Prepare release v1.4.4

Fix raw path handling in strip prefix
Remove GzipHandler Fork
2025-09-20 05:44:23 +03:00 · 2017-11-23 11:48:03 +01:00 · 2017-11-21 14:28:03 +01:00 · 2017-11-20 18:32:03 +01:00 · 2017-11-20 15:16:03 +01:00 · 2017-11-20 11:42:03 +01:00
59 changed files with 1707 additions and 411 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -16,8 +16,21 @@ HOW TO WRITE A GOOD PULL REQUEST?

 -->

-### Description
+### What does this PR do?

-<!--
-Briefly describe the pull request in a few paragraphs.
-->
+<!-- A brief description of the change being made with this pull request. -->
+
+
+### Motivation
+
+<!-- What inspired you to submit this pull request? -->
+
+
+### More
+
+- [ ] Added/updated tests
+- [ ] Added/updated documentation
+
+### Additional Notes
+
+<!-- Anything else we should know when reviewing? -->
--- a/.travis.yml
+++ b/.travis.yml
@@ -36,6 +36,7 @@ deploy:
    on:
      repo: containous/traefik
      tags: true
+      condition: ${TRAVIS_TAG} =~ ^v[0-9]+\.[0-9]+\.[0-9]+$
  - provider: releases
    api_key: ${GITHUB_TOKEN}
    file: dist/traefik*
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,68 @@
 # Change Log

-## [v1.4.0](https://github.com/containous/traefik/tree/v1.4.0) (2017-05-31)
+## [v1.4.4](https://github.com/containous/traefik/tree/v1.4.4) (2017-11-21)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.3...v1.4.4)
+
+**Enhancements:**
+- **[middleware]** Remove GzipHandler Fork ([#2436](https://github.com/containous/traefik/pull/2436) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[docker]** Fix problems about duplicated and missing Docker backends/frontends. ([#2434](https://github.com/containous/traefik/pull/2434) by [nmengin](https://github.com/nmengin))
+- **[middleware]** Fix raw path handling in strip prefix ([#2382](https://github.com/containous/traefik/pull/2382) by [marco-jantke](https://github.com/marco-jantke))
+- **[rancher]** Fix issue with label traefik.backend.loadbalancer.stickiness.cookieName ([#2423](https://github.com/containous/traefik/pull/2423) by [rawmind0](https://github.com/rawmind0))
+- http.Server log goes to Debug level. ([#2420](https://github.com/containous/traefik/pull/2420) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Documentation archive ([#2405](https://github.com/containous/traefik/pull/2405) by [ldez](https://github.com/ldez))
+
+## [v1.4.3](https://github.com/containous/traefik/tree/v1.4.3) (2017-11-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.2...v1.4.3)
+
+**Bug fixes:**
+- **[consulcatalog]** Fix Traefik reload if Consul Catalog tags change ([#2389](https://github.com/containous/traefik/pull/2389) by [mmatur](https://github.com/mmatur))
+- **[kv]** Add Traefik prefix to the KV key ([#2400](https://github.com/containous/traefik/pull/2400) by [nmengin](https://github.com/nmengin))
+- **[middleware]** Flush and Status code ([#2403](https://github.com/containous/traefik/pull/2403) by [ldez](https://github.com/ldez))
+- **[middleware]** Exclude GRPC from compress ([#2391](https://github.com/containous/traefik/pull/2391) by [ldez](https://github.com/ldez))
+- **[middleware]** Keep status when stream mode and compress ([#2380](https://github.com/containous/traefik/pull/2380) by [Juliens](https://github.com/Juliens))
+
+**Documentation:**
+- **[acme]** Fix some typos ([#2363](https://github.com/containous/traefik/pull/2363) by [tomsaleeba](https://github.com/tomsaleeba))
+- **[docker]** Minor fix for docker volume vs created directory ([#2372](https://github.com/containous/traefik/pull/2372) by [visibilityspots](https://github.com/visibilityspots))
+- **[k8s]** Link corrected ([#2385](https://github.com/containous/traefik/pull/2385) by [xlazex](https://github.com/xlazex))
+
+**Misc:**
+- **[k8s]** Add secret creation to docs for kubernetes backend ([#2374](https://github.com/containous/traefik/pull/2374) by [shadycuz](https://github.com/shadycuz))
+
+## [v1.4.2](https://github.com/containous/traefik/tree/v1.4.2) (2017-11-02)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.1...v1.4.2)
+
+**Bug fixes:**
+- **[cluster]** Fix datastore corruption on reload due to shrinking config size ([#2340](https://github.com/containous/traefik/pull/2340) by [else](https://github.com/else))
+- **[docker,docker/swarm]** Make frontend names differents for similar routes ([#2338](https://github.com/containous/traefik/pull/2338) by [nmengin](https://github.com/nmengin))
+- **[docker]** Fix IP address when Docker container network mode is container ([#2331](https://github.com/containous/traefik/pull/2331) by [nmengin](https://github.com/nmengin))
+- **[docker]** Make the traefik.port label optional when using service labels in Docker containers. ([#2330](https://github.com/containous/traefik/pull/2330) by [nmengin](https://github.com/nmengin))
+- **[docker]** Add unique ID to Docker services replicas ([#2314](https://github.com/containous/traefik/pull/2314) by [nmengin](https://github.com/nmengin))
+- **[marathon]** Missing Backend key in configuration when application has no tasks ([#2333](https://github.com/containous/traefik/pull/2333) by [aantono](https://github.com/aantono))
+- Remove hardcoded runtime.GOMAXPROCS. ([#2317](https://github.com/containous/traefik/pull/2317) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** fixed dead link in kubernetes backend config docs ([#2337](https://github.com/containous/traefik/pull/2337) by [perplexa](https://github.com/perplexa))
+- **[k8s]** Fix the k8s docs example deployment yaml ([#2308](https://github.com/containous/traefik/pull/2308) by [gnur](https://github.com/gnur))
+- Minor grammar change ([#2350](https://github.com/containous/traefik/pull/2350) by [haxorjim](https://github.com/haxorjim))
+- Minor typo ([#2343](https://github.com/containous/traefik/pull/2343) by [burningTyger](https://github.com/burningTyger))
+
+## [v1.4.1](https://github.com/containous/traefik/tree/v1.4.1) (2017-10-24)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.0...v1.4.1)
+
+**Bug fixes:**
+- **[docker]** Network filter ([#2301](https://github.com/containous/traefik/pull/2301) by [ldez](https://github.com/ldez))
+- **[healthcheck]** Fix healthcheck path ([#2295](https://github.com/containous/traefik/pull/2295) by [emilevauge](https://github.com/emilevauge))
+- **[rules]** Regex capturing group. ([#2296](https://github.com/containous/traefik/pull/2296) by [ldez](https://github.com/ldez))
+- **[websocket]** Force http/1.1 for websocket ([#2292](https://github.com/containous/traefik/pull/2292) by [Juliens](https://github.com/Juliens))
+- Stream mode when http2 ([#2309](https://github.com/containous/traefik/pull/2309) by [Juliens](https://github.com/Juliens))
+- Enhance Trust Forwarded Headers ([#2302](https://github.com/containous/traefik/pull/2302) by [ldez](https://github.com/ldez))
+
+## [v1.4.0](https://github.com/containous/traefik/tree/v1.4.0) (2017-10-16)
 [All Commits](https://github.com/containous/traefik/compare/v1.3.0-rc1...v1.4.0)

 **Enhancements:**
--- a/cluster/datastore.go
+++ b/cluster/datastore.go
@@ -119,19 +119,8 @@ func (d *Datastore) watchChanges() error {

 func (d *Datastore) reload() error {
 	log.Debug("Datastore reload")
-	d.localLock.Lock()
-	err := d.kv.LoadConfig(d.meta)
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	err = d.meta.unmarshall()
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	d.localLock.Unlock()
-	return nil
+	_, err := d.Load()
+	return err
 }

 // Begin creates a transaction with the KV store.
--- a/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
+++ b/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
@@ -1,8 +1,9 @@
 package anonymize

 import (
-	"github.com/stretchr/testify/assert"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func Test_doOnJSON(t *testing.T) {
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-	"runtime"
 	"strings"
 	"time"

@@ -24,7 +23,6 @@ import (
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider/ecs"
 	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/rancher"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/server"
 	"github.com/containous/traefik/server/uuid"
@@ -35,8 +33,6 @@ import (
 )

 func main() {
-	runtime.GOMAXPROCS(runtime.NumCPU())
-
 	//traefik config inits
 	traefikConfiguration := NewTraefikConfiguration()
 	traefikPointersConfiguration := NewTraefikDefaultPointersConfiguration()
@@ -121,6 +117,8 @@ Complete documentation is available at https://traefik.io`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
 		Run: func() error {
+			traefikConfiguration.GlobalConfiguration.SetEffectiveConfiguration()
+
 			if traefikConfiguration.Web == nil {
 				fmt.Println("Please enable the web provider to use healtcheck.")
 				os.Exit(1)
@@ -134,7 +132,8 @@ Complete documentation is available at https://traefik.io`,
 				}
 				client.Transport = tr
 			}
-			resp, err := client.Head(protocol + "://" + traefikConfiguration.Web.Address + "/ping")
+
+			resp, err := client.Head(protocol + "://" + traefikConfiguration.Web.Address + traefikConfiguration.Web.Path + "ping")
 			if err != nil {
 				fmt.Printf("Error calling healthcheck: %s\n", err)
 				os.Exit(1)
@@ -238,47 +237,7 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

-	if len(globalConfiguration.EntryPoints) == 0 {
-		globalConfiguration.EntryPoints = map[string]*configuration.EntryPoint{"http": {
-			Address:          ":80",
-			ForwardedHeaders: &configuration.ForwardedHeaders{Insecure: true},
-		}}
-		globalConfiguration.DefaultEntryPoints = []string{"http"}
-	}
-
-	if globalConfiguration.Rancher != nil {
-		// Ensure backwards compatibility for now
-		if len(globalConfiguration.Rancher.AccessKey) > 0 ||
-			len(globalConfiguration.Rancher.Endpoint) > 0 ||
-			len(globalConfiguration.Rancher.SecretKey) > 0 {
-
-			if globalConfiguration.Rancher.API == nil {
-				globalConfiguration.Rancher.API = &rancher.APIConfiguration{
-					AccessKey: globalConfiguration.Rancher.AccessKey,
-					SecretKey: globalConfiguration.Rancher.SecretKey,
-					Endpoint:  globalConfiguration.Rancher.Endpoint,
-				}
-			}
-			log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " +
-				"Please use rancher.api.[accesskey|secretkey|endpoint] instead.")
-		}
-
-		if globalConfiguration.Rancher.Metadata != nil && len(globalConfiguration.Rancher.Metadata.Prefix) == 0 {
-			globalConfiguration.Rancher.Metadata.Prefix = "latest"
-		}
-	}
-
-	if globalConfiguration.Debug {
-		globalConfiguration.LogLevel = "DEBUG"
-	}
-
-	// ForwardedHeaders must be remove in the next breaking version
-	for entryPointName := range globalConfiguration.EntryPoints {
-		entryPoint := globalConfiguration.EntryPoints[entryPointName]
-		if entryPoint.ForwardedHeaders == nil {
-			entryPoint.ForwardedHeaders = &configuration.ForwardedHeaders{Insecure: true}
-		}
-	}
+	globalConfiguration.SetEffectiveConfiguration()

 	// logging
 	level, err := logrus.ParseLevel(strings.ToLower(globalConfiguration.LogLevel))
@@ -286,6 +245,7 @@ func run(globalConfiguration *configuration.GlobalConfiguration) {
 		log.Error("Error getting level", err)
 	}
 	log.SetLevel(level)
+
 	if len(globalConfiguration.TraefikLogsFile) > 0 {
 		dir := filepath.Dir(globalConfiguration.TraefikLogsFile)

--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@@ -80,6 +80,56 @@ type GlobalConfiguration struct {
 	DynamoDB                  *dynamodb.Provider      `description:"Enable DynamoDB backend with default settings" export:"true"`
 }

+// SetEffectiveConfiguration adds missing configuration parameters derived from existing ones.
+// It also takes care of maintaining backwards compatibility.
+func (gc *GlobalConfiguration) SetEffectiveConfiguration() {
+	if len(gc.EntryPoints) == 0 {
+		gc.EntryPoints = map[string]*EntryPoint{"http": {
+			Address:          ":80",
+			ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+		}}
+		gc.DefaultEntryPoints = []string{"http"}
+	}
+
+	// ForwardedHeaders must be remove in the next breaking version
+	for entryPointName := range gc.EntryPoints {
+		entryPoint := gc.EntryPoints[entryPointName]
+		if entryPoint.ForwardedHeaders == nil {
+			entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true}
+		}
+	}
+
+	if gc.Rancher != nil {
+		// Ensure backwards compatibility for now
+		if len(gc.Rancher.AccessKey) > 0 ||
+			len(gc.Rancher.Endpoint) > 0 ||
+			len(gc.Rancher.SecretKey) > 0 {
+
+			if gc.Rancher.API == nil {
+				gc.Rancher.API = &rancher.APIConfiguration{
+					AccessKey: gc.Rancher.AccessKey,
+					SecretKey: gc.Rancher.SecretKey,
+					Endpoint:  gc.Rancher.Endpoint,
+				}
+			}
+			log.Warn("Deprecated configuration found: rancher.[accesskey|secretkey|endpoint]. " +
+				"Please use rancher.api.[accesskey|secretkey|endpoint] instead.")
+		}
+
+		if gc.Rancher.Metadata != nil && len(gc.Rancher.Metadata.Prefix) == 0 {
+			gc.Rancher.Metadata.Prefix = "latest"
+		}
+	}
+
+	if gc.Debug {
+		gc.LogLevel = "DEBUG"
+	}
+
+	if gc.Web != nil && (gc.Web.Path == "" || !strings.HasSuffix(gc.Web.Path, "/")) {
+		gc.Web.Path += "/"
+	}
+}
+
 // DefaultEntryPoints holds default entry points
 type DefaultEntryPoints []string

