api, rest provider, ping or metrics")
+			return
+		}
+		gc.EntryPoints[DefaultInternalEntryPointName] = &EntryPoint{
+			Address: gc.Web.Address,
+			Auth:    gc.Web.Auth,
+		}
+		if gc.Web.CertFile != "" {
+			gc.EntryPoints[DefaultInternalEntryPointName].TLS = &tls.TLS{
+				Certificates: []tls.Certificate{
+					{
+						CertFile: tls.FileOrContent(gc.Web.CertFile),
+						KeyFile:  tls.FileOrContent(gc.Web.KeyFile),
+					},
+				},
+			}
+		}
+
+		if gc.API == nil {
+			gc.API = &api.Handler{
+				EntryPoint: DefaultInternalEntryPointName,
+				Statistics: gc.Web.Statistics,
+				Dashboard:  true,
+			}
+		}
+
+		if gc.Ping == nil {
+			gc.Ping = &ping.Handler{
+				EntryPoint: DefaultInternalEntryPointName,
+			}
+		}
+
+		if gc.Metrics == nil {
+			gc.Metrics = gc.Web.Metrics
+		}
+
+		if !gc.Debug {
+			gc.Debug = gc.Web.Debug
+		}
+	}
+}
+
+// SetEffectiveConfiguration adds missing configuration parameters derived from existing ones.
+// It also takes care of maintaining backwards compatibility.
+func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
+	if len(gc.EntryPoints) == 0 {
+		gc.EntryPoints = map[string]*EntryPoint{"http": {
+			Address:          ":80",
+			ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+		}}
+		gc.DefaultEntryPoints = []string{"http"}
+	}
+
+	gc.handleWebDeprecation()
+
+	if (gc.API != nil && gc.API.EntryPoint == DefaultInternalEntryPointName) ||
+		(gc.Ping != nil && gc.Ping.EntryPoint == DefaultInternalEntryPointName) ||
+		(gc.Metrics != nil && gc.Metrics.Prometheus != nil && gc.Metrics.Prometheus.EntryPoint == DefaultInternalEntryPointName) ||
+		(gc.Rest != nil && gc.Rest.EntryPoint == DefaultInternalEntryPointName) {
+		if _, ok := gc.EntryPoints[DefaultInternalEntryPointName]; !ok {
+			gc.EntryPoints[DefaultInternalEntryPointName] = &EntryPoint{Address: ":8080"}
+		}
+	}
+
+	for entryPointName := range gc.EntryPoints {
+		entryPoint := gc.EntryPoints[entryPointName]
+		// ForwardedHeaders must be remove in the next breaking version
+		if entryPoint.ForwardedHeaders == nil {
+			entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true}
+		}
+
+		if len(entryPoint.WhitelistSourceRange) > 0 {
+			log.Warnf("Deprecated configuration found: %s. Please use %s.", "whiteListSourceRange", "whiteList.sourceRange")
+
+			if entryPoint.WhiteList == nil {
+				entryPoint.WhiteList = &types.WhiteList{
+					SourceRange: entryPoint.WhitelistSourceRange,
+				}
+				entryPoint.WhitelistSourceRange = nil
+			}
+		}
+	}
+
+	// Make sure LifeCycle isn't nil to spare nil checks elsewhere.
+	if gc.LifeCycle == nil {
+		gc.LifeCycle = &LifeCycle{}
+	}
+
+	// Prefer legacy grace timeout parameter for backwards compatibility reasons.
+	if gc.GraceTimeOut > 0 {
+		log.Warn("top-level grace period configuration has been deprecated -- please use lifecycle grace period")
+		gc.LifeCycle.GraceTimeOut = gc.GraceTimeOut
+	}
+
+	if gc.Docker != nil {
+		if len(gc.Docker.Filename) != 0 && gc.Docker.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.Docker.TemplateVersion = 1
+		} else {
+			gc.Docker.TemplateVersion = 2
+		}
+	}
+
+	if gc.Marathon != nil {
+		if len(gc.Marathon.Filename) != 0 && gc.Marathon.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.Marathon.TemplateVersion = 1
+		} else {
+			gc.Marathon.TemplateVersion = 2
+		}
+	}
+
+	if gc.Mesos != nil {
+		if len(gc.Mesos.Filename) != 0 && gc.Mesos.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.Mesos.TemplateVersion = 1
+		} else {
+			gc.Mesos.TemplateVersion = 2
+		}
+	}
+
+	if gc.Eureka != nil {
+		if gc.Eureka.Delay != 0 {
+			log.Warn("Delay has been deprecated -- please use RefreshSeconds")
+			gc.Eureka.RefreshSeconds = gc.Eureka.Delay
+		}
+	}
+
+	if gc.ECS != nil {
+		if len(gc.ECS.Filename) != 0 && gc.ECS.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.ECS.TemplateVersion = 1
+		} else {
+			gc.ECS.TemplateVersion = 2
+		}
+	}
+
+	if gc.ConsulCatalog != nil {
+		if len(gc.ConsulCatalog.Filename) != 0 && gc.ConsulCatalog.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.ConsulCatalog.TemplateVersion = 1
+		} else {
+			gc.ConsulCatalog.TemplateVersion = 2
+		}
+	}
+
+	if gc.Rancher != nil {
+		if len(gc.Rancher.Filename) != 0 && gc.Rancher.TemplateVersion != 2 {
+			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
+			gc.Rancher.TemplateVersion = 1
+		} else {
+			gc.Rancher.TemplateVersion = 2
+		}
+
+		// Ensure backwards compatibility for now
+		if len(gc.Rancher.AccessKey) > 0 ||
+			len(gc.Rancher.Endpoint) > 0 ||
+			len(gc.Rancher.SecretKey) > 0 {
+
+			if gc.Rancher.API == nil {
+				gc.Rancher.API = &rancher.APIConfiguration{
+					AccessKey: gc.Rancher.AccessKey,
+					SecretKey: gc.Rancher.SecretKey,
+					Endpoint:  gc.Rancher.Endpoint,
+				}
+			}
+			log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " +
+				"Please use rancher.api.[accesskey|secretkey|endpoint] instead.")
+		}
+
+		if gc.Rancher.Metadata != nil && len(gc.Rancher.Metadata.Prefix) == 0 {
+			gc.Rancher.Metadata.Prefix = "latest"
+		}
+	}
+
+	if gc.API != nil {
+		gc.API.Debug = gc.Debug
+	}
+
+	if gc.Web != nil && (gc.Web.Path == "" || !strings.HasSuffix(gc.Web.Path, "/")) {
+		gc.Web.Path += "/"
+	}
+
+	// Try to fallback to traefik config file in case the file provider is enabled
+	// but has no file name configured and is not in a directory mode.
+	if gc.File != nil && len(gc.File.Filename) == 0 && len(gc.File.Directory) == 0 {
+		if len(configFile) > 0 {
+			gc.File.Filename = configFile
+		} else {
+			log.Errorln("Error using file configuration backend, no filename defined")
+		}
+	}
+
+	gc.initACMEProvider()
+	gc.initTracing()
+}
+
+func (gc *GlobalConfiguration) initTracing() {
+	if gc.Tracing != nil {
+		switch gc.Tracing.Backend {
+		case jaeger.Name:
+			if gc.Tracing.Jaeger == nil {
+				gc.Tracing.Jaeger = &jaeger.Config{
+					SamplingServerURL:  "http://localhost:5778/sampling",
+					SamplingType:       "const",
+					SamplingParam:      1.0,
+					LocalAgentHostPort: "127.0.0.1:6831",
+				}
+			}
+			if gc.Tracing.Zipkin != nil {
+				log.Warn("Zipkin configuration will be ignored")
+				gc.Tracing.Zipkin = nil
+			}
+		case zipkin.Name:
+			if gc.Tracing.Zipkin == nil {
+				gc.Tracing.Zipkin = &zipkin.Config{
+					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
+					SameSpan:     false,
+					ID128Bit:     true,
+					Debug:        false,
+				}
+			}
+			if gc.Tracing.Jaeger != nil {
+				log.Warn("Jaeger configuration will be ignored")
+				gc.Tracing.Jaeger = nil
+			}
+		default:
+			log.Warnf("Unknown tracer %q", gc.Tracing.Backend)
+			return
+		}
+	}
+}
+
+func (gc *GlobalConfiguration) initACMEProvider() {
+	if gc.ACME != nil {
+		// TODO: to remove in the futurs
+		if len(gc.ACME.StorageFile) > 0 && len(gc.ACME.Storage) == 0 {
+			log.Warn("ACME.StorageFile is deprecated, use ACME.Storage instead")
+			gc.ACME.Storage = gc.ACME.StorageFile
+		}
+
+		if len(gc.ACME.DNSProvider) > 0 {
+			log.Warn("ACME.DNSProvider is deprecated, use ACME.DNSChallenge instead")
+			gc.ACME.DNSChallenge = &acmeprovider.DNSChallenge{Provider: gc.ACME.DNSProvider, DelayBeforeCheck: gc.ACME.DelayDontCheckDNS}
+		}
+
+		if gc.ACME.OnDemand {
+			log.Warn("ACME.OnDemand is deprecated")
+		}
+
+		// TODO: Remove when Provider ACME will replace totally ACME
+		// If provider file, use Provider ACME instead of ACME
+		if gc.Cluster == nil {
+			acmeprovider.Get().Configuration = &acmeprovider.Configuration{
+				OnHostRule:    gc.ACME.OnHostRule,
+				OnDemand:      gc.ACME.OnDemand,
+				Email:         gc.ACME.Email,
+				Storage:       gc.ACME.Storage,
+				HTTPChallenge: gc.ACME.HTTPChallenge,
+				DNSChallenge:  gc.ACME.DNSChallenge,
+				Domains:       gc.ACME.Domains,
+				ACMELogging:   gc.ACME.ACMELogging,
+				CAServer:      gc.ACME.CAServer,
+				EntryPoint:    gc.ACME.EntryPoint,
+			}
+			gc.ACME = nil
+		}
+	}
+}
+
+// ValidateConfiguration validate that configuration is coherent
+func (gc *GlobalConfiguration) ValidateConfiguration() {
+	if gc.ACME != nil {
+		if _, ok := gc.EntryPoints[gc.ACME.EntryPoint]; !ok {
+			log.Fatalf("Unknown entrypoint %q for ACME configuration", gc.ACME.EntryPoint)
+		} else {
+			if gc.EntryPoints[gc.ACME.EntryPoint].TLS == nil {
+				log.Fatalf("Entrypoint %q has no TLS configuration for ACME configuration", gc.ACME.EntryPoint)
+			}
+		}
+	} else if acmeprovider.IsEnabled() {
+		if _, ok := gc.EntryPoints[acmeprovider.Get().EntryPoint]; !ok {
+			log.Fatalf("Unknown entrypoint %q for provider ACME configuration", acmeprovider.Get().EntryPoint)
+		} else {
+			if gc.EntryPoints[acmeprovider.Get().EntryPoint].TLS == nil {
+				log.Fatalf("Entrypoint %q has no TLS configuration for provider ACME configuration", acmeprovider.Get().EntryPoint)
+			}
+		}
+	}
 }

 // DefaultEntryPoints holds default entry points
@@ -105,12 +437,12 @@ func (dep *DefaultEntryPoints) Set(value string) error {

 // Get return the EntryPoints map
 func (dep *DefaultEntryPoints) Get() interface{} {
-	return DefaultEntryPoints(*dep)
+	return *dep
 }

 // SetValue sets the EntryPoints map with val
 func (dep *DefaultEntryPoints) SetValue(val interface{}) {
-	*dep = DefaultEntryPoints(val.(DefaultEntryPoints))
+	*dep = val.(DefaultEntryPoints)
 }

 // Type is type of the struct
@@ -118,309 +450,6 @@ func (dep *DefaultEntryPoints) Type() string {
 	return "defaultentrypoints"
 }

-// RootCAs hold the CA we want to have in root
-type RootCAs []FileOrContent
-
-// FileOrContent hold a file path or content
-type FileOrContent string
-
-func (f FileOrContent) String() string {
-	return string(f)
-}
-
-func (f FileOrContent) Read() ([]byte, error) {
-	var content []byte
-	if _, err := os.Stat(f.String()); err == nil {
-		content, err = ioutil.ReadFile(f.String())
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		content = []byte(f)
-	}
-	return content, nil
-}
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (r *RootCAs) String() string {
-	sliceOfString := make([]string, len([]FileOrContent(*r)))
-	for key, value := range *r {
-		sliceOfString[key] = value.String()
-	}
-	return strings.Join(sliceOfString, ",")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (r *RootCAs) Set(value string) error {
-	rootCAs := strings.Split(value, ",")
-	if len(rootCAs) == 0 {
-		return fmt.Errorf("bad RootCAs format: %s", value)
-	}
-	for _, rootCA := range rootCAs {
-		*r = append(*r, FileOrContent(rootCA))
-	}
-	return nil
-}
-
-// Get return the EntryPoints map
-func (r *RootCAs) Get() interface{} {
-	return RootCAs(*r)
-}
-
-// SetValue sets the EntryPoints map with val
-func (r *RootCAs) SetValue(val interface{}) {
-	*r = RootCAs(val.(RootCAs))
-}
-
-// Type is type of the struct
-func (r *RootCAs) Type() string {
-	return "rootcas"
-}
-
-// EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
-type EntryPoints map[string]*EntryPoint
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (ep *EntryPoints) String() string {
-	return fmt.Sprintf("%+v", *ep)
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (ep *EntryPoints) Set(value string) error {
-	result, err := parseEntryPointsConfiguration(value)
-	if err != nil {
-		return err
-	}
-
-	var configTLS *TLS
-	if len(result["TLS"]) > 0 {
-		certs := Certificates{}
-		if err := certs.Set(result["TLS"]); err != nil {
-			return err
-		}
-		configTLS = &TLS{
-			Certificates: certs,
-		}
-	} else if len(result["TLSACME"]) > 0 {
-		configTLS = &TLS{
-			Certificates: Certificates{},
-		}
-	}
-	if len(result["CA"]) > 0 {
-		files := strings.Split(result["CA"], ",")
-		configTLS.ClientCAFiles = files
-	}
-	var redirect *Redirect
-	if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 {
-		redirect = &Redirect{
-			EntryPoint:  result["RedirectEntryPoint"],
-			Regex:       result["RedirectRegex"],
-			Replacement: result["RedirectReplacement"],
-		}
-	}
-
-	whiteListSourceRange := []string{}
-	if len(result["WhiteListSourceRange"]) > 0 {
-		whiteListSourceRange = strings.Split(result["WhiteListSourceRange"], ",")
-	}
-
-	compress := toBool(result, "Compress")
-	proxyProtocol := toBool(result, "ProxyProtocol")
-
-	(*ep)[result["Name"]] = &EntryPoint{
-		Address:              result["Address"],
-		TLS:                  configTLS,
-		Redirect:             redirect,
-		Compress:             compress,
-		WhitelistSourceRange: whiteListSourceRange,
-		ProxyProtocol:        proxyProtocol,
-	}
-
-	return nil
-}
-
-func parseEntryPointsConfiguration(value string) (map[string]string, error) {
-	regex := regexp.MustCompile(`(?:Name:(?P<Name>\S*))\s*(?:Address:(?P<Address>\S*))?\s*(?:TLS:(?P<TLS>\S*))?\s*(?P<TLSACME>TLS)?\s*(?:CA:(?P<CA>\S*))?\s*(?:Redirect\.EntryPoint:(?P<RedirectEntryPoint>\S*))?\s*(?:Redirect\.Regex:(?P<RedirectRegex>\S*))?\s*(?:Redirect\.Replacement:(?P<RedirectReplacement>\S*))?\s*(?:Compress:(?P<Compress>\S*))?\s*(?:WhiteListSourceRange:(?P<WhiteListSourceRange>\S*))?\s*(?:ProxyProtocol:(?P<ProxyProtocol>\S*))?`)
-	match := regex.FindAllStringSubmatch(value, -1)
-	if match == nil {
-		return nil, fmt.Errorf("bad EntryPoints format: %s", value)
-	}
-	matchResult := match[0]
-	result := make(map[string]string)
-	for i, name := range regex.SubexpNames() {
-		if i != 0 && len(matchResult[i]) != 0 {
-			result[name] = matchResult[i]
-		}
-	}
-	return result, nil
-}
-
-func toBool(conf map[string]string, key string) bool {
-	if val, ok := conf[key]; ok {
-		return strings.EqualFold(val, "true") ||
-			strings.EqualFold(val, "enable") ||
-			strings.EqualFold(val, "on")
-	}
-	return false
-}
-
-// Get return the EntryPoints map
-func (ep *EntryPoints) Get() interface{} {
-	return EntryPoints(*ep)
-}
-
-// SetValue sets the EntryPoints map with val
-func (ep *EntryPoints) SetValue(val interface{}) {
-	*ep = EntryPoints(val.(EntryPoints))
-}
-
-// Type is type of the struct
-func (ep *EntryPoints) Type() string {
-	return "entrypoints"
-}
-
-// EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
-type EntryPoint struct {
-	Network              string
-	Address              string
-	TLS                  *TLS        `export:"true"`
-	Redirect             *Redirect   `export:"true"`
-	Auth                 *types.Auth `export:"true"`
-	WhitelistSourceRange []string
-	Compress             bool `export:"true"`
-	ProxyProtocol        bool `export:"true"`
-}
-
-// Redirect configures a redirection of an entry point to another, or to an URL
-type Redirect struct {
-	EntryPoint  string
-	Regex       string
-	Replacement string
-}
-
-// TLS configures TLS for an entry point
-type TLS struct {
-	MinVersion    string `export:"true"`
-	CipherSuites  []string
-	Certificates  Certificates
-	ClientCAFiles []string
-}
-
-// MinVersion Map of allowed TLS minimum versions
-var MinVersion = map[string]uint16{
-	`VersionTLS10`: tls.VersionTLS10,
-	`VersionTLS11`: tls.VersionTLS11,
-	`VersionTLS12`: tls.VersionTLS12,
-}
-
-// CipherSuites Map of TLS CipherSuites from crypto/tls
-// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
-var CipherSuites = map[string]uint16{
-	`TLS_RSA_WITH_RC4_128_SHA`:                tls.TLS_RSA_WITH_RC4_128_SHA,
-	`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-	`TLS_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	`TLS_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	`TLS_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-	`TLS_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	`TLS_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-	`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-}
-
-// Certificates defines traefik certificates type
-// Certs and Keys could be either a file path, or the file content itself
-type Certificates []Certificate
-
-//CreateTLSConfig creates a TLS config from Certificate structures
-func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) {
-	config := &tls.Config{}
-	config.Certificates = []tls.Certificate{}
-	certsSlice := []Certificate(*certs)
-	for _, v := range certsSlice {
-		var err error
-
-		certContent, err := v.CertFile.Read()
-		if err != nil {
-			return nil, err
-		}
-
-		keyContent, err := v.KeyFile.Read()
-		if err != nil {
-			return nil, err
-		}
-
-		cert, err := tls.X509KeyPair(certContent, keyContent)
-		if err != nil {
-			return nil, err
-		}
-
-		config.Certificates = append(config.Certificates, cert)
-	}
-	return config, nil
-}
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (certs *Certificates) String() string {
-	if len(*certs) == 0 {
-		return ""
-	}
-	var result []string
-	for _, certificate := range *certs {
-		result = append(result, certificate.CertFile.String()+","+certificate.KeyFile.String())
-	}
-	return strings.Join(result, ";")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (certs *Certificates) Set(value string) error {
-	certificates := strings.Split(value, ";")
-	for _, certificate := range certificates {
-		files := strings.Split(certificate, ",")
-		if len(files) != 2 {
-			return fmt.Errorf("bad certificates format: %s", value)
-		}
-		*certs = append(*certs, Certificate{
-			CertFile: FileOrContent(files[0]),
-			KeyFile:  FileOrContent(files[1]),
-		})
-	}
-	return nil
-}
-
-// Type is type of the struct
-func (certs *Certificates) Type() string {
-	return "certificates"
-}
-
-// Certificate holds a SSL cert/key pair
-// Certs and Key could be either a file path, or the file content itself
-type Certificate struct {
-	CertFile FileOrContent
-	KeyFile  FileOrContent
-}
-
 // Retry contains request retry config
 type Retry struct {
 	Attempts int `description:"Number of attempts" export:"true"`
@@ -443,3 +472,10 @@ type ForwardingTimeouts struct {
 	DialTimeout           flaeg.Duration `description:"The amount of time to wait until a connection to a backend server can be established. Defaults to 30 seconds. If zero, no timeout exists" export:"true"`
 	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists" export:"true"`
 }
+
+// LifeCycle contains configurations relevant to the lifecycle (such as the
+// shutdown phase) of Traefik.
+type LifeCycle struct {
+	RequestAcceptGraceTimeout flaeg.Duration `description:"Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure"`
+	GraceTimeOut              flaeg.Duration `description:"Duration to give active requests a chance to finish before Traefik stops"`
+}
--- a/configuration/configuration_test.go
+++ b/configuration/configuration_test.go
@@ -1,201 +1,213 @@
 package configuration

 import (
-	"fmt"
 	"testing"
+	"time"

+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/middlewares/tracing"
+	"github.com/containous/traefik/middlewares/tracing/jaeger"
+	"github.com/containous/traefik/middlewares/tracing/zipkin"
+	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/provider/file"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

-func Test_parseEntryPointsConfiguration(t *testing.T) {
+const defaultConfigFile = "traefik.toml"
+
+func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
 	testCases := []struct {
-		name           string
-		value          string
-		expectedResult map[string]string
+		desc                  string
+		legacyGraceTimeout    time.Duration
+		lifeCycleGraceTimeout time.Duration
+		wantGraceTimeout      time.Duration
 	}{
 		{
-			name:  "all parameters",
-			value: "Name:foo Address:bar TLS:goo TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:WhiteListSourceRange ProxyProtocol:true",
-			expectedResult: map[string]string{
-				"Name":                 "foo",
-				"Address":              "bar",
-				"CA":                   "car",
-				"TLS":                  "goo",
-				"TLSACME":              "TLS",
-				"RedirectEntryPoint":   "RedirectEntryPoint",
-				"RedirectRegex":        "RedirectRegex",
-				"RedirectReplacement":  "RedirectReplacement",
-				"WhiteListSourceRange": "WhiteListSourceRange",
-				"ProxyProtocol":        "true",
-				"Compress":             "true",
-			},
+			desc:               "legacy grace timeout given only",
+			legacyGraceTimeout: 5 * time.Second,
+			wantGraceTimeout:   5 * time.Second,
 		},
 		{
-			name:  "proxy protocol on",
-			value: "Name:foo ProxyProtocol:on",
-			expectedResult: map[string]string{
-				"Name":          "foo",
-				"ProxyProtocol": "on",
-			},
+			desc:                  "legacy and life cycle grace timeouts given",
+			legacyGraceTimeout:    5 * time.Second,
+			lifeCycleGraceTimeout: 12 * time.Second,
+			wantGraceTimeout:      5 * time.Second,
 		},
 		{
-			name:  "compress on",
-			value: "Name:foo Compress:on",
-			expectedResult: map[string]string{
-				"Name":     "foo",
-				"Compress": "on",
-			},
-		},
-		{
-			name:  "TLS",
-			value: "Name:foo TLS:goo TLS",
-			expectedResult: map[string]string{
-				"Name":    "foo",
-				"TLS":     "goo",
-				"TLSACME": "TLS",
-			},
+			desc:                  "legacy grace timeout omitted",
+			legacyGraceTimeout:    0,
+			lifeCycleGraceTimeout: 12 * time.Second,
+			wantGraceTimeout:      12 * time.Second,
 		},
 	}

 	for _, test := range testCases {
 		test := test
-		t.Run(test.name, func(t *testing.T) {
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			conf, err := parseEntryPointsConfiguration(test.value)
-			if err != nil {
-				t.Error(err)
+			gc := &GlobalConfiguration{
+				GraceTimeOut: flaeg.Duration(test.legacyGraceTimeout),
+			}
+			if test.lifeCycleGraceTimeout > 0 {
+				gc.LifeCycle = &LifeCycle{
+					GraceTimeOut: flaeg.Duration(test.lifeCycleGraceTimeout),
+				}
 			}

-			for key, value := range conf {
-				fmt.Println(key, value)
-			}
+			gc.SetEffectiveConfiguration(defaultConfigFile)
+
+			assert.Equal(t, test.wantGraceTimeout, time.Duration(gc.LifeCycle.GraceTimeOut))

-			assert.Len(t, conf, len(test.expectedResult))
-			assert.Equal(t, test.expectedResult, conf)
 		})
 	}
 }

-func Test_toBool(t *testing.T) {
+func TestSetEffectiveConfigurationFileProviderFilename(t *testing.T) {
 	testCases := []struct {
-		name         string
-		value        string
-		key          string
-		expectedBool bool
+		desc                     string
+		fileProvider             *file.Provider
+		wantFileProviderFilename string
 	}{
 		{
-			name:         "on",
-			value:        "on",
-			key:          "foo",
-			expectedBool: true,
+			desc:                     "no filename for file provider given",
+			fileProvider:             &file.Provider{},
+			wantFileProviderFilename: defaultConfigFile,
 		},
 		{
-			name:         "true",
-			value:        "true",
-			key:          "foo",
-			expectedBool: true,
+			desc:                     "filename for file provider given",
+			fileProvider:             &file.Provider{BaseProvider: provider.BaseProvider{Filename: "other.toml"}},
+			wantFileProviderFilename: "other.toml",
 		},
 		{
-			name:         "enable",
-			value:        "enable",
-			key:          "foo",
-			expectedBool: true,
-		},
-		{
-			name:         "arbitrary string",
-			value:        "bar",
-			key:          "foo",
-			expectedBool: false,
-		},
-		{
-			name:         "no existing entry",
-			value:        "bar",
-			key:          "fii",
-			expectedBool: false,
+			desc:                     "directory for file provider given",
+			fileProvider:             &file.Provider{Directory: "/"},
+			wantFileProviderFilename: "",
 		},
 	}

 	for _, test := range testCases {
 		test := test
-		t.Run(test.name, func(t *testing.T) {
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			conf := map[string]string{
-				"foo": test.value,
+			gc := &GlobalConfiguration{
+				File: test.fileProvider,
 			}

-			result := toBool(conf, test.key)
+			gc.SetEffectiveConfiguration(defaultConfigFile)

-			assert.Equal(t, test.expectedBool, result)
+			assert.Equal(t, test.wantFileProviderFilename, gc.File.Filename)
 		})
 	}
 }

-func TestEntryPoints_Set(t *testing.T) {
+func TestSetEffectiveConfigurationTracing(t *testing.T) {
 	testCases := []struct {
-		name                   string
-		expression             string
-		expectedEntryPointName string
-		expectedEntryPoint     *EntryPoint
+		desc     string
+		tracing  *tracing.Tracing
+		expected *tracing.Tracing
 	}{
 		{
-			name:                   "all parameters",
-			expression:             "Name:foo Address:bar TLS:goo,gii TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol:true",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Address: "bar",
-				Redirect: &Redirect{
-					EntryPoint:  "RedirectEntryPoint",
-					Regex:       "RedirectRegex",
-					Replacement: "RedirectReplacement",
+			desc:     "no tracing configuration",
+			tracing:  &tracing.Tracing{},
+			expected: &tracing.Tracing{},
+		},
+		{
+			desc: "tracing bad backend name",
+			tracing: &tracing.Tracing{
+				Backend: "powpow",
+			},
+			expected: &tracing.Tracing{
+				Backend: "powpow",
+			},
+		},
+		{
+			desc: "tracing jaeger backend name",
+			tracing: &tracing.Tracing{
+				Backend: "jaeger",
+				Zipkin: &zipkin.Config{
+					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
+					SameSpan:     false,
+					ID128Bit:     true,
+					Debug:        false,
 				},
-				Compress:             true,
-				ProxyProtocol:        true,
-				WhitelistSourceRange: []string{"Range"},
-				TLS: &TLS{
-					ClientCAFiles: []string{"car"},
-					Certificates: Certificates{
-						{
-							CertFile: FileOrContent("goo"),
-							KeyFile:  FileOrContent("gii"),
-						},
-					},
+			},
+			expected: &tracing.Tracing{
+				Backend: "jaeger",
+				Jaeger: &jaeger.Config{
+					SamplingServerURL:  "http://localhost:5778/sampling",
+					SamplingType:       "const",
+					SamplingParam:      1.0,
+					LocalAgentHostPort: "127.0.0.1:6831",
+				},
+				Zipkin: nil,
+			},
+		},
+		{
+			desc: "tracing zipkin backend name",
+			tracing: &tracing.Tracing{
+				Backend: "zipkin",
+				Jaeger: &jaeger.Config{
+					SamplingServerURL:  "http://localhost:5778/sampling",
+					SamplingType:       "const",
+					SamplingParam:      1.0,
+					LocalAgentHostPort: "127.0.0.1:6831",
+				},
+			},
+			expected: &tracing.Tracing{
+				Backend: "zipkin",
+				Jaeger:  nil,
+				Zipkin: &zipkin.Config{
+					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
+					SameSpan:     false,
+					ID128Bit:     true,
+					Debug:        false,
 				},
 			},
 		},
 		{
-			name:                   "compress on",
-			expression:             "Name:foo Compress:on",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Compress:             true,
-				WhitelistSourceRange: []string{},
+			desc: "tracing zipkin backend name value override",
+			tracing: &tracing.Tracing{
+				Backend: "zipkin",
+				Jaeger: &jaeger.Config{
+					SamplingServerURL:  "http://localhost:5778/sampling",
+					SamplingType:       "const",
+					SamplingParam:      1.0,
+					LocalAgentHostPort: "127.0.0.1:6831",
+				},
+				Zipkin: &zipkin.Config{
+					HTTPEndpoint: "http://powpow:9411/api/v1/spans",
+					SameSpan:     true,
+					ID128Bit:     true,
+					Debug:        true,
+				},
 			},
-		},
-		{
-			name:                   "compress true",
-			expression:             "Name:foo Compress:true",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Compress:             true,
-				WhitelistSourceRange: []string{},
+			expected: &tracing.Tracing{
+				Backend: "zipkin",
+				Jaeger:  nil,
+				Zipkin: &zipkin.Config{
+					HTTPEndpoint: "http://powpow:9411/api/v1/spans",
+					SameSpan:     true,
+					ID128Bit:     true,
+					Debug:        true,
+				},
 			},
 		},
 	}

 	for _, test := range testCases {
 		test := test
-		t.Run(test.name, func(t *testing.T) {
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			eps := EntryPoints{}
-			err := eps.Set(test.expression)
-			require.NoError(t, err)
+			gc := &GlobalConfiguration{
+				Tracing: test.tracing,
+			}