--- a/docs/archive.md
+++ b/docs/archive.md
@@ -0,0 +1,17 @@
+## Previous documentation
+
+- [Latest stable](https://docs.traefik.io)
+
+- [Experimental](https://master--traefik-docs.netlify.com/)
+
+- [v1.4 aka Roquefort](http://v1-4.archive.docs.traefik.io/) 
+
+- [v1.3 aka Raclette](http://v1-3.archive.docs.traefik.io/)
+
+- [v1.2 aka Morbier](http://v1-2.archive.docs.traefik.io/)
+
+- [v1.1 aka Camembert](http://v1-1.archive.docs.traefik.io/)
+
+## More
+
+[Change log](https://github.com/containous/traefik/blob/master/CHANGELOG.md)
--- a/docs/configuration/backends/docker.md
+++ b/docs/configuration/backends/docker.md
@@ -187,6 +187,12 @@ Services labels can be used for overriding default behaviour
 | `traefik.<service-name>.frontend.priority`        | Overrides `traefik.frontend.priority`.                                                           |
 | `traefik.<service-name>.frontend.rule`            | Overrides `traefik.frontend.rule`.                                                               |

+
+!!! note
+    if a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).
+    It's possible to mix `container labels` and `service labels`, in this case `container labels` are used as default value for missing `service labels` but no frontends are going to be created with the `container labels`.
+    More details in this [example](/user-guide/docker-and-lets-encrypt/#labels).
+
 !!! warning
    when running inside a container, Træfik will need network access through:

--- a/docs/configuration/backends/kubernetes.md
+++ b/docs/configuration/backends/kubernetes.md
@@ -118,10 +118,10 @@ If one of the Net-Specifications are invalid, the whole list is invalid and allo
 ### Authentication

 Is possible to add additional authentication annotations in the Ingress rule.
-The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.

 - `ingress.kubernetes.io/auth-type`: `basic`
- `ingress.kubernetes.io/auth-secret`  
+- `ingress.kubernetes.io/auth-secret`: `mysecret`  
    Contains the usernames and passwords with access to the paths defined in the Ingress Rule.

 The secret must be created in the same namespace as the Ingress rule.
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@@ -118,10 +118,10 @@ Otherwise, the response from the auth server is returned.

 ```toml
 [entryPoints]
-  [entrypoints.http]
+  [entryPoints.http]
    # ...
    # To enable forward auth on an entrypoint
-    [entrypoints.http.auth.forward]
+    [entryPoints.http.auth.forward]
    address = "https://authserver.com/auth"
    
    # Trust existing X-Forwarded-* headers.
@@ -136,7 +136,7 @@ Otherwise, the response from the auth server is returned.
    #
    # Optional
    #
-    [entrypoints.http.auth.forward.tls]
+    [entryPoints.http.auth.forward.tls]
    cert = "authserver.crt"
    key = "authserver.key"
 ```
@@ -221,7 +221,7 @@ Only IPs in `trustedIPs` will lead to remote client address replacement: you sho

 ## Forwarded Header

-Only IPs in `trustedIPs` will be authorize to trust the client forwarded headers (`X-Forwarded-*`).
+Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).

 ```toml
 [entryPoints]
--- a/docs/user-guide/docker-and-lets-encrypt.md
+++ b/docs/user-guide/docker-and-lets-encrypt.md
@@ -1,8 +1,8 @@
 # Docker & Traefik

-In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
+In this use case, we want to use Træfik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.

-We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
+We also want to automatically _discover any services_ on the Docker host and let Træfik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.

 In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.

@@ -19,7 +19,7 @@ In real-life, you'll want to use your own domain and have the DNS configured acc
 Docker containers can only communicate with each other over TCP when they share at least one network.
 This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.

-In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
+In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Træfik) will reside in.

 On the Docker host, run the following command:

@@ -27,7 +27,7 @@ On the Docker host, run the following command:
 docker network create web
 ```

-Now, let's create a directory on the server where we will configure the rest of Traefik:
+Now, let's create a directory on the server where we will configure the rest of Træfik:

 ```shell
 mkdir -p /opt/traefik
@@ -41,7 +41,7 @@ touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
 touch /opt/traefik/traefik.toml
 ```

-The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
+The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Træfik.

 The contents of the file is as follows:

@@ -59,8 +59,8 @@ services:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - /srv/traefik/traefik.toml:/traefik.toml
-      - /srv/traefik/acme.json:/acme.json
+      - /opt/traefik/traefik.toml:/traefik.toml
+      - /opt/traefik/acme.json:/acme.json
    container_name: traefik

 networks:
@@ -69,12 +69,12 @@ networks:
 ```

 As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.  
-Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).  
+Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Træfik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).  
 Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
 We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.  
 Finally, we're giving this container a static name called `traefik`.

-Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Traefik container:
+Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Træfik container:

 ```toml
 debug = false
@@ -109,17 +109,17 @@ OnHostRule = true
 This is the minimum configuration required to do the following:

 - Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messagse
- Check for new versions of Traefik periodically
+- Check for new versions of Træfik periodically
 - Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
+- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Træfik by default, we'll get into this in a bit!**
 - Enable automatic request and configuration of SSL certificates using Let's Encrypt.
    These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.

-Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container.
+Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Træfik container.

 ## Exposing Web Services to the Outside World

-Now that we've fully configured and started Traefik, it's time to get our applications running!
+Now that we've fully configured and started Træfik, it's time to get our applications running!

 Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not. 

@@ -148,6 +148,10 @@ services:
      - "traefik.frontend.rule=Host:app.my-awesome-app.org"
      - "traefik.enable=true"
      - "traefik.port=9000"
+      - "traefik.default.protocol=http"
+      - "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+      - "traefik.admin.protocol=https"
+      - "traefik.admin.port=9443"

  db:
    image: my-docker-registry.com/back-end/5.7
@@ -190,10 +194,10 @@ Since the `traefik` container we've created and started earlier is also attached

 ### Labels

-As mentioned earlier, we don't want containers exposed automatically by Traefik.
+As mentioned earlier, we don't want containers exposed automatically by Træfik.

 The reason behind this is simple: we want to have control over this process ourselves.
-Thanks to Docker labels, we can tell Traefik how to create it's internal routing configuration.
+Thanks to Docker labels, we can tell Træfik how to create it's internal routing configuration.

 Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:

@@ -203,31 +207,56 @@ Let's take a look at the labels themselves for the `app` service, which is a HTT
 - "traefik.frontend.rule=Host:app.my-awesome-app.org"
 - "traefik.enable=true"
 - "traefik.port=9000"
+- "traefik.default.protocol=http"
+- "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+- "traefik.admin.protocol=https"
+- "traefik.admin.port=9443"
 ```

+We use both `container labels` and `service labels`.
+
+#### Container labels
+
 First, we specify the `backend` name which corresponds to the actual service we're routing **to**.

-We also tell Traefik to use the `web` network to route HTTP traffic to this container.  
-With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
-Essentially, this is the actual rule used for Layer-7 load balancing.  
-With the `traefik.enable` label, we tell Traefik to include this container in it's internal configuration.
+We also tell Træfik to use the `web` network to route HTTP traffic to this container. 
+With the `traefik.enable` label, we tell Træfik to include this container in it's internal configuration.

-Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+With the `frontend.rule` label, we tell Træfik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
+Essentially, this is the actual rule used for Layer-7 load balancing. 
+
+Finally but not unimportantly, we tell Træfik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+
+### Service labels
+
+`Service labels` allow managing many routes for the same container.
+
+When both `container labels` and `service labels` are defined, `container labels` are just used as default values for missing `service labels` but no frontend/backend are going to be defined only with these labels.
+Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `service labels` during the container frontends/bakends creation.
+
+In the example, two service names are defined : `default` and `admin`.
+They allow creating two frontends and two backends.
+
+- `default` has only one `service label` : `traefik.default.protocol`.
+Træfik will use values set in `traefik.frontend.rule` and `traefik.port` to create the `default` frontend and backend.
+The frontend listens to incoming HTTP requests which contain the `Host` `app.my-awesome-app.org` and redirect them in `HTTP` to the port `9000` of the backend.
+- `admin` has all the `services labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
+Træfik will create a frontend to listen to incoming HTTP requests which contain the `Host` `admin-app.my-awesome-app.org` and redirect them in `HTTPS` to the port `9443` of the backend.

 #### Gotchas and tips

 - Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.  
-    If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
+    If a container exposes multiple ports, Træfik may forward traffic to the wrong port.
    Even if a container only exposes one port, you should always write configuration defensively and explicitly.
- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
+- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Træfik will automatically be reachable from the outside world, for everyone and everyone to see.
    Usually, this is a bad idea.
- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
+- With the `traefik.frontend.auth.basic` label, it's possible for Træfik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
+- Træfik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
+- Træfik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
    Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)

 ### Final thoughts

-Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.
+Using Træfik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.

 With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@@ -137,7 +137,7 @@ This configuration allows generating a Let's Encrypt certificate during the firs
    * TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
    * Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits

-    That's why, it's better to use the `onHostRule` optin if possible.
+    That's why, it's better to use the `onHostRule` option if possible.

 ### DNS challenge

@@ -170,7 +170,7 @@ entryPoint = "https"
 DNS challenge needs environment variables to be executed.
 This variables have to be set on the machine/container which host Traefik.

-These variables has described [in this section](/configuration/acme/#dnsprovider).
+These variables are described [in this section](/configuration/acme/#dnsprovider).

 ### OnHostRule option and provided certificates

@@ -198,7 +198,7 @@ Traefik will only try to generate a Let's encrypt certificate if the domain cann

 #### Prerequisites

-Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
+Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.

 #### Configuration

--- a/docs/user-guide/kubernetes.md
+++ b/docs/user-guide/kubernetes.md
@@ -79,7 +79,7 @@ It is possible to use Træfik with a [Deployment](https://kubernetes.io/docs/con

 The Deployment objects looks like this:

-```yml
+```yaml
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -118,6 +118,7 @@ kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -182,6 +183,7 @@ kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -325,6 +327,72 @@ echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts

 We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik Web UI.

+## Basic Authentication
+
+It's possible to add additional authentication annotations in the Ingress rule.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.
+To read about basic auth limitations see the [Kubernetes Ingress](/configuration/backends/kubernetes) configuration page.
+
+#### Creating the Secret
+
+A. Use `htpasswd` to create a file containing the username and the base64-encoded password:
+
+```shell
+htpasswd -c ./auth myusername
+```
+
+You will be prompted for a password which you will have to enter twice.
+`htpasswd` will create a file with the following:
+
+```shell
+cat auth
+```
+```
+myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0
+```
+
+B. Now use `kubectl` to create a secret in the monitoring namespace using the file created by `htpasswd`.
+
+```shell
+kubectl create secret generic mysecret --from-file auth --namespace=monitoring
+```
+
+!!! note
+    Secret must be in same namespace as the ingress rule.
+
+C. Create the ingress using the following annotations to specify basic auth and that the username and password is stored in `mysecret`.
+
+- `ingress.kubernetes.io/auth-type: "basic"`
+- `ingress.kubernetes.io/auth-secret: "mysecret"`
+
+Following is a full ingress example based on Prometheus:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus-dashboard
+ namespace: monitoring
+ annotations:
+   kubernetes.io/ingress.class: traefik
+   ingress.kubernetes.io/auth-type: "basic"
+   ingress.kubernetes.io/auth-secret: "mysecret"
+spec:
+ rules:
+ - host: dashboard.prometheus.example.com
+   http:
+     paths:
+     - backend:
+         serviceName: prometheus
+         servicePort: 9090
+```
+
+You can apply the example ingress as following:
+
+```shell
+kubectl create -f prometheus-ingress.yaml -n monitoring
+```
+
 ## Name based routing

 In this example we are going to setup websites for 3 of the United Kingdoms best loved cheeses, Cheddar, Stilton and Wensleydale.
--- a/docs/user-guide/kv-config.md
+++ b/docs/user-guide/kv-config.md
@@ -148,6 +148,37 @@ This variable must be initialized with the ACL token value.

 If Traefik is launched into a Docker container, the variable `CONSUL_HTTP_TOKEN` can be initialized with the `-e` Docker option : `-e "CONSUL_HTTP_TOKEN=[consul-acl-token-value]"`

+If a Consul ACL is used to restrict Træfik read/write access, one of the following configurations is needed.
+
+- HCL format :
+
+```
+    key "traefik" {
+        policy = "write"
+    },
+    
+    session "" {
+        policy = "write"
+    }
+```
+
+- JSON format :
+
+```json
+{
+    "key": {
+        "traefik": {
+          "policy": "write"
+        }
+    },
+    "session": {
+        "": {
+        "policy": "write"
+        }
+    }
+}
+```
+
 ### TLS support

 To connect to a Consul endpoint using SSL, simply specify `https://` in the `consul.endpoint` property
--- a/glide.lock
+++ b/glide.lock
@@ -1,5 +1,5 @@
-hash: d87c01b4b8f802c81e1f3ae34a09c7001dc392654703b53fe0e6722041183abc
-updated: 2017-09-30T18:32:16.848940186+02:00
+hash: de7e6a0069090a5811c003db434da19fe31efcf0c9429d3ccb676295708f0d2b
+updated: 2017-10-24T14:08:11.364720581+02:00
 imports:
 - name: cloud.google.com/go
  version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
@@ -89,7 +89,7 @@ imports:
 - name: github.com/containous/flaeg
  version: b5d2dc5878df07c2d74413348186982e7b865871
 - name: github.com/containous/mux
-  version: af6ea922f7683d9706834157e6b0610e22ccb2db
+  version: 06ccd3e75091eb659b1d720cda0e16bc7057954c
 - name: github.com/containous/staert
  version: 1e26a71803e428fd933f5f9c8e50a26878f53147
 - name: github.com/coreos/etcd
@@ -383,7 +383,7 @@ imports:
  repo: https://github.com/ijc25/Gotty.git
  vcs: git
 - name: github.com/NYTimes/gziphandler
-  version: 97ae7fbaf81620fe97840685304a78a306a39c64
+  version: d6f46609c7629af3a02d791a4666866eed3cbd3e
 - name: github.com/ogier/pflag
  version: 45c278ab3607870051a2ea9040bb85fcb8557481
 - name: github.com/opencontainers/go-digest
@@ -481,7 +481,7 @@ imports:
 - name: github.com/urfave/negroni
  version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
 - name: github.com/vulcand/oxy
-  version: c024a22700b56debed9a9c8dbb297210a7ece02d
+  version: 7e9763c4dc71b9758379da3581e6495c145caaab
  repo: https://github.com/containous/oxy.git
  vcs: git
  subpackages:
--- a/glide.yaml
+++ b/glide.yaml
@@ -12,7 +12,7 @@ import:
 - package: github.com/cenk/backoff
 - package: github.com/containous/flaeg
 - package: github.com/vulcand/oxy
-  version: c024a22700b56debed9a9c8dbb297210a7ece02d
+  version: 7e9763c4dc71b9758379da3581e6495c145caaab
  repo: https://github.com/containous/oxy.git
  vcs: git
  subpackages:
--- a/integration/consul_catalog_test.go
+++ b/integration/consul_catalog_test.go
@@ -36,7 +36,7 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 }

 func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
-	return try.Do(3*time.Second, func() error {
+	return try.Do(15*time.Second, func() error {
 		leader, err := s.consulClient.Status().Leader()

 		if err != nil || len(leader) == 0 {
@@ -344,8 +344,82 @@ func (s *ConsulCatalogSuite) TestBasicAuthSimpleService(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }

-func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
+func (s *ConsulCatalogSuite) TestRefreshConfigTagChange(c *check.C) {
+	cmd, display := s.traefikCmd(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.watch=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()

+	nginx := s.composeProject.Container(c, "nginx1")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=false", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 5*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.NotNil)
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=true", "traefik.backend.circuitbreaker=ResponseCodeRatio(500, 600, 0, 600) > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 20*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestCircuitBreaker(c *check.C) {
+	cmd, display := s.traefikCmd(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--retry",
+		"--retry.attempts=1",
+		"--forwardingTimeouts.dialTimeout=5s",
+		"--forwardingTimeouts.responseHeaderTimeout=10s",
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.watch=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	nginx2 := s.composeProject.Container(c, "nginx2")
+	nginx3 := s.composeProject.Container(c, "nginx3")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 42, []string{"name=nginx2", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+	err = s.registerService("test", nginx3.NetworkSettings.IPAddress, 42, []string{"name=nginx3", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx3.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 20*time.Second, try.StatusCodeIs(http.StatusServiceUnavailable), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
 	//Scale consul to 0 to be able to start traefik before and test retry
 	s.composeProject.Scale(c, "consul", 0)

--- a/integration/docker_test.go
+++ b/integration/docker_test.go
@@ -129,6 +129,11 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {
 	}
 	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")

+	// Start another container by replacing a '.' by a '-'
+	labels = map[string]string{
+		types.LabelFrontendRule: "Host:my-super.host",
+	}
+	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blablabla")
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
@@ -138,12 +143,20 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {

 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = "my.super.host"
+	req.Host = "my-super.host"

 	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
 	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
 	c.Assert(err, checker.IsNil)

+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
+	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
+	resp, err = try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+
 	body, err := ioutil.ReadAll(resp.Body)
 	c.Assert(err, checker.IsNil)

@@ -179,3 +192,40 @@ func (s *DockerSuite) TestDockerContainersWithOneMissingLabels(c *check.C) {
 	err = try.Request(req, 1500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
 }
+
+// TestDockerContainersWithServiceLabels allows cheking the labels behavior
+// Use service label if defined and compete information with container labels.
+func (s *DockerSuite) TestDockerContainersWithServiceLabels(c *check.C) {
+	file := s.adaptFileForHost(c, "fixtures/docker/simple.toml")
+	defer os.Remove(file)
+	// Start a container with some labels
+	labels := map[string]string{
+		types.LabelPrefix + "servicename.frontend.rule": "Host:my.super.host",
+		types.LabelFrontendRule:                         "Host:my.wrong.host",
+		types.LabelPort:                                 "2375",
+	}
+	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
+
+	// Start traefik
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
+	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
+	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+
+	body, err := ioutil.ReadAll(resp.Body)
+	c.Assert(err, checker.IsNil)
+
+	var version map[string]interface{}
+
+	c.Assert(json.Unmarshal(body, &version), checker.IsNil)
+	c.Assert(version["Version"], checker.Equals, "swarm/1.0.0")
+}
--- a/integration/fixtures/websocket/config_https.toml
+++ b/integration/fixtures/websocket/config_https.toml
@@ -1,6 +1,7 @@
 defaultEntryPoints = ["wss"]

 logLevel = "DEBUG"
+InsecureSkipVerify=true

 [entryPoints]
  [entryPoints.wss]
@@ -24,4 +25,4 @@ logLevel = "DEBUG"
  [frontends.frontend1]
  backend = "backend1"
    [frontends.frontend1.routes.test_1]
-    rule = "Path:/ws"
+    rule = "Path:/echo,/ws"
--- a/integration/grpc_test.go
+++ b/integration/grpc_test.go
@@ -1,8 +1,10 @@
 package integration

 import (
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"io/ioutil"
 	"net"
 	"os"
@@ -22,7 +24,9 @@ var LocalhostKey []byte
 // GRPCSuite
 type GRPCSuite struct{ BaseSuite }

-type myserver struct{}
+type myserver struct {
+	stopStreamExample chan bool
+}

 func (s *GRPCSuite) SetUpSuite(c *check.C) {
 	var err error
@@ -36,7 +40,15 @@ func (s *myserver) SayHello(ctx context.Context, in *helloworld.HelloRequest) (*
 	return &helloworld.HelloReply{Message: "Hello " + in.Name}, nil
 }

-func startGRPCServer(lis net.Listener) error {
+func (s *myserver) StreamExample(in *helloworld.StreamExampleRequest, server helloworld.Greeter_StreamExampleServer) error {
+	data := make([]byte, 512)
+	rand.Read(data)
+	server.Send(&helloworld.StreamExampleReply{Data: string(data)})
+	<-s.stopStreamExample
+	return nil
+}
+
+func startGRPCServer(lis net.Listener, server *myserver) error {
 	cert, err := tls.X509KeyPair(LocalhostCert, LocalhostKey)
 	if err != nil {
 		return err
@@ -45,26 +57,30 @@ func startGRPCServer(lis net.Listener) error {
 	creds := credentials.NewServerTLSFromCert(&cert)
 	serverOption := grpc.Creds(creds)

-	var s *grpc.Server = grpc.NewServer(serverOption)
+	s := grpc.NewServer(serverOption)
 	defer s.Stop()

-	helloworld.RegisterGreeterServer(s, &myserver{})
+	helloworld.RegisterGreeterServer(s, server)
 	return s.Serve(lis)
 }
-
-func callHelloClientGRPC() (string, error) {
+func getHelloClientGRPC() (helloworld.GreeterClient, func() error, error) {
 	roots := x509.NewCertPool()
 	roots.AppendCertsFromPEM(LocalhostCert)
 	credsClient := credentials.NewClientTLSFromCert(roots, "")
 	conn, err := grpc.Dial("127.0.0.1:4443", grpc.WithTransportCredentials(credsClient))
+	if err != nil {
+		return nil, func() error { return nil }, err
+	}
+	return helloworld.NewGreeterClient(conn), conn.Close, nil
+
+}
+
+func callHelloClientGRPC(name string) (string, error) {
+	client, closer, err := getHelloClientGRPC()
+	defer closer()
 	if err != nil {
 		return "", err
 	}
-
-	defer conn.Close()
-	client := helloworld.NewGreeterClient(conn)
-
-	name := "World"
 	r, err := client.SayHello(context.Background(), &helloworld.HelloRequest{Name: name})
 	if err != nil {
 		return "", err
@@ -72,13 +88,26 @@ func callHelloClientGRPC() (string, error) {
 	return r.Message, nil
 }

+func callStreamExampleClientGRPC() (helloworld.Greeter_StreamExampleClient, func() error, error) {
+	client, closer, err := getHelloClientGRPC()
+	if err != nil {
+		return nil, closer, err
+	}
+	t, err := client.StreamExample(context.Background(), &helloworld.StreamExampleRequest{})
+	if err != nil {
+		return nil, closer, err
+	}
+
+	return t, closer, nil
+}
+
 func (s *GRPCSuite) TestGRPC(c *check.C) {
 	lis, err := net.Listen("tcp", ":0")
 	_, port, err := net.SplitHostPort(lis.Addr().String())
 	c.Assert(err, check.IsNil)

 	go func() {
-		err := startGRPCServer(lis)
+		err := startGRPCServer(lis, &myserver{})
 		c.Log(err)
 		c.Assert(err, check.IsNil)
 	}()
@@ -106,7 +135,7 @@ func (s *GRPCSuite) TestGRPC(c *check.C) {
 	c.Assert(err, check.IsNil)
 	var response string
 	err = try.Do(1*time.Second, func() error {
-		response, err = callHelloClientGRPC()
+		response, err = callHelloClientGRPC("World")
 		return err
 	})

@@ -120,7 +149,7 @@ func (s *GRPCSuite) TestGRPCInsecure(c *check.C) {
 	c.Assert(err, check.IsNil)

 	go func() {
-		err := startGRPCServer(lis)
+		err := startGRPCServer(lis, &myserver{})
 		c.Log(err)
 		c.Assert(err, check.IsNil)
 	}()
@@ -148,10 +177,68 @@ func (s *GRPCSuite) TestGRPCInsecure(c *check.C) {
 	c.Assert(err, check.IsNil)
 	var response string
 	err = try.Do(1*time.Second, func() error {
-		response, err = callHelloClientGRPC()
+		response, err = callHelloClientGRPC("World")
 		return err
 	})

 	c.Assert(err, check.IsNil)
 	c.Assert(response, check.Equals, "Hello World")
 }
+
+func (s *GRPCSuite) TestGRPCBuffer(c *check.C) {
+	stopStreamExample := make(chan bool)
+	defer func() { stopStreamExample <- true }()
+	lis, err := net.Listen("tcp", ":0")
+	_, port, err := net.SplitHostPort(lis.Addr().String())
+	c.Assert(err, check.IsNil)
+
+	go func() {
+		err := startGRPCServer(lis, &myserver{
+			stopStreamExample: stopStreamExample,
+		})
+		c.Log(err)
+		c.Assert(err, check.IsNil)
+	}()
+
+	file := s.adaptFile(c, "fixtures/grpc/config.toml", struct {
+		CertContent    string
+		KeyContent     string
+		GRPCServerPort string
+	}{
+		CertContent:    string(LocalhostCert),
+		KeyContent:     string(LocalhostKey),
+		GRPCServerPort: port,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for Traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:127.0.0.1"))
+	c.Assert(err, check.IsNil)
+	var client helloworld.Greeter_StreamExampleClient
+	client, closer, err := callStreamExampleClientGRPC()
+	defer closer()
+
+	received := make(chan bool)
+	go func() {
+		tr, _ := client.Recv()
+		c.Assert(len(tr.Data), check.Equals, 512)
+		received <- true
+	}()
+
+	err = try.Do(time.Second*10, func() error {
+		select {
+		case <-received:
+			return nil
+		default:
+			return errors.New("failed to receive stream data")
+		}
+	})
+	c.Assert(err, check.IsNil)
+}
--- a/integration/helloworld/helloworld.pb.go
+++ b/integration/helloworld/helloworld.pb.go
@@ -10,6 +10,8 @@ It is generated from these files:
 It has these top-level messages:
 	HelloRequest
 	HelloReply
+	StreamExampleRequest
+	StreamExampleReply
 */
 package helloworld

@@ -67,9 +69,35 @@ func (m *HelloReply) GetMessage() string {
 	return ""
 }

+type StreamExampleRequest struct {
+}
+
+func (m *StreamExampleRequest) Reset()                    { *m = StreamExampleRequest{} }
+func (m *StreamExampleRequest) String() string            { return proto.CompactTextString(m) }
+func (*StreamExampleRequest) ProtoMessage()               {}
+func (*StreamExampleRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
+
+type StreamExampleReply struct {
+	Data string `protobuf:"bytes,1,opt,name=data" json:"data,omitempty"`
+}
+
+func (m *StreamExampleReply) Reset()                    { *m = StreamExampleReply{} }
+func (m *StreamExampleReply) String() string            { return proto.CompactTextString(m) }
+func (*StreamExampleReply) ProtoMessage()               {}
+func (*StreamExampleReply) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+
+func (m *StreamExampleReply) GetData() string {
+	if m != nil {
+		return m.Data
+	}
+	return ""
+}
+
 func init() {
 	proto.RegisterType((*HelloRequest)(nil), "helloworld.HelloRequest")
 	proto.RegisterType((*HelloReply)(nil), "helloworld.HelloReply")
+	proto.RegisterType((*StreamExampleRequest)(nil), "helloworld.StreamExampleRequest")
+	proto.RegisterType((*StreamExampleReply)(nil), "helloworld.StreamExampleReply")
 }

 // Reference imports to suppress errors if they are not otherwise used.
@@ -85,6 +113,8 @@ const _ = grpc.SupportPackageIsVersion4
 type GreeterClient interface {
 	// Sends a greeting
 	SayHello(ctx context.Context, in *HelloRequest, opts ...grpc.CallOption) (*HelloReply, error)
+	// Tick me
+	StreamExample(ctx context.Context, in *StreamExampleRequest, opts ...grpc.CallOption) (Greeter_StreamExampleClient, error)
 }

 type greeterClient struct {
@@ -104,11 +134,45 @@ func (c *greeterClient) SayHello(ctx context.Context, in *HelloRequest, opts ...
 	return out, nil
 }

+func (c *greeterClient) StreamExample(ctx context.Context, in *StreamExampleRequest, opts ...grpc.CallOption) (Greeter_StreamExampleClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Greeter_serviceDesc.Streams[0], c.cc, "/helloworld.Greeter/StreamExample", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &greeterStreamExampleClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type Greeter_StreamExampleClient interface {
+	Recv() (*StreamExampleReply, error)
+	grpc.ClientStream
+}
+
+type greeterStreamExampleClient struct {
+	grpc.ClientStream
+}
+
+func (x *greeterStreamExampleClient) Recv() (*StreamExampleReply, error) {
+	m := new(StreamExampleReply)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
 // Server API for Greeter service

 type GreeterServer interface {
 	// Sends a greeting
 	SayHello(context.Context, *HelloRequest) (*HelloReply, error)
+	// Tick me
+	StreamExample(*StreamExampleRequest, Greeter_StreamExampleServer) error
 }

 func RegisterGreeterServer(s *grpc.Server, srv GreeterServer) {
@@ -133,6 +197,27 @@ func _Greeter_SayHello_Handler(srv interface{}, ctx context.Context, dec func(in
 	return interceptor(ctx, in, info, handler)
 }

+func _Greeter_StreamExample_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(StreamExampleRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(GreeterServer).StreamExample(m, &greeterStreamExampleServer{stream})
+}
+
+type Greeter_StreamExampleServer interface {
+	Send(*StreamExampleReply) error
+	grpc.ServerStream
+}
+
+type greeterStreamExampleServer struct {
+	grpc.ServerStream
+}
+
+func (x *greeterStreamExampleServer) Send(m *StreamExampleReply) error {
+	return x.ServerStream.SendMsg(m)
+}
+
 var _Greeter_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "helloworld.Greeter",
 	HandlerType: (*GreeterServer)(nil),
@@ -142,23 +227,33 @@ var _Greeter_serviceDesc = grpc.ServiceDesc{
 			Handler:    _Greeter_SayHello_Handler,
 		},
 	},
-	Streams:  []grpc.StreamDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "StreamExample",
+			Handler:       _Greeter_StreamExample_Handler,
+			ServerStreams: true,
+		},
+	},
 	Metadata: "helloworld.proto",
 }

 func init() { proto.RegisterFile("helloworld.proto", fileDescriptor0) }

 var fileDescriptor0 = []byte{
-	// 175 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0xc8, 0x48, 0xcd, 0xc9,
-	0xc9, 0x2f, 0xcf, 0x2f, 0xca, 0x49, 0xd1, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x42, 0x88,
-	0x28, 0x29, 0x71, 0xf1, 0x78, 0x80, 0x78, 0x41, 0xa9, 0x85, 0xa5, 0xa9, 0xc5, 0x25, 0x42, 0x42,
-	0x5c, 0x2c, 0x79, 0x89, 0xb9, 0xa9, 0x12, 0x8c, 0x0a, 0x8c, 0x1a, 0x9c, 0x41, 0x60, 0xb6, 0x92,
-	0x1a, 0x17, 0x17, 0x54, 0x4d, 0x41, 0x4e, 0xa5, 0x90, 0x04, 0x17, 0x7b, 0x6e, 0x6a, 0x71, 0x71,
-	0x62, 0x3a, 0x4c, 0x11, 0x8c, 0x6b, 0xe4, 0xc9, 0xc5, 0xee, 0x5e, 0x94, 0x9a, 0x5a, 0x92, 0x5a,
-	0x24, 0x64, 0xc7, 0xc5, 0x11, 0x9c, 0x58, 0x09, 0xd6, 0x25, 0x24, 0xa1, 0x87, 0xe4, 0x02, 0x64,
-	0xcb, 0xa4, 0xc4, 0xb0, 0xc8, 0x14, 0xe4, 0x54, 0x2a, 0x31, 0x38, 0x19, 0x70, 0x49, 0x67, 0xe6,
-	0xeb, 0xa5, 0x17, 0x15, 0x24, 0xeb, 0xa5, 0x56, 0x24, 0xe6, 0x16, 0xe4, 0xa4, 0x16, 0x23, 0xa9,
-	0x75, 0xe2, 0x07, 0x2b, 0x0e, 0x07, 0xb1, 0x03, 0x40, 0x5e, 0x0a, 0x60, 0x4c, 0x62, 0x03, 0xfb,
-	0xcd, 0x18, 0x10, 0x00, 0x00, 0xff, 0xff, 0x0f, 0xb7, 0xcd, 0xf2, 0xef, 0x00, 0x00, 0x00,
+	// 231 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x50, 0xc1, 0x4a, 0xc4, 0x30,
+	0x10, 0x35, 0xb0, 0xb8, 0x3a, 0x28, 0xca, 0x20, 0x4b, 0x59, 0x41, 0x96, 0x1c, 0x64, 0x4f, 0xa1,
+	0xe8, 0xdd, 0x43, 0x41, 0xf4, 0x58, 0x5a, 0xc4, 0x73, 0xb4, 0x43, 0x15, 0x12, 0x13, 0x93, 0x88,
+	0xf6, 0x6f, 0xfc, 0x54, 0x49, 0x6c, 0x31, 0x4a, 0xf1, 0xf6, 0x66, 0xe6, 0xe5, 0xbd, 0x97, 0x07,
+	0xc7, 0x4f, 0xa4, 0x94, 0x79, 0x37, 0x4e, 0x75, 0xc2, 0x3a, 0x13, 0x0c, 0xc2, 0xcf, 0x86, 0x73,
+	0x38, 0xb8, 0x8d, 0x53, 0x43, 0xaf, 0x6f, 0xe4, 0x03, 0x22, 0x2c, 0x5e, 0xa4, 0xa6, 0x82, 0x6d,
+	0xd8, 0x76, 0xbf, 0x49, 0x98, 0x9f, 0x03, 0x8c, 0x1c, 0xab, 0x06, 0x2c, 0x60, 0xa9, 0xc9, 0x7b,
+	0xd9, 0x4f, 0xa4, 0x69, 0xe4, 0x2b, 0x38, 0x69, 0x83, 0x23, 0xa9, 0xaf, 0x3f, 0xa4, 0xb6, 0x8a,
+	0x46, 0x4d, 0xbe, 0x05, 0xfc, 0xb3, 0x8f, 0x3a, 0x08, 0x8b, 0x4e, 0x06, 0x39, 0x39, 0x45, 0x7c,
+	0xf1, 0xc9, 0x60, 0x79, 0xe3, 0x88, 0x02, 0x39, 0xbc, 0x82, 0xbd, 0x56, 0x0e, 0xc9, 0x18, 0x0b,
+	0x91, 0x7d, 0x22, 0xcf, 0xbb, 0x5e, 0xcd, 0x5c, 0xac, 0x1a, 0xf8, 0x0e, 0xde, 0xc1, 0xe1, 0x2f,
+	0x57, 0xdc, 0xe4, 0xd4, 0xb9, 0xa0, 0xeb, 0xb3, 0x7f, 0x18, 0x49, 0xb4, 0x64, 0x55, 0x09, 0xa7,
+	0xcf, 0x46, 0xf4, 0xce, 0x3e, 0x0a, 0xfa, 0xbe, 0xf9, 0xec, 0x55, 0x75, 0x94, 0x32, 0xdc, 0x47,
+	0x5c, 0xc7, 0xb2, 0x6b, 0xf6, 0xb0, 0x9b, 0x5a, 0xbf, 0xfc, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x6f,
+	0x5f, 0xae, 0xb8, 0x89, 0x01, 0x00, 0x00,
 }
--- a/integration/helloworld/helloworld.proto
+++ b/integration/helloworld/helloworld.proto
@@ -9,7 +9,10 @@ package helloworld;