-			ep := eps[test.expectedEntryPointName]
-			assert.EqualValues(t, test.expectedEntryPoint, ep)
+			gc.SetEffectiveConfiguration(defaultConfigFile)
+
+			assert.Equal(t, test.expected, gc.Tracing)
 		})
 	}
 }
--- a/configuration/entrypoints.go
+++ b/configuration/entrypoints.go
@@ -0,0 +1,266 @@
+package configuration
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
+)
+
+// EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoint struct {
+	Address              string
+	TLS                  *tls.TLS          `export:"true"`
+	Redirect             *types.Redirect   `export:"true"`
+	Auth                 *types.Auth       `export:"true"`
+	WhitelistSourceRange []string          // Deprecated
+	WhiteList            *types.WhiteList  `export:"true"`
+	Compress             bool              `export:"true"`
+	ProxyProtocol        *ProxyProtocol    `export:"true"`
+	ForwardedHeaders     *ForwardedHeaders `export:"true"`
+}
+
+// ProxyProtocol contains Proxy-Protocol configuration
+type ProxyProtocol struct {
+	Insecure   bool `export:"true"`
+	TrustedIPs []string
+}
+
+// ForwardedHeaders Trust client forwarding headers
+type ForwardedHeaders struct {
+	Insecure   bool `export:"true"`
+	TrustedIPs []string
+}
+
+// EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoints map[string]*EntryPoint
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (ep EntryPoints) String() string {
+	return fmt.Sprintf("%+v", map[string]*EntryPoint(ep))
+}
+
+// Get return the EntryPoints map
+func (ep *EntryPoints) Get() interface{} {
+	return *ep
+}
+
+// SetValue sets the EntryPoints map with val
+func (ep *EntryPoints) SetValue(val interface{}) {
+	*ep = val.(EntryPoints)
+}
+
+// Type is type of the struct
+func (ep *EntryPoints) Type() string {
+	return "entrypoints"
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (ep *EntryPoints) Set(value string) error {
+	result := parseEntryPointsConfiguration(value)
+
+	var whiteListSourceRange []string
+	if len(result["whitelistsourcerange"]) > 0 {
+		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
+	}
+
+	compress := toBool(result, "compress")
+
+	configTLS, err := makeEntryPointTLS(result)
+	if err != nil {
+		return err
+	}
+
+	(*ep)[result["name"]] = &EntryPoint{
+		Address:              result["address"],
+		TLS:                  configTLS,
+		Auth:                 makeEntryPointAuth(result),
+		Redirect:             makeEntryPointRedirect(result),
+		Compress:             compress,
+		WhitelistSourceRange: whiteListSourceRange,
+		WhiteList:            makeWhiteList(result),
+		ProxyProtocol:        makeEntryPointProxyProtocol(result),
+		ForwardedHeaders:     makeEntryPointForwardedHeaders(result),
+	}
+
+	return nil
+}
+
+func makeWhiteList(result map[string]string) *types.WhiteList {
+	var wl *types.WhiteList
+	if rawRange, ok := result["whitelist_sourcerange"]; ok {
+		wl = &types.WhiteList{
+			SourceRange:      strings.Split(rawRange, ","),
+			UseXForwardedFor: toBool(result, "whitelist_usexforwardedfor"),
+		}
+	}
+	return wl
+}
+
+func makeEntryPointAuth(result map[string]string) *types.Auth {
+	var basic *types.Basic
+	if v, ok := result["auth_basic_users"]; ok {
+		basic = &types.Basic{
+			Users: strings.Split(v, ","),
+		}
+	}
+
+	var digest *types.Digest
+	if v, ok := result["auth_digest_users"]; ok {
+		digest = &types.Digest{
+			Users: strings.Split(v, ","),
+		}
+	}
+
+	var forward *types.Forward
+	if address, ok := result["auth_forward_address"]; ok {
+		var clientTLS *types.ClientTLS
+
+		cert := result["auth_forward_tls_cert"]
+		key := result["auth_forward_tls_key"]
+		insecureSkipVerify := toBool(result, "auth_forward_tls_insecureskipverify")
+
+		if len(cert) > 0 && len(key) > 0 || insecureSkipVerify {
+			clientTLS = &types.ClientTLS{
+				CA:                 result["auth_forward_tls_ca"],
+				CAOptional:         toBool(result, "auth_forward_tls_caoptional"),
+				Cert:               cert,
+				Key:                key,
+				InsecureSkipVerify: insecureSkipVerify,
+			}
+		}
+
+		forward = &types.Forward{
+			Address:            address,
+			TLS:                clientTLS,
+			TrustForwardHeader: toBool(result, "auth_forward_trustforwardheader"),
+		}
+	}
+
+	var auth *types.Auth
+	if basic != nil || digest != nil || forward != nil {
+		auth = &types.Auth{
+			Basic:       basic,
+			Digest:      digest,
+			Forward:     forward,
+			HeaderField: result["auth_headerfield"],
+		}
+	}
+
+	return auth
+}
+
+func makeEntryPointProxyProtocol(result map[string]string) *ProxyProtocol {
+	var proxyProtocol *ProxyProtocol
+
+	ppTrustedIPs := result["proxyprotocol_trustedips"]
+	if len(result["proxyprotocol_insecure"]) > 0 || len(ppTrustedIPs) > 0 {
+		proxyProtocol = &ProxyProtocol{
+			Insecure: toBool(result, "proxyprotocol_insecure"),
+		}
+		if len(ppTrustedIPs) > 0 {
+			proxyProtocol.TrustedIPs = strings.Split(ppTrustedIPs, ",")
+		}
+	}
+
+	if proxyProtocol != nil && proxyProtocol.Insecure {
+		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
+	}
+
+	return proxyProtocol
+}
+
+func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
+	// TODO must be changed to false by default in the next breaking version.
+	forwardedHeaders := &ForwardedHeaders{Insecure: true}
+	if _, ok := result["forwardedheaders_insecure"]; ok {
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+	}
+
+	fhTrustedIPs := result["forwardedheaders_trustedips"]
+	if len(fhTrustedIPs) > 0 {
+		// TODO must be removed in the next breaking version.
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+		forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
+	}
+
+	return forwardedHeaders
+}
+
+func makeEntryPointRedirect(result map[string]string) *types.Redirect {
+	var redirect *types.Redirect
+
+	if len(result["redirect_entrypoint"]) > 0 || len(result["redirect_regex"]) > 0 || len(result["redirect_replacement"]) > 0 {
+		redirect = &types.Redirect{
+			EntryPoint:  result["redirect_entrypoint"],
+			Regex:       result["redirect_regex"],
+			Replacement: result["redirect_replacement"],
+			Permanent:   toBool(result, "redirect_permanent"),
+		}
+	}
+
+	return redirect
+}
+
+func makeEntryPointTLS(result map[string]string) (*tls.TLS, error) {
+	var configTLS *tls.TLS
+
+	if len(result["tls"]) > 0 {
+		certs := tls.Certificates{}
+		if err := certs.Set(result["tls"]); err != nil {
+			return nil, err
+		}
+		configTLS = &tls.TLS{
+			Certificates: certs,
+		}
+	} else if len(result["tls_acme"]) > 0 {
+		configTLS = &tls.TLS{
+			Certificates: tls.Certificates{},
+		}
+	}
+
+	if len(result["ca"]) > 0 {
+		files := strings.Split(result["ca"], ",")
+		optional := toBool(result, "ca_optional")
+		configTLS.ClientCA = tls.ClientCA{
+			Files:    files,
+			Optional: optional,
+		}
+	}
+
+	return configTLS, nil
+}
+
+func parseEntryPointsConfiguration(raw string) map[string]string {
+	sections := strings.Fields(raw)
+
+	config := make(map[string]string)
+	for _, part := range sections {
+		field := strings.SplitN(part, ":", 2)
+		name := strings.ToLower(strings.Replace(field[0], ".", "_", -1))
+		if len(field) > 1 {
+			config[name] = field[1]
+		} else {
+			if strings.EqualFold(name, "TLS") {
+				config["tls_acme"] = "TLS"
+			} else {
+				config[name] = ""
+			}
+		}
+	}
+	return config
+}
+
+func toBool(conf map[string]string, key string) bool {
+	if val, ok := conf[key]; ok {
+		return strings.EqualFold(val, "true") ||
+			strings.EqualFold(val, "enable") ||
+			strings.EqualFold(val, "on")
+	}
+	return false
+}
--- a/configuration/entrypoints_test.go
+++ b/configuration/entrypoints_test.go
@@ -0,0 +1,459 @@
+package configuration
+
+import (
+	"testing"
+
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_parseEntryPointsConfiguration(t *testing.T) {
+	testCases := []struct {
+		name           string
+		value          string
+		expectedResult map[string]string
+	}{
+		{
+			name: "all parameters",
+			value: "Name:foo " +
+				"Address::8000 " +
+				"TLS:goo,gii " +
+				"TLS " +
+				"CA:car " +
+				"CA.Optional:true " +
+				"Redirect.EntryPoint:https " +
+				"Redirect.Regex:http://localhost/(.*) " +
+				"Redirect.Replacement:http://mydomain/$1 " +
+				"Redirect.Permanent:true " +
+				"Compress:true " +
+				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
+				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
+				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
+				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
+				"Auth.HeaderField:X-WebAuth-User " +
+				"Auth.Forward.Address:https://authserver.com/auth " +
+				"Auth.Forward.TrustForwardHeader:true " +
+				"Auth.Forward.TLS.CA:path/to/local.crt " +
+				"Auth.Forward.TLS.CAOptional:true " +
+				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
+				"Auth.Forward.TLS.Key:path/to/foo.key " +
+				"Auth.Forward.TLS.InsecureSkipVerify:true " +
+				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.useXForwardedFor:true ",
+			expectedResult: map[string]string{
+				"address":                             ":8000",
+				"auth_basic_users":                    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+				"auth_digest_users":                   "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+				"auth_forward_address":                "https://authserver.com/auth",
+				"auth_forward_tls_ca":                 "path/to/local.crt",
+				"auth_forward_tls_caoptional":         "true",
+				"auth_forward_tls_cert":               "path/to/foo.cert",
+				"auth_forward_tls_insecureskipverify": "true",
+				"auth_forward_tls_key":                "path/to/foo.key",
+				"auth_forward_trustforwardheader":     "true",
+				"auth_headerfield":                    "X-WebAuth-User",
+				"ca":                                  "car",
+				"ca_optional":                         "true",
+				"compress":                            "true",
+				"forwardedheaders_trustedips":         "10.0.0.3/24,20.0.0.3/24",
+				"name": "foo",
+				"proxyprotocol_trustedips": "192.168.0.1",
+				"redirect_entrypoint":      "https",
+				"redirect_permanent":       "true",
+				"redirect_regex":           "http://localhost/(.*)",
+				"redirect_replacement":     "http://mydomain/$1",
+				"tls":                        "goo,gii",
+				"tls_acme":                   "TLS",
+				"whitelistsourcerange":       "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"whitelist_sourcerange":      "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
+				"whitelist_usexforwardedfor": "true",
+			},
+		},
+		{
+			name:  "compress on",
+			value: "name:foo Compress:on",
+			expectedResult: map[string]string{
+				"name":     "foo",
+				"compress": "on",
+			},
+		},
+		{
+			name:  "TLS",
+			value: "Name:foo TLS:goo TLS",
+			expectedResult: map[string]string{
+				"name":     "foo",
+				"tls":      "goo",
+				"tls_acme": "TLS",
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			conf := parseEntryPointsConfiguration(test.value)
+
+			assert.Len(t, conf, len(test.expectedResult))
+			assert.Equal(t, test.expectedResult, conf)
+		})
+	}
+}
+
+func Test_toBool(t *testing.T) {
+	testCases := []struct {
+		name         string
+		value        string
+		key          string
+		expectedBool bool
+	}{
+		{
+			name:         "on",
+			value:        "on",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "true",
+			value:        "true",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "enable",
+			value:        "enable",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "arbitrary string",
+			value:        "bar",
+			key:          "foo",
+			expectedBool: false,
+		},
+		{
+			name:         "no existing entry",
+			value:        "bar",
+			key:          "fii",
+			expectedBool: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			conf := map[string]string{
+				"foo": test.value,
+			}
+
+			result := toBool(conf, test.key)
+
+			assert.Equal(t, test.expectedBool, result)
+		})
+	}
+}
+
+func TestEntryPoints_Set(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		expression             string
+		expectedEntryPointName string
+		expectedEntryPoint     *EntryPoint
+	}{
+		{
+			name: "all parameters camelcase",
+			expression: "Name:foo " +
+				"Address::8000 " +
+				"TLS:goo,gii " +
+				"TLS " +
+				"CA:car " +
+				"CA.Optional:true " +
+				"Redirect.EntryPoint:https " +
+				"Redirect.Regex:http://localhost/(.*) " +
+				"Redirect.Replacement:http://mydomain/$1 " +
+				"Redirect.Permanent:true " +
+				"Compress:true " +
+				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
+				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
+				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
+				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
+				"Auth.HeaderField:X-WebAuth-User " +
+				"Auth.Forward.Address:https://authserver.com/auth " +
+				"Auth.Forward.TrustForwardHeader:true " +
+				"Auth.Forward.TLS.CA:path/to/local.crt " +
+				"Auth.Forward.TLS.CAOptional:true " +
+				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
+				"Auth.Forward.TLS.Key:path/to/foo.key " +
+				"Auth.Forward.TLS.InsecureSkipVerify:true " +
+				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"whiteList.useXForwardedFor:true ",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Address: ":8000",
+				TLS: &tls.TLS{
+					Certificates: tls.Certificates{
+						{
+							CertFile: tls.FileOrContent("goo"),
+							KeyFile:  tls.FileOrContent("gii"),
+						},
+					},
+					ClientCA: tls.ClientCA{
+						Files:    []string{"car"},
+						Optional: true,
+					},
+				},
+				Redirect: &types.Redirect{
+					EntryPoint:  "https",
+					Regex:       "http://localhost/(.*)",
+					Replacement: "http://mydomain/$1",
+					Permanent:   true,
+				},
+				Auth: &types.Auth{
+					Basic: &types.Basic{
+						Users: types.Users{
+							"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+							"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+						},
+					},
+					Digest: &types.Digest{
+						Users: types.Users{
+							"test:traefik:a2688e031edb4be6a3797f3882655c05",
+							"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+						},
+					},
+					Forward: &types.Forward{
+						Address: "https://authserver.com/auth",
+						TLS: &types.ClientTLS{
+							CA:                 "path/to/local.crt",
+							CAOptional:         true,
+							Cert:               "path/to/foo.cert",
+							Key:                "path/to/foo.key",
+							InsecureSkipVerify: true,
+						},
+						TrustForwardHeader: true,
+					},
+					HeaderField: "X-WebAuth-User",
+				},
+				WhitelistSourceRange: []string{
+					"10.42.0.0/16",
+					"152.89.1.33/32",
+					"afed:be44::/16",
+				},
+				WhiteList: &types.WhiteList{
+					SourceRange: []string{
+						"10.42.0.0/16",
+						"152.89.1.33/32",
+						"afed:be44::/16",
+					},
+					UseXForwardedFor: true,
+				},
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					Insecure:   false,
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					Insecure: false,
+					TrustedIPs: []string{
+						"10.0.0.3/24",
+						"20.0.0.3/24",
+					},
+				},
+			},
+		},
+		{
+			name: "all parameters lowercase",
+			expression: "Name:foo " +
+				"address::8000 " +
+				"tls:goo,gii " +
+				"tls " +
+				"ca:car " +
+				"ca.Optional:true " +
+				"redirect.entryPoint:https " +
+				"redirect.regex:http://localhost/(.*) " +
+				"redirect.replacement:http://mydomain/$1 " +
+				"redirect.permanent:true " +
+				"compress:true " +
+				"whiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
+				"proxyProtocol.TrustedIPs:192.168.0.1 " +
+				"forwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
+				"auth.basic.users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
+				"auth.digest.users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
+				"auth.headerField:X-WebAuth-User " +
+				"auth.forward.address:https://authserver.com/auth " +
+				"auth.forward.trustForwardHeader:true " +
+				"auth.forward.tls.ca:path/to/local.crt " +
+				"auth.forward.tls.caOptional:true " +
+				"auth.forward.tls.cert:path/to/foo.cert " +
+				"auth.forward.tls.key:path/to/foo.key " +
+				"auth.forward.tls.insecureSkipVerify:true ",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Address: ":8000",
+				TLS: &tls.TLS{
+					Certificates: tls.Certificates{
+						{
+							CertFile: tls.FileOrContent("goo"),
+							KeyFile:  tls.FileOrContent("gii"),
+						},
+					},
+					ClientCA: tls.ClientCA{
+						Files:    []string{"car"},
+						Optional: true,
+					},
+				},
+				Redirect: &types.Redirect{
+					EntryPoint:  "https",
+					Regex:       "http://localhost/(.*)",
+					Replacement: "http://mydomain/$1",
+					Permanent:   true,
+				},
+				Auth: &types.Auth{
+					Basic: &types.Basic{
+						Users: types.Users{
+							"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+							"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+						},
+					},
+					Digest: &types.Digest{
+						Users: types.Users{
+							"test:traefik:a2688e031edb4be6a3797f3882655c05",
+							"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+						},
+					},
+					Forward: &types.Forward{
+						Address: "https://authserver.com/auth",
+						TLS: &types.ClientTLS{
+							CA:                 "path/to/local.crt",
+							CAOptional:         true,
+							Cert:               "path/to/foo.cert",
+							Key:                "path/to/foo.key",
+							InsecureSkipVerify: true,
+						},
+						TrustForwardHeader: true,
+					},
+					HeaderField: "X-WebAuth-User",
+				},
+				WhitelistSourceRange: []string{
+					"10.42.0.0/16",
+					"152.89.1.33/32",
+					"afed:be44::/16",
+				},
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					Insecure:   false,
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					Insecure: false,
+					TrustedIPs: []string{
+						"10.0.0.3/24",
+						"20.0.0.3/24",
+					},
+				},
+			},
+		},
+		{
+			name:                   "default",
+			expression:             "Name:foo",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure true",
+			expression:             "Name:foo ForwardedHeaders.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure false",
+			expression:             "Name:foo ForwardedHeaders.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: false},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders TrustedIPs",
+			expression:             "Name:foo ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure true",
+			expression:             "Name:foo ProxyProtocol.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:    &ProxyProtocol{Insecure: true},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure false",
+			expression:             "Name:foo ProxyProtocol.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:    &ProxyProtocol{},
+			},
+		},
+		{
+			name:                   "ProxyProtocol TrustedIPs",
+			expression:             "Name:foo ProxyProtocol.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
+		{
+			name:                   "compress on",
+			expression:             "Name:foo Compress:on",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Compress:         true,
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "compress true",
+			expression:             "Name:foo Compress:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Compress:         true,
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			eps := EntryPoints{}
+			err := eps.Set(test.expression)
+			require.NoError(t, err)
+
+			ep := eps[test.expectedEntryPointName]
+			assert.EqualValues(t, test.expectedEntryPoint, ep)
+		})
+	}
+}
--- a/configuration/provider_aggregator.go
+++ b/configuration/provider_aggregator.go
@@ -0,0 +1,97 @@
+package configuration
+
+import (
+	"encoding/json"
+	"reflect"
+
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/provider"
+	acmeprovider "github.com/containous/traefik/provider/acme"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+)
+
+type providerAggregator struct {
+	providers []provider.Provider
+}
+
+// NewProviderAggregator return an aggregate of all the providers configured in GlobalConfiguration
+func NewProviderAggregator(gc *GlobalConfiguration) provider.Provider {
+	provider := providerAggregator{}
+	if gc.Docker != nil {
+		provider.providers = append(provider.providers, gc.Docker)
+	}
+	if gc.Marathon != nil {
+		provider.providers = append(provider.providers, gc.Marathon)
+	}
+	if gc.File != nil {
+		provider.providers = append(provider.providers, gc.File)
+	}
+	if gc.Rest != nil {
+		provider.providers = append(provider.providers, gc.Rest)
+	}
+	if gc.Consul != nil {
+		provider.providers = append(provider.providers, gc.Consul)
+	}
+	if gc.ConsulCatalog != nil {
+		provider.providers = append(provider.providers, gc.ConsulCatalog)
+	}
+	if gc.Etcd != nil {
+		provider.providers = append(provider.providers, gc.Etcd)
+	}
+	if gc.Zookeeper != nil {
+		provider.providers = append(provider.providers, gc.Zookeeper)
+	}
+	if gc.Boltdb != nil {
+		provider.providers = append(provider.providers, gc.Boltdb)
+	}
+	if gc.Kubernetes != nil {
+		provider.providers = append(provider.providers, gc.Kubernetes)
+	}
+	if gc.Mesos != nil {
+		provider.providers = append(provider.providers, gc.Mesos)
+	}
+	if gc.Eureka != nil {
+		provider.providers = append(provider.providers, gc.Eureka)
+	}
+	if gc.ECS != nil {
+		provider.providers = append(provider.providers, gc.ECS)
+	}
+	if gc.Rancher != nil {
+		provider.providers = append(provider.providers, gc.Rancher)
+	}
+	if gc.DynamoDB != nil {
+		provider.providers = append(provider.providers, gc.DynamoDB)
+	}
+	if gc.ServiceFabric != nil {
+		provider.providers = append(provider.providers, gc.ServiceFabric)
+	}
+	if acmeprovider.IsEnabled() {
+		provider.providers = append(provider.providers, acmeprovider.Get())
+		acme.ConvertToNewFormat(acmeprovider.Get().Storage)
+	}
+	if len(provider.providers) == 1 {
+		return provider.providers[0]
+	}
+	return provider
+}
+
+func (p providerAggregator) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints types.Constraints) error {
+	for _, p := range p.providers {
+		providerType := reflect.TypeOf(p)
+		jsonConf, err := json.Marshal(p)
+		if err != nil {
+			log.Debugf("Unable to marshal provider conf %v with error: %v", providerType, err)
+		}
+		log.Infof("Starting provider %v %s", providerType, jsonConf)
+		currentProvider := p
+		safe.Go(func() {
+			err := currentProvider.Provide(configurationChan, pool, constraints)
+			if err != nil {
+				log.Errorf("Error starting provider %v: %s", providerType, err)
+			}
+		})
+	}
+	return nil
+}
--- a/contrib/scripts/dumpcerts.sh
+++ b/contrib/scripts/dumpcerts.sh
@@ -42,6 +42,18 @@ set -o nounset

 USAGE="$(basename "$0") <path to acme> <destination cert directory>"

+# Platform variations
+case "$(uname)" in
+	'Linux')
+		# On Linux, -d should always work. --decode does not work with Alpine's busybox-binary
+		CMD_DECODE_BASE64="base64 -d"
+		;;
+	*)
+		# Max OS-X supports --decode and -D, but --decode may be supported by other platforms as well.
+		CMD_DECODE_BASE64="base64 --decode"
+		;;
+esac
+
 # Allow us to exit on a missing jq binary
 exit_jq() {
 	echo "
@@ -92,7 +104,7 @@ fi

 jq=$(command -v jq) || exit_jq

-priv=$(${jq} -e -r '.PrivateKey' "${acmefile}") || bad_acme
+priv=$(${jq} -e -r '.Account.PrivateKey' "${acmefile}") || bad_acme

 if [ ! -n "${priv}" ]; then
 	echo "
@@ -130,9 +142,11 @@ trap 'umask ${oldumask}' EXIT
 #
 # and sed:
 # echo "-----BEGIN RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
-# echo ${priv} | sed 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
-# echo "-----END RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
-#
+# echo ${priv} | sed -E 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
+# sed -i '$ d' "${pdir}/letsencrypt.key"
+# echo "-----END RSA PRIVATE KEY-----" >> "${pdir}/letsencrypt.key"
+# openssl rsa -noout -in "${pdir}/letsencrypt.key" -check  # To check if the key is valid
+
 # In the end, openssl was chosen because most users will need this script
 # *because* of openssl combined with the fact that it will refuse to write the
 # key if it does not parse out correctly. The other mechanisms were left as
@@ -141,11 +155,16 @@ echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----
   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"

 # Process the certificates for each of the domains in acme.json
-for domain in $(jq -r '.DomainsCertificate.Certs[].Certificate.Domain' acme.json); do
+for domain in $(jq -r '.Certificates[].Domain.Main' ${acmefile}); do
 	# Traefik stores a cert bundle for each domain.  Within this cert
 	# bundle there is both proper the certificate and the Let's Encrypt CA
 	echo "Extracting cert bundle for ${domain}"
-	cert=$(jq -e -r --arg domain "$domain" '.DomainsCertificate.Certs[].Certificate |
-         	select (.Domain == $domain )| .Certificate' ${acmefile}) || bad_acme
-	echo "${cert}" | base64 --decode > "${cdir}/${domain}.pem"
+	cert=$(jq -e -r --arg domain "$domain" '.Certificates[] |
+         	select (.Domain.Main == $domain )| .Certificate' ${acmefile}) || bad_acme
+	echo "${cert}" | ${CMD_DECODE_BASE64} > "${cdir}/${domain}.crt"
+
+	echo "Extracting private key for ${domain}"
+	key=$(jq -e -r --arg domain "$domain" '.Certificates[] |
+		select (.Domain.Main == $domain )| .Key' ${acmefile}) || bad_acme
+	echo "${key}" | ${CMD_DECODE_BASE64} > "${pdir}/${domain}.key"
 done
--- a/docs.Dockerfile
+++ b/docs.Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine
+
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
+
+COPY requirements.txt /mkdocs/
+WORKDIR /mkdocs
+
+RUN apk --update upgrade \
+&& apk --no-cache --no-progress add py-pip \
+&& rm -rf /var/cache/apk/* \
+&& pip install --user -r requirements.txt
--- a/docs/basics.md
+++ b/docs/basics.md
@@ -62,7 +62,9 @@ And here is another example with client certificate authentication:
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
-  clientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+    [entryPoints.https.tls.ClientCA]
+    files = ["tests/clientca1.crt", "tests/clientca2.crt"]
+    optional = false
    [[entryPoints.https.tls.certificates]]
    certFile = "tests/traefik.crt"
    keyFile = "tests/traefik.key"
@@ -86,6 +88,7 @@ Following is the list of existing modifier rules:

 - `AddPrefix: /products`: Add path prefix to the existing request path prior to forwarding the request to the backend.
 - `ReplacePath: /serverless-path`: Replaces the path and adds the old path to the `X-Replaced-Path` header. Useful for mapping to AWS Lambda or Google Cloud Functions.
+- `ReplacePathRegex: ^/api/v2/(.*) /api/$1`: Replaces the path with a regular expression and adds the old path to the `X-Replaced-Path` header. Separate the regular expression and the replacement by a space.

 #### Matchers

@@ -167,7 +170,7 @@ Here is an example of frontends definition:

 - Three frontends are defined: `frontend1`, `frontend2` and `frontend3`
 - `frontend1` will forward the traffic to the `backend2` if the rule `Host:test.localhost,test2.localhost` is matched
- `frontend2` will forward the traffic to the `backend1` if the rule `Host:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
+- `frontend2` will forward the traffic to the `backend1` if the rule `HostRegexp:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
 - `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched

 #### Combining multiple rules
@@ -230,33 +233,37 @@ The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portio
 #### Priorities

 By default, routes will be sorted (in descending order) using rules length (to avoid path overlap):
-`PathPrefix:/12345` will be matched before `PathPrefix:/1234` that will be matched before `PathPrefix:/1`.
+`PathPrefix:/foo;Host:foo.com` (length == 28) will be matched before `PathPrefixStrip:/foobar` (length == 23) will be matched before `PathPrefix:/foo,/bar` (length == 20).

-You can customize priority by frontend:
+You can customize priority by frontend. The priority value override the rule length during sorting:

 ```toml
  [frontends]
    [frontends.frontend1]
    backend = "backend1"
-    priority = 10
+    priority = 20
    passHostHeader = true
      [frontends.frontend1.routes.test_1]
      rule = "PathPrefix:/to"
    [frontends.frontend2]
-    priority = 5
    backend = "backend2"
    passHostHeader = true
      [frontends.frontend2.routes.test_1]
      rule = "PathPrefix:/toto"
 ```

-Here, `frontend1` will be matched before `frontend2` (`10 > 5`).
+Here, `frontend1` will be matched before `frontend2` (`20 > 16`).

 #### Custom headers

 Custom headers can be configured through the frontends, to add headers to either requests or responses that match the frontend's rules.
 This allows for setting headers such as `X-Script-Name` to be added to the request, or custom headers to be added to the response.

+!!! warning
+    If the custom header name is the same as one header name of the request or response, it will be replaced.
+
+In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request and the `X-Custom-Response-Header` header added to the response.
+
 ```toml
 [frontends]
  [frontends.frontend1]
@@ -269,7 +276,20 @@ This allows for setting headers such as `X-Script-Name` to be added to the reque
    rule = "PathPrefixStrip:/cheese"
 ```

-In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, and the `X-Custom-Response-Header` added to the response.
+In this second  example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
+
+```toml
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.headers.customresponseheaders]
+    X-Custom-Response-Header = ""
+    [frontends.frontend1.headers.customrequestheaders]
+    X-Script-Name = "test"
+    X-Custom-Request-Header = ""
+    [frontends.frontend1.routes.test_1]
+    rule = "PathPrefixStrip:/cheese"
+```

 #### Security headers

@@ -303,12 +323,49 @@ In this example, traffic routed through the first frontend will have the `X-Fram

 A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers.

+#### Servers
+
+Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
+
+!!! note
+    Paths in `url` are ignored. Use `Modifier` to specify paths instead.
+
+Here is an example of backends and servers definition:
+
+```toml
+[backends]
+  [backends.backend1]
+    # ...
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    # ...
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
+```
+
+- Two backends are defined: `backend1` and `backend2`
+- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1`.
+- `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2`.
+
+#### Load-balancing
+
 Various methods of load-balancing are supported:

- `wrr`: Weighted Round Robin
+- `wrr`: Weighted Round Robin.
 - `drr`: Dynamic Round Robin: increases weights on servers that perform better than others.
    It also rolls back to original weights if the servers have changed.

+#### Circuit breakers
+
 A circuit breaker can also be applied to a backend, preventing high loads on failing servers.
 Initial state is Standby. CB observes the statistics and does not modify the request.
 In case the condition matches, CB enters Tripped state, where it responds with predefined code or redirects to another frontend.
@@ -322,16 +379,33 @@ It can be configured using:

 For example:

- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend
+- `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window for a frontend.
 - `LatencyAtQuantileMS(50.0) > 50`:  watch latency at quantile in milliseconds.
- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in range [500-600) to  [0-600)
+- `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in ranges [500-600) and [0-600).

-To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can
-also be applied to each backend.
+Here is an example of backends and servers definition:

-Maximum connections can be configured by specifying an integer value for `maxconn.amount` and
-`maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to
-evaluate the maximum connections.
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.circuitbreaker]
+    expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+```
+
+- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
+- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
+
+#### Maximum connections
+
+To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can also be applied to each backend.
+
+Maximum connections can be configured by specifying an integer value for `maxconn.amount` and `maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to evaluate the maximum connections.

 For example:
 ```toml
@@ -340,18 +414,37 @@ For example:
    [backends.backend1.maxconn]
       amount = 10
       extractorfunc = "request.host"
+   # ...
 ```

 - `backend1` will return `HTTP code 429 Too Many Requests` if there are already 10 requests in progress for the same Host header.
 - Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip.
 - Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide.

+#### Sticky sessions
+
 Sticky sessions are supported with both load balancers.  
-When sticky sessions are enabled, a cookie called `_TRAEFIK_BACKEND` is set on the initial request.
+When sticky sessions are enabled, a cookie is set on the initial request.
+The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy.
 If not, a new backend will be assigned.

-For example:
+```toml
+[backends]
+  [backends.backend1]
+    # Enable sticky session
+    [backends.backend1.loadbalancer.stickiness]
+
+    # Customize the cookie name
+    #
+    # Optional
+    # Default: a sha1 (6 chars)
+    #
+    #  cookieName = "my_cookie"
+```
+
+The deprecated way:
+
 ```toml
 [backends]
  [backends.backend1]
@@ -359,8 +452,10 @@ For example:
      sticky = true
 ```

+#### Health Check
+
 A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `200 OK` to HTTP GET requests periodically carried out by Traefik.  
-The check is defined by a pathappended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
+The check is defined by a path appended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
 Each backend must respond to the health check within 5 seconds.  
 By default, the port of the backend server is used, however, this may be overridden.