 // The greeting service definition.
 service Greeter {
  // Sends a greeting
-  rpc SayHello (HelloRequest) returns (HelloReply) {}
+  rpc SayHello (HelloRequest) returns (HelloReply) {};
+
+  rpc StreamExample (StreamExampleRequest) returns (stream StreamExampleReply) {};
+
 }

 // The request message containing the user's name.
@@ -21,3 +24,9 @@ message HelloRequest {
 message HelloReply {
  string message = 1;
 }
+
+message StreamExampleRequest {}
+
+message StreamExampleReply {
+    string data = 1;
+}
--- a/integration/resources/compose/consul_catalog.yml
+++ b/integration/resources/compose/consul_catalog.yml
@@ -1,6 +1,6 @@
 consul:
-  image: progrium/consul
-  command: -server -bootstrap -log-level debug -ui-dir /ui
+  image: consul
+  command: agent -server -bootstrap-expect 1 -client 0.0.0.0 -log-level debug -ui
  ports:
    - "8400:8400"
    - "8500:8500"
@@ -15,3 +15,5 @@ nginx1:
  image: nginx:alpine
 nginx2:
  image: nginx:alpine
+nginx3:
+  image: nginx:alpine
--- a/integration/websocket_test.go
+++ b/integration/websocket_test.go
@@ -441,3 +441,65 @@ func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	c.Assert(string(msg), checker.Equals, "OK")
 }
+
+func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
+	var upgrader = gorillawebsocket.Upgrader{} // use default options
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			return
+		}
+		defer c.Close()
+		for {
+			mt, message, err := c.ReadMessage()
+			if err != nil {
+				break
+			}
+			err = c.WriteMessage(mt, message)
+			if err != nil {
+				break
+			}
+		}
+	}))
+
+	ts.TLS = &tls.Config{}
+	ts.TLS.NextProtos = append(ts.TLS.NextProtos, `h2`)
+	ts.TLS.NextProtos = append(ts.TLS.NextProtos, `http/1.1`)
+	ts.StartTLS()
+
+	file := s.adaptFile(c, "fixtures/websocket/config_https.toml", struct {
+		WebsocketServer string
+	}{
+		WebsocketServer: ts.URL,
+	})
+
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file), "--debug", "--accesslog")
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 10*time.Second, try.BodyContains("127.0.0.1"))
+	c.Assert(err, checker.IsNil)
+
+	//Add client self-signed cert
+	roots := x509.NewCertPool()
+	certContent, err := ioutil.ReadFile("./resources/tls/local.cert")
+	roots.AppendCertsFromPEM(certContent)
+	gorillawebsocket.DefaultDialer.TLSClientConfig = &tls.Config{
+		RootCAs: roots,
+	}
+	conn, _, err := gorillawebsocket.DefaultDialer.Dial("wss://127.0.0.1:8000/echo", nil)
+	c.Assert(err, checker.IsNil)
+
+	err = conn.WriteMessage(gorillawebsocket.TextMessage, []byte("OK"))
+	c.Assert(err, checker.IsNil)
+
+	_, msg, err := conn.ReadMessage()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(msg), checker.Equals, "OK")
+}
--- a/middlewares/compress.go
+++ b/middlewares/compress.go
@@ -3,6 +3,7 @@ package middlewares
 import (
 	"compress/gzip"
 	"net/http"
+	"strings"

 	"github.com/NYTimes/gziphandler"
 	"github.com/containous/traefik/log"
@@ -13,7 +14,12 @@ type Compress struct{}

 // ServerHTTP is a function used by Negroni
 func (c *Compress) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	gzipHandler(next).ServeHTTP(rw, r)
+	contentType := r.Header.Get("Content-Type")
+	if strings.HasPrefix(contentType, "application/grpc") {
+		next.ServeHTTP(rw, r)
+	} else {
+		gzipHandler(next).ServeHTTP(rw, r)
+	}
 }

 func gzipHandler(h http.Handler) http.Handler {
--- a/middlewares/compress_test.go
+++ b/middlewares/compress_test.go
@@ -16,6 +16,7 @@ import (
 const (
 	acceptEncodingHeader  = "Accept-Encoding"
 	contentEncodingHeader = "Content-Encoding"
+	contentTypeHeader     = "Content-Type"
 	varyHeader            = "Vary"
 	gzipValue             = "gzip"
 )
@@ -81,6 +82,26 @@ func TestShouldNotCompressWhenNoAcceptEncodingHeader(t *testing.T) {
 	assert.EqualValues(t, rw.Body.Bytes(), fakeBody)
 }

+func TestShouldNotCompressWhenGRPC(t *testing.T) {
+	handler := &Compress{}
+
+	req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost", nil)
+	req.Header.Add(acceptEncodingHeader, gzipValue)
+	req.Header.Add(contentTypeHeader, "application/grpc")
+
+	baseBody := generateBytes(gziphandler.DefaultMinSize)
+	next := func(rw http.ResponseWriter, r *http.Request) {
+		rw.Write(baseBody)
+	}
+
+	rw := httptest.NewRecorder()
+	handler.ServeHTTP(rw, req, next)
+
+	assert.Empty(t, rw.Header().Get(acceptEncodingHeader))
+	assert.Empty(t, rw.Header().Get(contentEncodingHeader))
+	assert.EqualValues(t, rw.Body.Bytes(), baseBody)
+}
+
 func TestIntegrationShouldNotCompress(t *testing.T) {
 	fakeCompressedBody := generateBytes(100000)
 	comp := &Compress{}
@@ -137,6 +158,31 @@ func TestIntegrationShouldNotCompress(t *testing.T) {
 	}
 }

+func TestShouldWriteHeaderWhenFlush(t *testing.T) {
+	comp := &Compress{}
+	negro := negroni.New(comp)
+	negro.UseHandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		rw.Header().Add(contentEncodingHeader, gzipValue)
+		rw.Header().Add(varyHeader, acceptEncodingHeader)
+		rw.WriteHeader(http.StatusUnauthorized)
+		rw.(http.Flusher).Flush()
+		rw.Write([]byte("short"))
+	})
+	ts := httptest.NewServer(negro)
+	defer ts.Close()
+
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.Header.Add(acceptEncodingHeader, gzipValue)
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+
+	assert.Equal(t, gzipValue, resp.Header.Get(contentEncodingHeader))
+	assert.Equal(t, acceptEncodingHeader, resp.Header.Get(varyHeader))
+}
+
 func TestIntegrationShouldCompress(t *testing.T) {
 	fakeBody := generateBytes(100000)

--- a/middlewares/headers.go
+++ b/middlewares/headers.go
@@ -3,8 +3,9 @@ package middlewares
 //Middleware based on https://github.com/unrolled/secure

 import (
-	"github.com/containous/traefik/types"
 	"net/http"
+
+	"github.com/containous/traefik/types"
 )

 // HeaderOptions is a struct for specifying configuration options for the headers middleware.
--- a/middlewares/headers_test.go
+++ b/middlewares/headers_test.go
@@ -3,11 +3,12 @@ package middlewares
 //Middleware tests based on https://github.com/unrolled/secure

 import (
-	"github.com/containous/traefik/testhelpers"
-	"github.com/stretchr/testify/assert"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+
+	"github.com/containous/traefik/testhelpers"
+	"github.com/stretchr/testify/assert"
 )

 var myHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/middlewares/stripPrefix.go
+++ b/middlewares/stripPrefix.go
@@ -16,8 +16,11 @@ type StripPrefix struct {

 func (s *StripPrefix) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	for _, prefix := range s.Prefixes {
-		if p := strings.TrimPrefix(r.URL.Path, prefix); len(p) < len(r.URL.Path) {
-			r.URL.Path = "/" + strings.TrimPrefix(p, "/")
+		if strings.HasPrefix(r.URL.Path, prefix) {
+			r.URL.Path = stripPrefix(r.URL.Path, prefix)
+			if r.URL.RawPath != "" {
+				r.URL.RawPath = stripPrefix(r.URL.RawPath, prefix)
+			}
 			s.serveRequest(w, r, strings.TrimSpace(prefix))
 			return
 		}
@@ -35,3 +38,11 @@ func (s *StripPrefix) serveRequest(w http.ResponseWriter, r *http.Request, prefi
 func (s *StripPrefix) SetHandler(Handler http.Handler) {
 	s.Handler = Handler
 }
+
+func stripPrefix(s, prefix string) string {
+	return ensureLeadingSlash(strings.TrimPrefix(s, prefix))
+}
+
+func ensureLeadingSlash(str string) string {
+	return "/" + strings.TrimPrefix(str, "/")
+}
--- a/middlewares/stripPrefixRegex.go
+++ b/middlewares/stripPrefixRegex.go
@@ -40,6 +40,9 @@ func (s *StripPrefixRegex) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}

 		r.URL.Path = r.URL.Path[len(prefix.Path):]
+		if r.URL.RawPath != "" {
+			r.URL.RawPath = r.URL.RawPath[len(prefix.Path):]
+		}
 		r.Header.Add(ForwardedPrefixHeader, prefix.Path)
 		r.RequestURI = r.URL.RequestURI()
 		s.Handler.ServeHTTP(w, r)
--- a/middlewares/stripPrefixRegex_test.go
+++ b/middlewares/stripPrefixRegex_test.go
@@ -10,13 +10,13 @@ import (
 )

 func TestStripPrefixRegex(t *testing.T) {
-
 	testPrefixRegex := []string{"/a/api/", "/b/{regex}/", "/c/{category}/{id:[0-9]+}/"}

 	tests := []struct {
 		path               string
 		expectedStatusCode int
 		expectedPath       string
+		expectedRawPath    string
 		expectedHeader     string
 	}{
 		{
@@ -61,6 +61,13 @@ func TestStripPrefixRegex(t *testing.T) {
 			path:               "/c/api/abc/test4",
 			expectedStatusCode: http.StatusNotFound,
 		},
+		{
+			path:               "/a/api/a%2Fb",
+			expectedStatusCode: http.StatusOK,
+			expectedPath:       "a/b",
+			expectedRawPath:    "a%2Fb",
+			expectedHeader:     "/a/api/",
+		},
 	}

 	for _, test := range tests {
@@ -68,9 +75,10 @@ func TestStripPrefixRegex(t *testing.T) {
 		t.Run(test.path, func(t *testing.T) {
 			t.Parallel()

-			var actualPath, actualHeader string
+			var actualPath, actualRawPath, actualHeader string
 			handlerPath := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				actualPath = r.URL.Path
+				actualRawPath = r.URL.RawPath
 				actualHeader = r.Header.Get(ForwardedPrefixHeader)
 			})
 			handler := NewStripPrefixRegex(handlerPath, testPrefixRegex)
@@ -82,6 +90,7 @@ func TestStripPrefixRegex(t *testing.T) {

 			assert.Equal(t, test.expectedStatusCode, resp.Code, "Unexpected status code.")
 			assert.Equal(t, test.expectedPath, actualPath, "Unexpected path.")
+			assert.Equal(t, test.expectedRawPath, actualRawPath, "Unexpected raw path.")
 			assert.Equal(t, test.expectedHeader, actualHeader, "Unexpected '%s' header.", ForwardedPrefixHeader)
 		})
 	}
--- a/middlewares/stripPrefix_test.go
+++ b/middlewares/stripPrefix_test.go
@@ -16,6 +16,7 @@ func TestStripPrefix(t *testing.T) {
 		path               string
 		expectedStatusCode int
 		expectedPath       string
+		expectedRawPath    string
 		expectedHeader     string
 	}{
 		{
@@ -94,6 +95,15 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "/us",
 			expectedHeader:     "/stat",
 		},
+		{
+			desc:               "raw path is also stripped",
+			prefixes:           []string{"/stat"},
+			path:               "/stat/a%2Fb",
+			expectedStatusCode: http.StatusOK,
+			expectedPath:       "/a/b",
+			expectedRawPath:    "/a%2Fb",
+			expectedHeader:     "/stat",
+		},
 	}

 	for _, test := range tests {
@@ -101,11 +111,12 @@ func TestStripPrefix(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			var actualPath, actualHeader, requestURI string
+			var actualPath, actualRawPath, actualHeader, requestURI string
 			handler := &StripPrefix{
 				Prefixes: test.prefixes,
 				Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					actualPath = r.URL.Path
+					actualRawPath = r.URL.RawPath
 					actualHeader = r.Header.Get(ForwardedPrefixHeader)
 					requestURI = r.RequestURI
 				}),
@@ -118,8 +129,15 @@ func TestStripPrefix(t *testing.T) {

 			assert.Equal(t, test.expectedStatusCode, resp.Code, "Unexpected status code.")
 			assert.Equal(t, test.expectedPath, actualPath, "Unexpected path.")
+			assert.Equal(t, test.expectedRawPath, actualRawPath, "Unexpected raw path.")
 			assert.Equal(t, test.expectedHeader, actualHeader, "Unexpected '%s' header.", ForwardedPrefixHeader)
-			assert.Equal(t, test.expectedPath, requestURI, "Unexpected request URI.")
+
+			expectedURI := test.expectedPath
+			if test.expectedRawPath != "" {
+				// go HTTP uses the raw path when existent in the RequestURI
+				expectedURI = test.expectedRawPath
+			}
+			assert.Equal(t, expectedURI, requestURI, "Unexpected request URI.")
 		})
 	}
 }
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -95,3 +95,4 @@ pages:
    - 'Clustering/HA': 'user-guide/cluster.md'
    - 'gRPC Example': 'user-guide/grpc.md'
  - Benchmarks: benchmarks.md
+  - 'Archive': 'archive.md'
--- a/provider/consul/consul_catalog.go
+++ b/provider/consul/consul_catalog.go
@@ -77,9 +77,14 @@ func (a nodeSorter) Less(i int, j int) bool {
 	return lentr.Service.Port < rentr.Service.Port
 }

-func getChangedServiceKeys(currState map[string]Service, prevState map[string]Service) ([]string, []string) {
-	currKeySet := fun.Set(fun.Keys(currState).([]string)).(map[string]bool)
-	prevKeySet := fun.Set(fun.Keys(prevState).([]string)).(map[string]bool)
+func hasChanged(current map[string]Service, previous map[string]Service) bool {
+	addedServiceKeys, removedServiceKeys := getChangedServiceKeys(current, previous)
+	return len(removedServiceKeys) > 0 || len(addedServiceKeys) > 0 || hasNodeOrTagsChanged(current, previous)
+}
+
+func getChangedServiceKeys(current map[string]Service, previous map[string]Service) ([]string, []string) {
+	currKeySet := fun.Set(fun.Keys(current).([]string)).(map[string]bool)
+	prevKeySet := fun.Set(fun.Keys(previous).([]string)).(map[string]bool)

 	addedKeys := fun.Difference(currKeySet, prevKeySet).(map[string]bool)
 	removedKeys := fun.Difference(prevKeySet, currKeySet).(map[string]bool)
@@ -87,20 +92,23 @@ func getChangedServiceKeys(currState map[string]Service, prevState map[string]Se
 	return fun.Keys(addedKeys).([]string), fun.Keys(removedKeys).([]string)
 }

-func getChangedServiceNodeKeys(currState map[string]Service, prevState map[string]Service) ([]string, []string) {
-	var addedNodeKeys []string
-	var removedNodeKeys []string
-	for key, value := range currState {
-		if prevValue, ok := prevState[key]; ok {
-			addedKeys, removedKeys := getChangedHealthyKeys(value.Nodes, prevValue.Nodes)
-			addedNodeKeys = append(addedKeys)
-			removedNodeKeys = append(removedKeys)
+func hasNodeOrTagsChanged(current map[string]Service, previous map[string]Service) bool {
+	var added []string
+	var removed []string
+	for key, value := range current {
+		if prevValue, ok := previous[key]; ok {
+			addedNodesKeys, removedNodesKeys := getChangedStringKeys(value.Nodes, prevValue.Nodes)
+			added = append(added, addedNodesKeys...)