@@ -386,49 +481,12 @@ To use a different port for the healthcheck:
    port = 8080
 ```

-### Servers
-
-Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
-
-!!! note
-    Paths in `url` are ignored. Use `Modifier` to specify paths instead.
-
-Here is an example of backends and servers definition:
-
-```toml
-[backends]
-  [backends.backend1]
-    [backends.backend1.circuitbreaker]
-    expression = "NetworkErrorRatio() > 0.5"
-    [backends.backend1.servers.server1]
-    url = "http://172.17.0.2:80"
-    weight = 10
-    [backends.backend1.servers.server2]
-    url = "http://172.17.0.3:80"
-    weight = 1
-  [backends.backend2]
-    [backends.backend2.LoadBalancer]
-    method = "drr"
-    [backends.backend2.servers.server1]
-    url = "http://172.17.0.4:80"
-    weight = 1
-    [backends.backend2.servers.server2]
-    url = "http://172.17.0.5:80"
-    weight = 2
-```
-
- Two backends are defined: `backend1` and `backend2`
- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
- `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2` using `drr` load-balancing strategy.
- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
-
-
 ## Configuration

 Træfik's configuration has two parts:

- The [static Træfik configuration](/basics#static-trfk-configuration) which is loaded only at the beginning.
- The [dynamic Træfik configuration](/basics#dynamic-trfk-configuration) which can be hot-reloaded (no need to restart the process).
+- The [static Træfik configuration](/basics#static-trfik-configuration) which is loaded only at the beginning.
+- The [dynamic Træfik configuration](/basics#dynamic-trfik-configuration) which can be hot-reloaded (no need to restart the process).

 ### Static Træfik configuration

@@ -444,7 +502,7 @@ Each item takes precedence over the item below it:

 It means that arguments override configuration file, and key-value store overrides arguments.

-!!! note 
+!!! note
    the provider-enabling argument parameters (e.g., `--docker`) set all default values for the specific provider.  
    It must not be used if a configuration source with less precedence wants to set a non-default provider value.

@@ -492,6 +550,7 @@ The dynamic configuration concerns :
 - [Frontends](/basics/#frontends)
 - [Backends](/basics/#backends)
 - [Servers](/basics/#servers)
+- HTTPS Certificates

 Træfik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons).

@@ -512,7 +571,7 @@ traefik [command] [--flag=flag_argument]
 List of Træfik available commands with description :

 - `version` : Print version
- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Træfik configuration](/user-guide/kv-config/#store-trfk-configuration) section to get documentation on it.
+- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Træfik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it.
 - `bug`: The easiest way to submit a pre-filled issue.
 - `healthcheck`: Calls Traefik `/ping` to check health.

@@ -528,6 +587,11 @@ Each command is described at the beginning of the help section:

 ```bash
 traefik --help
+
+# or
+
+docker run traefik[:version] --help
+# ex: docker run traefik:1.5 --help
 ```

 ### Command: bug
@@ -547,7 +611,7 @@ This command allows to check the health of Traefik. Its exit status is `0` if Tr
 This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.

 !!! note
-    The [`web` provider](/configuration/backends/web) must be enabled to allow `/ping` calls by the `healthcheck` command.
+    The [`ping`](/configuration/ping) must be enabled to allow the `healthcheck` command to call `/ping`.

 ```bash
 traefik healthcheck
@@ -555,3 +619,121 @@ traefik healthcheck
 ```bash
 OK: http://:8082/ping
 ```
+
+
+## Collected Data
+
+**This feature is disabled by default.**
+
+You can read the public proposal on this topic [here](https://github.com/containous/traefik/issues/2369).
+
+### Why ?
+
+In order to help us learn more about how Træfik is being used and improve it, we collect anonymous usage statistics from running instances.
+Those data help us prioritize our developments and focus on what's more important (for example, which configuration backend is used and which is not used).
+
+### What ?
+
+Once a day (the first call begins 10 minutes after the start of Træfik), we collect:
+
+- the Træfik version
+- a hash of the configuration
+- an **anonymous version** of the static configuration:
+    - token, user name, password, URL, IP, domain, email, etc, are removed
+
+!!! note
+    We do not collect the dynamic configuration (frontends & backends).
+
+!!! note
+    We do not collect data behind the scenes to run advertising programs or to sell such data to third-party.
+
+#### Here is an example
+
+- Source configuration:
+
+```toml
+[entryPoints]
+    [entryPoints.http]
+       address = ":80"
+
+[api]
+
+[Docker]
+  endpoint = "tcp://10.10.10.10:2375"
+  domain = "foo.bir"
+  exposedByDefault = true
+  swarmMode = true
+
+  [Docker.TLS]
+    ca = "dockerCA"
+    cert = "dockerCert"
+    key = "dockerKey"
+    insecureSkipVerify = true
+
+[ECS]
+  domain = "foo.bar"
+  exposedByDefault = true
+  clusters = ["foo-bar"]
+  region = "us-west-2"
+  accessKeyID = "AccessKeyID"
+  secretAccessKey = "SecretAccessKey"
+```
+
+- Obfuscated and anonymous configuration:
+
+```toml
+[entryPoints]
+    [entryPoints.http]
+       address = ":80"
+
+[api]
+
+[Docker]
+  endpoint = "xxxx"
+  domain = "xxxx"
+  exposedByDefault = true
+  swarmMode = true
+
+  [Docker.TLS]
+    ca = "xxxx"
+    cert = "xxxx"
+    key = "xxxx"
+    insecureSkipVerify = false
+
+[ECS]
+  domain = "xxxx"
+  exposedByDefault = true
+  clusters = []
+  region = "us-west-2"
+  accessKeyID = "xxxx"
+  secretAccessKey = "xxxx"
+```
+
+### Show me the code !
+
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
+
+By default we anonymize all configuration fields, except fields tagged with `export=true`.
+
+You can check all fields in the [godoc](https://godoc.org/github.com/containous/traefik/configuration#GlobalConfiguration).
+
+### How to enable this ?
+
+You can enable the collecting system by:
+
+- adding this line in the configuration TOML file:
+
+```toml
+# Send anonymous usage data
+#
+# Optional
+# Default: false
+#
+sendAnonymousUsage = true
+```
+
+- adding this flag in the CLI:
+
+```bash
+./traefik --sendAnonymousUsage=true
+```
--- a/docs/benchmarks.md
+++ b/docs/benchmarks.md
@@ -118,7 +118,7 @@ server {
 Here is the `traefik.toml` file used:

 ```toml
-MaxIdleConnsPerHost = 100000
+maxIdleConnsPerHost = 100000
 defaultEntryPoints = ["http"]

 [entryPoints]
--- a/docs/configuration/acme.md
+++ b/docs/configuration/acme.md
@@ -7,10 +7,14 @@ See also [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) an
 ```toml
 # Sample entrypoint configuration when using ACME.
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
+```

+```toml
 # Enable ACME (Let's Encrypt): automatic SSL.
 [acme]

@@ -20,6 +24,12 @@ See also [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) an
 #
 email = "test@traefik.io"

+# File used for certificates storage.
+#
+# Optional (Deprecated)
+#
+#storageFile = "acme.json"
+
 # File or key used for certificates storage.
 #
 # Required
@@ -27,43 +37,43 @@ email = "test@traefik.io"
 storage = "acme.json"
 # or `storage = "traefik/acme/account"` if using KV store.

-# Entrypoint to proxy acme challenge/apply certificates to.
-# WARNING, must point to an entrypoint on port 443
+# Entrypoint to proxy acme apply certificates to.
 #
 # Required
 #
 entryPoint = "https"

-# Use a DNS based acme challenge rather than external HTTPS access
+# Deprecated, replaced by [acme.dnsChallenge].
 #
-#
-# Optional
+# Optional.
 #
 # dnsProvider = "digitalocean"

-# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.
-# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
-# Useful if internal networks block external DNS queries.
+# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
 #
 # Optional
+# Default: 0
 #
 # delayDontCheckDNS = 0

 # If true, display debug log messages from the acme client library.
 #
 # Optional
+# Default: false
 #
 # acmeLogging = true

-# Enable on demand certificate.
+# Enable on demand certificate generation.
 #
-# Optional
+# Optional (Deprecated)
+# Default: false
 #
 # onDemand = true

 # Enable certificate generation on frontends Host rules.
 #
 # Optional
+# Default: false
 #
 # onHostRule = true

@@ -72,23 +82,80 @@ entryPoint = "https"
 # - Leave comment to go to prod.
 #
 # Optional
+# Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
-# caServer = "https://acme-staging.api.letsencrypt.org/directory"
+# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

 # Domains list.
+# Only domains defined here can generate wildcard certificates.
 #
 # [[acme.domains]]
-# main = "local1.com"
-# sans = ["test1.local1.com", "test2.local1.com"]
+#   main = "local1.com"
+#   sans = ["test1.local1.com", "test2.local1.com"]
 # [[acme.domains]]
-# main = "local2.com"
-# sans = ["test1.local2.com", "test2.local2.com"]
+#   main = "local2.com"
+#   sans = ["test1.local2.com", "test2.local2.com"]
 # [[acme.domains]]
-# main = "local3.com"
+#   main = "local3.com"
 # [[acme.domains]]
-# main = "local4.com"
+#   main = "local4.com"
+
+# Use a HTTP-01 acme challenge.
+#
+# Optional but recommend
+#
+[acme.httpChallenge]
+
+  # EntryPoint to use for the HTTP-01 challenges.
+  #
+  # Required
+  #
+  entryPoint = "http"
+
+# Use a DNS-01/DNS-01 acme challenge rather than HTTP-01 challenge.
+# Note : Mandatory for wildcard certificates generation.
+#
+# Optional
+#
+# [acme.dnsChallenge]
+
+  # Provider used.
+  #
+  # Required
+  #
+  # provider = "digitalocean"
+
+  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+  # If delayBeforeCheck is greater than zero, avoid this & instead just wait so many seconds.
+  # Useful if internal networks block external DNS queries.
+  #
+  # Optional
+  # Default: 0
+  #
+  # delayBeforeCheck = 0
 ```

+!!! note
+    If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
+    These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+
+!!! note
+    Wildcard certificates can be generated only if `acme.dnsChallenge`
+option is enable.
+
+### Let's Encrypt downtime
+
+Let's Encrypt functionality will be limited until Træfik is restarted.
+
+If Let's Encrypt is not reachable, these certificates will be used :
+
+  - ACME certificates already generated before downtime
+  - Expired ACME certificates
+  - Provided certificates
+
+!!! note
+    Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
+
 ### `storage`

 ```toml
@@ -98,9 +165,27 @@ storage = "acme.json"
 # ...
 ```

-File or key used for certificates storage.
+The `storage` option sets where are stored your ACME certificates.

-**WARNING** If you use Traefik in Docker, you have 2 options:
+There are two kind of `storage` :
+
+- a JSON file,
+- a KV store entry.
+
+!!! danger "DEPRECATED"
+    `storage` replaces `storageFile` which is deprecated.
+
+!!! note
+    During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here](/user-guide/kv-config/#store-configuration-in-key-value-store)), if ACME certificates have to be migrated too, use both `storageFile` and `storage`.
+
+    - `storageFile` will contain the path to the `acme.json` file to migrate.
+    - `storage` will contain the key where the certificates will be stored.
+
+#### Store data in a file
+
+ACME certificates can be stored in a JSON file which with the `600` right mode.
+
+There are two ways to store ACME certificates in a file from Docker:

 - create a file on your host and mount it as a volume:
 ```toml
@@ -109,7 +194,6 @@ storage = "acme.json"
 ```bash
 docker run -v "/my/host/acme.json:acme.json" traefik
 ```
-
 - mount the folder containing the file as a volume
 ```toml
 storage = "/etc/traefik/acme/acme.json"
@@ -118,52 +202,135 @@ storage = "/etc/traefik/acme/acme.json"
 docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```

-### `dnsProvider`
+!!! warning
+    This file cannot be shared per many instances of Træfik at the same time.
+    If you have to use Træfik cluster mode, please use [a KV Store entry](/configuration/acme/#storage-kv-entry).
+
+#### Store data in a KV store entry
+
+ACME certificates can be stored in a KV Store entry.
+
+```toml
+storage = "traefik/acme/account"
+```
+
+**This kind of storage is mandatory in cluster mode.**
+
+Because KV stores (like Consul) have limited entries size, the certificates list is compressed before to be set in a KV store entry.
+
+!!! note
+    It's possible to store up to approximately 100 ACME certificates in Consul.
+
+### `httpChallenge`
+
+Use `HTTP-01` challenge to generate/renew ACME certificates.
+
+The redirection is fully compatible with the HTTP-01 challenge.
+You can use redirection with HTTP-01 challenge without problem.

 ```toml
 [acme]
 # ...
-dnsProvider = "digitalocean"
-# ...
+entryPoint = "https"
+[acme.httpChallenge]
+  entryPoint = "http"
 ```

-Use a DNS based acme challenge rather than external HTTPS access, e.g. for a firewalled server.
+#### `entryPoint`

-Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables with access keys to enable setting it:
+Specify the entryPoint to use during the challenges.

-| Provider                                     | Configuration                                                                                             |
-|----------------------------------------------|-----------------------------------------------------------------------------------------------------------|
-| [Cloudflare](https://www.cloudflare.com)     | `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY`                                                                  |
-| [DigitalOcean](https://www.digitalocean.com) | `DO_AUTH_TOKEN`                                                                                           |
-| [DNSimple](https://dnsimple.com)             | `DNSIMPLE_EMAIL`, `DNSIMPLE_OAUTH_TOKEN`                                                                  |
-| [DNS Made Easy](https://dnsmadeeasy.com)     | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`                                                           |
-| [Exoscale](https://www.exoscale.ch)          | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`                                                                 |
-| [Gandi](https://www.gandi.net)               | `GANDI_API_KEY`                                                                                           |
-| [Linode](https://www.linode.com)             | `LINODE_API_KEY`                                                                                          |
-| manual                                       | none, but run Traefik interactively & turn on `acmeLogging` to see instructions & press <kbd>Enter</kbd>. |
-| [Namecheap](https://www.namecheap.com)       | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                 |
-| RFC2136                                      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                 |
-| [Route 53](https://aws.amazon.com/route53/)  | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, or configured user/instance IAM profile.      |
-| [dyn](https://dyn.com)                       | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                      |
-| [VULTR](https://www.vultr.com)               | `VULTR_API_KEY`                                                                                           |
-| [OVH](https://www.ovh.com)                   | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                       |
-| [pdns](https://www.powerdns.com)             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                            |
+```toml
+defaultEntryPoints = ["http", "https"]

-### `delayDontCheckDNS`
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+# ...
+
+[acme]
+  # ...
+  entryPoint = "https"
+  [acme.httpChallenge]
+    entryPoint = "http"
+```
+
+!!! note
+    `acme.httpChallenge.entryPoint` has to be reachable by Let's Encrypt through the port 80.
+    It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+
+### `dnsChallenge`
+
+Use `DNS-01/DNS-01` challenge to generate/renew ACME certificates.

 ```toml
 [acme]
 # ...
-delayDontCheckDNS = 0
+[acme.dnsChallenge]
+  provider = "digitalocean"
+  delayBeforeCheck = 0
 # ...
 ```

-By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.  
-If `delayDontCheckDNS` is greater than zero, avoid this & instead just wait so many seconds.
+!!! note
+    ACME wildcard certificates can only be generated thanks to a `DNS-01` challenge.
+
+#### `provider`
+
+Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables to enable setting it:
+
+| Provider Name                                          | Provider code  | Configuration                                                                                                             |
+|--------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------|
+| [Auroradns](https://www.pcextreme.com/aurora/dns)      | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                         |
+| [Azure](https://azure.microsoft.com/services/dns/)     | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`              |
+| [Blue Cat](https://www.bluecatnetworks.com/)           | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                  |
+| [Cloudflare](https://www.cloudflare.com)               | `cloudflare`   | `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` - The Cloudflare `Global API Key` needs to be used and not the `Origin CA Key`   |
+| [CloudXNS](https://www.cloudxns.net)                   | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                 |
+| [DigitalOcean](https://www.digitalocean.com)           | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                           |
+| [DNSimple](https://dnsimple.com)                       | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                               |
+| [DNS Made Easy](https://dnsmadeeasy.com)               | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                    |
+| [DNSPod](http://www.dnspod.net/)                       | `dnspod`       | `DNSPOD_API_KEY`                                                                                                          |
+| [Duck DNS](https://www.duckdns.org/)                   | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                           |
+| [Dyn](https://dyn.com)                                 | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                      |
+| External Program                                       | `exec`         | `EXEC_PATH`                                                                                                               |
+| [Exoscale](https://www.exoscale.ch)                    | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                            |
+| [Fast DNS](https://www.akamai.com/)                    | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                    |
+| [Gandi](https://www.gandi.net)                         | `gandi`        | `GANDI_API_KEY`                                                                                                           |
+| [Gandi V5](http://doc.livedns.gandi.net)               | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                         |
+| [Glesys](https://glesys.com/)                          | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                      |
+| [GoDaddy](https://godaddy.com/domains)                 | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                   |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud`       | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE`                                                                                 |
+| [Lightsail](https://aws.amazon.com/lightsail/)         | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                  |
+| [Linode](https://www.linode.com)                       | `linode`       | `LINODE_API_KEY`                                                                                                          |
+| manual                                                 | -              | none, but run Træfik interactively & turn on `acmeLogging` to see instructions & press <kbd>Enter</kbd>.                  |
+| [Namecheap](https://www.namecheap.com)                 | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                 |
+| [name.com](https://www.name.com/)                      | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                 |
+| [Ns1](https://ns1.com/)                                | `ns1`          | `NS1_API_KEY`                                                                                                             |
+| [Open Telekom Cloud](https://cloud.telekom.de/en/)     | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                           |
+| [OVH](https://www.ovh.com)                             | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                       |
+| [PowerDNS](https://www.powerdns.com)                   | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                            |
+| [Rackspace](https://www.rackspace.com/cloud/dns)       | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                     |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)         | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                 |
+| [Route 53](https://aws.amazon.com/route53/)            | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_HOSTED_ZONE_ID` or configured user/instance IAM profile. |
+| [VULTR](https://www.vultr.com)                         | `vultr`        | `VULTR_API_KEY`                                                                                                           |
+
+#### `delayBeforeCheck`
+
+By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.  
+If `delayBeforeCheck` is greater than zero, avoid this & instead just wait so many seconds.

 Useful if internal networks block external DNS queries.

-### `onDemand`
+!!! note
+    This field has no sense if a `provider` is not defined.
+
+### `onDemand` (Deprecated)
+
+!!! danger "DEPRECATED"
+    This option is deprecated.

 ```toml
 [acme]
@@ -174,13 +341,13 @@ onDemand = true

 Enable on demand certificate.

-This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate.
+This will request a certificate from Let's Encrypt during the first TLS handshake for a host name that does not yet have a certificate.

 !!! warning
-    TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DoS attacks.
-    
+    TLS handshakes will be slow when requesting a host name certificate for the first time, this can lead to DoS attacks.
+
 !!! warning
-    Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits)
+    Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).

 ### `onHostRule`

@@ -191,18 +358,22 @@ onHostRule = true
 # ...
 ```

-Enable certificate generation on frontends Host rules.
+Enable certificate generation on frontends `Host` rules (for frontends wired on the `acme.entryPoint`).

 This will request a certificate from Let's Encrypt for each frontend with a Host rule.

 For example, a rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`.

+!!! warning
+    `onHostRule` option can not be used to generate wildcard certificates.
+    Refer to [the wildcard generation section](/configuration/acme/#wildcard-domain) for more information.
+
 ### `caServer`

 ```toml
 [acme]
 # ...
-caServer = "https://acme-staging.api.letsencrypt.org/directory"
+caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # ...
 ```

@@ -217,22 +388,169 @@ CA server to use.
 [acme]
 # ...
 [[acme.domains]]
-main = "local1.com"
-sans = ["test1.local1.com", "test2.local1.com"]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
 [[acme.domains]]
-main = "local2.com"
-sans = ["test1.local2.com", "test2.local2.com"]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2.local2.com"]
 [[acme.domains]]
-main = "local3.com"
+  main = "local3.com"
 [[acme.domains]]
-main = "local4.com"
+  main = "*.local4.com"
+  sans = ["local4.com", "test1.test1.local4.com"]
 # ...
 ```

+#### Wildcard domains
+
+Wildcard domain has to be defined as a main domain.
+All domains must have A/AAAA records pointing to Træfik.
+
+Due to ACME limitation, it's not possible to define a wildcard as a SAN (alternative domains).
+It's neither possible to define a wildcard on a wildcard domain (for example `*.*.local.com`).
+
+!!! warning
+    Note that Let's Encrypt has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+
+Each domain & SANs will lead to a certificate request.
+
+#### Others domains
+
 You can provide SANs (alternative domains) to each main domain.
-All domains must have A/AAAA records pointing to Traefik.
+All domains must have A/AAAA records pointing to Træfik.

 !!! warning
    Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).

 Each domain & SANs will lead to a certificate request.
+
+### `dnsProvider` (Deprecated)
+
+!!! danger "DEPRECATED"
+    This option is deprecated, use [dnsChallenge.provider](/configuration/acme/#dnschallenge) instead.
+
+### `delayDontCheckDNS` (Deprecated)
+
+!!! danger "DEPRECATED"
+    This option is deprecated, use [dnsChallenge.delayBeforeCheck](/configuration/acme/#dnschallenge) instead.
+
+## Wildcard certificates
+
+[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) allows wildcard certificate support.
+However, this feature needs a specific configuration.
+
+### DNS-01 Challenge
+
+As described in [Let's Encrypt post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605), wildcard certificates can only be generated through a `DNS-01` Challenge.
+This challenge is linked to the Træfik option `acme.dnsChallenge`.
+
+```toml
+[acme]
+# ...
+[acme.dnsChallenge]
+  provider = "digitalocean"
+  delayBeforeCheck = 0
+# ...
+```
+
+For more information about this option, please refer to the [dnsChallenge section](/configuration/acme/#dnschallenge).
+
+### Wildcard domain
+
+Wildcard domains can currently be provided only by to the `acme.domains` option.
+
+```toml
+[acme]
+# ...
+[[acme.domains]]
+  main = "*.local1.com"
+  sans = ["local1.com"]
+[[acme.domains]]
+  main = "*.local2.com"
+# ...
+```
+
+For more information about this option, please refer to the [domains section](/configuration/acme/#domains).
+
+### Limitations
+
+Let's Encrypt wildcard support have some limitations to take into account :
+
+- Wildcard domain can not be a SAN (alternative domain),
+- Wildcard domain on a wildcard domain is forbidden (for example `*.*.local.com`),
+- A DNS-01 Challenge is executed for each domain (CN and SANs), DNS provider can not manage correctly this behavior as explained in the [DNS provider support section](/configuration/acme/#dns-provider-support)
+
+
+### DNS provider support
+
+All DNS providers allow creating ACME wildcard certificates.
+However, many troubles can appear for wildcard domains with SANs.
+
+If a wildcard domain is defined with it root domain as SAN, as described below, 2 DNS-01 Challenges will be executed.
+
+```toml
+[acme]
+# ...
+[[acme.domains]]
+  main = "*.local1.com"
+  sans = ["local1.com"]
+# ...
+```
+
+When a DNS-01 Challenge is done, Let's Encrypt checks if a TXT record is created with a given name and a given value.
+When a certificate is generated for a wildcard domain is defined with it root domain as SAN, the requested TXT record name for both the wildcard domain and the root domain is the same.
+
+The [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) allows this behavior.
+But all DNS providers keep TXT records values in a cache with a TTL.
+In function of the parameters given by the Træfik ACME client library ([LEGO](https://github.com/xenolf/lego)), the TXT record TTL can be superior to challenge Timeout.
+In that event, the DNS-01 Challenge will not work correctly.
+ 
+[LEGO](https://github.com/xenolf/lego) will involve in the way to be adapted to all of DNS providers.
+Meanwhile, the table described below contains all the DNS providers supported by Træfik and indicates if they allow generating certificates for a wildcard domain and its root domain.
+Do not hesitate to complete it.
+
+| Provider Name                                          | Provider code  | Wildcard and Root Domain Support |
+|--------------------------------------------------------|----------------|----------------------------------|
+| [Auroradns](https://www.pcextreme.com/aurora/dns)      | `auroradns`    | Not tested yet                   |
+| [Azure](https://azure.microsoft.com/services/dns/)     | `azure`        | Not tested yet                   |
+| [Blue Cat](https://www.bluecatnetworks.com/)           | `bluecat`      | Not tested yet                   |
+| [Cloudflare](https://www.cloudflare.com)               | `cloudflare`   | YES                              |
+| [CloudXNS](https://www.cloudxns.net)                   | `cloudxns`     | Not tested yet                   |
+| [DigitalOcean](https://www.digitalocean.com)           | `digitalocean` | YES                              |
+| [DNSimple](https://dnsimple.com)                       | `dnsimple`     | Not tested yet                   |
+| [DNS Made Easy](https://dnsmadeeasy.com)               | `dnsmadeeasy`  | Not tested yet                   |
+| [DNSPod](http://www.dnspod.net/)                       | `dnspod`       | Not tested yet                   |
+| [Duck DNS](https://www.duckdns.org/)                   | `duckdns`      | Not tested yet                   |
+| [Dyn](https://dyn.com)                                 | `dyn`          | Not tested yet                   |
+| External Program                                       | `exec`         | Not tested yet                   |
+| [Exoscale](https://www.exoscale.ch)                    | `exoscale`     | Not tested yet                   |
+| [Fast DNS](https://www.akamai.com/)                    | `fastdns`      | Not tested yet                   |
+| [Gandi](https://www.gandi.net)                         | `gandi`        | Not tested yet                   |
+| [Gandi V5](http://doc.livedns.gandi.net)               | `gandiv5`      | Not tested yet                   |
+| [Glesys](https://glesys.com/)                          | `glesys`       | Not tested yet                   |
+| [GoDaddy](https://godaddy.com/domains)                 | `godaddy`      | Not tested yet                   |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud`       | YES                              |
+| [Lightsail](https://aws.amazon.com/lightsail/)         | `lightsail`    | Not tested yet                   |
+| [Linode](https://www.linode.com)                       | `linode`       | Not tested yet                   |
+| manual                                                 | -              | YES                              |
+| [Namecheap](https://www.namecheap.com)                 | `namecheap`    | Not tested yet                   |
+| [name.com](https://www.name.com/)                      | `namedotcom`   | Not tested yet                   |
+| [Ns1](https://ns1.com/)                                | `ns1`          | Not tested yet                   |
+| [Open Telekom Cloud](https://cloud.telekom.de/en/)     | `otc`          | Not tested yet                   |
+| [OVH](https://www.ovh.com)                             | `ovh`          | YES                              |
+| [PowerDNS](https://www.powerdns.com)                   | `pdns`         | Not tested yet                   |
+| [Rackspace](https://www.rackspace.com/cloud/dns)       | `rackspace`    | Not tested yet                   |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)         | `rfc2136`      | Not tested yet                   |
+| [Route 53](https://aws.amazon.com/route53/)            | `route53`      | YES                              |
+| [VULTR](https://www.vultr.com)                         | `vultr`        | Not tested yet                   |
+
+## ACME V2 migration
+
+During migration from ACME V1 to ACME V2 with a storage file, a backup is created with the content of the ACME V1 file.
+To obtain the name of the backup file, Træfik concatenates the option `acme.storage` and the suffix `.bak`.
+
+For example : if `acme.storage` value is `/etc/traefik/acme/acme.json`, the backup file will be named `/etc/traefik/acme/acme.json.bak`.
+
+!!! note
+    When Træfik is launched in a container, do not forget to create a volume of the parent folder to get the backup file on the host.
+    Otherwise, the backup file will be deleted when the container will be stopped and Træfik will not generate it again.
--- a/docs/configuration/api.md
+++ b/docs/configuration/api.md
@@ -0,0 +1,328 @@
+# API Definition
+
+## Configuration
+
+```toml
+# API definition
+[api]
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  entryPoint = "traefik"
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard = true
+
+  # Enable debug mode.
+  # This will install HTTP handlers to expose Go expvars under /debug/vars and
+  # pprof profiling data under /debug/pprof.
+  # Additionally, the log level will be set to DEBUG.
+  #
+  # Optional
+  # Default: false
+  #
+  debug = true
+```
+
+For more customization, see [entry points](/configuration/entrypoints/) documentation and [examples](/user-guide/examples/#ping-health-check).
+
+## Web UI
+
+![Web UI Providers](/img/web.frontend.png)
+
+![Web UI Health](/img/traefik-health.png)
+
+## API
+
+| Path                                                            | Method           | Description                               |
+|-----------------------------------------------------------------|------------------|-------------------------------------------|
+| `/`                                                             |     `GET`        | Provides a simple HTML frontend of Træfik |
+| `/cluster/leader`                                               |     `GET`        | JSON leader true/false response           |
+| `/health`                                                       |     `GET`        | JSON health metrics                       |
+| `/api`                                                          |     `GET`        | Configuration for all providers           |
+| `/api/providers`                                                |     `GET`        | Providers                                 |
+| `/api/providers/{provider}`                                     |     `GET`, `PUT` | Get or update provider (1)                |
+| `/api/providers/{provider}/backends`                            |     `GET`        | List backends                             |
+| `/api/providers/{provider}/backends/{backend}`                  |     `GET`        | Get backend                               |
+| `/api/providers/{provider}/backends/{backend}/servers`          |     `GET`        | List servers in backend                   |
+| `/api/providers/{provider}/backends/{backend}/servers/{server}` |     `GET`        | Get a server in a backend                 |
+| `/api/providers/{provider}/frontends`                           |     `GET`        | List frontends                            |
+| `/api/providers/{provider}/frontends/{frontend}`                |     `GET`        | Get a frontend                            |
+| `/api/providers/{provider}/frontends/{frontend}/routes`         |     `GET`        | List routes in a frontend                 |
+| `/api/providers/{provider}/frontends/{frontend}/routes/{route}` |     `GET`        | Get a route in a frontend                 |
+
+<1> See [Rest](/configuration/backends/rest/#api) for more information.
+
+!!! warning
+    For compatibility reason, when you activate the rest provider, you can use `web` or `rest` as `provider` value.
+    But be careful, in the configuration for all providers the key is still `web`.
+
+### Address / Port
+
+You can define a custom address/port like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+  [entryPoints.foo]
+  address = ":8082"
+
+  [entryPoints.bar]
+  address = ":8083"
+
+[ping]
+entryPoint = "foo"
+
+[api]
+entryPoint = "bar"
+```
+
+In the above example, you would access a regular path, administration panel, and health-check as follows:
+
+* Regular path: `http://hostname:80/path`
+* Admin Panel: `http://hostname:8083/`
+* Ping URL: `http://hostname:8082/ping`
+
+In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
+Otherwise, you are likely to expose _all_ services via that entry point.
+
+### Custom Path
+
+You can define a custom path like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+  [entryPoints.foo]
+  address = ":8080"
+
+  [entryPoints.bar]
+  address = ":8081"
+
+# Activate API and Dashboard
+[api]
+entryPoint = "bar"
+dashboard = true
+
+[file]
+  [backends]
+    [backends.backend1]
+      [backends.backend1.servers.server1]
+      url = "http://127.0.0.1:8081"
+
+  [frontends]
+    [frontends.frontend1]
+    entryPoints = ["foo"]
+    backend = "backend1"
+      [frontends.frontend1.routes.test_1]
+      rule = "PathPrefixStrip:/yourprefix;PathPrefix:/yourprefix"
+```
+
+### Authentication
+
+You can define the authentication like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+ [entryPoints.foo]
+   address=":8080"
+   [entryPoints.foo.auth]
+     [entryPoints.foo.auth.basic]
+       users = [
+         "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+         "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+       ]
+
+[api]
+entrypoint="foo"
+```
+
+For more information, see [entry points](/configuration/entrypoints/) .
+
+### Provider call example
+
+```shell
+curl -s "http://localhost:8080/api" | jq .
+```
+```json
+{
+  "file": {
+    "frontends": {
+      "frontend2": {
+        "routes": {
+          "test_2": {
+            "rule": "Path:/test"
+          }
+        },
+        "backend": "backend1"
+      },
+      "frontend1": {
+        "routes": {
+          "test_1": {
+            "rule": "Host:test.localhost"
+          }
+        },
+        "backend": "backend2"
+      }
+    },
+    "backends": {
+      "backend2": {
+        "loadBalancer": {
+          "method": "drr"
+        },
+        "servers": {
+          "server2": {
+            "weight": 2,
+            "URL": "http://172.17.0.5:80"
+          },
+          "server1": {
+            "weight": 1,
+            "url": "http://172.17.0.4:80"
+          }
+        }
+      },
+      "backend1": {
+        "loadBalancer": {
+          "method": "wrr"
+        },
+        "circuitBreaker": {
+          "expression": "NetworkErrorRatio() > 0.5"
+        },
+        "servers": {
+          "server2": {
+            "weight": 1,
+            "url": "http://172.17.0.3:80"
+          },
+          "server1": {
+            "weight": 10,
+            "url": "http://172.17.0.2:80"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### Cluster Leadership
+
+```shell
+curl -s "http://localhost:8080/cluster/leader" | jq .
+```
+```shell
+< HTTP/1.1 200 OK
+< Content-Type: application/json; charset=UTF-8
+< Date: xxx
+< Content-Length: 15
+```
+If the given node is not a cluster leader, an HTTP status of `429-Too-Many-Requests` will be returned.
+```json
+{
+  // current leadership status of the queried node
+  "leader": true
+}
+```
+
+### Health
+
+```shell
+curl -s "http://localhost:8080/health" | jq .
+```
+```json
+{
+  // Træfik PID
+  "pid": 2458,
+  // Træfik server uptime (formated time)
+  "uptime": "39m6.885931127s",
+  //  Træfik server uptime in seconds
+  "uptime_sec": 2346.885931127,
+  // current server date
+  "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
+  // current server date in seconds
+  "unixtime": 1444235544,
+  // count HTTP response status code in realtime
+  "status_code_count": {
+    "502": 1
+  },
+  // count HTTP response status code since Træfik started
+  "total_status_code_count": {
+    "200": 7,
+    "404": 21,
+    "502": 13
+  },
+  // count HTTP response
+  "count": 1,
+  // count HTTP response
+  "total_count": 41,
+  // sum of all response time (formated time)
+  "total_response_time": "35.456865605s",
+  // sum of all response time in seconds
+  "total_response_time_sec": 35.456865605,
+  // average response time (formated time)
+  "average_response_time": "864.8016ms",
+  // average response time in seconds
+  "average_response_time_sec": 0.8648016000000001,
+
+  // request statistics [requires --statistics to be set]
+  // ten most recent requests with 4xx and 5xx status codes
+  "recent_errors": [
+    {
+      // status code
+      "status_code": 500,
+      // description of status code
+      "status": "Internal Server Error",
+      // request HTTP method
+      "method": "GET",
+      // request hostname
+      "host": "localhost",
+      // request path
+      "path": "/path",
+      // RFC 3339 formatted date/time
+      "time": "2016-10-21T16:59:15.418495872-07:00"
+    }
+  ]
+}
+```
+
+## Metrics
+
+You can enable Traefik to export internal metrics to different monitoring systems.
+
+```toml
+[api]
+  # ...
+
+  # Enable more detailed statistics.
+  [api.statistics]
+
+    # Number of recent errors logged.
+    #
+    # Default: 10
+    #
+    recentErrors = 10
+
+  # ...
+```
+
+| Path       | Method        | Description             |
+|------------|---------------|-------------------------|
+| `/metrics` |     `GET`     | Export internal metrics |
--- a/docs/configuration/backends/boltdb.md
+++ b/docs/configuration/backends/boltdb.md
@@ -53,7 +53,7 @@ filename = "boltdb.tmpl"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/boltdb.crt"
 #    key = "/etc/ssl/boltdb.key"
-#    insecureskipverify = true
+#    insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
--- a/docs/configuration/backends/consul.md
+++ b/docs/configuration/backends/consul.md
@@ -1,6 +1,4 @@
-# Consul Backend
-
-## Consul Key-Value backend
+# Consul Key-Value Backend

 Træfik can be configured to use Consul as a backend configuration.