+			removed = append(removed, removedNodesKeys...)
+			addedTagsKeys, removedTagsKeys := getChangedStringKeys(value.Tags, prevValue.Tags)
+			added = append(added, addedTagsKeys...)
+			removed = append(removed, removedTagsKeys...)
 		}
 	}
-	return addedNodeKeys, removedNodeKeys
+	return len(added) > 0 || len(removed) > 0
 }

-func getChangedHealthyKeys(currState []string, prevState []string) ([]string, []string) {
+func getChangedStringKeys(currState []string, prevState []string) ([]string, []string) {
 	currKeySet := fun.Set(currState).(map[string]bool)
 	prevKeySet := fun.Set(prevState).(map[string]bool)

@@ -163,7 +171,7 @@ func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<
 				// A critical note is that the return of a blocking request is no guarantee of a change.
 				// It is possible that there was an idempotent write that does not affect the result of the query.
 				// Thus it is required to do extra check for changes...
-				addedKeys, removedKeys := getChangedHealthyKeys(current, flashback)
+				addedKeys, removedKeys := getChangedStringKeys(current, flashback)

 				if len(addedKeys) > 0 {
 					log.WithField("DiscoveredServices", addedKeys).Debug("Health State change detected.")
@@ -242,12 +250,7 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 				// A critical note is that the return of a blocking request is no guarantee of a change.
 				// It is possible that there was an idempotent write that does not affect the result of the query.
 				// Thus it is required to do extra check for changes...
-				addedServiceKeys, removedServiceKeys := getChangedServiceKeys(current, flashback)
-
-				addedServiceNodeKeys, removedServiceNodeKeys := getChangedServiceNodeKeys(current, flashback)
-
-				if len(removedServiceKeys) > 0 || len(removedServiceNodeKeys) > 0 || len(addedServiceKeys) > 0 || len(addedServiceNodeKeys) > 0 {
-					log.WithField("MissingServices", removedServiceKeys).WithField("DiscoveredServices", addedServiceKeys).Debug("Catalog Services change detected.")
+				if hasChanged(current, flashback) {
 					watchCh <- data
 					flashback = current
 				}
@@ -255,6 +258,7 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 		}
 	})
 }
+
 func getServiceIds(services []*api.CatalogService) []string {
 	var serviceIds []string
 	for _, service := range services {
@@ -271,7 +275,6 @@ func (p *CatalogProvider) healthyNodes(service string) (catalogUpdate, error) {
 		log.WithError(err).Errorf("Failed to fetch details of %s", service)
 		return catalogUpdate{}, err
 	}
-
 	nodes := fun.Filter(func(node *api.ServiceEntry) bool {
 		return p.nodeFilter(service, node)
 	}, data).([]*api.ServiceEntry)
--- a/provider/consul/consul_catalog_test.go
+++ b/provider/consul/consul_catalog_test.go
@@ -1,7 +1,6 @@
 package consul

 import (
-	"reflect"
 	"sort"
 	"testing"
 	"text/template"
@@ -21,11 +20,13 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 	}
 	provider.setupFrontEndTemplate()

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		service  serviceUpdate
 		expected string
 	}{
 		{
+			desc: "Should return default host foo.localhost",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes:  []string{},
@@ -33,6 +34,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:foo.localhost",
 		},
 		{
+			desc: "Should return host *.example.com",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -42,6 +44,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:*.example.com",
 		},
 		{
+			desc: "Should return host foo.example.com",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -51,6 +54,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:foo.example.com",
 		},
 		{
+			desc: "Should return path prefix /bar",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -62,11 +66,14 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 		},
 	}

-	for _, e := range services {
-		actual := provider.getFrontendRule(e.service)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getFrontendRule(test.service)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -76,13 +83,15 @@ func TestConsulCatalogGetTag(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return value of foo.bar key",
 			tags: []string{
 				"foo.bar=random",
 				"traefik.backend.weight=42",
@@ -94,21 +103,17 @@ func TestConsulCatalogGetTag(t *testing.T) {
 		},
 	}

-	actual := provider.hasTag("management", []string{"management"})
-	if !actual {
-		t.Fatalf("expected %v, got %v", true, actual)
-	}
+	assert.Equal(t, true, provider.hasTag("management", []string{"management"}))
+	assert.Equal(t, true, provider.hasTag("management", []string{"management=yes"}))

-	actual = provider.hasTag("management", []string{"management=yes"})
-	if !actual {
-		t.Fatalf("expected %v, got %v", true, actual)
-	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()

-	for _, e := range services {
-		actual := provider.getTag(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+			actual := provider.getTag(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -118,13 +123,15 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return tag value 42",
 			tags: []string{
 				"foo.bar=ramdom",
 				"traefik.backend.weight=42",
@@ -134,6 +141,7 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 			expected:     "42",
 		},
 		{
+			desc: "Should return tag default value 0",
 			tags: []string{
 				"foo.bar=ramdom",
 				"traefik.backend.wei=42",
@@ -144,17 +152,16 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 		},
 	}

-	expected := provider.Prefix + ".foo"
-	actual := provider.getPrefixedName("foo")
-	if actual != expected {
-		t.Fatalf("expected %s, got %s", expected, actual)
-	}
+	assert.Equal(t, provider.Prefix+".foo", provider.getPrefixedName("foo"))

-	for _, e := range services {
-		actual := provider.getAttribute(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getAttribute(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -164,13 +171,15 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 		Prefix: "",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return tag value 42",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.weight=42",
@@ -180,6 +189,7 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 			expected:     "42",
 		},
 		{
+			desc: "Should return default value 0",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.wei=42",
@@ -189,6 +199,7 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 			expected:     "0",
 		},
 		{
+			desc: "Should return for.bar key value random",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.wei=42",
@@ -199,17 +210,16 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 		},
 	}

-	expected := "foo"
-	actual := provider.getPrefixedName("foo")
-	if actual != expected {
-		t.Fatalf("expected %s, got %s", expected, actual)
-	}
+	assert.Equal(t, "foo", provider.getPrefixedName("foo"))

-	for _, e := range services {
-		actual := provider.getAttribute(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getAttribute(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -219,11 +229,13 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		node     *api.ServiceEntry
 		expected string
 	}{
 		{
+			desc: "Should return the address of the service",
 			node: &api.ServiceEntry{
 				Node: &api.Node{
 					Address: "10.1.0.1",
@@ -235,6 +247,7 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 			expected: "10.2.0.1",
 		},
 		{
+			desc: "Should return the address of the node",
 			node: &api.ServiceEntry{
 				Node: &api.Node{
 					Address: "10.1.0.1",
@@ -247,11 +260,14 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 		},
 	}

-	for _, e := range services {
-		actual := provider.getBackendAddress(e.node)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getBackendAddress(test.node)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -261,11 +277,13 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		node     *api.ServiceEntry
 		expected string
 	}{
 		{
+			desc: "Should create backend name without tags",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -277,6 +295,7 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 			expected: "api--10-0-0-1--80--0",
 		},
 		{
+			desc: "Should create backend name with multiple tags",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -288,6 +307,7 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 			expected: "api--10-0-0-1--80--traefik-weight-42--traefik-enable-true--1",
 		},
 		{
+			desc: "Should create backend name with one tag",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -300,11 +320,15 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 		},
 	}

-	for i, e := range services {
-		actual := provider.getBackendName(e.node, i)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for i, test := range testCases {
+		test := test
+		i := i
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getBackendName(test.node, i)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -317,17 +341,20 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		frontEndRuleTemplate: template.New("consul catalog frontend rule"),
 	}

-	cases := []struct {
+	testCases := []struct {
+		desc              string
 		nodes             []catalogUpdate
 		expectedFrontends map[string]*types.Frontend
 		expectedBackends  map[string]*types.Backend
 	}{
 		{
+			desc:              "Should build config of nothing",
 			nodes:             []catalogUpdate{},
 			expectedFrontends: map[string]*types.Frontend{},
 			expectedBackends:  map[string]*types.Backend{},
 		},
 		{
+			desc: "Should build config with no frontend and backend",
 			nodes: []catalogUpdate{
 				{
 					Service: &serviceUpdate{
@@ -339,6 +366,7 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 			expectedBackends:  map[string]*types.Backend{},
 		},
 		{
+			desc: "Should build config who contains one frontend and one backend",
 			nodes: []catalogUpdate{
 				{
 					Service: &serviceUpdate{
@@ -408,28 +436,31 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		actualConfig := provider.buildConfig(c.nodes)
-		if !reflect.DeepEqual(actualConfig.Backends, c.expectedBackends) {
-			t.Fatalf("expected %#v, got %#v", c.expectedBackends, actualConfig.Backends)
-		}
-		if !reflect.DeepEqual(actualConfig.Frontends, c.expectedFrontends) {
-			t.Fatalf("expected %#v, got %#v", c.expectedFrontends["frontend-test"].BasicAuth, actualConfig.Frontends["frontend-test"].BasicAuth)
-			t.Fatalf("expected %#v, got %#v", c.expectedFrontends, actualConfig.Frontends)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actualConfig := provider.buildConfig(test.nodes)
+			assert.Equal(t, test.expectedBackends, actualConfig.Backends)
+			assert.Equal(t, test.expectedFrontends, actualConfig.Frontends)
+		})
 	}
 }

 func TestConsulCatalogNodeSorter(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
+		desc     string
 		nodes    []*api.ServiceEntry
 		expected []*api.ServiceEntry
 	}{
 		{
+			desc:     "Should sort nothing",
 			nodes:    []*api.ServiceEntry{},
 			expected: []*api.ServiceEntry{},
 		},
 		{
+			desc: "Should sort by node address",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -458,6 +489,7 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should sort by service name",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -552,6 +584,7 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should sort by node address",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -603,12 +636,15 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		sort.Sort(nodeSorter(c.nodes))
-		actual := c.nodes
-		if !reflect.DeepEqual(actual, c.expected) {
-			t.Fatalf("expected %q, got %q", c.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			sort.Sort(nodeSorter(test.nodes))
+			actual := test.nodes
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -623,11 +659,13 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 		removedKeys []string
 	}

-	cases := []struct {
+	testCases := []struct {
+		desc   string
 		input  Input
 		output Output
 	}{
 		{
+			desc: "Should add 0 services and removed 0",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -668,6 +706,7 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should add 3 services and removed 0",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -705,6 +744,7 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should add 2 services and removed 2",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -742,21 +782,20 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		addedKeys, removedKeys := getChangedServiceKeys(c.input.currState, c.input.prevState)
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()

-		if !reflect.DeepEqual(fun.Set(addedKeys), fun.Set(c.output.addedKeys)) {
-			t.Fatalf("Added keys comparison results: got %q, want %q", addedKeys, c.output.addedKeys)
-		}
-
-		if !reflect.DeepEqual(fun.Set(removedKeys), fun.Set(c.output.removedKeys)) {
-			t.Fatalf("Removed keys comparison results: got %q, want %q", removedKeys, c.output.removedKeys)
-		}
+			addedKeys, removedKeys := getChangedServiceKeys(test.input.currState, test.input.prevState)
+			assert.Equal(t, fun.Set(test.output.addedKeys), fun.Set(addedKeys), "Added keys comparison results: got %q, want %q", addedKeys, test.output.addedKeys)
+			assert.Equal(t, fun.Set(test.output.removedKeys), fun.Set(removedKeys), "Removed keys comparison results: got %q, want %q", removedKeys, test.output.removedKeys)
+		})
 	}
 }

 func TestConsulCatalogFilterEnabled(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
 		desc             string
 		exposedByDefault bool
 		node             *api.ServiceEntry