@@ -55,79 +53,9 @@ prefix = "traefik"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/consul.crt"
 #    key = "/etc/ssl/consul.key"
-#    insecureskipverify = true
+#    insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).

 Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
-
-
-## Consul Catalog backend
-
-Træfik can be configured to use service discovery catalog of Consul as a backend configuration.
-
-```toml
-################################################################
-# Consul Catalog configuration backend
-################################################################
-
-# Enable Consul Catalog configuration backend.
-[consulCatalog]
-
-# Consul server endpoint.
-#
-# Required
-# Default: "127.0.0.1:8500"
-#
-endpoint = "127.0.0.1:8500"
-
-# Expose Consul catalog services by default in Traefik.
-#
-# Optional
-# Default: true
-#
-exposedByDefault = false
-
-# Prefix for Consul catalog tags.
-#
-# Optional
-# Default: "traefik"
-#
-prefix = "traefik"
-
-# Default frontEnd Rule for Consul services.
-#
-# The format is a Go Template with:
-# - ".ServiceName", ".Domain" and ".Attributes" available
-# - "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
-# - "getAttribute(...)" function uses prefixed tag names based on "prefix" value
-#
-# Optional
-# Default: "Host:{{.ServiceName}}.{{.Domain}}"
-#
-#frontEndRule = "Host:{{.ServiceName}}.{{Domain}}"
-```
-
-This backend will create routes matching on hostname based on the service name used in Consul.
-
-To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
-
-### Tags
-
-Additional settings can be defined using Consul Catalog tags.
-
-| Tag                                               | Description                                                                                                                                                                        |
-|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                   |
-| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                               |
-| `traefik.backend.weight=10`                       | Assign this weight to the container                                                                                                                                                |
-| `traefik.backend.circuitbreaker=EXPR`             | Create a [circuit breaker](/basics/#backends) to be used against the backend, ex: `NetworkErrorRatio() > 0.`                                                                       |
-| `traefik.backend.loadbalancer=drr`                | Override the default load balancing mode                                                                                                                                           |
-| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
-| `traefik.frontend.rule=Host:test.traefik.io`      | Override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}`).                                                                                                 |
-| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                       |
-| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                 |
-| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                   |
--- a/docs/configuration/backends/consulcatalog.md
+++ b/docs/configuration/backends/consulcatalog.md
@@ -0,0 +1,183 @@
+# Consul Catalog backend
+
+Træfik can be configured to use service discovery catalog of Consul as a backend configuration.
+
+```toml
+################################################################
+# Consul Catalog configuration backend
+################################################################
+
+# Enable Consul Catalog configuration backend.
+[consulCatalog]
+
+# Consul server endpoint.
+#
+# Required
+# Default: "127.0.0.1:8500"
+#
+endpoint = "127.0.0.1:8500"
+
+# Expose Consul catalog services by default in Traefik.
+#
+# Optional
+# Default: true
+#
+exposedByDefault = false
+
+# Default domain used.
+#
+# Optional
+#
+domain = "consul.localhost"
+
+# Prefix for Consul catalog tags.
+#
+# Optional
+# Default: "traefik"
+#
+prefix = "traefik"
+
+# Default frontEnd Rule for Consul services.
+#
+# The format is a Go Template with:
+# - ".ServiceName", ".Domain" and ".Attributes" available
+# - "getTag(name, tags, defaultValue)", "hasTag(name, tags)" and "getAttribute(name, tags, defaultValue)" functions are available
+# - "getAttribute(...)" function uses prefixed tag names based on "prefix" value
+#
+# Optional
+# Default: "Host:{{.ServiceName}}.{{.Domain}}"
+#
+#frontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
+
+# Enable Consul catalog TLS connection.
+#
+# Optional
+#
+#    [consulCatalog.tls]
+#    ca = "/etc/ssl/ca.crt"
+#    cert = "/etc/ssl/consul.crt"
+#    key = "/etc/ssl/consul.key"
+#    insecureSkipVerify = true
+
+# Override default configuration template.
+# For advanced users :)
+#
+# Optional
+#
+# filename = "consulcatalog.tmpl"
+
+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
+```
+
+This backend will create routes matching on hostname based on the service name used in Consul.
+
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
+
+## Tags
+
+Additional settings can be defined using Consul Catalog tags.
+
+!!! note
+    The default prefix is `traefik`.
+
+| Label                                                       | Description                                                                                                                                                                                                            |
+|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `<prefix>.enable=false`                                     | Disable this container in Træfik.                                                                                                                                                                                      |
+| `<prefix>.protocol=https`                                   | Override the default `http` protocol.                                                                                                                                                                                  |
+| `<prefix>.weight=10`                                        | Assign this weight to the container.                                                                                                                                                                                   |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.retryExpression=EXPR`            | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `<prefix>.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.`                                                                                                           |
+| `<prefix>.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
+| `<prefix>.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
+| `<prefix>.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                      |
+| `<prefix>.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm.                                                                                                                                                                    |
+| `<prefix>.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions.                                                                                                                                                                                        |
+| `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions.                                                                                                                                                                      |
+| `<prefix>.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions. (DEPRECATED)                                                                                                                                                                           |
+| `<prefix>.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
+| `<prefix>.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
+| `<prefix>.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
+| `<prefix>.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
+| `<prefix>.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `<prefix>.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `<prefix>.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `<prefix>.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
+| `<prefix>.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
+| `<prefix>.frontend.priority=10`                             | Override default frontend priority.                                                                                                                                                                                    |
+| `<prefix>.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `<prefix>.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                                                                                                                                 |
+| `<prefix>.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
+| `<prefix>.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
+| `<prefix>.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
+| `<prefix>.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`.                                                                                                                                      |
+| `<prefix>.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `<prefix>.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+
+### Custom Headers
+
+!!! note
+    The default prefix is `traefik`.
+
+| Label                                                  | Description                                                                                                                                                                         |
+|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `<prefix>.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `<prefix>.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+### Security Headers
+
+!!! note
+    The default prefix is `traefik`.
+
+| Label                                                     | Description                                                                                                                                                                                         |
+|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `<prefix>.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `<prefix>.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `<prefix>.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `<prefix>.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `<prefix>.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `<prefix>.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `<prefix>.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `<prefix>.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `<prefix>.frontend.headers.hostsProxyHeaders=EXPR`        | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `<prefix>.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `<prefix>.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `<prefix>.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `<prefix>.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `<prefix>.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `<prefix>.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `<prefix>.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `<prefix>.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `<prefix>.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `<prefix>.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+
+### Examples
+
+If you want that Træfik uses Consul tags correctly you need to defined them like that:
+
+```js
+traefik.enable=true
+traefik.tags=api
+traefik.tags=external
+```
+
+If the prefix defined in Træfik configuration is `bla`, tags need to be defined like that:
+
+```js
+bla.enable=true
+bla.tags=api
+bla.tags=external
+```
--- a/docs/configuration/backends/docker.md
+++ b/docs/configuration/backends/docker.md
@@ -1,3 +1,4 @@
+
 # Docker Backend

 Træfik can be configured to use Docker as a backend configuration.
@@ -38,13 +39,22 @@ watch = true
 #
 # filename = "docker.tmpl"

+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
+
 # Expose containers by default in Traefik.
 # If set to false, containers that don't have `traefik.enable=true` will be ignored.
 #
 # Optional
 # Default: true
 #
-exposedbydefault = true
+exposedByDefault = true

 # Use the IP address from the binded port instead of the inner network one.
 # For specific use-case :)
@@ -59,7 +69,7 @@ usebindportip = true
 # Optional
 # Default: false
 #
-swarmmode = false
+swarmMode = false

 # Enable docker TLS connection.
 #
@@ -69,7 +79,7 @@ swarmmode = false
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
-#  insecureskipverify = true
+#  insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
@@ -79,7 +89,7 @@ To enable constraints see [backend-specific constraints section](/configuration/

 ```toml
 ################################################################
-# Docker Swarmmode configuration backend
+# Docker Swarm Mode configuration backend
 ################################################################

 # Enable Docker configuration backend.
@@ -113,7 +123,7 @@ watch = true
 # Optional
 # Default: false
 #
-swarmmode = true
+swarmMode = true

 # Override default configuration template.
 # For advanced users :)
@@ -122,12 +132,21 @@ swarmmode = true
 #
 # filename = "docker.tmpl"

+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
+
 # Expose services by default in Traefik.
 #
 # Optional
 # Default: true
 #
-exposedbydefault = false
+exposedByDefault = false

 # Enable docker TLS connection.
 #
@@ -137,55 +156,198 @@ exposedbydefault = false
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
-#  insecureskipverify = true
+#  insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).

-## Labels: overriding default behaviour
+## Labels: overriding default behavior
+
+### Using Docker with Swarm Mode
+
+If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
+
+```yaml
+version: "3"
+services:
+  whoami:
+    deploy:
+      labels:
+        traefik.docker.network: traefik
+```
+
+### Using Docker Compose
+
+If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored.
+
+```yaml
+version: "3"
+services:
+  whoami:
+    labels:
+      traefik.docker.network: traefik
+```

 ### On Containers

-Labels can be used on containers to override default behaviour.
+Labels can be used on containers to override default behavior.

-| Label                                             | Description                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.backend=foo`                             | Give the name `foo` to the generated backend for this container.                                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.backend.maxconn.amount=10`               | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                                                                                                                                                                                                                                                                          |
-| `traefik.backend.maxconn.extractorfunc=client.ip` | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.                                                                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.method=drr`         | Override the default `wrr` load balancer algorithm                                                                                                                                                                                                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.sticky=true`        | Enable backend sticky sessions                                                                                                                                                                                                                                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.swarm=true`         | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                                                                                                                                                                                                                           |
-| `traefik.backend.circuitbreaker.expression=EXPR`  | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                                                                                                                                                                                                                  |
-| `traefik.port=80`                                 | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                                                                                                                                                                                                                        |
-| `traefik.protocol=https`                          | Override the default `http` protocol                                                                                                                                                                                                                                                                                                                                                                                          |
-| `traefik.weight=10`                               | Assign this weight to the container                                                                                                                                                                                                                                                                                                                                                                                           |
-| `traefik.enable=false`                            | Disable this container in Træfik                                                                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.frontend.rule=EXPR`                      | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                                                                                                                                                                                                                   |
-| `traefik.frontend.passHostHeader=true`            | Forward client `Host` header to the backend.                                                                                                                                                                                                                                                                                                                                                                                  |
-| `traefik.frontend.priority=10`                    | Override default frontend priority                                                                                                                                                                                                                                                                                                                                                                                            |
-| `traefik.frontend.entryPoints=http,https`         | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                                                                                                                                                                                                                                       |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                                                                                                                                                                                                                              |
-| `traefik.frontend.whitelistSourceRange:RANGE`     | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.                                                                                                                                                                                                           |
-| `traefik.docker.network`                          | Set the docker network to use for connections to this container. If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them). For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name. |
+| Label                                                      | Description                                                                                                                                                                                                               |
+|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.docker.network`                                   | Set the docker network to use for connections to this container. [1]                                                                                                                                                      |
+| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                   |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                          |
+| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                    |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                      |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                       |
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                          |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
+| `traefik.backend.loadbalancer.swarm=true`                  | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                       |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                          |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                               |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |

-### On Service
+[1] `traefik.docker.network`:
+If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them).
+For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name.
+Or if your service references external network use it's name instead.

-Services labels can be used for overriding default behaviour
+#### Custom Headers

-| Label                                             | Description                                                                                      |
-|---------------------------------------------------|--------------------------------------------------------------------------------------------------|
-| `traefik.<service-name>.port=PORT`                | Overrides `traefik.port`. If several ports need to be exposed, the service labels could be used. |
-| `traefik.<service-name>.protocol`                 | Overrides `traefik.protocol`.                                                                    |
-| `traefik.<service-name>.weight`                   | Assign this service weight. Overrides `traefik.weight`.                                          |
-| `traefik.<service-name>.frontend.backend=BACKEND` | Assign this service frontend to `BACKEND`. Default is to assign to the service backend.          |
-| `traefik.<service-name>.frontend.entryPoints`     | Overrides `traefik.frontend.entrypoints`                                                         |
-| `traefik.<service-name>.frontend.auth.basic`      | Sets a Basic Auth for that frontend                                                              |
-| `traefik.<service-name>.frontend.passHostHeader`  | Overrides `traefik.frontend.passHostHeader`.                                                     |
-| `traefik.<service-name>.frontend.priority`        | Overrides `traefik.frontend.priority`.                                                           |
-| `traefik.<service-name>.frontend.rule`            | Overrides `traefik.frontend.rule`.                                                               |
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+#### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+
+### On containers with Multiple Ports (segment labels)
+
+Segment labels are used to define routes to a container exposing multiple ports.
+A segment is a group of labels that apply to a port exposed by a container.
+You can define as many segments as ports exposed in a container.
+
+Segment labels override the default behavior.
+
+| Label                                                                     | Description                                                 |
+|---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
+| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+
+#### Custom Headers
+
+| Label                                                                | Description                                              |
+|----------------------------------------------------------------------|----------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
+| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
+
+#### Security Headers
+
+| Label                                                                   | Description                                                  |
+|-------------------------------------------------------------------------|--------------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
+| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
+| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
+| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
+| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
+| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
+| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
+| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
+| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
+| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
+| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
+| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
+| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
+| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
+| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
+| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
+| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
+| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
+| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |
+
+!!! note
+    If a label is defined both as a `container label` and a `segment label` (for example `traefik.<segment_name>.port=PORT` and `traefik.port=PORT` ), the `segment label` is used to defined the `<segment_name>` property (`port` in the example).
+
+    It's possible to mix `container labels` and `segment labels`, in this case `container labels` are used as default value for missing `segment labels` but no frontends are going to be created with the `container labels`.
+
+    More details in this [example](/user-guide/docker-and-lets-encrypt/#labels).

 !!! warning
-    when running inside a container, Træfik will need network access through:
+    When running inside a container, Træfik will need network access through:

    `docker network connect <network> <traefik-container>`
--- a/docs/configuration/backends/dynamodb.md
+++ b/docs/configuration/backends/dynamodb.md
@@ -39,13 +39,13 @@ watch = true
 #
 refreshSeconds = 15

-# AccessKeyID to use when connecting to AWS.
+# Access Key ID to use when connecting to AWS.
 #
 # Optional
 #
 accessKeyID = "abc"

-# SecretAccessKey to use when connecting to AWS.
+# Secret Access Key to use when connecting to AWS.
 #
 # Optional
 #
--- a/docs/configuration/backends/ecs.md
+++ b/docs/configuration/backends/ecs.md
@@ -33,6 +33,7 @@ clusters = ["default"]
 watch = true

 # Default domain used.
+# Can be overridden by setting the "traefik.domain" label.
 #
 # Optional
 # Default: ""
@@ -66,13 +67,13 @@ exposedByDefault = false
 #
 region = "us-east-1"

-# AccessKeyID to use when connecting to AWS.
+# Access Key ID to use when connecting to AWS.
 #
 # Optional
 #
 accessKeyID = "abc"

-# SecretAccessKey to use when connecting to AWS.
+# Secret Access Key to use when connecting to AWS.
 #
 # Optional
 #
@@ -84,9 +85,18 @@ secretAccessKey = "123"
 # Optional
 #
 # filename = "ecs.tmpl"
+
+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
 ```

-If `AccessKeyID`/`SecretAccessKey` is not given credentials will be resolved in the following order:
+If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in the following order:

 - From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
 - Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
@@ -124,15 +134,76 @@ Træfik needs the following policy to read ECS information:

 Labels can be used on task containers to override default behaviour:

-| Label                                             | Description                                                                              |
-|---------------------------------------------------|------------------------------------------------------------------------------------------|
-| `traefik.protocol=https`                          | override the default `http` protocol                                                     |
-| `traefik.weight=10`                               | assign this weight to the container                                                      |
-| `traefik.enable=false`                            | disable this container in Træfik                                                         |
-| `traefik.backend.loadbalancer.method=drr`         | override the default `wrr` load balancer algorithm                                       |
-| `traefik.backend.loadbalancer.sticky=true`        | enable backend sticky sessions                                                           |
-| `traefik.frontend.rule=Host:test.traefik.io`      | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
-| `traefik.frontend.passHostHeader=true`            | forward client `Host` header to the backend.                                             |
-| `traefik.frontend.priority=10`                    | override default frontend priority                                                       |
-| `traefik.frontend.entryPoints=http,https`         | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
-| `traefik.frontend.auth.basic=EXPR`                | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`         |
+| Label                                                      | Description                                                                                                                                                                                                            |
+|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
+| `traefik.port=80`                                          | Override the default `port` value. Overrides `NetworkBindings` from Docker Container                                                                                                                                   |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                            |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{instance_name}.{domain}`.                                                                                                                                          |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+
+### Custom Headers
+
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
--- a/docs/configuration/backends/etcd.md
+++ b/docs/configuration/backends/etcd.md
@@ -31,6 +31,16 @@ watch = true
 #
 prefix = "/traefik"

+# Force to use API V3 (otherwise still use API V2)
+#
+# Deprecated
+#
+# Optional
+# Default: false
+#
+useAPIV3 = true
+
+
 # Override default configuration template.
 # For advanced users :)
 #
@@ -53,9 +63,13 @@ prefix = "/traefik"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/etcd.crt"
 #    key = "/etc/ssl/etcd.key"
-#    insecureskipverify = true
+#    insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).

 Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
+
+!!! note
+    The option `useAPIV3` allows using Etcd API V3 only if it's set to true.
+    This option is **deprecated** and API V2 won't be supported in the future.
--- a/docs/configuration/backends/eureka.md
+++ b/docs/configuration/backends/eureka.md
@@ -21,7 +21,7 @@ endpoint = "http://my.eureka.server/eureka"
 # Optional
 # Default: 30s
 #
-delay = "1m"
+refreshSeconds = "1m"

 # Override default configuration template.
 # For advanced users :)
--- a/docs/configuration/backends/file.md
+++ b/docs/configuration/backends/file.md
@@ -1,14 +1,159 @@
 # File Backends

-Like any other reverse proxy, Træfik can be configured with a file.
+Træfik can be configured with a file.

-You have three choices:
+## Reference

- [Simple](/configuration/backends/file/#simple)
- [Rules in a Separate File](/configuration/backends/file/#rules-in-a-separate-file)
- [Multiple `.toml` Files](/configuration/backends/file/#multiple-toml-files)
+```toml
+[file]

-## Simple
+# Backends
+[backends]
+
+  [backends.backend1]
+
+    [backends.backend1.servers]
+      [backends.backend1.servers.server0]
+        url = "http://10.10.10.1:80"
+        weight = 1
+      [backends.backend1.servers.server1]
+        url = "http://10.10.10.2:80"
+        weight = 2
+      # ...
+
+    [backends.backend1.circuitBreaker]
+      expression = "NetworkErrorRatio() > 0.5"
+
+    [backends.backend1.loadBalancer]
+      method = "drr"
+      [backends.backend1.loadBalancer.stickiness]
+        cookieName = "foobar"
+
+    [backends.backend1.maxConn]
+      amount = 10
+      extractorfunc = "request.host"
+
+    [backends.backend1.healthCheck]
+      path = "/health"
+      port = 88
+      interval = "30s"
+
+  [backends.backend2]
+    # ...
+
+# Frontends
+[frontends]
+
+  [frontends.frontend1]
+    entryPoints = ["http", "https"]
+    backend = "backend1"
+    passHostHeader = true
+    passTLSCert = true
+    priority = 42
+    basicAuth = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+
+    [frontends.frontend1.whiteList]
+      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
+      useXForwardedFor = true
+
+    [frontends.frontend1.routes]
+      [frontends.frontend1.routes.route0]
+        rule = "Host:test.localhost"
+      [frontends.frontend1.routes.Route1]
+        rule = "Method:GET"
+      # ...
+
+    [frontends.frontend1.headers]
+      allowedHosts = ["foobar", "foobar"]
+      hostsProxyHeaders = ["foobar", "foobar"]
+      SSLRedirect = true
+      SSLTemporaryRedirect = true
+      SSLHost = "foobar"
+      STSSeconds = 42
+      STSIncludeSubdomains = true
+      STSPreload = true
+      forceSTSHeader = true
+      frameDeny = true
+      customFrameOptionsValue = "foobar"
+      contentTypeNosniff = true
+      browserXSSFilter = true
+      contentSecurityPolicy = "foobar"
+      publicKey = "foobar"
+      referrerPolicy = "foobar"
+      isDevelopment = true
+      [frontends.frontend1.headers.customRequestHeaders]
+        X-Foo-Bar-01 = "foobar"
+        X-Foo-Bar-02 = "foobar"
+        # ...
+      [frontends.frontend1.headers.customResponseHeaders]
+        X-Foo-Bar-03 = "foobar"
+        X-Foo-Bar-04 = "foobar"
+        # ...
+      [frontends.frontend1.headers.SSLProxyHeaders]
+        X-Foo-Bar-05 = "foobar"
+        X-Foo-Bar-06 = "foobar"
+        # ...
+
+    [frontends.frontend1.errors]
+      [frontends.frontend1.errors.errorPage0]
+        status = ["500-599"]
+        backend = "error"
+        query = "/{status}.html"
+      [frontends.frontend1.errors.errorPage1]
+        status = ["404", "403"]
+        backend = "error"
+        query = "/{status}.html"
+      # ...
+
+    [frontends.frontend1.ratelimit]
+      extractorfunc = "client.ip"
+        [frontends.frontend1.ratelimit.rateset.rateset1]
+          period = "10s"
+          average = 100
+          burst = 200
+        [frontends.frontend1.ratelimit.rateset.rateset2]
+          period = "3s"
+          average = 5
+          burst = 10
+        # ...
+
+    [frontends.frontend1.redirect]
+      entryPoint = "https"
+      regex = "^http://localhost/(.*)"
+      replacement = "http://mydomain/$1"
+      permanent = true
+
+  [frontends.frontend2]
+    # ...
+
+# HTTPS certificates
+[[tls]]
+  entryPoints = ["https"]
+  [tls.certificate]
+    certFile = "path/to/my.cert"
+    keyFile = "path/to/my.key"
+
+[[tls]]
+  # ...
+```
+
+## Configuration Mode
+
+You have two choices:
+
+- [Rules in Træfik configuration file](/configuration/backends/file/#rules-in-trfik-configuration-file)
+- [Rules in dedicated files](/configuration/backends/file/#rules-in-dedicated-files)
+
+To enable the file backend, you must either pass the `--file` option to the Træfik binary or put the `[file]` section (with or without inner settings) in the configuration file.
+
+The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Træfik).
+
+TOML templating can be used if rules are not defined in the Træfik configuration file.
+
+### Rules in Træfik Configuration File

 Add your configuration at the end of the global configuration file `traefik.toml`:

@@ -17,152 +162,142 @@ defaultEntryPoints = ["http", "https"]

 [entryPoints]
  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
+    # ...
  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
+    # ...

 [file]

 # rules
 [backends]
  [backends.backend1]
-    [backends.backend1.circuitbreaker]
-    expression = "NetworkErrorRatio() > 0.5"
-    [backends.backend1.servers.server1]
-    url = "http://172.17.0.2:80"
-    weight = 10
-    [backends.backend1.servers.server2]
-    url = "http://172.17.0.3:80"
-    weight = 1
+    # ...
  [backends.backend2]
-    [backends.backend2.maxconn]
-    amount = 10
-    extractorfunc = "request.host"
-    [backends.backend2.LoadBalancer]
-    method = "drr"
-    [backends.backend2.servers.server1]
-    url = "http://172.17.0.4:80"
-    weight = 1
-    [backends.backend2.servers.server2]
-    url = "http://172.17.0.5:80"
-    weight = 2
+    # ...

 [frontends]
  [frontends.frontend1]
-  backend = "backend2"
-    [frontends.frontend1.routes.test_1]
-    rule = "Host:test.localhost"
-
+  # ...
  [frontends.frontend2]
-  backend = "backend1"
-  passHostHeader = true
-  priority = 10
-
-  # restrict access to this frontend to the specified list of IPv4/IPv6 CIDR Nets
-  # an unset or empty list allows all Source-IPs to access
-  # if one of the Net-Specifications are invalid, the whole list is invalid
-  # and allows all Source-IPs to access.
-  whitelistSourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
-
-  entrypoints = ["https"] # overrides defaultEntryPoints
-    [frontends.frontend2.routes.test_1]
-    rule = "Host:{subdomain:[a-z]+}.localhost"
-
+  # ...
  [frontends.frontend3]
-  entrypoints = ["http", "https"] # overrides defaultEntryPoints
-  backend = "backend2"
-  rule = "Path:/test"
+  # ...
+
+# HTTPS certificate
+[[tls]]
+  # ...
+
+[[tls]]
+  # ...
 ```

-## Rules in a Separate File
+!!! note
+    If `tls.entryPoints` is not defined, the certificate is attached to all the `defaultEntryPoints` with a TLS configuration.

-Put your rules in a separate file, for example `rules.toml`:
+!!! note
+    Adding certificates directly to the entryPoint is still maintained but certificates declared in this way cannot be managed dynamically.
+    It's recommended to use the file provider to declare certificates.
+
+!!! warning
+    TOML templating cannot be used if rules are defined in the Træfik configuration file.
+
+### Rules in Dedicated Files
+
+Træfik allows defining rules in one or more separate files.
+
+#### One Separate File
+
+You have to specify the file path in the `file.filename` option.

 ```toml
 # traefik.toml
+defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-      entryPoint = "https"
+    # ...
  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
-      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
+    # ...

 [file]
-filename = "rules.toml"
+  filename = "rules.toml"
+  watch = true
 ```

+The option `file.watch` allows Træfik to watch file changes automatically.
+
+#### Multiple Separated Files
+
+You could have multiple `.toml` files in a directory (and recursively in its sub-directories):
+
+```toml
+[file]
+  directory = "/path/to/config/"
+  watch = true
+```
+
+The option `file.watch` allows Træfik to watch file changes automatically.
+
+#### Separate Files Content
+
+If you are defining rules in one or more separate files, you can use two formats.
+
+##### Simple Format
+
+Backends, Frontends and TLS certificates are defined one at time, as described in the file `rules.toml`:
+
 ```toml
 # rules.toml
 [backends]
  [backends.backend1]
-    [backends.backend1.circuitbreaker]
-    expression = "NetworkErrorRatio() > 0.5"
-    [backends.backend1.servers.server1]
-    url = "http://172.17.0.2:80"
-    weight = 10
-    [backends.backend1.servers.server2]
-    url = "http://172.17.0.3:80"
-    weight = 1
+    # ...
  [backends.backend2]
-    [backends.backend2.maxconn]
-    amount = 10
-    extractorfunc = "request.host"
-    [backends.backend2.LoadBalancer]
-    method = "drr"
-    [backends.backend2.servers.server1]
-    url = "http://172.17.0.4:80"
-    weight = 1
-    [backends.backend2.servers.server2]
-    url = "http://172.17.0.5:80"
-    weight = 2
+    # ...

 [frontends]
  [frontends.frontend1]
-  backend = "backend2"
-    [frontends.frontend1.routes.test_1]
-    rule = "Host:test.localhost"
+  # ...
  [frontends.frontend2]
-  backend = "backend1"
-  passHostHeader = true
-  priority = 10
-  entrypoints = ["https"] # overrides defaultEntryPoints
-    [frontends.frontend2.routes.test_1]
-    rule = "Host:{subdomain:[a-z]+}.localhost"
+  # ...
  [frontends.frontend3]
-  entrypoints = ["http", "https"] # overrides defaultEntryPoints
-  backend = "backend2"
-  rule = "Path:/test"
+  # ...
+
+# HTTPS certificate
+[[tls]]
+  # ...
+
+[[tls]]
+  # ...
 ```

-## Multiple `.toml` Files
+##### TOML Templating

-You could have multiple `.toml` files in a directory:
+!!! warning
+    TOML templating can only be used **if rules are defined in one or more separate files**.
+    Templating will not work in the Træfik configuration file.
+
+Træfik allows using TOML templating.
+
+Thus, it's possible to define easily lot of Backends, Frontends and TLS certificates as described in the file `template-rules.toml` :

 ```toml
-[file]
-directory = "/path/to/config/"
-```
+# template-rules.toml
+[backends]
+{{ range $i, $e := until 100 }}
+  [backends.backend{{ $e }}]
+    #...
+{{ end }}

-If you want Træfik to watch file changes automatically, just add:
+[frontends]
+{{ range $i, $e := until 100 }}
+  [frontends.frontend{{ $e }}]
+    #...
+{{ end }}

-```toml
-[file]
-watch = true
+
+# HTTPS certificate
+{{ range $i, $e := until 100 }}
+[[tls]]
+    #...
+{{ end }}
 ```
--- a/docs/configuration/backends/kubernetes.md
+++ b/docs/configuration/backends/kubernetes.md
@@ -2,8 +2,7 @@

 Træfik can be configured to use Kubernetes Ingress as a backend configuration.

-See also [Kubernetes user guide](/user-guide/kubernetes). 
-
+See also [Kubernetes user guide](/user-guide/kubernetes).

 ## Configuration

@@ -44,86 +43,222 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 #
 # namespaces = ["default", "production"]

-# Ingress label selector to identify Ingress objects that should be processed.
+# Ingress label selector to filter Ingress objects that should be processed.
 #
 # Optional
 # Default: empty (process all Ingresses)
 #
 # labelselector = "A and not B"

+# Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
+# If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
+# Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
+#
+# Note : `ingressClass` option must begin with the "traefik" prefix.
+#
+# Optional
+# Default: empty
+#
+# ingressClass = "traefik-internal"
+
 # Disable PassHost Headers.
 #
 # Optional
 # Default: false
 #
 # disablePassHostHeaders = true
+
+# Enable PassTLSCert Headers.
+#
+# Optional
+# Default: false
+#
+# enablePassTLSCert = true
+
+# Override default configuration template.
+#
+# Optional
+# Default: <built-in template>
+#
+# filename = "kubernetes.tmpl"
 ```

 ### `endpoint`

-The Kubernetes server endpoint.
+The Kubernetes server endpoint as URL.

-When deployed as a replication controller in Kubernetes, Traefik will use the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` to construct the endpoint.
+When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` to construct the endpoint.

-Secure token will be found in `/var/run/secrets/kubernetes.io/serviceaccount/token` and SSL CA cert in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`
+The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are provided mounted automatically when deployed inside Kubernetes.

-The endpoint may be given to override the environment variable values.
+The endpoint may be specified to override the environment variable values inside a cluster.

 When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
 In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster from localhost.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted autentication and authorization of the associated kubeconfig.

 ### `labelselector`

-Ingress label selector to identify Ingress objects that should be processed.
+By default, Traefik processes all Ingress objects in the configured namespaces.
+A label selector can be defined to filter on specific Ingress objects only.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.

+### TLS communication between Traefik and backend pods
+
+Traefik automatically requests endpoint information based on the service provided in the ingress spec.
+Although traefik will connect directly to the endpoints (pods), it still checks the service port to see if TLS communication is required.
+If the service port defined in the ingress spec is 443, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
+
+!!! note
+    Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name. 
+    If this is not an option, you may need to skip TLS certificate verification.
+    See the [insecureSkipVerify](/configuration/commons/#main-section) setting for more details.

 ## Annotations

-Annotations can be used on containers to override default behaviour for the whole Ingress resource:
+### General annotations

- `traefik.frontend.rule.type: PathPrefixStrip`  
-    Override the default frontend rule type. Default: `PathPrefix`.
- `traefik.frontend.priority: 3`  
-    Override the default frontend rule priority.
+The following general annotations are applicable on the Ingress object:

-Annotations can be used on the Kubernetes service to override default behaviour:
+| Annotation                                                                      | Description                                                                                                                                     |
+|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.ingress.kubernetes.io/buffering: <YML>`                                | (3) See [buffering](/configuration/commons/#buffering) section.                                                                                 |
+| `traefik.ingress.kubernetes.io/error-pages: <YML>`                              | (1) See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                               |
+| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https`               | Override the default frontend endpoints.                                                                                                        |
+| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"`                           | Override the default frontend PassTLSCert value. Default: `false`.                                                                              |
+| `traefik.ingress.kubernetes.io/preserve-host: "true"`                           | Forward client `Host` header to the backend.                                                                                                    |
+| `traefik.ingress.kubernetes.io/priority: "3"`                                   | Override the default frontend rule priority.                                                                                                    |
+| `traefik.ingress.kubernetes.io/rate-limit: <YML>`                               | (2) See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                         |
+| `traefik.ingress.kubernetes.io/redirect-entry-point: https`                     | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                                                          |
+| `traefik.ingress.kubernetes.io/redirect-permanent: "true"`                      | Return 301 instead of 302.                                                                                                                      |
+| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)`          | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`.                               |
+| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1`        | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`.                                     |
+| `traefik.ingress.kubernetes.io/rewrite-target: /users`                          | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header.                               |
+| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip`                      | Override the default frontend rule type. Default: `PathPrefix`.                                                                                 |
+| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. |
+| `traefik.ingress.kubernetes.io/app-root: "/index.html"`                         | Redirects all requests for `/` to the defined path. (4)                                                                                         |

- `traefik.backend.loadbalancer.method=drr`  
-    Override the default `wrr` load balancer algorithm
- `traefik.backend.loadbalancer.sticky=true`      
-    Enable backend sticky sessions
+<1> `traefik.ingress.kubernetes.io/error-pages` example:

-You can find here an example [ingress](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml) and [replication controller](https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik.yaml).
+```yaml
+foo:
+  status:
+  - "404"
+  backend: bar
+  query: /bar
+fii:
+  status:
+  - "503"
+  - "500"
+  backend: bar
+  query: /bir
+```

-Additionally, an annotation can be used on Kubernetes services to set the [circuit breaker expression](/basics/#backends) for a backend.
+<2> `traefik.ingress.kubernetes.io/rate-limit` example:

- `traefik.backend.circuitbreaker: <expression>`  
-    Set the circuit breaker expression for the backend. Default: `nil`.
+```yaml
+extractorfunc: client.ip
+rateset:
+  bar:
+    period: 3s
+    average: 6
+    burst: 9
+  foo:
+    period: 6s
+    average: 12
+    burst: 18
+```

-As known from nginx when used as Kubernetes Ingress Controller, a list of IP-Ranges which are allowed to access can be configured by using an ingress annotation:
+<3> `traefik.ingress.kubernetes.io/buffering` example:

- `ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"`
+```yaml
+maxrequestbodybytes: 10485760
+memrequestbodybytes: 2097153
+maxresponsebodybytes: 10485761
+memresponsebodybytes: 2097152
+retryexpression: IsNetworkError() && Attempts() <= 2
+```

-An unset or empty list allows all Source-IPs to access.
-If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.
+<4> `traefik.ingress.kubernetes.io/app-root`:
+Non-root paths will not be affected by this annotation and handled normally.
+This annotation may not be combined with the `ReplacePath` rule type or any other annotation leveraging that rule type.
+Trying to do so leads to an error and the corresponding Ingress object being ignored.

+!!! note
+    Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case).
+
+The following annotations are applicable on the Service object associated with a particular Ingress object:
+
+| Annotation                                                               | Description                                                                                                                                                                           |
+|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend.loadbalancer.sticky: "true"`                            | Enable backend sticky sessions (DEPRECATED).                                                                                                                                          |
+| `traefik.ingress.kubernetes.io/affinity: "true"`                         | Enable backend sticky sessions.                                                                                                                                                       |
+| `traefik.ingress.kubernetes.io/circuit-breaker-expression: <expression>` | Set the circuit breaker expression for the backend.                                                                                                                                   |
+| `traefik.ingress.kubernetes.io/load-balancer-method: drr`                | Override the default `wrr` load balancer algorithm.                                                                                                                                   |
+| `traefik.ingress.kubernetes.io/max-conn-amount: 10`                      | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip`       | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
+| `traefik.ingress.kubernetes.io/session-cookie-name: <NAME>`              | Manually set the cookie name for sticky sessions.                                                                                                                                     |
+
+!!! note
+    `traefik.ingress.kubernetes.io/` and `ingress.kubernetes.io/` are supported prefixes.
+
+### Custom Headers Annotations
+
+|                        Annotation                     |                                                                                             Description                                                                          |
+| ------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ingress.kubernetes.io/custom-request-headers: EXPR`  | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `ingress.kubernetes.io/custom-response-headers: EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+### Security Headers Annotations
+
+The following security annotations are applicable on the Ingress object:
+
+|                        Annotation                         |                                                                                             Description                                                                                             |
+| ----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ingress.kubernetes.io/allowed-hosts: EXPR`               | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2`                                                                                                             |
+| `ingress.kubernetes.io/browser-xss-filter: "true"`        | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `ingress.kubernetes.io/content-security-policy: VALUE`    | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `ingress.kubernetes.io/content-type-nosniff: "true"`      | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `ingress.kubernetes.io/custom-browser-xss-value: VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `ingress.kubernetes.io/force-hsts: "false"`               | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `ingress.kubernetes.io/frame-deny: "false"`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `ingress.kubernetes.io/hsts-max-age: "315360000"`         | Sets the max-age of the HSTS header.                                                                                                                                                                |
+| `ingress.kubernetes.io/hsts-include-subdomains: "true"`   | Adds the IncludeSubdomains section of the STS  header.                                                                                                                                              |
+| `ingress.kubernetes.io/hsts-preload: "true"`              | Adds the preload flag to the HSTS  header.                                                                                                                                                          |
+| `ingress.kubernetes.io/is-development: "false"`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `ingress.kubernetes.io/proxy-headers: EXPR`               | Provides a list of headers that the proxied hostname may be stored. Format:  `HEADER1,HEADER2`                                                                                                      |
+| `ingress.kubernetes.io/public-key: VALUE`                 | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `ingress.kubernetes.io/referrer-policy: VALUE`            | Adds referrer policy  header.                                                                                                                                                                       |
+| `ingress.kubernetes.io/ssl-redirect: "true"`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `ingress.kubernetes.io/ssl-temporary-redirect: "true"`    | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `ingress.kubernetes.io/ssl-host: HOST`                    | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `ingress.kubernetes.io/ssl-proxy-headers: EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |

 ### Authentication

-Is possible to add additional authentication annotations in the Ingress rule.
-The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
+Additional authentication annotations can be added to the Ingress object.
+The source of the authentication is a Secret object that contains the credentials.

- `ingress.kubernetes.io/auth-type`: `basic`
- `ingress.kubernetes.io/auth-secret`  
-    Contains the usernames and passwords with access to the paths defined in the Ingress Rule.
+| Annotation                                    | Description                                                                                                 |
+|-----------------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| `ingress.kubernetes.io/auth-type: basic`      | Contains the authentication type. The only permitted type is `basic`.                                       |
+| `ingress.kubernetes.io/auth-secret: mysecret` | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |

-The secret must be created in the same namespace as the Ingress rule.
+The secret must be created in the same namespace as the Ingress object.

-Limitations:
+The following limitations hold:

- Basic authentication only.
- Realm not configurable; only `traefik` default.
- Secret must contain only single file.
+- The realm is not configurable; the only supported (and default) value is `traefik`.
+- The Secret must contain a single file only.
+
+### TLS certificates management
+
+TLS certificates can be managed in Secrets objects.
+More information are available in the  [User Guide](/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress).
+
+!!! note
+    Only TLS certificates provided by users can be stored in Kubernetes Secrets.
+    [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet. 
--- a/docs/configuration/backends/marathon.md
+++ b/docs/configuration/backends/marathon.md
@@ -3,7 +3,7 @@
 Træfik can be configured to use Marathon as a backend configuration.

 See also [Marathon user guide](/user-guide/marathon).
- 
+

 ## Configuration

@@ -45,6 +45,15 @@ domain = "marathon.localhost"
 #
 # filename = "marathon.tmpl"

+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
+
 # Expose Marathon apps by default in Traefik.
 #
 # Optional
@@ -68,6 +77,16 @@ domain = "marathon.localhost"
 #
 # marathonLBCompatibility = true

+# Enable filtering using Marathon constraints..
+# If enabled, Traefik will read Marathon constraints, as defined in https://mesosphere.github.io/marathon/docs/constraints.html
+# Each individual constraint will be treated as a verbatim compounded tag.
+# i.e. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":"
+#
+# Optional
+# Default: false
+#
+# filterMarathonConstraints = true
+
 # Enable Marathon basic authentication.
 #
 # Optional
@@ -84,7 +103,7 @@ domain = "marathon.localhost"
 #    CA = "/etc/ssl/ca.crt"
 #    Cert = "/etc/ssl/marathon.cert"
 #    Key = "/etc/ssl/marathon.key"
-#    InsecureSkipVerify = true
+#    insecureSkipVerify = true

 # DCOSToken for DCOS environment.
 # This will override the Authorization header.
@@ -140,47 +159,155 @@ domain = "marathon.localhost"

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).

+## Labels: overriding default behavior

-## Labels: overriding default behaviour
+Marathon labels may be used to dynamically change the routing and forwarding behavior.

-### On Containers
+They may be specified on one of two levels: Application or service.

-Labels can be used on containers to override default behaviour:
+### Application Level

-| Label                                                                 | Description                                                                                                                                                                        |
-|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.backend=foo`                                                 | assign the application to `foo` backend                                                                                                                                            |
-| `traefik.backend.maxconn.amount=10`                                   | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                     | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
-| `traefik.backend.loadbalancer.method=drr`                             | override the default `wrr` load balancer algorithm                                                                                                                                 |
-| `traefik.backend.loadbalancer.sticky=true`                            | enable backend sticky sessions                                                                                                                                                     |
-| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                       |
-| `traefik.backend.healthcheck.path=/health`                            | set the Traefik health check path [default: no health checks]                                                                                                                      |
-| `traefik.backend.healthcheck.interval=5s`                             | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s]                                                                                   |
-| `traefik.portIndex=1`                                                 | register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                       |
-| `traefik.port=80`                                                     | register the explicit application port value. Cannot be used alongside `traefik.portIndex`.                                                                                        |
-| `traefik.protocol=https`                                              | override the default `http` protocol                                                                                                                                               |
-| `traefik.weight=10`                                                   | assign this weight to the application                                                                                                                                              |
-| `traefik.enable=false`                                                | disable this application in Træfik                                                                                                                                                 |
-| `traefik.frontend.rule=Host:test.traefik.io`                          | override the default frontend rule (Default: `Host:{containerName}.{domain}`).                                                                                                     |
-| `traefik.frontend.passHostHeader=true`                                | forward client `Host` header to the backend.                                                                                                                                       |
-| `traefik.frontend.priority=10`                                        | override default frontend priority                                                                                                                                                 |
-| `traefik.frontend.entryPoints=http,https`                             | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
-| `traefik.frontend.auth.basic=EXPR`                                    | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.                                                                                                  |
+The following labels can be defined on Marathon applications. They adjust the behavior for the entire application.

-### On Services
+| Label                                                      | Description                                                                                                                                                                                                            |
+|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
+| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                 |
+| `traefik.portIndex=1`                                      | Register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                           |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                            |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{sub_domain}.{domain}`.                                                                                                                                             |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |

-If several ports need to be exposed from a container, the services labels can be used:
+#### Custom Headers

-| Label                                                  | Description                                                                                          |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------|
-| `traefik.<service-name>.port=443`                      | create a service binding with frontend/backend using this port. Overrides `traefik.port`.            |
-| `traefik.<service-name>.portIndex=1`                   | create a service binding with frontend/backend using this port index. Overrides `traefik.portIndex`. |
-| `traefik.<service-name>.protocol=https`                | assign `https` protocol. Overrides `traefik.protocol`.                                               |
-| `traefik.<service-name>.weight=10`                     | assign this service weight. Overrides `traefik.weight`.                                              |
-| `traefik.<service-name>.frontend.backend=fooBackend`   | assign this service frontend to `foobackend`. Default is to assign to the service backend.           |
-| `traefik.<service-name>.frontend.entryPoints=http`     | assign this service entrypoints. Overrides `traefik.frontend.entrypoints`.                           |
-| `traefik.<service-name>.frontend.auth.basic=test:EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                     |
-| `traefik.<service-name>.frontend.passHostHeader=true`  | Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader`.            |
-| `traefik.<service-name>.frontend.priority=10`          | assign the service frontend priority. Overrides `traefik.frontend.priority`.                         |
-| `traefik.<service-name>.frontend.rule=Path:/foo`       | assign the service frontend rule. Overrides `traefik.frontend.rule`.                                 |
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+|
+
+#### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+
+### Applications with Multiple Ports (segment labels)
+
+Segment labels are used to define routes to an application exposing multiple ports.
+A segment is a group of labels that apply to a port exposed by an application.
+You can define as many segments as ports exposed in an application.
+
+Segment labels override the default behavior.
+
+| Label                                                                     | Description                                                 |
+|---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
+| `traefik.<segment_name>.portIndex=1`                                      | Same as `traefik.portIndex`                                 |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
+| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+
+#### Custom Headers
+
+| Label                                                                | Description                                              |
+|----------------------------------------------------------------------|----------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
+| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
+
+#### Security Headers
+
+| Label                                                                   | Description                                                  |
+|-------------------------------------------------------------------------|--------------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
+| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
+| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
+| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
+| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
+| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
+| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
+| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
+| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
+| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
+| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
+| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
+| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
+| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
+| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
+| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
+| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
+| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
+| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |
--- a/docs/configuration/backends/mesos.md
+++ b/docs/configuration/backends/mesos.md
@@ -34,6 +34,13 @@ watch = true
 #
 domain = "mesos.localhost"

+# Expose Mesos apps by default in Traefik.
+#
+# Optional
+# Default: true
+#
+# exposedByDefault = false
+
 # Override default configuration template.
 # For advanced users :)
 #
@@ -41,46 +48,48 @@ domain = "mesos.localhost"
 #
 # filename = "mesos.tmpl"

-# Expose Mesos apps by default in Traefik.
+# Override template version
+# For advanced users :)
 #
 # Optional
-# Default: true
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
 #
-# ExposedByDefault = false
+# templateVersion = 2

 # TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
 #
 # Optional
 #
 # [mesos.TLS]
-# InsecureSkipVerify = true
+# insecureSkipVerify = true

 # Zookeeper timeout (in seconds).
 #
 # Optional
 # Default: 30
 #
-# ZkDetectionTimeout = 30
+# zkDetectionTimeout = 30

 # Polling interval (in seconds).
 #
 # Optional
 # Default: 30
 #
-# RefreshSeconds = 30
+# refreshSeconds = 30

-# IP sources (e.g. host, docker, mesos, rkt).
+# IP sources (e.g. host, docker, mesos, netinfo).
 #
 # Optional
 #
-# IPSources = "host"
+# ipSources = "host"

 # HTTP Timeout (in seconds).
 #
 # Optional
 # Default: 30
 #
-# StateTimeoutSecond = "30"
+# stateTimeoutSecond = "30"

 # Convert groups to subdomains.
 # Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
@@ -90,4 +99,83 @@ domain = "mesos.localhost"
 # Default: false
 #
 # groupsAsSubDomains = true
+
 ```
+
+## Labels: overriding default behavior
+
+The following labels can be defined on Mesos tasks. They adjust the behavior for the entire application.
+
+| Label                                                      | Description                                                                                                                                                                                                            |
+|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
+| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                 |
+| `traefik.portIndex=1`                                      | Register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                           |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{discovery_name}.{domain}`.                                                                                                                                         |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+
+### Custom Headers
+
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
--- a/docs/configuration/backends/rancher.md
+++ b/docs/configuration/backends/rancher.md
@@ -46,6 +46,22 @@ exposedByDefault = false
 # Default: false
 #
 enableServiceHealthFilter = true
+
+# Override default configuration template.
+# For advanced users :)
+#
+# Optional
+#
+# filename = "rancher.tmpl"
+
+# Override template version
+# For advanced users :)
+#
+# Optional
+# - "1": previous template version (must be used only with older custom templates, see "filename")
+# - "2": current template version (must be used to force template version when "filename" is used)
+#
+# templateVersion = 2
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
@@ -61,7 +77,7 @@ To enable constraints see [backend-specific constraints section](/configuration/
 #
 [rancher.metadata]

-# Poll the Rancher metadata service for changes every `rancher.RefreshSeconds`.
+# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`.
 # NOTE: this is less accurate than the default long polling technique which
 # will provide near instantaneous updates to Traefik
 #
@@ -110,17 +126,154 @@ secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    To enable Traefik to fetch information about the Environment it's deployed in only, you need to create an `Environment API Key`.
    This can be found within the API Key advanced options.

-## Labels: overriding default behaviour
+    Add these labels to traefik docker deployment to autogenerated these values:
+    ```
+    io.rancher.container.agent.role: environment
+    io.rancher.container.create_agent: true
+    ```

-Labels can be used on task containers to override default behaviour:
+## Labels: overriding default behavior

-| Label                                        | Description                                                                              |
-|----------------------------------------------|------------------------------------------------------------------------------------------|
-| `traefik.protocol=https`                     | override the default `http` protocol                                                     |
-| `traefik.weight=10`                          | assign this weight to the container                                                      |
-| `traefik.enable=false`                       | disable this container in Træfik                                                         |
-| `traefik.frontend.rule=Host:test.traefik.io` | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
-| `traefik.frontend.passHostHeader=true`       | forward client `Host` header to the backend.                                             |
-| `traefik.frontend.priority=10`               | override default frontend priority                                                       |
-| `traefik.frontend.entryPoints=http,https`    | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
-| `traefik.frontend.auth.basic=EXPR`           | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.        |
+### On Containers
+
+Labels can be used on task containers to override default behavior:
+
+| Label                                                      | Description                                                                                                                                                                                                               |
+|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                   |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                          |
+| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                    |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                      |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                       |
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                          |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                          |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{service_name}.{stack_name}.{domain}`.                                                                                                                                 |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |
+
+#### Custom Headers
+
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+#### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+
+### On containers with Multiple Ports (segment labels)
+
+Segment labels are used to define routes to a container exposing multiple ports.
+A segment is a group of labels that apply to a port exposed by a container.
+You can define as many segments as ports exposed in a container.
+
+Segment labels override the default behavior.
+
+| Label                                                                     | Description                                                 |
+|---------------------------------------------------------------------------|-------------------------------------------------------------|
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
+| `traefik.<segment_name>.frontend.backend=BACKEND`                         | Same as `traefik.frontend.backend`                          |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+
+#### Custom Headers
+
+| Label                                                                | Description                                                |
+|----------------------------------------------------------------------|------------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | overrides `traefik.frontend.headers.customRequestHeaders`  |
+| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | overrides `traefik.frontend.headers.customResponseHeaders` |
+
+#### Security Headers
+
+| Label                                                                   | Description                                                  |
+|-------------------------------------------------------------------------|--------------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | overrides `traefik.frontend.headers.allowedHosts`            |
+| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | overrides `traefik.frontend.headers.browserXSSFilter`        |
+| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | overrides `traefik.frontend.headers.contentSecurityPolicy`   |
+| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | overrides `traefik.frontend.headers.contentTypeNosniff`      |
+| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | overrides `traefik.frontend.headers.customBrowserXSSValue`   |
+| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | overrides `traefik.frontend.headers.customFrameOptionsValue` |
+| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | overrides `traefik.frontend.headers.forceSTSHeader`          |
+| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | overrides `traefik.frontend.headers.frameDeny`               |
+| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | overrides `traefik.frontend.headers.hostsProxyHeaders`       |
+| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | overrides `traefik.frontend.headers.isDevelopment`           |
+| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | overrides `traefik.frontend.headers.publicKey`               |
+| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | overrides `traefik.frontend.headers.referrerPolicy`          |
+| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | overrides `traefik.frontend.headers.SSLRedirect`             |
+| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | overrides `traefik.frontend.headers.SSLTemporaryRedirect`    |
+| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | overrides `traefik.frontend.headers.SSLHost`                 |
+| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | overrides `traefik.frontend.headers.SSLProxyHeaders`         |
+| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | overrides `traefik.frontend.headers.STSSeconds`              |
+| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | overrides `traefik.frontend.headers.STSIncludeSubdomains`    |
+| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | overrides `traefik.frontend.headers.STSPreload`              |
--- a/docs/configuration/backends/rest.md
+++ b/docs/configuration/backends/rest.md
@@ -0,0 +1,92 @@
+# Rest Backend
+
+Træfik can be configured:
+
+- using a RESTful api.
+
+## Configuration
+
+```toml
+# Enable rest backend.
+[rest]
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  entryPoint = "traefik"
+```
+
+## API
+
+| Path                         | Method | Description     |
+|------------------------------|--------|-----------------|
+| `/api/providers/web`         | `PUT`  | update provider |
+| `/api/providers/rest`        | `PUT`  | update provider |
+
+!!! warning
+    For compatibility reason, when you activate the rest provider, you can use `web` or `rest` as `provider` value.
+
+
+```shell
+curl -XPUT @file "http://localhost:8080/api/providers/rest"
+```
+
+with `@file`:
+```json
+{
+    "frontends": {
+      "frontend2": {
+        "routes": {
+          "test_2": {
+            "rule": "Path:/test"
+          }
+        },
+        "backend": "backend1"
+      },
+      "frontend1": {
+        "routes": {
+          "test_1": {
+            "rule": "Host:test.localhost"
+          }
+        },
+        "backend": "backend2"
+      }
+    },
+    "backends": {
+      "backend2": {
+        "loadBalancer": {
+          "method": "drr"
+        },
+        "servers": {
+          "server2": {
+            "weight": 2,
+            "URL": "http://172.17.0.5:80"
+          },
+          "server1": {
+            "weight": 1,
+            "url": "http://172.17.0.4:80"
+          }
+        }
+      },
+      "backend1": {
+        "loadBalancer": {
+          "method": "wrr"
+        },
+        "circuitBreaker": {
+          "expression": "NetworkErrorRatio() > 0.5"
+        },
+        "servers": {
+          "server2": {
+            "weight": 1,
+            "url": "http://172.17.0.3:80"
+          },
+          "server1": {
+            "weight": 10,
+            "url": "http://172.17.0.2:80"
+          }
+        }
+      }
+    }
+}
+```
--- a/docs/configuration/backends/servicefabric.md
+++ b/docs/configuration/backends/servicefabric.md
@@ -0,0 +1,155 @@
+# Azure Service Fabric Backend
+
+Træfik can be configured to use Azure Service Fabric as a backend configuration.
+
+See [this repository for an example deployment package and further documentation.](https://aka.ms/traefikonsf)
+
+## Azure Service Fabric
+
+```toml
+################################################################
+# Azure Service Fabric provider
+################################################################
+
+# Enable Azure Service Fabric configuration backend
+[serviceFabric]
+
+# Azure Service Fabric Management Endpoint
+#
+# Required
+#
+clusterManagementUrl = "https://localhost:19080"
+
+# Azure Service Fabric Management Endpoint API Version
+#
+# Required
+# Default: "3.0"
+#
+apiVersion = "3.0"
+
+# Azure Service Fabric Polling Interval (in seconds)
+#
+# Required
+# Default: 10
+#
+refreshSeconds = 10
+
+# Enable TLS connection.
+#
+# Optional
+#
+# [serviceFabric.tls]
+#   ca = "/etc/ssl/ca.crt"
+#   cert = "/etc/ssl/servicefabric.crt"
+#   key = "/etc/ssl/servicefabric.key"
+#   insecureSkipVerify = true
+```
+
+## Labels
+
+The provider uses labels to configure how services are exposed through Træfik.
+These can be set using Extensions and the Property Manager API
+
+#### Extensions
+
+Set labels with extensions through the services `ServiceManifest.xml` file.
+Here is an example of an extension setting Træfik labels:
+
+```xml
+<StatelessServiceType ServiceTypeName="WebServiceType">
+  <Extensions>
+      <Extension Name="Traefik">
+        <Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
+          <Label Key="traefik.frontend.rule.example2">PathPrefixStrip: /a/path/to/strip</Label>
+          <Label Key="traefik.enable">true</Label> 
+          <Label Key="traefik.frontend.passHostHeader">true</Label>
+        </Labels>
+      </Extension>
+  </Extensions>
+</StatelessServiceType>
+```
+
+#### Property Manager
+
+Set Labels with the property manager API to overwrite and add labels, while your service is running.
+Here is an example of adding a frontend rule using the property manager API.
+
+```shell
+curl -X PUT \
+  'http://localhost:19080/Names/GettingStartedApplication2/WebService/$/GetProperty?api-version=6.0&IncludeValues=true' \
+  -d '{
+  "PropertyName": "traefik.frontend.rule.default",
+  "Value": {
+    "Kind": "String",
+    "Data": "PathPrefixStrip: /a/path/to/strip"
+  },
+  "CustomTypeId": "LabelType"
+}'
+```
+
+!!! note
+    This functionality will be released in a future version of the [sfctl](https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-lifecycle-sfctl) tool.
+
+## Available Labels
+
+Labels, set through extensions or the property manager, can be used on services to override default behavior.
+
+| Label                                                      | Description                                                                                                                                                                                                               |
+|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                          |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
+| `traefik.backend.group.name`                               | Group all services with the same name into a single backend in Træfik                                                                                                                                                     |
+| `traefik.backend.group.weight`                             | Set the weighting of the current services nodes in the backend group                                                                                                                                                      |
+| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
+| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
+| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
+| `traefik.backend.weight=10`                                | Assign this weight to the container                                                                                                                                                                                       |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                          |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
+| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
+| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Defaults to SF address.                                                                                                                                                               |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |
+
+### Custom Headers
+
+| Label                                                 | Description                                                                                                                                                                         |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
+| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
+
+### Security Headers
+
+| Label                                                    | Description                                                                                                                                                                                         |
+|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
+| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
+| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
+| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
--- a/docs/configuration/backends/web.md
+++ b/docs/configuration/backends/web.md
@@ -1,5 +1,8 @@
 # Web Backend

+!!! danger "DEPRECATED"
+    The web provider is deprecated, please use the [api](/configuration/api.md), the [ping](/configuration/ping.md), the [metrics](/configuration/metrics) and the [rest](/configuration/backends/rest.md) provider.
+
 Træfik can be configured:

 - using a RESTful api.
@@ -32,6 +35,14 @@ address = ":8080"
 # Default: false
 #
 readOnly = true
+
+# Set the root path for webui and API
+#
+# Deprecated
+# Optional
+#
+# path = "/mypath"
+#
 ```

 ## Web UI
@@ -43,13 +54,13 @@ readOnly = true
 ### Authentication

 !!! note
-    The `/ping` path of the api is excluded from authentication (since 1.4).
+    The `/ping` path of the API is excluded from authentication (since 1.4).

 #### Basic Authentication

 Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones.

-Users can be specified directly in the toml file, or indirectly by referencing an external file;
+Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence.

 ```toml
@@ -68,7 +79,7 @@ usersFile = "/path/to/.htpasswd"

 You can use `htdigest` to generate those ones.

-Users can be specified directly in the toml file, or indirectly by referencing an external file;
+Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence

 ```toml
@@ -77,7 +88,7 @@ Users can be specified directly in the toml file, or indirectly by referencing a

 # To enable digest auth on the webui with 2 user/realm/pass: test:traefik:test and test2:traefik:test2
 [web.auth.digest]
-users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
 usersFile = "/path/to/.htdigest"

 # ...
@@ -86,7 +97,7 @@ usersFile = "/path/to/.htdigest"

 ## Metrics

-You can enable Traefik to export internal metrics to different monitoring systems.
+You can enable Træfik to export internal metrics to different monitoring systems.