@@ -842,24 +881,23 @@ func TestConsulCatalogFilterEnabled(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		c := c
-		t.Run(c.desc, func(t *testing.T) {
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			provider := &CatalogProvider{
 				Domain:           "localhost",
 				Prefix:           "traefik",
-				ExposedByDefault: c.exposedByDefault,
-			}
-			if provider.nodeFilter("test", c.node) != c.expected {
-				t.Errorf("got unexpected filtering = %t", !c.expected)
+				ExposedByDefault: test.exposedByDefault,
 			}
+			actual := provider.nodeFilter("test", test.node)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }

 func TestConsulCatalogGetBasicAuth(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
 		desc     string
 		tags     []string
 		expected []string
@@ -878,17 +916,15 @@ func TestConsulCatalogGetBasicAuth(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		c := c
-		t.Run(c.desc, func(t *testing.T) {
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			provider := &CatalogProvider{
 				Prefix: "traefik",
 			}
-			actual := provider.getBasicAuth(c.tags)
-			if !reflect.DeepEqual(actual, c.expected) {
-				t.Errorf("actual %q, expected %q", actual, c.expected)
-			}
+			actual := provider.getBasicAuth(test.tags)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }
@@ -930,7 +966,276 @@ func TestConsulCatalogHasStickinessLabel(t *testing.T) {
 			t.Parallel()

 			actual := provider.hasStickinessLabel(test.tags)
-			assert.Equal(t, actual, test.expected)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
+func TestConsulCatalogGetChangedStringKeys(t *testing.T) {
+	testCases := []struct {
+		desc            string
+		current         []string
+		previous        []string
+		expectedAdded   []string
+		expectedRemoved []string
+	}{
+		{
+			desc:            "1 element added, 0 removed",
+			current:         []string{"chou"},
+			previous:        []string{},
+			expectedAdded:   []string{"chou"},
+			expectedRemoved: []string{},
+		}, {
+			desc:            "0 element added, 0 removed",
+			current:         []string{"chou"},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{},
+			expectedRemoved: []string{},
+		},
+		{
+			desc:            "0 element added, 1 removed",
+			current:         []string{},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{},
+			expectedRemoved: []string{"chou"},
+		},
+		{
+			desc:            "1 element added, 1 removed",
+			current:         []string{"carotte"},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{"carotte"},
+			expectedRemoved: []string{"chou"},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actualAdded, actualRemoved := getChangedStringKeys(test.current, test.previous)
+			assert.Equal(t, test.expectedAdded, actualAdded)
+			assert.Equal(t, test.expectedRemoved, actualRemoved)
+		})
+	}
+}
+
+func TestConsulCatalogHasNodeOrTagschanged(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		current  map[string]Service
+		previous map[string]Service
+		expected bool
+	}{
+		{
+			desc: "Change detected due to change of nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node2"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc:    "No change missing current service",
+			current: make(map[string]Service),
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes and tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Change detected con tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo"},
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := hasNodeOrTagsChanged(test.current, test.previous)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
+func TestConsulCatalogHasChanged(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		current  map[string]Service
+		previous map[string]Service
+		expected bool
+	}{
+		{
+			desc: "Change detected due to change new service",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: make(map[string]Service),
+			expected: true,
+		},
+		{
+			desc:    "Change detected due to change service removed",
+			current: make(map[string]Service),
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "Change detected due to change of nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node2"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "No change on nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes and tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Change detected on tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo"},
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := hasChanged(test.current, test.previous)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }
--- a/provider/docker/docker.go
+++ b/provider/docker/docker.go
@@ -25,9 +25,11 @@ import (
 	eventtypes "github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
 	"github.com/docker/go-connections/nat"
 	"github.com/docker/go-connections/sockets"
+	"github.com/pkg/errors"
 )

 const (
@@ -300,9 +302,15 @@ func (p *Provider) loadDockerConfig(containersInspected []dockerData) *types.Con
 	frontends := map[string][]dockerData{}
 	backends := map[string]dockerData{}
 	servers := map[string][]dockerData{}
-	for _, container := range filteredContainers {
-		frontendName := p.getFrontendName(container)
-		frontends[frontendName] = append(frontends[frontendName], container)
+	serviceNames := make(map[string]struct{})
+	for idx, container := range filteredContainers {
+		if _, exists := serviceNames[container.ServiceName]; !exists {
+			frontendName := p.getFrontendName(container, idx)
+			frontends[frontendName] = append(frontends[frontendName], container)
+			if len(container.ServiceName) > 0 {
+				serviceNames[container.ServiceName] = struct{}{}
+			}
+		}
 		backendName := p.getBackend(container)
 		backends[backendName] = container
 		servers[backendName] = append(servers[backendName], container)
@@ -425,9 +433,9 @@ func (p *Provider) getServicePriority(container dockerData, serviceName string)
 // Extract backend from labels for a given service and a given docker container
 func (p *Provider) getServiceBackend(container dockerData, serviceName string) string {
 	if value, ok := getContainerServiceLabel(container, serviceName, "frontend.backend"); ok {
-		return value
+		return container.ServiceName + "-" + value
 	}
-	return p.getBackend(container) + "-" + provider.Normalize(serviceName)
+	return strings.TrimPrefix(container.ServiceName, "/") + "-" + p.getBackend(container) + "-" + provider.Normalize(serviceName)
 }

 // Extract rule from labels for a given service and a given docker container
@@ -516,9 +524,16 @@ func (p *Provider) getMaxConnExtractorFunc(container dockerData) string {
 }

 func (p *Provider) containerFilter(container dockerData) bool {
-	_, err := strconv.Atoi(container.Labels[types.LabelPort])
+	var err error
+	portLabel := "traefik.port label"
+	if p.hasServices(container) {
+		portLabel = "traefik.<serviceName>.port or " + portLabel + "s"
+		err = checkServiceLabelPort(container)
+	} else {
+		_, err = strconv.Atoi(container.Labels[types.LabelPort])
+	}
 	if len(container.NetworkSettings.Ports) == 0 && err != nil {
-		log.Debugf("Filtering container without port and no traefik.port label %s", container.Name)
+		log.Debugf("Filtering container without port and no %s %s : %s", portLabel, container.Name, err.Error())
 		return false
 	}

@@ -548,9 +563,46 @@ func (p *Provider) containerFilter(container dockerData) bool {
 	return true
 }

-func (p *Provider) getFrontendName(container dockerData) string {
+// checkServiceLabelPort checks if all service names have a port service label
+// or if port container label exists for default value
+func checkServiceLabelPort(container dockerData) error {
+	// If port container label is present, there is a default values for all ports, use it for the check
+	_, err := strconv.Atoi(container.Labels[types.LabelPort])
+	if err != nil {
+		serviceLabelPorts := make(map[string]struct{})
+		serviceLabels := make(map[string]struct{})
+		portRegexp := regexp.MustCompile(`^traefik\.(?P<service_name>.+?)\.port$`)
+		for label := range container.Labels {
+			// Get all port service labels
+			portLabel := portRegexp.FindStringSubmatch(label)
+			if portLabel != nil && len(portLabel) > 0 {
+				serviceLabelPorts[portLabel[0]] = struct{}{}
+			}
+			// Get only one instance of all service names from service labels
+			servicesLabelNames := servicesPropertiesRegexp.FindStringSubmatch(label)
+			if servicesLabelNames != nil && len(servicesLabelNames) > 0 {
+				serviceLabels[strings.Split(servicesLabelNames[0], ".")[1]] = struct{}{}
+			}
+		}
+		// If the number of service labels is different than the number of port services label
+		// there is an error
+		if len(serviceLabels) == len(serviceLabelPorts) {
+			for labelPort := range serviceLabelPorts {
+				_, err = strconv.Atoi(container.Labels[labelPort])
+				if err != nil {
+					break
+				}
+			}
+		} else {
+			err = errors.New("Port service labels missing, please use traefik.port as default value or define all port service labels")
+		}
+	}
+	return err
+}
+
+func (p *Provider) getFrontendName(container dockerData, idx int) string {
 	// Replace '.' with '-' in quoted keys because of this issue https://github.com/BurntSushi/toml/issues/78
-	return provider.Normalize(p.getFrontendRule(container))
+	return provider.Normalize(p.getFrontendRule(container) + "-" + strconv.Itoa(idx))
 }

 // GetFrontendRule returns the frontend rule for the specified container, using
@@ -560,10 +612,10 @@ func (p *Provider) getFrontendRule(container dockerData) string {
 		return label
 	}
 	if labels, err := getLabels(container, []string{labelDockerComposeProject, labelDockerComposeService}); err == nil {
-		return "Host:" + p.getSubDomain(labels[labelDockerComposeService]+"."+labels[labelDockerComposeProject]) + "." + p.Domain
+		return "Host:" + getSubDomain(labels[labelDockerComposeService]+"."+labels[labelDockerComposeProject]) + "." + p.Domain
 	}
 	if len(p.Domain) > 0 {
-		return "Host:" + p.getSubDomain(container.ServiceName) + "." + p.Domain
+		return "Host:" + getSubDomain(container.ServiceName) + "." + p.Domain
 	}
 	return ""
 }
@@ -593,10 +645,25 @@ func (p *Provider) getIPAddress(container dockerData) string {

 	// If net==host, quick n' dirty, we return 127.0.0.1
 	// This will work locally, but will fail with swarm.
-	if "host" == container.NetworkSettings.NetworkMode {
+	if container.NetworkSettings.NetworkMode.IsHost() {
 		return "127.0.0.1"
 	}

+	if container.NetworkSettings.NetworkMode.IsContainer() {
+		dockerClient, err := p.createClient()
+		if err != nil {
+			log.Warnf("Unable to get IP address for container %s, error: %s", container.Name, err)
+			return ""
+		}
+		ctx := context.Background()
+		containerInspected, err := dockerClient.ContainerInspect(ctx, container.NetworkSettings.NetworkMode.ConnectedContainer())
+		if err != nil {
+			log.Warnf("Unable to get IP address for container %s : Failed to inspect container ID %s, error: %s", container.Name, container.NetworkSettings.NetworkMode.ConnectedContainer(), err)
+			return ""
+		}
+		return p.getIPAddress(parseContainer(containerInspected))
+	}
+
 	if p.UseBindPortIP {
 		port := p.getPort(container)
 		for netport, portBindings := range container.NetworkSettings.Ports {
@@ -818,7 +885,7 @@ func parseContainer(container dockertypes.ContainerJSON) dockerData {
 }

 // Escape beginning slash "/", convert all others to dash "-", and convert underscores "_" to dash "-"
-func (p *Provider) getSubDomain(name string) string {
+func getSubDomain(name string) string {
 	return strings.Replace(strings.Replace(strings.TrimPrefix(name, "/"), "/", "-", -1), "_", "-", -1)
 }

@@ -827,8 +894,16 @@ func (p *Provider) listServices(ctx context.Context, dockerClient client.APIClie
 	if err != nil {
 		return []dockerData{}, err
 	}
+
+	serverVersion, err := dockerClient.ServerVersion(ctx)
+
 	networkListArgs := filters.NewArgs()
-	networkListArgs.Add("scope", "swarm")
+	// https://docs.docker.com/engine/api/v1.29/#tag/Network (Docker 17.06)
+	if versions.GreaterThanOrEqualTo(serverVersion.APIVersion, "1.29") {
+		networkListArgs.Add("scope", "swarm")
+	} else {
+		networkListArgs.Add("driver", "overlay")
+	}

 	networkList, err := dockerClient.NetworkList(ctx, dockertypes.NetworkListOptions{Filters: networkListArgs})

--- a/provider/docker/docker_test.go
+++ b/provider/docker/docker_test.go
@@ -20,38 +20,38 @@ func TestDockerGetFrontendName(t *testing.T) {
 	}{
 		{
 			container: containerJSON(name("foo")),
-			expected:  "Host-foo-docker-localhost",
+			expected:  "Host-foo-docker-localhost-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Headers:User-Agent,bat/0.1.0",
 			})),
-			expected: "Headers-User-Agent-bat-0-1-0",
+			expected: "Headers-User-Agent-bat-0-1-0-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				"com.docker.compose.project": "foo",
 				"com.docker.compose.service": "bar",
 			})),
-			expected: "Host-bar-foo-docker-localhost",
+			expected: "Host-bar-foo-docker-localhost-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Host:foo.bar",
 			})),
-			expected: "Host-foo-bar",
+			expected: "Host-foo-bar-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Path:/test",
 			})),
-			expected: "Path-test",
+			expected: "Path-test-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "PathPrefix:/test2",
 			})),
-			expected: "PathPrefix-test2",
+			expected: "PathPrefix-test2-0",
 		},
 	}

@@ -63,7 +63,7 @@ func TestDockerGetFrontendName(t *testing.T) {
 			provider := &Provider{
 				Domain: "docker.localhost",
 			}
-			actual := provider.getFrontendName(dockerData)
+			actual := provider.getFrontendName(dockerData, 0)
 			if actual != e.expected {