 ### Prometheus

@@ -102,7 +113,7 @@ You can enable Traefik to export internal metrics to different monitoring system
 # Optional
 # Default: [0.1, 0.3, 1.2, 5]
 buckets=[0.1,0.3,1.2,5.0]
-    
+
 # ...
 ```

@@ -158,6 +169,31 @@ pushinterval = "10s"
 # ...
 ```

+### InfluxDB
+
+```toml
+[web]
+# ...
+
+# InfluxDB metrics exporter type
+[web.metrics.influxdb]
+
+# InfluxDB's address.
+#
+# Required
+# Default: "localhost:8089"
+#
+address = "localhost:8089"
+
+# InfluxDB push interval
+#
+# Optional
+# Default: "10s"
+#
+pushinterval = "10s"
+
+# ...
+```

 ## Statistics

@@ -184,7 +220,7 @@ recentErrors = 10
 |-----------------------------------------------------------------|:-------------:|----------------------------------------------------------------------------------------------------|
 | `/`                                                             |     `GET`     | Provides a simple HTML frontend of Træfik                                                          |
 | `/ping`                                                         | `GET`, `HEAD` | A simple endpoint to check for Træfik process liveness. Return a code `200` with the content: `OK` |
-| `/health`                                                       |     `GET`     | json health metrics                                                                                |
+| `/health`                                                       |     `GET`     | JSON health metrics                                                                                |
 | `/api`                                                          |     `GET`     | Configuration for all providers                                                                    |
 | `/api/providers`                                                |     `GET`     | Providers                                                                                          |
 | `/api/providers/{provider}`                                     |  `GET`, `PUT` | Get or update provider                                                                             |
@@ -207,7 +243,7 @@ curl -sv "http://localhost:8080/ping"
 ```
 ```shell
 *   Trying ::1...
-* Connected to localhost (::1) port 8080 (#0)
+* Connected to localhost (::1) port 8080 (\#0)
 > GET /ping HTTP/1.1
 > Host: localhost:8080
 > User-Agent: curl/7.43.0
@@ -218,7 +254,7 @@ curl -sv "http://localhost:8080/ping"
 < Content-Length: 2
 < Content-Type: text/plain; charset=utf-8
 <
-* Connection #0 to host localhost left intact
+* Connection \#0 to host localhost left intact
 OK
 ```

@@ -272,7 +308,7 @@ curl -s "http://localhost:8080/health" | jq .
      "status": "Internal Server Error",
      // request HTTP method
      "method": "GET",
-      // request hostname
+      // request host name
      "host": "localhost",
      // request path
      "path": "/path",
@@ -347,3 +383,100 @@ curl -s "http://localhost:8080/api" | jq .
  }
 }
 ```
+
+### Deprecation compatibility
+
+#### Address
+
+As the web provider is deprecated, you can handle the `Address` option like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+  [entryPoints.foo]
+  address = ":8082"
+
+  [entryPoints.bar]
+  address = ":8083"
+
+[ping]
+entryPoint = "foo"
+
+[api]
+entryPoint = "bar"
+```
+
+In the above example, you would access a regular path, administration panel, and health-check as follows:
+
+* Regular path: `http://hostname:80/path`
+* Admin Panel: `http://hostname:8083/`
+* Ping URL: `http://hostname:8082/ping`
+
+In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
+Otherwise, you are likely to expose _all_ services via that entry point.
+
+#### Path
+
+As the web provider is deprecated, you can handle the `Path` option like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+  [entryPoints.foo]
+  address = ":8080"
+
+  [entryPoints.bar]
+  address = ":8081"
+
+# Activate API and Dashboard
+[api]
+entryPoint = "bar"
+dashboard = true
+
+[file]
+  [backends]
+    [backends.backend1]
+      [backends.backend1.servers.server1]
+      url = "http://127.0.0.1:8081"
+
+  [frontends]
+    [frontends.frontend1]
+    entryPoints = ["foo"]
+    backend = "backend1"
+      [frontends.frontend1.routes.test_1]
+      rule = "PathPrefixStrip:/yourprefix;PathPrefix:/yourprefix"
+```
+
+#### Authentication
+
+As the web provider is deprecated, you can handle the `auth` option like this:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+ [entryPoints.foo]
+   address=":8080"
+   [entryPoints.foo.auth]
+     [entryPoints.foo.auth.basic]
+       users = [
+         "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+         "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+       ]
+
+[api]
+entrypoint="foo"
+```
+
+For more information, see [entry points](/configuration/entrypoints/) .
--- a/docs/configuration/backends/zookeeper.md
+++ b/docs/configuration/backends/zookeeper.md
@@ -27,9 +27,9 @@ watch = true
 # Prefix used for KV store.
 #
 # Optional
-# Default: "/traefik"
+# Default: "traefik"
 #
-prefix = "/traefik"
+prefix = "traefik"

 # Override default configuration template.
 # For advanced users :)
@@ -53,7 +53,7 @@ prefix = "/traefik"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/zookeeper.crt"
 #    key = "/etc/ssl/zookeeper.key"
-#    insecureskipverify = true
+#    insecureSkipVerify = true
 ```

 To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
--- a/docs/configuration/commons.md
+++ b/docs/configuration/commons.md
@@ -3,14 +3,23 @@
 ## Main Section

 ```toml
-# Duration to give active requests a chance to finish before Traefik stops.
+# DEPRECATED - for general usage instruction see [lifeCycle.graceTimeOut].
+#
+# If both the deprecated option and the new one are given, the deprecated one
+# takes precedence.
+# A value of zero is equivalent to omitting the parameter, causing
+# [lifeCycle.graceTimeOut] to be effective. Pass zero to the new option in
+# order to disable the grace period.
 #
 # Optional
-# Default: "10s"
+# Default: "0s"
 #
 # graceTimeOut = "10s"

 # Enable debug mode.
+# This will install HTTP handlers to expose Go expvars under /debug/vars and
+# pprof profiling data under /debug/pprof.
+# The log level will be set to DEBUG unless `logLevel` is specified.
 #
 # Optional
 # Default: false
@@ -29,14 +38,14 @@
 # Optional
 # Default: "2s"
 #
-# ProvidersThrottleDuration = "2s"
+# providersThrottleDuration = "2s"

 # Controls the maximum idle (keep-alive) connections to keep per-host.
 #
 # Optional
 # Default: 200
 #
-# MaxIdleConnsPerHost = 200
+# maxIdleConnsPerHost = 200

 # If set to true invalid SSL certificates are accepted for backends.
 # This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
@@ -44,14 +53,14 @@
 # Optional
 # Default: false
 #
-# InsecureSkipVerify = true
+# insecureSkipVerify = true

-# Register Certificates in the RootCA.
+# Register Certificates in the rootCA.
 #
 # Optional
 # Default: []
 #
-# RootCAs = [ "/mycert.cert" ]
+# rootCAs = [ "/mycert.cert" ]

 # Entrypoints to be used by frontends that do not specify any entrypoint.
 # Each frontend can specify its own entrypoints.
@@ -60,6 +69,15 @@
 # Default: ["http"]
 #
 # defaultEntryPoints = ["http", "https"]
+
+# Allow the use of 0 as server weight.
+# - false: a weight 0 means internally a weight of 1.
+# - true: a weight 0 means internally a weight of 0 (a server with a weight of 0 is removed from the available servers).
+#
+# Optional
+# Default: false
+#
+# AllowMinWeightZero = true
 ```

 - `graceTimeOut`: Duration to give active requests a chance to finish before Traefik stops.  
@@ -67,19 +85,19 @@ Can be provided in a format supported by [time.ParseDuration](https://golang.org
 If no units are provided, the value is parsed assuming seconds.  
 **Note:** in this time frame no new requests are accepted.

- `ProvidersThrottleDuration`: Backends throttle duration: minimum duration in seconds between 2 events from providers before applying a new configuration.
+- `providersThrottleDuration`: Backends throttle duration: minimum duration in seconds between 2 events from providers before applying a new configuration.
 It avoids unnecessary reloads if multiples events are sent in a short amount of time.  
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
 If no units are provided, the value is parsed assuming seconds.

- `MaxIdleConnsPerHost`: Controls the maximum idle (keep-alive) connections to keep per-host.  
+- `maxIdleConnsPerHost`: Controls the maximum idle (keep-alive) connections to keep per-host.  
 If zero, `DefaultMaxIdleConnsPerHost` from the Go standard library net/http module is used.
 If you encounter 'too many open files' errors, you can either increase this value or change the `ulimit`.

- `InsecureSkipVerify` : If set to true invalid SSL certificates are accepted for backends.  
+- `insecureSkipVerify` : If set to true invalid SSL certificates are accepted for backends.  
 **Note:** This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.

- `RootCAs`: Register Certificates in the RootCA. This certificates will be use for backends calls.  
+- `rootCAs`: Register Certificates in the RootCA. This certificates will be use for backends calls.  
 **Note** You can use file path or cert content directly

 - `defaultEntryPoints`: Entrypoints to be used by frontends that do not specify any entrypoint.  
@@ -145,67 +163,6 @@ constraints = ["tag==api", "tag!=v*-beta"]
 ```


-## Logs Definition
-
-### Traefik logs
-
-```toml
-# Traefik logs file
-# If not defined, logs to stdout
-traefikLogsFile = "log/traefik.log"
-
-# Log level
-#
-# Optional
-# Default: "ERROR"
-#
-# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
-# Messages at and above the selected level will be logged.
-#
-logLevel = "ERROR"
-```
-
-### Access Logs
-
-Access logs are written when `[accessLog]` is defined.
-By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
-
-To enable access logs using the default settings just add the `[accessLog]` entry.
-```toml
-[accessLog]
-```
-
-To write the logs into a logfile specify the `filePath`.
-```toml
-[accessLog]
-filePath = "/path/to/access.log"
-```
-
-To write JSON format logs, specify `json` as the format:
-```toml
-[accessLog]
-filePath = "/path/to/access.log"
-format = "json"
-```
-
-Deprecated way (before 1.4):
-```toml
-# Access logs file
-#
-# DEPRECATED - see [accessLog] lower down
-#
-accessLogsFile = "log/access.log"
-```
-
-### Log Rotation
-
-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
-
-!!! note
-    This does not work on Windows due to the lack of USR signals.
-
-
 ## Custom Error pages

 Custom error pages can be returned, in lieu of the default, according to frontend-configured ranges of HTTP Status codes.
@@ -242,9 +199,52 @@ Instead, the query parameter can also be set to some generic error page like so:
 Now the `500s.html` error page is returned for the configured code range.
 The configured status code ranges are inclusive; that is, in the above example, the `500s.html` page will be returned for status codes `500` through, and including, `599`.

-Custom error pages are easiest to implement using the file provider.
-For dynamic providers, the corresponding template file needs to be customized accordingly and referenced in the Traefik configuration.

+## Rate limiting
+
+Rate limiting can be configured per frontend.  
+Multiple sets of rates can be added to each frontend, but the time periods must be unique.
+
+```toml
+[frontends]
+    [frontends.frontend1]
+      # ...
+      [frontends.frontend1.ratelimit]
+        extractorfunc = "client.ip"
+          [frontends.frontend1.ratelimit.rateset.rateset1]
+            period = "10s"
+            average = 100
+            burst = 200
+          [frontends.frontend1.ratelimit.rateset.rateset2]
+            period = "3s"
+            average = 5
+            burst = 10
+```
+
+In the above example, frontend1 is configured to limit requests by the client's ip address.  
+An average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.  
+These can "burst" up to 10 and 200 in each period respectively.
+
+## Buffering
+
+In some cases request/buffering can be enabled for a specific backend.
+By enabling this, Træfik will read the entire request into memory (possibly buffering large requests into disk) and will reject requests that are over a specified limit.
+This may help services deal with large data (multipart/form-data for example) more efficiently and should minimise time spent when sending data to a backend server.
+
+For more information please check [oxy/buffer](http://godoc.org/github.com/vulcand/oxy/buffer) documentation.
+
+Example configuration:
+
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.buffering]
+      maxRequestBodyBytes = 10485760  
+      memRequestBodyBytes = 2097152  
+      maxResponseBodyBytes = 10485760
+      memResponseBodyBytes = 2097152
+      retryExpression = "IsNetworkError() && Attempts() <= 2"
+```

 ## Retry Configuration

@@ -281,6 +281,38 @@ Given provider-specific support, the value may be overridden on a per-backend ba
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).  
 If no units are provided, the value is parsed assuming seconds.

+## Life Cycle
+
+Controls the behavior of Traefik during the shutdown phase.
+
+```toml
+[lifeCycle]
+
+# Duration to keep accepting requests prior to initiating the graceful
+# termination period (as defined by the `graceTimeOut` option). This
+# option is meant to give downstream load-balancers sufficient time to
+# take Traefik out of rotation.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+# If no units are provided, the value is parsed assuming seconds.
+# The zero duration disables the request accepting grace period, i.e.,
+# Traefik will immediately proceed to the grace period.
+#
+# Optional
+# Default: 0
+#
+# requestAcceptGraceTimeout = "10s"
+
+# Duration to give active requests a chance to finish before Traefik stops.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+# If no units are provided, the value is parsed assuming seconds.
+# Note: in this time frame no new requests are accepted.
+#
+# Optional
+# Default: "10s"
+#
+# graceTimeOut = "10s"
+```
+
 ## Timeouts

 ### Responding Timeouts
@@ -363,24 +395,24 @@ If no units are provided, the value is parsed assuming seconds.

 ### Idle Timeout (deprecated)

-Use [respondingTimeouts](/configuration/commons/#responding-timeouts) instead of `IdleTimeout`.
+Use [respondingTimeouts](/configuration/commons/#responding-timeouts) instead of `idleTimeout`.
 In the case both settings are configured, the deprecated option will be overwritten.

-`IdleTimeout` is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
+`idleTimeout` is the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
 This is set to enforce closing of stale client connections.

 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
 If no units are provided, the value is parsed assuming seconds.

 ```toml
-# IdleTimeout
+# idleTimeout
 #
 # DEPRECATED - see [respondingTimeouts] section.
 #
 # Optional
 # Default: "180s"
 #
-IdleTimeout = "360s"
+idleTimeout = "360s"
 ```


--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@@ -1,5 +1,139 @@
 # Entry Points Definition

+## Reference
+
+### TOML
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+    compress = true
+
+    [entryPoints.http.whitelist]
+      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
+      useXForwardedFor = true
+
+    [entryPoints.http.tls]
+      minVersion = "VersionTLS12"
+      cipherSuites = [
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_RSA_WITH_AES_256_GCM_SHA384"
+       ]
+      [[entryPoints.http.tls.certificates]]
+        certFile = "path/to/my.cert"
+        keyFile = "path/to/my.key"
+      [[entryPoints.http.tls.certificates]]
+        certFile = "path/to/other.cert"
+        keyFile = "path/to/other.key"
+      # ...
+      [entryPoints.http.tls.clientCA]
+        files = ["path/to/ca1.crt", "path/to/ca2.crt"]
+        optional = false
+
+    [entryPoints.http.redirect]
+      entryPoint = "https"
+      regex = "^http://localhost/(.*)"
+      replacement = "http://mydomain/$1"
+      permanent = true
+
+    [entryPoints.http.auth]
+      headerField = "X-WebAuth-User"
+      [entryPoints.http.auth.basic]
+        users = [
+          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+        ]
+        usersFile = "/path/to/.htpasswd"
+      [entryPoints.http.auth.digest]
+        users = [
+          "test:traefik:a2688e031edb4be6a3797f3882655c05",
+          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+        ]
+        usersFile = "/path/to/.htdigest"
+      [entryPoints.http.auth.forward]
+        address = "https://authserver.com/auth"
+        trustForwardHeader = true
+        [entryPoints.http.auth.forward.tls]
+          ca =  [ "path/to/local.crt"]
+          caOptional = true
+          cert = "path/to/foo.cert"
+          key = "path/to/foo.key"
+          insecureSkipVerify = true
+
+    [entryPoints.http.proxyProtocol]
+      insecure = true
+      trustedIPs = ["10.10.10.1", "10.10.10.2"]
+
+    [entryPoints.http.forwardedHeaders]
+      trustedIPs = ["10.10.10.1", "10.10.10.2"]
+
+  [entryPoints.https]
+    # ...
+```
+
+### CLI
+
+For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).
+
+```shell
+--entryPoints='Name:http Address::80'
+--entryPoints='Name:https Address::443 TLS'
+```
+
+!!! note
+    Whitespace is used as option separator and `,` is used as value separator for the list.  
+    The names of the options are case-insensitive.
+
+In compose file the entrypoint syntax is different:
+
+```yaml
+traefik:
+    image: traefik
+    command:
+        - --defaultentrypoints=powpow
+        - "--entryPoints=Name:powpow Address::42 Compress:true"
+```
+or
+```yaml
+traefik:
+    image: traefik
+    command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
+```
+
+#### All available options:
+
+```ini
+Name:foo
+Address::80
+TLS:goo,gii
+TLS
+CA:car
+CA.Optional:true
+Redirect.EntryPoint:https
+Redirect.Regex:http://localhost/(.*)
+Redirect.Replacement:http://mydomain/$1
+Redirect.Permanent:true
+Compress:true
+WhiteList.SourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16
+WhiteList.UseXForwardedFor:true
+ProxyProtocol.TrustedIPs:192.168.0.1
+ProxyProtocol.Insecure:true
+ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
+Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+Auth.HeaderField:X-WebAuth-User
+Auth.Forward.Address:https://authserver.com/auth
+Auth.Forward.TrustForwardHeader:true
+Auth.Forward.TLS.CA:path/to/local.crt
+Auth.Forward.TLS.CAOptional:true
+Auth.Forward.TLS.Cert:path/to/foo.cert
+Auth.Forward.TLS.Key:path/to/foo.key
+Auth.Forward.TLS.InsecureSkipVerify:true
+```
+
+## Basic
+
 ```toml
 # Entrypoints definition
 #
@@ -27,13 +161,16 @@ To redirect an http entrypoint to an https entrypoint (with SNI support).
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.com.cert"
-      KeyFile = "integration/fixtures/https/snitest.com.key"
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
      [[entryPoints.https.tls.certificates]]
-      CertFile = "integration/fixtures/https/snitest.org.cert"
-      KeyFile = "integration/fixtures/https/snitest.org.key"
+      certFile = "integration/fixtures/https/snitest.org.cert"
+      keyFile = "integration/fixtures/https/snitest.org.key"
 ```

+!!! note
+    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case).
+
 ## Rewriting URL

 To redirect an entrypoint rewriting the URL.
@@ -47,13 +184,47 @@ To redirect an entrypoint rewriting the URL.
    replacement = "http://mydomain/$1"
 ```

+!!! note
+    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an `entrypoint` is defined for the redirection (they will not be used in this case).
+
+Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+## TLS
+
+### Static Certificates
+
+Define an entrypoint with SNI support.
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
+```
+
+!!! note
+    If an empty TLS configuration is done, default self-signed certificates are generated.
+
+
+### Dynamic Certificates
+
+If you need to add or remove TLS certificates while Traefik is started, Dynamic TLS certificates are supported using the [file provider](/configuration/backends/file).
+
+
 ## TLS Mutual Authentication

-Only accept clients that present a certificate signed by a specified Certificate Authority (CA).
+TLS Mutual Authentication can be `optional` or not.
+If it's `optional`, Træfik will authorize connection with certificates not signed by a specified Certificate Authority (CA).
+Otherwise, Træfik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
 `ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
 The `CA:s` has to be in PEM format.

-All clients will be required to present a valid cert.
+By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert.
 The requirement will apply to all server certs in the entrypoint.

 In the example below both `snitest.com` and `snitest.org` will require client certs
@@ -63,23 +234,28 @@ In the example below both `snitest.com` and `snitest.org` will require client ce
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
-  ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+    [entryPoints.https.tls.ClientCA]
+    files = ["tests/clientca1.crt", "tests/clientca2.crt"]
+    optional = false
    [[entryPoints.https.tls.certificates]]
-    CertFile = "integration/fixtures/https/snitest.com.cert"
-    KeyFile = "integration/fixtures/https/snitest.com.key"
+    certFile = "integration/fixtures/https/snitest.com.cert"
+    keyFile = "integration/fixtures/https/snitest.com.key"
    [[entryPoints.https.tls.certificates]]
-    CertFile = "integration/fixtures/https/snitest.org.cert"
-    KeyFile = "integration/fixtures/https/snitest.org.key"
+    certFile = "integration/fixtures/https/snitest.org.cert"
+    keyFile = "integration/fixtures/https/snitest.org.key"
 ```

+!!! note
+    The deprecated argument `ClientCAFiles` allows adding Client CA files which are mandatory.
+    If this parameter exists, the new ones are not checked.

 ## Authentication

 ### Basic Authentication

-Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate those ones.
+Passwords can be encoded in MD5, SHA1 and BCrypt: you can use `htpasswd` to generate them.

-Users can be specified directly in the toml file, or indirectly by referencing an external file;
+Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence.

 ```toml
@@ -94,9 +270,9 @@ Users can be specified directly in the toml file, or indirectly by referencing a

 ### Digest Authentication

-You can use `htdigest` to generate those ones.
+You can use `htdigest` to generate them.

-Users can be specified directly in the toml file, or indirectly by referencing an external file;
+Users can be specified directly in the TOML file, or indirectly by referencing an external file;
 if both are provided, the two are merged, with external file contents having precedence

 ```toml
@@ -104,8 +280,8 @@ Users can be specified directly in the toml file, or indirectly by referencing a
 [entryPoints]
  [entryPoints.http]
  address = ":80"
-  [entryPoints.http.auth.basic]
-  users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+  [entryPoints.http.auth.digest]
+  users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
  usersFile = "/path/to/.htdigest"
 ```

@@ -114,16 +290,16 @@ Users can be specified directly in the toml file, or indirectly by referencing a
 This configuration will first forward the request to `http://authserver.com/auth`.

 If the response code is 2XX, access is granted and the original request is performed.
-Otherwise, the response from the auth server is returned.
+Otherwise, the response from the authentication server is returned.

 ```toml
 [entryPoints]
-  [entrypoints.http]
+  [entryPoints.http]
    # ...
    # To enable forward auth on an entrypoint
-    [entrypoints.http.auth.forward]
+    [entryPoints.http.auth.forward]
    address = "https://authserver.com/auth"
-    
+
    # Trust existing X-Forwarded-* headers.
    # Useful with another reverse proxy in front of Traefik.
    #
@@ -131,19 +307,19 @@ Otherwise, the response from the auth server is returned.
    # Default: false
    #
    trustForwardHeader = true
-    
+
    # Enable forward auth TLS connection.
    #
    # Optional
    #
-    [entrypoints.http.auth.forward.tls]
+    [entryPoints.http.auth.forward.tls]
    cert = "authserver.crt"
    key = "authserver.key"
 ```

 ## Specify Minimum TLS Version

-To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls).
+To specify an https entry point with a minimum TLS version, and specifying an array of cipher suites (from [crypto/tls](https://godoc.org/crypto/tls#pkg-constants)).

 ```toml
 [entryPoints]
@@ -151,7 +327,10 @@ To specify an https entry point with a minimum TLS version, and specifying an ar
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
-    cipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_RSA_WITH_AES_256_GCM_SHA384"
+    ]
      [[entryPoints.https.tls.certificates]]
      certFile = "integration/fixtures/https/snitest.com.cert"
      keyFile = "integration/fixtures/https/snitest.com.key"
@@ -177,24 +356,66 @@ Responses are compressed when:
 * And the `Accept-Encoding` request header contains `gzip`
 * And the response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

-## Whitelisting
+## White Listing

-To enable IP whitelisting at the entrypoint level.
+To enable IP white listing at the entry point level.

 ```toml
 [entryPoints]
  [entryPoints.http]
-  address = ":80"
-  whiteListSourceRange = ["127.0.0.1/32"]
+    address = ":80"
+
+    [entryPoints.http.whiteList]
+      sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+      # useXForwardedFor = true
 ```

-## ProxyProtocol Support
+## ProxyProtocol

 To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
+Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).
+
+!!! danger
+    When queuing Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
+    Otherwise, it could introduce a security risk in your system by forging requests.

 ```toml
 [entryPoints]
  [entryPoints.http]
-  address = ":80"
-  proxyprotocol = true
+    address = ":80"
+
+    # Enable ProxyProtocol
+    [entryPoints.http.proxyProtocol]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+
+      # Insecure mode FOR TESTING ENVIRONNEMENT ONLY
+      #
+      # Optional
+      # Default: false
+      #
+      # insecure = true
+```
+
+## Forwarded Header
+
+Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    # Enable Forwarded Headers
+    [entryPoints.http.forwardedHeaders]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/configuration/logs.md
+++ b/docs/configuration/logs.md
@@ -0,0 +1,252 @@
+# Logs Definition
+
+## Reference
+
+### TOML
+
+```toml
+logLevel = "INFO"
+
+[traefikLog]
+  filePath = "/path/to/traefik.log"
+  format   = "json"
+
+[accessLog]
+  filePath = "/path/to/access.log"
+  format = "json"
+
+  [accessLog.filters]
+    statusCodes = ["200", "300-302"]
+    retryAttempts = true
+
+  [accessLog.fields]
+    defaultMode = "keep"
+    [accessLog.fields.names]
+      "ClientUsername" = "drop"
+      # ...
+
+    [accessLog.fields.headers]
+      defaultMode = "keep"
+      [accessLog.fields.headers.names]
+        "User-Agent" = "redact"
+        "Authorization" = "drop"
+        "Content-Type" = "keep"
+        # ...
+```
+
+### CLI
+
+For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).
+
+```shell
+--logLevel="DEBUG"
+--traefikLog.filePath="/path/to/traefik.log"
+--traefikLog.format="json"
+--accessLog.filePath="/path/to/access.log"
+--accessLog.format="json"
+--accessLog.filters.statusCodes="200,300-302"
+--accessLog.filters.retryAttempts="true"
+--accessLog.fields.defaultMode="keep"
+--accessLog.fields.names="Username=drop Hostname=drop"
+--accessLog.fields.headers.defaultMode="keep"
+--accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
+```
+
+
+## Traefik Logs
+
+By default the Traefik log is written to stdout in text format.
+
+To write the logs into a log file specify the `filePath`:
+```toml
+[traefikLog]
+  filePath = "/path/to/traefik.log"
+```
+
+To write JSON format logs, specify `json` as the format:
+```toml
+[traefikLog]
+  filePath = "/path/to/traefik.log"
+  format   = "json"
+```
+
+
+Deprecated way (before 1.4):
+
+!!! danger "DEPRECATED"
+    `traefikLogsFile` is deprecated, use [traefikLog](/configuration/logs/#traefik-logs) instead.
+
+```toml
+# Traefik logs file
+# If not defined, logs to stdout
+#
+# DEPRECATED - see [traefikLog] lower down
+# In case both traefikLogsFile and traefikLog.filePath are specified, the latter will take precedence.
+# Optional
+#
+traefikLogsFile = "log/traefik.log"
+```
+
+To customize the log level:
+```toml
+# Log level
+#
+# Optional
+# Default: "ERROR"
+#
+# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
+# Messages at and above the selected level will be logged.
+#
+logLevel = "ERROR"
+```
+
+
+## Access Logs
+
+Access logs are written when `[accessLog]` is defined.
+By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
+
+To enable access logs using the default settings just add the `[accessLog]` entry:
+```toml
+[accessLog]
+```
+
+To write the logs into a log file specify the `filePath`:
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+```
+
+To write JSON format logs, specify `json` as the format:
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+format = "json"
+```
+
+To filter logs you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one:
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+format = "json"
+
+  [accessLog.filters]
+
+  # statusCodes keep access logs with status codes in the specified range
+  #
+  # Optional
+  # Default: []
+  #
+  statusCodes = ["200", "300-302"]
+
+  # retryAttempts keep access logs when at least one retry happened
+  #
+  # Optional
+  # Default: false
+  #
+  retryAttempts = true
+```
+
+To customize logs format:
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+format = "json"
+
+  [accessLog.filters]
+
+  # statusCodes keep only access logs with status codes in the specified range
+  #
+  # Optional
+  # Default: []
+  #
+  statusCodes = ["200", "300-302"]
+
+  [accessLog.fields]
+
+  # defaultMode
+  #
+  # Optional
+  # Default: "keep"
+  #
+  # Accepted values "keep", "drop"
+  #
+  defaultMode = "keep"
+
+  # Fields map which is used to override fields defaultMode
+  [accessLog.fields.names]
+    "ClientUsername" = "drop"
+    # ...
+
+  [accessLog.fields.headers]
+    # defaultMode
+    #
+    # Optional
+    # Default: "keep"
+    #
+    # Accepted values "keep", "drop", "redact"
+    #
+    defaultMode = "keep"
+    # Fields map which is used to override headers defaultMode
+    [accessLog.fields.headers.names]
+      "User-Agent" = "redact"
+      "Authorization" = "drop"
+      "Content-Type" = "keep"
+      # ...
+```
+
+#### List of all available fields
+
+```ini
+StartUTC
+StartLocal
+Duration
+FrontendName
+BackendName
+BackendURL
+BackendAddr
+ClientAddr
+ClientHost
+ClientPort
+ClientUsername
+RequestAddr
+RequestHost
+RequestPort
+RequestMethod
+RequestPath
+RequestProtocol
+RequestLine
+RequestContentSize
+OriginDuration
+OriginContentSize
+OriginStatus
+OriginStatusLine
+DownstreamStatus
+DownstreamStatusLine
+DownstreamContentSize
+RequestCount
+GzipRatio
+Overhead
+RetryAttempts
+```
+
+Deprecated way (before 1.4):
+
+!!! danger "DEPRECATED"
+    `accessLogsFile` is deprecated, use [accessLog](/configuration/logs/#access-logs) instead.
+
+```toml
+# Access logs file
+#
+# DEPRECATED - see [accessLog]
+#
+accessLogsFile = "log/access.log"
+```
+
+## Log Rotation
+
+Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
+This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+
+!!! note
+    This does not work on Windows due to the lack of USR signals.
--- a/docs/configuration/metrics.md
+++ b/docs/configuration/metrics.md
@@ -0,0 +1,126 @@
+# Metrics Definition
+
+## Prometheus
+
+```toml
+# Metrics definition
+[metrics]
+  #...
+
+  # To enable Traefik to export internal metrics to Prometheus
+  [metrics.prometheus]
+
+    # Name of the related entry point
+    #
+    # Optional
+    # Default: "traefik"
+    #
+    entryPoint = "traefik"
+
+    # Buckets for latency metrics
+    #
+    # Optional
+    # Default: [0.1, 0.3, 1.2, 5]
+    #
+    buckets = [0.1,0.3,1.2,5.0]
+
+  # ...
+```
+
+## DataDog
+
+```toml
+# Metrics definition
+[metrics]
+  #...
+
+  # DataDog metrics exporter type
+  [metrics.datadog]
+
+    # DataDog's address.
+    #
+    # Required
+    # Default: "localhost:8125"
+    #
+    address = "localhost:8125"
+
+    # DataDog push interval
+    #
+    # Optional
+    # Default: "10s"
+    #
+    pushInterval = "10s"
+
+  # ...
+```
+
+## StatsD
+
+```toml
+# Metrics definition
+[metrics]
+  #...
+
+  # StatsD metrics exporter type
+  [metrics.statsd]
+
+    # StatD's address.
+    #
+    # Required
+    # Default: "localhost:8125"
+    #
+    address = "localhost:8125"
+
+    # StatD push interval
+    #
+    # Optional
+    # Default: "10s"
+    #
+    pushInterval = "10s"
+
+  # ...
+```
+### InfluxDB
+
+```toml
+[metrics]
+  # ...
+
+  # InfluxDB metrics exporter type
+  [metrics.influxdb]
+
+    # InfluxDB's address.
+    #
+    # Required
+    # Default: "localhost:8089"
+    #
+    address = "localhost:8089"
+
+    # InfluxDB push interval
+    #
+    # Optional
+    # Default: "10s"
+    #
+    pushinterval = "10s"
+
+  # ...
+```
+
+## Statistics
+
+```toml
+# Metrics definition
+[metrics]
+  # ...
+
+  # Enable more detailed statistics.
+  [metrics.statistics]
+
+    # Number of recent errors logged.
+    #
+    # Default: 10
+    #
+    recentErrors = 10
+
+  # ...
+```
--- a/docs/configuration/ping.md
+++ b/docs/configuration/ping.md
@@ -0,0 +1,91 @@
+# Ping Definition
+
+## Configuration
+
+```toml
+# Ping definition
+[ping]
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  entryPoint = "traefik"
+```
+
+| Path    | Method        | Description                                                                                        |
+|---------|---------------|----------------------------------------------------------------------------------------------------|
+| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Træfik process liveness. Return a code `200` with the content: `OK` |
+
+
+!!! warning
+    Even if you have authentication configured on entry point, the `/ping` path of the api is excluded from authentication.
+
+## Examples
+
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+Thus, if you have a regular path for `/foo` and an entrypoint on `:80`, you would access them as follows:
+
+* Regular path: `http://hostname:80/foo`
+* Admin panel: `http://hostname:8080/`
+* Ping URL: `http://hostname:8080/ping`
+
+However, for security reasons, you may want to be able to expose the `/ping` health-check URL to outside health-checkers, e.g. an Internet service or cloud load-balancer, _without_ exposing your administration panel's port.
+In many environments, the security staff may not _allow_ you to expose it.
+
+You have two options:
+
+* Enable `/ping` on a regular entry point
+* Enable `/ping` on a dedicated port
+
+### Ping health check on a regular entry point
+
+To proxy `/ping` from a regular entry point to the administration one without exposing the panel, do the following:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+
+[ping]
+entryPoint = "http"
+
+```
+
+The above link `ping` on the `http` entry point and then expose it on port `80`
+
+### Enable ping health check on dedicated port
+
+If you do not want to or cannot expose the health-check on a regular entry point - e.g. your security rules do not allow it, or you have a conflicting path - then you can enable health-check on its own entry point.
+Use the following configuration:
+
+```toml
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.ping]
+  address = ":8082"
+
+[ping]
+entryPoint = "ping"
+```
+
+The above is similar to the previous example, but instead of enabling `/ping` on the _default_ entry point, we enable it on a _dedicated_ entry point.
+
+In the above example, you would access a regular path and health-check as follows:
+
+* Regular path: `http://hostname:80/foo`
+* Ping URL: `http://hostname:8082/ping`
+
+Note the dedicated port `:8082` for `/ping`.
+
+In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
+Otherwise, you are likely to expose _all_ services via this entry point.
+
+### Using ping for external Load-balancer rotation health check
+
+If you are running traefik behind a external Load-balancer, and want to configure rotation health check on the Load-balancer to take a traefik instance out of rotation gracefully, you can configure [lifecycle.requestAcceptGraceTimeout](/configuration/commons.md#life-cycle) and the ping endpoint will return `503` response on traefik server termination, so that the Load-balancer can take the terminating traefik instance out of rotation, before it stops responding.
--- a/docs/configuration/tracing.md
+++ b/docs/configuration/tracing.md
@@ -0,0 +1,100 @@
+# Tracing
+
+Tracing system allows developers to visualize call flows in there infrastructures.
+
+We use [OpenTracing](http://opentracing.io). It is an open standard designed for distributed tracing.
+
+Træfik supports two backends: Jaeger and Zipkin.
+
+## Jaeger
+
+```toml
+# Tracing definition
+[tracing]
+  # Backend name used to send tracing data
+  #
+  # Default: "jaeger"
+  #
+  backend = "jaeger"
+
+  # Service name used in Jaeger backend
+  #
+  # Default: "traefik"
+  #
+  serviceName = "traefik"
+
+  [tracing.jaeger]
+    # Sampling Server URL is the address of jaeger-agent's HTTP sampling server
+    #
+    # Default: "http://localhost:5778/sampling"
+    #
+    samplingServerURL = "http://localhost:5778/sampling"
+
+    # Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
+    #
+    # Default: "const"
+    #
+    samplingType = "const"
+
+    # Sampling Param is a value passed to the sampler.
+    # Valid values for Param field are:
+    #   - for "const" sampler, 0 or 1 for always false/true respectively
+    #   - for "probabilistic" sampler, a probability between 0 and 1
+    #   - for "rateLimiting" sampler, the number of spans per second
+    #
+    # Default: 1.0
+    #
+    samplingParam = 1.0
+
+    # Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
+    #
+    # Default: "127.0.0.1:6831"
+    #
+    localAgentHostPort = "127.0.0.1:6831"
+```
+
+!!! warning
+    Træfik is only able to send data over compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent). 
+
+## Zipkin
+
+```toml
+# Tracing definition
+[tracing]
+  # Backend name used to send tracing data
+  #
+  # Default: "jaeger"
+  #
+  backend = "zipkin"
+
+  # Service name used in Zipkin backend
+  #
+  # Default: "traefik"
+  #
+  serviceName = "traefik"
+
+  [tracing.zipkin]
+    # Zipking HTTP endpoint used to send data
+    #
+    # Default: "http://localhost:9411/api/v1/spans"
+    #
+    httpEndpoint = "http://localhost:9411/api/v1/spans"
+
+    # Enable Zipkin debug
+    #
+    # Default: false
+    #
+    debug = false
+
+    # Use ZipKin SameSpan RPC style traces
+    #
+    # Default: false
+    #
+    sameSpan = false
+
+    # Use ZipKin 128 bit root span IDs
+    #
+    # Default: true
+    #
+    id128Bit = true
+```
--- a/docs/img/apollo-logo.png
+++ b/docs/img/apollo-logo.png
--- a/docs/img/asteris.logo.png
+++ b/docs/img/asteris.logo.png
--- a/docs/img/mantl-logo.png
+++ b/docs/img/mantl-logo.png
--- a/docs/img/traefik-health.png
+++ b/docs/img/traefik-health.png
--- a/docs/img/web.frontend.png
+++ b/docs/img/web.frontend.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -10,65 +10,167 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)


-Træfik (pronounced like [traffic](https://speak-ipa.bearbin.net/speak.cgi?speak=%CB%88tr%C3%A6f%C9%AAk)) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
-It supports several backends ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), and a lot more) to manage its configuration automatically and dynamically.
+Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Træfik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Telling Træfik where your orchestrator is could be the _only_ configuration step you need to do.

 ## Overview

-Imagine that you have deployed a bunch of microservices on your infrastructure. You probably used a service registry (like etcd or consul) and/or an orchestrator (swarm, Mesos/Marathon) to manage all these services.
-If you want your users to access some of your microservices from the Internet, you will have to use a reverse proxy and configure it using virtual hosts or prefix paths:
+Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul).
+Now you want users to access these microservices, and you need a reverse proxy.

- domain `api.domain.com` will point the microservice `api` in your private network
- path `domain.com/web` will point the microservice `web` in your private network
- domain `backoffice.domain.com` will point the microservices `backoffice` in your private network, load-balancing between your multiple instances
+Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice.
+In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious.

-But a microservices architecture is dynamic... Services are added, removed, killed or upgraded often, eventually several times a day.
+**This is when Træfik can help you!**

-Traditional reverse-proxies are not natively dynamic. You can't change their configuration and hot-reload easily.
+Træfik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.

-Here enters Træfik.
+**Run Træfik and let it do the work for you!**
+_(But if you'd rather configure some of your routes manually, Træfik supports that too!)_

 ![Architecture](img/architecture.png)

-Træfik can listen to your service registry/orchestrator API, and knows each time a microservice is added, removed, killed or upgraded, and can generate its configuration automatically.
-Routes to your services will be created instantly.
-
-Run it and forget it!
-
 ## Features

- [It's fast](/benchmarks)
- No dependency hell, single binary made with go
- [Tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
- Rest API
- Hot-reloading of configuration. No need to restart the process
+- Continuously updates its configuration (No restarts!)
+- Supports multiple load balancing algorithms
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
 - Circuit breakers, retry
- Round Robin, rebalancer load-balancers
- Metrics (Rest, Prometheus, Datadog, Statd)
- Clean AngularJS Web UI
+- High Availability with cluster mode (beta)
+- See the magic through its clean web UI
 - Websocket, HTTP/2, GRPC ready
- Access Logs (JSON, CLF)
- [Let's Encrypt](https://letsencrypt.org) support (Automatic HTTPS with renewal)
- High Availability with cluster mode
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
+- Keeps access logs (JSON, CLF)
+- [Fast](/benchmarks) ... which is nice
+- Exposes a Rest API
+- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image


 ## Supported backends

- [Docker](https://www.docker.com/) / [Swarm mode](https://docs.docker.com/engine/swarm/)
- [Kubernetes](https://kubernetes.io)
- [Mesos](https://github.com/apache/mesos) / [Marathon](https://mesosphere.github.io/marathon/)
- [Rancher](https://rancher.com) (API, Metadata)
- [Consul](https://www.consul.io/) / [Etcd](https://coreos.com/etcd/) / [Zookeeper](https://zookeeper.apache.org) / [BoltDB](https://github.com/boltdb/bolt)
- [Eureka](https://github.com/Netflix/eureka)
- [Amazon ECS](https://aws.amazon.com/ecs)
- [Amazon DynamoDB](https://aws.amazon.com/dynamodb)
- File
- Rest API
+- [Docker](/configuration/backends/docker/) / [Swarm mode](/configuration/backends/docker/#docker-swarm-mode)
+- [Kubernetes](/configuration/backends/kubernetes/)
+- [Mesos](/configuration/backends/mesos/) / [Marathon](/configuration/backends/marathon/)
+- [Rancher](/configuration/backends/rancher/) (API, Metadata)
+- [Azure Service Fabric](/configuration/backends/servicefabric/)
+- [Consul Catalog](/configuration/backends/consulcatalog/)
+- [Consul](/configuration/backends/consul/) / [Etcd](/configuration/backends/etcd/) / [Zookeeper](/configuration/backends/zookeeper/) / [BoltDB](/configuration/backends/boltdb/)
+- [Eureka](/configuration/backends/eureka/)
+- [Amazon ECS](/configuration/backends/ecs/)
+- [Amazon DynamoDB](/configuration/backends/dynamodb/)
+- [File](/configuration/backends/file/)
+- [Rest](/configuration/backends/rest/)

+## The Træfik Quickstart (Using Docker)

-## Quickstart
+In this quickstart, we'll use [Docker compose](https://docs.docker.com/compose) to create our demo infrastructure.

-You can have a quick look at Træfik in this [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers.
+To save some time, you can clone [Træfik's repository](https://github.com/containous/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory.
+
+### 1 — Launch Træfik — Tell It to Listen to Docker
+
+Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Træfik image:
+
+```yaml
+version: '3'
+
+services:
+  reverse-proxy:
+    image: traefik # The official Traefik docker image
+    command: --api --docker # Enables the web UI and tells Træfik to listen to docker
+    ports:
+      - "80:80"     # The HTTP port
+      - "8080:8080" # The Web UI (enabled by --api)
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+```
+
+**That's it. Now you can launch Træfik!**
+
+Start your `reverse-proxy` with the following command:
+
+```shell
+docker-compose up -d reverse-proxy
+```
+
+You can open a browser and go to [http://localhost:8080](http://localhost:8080) to see Træfik's dashboard (we'll go back there once we have launched a service in step 2).
+
+### 2 — Launch a Service — Træfik Detects It and Creates a Route for You
+
+Now that we have a Træfik instance up and running, we will deploy new services.
+
+Edit your `docker-compose.yml` file and add the following at the end of your file.
+
+```yaml
+# ...
+  whoami:
+    image: emilevauge/whoami # A container that exposes an API to show its IP address
+    labels:
+      - "traefik.frontend.rule=Host:whoami.docker.localhost"
+```
+
+The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
+
+Start the `whoami` service with the following command:
+
+```shell
+docker-compose up -d whoami
+```
+
+Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Træfik has automatically detected the new container and updated its own configuration.
+
+When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)
+
+```shell
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+_Shows the following output:_
+```yaml
+Hostname: 8656c8ddca6c
+IP: 172.27.0.3
+#...
+```
+
+### 3 — Launch More Instances — Traefik Load Balances Them
+
+Run more instances of your `whoami` service with the following command:
+
+```shell
+docker-compose up -d --scale whoami=2
+```
+
+Go back to your browser ([http://localhost:8080](http://localhost:8080)) and see that Træfik has automatically detected the new instance of the container.
+
+Finally, see that Træfik load-balances between the two instances of your services by running twice the following command:
+
+```shell
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+The output will show alternatively one of the followings:
+
+```yaml
+Hostname: 8656c8ddca6c
+IP: 172.27.0.3
+#...
+```
+
+```yaml
+Hostname: 8458f154e1f1
+IP: 172.27.0.4
+# ...
+```
+
+### 4 — Enjoy Træfik's Magic
+
+Now that you have a basic understanding of how Træfik can automatically create the routes to your services and load balance them, it might be time to dive into [the documentation](/) and let Træfik work for you!
+Whatever your infrastructure is, there is probably [an available Træfik backend](/#supported-backends) that will do the job.
+
+Our recommendation would be to see for yourself how simple it is to enable HTTPS with [Træfik's let's encrypt integration](/user-guide/examples/#lets-encrypt-support) using the dedicated [user guide](/user-guide/docker-and-lets-encrypt/).
+
+## Resources

 Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at [GopherCon 2017](https://gophercon.com).
 You will learn Træfik basics in less than 10 minutes.
@@ -80,9 +182,9 @@ You will learn fundamental Træfik features and see some demos with Kubernetes.

 [![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)

-## Get it
+## Downloads

-### Binary
+### The Official Binary File

 You can grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):

@@ -90,114 +192,10 @@ You can grab the latest binary from the [releases](https://github.com/containous
 ./traefik -c traefik.toml
 ```

-### Docker
+### The Official Docker Image

 Using the tiny Docker image:

 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
 ```
-
-## Test it
-
-You can test Træfik easily using [Docker compose](https://docs.docker.com/compose), with this `docker-compose.yml` file in a folder named `traefik`:
-
-```yaml
-version: '2'
-
-services:
-  proxy:
-    image: traefik
-    command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
-    networks:
-      - webgateway
-    ports:
-      - "80:80"
-      - "8080:8080"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - /dev/null:/traefik.toml
-
-networks:
-  webgateway:
-    driver: bridge
-```
-
-Start it from within the `traefik` folder:
-
-```shell
-docker-compose up -d
-```
-
-In a browser you may open [http://localhost:8080](http://localhost:8080) to access Træfik's dashboard and observe the following magic.
-
-Now, create a folder named `test` and create a `docker-compose.yml` in it with this content:
-
-```yaml
-version: '2'
-
-services:
-  whoami:
-    image: emilevauge/whoami
-    networks:
-      - web
-    labels:
-      - "traefik.backend=whoami"
-      - "traefik.frontend.rule=Host:whoami.docker.localhost"
-
-networks:
-  web:
-    external:
-      name: traefik_webgateway
-```
-
-Then, start and scale it in the `test` folder:
-
-```shell
-docker-compose up -d
-docker-compose scale whoami=2
-```
-
-Finally, test load-balancing between the two services `test_whoami_1` and `test_whoami_2`:
-
-```shell
-curl -H Host:whoami.docker.localhost http://127.0.0.1
-```
-
-```yaml
-Hostname: ef194d07634a
-IP: 127.0.0.1
-IP: ::1
-IP: 172.17.0.4
-IP: fe80::42:acff:fe11:4
-GET / HTTP/1.1
-Host: 172.17.0.4:80
-User-Agent: curl/7.35.0
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 172.17.0.1
-X-Forwarded-Host: 172.17.0.4:80
-X-Forwarded-Proto: http
-X-Forwarded-Server: dbb60406010d
-```
-
-```shell
-curl -H Host:whoami.docker.localhost http://127.0.0.1
-```
-
-```yaml
-Hostname: 6c3c5df0c79a
-IP: 127.0.0.1
-IP: ::1
-IP: 172.17.0.3
-IP: fe80::42:acff:fe11:3
-GET / HTTP/1.1
-Host: 172.17.0.3:80
-User-Agent: curl/7.35.0
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 172.17.0.1
-X-Forwarded-Host: 172.17.0.3:80
-X-Forwarded-Proto: http
-X-Forwarded-Server: dbb60406010d
-```
--- a/docs/theme/partials/footer.html
+++ b/docs/theme/partials/footer.html
@@ -20,7 +20,7 @@
  IN THE SOFTWARE.
 -->

-{% import "partials/language.html" as lang %}
+{% import "partials/language.html" as lang with context %}

 <!-- Application footer -->
 <footer class="md-footer">
@@ -97,7 +97,7 @@

            <!-- Social links -->
            {% block social %}
-            {% include "partials/social.html" %}
+                {% include "partials/social.html" %}
            {% endblock %}
        </div>
    </div>
--- a/docs/user-guide/cluster-docker-consul.md
+++ b/docs/user-guide/cluster-docker-consul.md
@@ -0,0 +1,294 @@
+# Clustering / High Availability on Docker Swarm with Consul
+
+This guide explains how to use Træfik in high availability mode in a Docker Swarm and with Let's Encrypt.
+
+Why do we need Træfik in cluster mode? Running multiple instances should work out of the box?
+
+If you want to use Let's Encrypt with Træfik, sharing configuration or TLS certificates between many Træfik instances, you need Træfik cluster/HA.
+
+Ok, could we mount a shared volume used by all my instances? Yes, you can, but it will not work.
+When you use Let's Encrypt, you need to store certificates, but not only.
+When Træfik generates a new certificate, it configures a challenge and once Let's Encrypt will verify the ownership of the domain, it will ping back the challenge.
+If the challenge is not knowing by other Træfik instances, the validation will fail.
+
+For more information about challenge: [Automatic Certificate Management Environment (ACME)](https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http-challenge)
+
+## Prerequisites
+
+You will need a working Docker Swarm cluster.
+
+## Træfik configuration
+
+In this guide, we will not use a TOML configuration file, but only command line flag.
+With that, we can use the base image without mounting configuration file or building custom image.
+
+What Træfik should do:
+
+- Listen to 80 and 443
+- Redirect HTTP traffic to HTTPS
+- Generate SSL certificate when a domain is added
+- Listen to Docker Swarm event
+
+### EntryPoints configuration
+
+TL;DR:
+
+```shell    
+$ traefik \
+    --entrypoints='Name:http Address::80 Redirect.EntryPoint:https' \
+    --entrypoints='Name:https Address::443 TLS' \
+    --defaultentrypoints=http,https
+```
+
+To listen to different ports, we need to create an entry point for each.
+
+The CLI syntax is `--entrypoints='Name:a_name Address:an_ip_or_empty:a_port options'`.
+If you want to redirect traffic from one entry point to another, it's the option `Redirect.EntryPoint:entrypoint_name`.
+
+By default, we don't want to configure all our services to listen on http and https, we add a default entry point configuration: `--defaultentrypoints=http,https`.
+
+### Let's Encrypt configuration
+
+TL;DR:
+
+```shell
+$ traefik \
+    --acme \
+    --acme.storage=/etc/traefik/acme/acme.json \
+    --acme.entryPoint=https \
+    --acme.httpChallenge.entryPoint=http \
+    --acme.email=contact@mydomain.ca
+```
+
+Let's Encrypt needs 4 parameters: an TLS entry point to listen to, a non-TLS entry point to allow HTTP challenges, a storage for certificates, and an email for the registration.
+
+To enable Let's Encrypt support, you need to add `--acme` flag.
+
+Now, Træfik needs to know where to store the certificates, we can choose between a key in a Key-Value store, or a file path: `--acme.storage=my/key` or `--acme.storage=/path/to/acme.json`.
+
+The `acme.httpChallenge.entryPoint` flag enables the `HTTP-01` challenge and specifies the entryPoint to use during the challenges.
+
+For your email and the entry point, it's `--acme.entryPoint` and `--acme.email` flags.
+
+### Docker configuration
+
+TL;DR:
+
+```shell
+$ traefik \
+    --docker \
+    --docker.swarmMode \
+    --docker.domain=mydomain.ca \
+    --docker.watch
+```
+
+To enable docker and swarm-mode support, you need to add `--docker` and `--docker.swarmMode` flags.
+To watch docker events, add `--docker.watch`.
+
+### Full docker-compose file
+
+```yaml
+version: "3"
+services:
+  traefik:
+    image: traefik:1.5
+    command:
+      - "--api"
+      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
+      - "--entrypoints=Name:https Address::443 TLS"
+      - "--defaultentrypoints=http,https"
+      - "--acme"
+      - "--acme.storage=/etc/traefik/acme/acme.json"
+      - "--acme.entryPoint=https"
+      - "--acme.httpChallenge.entryPoint=http"
+      - "--acme.onHostRule=true"
+      - "--acme.onDemand=false"
+      - "--acme.email=contact@mydomain.ca"
+      - "--docker"
+      - "--docker.swarmMode"
+      - "--docker.domain=mydomain.ca"
+      - "--docker.watch"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - webgateway
+      - traefik
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+      - target: 8080
+        published: 8080
+        mode: host
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.role == manager
+      update_config:
+        parallelism: 1
+        delay: 10s
+      restart_policy:
+        condition: on-failure
+networks:
+  webgateway:
+    driver: overlay
+    external: true
+  traefik:
+    driver: overlay
+```
+
+## Migrate configuration to Consul
+
+We created a special Træfik command to help configuring your Key Value store from a Træfik TOML configuration file and/or CLI flags.
+
+## Deploy a Træfik cluster
+
+The best way we found is to have an initializer service.
+This service will push the config to Consul via the `storeconfig` sub-command.
+
+This service will retry until finishing without error because Consul may not be ready when the service tries to push the configuration.
+
+The initializer in a docker-compose file will be:
+
+```yaml
+  traefik_init:
+    image: traefik:1.5
+    command:
+      - "storeconfig"
+      - "--api"
+      [...]
+      - "--consul"
+      - "--consul.endpoint=consul:8500"
+      - "--consul.prefix=traefik"
+    networks:
+      - traefik
+    deploy:
+      restart_policy:
+        condition: on-failure
+    depends_on:
+      - consul
+```
+
+And now, the Træfik part will only have the Consul configuration.
+
+```yaml
+  traefik:
+    image: traefik:1.5
+    depends_on:
+      - traefik_init
+      - consul
+    command:
+      - "--consul"
+      - "--consul.endpoint=consul:8500"
+      - "--consul.prefix=traefik"
+    [...]
+```
+
+!!! note
+    For Træfik <1.5.0 add `acme.storage=traefik/acme/account` because Træfik is not reading it from Consul.
+
+If you have some update to do, update the initializer service and re-deploy it.
+The new configuration will be stored in Consul, and you need to restart the Træfik node: `docker service update --force traefik_traefik`.
+
+## Full docker-compose file
+
+```yaml
+version: "3.4"
+services:
+  traefik_init:
+    image: traefik:1.5
+    command:
+      - "storeconfig"
+      - "--api"
+      - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
+      - "--entrypoints=Name:https Address::443 TLS"
+      - "--defaultentrypoints=http,https"
+      - "--acme"
+      - "--acme.storage=traefik/acme/account"
+      - "--acme.entryPoint=https"
+      - "--acme.httpChallenge.entryPoint=http"
+      - "--acme.onHostRule=true"
+      - "--acme.onDemand=false"
+      - "--acme.email=foobar@example.com"
+      - "--docker"
+      - "--docker.swarmMode"
+      - "--docker.domain=example.com"
+      - "--docker.watch"
+      - "--consul"
+      - "--consul.endpoint=consul:8500"
+      - "--consul.prefix=traefik"
+    networks:
+      - traefik
+    deploy:
+      restart_policy:
+        condition: on-failure
+    depends_on:
+      - consul
+  traefik:
+    image: traefik:1.5
+    depends_on:
+      - traefik_init
+      - consul
+    command:
+      - "--consul"
+      - "--consul.endpoint=consul:8500"
+      - "--consul.prefix=traefik"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - webgateway
+      - traefik
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+      - target: 8080
+        published: 8080
+        mode: host
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.role == manager
+      update_config:
+        parallelism: 1
+        delay: 10s
+      restart_policy:
+        condition: on-failure
+  consul:
+    image: consul
+    command: agent -server -bootstrap-expect=1
+    volumes:
+      - consul-data:/consul/data
+    environment:
+      - CONSUL_LOCAL_CONFIG={"datacenter":"us_east2","server":true}
+      - CONSUL_BIND_INTERFACE=eth0
+      - CONSUL_CLIENT_INTERFACE=eth0
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.role == manager
+      restart_policy:
+        condition: on-failure
+    networks:
+      - traefik
+
+networks:
+  webgateway:
+    driver: overlay
+    external: true
+  traefik:
+    driver: overlay
+
+volumes:
+  consul-data:
+      driver: [not local]
+```
--- a/docs/user-guide/cluster.md
+++ b/docs/user-guide/cluster.md
@@ -23,3 +23,11 @@ A Træfik cluster is based on a manager/worker model.

 When starting, Træfik will elect a manager.
 If this instance fails, another manager will be automatically elected.
+
+## Træfik cluster and Let's Encrypt
+
+**In cluster mode, ACME certificates have to be stored in [a KV Store entry](/configuration/acme/#storage-kv-entry).**
+
+Thanks to the Træfik cluster mode algorithm (based on [the Raft Consensus Algorithm](https://raft.github.io/)), only one instance will contact Let's encrypt to solve the challenges.
+
+The others instances will get ACME certificate from the KV Store entry.
--- a/docs/user-guide/docker-and-lets-encrypt.md
+++ b/docs/user-guide/docker-and-lets-encrypt.md
@@ -1,8 +1,8 @@
 # Docker & Traefik

-In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
+In this use case, we want to use Træfik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.

-We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
+We also want to automatically _discover any services_ on the Docker host and let Træfik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.

 In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.

@@ -19,7 +19,7 @@ In real-life, you'll want to use your own domain and have the DNS configured acc
 Docker containers can only communicate with each other over TCP when they share at least one network.
 This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.

-In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
+In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Træfik) will reside in.

 On the Docker host, run the following command:

@@ -27,7 +27,7 @@ On the Docker host, run the following command:
 docker network create web
 ```

-Now, let's create a directory on the server where we will configure the rest of Traefik:
+Now, let's create a directory on the server where we will configure the rest of Træfik:

 ```shell
 mkdir -p /opt/traefik
@@ -41,7 +41,7 @@ touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
 touch /opt/traefik/traefik.toml
 ```

-The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
+The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Træfik.

 The contents of the file is as follows:

@@ -50,7 +50,7 @@ version: '2'

 services:
  traefik:
-    image: traefik:1.3.5
+    image: traefik:1.5.4
    restart: always
    ports:
      - 80:80
@@ -59,8 +59,8 @@ services:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - /srv/traefik/traefik.toml:/traefik.toml
-      - /srv/traefik/acme.json:/acme.json
+      - /opt/traefik/traefik.toml:/traefik.toml
+      - /opt/traefik/acme.json:/acme.json
    container_name: traefik

 networks:
@@ -69,16 +69,16 @@ networks:
 ```

 As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.  
-Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).  
+Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Træfik can listen to Docker events and reconfigure its own internal configuration when containers are created (or shut down).  
 Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
 We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.  
 Finally, we're giving this container a static name called `traefik`.

-Let's take a look at a simply `traefik.toml` configuration as well before we'll create the Traefik container:
+Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Træfik container:

 ```toml
 debug = false
-checkNewVersion = true
+
 logLevel = "ERROR"
 defaultEntryPoints = ["https","http"]

@@ -97,29 +97,31 @@ defaultEntryPoints = ["https","http"]
 endpoint = "unix:///var/run/docker.sock"
 domain = "my-awesome-app.org"
 watch = true
-exposedbydefault = false
+exposedByDefault = false

 [acme]
 email = "your-email-here@my-awesome-app.org"
 storage = "acme.json"
 entryPoint = "https"
-OnHostRule = true
+onHostRule = true
+[acme.httpChallenge]
+entryPoint = "http"
 ```

 This is the minimum configuration required to do the following:

- Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messagse
- Check for new versions of Traefik periodically
+- Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messages
+- Check for new versions of Træfik periodically
 - Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
+- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Træfik by default, we'll get into this in a bit!**
 - Enable automatic request and configuration of SSL certificates using Let's Encrypt.
    These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.

-Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container.
+Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Træfik container.

 ## Exposing Web Services to the Outside World

-Now that we've fully configured and started Traefik, it's time to get our applications running!
+Now that we've fully configured and started Træfik, it's time to get our applications running!

 Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not. 

@@ -148,6 +150,10 @@ services:
      - "traefik.frontend.rule=Host:app.my-awesome-app.org"
      - "traefik.enable=true"
      - "traefik.port=9000"
+      - "traefik.default.protocol=http"
+      - "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+      - "traefik.admin.protocol=https"
+      - "traefik.admin.port=9443"

  db:
    image: my-docker-registry.com/back-end/5.7
@@ -190,10 +196,10 @@ Since the `traefik` container we've created and started earlier is also attached

 ### Labels

-As mentioned earlier, we don't want containers exposed automatically by Traefik.
+As mentioned earlier, we don't want containers exposed automatically by Træfik.

 The reason behind this is simple: we want to have control over this process ourselves.
-Thanks to Docker labels, we can tell Traefik how to create it's internal routing configuration.
+Thanks to Docker labels, we can tell Træfik how to create its internal routing configuration.

 Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:

@@ -203,31 +209,56 @@ Let's take a look at the labels themselves for the `app` service, which is a HTT
 - "traefik.frontend.rule=Host:app.my-awesome-app.org"
 - "traefik.enable=true"
 - "traefik.port=9000"
+- "traefik.default.protocol=http"
+- "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+- "traefik.admin.protocol=https"
+- "traefik.admin.port=9443"
 ```

+We use both `container labels` and `service labels`.
+
+#### Container labels
+
 First, we specify the `backend` name which corresponds to the actual service we're routing **to**.

-We also tell Traefik to use the `web` network to route HTTP traffic to this container.  
-With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
-Essentially, this is the actual rule used for Layer-7 load balancing.  
-With the `traefik.enable` label, we tell Traefik to include this container in it's internal configuration.
+We also tell Træfik to use the `web` network to route HTTP traffic to this container. 
+With the `traefik.enable` label, we tell Træfik to include this container in its internal configuration.

-Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+With the `frontend.rule` label, we tell Træfik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
+Essentially, this is the actual rule used for Layer-7 load balancing. 
+
+Finally but not unimportantly, we tell Træfik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+
+### Service labels
+
+`Service labels` allow managing many routes for the same container.
+
+When both `container labels` and `service labels` are defined, `container labels` are just used as default values for missing `service labels` but no frontend/backend are going to be defined only with these labels.
+Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `service labels` during the container frontends/bakends creation.
+
+In the example, two service names are defined : `default` and `admin`.
+They allow creating two frontends and two backends.
+
+- `default` has only one `service label` : `traefik.default.protocol`.
+Træfik will use values set in `traefik.frontend.rule` and `traefik.port` to create the `default` frontend and backend.
+The frontend listens to incoming HTTP requests which contain the `Host` `app.my-awesome-app.org` and redirect them in `HTTP` to the port `9000` of the backend.
+- `admin` has all the `services labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
+Træfik will create a frontend to listen to incoming HTTP requests which contain the `Host` `admin-app.my-awesome-app.org` and redirect them in `HTTPS` to the port `9443` of the backend.

 #### Gotchas and tips

 - Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.  
-    If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
+    If a container exposes multiple ports, Træfik may forward traffic to the wrong port.
    Even if a container only exposes one port, you should always write configuration defensively and explicitly.
- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
+- Should you choose to enable the `exposedByDefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Træfik will automatically be reachable from the outside world, for everyone and everyone to see.
    Usually, this is a bad idea.
- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
+- With the `traefik.frontend.auth.basic` label, it's possible for Træfik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
+- Træfik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
+- Træfik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
    Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)

 ### Final thoughts

-Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.
+Using Træfik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.

 With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@@ -6,6 +6,7 @@ You will find here some configuration examples of Træfik.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@@ -15,6 +16,7 @@ defaultEntryPoints = ["http"]

 ```toml
 defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@@ -34,6 +36,7 @@ Note that we can either give path to certificate file or directly the file conte

 ```toml
 defaultEntryPoints = ["http", "https"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@@ -47,12 +50,17 @@ defaultEntryPoints = ["http", "https"]
      keyFile = "examples/traefik.key"
 ```

+!!! note
+    Please note that `regex` and `replacement` do not have to be set in the `redirect` structure if an entrypoint is defined for the redirection (they will not be used in this case)
+
 ## Let's Encrypt support

-### Basic example
+### Basic example with HTTP challenge

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@@ -62,6 +70,8 @@ email = "test@traefik.io"
 storage = "acme.json"
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"

 [[acme.domains]]
  main = "local1.com"
@@ -75,14 +85,16 @@ entryPoint = "https"
  main = "local4.com"
 ```

-This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com` with described SANs.
+This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com` with described SANs.

-Traefik generates these certificates when it starts and it needs to be restart if new domains are added.
+Træfik generates these certificates when it starts and it needs to be restart if new domains are added.

-### OnHostRule option
+### onHostRule option (with HTTP challenge)

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@@ -93,6 +105,8 @@ storage = "acme.json"
 onHostRule = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"

 [[acme.domains]]
  main = "local1.com"
@@ -106,16 +120,18 @@ entryPoint = "https"
  main = "local4.com"
 ```

-This configuration allows generating Let's Encrypt certificates for the four domains `local[1-4].com`.
+This configuration allows generating Let's Encrypt certificates (thanks to `HTTP-01` challenge) for the four domains `local[1-4].com`.

-Traefik generates these certificates when it starts.
+Træfik generates these certificates when it starts.

-If a backend is added with a `onHost` rule, Traefik will automatically generate the Let's Encrypt certificate for the new domain.
+If a backend is added with a `onHost` rule, Træfik will automatically generate the Let's Encrypt certificate for the new domain (for frontends wired on the `acme.entryPoint`).

-### OnDemand option
+### OnDemand option (with HTTP challenge)

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@@ -126,18 +142,19 @@ storage = "acme.json"
 onDemand = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.httpChallenge]
+  entryPoint = "http"
 ```

-This configuration allows generating a Let's Encrypt certificate during the first HTTPS request on a new domain.
-
+This configuration allows generating a Let's Encrypt certificate (thanks to `HTTP-01` challenge) during the first HTTPS request on a new domain.

 !!! note
    This option simplifies the configuration but :

-    * TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
+    * TLS handshakes will be slow when requesting a hostname certificate for the first time, which can lead to DDoS attacks.
    * Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits

-    That's why, it's better to use the `onHostRule` optin if possible.
+    That's why, it's better to use the `onHostRule` option if possible.

 ### DNS challenge

@@ -150,10 +167,11 @@ This configuration allows generating a Let's Encrypt certificate during the firs
 [acme]
 email = "test@traefik.io"
 storage = "acme.json"
-dnsProvider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
-delayDontCheckDNS = 0
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
+  [acme.dnsChallenge]
+  provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
+  delayBeforeCheck = 0

 [[acme.domains]]
  main = "local1.com"
@@ -168,14 +186,51 @@ entryPoint = "https"
 ```

 DNS challenge needs environment variables to be executed.
-This variables have to be set on the machine/container which host Traefik.
+These variables have to be set on the machine/container that host Træfik.

-These variables has described [in this section](/configuration/acme/#dnsprovider).
+These variables are described [in this section](/configuration/acme/#provider).

-### OnHostRule option and provided certificates
+### DNS challenge with wildcard domains

 ```toml
 [entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+
+[acme]
+email = "test@traefik.io"
+storage = "acme.json"
+caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+entryPoint = "https"
+  [acme.dnsChallenge]
+  provider = "digitalocean" # DNS Provider name (cloudflare, OVH, gandi...)
+  delayBeforeCheck = 0
+
+[[acme.domains]]
+  main = "*.local1.com"
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2x.local2.com"]
+[[acme.domains]]
+  main = "*.local3.com"
+[[acme.domains]]
+  main = "*.local4.com"
+```
+
+DNS challenge needs environment variables to be executed.
+These variables have to be set on the machine/container that host Træfik.
+
+These variables are described [in this section](/configuration/acme/#provider).
+
+More information about wildcard certificates are available [in this section](/configuration/acme/#wildcard-domain).
+
+### onHostRule option and provided certificates (with HTTP challenge)
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@@ -189,21 +244,24 @@ storage = "acme.json"
 onHostRule = true
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"
-
+  [acme.httpChallenge]
+  entryPoint = "http"
 ```

-Traefik will only try to generate a Let's encrypt certificate if the domain cannot be checked by the provided certificates.
+Træfik will only try to generate a Let's encrypt certificate (thanks to `HTTP-01` challenge) if the domain cannot be checked by the provided certificates.

 ### Cluster mode

 #### Prerequisites

-Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
+Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.

 #### Configuration

 ```toml
 [entryPoints]
+  [entryPoints.http]
+  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
@@ -214,6 +272,9 @@ storage = "traefik/acme/account"
 caServer = "http://172.18.0.1:4000/directory"
 entryPoint = "https"

+[acme.httpChallenge]
+    entryPoint = "http"
+
 [[acme.domains]]
  main = "local1.com"
  sans = ["test1.local1.com", "test2.local1.com"]
@@ -241,10 +302,12 @@ The `consul` provider contains the configuration.

 ```toml
 [frontends]
+
  [frontends.frontend1]
  backend = "backend2"
    [frontends.frontend1.routes.test_1]
    rule = "Host:test.localhost"
+
  [frontends.frontend2]
  backend = "backend1"
  passHostHeader = true
@@ -252,23 +315,25 @@ The `consul` provider contains the configuration.
  entrypoints = ["https"] # overrides defaultEntryPoints
    [frontends.frontend2.routes.test_1]
    rule = "Host:{subdomain:[a-z]+}.localhost"
+
  [frontends.frontend3]
  entrypoints = ["http", "https"] # overrides defaultEntryPoints
  backend = "backend2"
-    rule = "Path:/test"
+  rule = "Path:/test"
 ```

-## Enable Basic authentication in an entrypoint
+## Enable Basic authentication in an entry point

 With two user/pass:

 - `test`:`test`
 - `test2`:`test2`

-Passwords are encoded in MD5: you can use htpasswd to generate those ones.
+Passwords are encoded in MD5: you can use `htpasswd` to generate them.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@@ -283,6 +348,7 @@ via a configurable header value.

 ```toml
 defaultEntryPoints = ["http"]
+
 [entryPoints]
  [entryPoints.http]
  address = ":80"
@@ -292,7 +358,7 @@ defaultEntryPoints = ["http"]
    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
 ```

-## Override the Traefik HTTP server IdleTimeout and/or throttle configurations from re-loading too quickly
+## Override the Traefik HTTP server idleTimeout and/or throttle configurations from re-loading too quickly

 ```toml
 providersThrottleDuration = "5s"
@@ -300,86 +366,3 @@ providersThrottleDuration = "5s"
 [respondingTimeouts]
 idleTimeout = "360s"
 ```
-
-## Securing Ping Health Check
-
-The `/ping` health-check URL is enabled together with the web admin panel, enabled with the command-line `--web` or config file option `[web]`.
-Thus, if you have a regular path for `/foo` and an entrypoint on `:80`, you would access them as follows:
-
-* Regular path: `http://hostname:80/foo`
-* Admin panel: `http://hostname:8080/`
-* Ping URL: `http://hostname:8080/ping`
-
-However, for security reasons, you may want to be able to expose the `/ping` health-check URL to outside health-checkers, e.g. an Internet service or cloud load-balancer, _without_ exposing your admin panel's port.
-In many environments, the security staff may not _allow_ you to expose it.
-
-You have two options:
-
-* Enable `/ping` on a regular entrypoint
-* Enable `/ping` on a dedicated port
-
-### Enable ping health check on a regular entrypoint
-
-To proxy `/ping` from a regular entrypoint to the admin one without exposing the panel, do the following:
-
-```toml
-[backends]
-  [backends.traefik]
-    [backends.traefik.servers.server1]
-    url = "http://localhost:8080"
-    weight = 10
-
-[frontends]
-  [frontends.traefikadmin]
-  backend = "traefik"
-    [frontends.traefikadmin.routes.ping]
-    rule = "Path:/ping"
-```
-
-The above creates a new backend called `traefik`, listening on `http://localhost:8080`, i.e. the local admin port.
-We only expose the admin panel via the `frontend` named `traefikadmin`, and only expose the `/ping` Path.
-Be careful with the `traefikadmin` frontend. If you do _not_ specify a `Path:` rule, you would expose the entire dashboard.
-
-### Enable ping health check on dedicated port
-
-If you do not want to or cannot expose the health-check on a regular entrypoint - e.g. your security rules do not allow it, or you have a conflicting path - then you can enable health-check on its own entrypoint.
-Use the following config:
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  [entryPoints.ping]
-  address = ":8082"
-
-[backends]
-  [backends.traefik]
-    [backends.traefik.servers.server1]
-    url = "http://localhost:8080"
-    weight = 10
-
-[frontends]
-  [frontends.traefikadmin]
-  backend = "traefik"
-  entrypoints = ["ping"]
-    [frontends.traefikadmin.routes.ping]
-    rule = "Path:/ping"
-```
-
-The above is similar to the previous example, but instead of enabling `/ping` on the _default_ entrypoint, we enable it on a _dedicated_ entrypoint.
-
-In the above example, you would access a regular path, admin panel and health-check as follows:
-
-* Regular path: `http://hostname:80/foo`
-* Admin panel: `http://hostname:8080/`
-* Ping URL: `http://hostname:8082/ping`
-
-Note the dedicated port `:8082` for `/ping`.
-
-In the above example, it is _very_ important to create a named dedicated entrypoint, and do **not** include it in `defaultEntryPoints`.
-Otherwise, you are likely to expose _all_ services via that entrypoint.
-
-In the above example, we have two entrypoints, `http` and `ping`, but we only included `http` in `defaultEntryPoints`, while explicitly tying `frontend.traefikadmin` to the `ping` entrypoint.
-This ensures that all the "normal" frontends will be exposed via entrypoint `http` and _not_ via entrypoint `ping`.
--- a/docs/user-guide/grpc.md
+++ b/docs/user-guide/grpc.md
@@ -3,7 +3,7 @@
 This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.

 !!! warning
-    As gRPC needs HTTP2, we need valid HTTPS certificates on both gRPC Server and Træfik.
+    As gRPC needs HTTP2, we need HTTPS certificates on both gRPC Server and Træfik.

 <p align="center">
 <img src="/img/grpc.svg" alt="gRPC architecture" title="gRPC architecture" />
@@ -45,7 +45,7 @@ At last, we configure our Træfik instance to use both self-signed certificates.
 defaultEntryPoints = ["https"]

 # For secure connection on backend.local
-RootCAs = [ "./backend.cert" ]
+rootCAs = [ "./backend.cert" ]

 [entryPoints]
  [entryPoints.https]
@@ -57,8 +57,7 @@ RootCAs = [ "./backend.cert" ]
     keyFile  = "./frontend.key"


-[web]
-  address = ":8080"
+[api]

 [file]

@@ -76,9 +75,12 @@ RootCAs = [ "./backend.cert" ]
    rule = "Host:frontend.local"
 ```

+!!! warning
+    With some backends, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAS` to activate HTTPS without hostname verification.
+
 ## Conclusion

-We don't need specific configuration to use gRPC in Træfik, we just need to be careful that all the exchanges (between client and Træfik, and between Træfik and backend) are valid HTTPS communications (without `InsecureSkipVerify` enabled) because gRPC use HTTP2.
+We don't need specific configuration to use gRPC in Træfik, we just need to be careful that all the exchanges (between client and Træfik, and between Træfik and backend) are HTTPS communications because gRPC uses HTTP2.

 ## A gRPC example in go

--- a/docs/user-guide/kubernetes.md
+++ b/docs/user-guide/kubernetes.md
@@ -1,6 +1,6 @@
 # Kubernetes Ingress Controller

-This guide explains how to use Træfik as an Ingress controller in a Kubernetes cluster.
+This guide explains how to use Træfik as an Ingress controller for a Kubernetes cluster.

 If you are not familiar with Ingresses in Kubernetes you might want to read the [Kubernetes user guide](https://kubernetes.io/docs/concepts/services-networking/ingress/)

@@ -8,19 +8,25 @@ The config files used in this guide can be found in the [examples directory](htt

 ## Prerequisites

-1. A working Kubernetes cluster. If you want to follow along with this guide, you should setup [minikube](https://kubernetes.io/docs/getting-started-guides/minikube/)
-on your machine, as it is the quickest way to get a local Kubernetes cluster setup for experimentation and development.
+1. A working Kubernetes cluster. If you want to follow along with this guide, you should setup [minikube](https://kubernetes.io/docs/getting-started-guides/minikube/) on your machine, as it is the quickest way to get a local Kubernetes cluster setup for experimentation and development.
+
+!!! note
+    The guide is likely not fully adequate for a production-ready setup.

 2. The `kubectl` binary should be [installed on your workstation](https://kubernetes.io/docs/getting-started-guides/minikube/#download-kubectl).

 ### Role Based Access Control configuration (Kubernetes 1.6+ only)

-Kubernetes introduces [Role Based Access Control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) in 1.6+ to allow fine-grained control of Kubernetes resources and api.
+Kubernetes introduces [Role Based Access Control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) in 1.6+ to allow fine-grained control of Kubernetes resources and API.

-If your cluster is configured with RBAC, you may need to authorize Træfik to use the Kubernetes API using ClusterRole and ClusterRoleBinding resources:
+If your cluster is configured with RBAC, you will need to authorize Træfik to use the Kubernetes API. There are two ways to set up the proper permission: Via namespace-specific RoleBindings or a single, global ClusterRoleBinding.
+
+RoleBindings per namespace enable to restrict granted permissions to the very namespaces only that Træfik is watching over, thereby following the least-privileges principle. This is the preferred approach if Træfik is not supposed to watch all namespaces, and the set of namespaces does not change dynamically. Otherwise, a single ClusterRoleBinding must be employed.

 !!! note
-    your cluster may have suitable ClusterRoles already setup, but the following should work everywhere
+    RoleBindings per namespace are available in Træfik 1.5 and later. Please use ClusterRoleBindings for older versions.
+
+For the sake of simplicity, this guide will use a ClusterRoleBinding:

 ```yaml
 ---
@@ -32,7 +38,6 @@ rules:
  - apiGroups:
      - ""
    resources:
-      - pods
      - services
      - endpoints
      - secrets
@@ -69,18 +74,20 @@ subjects:
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
 ```

+For namespaced restrictions, one RoleBinding is required per watched namespace along with a corresponding configuration of Træfik's `kubernetes.namespaces` parameter.
+
 ## Deploy Træfik using a Deployment or DaemonSet

 It is possible to use Træfik with a [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) or a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) object,
 whereas both options have their own pros and cons:
- 
- The scalability is much better when using a Deployment, because you will have a Single-Pod-per-Node model when using the DeaemonSet.  
- It is possible to exclusively run a Service on a dedicated set of machines using taints and tolerations with a DaemonSet.  
+
+- The scalability is much better when using a Deployment, because you will have a Single-Pod-per-Node model when using the DaemonSet.
+- It is possible to exclusively run a Service on a dedicated set of machines using taints and tolerations with a DaemonSet.
 - On the other hand the DaemonSet allows you to access any Node directly on Port 80 and 443, where you have to setup a [Service](https://kubernetes.io/docs/concepts/services-networking/service/) object with a Deployment.

 The Deployment objects looks like this:

-```yml
+```yaml
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -112,13 +119,15 @@ spec:
      - image: traefik
        name: traefik-ingress-lb
        args:
-        - --web
+        - --api
        - --kubernetes
+        - --logLevel=INFO
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -131,6 +140,7 @@ spec:
      name: admin
  type: NodePort
 ```
+
 [examples/k8s/traefik-deployment.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-deployment.yaml)

 !!! note
@@ -173,16 +183,21 @@ spec:
        - name: admin
          containerPort: 8080
        securityContext:
-          privileged: true
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
        args:
-        - -d
-        - --web
+        - --api
        - --kubernetes
+        - --logLevel=INFO
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -226,7 +241,7 @@ Start by listing the pods in the `kube-system` namespace:
 kubectl --namespace=kube-system get pods
 ```

-```
+```shell
 NAME                                         READY     STATUS    RESTARTS   AGE
 kube-addon-manager-minikubevm                1/1       Running   0          4h
 kubernetes-dashboard-s8krj                   1/1       Running   0          4h
@@ -234,7 +249,7 @@ traefik-ingress-controller-678226159-eqseo   1/1       Running   0          7m
 ```

 You should see that after submitting the Deployment or DaemonSet to Kubernetes it has launched a Pod, and it is now running.
-_It might take a few moments for kubernetes to pull the Træfik image and start the container._
+_It might take a few moments for Kubernetes to pull the Træfik image and start the container._

 !!! note
    You could also check the deployment with the Kubernetes dashboard, run
@@ -243,40 +258,45 @@ _It might take a few moments for kubernetes to pull the Træfik image and start

 You should now be able to access Træfik on port 80 of your Minikube instance when using the DaemonSet:

-```sh
+```shell
 curl $(minikube ip)
 ```
-```
+
+```shell
 404 page not found
 ```

-If you decided to use the deployment, then you need to target the correct NodePort, which can be seen then you execute `kubectl get services --namespace=kube-system`.
+If you decided to use the deployment, then you need to target the correct NodePort, which can be seen when you execute `kubectl get services --namespace=kube-system`.

-```sh
+```shell
 curl $(minikube ip):<NODEPORT>
 ```
-```
+
+```shell
 404 page not found
 ```

 !!! note
    We expect to see a 404 response here as we haven't yet given Træfik any configuration.

+All further examples below assume a DaemonSet installation. Deployment users will need to append the NodePort when constructing requests.
+
 ## Deploy Træfik using Helm Chart

-Instead of installing Træfik via an own object, you can also use the Træfik Helm chart.
+!!! note
+    The Helm Chart is maintained by the community, not the Træfik project maintainers.

-This allows more complex configuration via Kubernetes [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configmap/) and enabled TLS certificates.
+Instead of installing Træfik via Kubernetes object directly, you can also use the Træfik Helm chart.

-Install Træfik chart by:
+Install the Træfik chart by:

 ```shell
 helm install stable/traefik
 ```

-For more information, check out [the doc](https://github.com/kubernetes/charts/tree/master/stable/traefik).
+For more information, check out [the documentation](https://github.com/kubernetes/charts/tree/master/stable/traefik).

-## Submitting An Ingress to the cluster.
+## Submitting an Ingress to the Cluster

 Lets start by creating a Service and an Ingress that will expose the [Træfik Web UI](https://github.com/containous/traefik#web-ui).

@@ -309,28 +329,146 @@ spec:
          serviceName: traefik-web-ui
          servicePort: 80
 ```
+
 [examples/k8s/ui.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/ui.yaml)

 ```shell
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
 ```

-Now lets setup an entry in our /etc/hosts file to route `traefik-ui.minikube` to our cluster.
+Now lets setup an entry in our `/etc/hosts` file to route `traefik-ui.minikube` to our cluster.

-In production you would want to set up real dns entries.  
-You can get the ip address of your minikube instance by running `minikube ip`
+In production you would want to set up real DNS entries.
+You can get the IP address of your minikube instance by running `minikube ip`:

 ```shell
 echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts
 ```

-We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik Web UI.
+We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik web UI.

-## Name based routing
+### Add a TLS Certificate to the Ingress

-In this example we are going to setup websites for 3 of the United Kingdoms best loved cheeses, Cheddar, Stilton and Wensleydale.
+!!! note
+    For this example to work you need a TLS entrypoint. You don't have to provide a TLS certificate at this point.
+    For more details see [here](/configuration/entrypoints/).

-First lets start by launching the 3 pods for the cheese websites.
+To setup an HTTPS-protected ingress, you can leverage the TLS feature of the ingress resource.
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  rules:
+  - host: traefik-ui.minikube
+    http:
+      paths:
+      - backend:
+          serviceName: traefik-web-ui
+          servicePort: 80
+  tls:
+   - secretName: traefik-ui-tls-cert
+```
+
+In addition to the modified ingress you need to provide the TLS certificate via a Kubernetes secret in the same namespace as the ingress.
+The following two commands will generate a new certificate and create a secret containing the key and cert files.
+
+```shell
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=traefik-ui.minikube"
+kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
+```
+
+If there are any errors while loading the TLS section of an ingress, the whole ingress will be skipped.
+
+!!! note
+    The secret must have two entries named `tls.key`and `tls.crt`.
+    See the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) for more details.
+
+!!! note
+    The TLS certificates will be added to all entrypoints defined by the ingress annotation `traefik.frontend.entryPoints`.
+    If no such annotation is provided, the TLS certificates will be added to all TLS-enabled `defaultEntryPoints`.
+
+!!! note
+    The field `hosts` in the TLS configuration is ignored. Instead, the domains provided by the certificate are used for this purpose.
+    It is recommended to not use wildcard certificates as they will match globally.
+
+## Basic Authentication
+
+It's possible to protect access to Træfik through basic authentication. (See the [Kubernetes Ingress](/configuration/backends/kubernetes) configuration page for syntactical details and restrictions.)
+
+### Creating the Secret
+
+A. Use `htpasswd` to create a file containing the username and the MD5-encoded password:
+
+```shell
+htpasswd -c ./auth myusername
+```
+
+You will be prompted for a password which you will have to enter twice.
+`htpasswd` will create a file with the following:
+
+```shell
+cat auth
+```
+
+```shell
+myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0
+```
+
+B. Now use `kubectl` to create a secret in the `monitoring` namespace using the file created by `htpasswd`.
+
+```shell
+kubectl create secret generic mysecret --from-file auth --namespace=monitoring
+```
+
+!!! note
+    Secret must be in same namespace as the Ingress object.
+
+C. Attach the following annotations to the Ingress object:
+
+- `ingress.kubernetes.io/auth-type: "basic"`
+- `ingress.kubernetes.io/auth-secret: "mysecret"`
+
+They specify basic authentication and reference the Secret `mysecret` containing the credentials.
+
+Following is a full Ingress example based on Prometheus:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus-dashboard
+ namespace: monitoring
+ annotations:
+   kubernetes.io/ingress.class: traefik
+   ingress.kubernetes.io/auth-type: "basic"
+   ingress.kubernetes.io/auth-secret: "mysecret"
+spec:
+ rules:
+ - host: dashboard.prometheus.example.com
+   http:
+     paths:
+     - backend:
+         serviceName: prometheus
+         servicePort: 9090
+```
+
+You can apply the example as following:
+
+```shell
+kubectl create -f prometheus-ingress.yaml -n monitoring
+```
+
+## Name-based Routing
+
+In this example we are going to setup websites for three of the United Kingdoms best loved cheeses: Cheddar, Stilton, and Wensleydale.
+
+First lets start by launching the pods for the cheese websites.

 ```yaml
 ---
@@ -412,13 +550,14 @@ spec:
        ports:
        - containerPort: 80
 ```
+
 [examples/k8s/cheese-deployments.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-deployments.yaml)

 ```shell
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-deployments.yaml
 ```

-Next we need to setup a service for each of the cheese pods.
+Next we need to setup a Service for each of the cheese pods.

 ```yaml
 ---
@@ -467,7 +606,6 @@ spec:
 !!! note
    We also set a [circuit breaker expression](/basics/#backends) for one of the backends by setting the `traefik.backend.circuitbreaker` annotation on the service.

-
 [examples/k8s/cheese-services.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-services.yaml)

 ```shell
@@ -507,6 +645,7 @@ spec:
          serviceName: wensleydale
          servicePort: http
 ```
+
 [examples/k8s/cheese-ingress.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-ingress.yaml)

 !!! note
@@ -517,7 +656,7 @@ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/exa
 ```

 Now visit the [Træfik dashboard](http://traefik-ui.minikube/) and you should see a frontend for each host.
-Along with a backend listing for each service with a Server set up for each pod.
+Along with a backend listing for each service with a server set up for each pod.

 If you edit your `/etc/hosts` again you should be able to access the cheese websites in your browser.

@@ -525,11 +664,11 @@ If you edit your `/etc/hosts` again you should be able to access the cheese webs
 echo "$(minikube ip) stilton.minikube cheddar.minikube wensleydale.minikube" | sudo tee -a /etc/hosts
 ```

-* [Stilton](http://stilton.minikube/)
-* [Cheddar](http://cheddar.minikube/)
-* [Wensleydale](http://wensleydale.minikube/)
+- [Stilton](http://stilton.minikube/)
+- [Cheddar](http://cheddar.minikube/)
+- [Wensleydale](http://wensleydale.minikube/)

-## Path based routing
+## Path-based Routing

 Now lets suppose that our fictional client has decided that while they are super happy about our cheesy web design, when they asked for 3 websites they had not really bargained on having to buy 3 domain names.

@@ -561,10 +700,11 @@ spec:
          serviceName: wensleydale
          servicePort: http
 ```
+
 [examples/k8s/cheeses-ingress.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheeses-ingress.yaml)

 !!! note
-    we are configuring Træfik to strip the prefix from the url path with the `traefik.frontend.rule.type` annotation so that we can use the containers from the previous example without modification.
+    We are configuring Træfik to strip the prefix from the url path with the `traefik.frontend.rule.type` annotation so that we can use the containers from the previous example without modification.

 ```shell
 kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheeses-ingress.yaml
@@ -576,14 +716,14 @@ echo "$(minikube ip) cheeses.minikube" | sudo tee -a /etc/hosts

 You should now be able to visit the websites in your browser.

-* [cheeses.minikube/stilton](http://cheeses.minikube/stilton/)
-* [cheeses.minikube/cheddar](http://cheeses.minikube/cheddar/)
-* [cheeses.minikube/wensleydale](http://cheeses.minikube/wensleydale/)
+- [cheeses.minikube/stilton](http://cheeses.minikube/stilton/)
+- [cheeses.minikube/cheddar](http://cheeses.minikube/cheddar/)
+- [cheeses.minikube/wensleydale](http://cheeses.minikube/wensleydale/)

-## Specifying priority for routing
+## Specifying Routing Priorities

-Sometimes you need to specify priority for ingress route, especially when handling wildcard routes.
-This can be done by adding annotation `traefik.frontend.priority`, i.e.:
+Sometimes you need to specify priority for ingress routes, especially when handling wildcard routes.
+This can be done by adding the `traefik.frontend.priority` annotation, i.e.:

 ```yaml
 apiVersion: extensions/v1beta1
@@ -591,7 +731,7 @@ kind: Ingress
 metadata:
  name: wildcard-cheeses
  annotations:
-    traefik.frontend.priority: 1
+    traefik.frontend.priority: "1"
 spec:
  rules:
  - host: *.minikube
@@ -606,7 +746,7 @@ kind: Ingress
 metadata:
  name: specific-cheeses
  annotations:
-    traefik.frontend.priority: 2
+    traefik.frontend.priority: "2"
 spec:
  rules:
  - host: specific.minikube
@@ -618,33 +758,33 @@ spec:
          servicePort: http
 ```

+Note that priority values must be quoted to avoid numeric interpretation (which are illegal for annotations).

 ## Forwarding to ExternalNames

 When specifying an [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#services-without-selectors),
-Træfik will forward requests to the given host accordingly and use HTTPS when the Service port matches 443.  
+Træfik will forward requests to the given host accordingly and use HTTPS when the Service port matches 443.
 This still requires setting up a proper port mapping on the Service from the Ingress port to the (external) Service port.

-## Disable passing the Host header
+## Disable passing the Host Header

-By default Træfik will pass the incoming Host header on to the upstream resource.
+By default Træfik will pass the incoming Host header to the upstream resource.

-There are times however where you may not want this to be the case.
-For example if your service is of the ExternalName type.
+However, there are times when you may not want this to be the case. For example, if your service is of the ExternalName type.

-### Disable entirely
+### Disable globally

-Add the following to your toml config:
+Add the following to your TOML configuration file:

 ```toml
 disablePassHostHeaders = true
 ```

-### Disable per ingress
+### Disable per Ingress

-To disable passing the Host header per ingress resource set the `traefik.frontend.passHostHeader` annotation on your ingress to `false`.
+To disable passing the Host header per ingress resource set the `traefik.frontend.passHostHeader` annotation on your ingress to `"false"`.

-Here is an example ingress definition:
+Here is an example definition:

 ```yaml
 apiVersion: extensions/v1beta1
@@ -680,20 +820,37 @@ spec:
  externalName: static.otherdomain.com
 ```

-If you were to visit `example.com/static` the request would then be passed onto `static.otherdomain.com/static` and s`tatic.otherdomain.com` would receive the request with the Host header being `static.otherdomain.com`.
+If you were to visit `example.com/static` the request would then be passed on to `static.otherdomain.com/static`, and `static.otherdomain.com` would receive the request with the Host header being `static.otherdomain.com`.

 !!! note
-    The per ingress annotation overides whatever the global value is set to.
-    So you could set `disablePassHostHeaders` to `true` in your toml file and then enable passing
-    the host header per ingress if you wanted.
+    The per-ingress annotation overrides whatever the global value is set to.
+    So you could set `disablePassHostHeaders` to `true` in your TOML configuration file and then enable passing the host header per ingress if you wanted.

-## Excluding an ingress from Træfik
+## Partitioning the Ingress object space

-You can control which ingress Træfik cares about by using the `kubernetes.io/ingress.class` annotation.
+By default, Træfik processes every Ingress objects it observes. At times, however, it may be desirable to ignore certain objects. The following sub-sections describe common use cases and how they can be handled with Træfik.

-By default if the annotation is not set at all Træfik will include the ingress.
-If the annotation is set to anything other than traefik or a blank string Træfik will ignore it.
+### Between Træfik and other Ingress controller implementations

+Sometimes Træfik runs along other Ingress controller implementations. One such example is when both Træfik and a cloud provider Ingress controller are active.
+
+The `kubernetes.io/ingress.class` annotation can be attached to any Ingress object in order to control whether Træfik should handle it.
+
+If the annotation is missing, contains an empty value, or the value `traefik`, then the Træfik controller will take responsibility and process the associated Ingress object.
+If the annotation contains any other value (usually the name of a different Ingress controller), Træfik will ignore the object.
+
+It is also possible to set the `ingressClass` option in Træfik to a particular value.
+If that's the case and the value contains a `traefik` prefix, then only those Ingress objects matching the same value will be processed.
+For instance, setting the option to `traefik-internal` causes Træfik to process Ingress objects with the same `kubernetes.io/ingress.class` annotation value, ignoring all other objects (including those with a `traefik` value, empty value, and missing annotation).
+
+### Between multiple Træfik Deployments
+
+Sometimes multiple Træfik Deployments are supposed to run concurrently.
+For instance, it is conceivable to have one Deployment deal with internal and another one with external traffic.
+
+For such cases, it is advisable to classify Ingress objects through a label and configure the `labelSelector` option per each Træfik Deployment accordingly.
+To stick with the internal/external example above, all Ingress objects meant for internal traffic could receive a `traffic-type: internal` label while objects designated for external traffic receive a `traffic-type: external` label.
+The label selectors on the Træfik Deployments would then be `traffic-type=internal` and `traffic-type=external`, respectively.

 ## Production advice

@@ -703,7 +860,7 @@ The examples shown deliberately do not specify any [resource limitations](https:

 In a production environment, however, it is important to set proper bounds, especially with regards to CPU:

- too strict and Traefik will be throttled while serving requests (as Kubernetes imposes hard quotas)
- too loose and Traefik may waste resources not available for other containers
+- too strict and Træfik will be throttled while serving requests (as Kubernetes imposes hard quotas)
+- too loose and Træfik may waste resources not available for other containers

 When in doubt, you should measure your resource needs, and adjust requests and limits accordingly.
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`# vendor/github.com/xenolf/lego/providers/dns/cloudxns/cloudxns.go eol=crlf`