 				t.Errorf("expected %q, got %q", e.expected, actual)
 			}
@@ -884,13 +884,13 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test-docker-localhost": {
+				"frontend-Host-test-docker-localhost-0": {
 					Backend:        "backend-test",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test-docker-localhost": {
+						"route-frontend-Host-test-docker-localhost-0": {
 							Rule: "Host:test.docker.localhost",
 						},
 					},
@@ -934,24 +934,24 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
-				"frontend-Host-test2-docker-localhost": {
+				"frontend-Host-test2-docker-localhost-1": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test2-docker-localhost": {
+						"route-frontend-Host-test2-docker-localhost-1": {
 							Rule: "Host:test2.docker.localhost",
 						},
 					},
@@ -992,13 +992,13 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
@@ -1091,3 +1091,53 @@ func TestDockerHasStickinessLabel(t *testing.T) {
 		})
 	}
 }
+
+func TestDockerCheckPortLabels(t *testing.T) {
+	testCases := []struct {
+		container     docker.ContainerJSON
+		expectedError bool
+	}{
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPort: "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+				types.LabelPrefix + "servicename.port":     "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+				types.LabelPort:                            "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+			})),
+			expectedError: true,
+		},
+	}
+
+	for containerID, test := range testCases {
+		test := test
+		t.Run(strconv.Itoa(containerID), func(t *testing.T) {
+			t.Parallel()
+
+			dockerData := parseContainer(test.container)
+			err := checkServiceLabelPort(dockerData)
+
+			if test.expectedError && err == nil {
+				t.Error("expected an error but got nil")
+			} else if !test.expectedError && err != nil {
+				t.Errorf("expected no error, got %q", err)
+			}
+		})
+	}
+}
--- a/provider/docker/service_test.go
+++ b/provider/docker/service_test.go
@@ -171,19 +171,19 @@ func TestDockerGetServiceBackend(t *testing.T) {
 	}{
 		{
 			container: containerJSON(name("foo")),
-			expected:  "foo-myservice",
+			expected:  "foo-foo-myservice",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelBackend: "another-backend",
 			})),
-			expected: "another-backend-myservice",
+			expected: "fake-another-backend-myservice",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				"traefik.myservice.frontend.backend": "custom-backend",
 			})),
-			expected: "custom-backend",
+			expected: "fake-custom-backend",
 		},
 	}

@@ -341,8 +341,8 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-foo-service": {
-					Backend:        "backend-foo-service",
+				"frontend-foo-foo-service": {
+					Backend:        "backend-foo-foo-service",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
@@ -354,9 +354,9 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 				},
 			},
 			expectedBackends: map[string]*types.Backend{
-				"backend-foo-service": {
+				"backend-foo-foo-service": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "http://127.0.0.1:2503",
 							Weight: 0,
 						},
@@ -399,8 +399,8 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-foobar": {
-					Backend:        "backend-foobar",
+				"frontend-test1-foobar": {
+					Backend:        "backend-test1-foobar",
 					PassHostHeader: false,
 					Priority:       5000,
 					EntryPoints:    []string{"http", "https", "ws"},
@@ -411,8 +411,8 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 						},
 					},
 				},
-				"frontend-test2-anotherservice": {
-					Backend:        "backend-test2-anotherservice",
+				"frontend-test2-test2-anotherservice": {
+					Backend:        "backend-test2-test2-anotherservice",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
@@ -424,18 +424,18 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 				},
 			},
 			expectedBackends: map[string]*types.Backend{
-				"backend-foobar": {
+				"backend-test1-foobar": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "https://127.0.0.1:2503",
 							Weight: 80,
 						},
 					},
 					CircuitBreaker: nil,
 				},
-				"backend-test2-anotherservice": {
+				"backend-test2-test2-anotherservice": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "http://127.0.0.1:8079",
 							Weight: 33,
 						},
--- a/provider/docker/swarm_test.go
+++ b/provider/docker/swarm_test.go
@@ -23,28 +23,28 @@ func TestSwarmGetFrontendName(t *testing.T) {
 	}{
 		{
 			service:  swarmService(serviceName("foo")),
-			expected: "Host-foo-docker-localhost",
+			expected: "Host-foo-docker-localhost-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Headers:User-Agent,bat/0.1.0",
 			})),
-			expected: "Headers-User-Agent-bat-0-1-0",
+			expected: "Headers-User-Agent-bat-0-1-0-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Host:foo.bar",
 			})),
-			expected: "Host-foo-bar",
+			expected: "Host-foo-bar-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Path:/test",
 			})),
-			expected: "Path-test",
+			expected: "Path-test-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
@@ -54,7 +54,7 @@ func TestSwarmGetFrontendName(t *testing.T) {
 					types.LabelFrontendRule: "PathPrefix:/test2",
 				}),
 			),
-			expected: "PathPrefix-test2",
+			expected: "PathPrefix-test2-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 	}
@@ -68,7 +68,7 @@ func TestSwarmGetFrontendName(t *testing.T) {
 				Domain:    "docker.localhost",
 				SwarmMode: true,
 			}
-			actual := provider.getFrontendName(dockerData)
+			actual := provider.getFrontendName(dockerData, 0)
 			if actual != e.expected {
 				t.Errorf("expected %q, got %q", e.expected, actual)
 			}
@@ -660,13 +660,13 @@ func TestSwarmLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test-docker-localhost": {
+				"frontend-Host-test-docker-localhost-0": {
 					Backend:        "backend-test",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test-docker-localhost": {
+						"route-frontend-Host-test-docker-localhost-0": {
 							Rule: "Host:test.docker.localhost",
 						},
 					},
@@ -714,24 +714,24 @@ func TestSwarmLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
-				"frontend-Host-test2-docker-localhost": {
+				"frontend-Host-test2-docker-localhost-1": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test2-docker-localhost": {
+						"route-frontend-Host-test2-docker-localhost-1": {
 							Rule: "Host:test2.docker.localhost",
 						},
 					},
--- a/provider/kv/kv.go
+++ b/provider/kv/kv.go
@@ -102,7 +102,7 @@ func (p *Provider) watchKv(configurationChan chan<- types.ConfigMessage, prefix
 func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints types.Constraints) error {
 	p.Constraints = append(p.Constraints, constraints...)
 	operation := func() error {
-		if _, err := p.kvclient.Exists("qmslkjdfmqlskdjfmqlksjazçueznbvbwzlkajzebvkwjdcqmlsfj"); err != nil {
+		if _, err := p.kvclient.Exists(p.Prefix + "/qmslkjdfmqlskdjfmqlksjazçueznbvbwzlkajzebvkwjdcqmlsfj"); err != nil {
 			return fmt.Errorf("Failed to test KV store connection: %v", err)
 		}
 		if p.Watch {
--- a/provider/marathon/marathon_test.go
+++ b/provider/marathon/marathon_test.go
@@ -93,7 +93,9 @@ func TestMarathonLoadConfigNonAPIErrors(t *testing.T) {
 					},
 				},
 			},
-			expectedBackends: nil,
+			expectedBackends: map[string]*types.Backend{
+				"backend-app": {},
+			},
 		},
 		{
 			desc: "load balancer / circuit breaker labels",
--- a/provider/rancher/rancher.go
+++ b/provider/rancher/rancher.go
@@ -126,7 +126,7 @@ func (p *Provider) hasStickinessLabel(service rancherData) bool {
 	return errStickiness == nil && len(labelStickiness) > 0 && strings.EqualFold(strings.TrimSpace(labelStickiness), "true")
 }

-func (p *Provider) getStickinessCookieName(service rancherData, backendName string) string {
+func (p *Provider) getStickinessCookieName(service rancherData) string {
 	if label, err := getServiceLabel(service, types.LabelBackendLoadbalancerStickinessCookieName); err == nil {
 		return label
 	}
--- a/provider/web/web.go
+++ b/provider/web/web.go
@@ -56,17 +56,9 @@ func goroutines() interface{} {
 // Provide allows the provider to provide configurations to traefik
 // using the given configuration channel.
 func (provider *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, _ types.Constraints) error {
-
 	systemRouter := mux.NewRouter()

-	if provider.Path == "" {
-		provider.Path = "/"
-	}
-
 	if provider.Path != "/" {
-		if provider.Path[len(provider.Path)-1:] != "/" {
-			provider.Path += "/"
-		}
 		systemRouter.Methods("GET").Path("/").HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
 			http.Redirect(response, request, provider.Path, 302)
 		})
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-mkdocs>=0.16.1
+mkdocs==0.16.3
 pymdown-extensions>=1.4
 mkdocs-bootswatch>=0.4.0
-mkdocs-material>=1.8.1
+mkdocs-material==1.12.2
--- a/script/crossbinary-default
+++ b/script/crossbinary-default
@@ -24,13 +24,17 @@ GIT_REPO_URL='github.com/containous/traefik/version'
 GO_BUILD_CMD="go build -ldflags"
 GO_BUILD_OPT="-s -w -X ${GIT_REPO_URL}.Version=${VERSION} -X ${GIT_REPO_URL}.Codename=${CODENAME} -X ${GIT_REPO_URL}.BuildDate=${DATE}"

-# Build 386 amd64 binaries
+# Build amd64 binaries
 OS_PLATFORM_ARG=(linux windows darwin)
 OS_ARCH_ARG=(amd64)
 for OS in ${OS_PLATFORM_ARG[@]}; do
+  BIN_EXT=''
+  if [ "$OS" == "windows" ]; then
+    BIN_EXT='.exe'
+  fi
  for ARCH in ${OS_ARCH_ARG[@]}; do
    echo "Building binary for ${OS}/${ARCH}..."
-    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}" ./cmd/traefik/
+    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}${BIN_EXT}" ./cmd/traefik/
  done
 done

--- a/script/crossbinary-others
+++ b/script/crossbinary-others
@@ -28,9 +28,13 @@ GO_BUILD_OPT="-s -w -X ${GIT_REPO_URL}.Version=${VERSION} -X ${GIT_REPO_URL}.Cod
 OS_PLATFORM_ARG=(linux windows darwin)
 OS_ARCH_ARG=(386)
 for OS in ${OS_PLATFORM_ARG[@]}; do
+  BIN_EXT=''
+  if [ "$OS" == "windows" ]; then
+    BIN_EXT='.exe'
+  fi
  for ARCH in ${OS_ARCH_ARG[@]}; do
-    echo "Building binary for $OS/$ARCH..."
-    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "$GO_BUILD_OPT" -o "dist/traefik_$OS-$ARCH" ./cmd/traefik/
+    echo "Building binary for ${OS}/${ARCH}..."
+    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}${BIN_EXT}" ./cmd/traefik/
  done
 done

--- a/server/rules_test.go
+++ b/server/rules_test.go
@@ -136,6 +136,57 @@ func TestPriorites(t *testing.T) {
 	assert.NotEqual(t, foobarMatcher.Handler, fooHandler, "Error matching priority")
 }

+func TestHostRegexp(t *testing.T) {
+	testCases := []struct {
+		desc    string
+		hostExp string
+		urls    map[string]bool
+	}{
+		{
+			desc:    "capturing group",
+			hostExp: "{subdomain:(foo\\.)?bar\\.com}",
+			urls: map[string]bool{
+				"http://foo.bar.com": true,
+				"http://bar.com":     true,
+				"http://fooubar.com": false,
+				"http://barucom":     false,
+				"http://barcom":      false,
+			},
+		},
+		{
+			desc:    "non capturing group",
+			hostExp: "{subdomain:(?:foo\\.)?bar\\.com}",
+			urls: map[string]bool{
+				"http://foo.bar.com": true,
+				"http://bar.com":     true,
+				"http://fooubar.com": false,
+				"http://barucom":     false,
+				"http://barcom":      false,
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			rls := &Rules{
+				route: &serverRoute{
+					route: &mux.Route{},
+				},
+			}
+
+			rt := rls.hostRegexp(test.hostExp)
+
+			for testURL, match := range test.urls {
+				req := testhelpers.MustNewRequest(http.MethodGet, testURL, nil)
+				assert.Equal(t, match, rt.Match(req, &mux.RouteMatch{}))
+			}
+		})
+	}
+}
+
 type fakeHandler struct {
 	name string
 }
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	stdlog "log"
 	"net"
 	"net/http"
 	"net/url"
@@ -19,6 +20,7 @@ import (
 	"sync"
 	"time"

+	"github.com/Sirupsen/logrus"
 	"github.com/armon/go-proxyproto"
 	"github.com/containous/mux"
 	"github.com/containous/traefik/cluster"
@@ -46,7 +48,8 @@ import (
 )

 var (
-	oxyLogger = &OxyLogger{}
+	oxyLogger        = &OxyLogger{}
+	httpServerLogger = stdlog.New(log.WriterLevel(logrus.DebugLevel), "", 0)
 )

 // Server is the reverse-proxy/load-balancer engine
@@ -337,7 +340,7 @@ func (server *Server) listenProviders(stop chan bool) {
 				lastReceivedConfigurationValue := lastReceivedConfiguration.Get().(time.Time)
 				providersThrottleDuration := time.Duration(server.globalConfiguration.ProvidersThrottleDuration)
 				if time.Now().After(lastReceivedConfigurationValue.Add(providersThrottleDuration)) {
-					log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration)
+					log.Debugf("Last %s config received more than %s, OK", configMsg.ProviderName, server.globalConfiguration.ProvidersThrottleDuration.String())
 					// last config received more than n s ago
 					server.configurationValidatedChan <- configMsg
 				} else {
@@ -665,7 +668,7 @@ func (server *Server) prepareServer(entryPointName string, entryPoint *configura
 			SourceCheck: func(addr net.Addr) (bool, error) {
 				ip, ok := addr.(*net.TCPAddr)
 				if !ok {
-					return false, fmt.Errorf("Type error %v", addr)
+					return false, fmt.Errorf("type error %v", addr)
 				}
 				return IPs.ContainsIP(ip.IP)
 			},
@@ -679,6 +682,7 @@ func (server *Server) prepareServer(entryPointName string, entryPoint *configura
 			ReadTimeout:  readTimeout,
 			WriteTimeout: writeTimeout,
 			IdleTimeout:  idleTimeout,
+			ErrorLog:     httpServerLogger,
 		},
 		listener,
 		nil
--- a/templates/docker.tmpl
+++ b/templates/docker.tmpl
@@ -26,7 +26,7 @@
    {{if hasServices $server}}
      {{$services := getServiceNames $server}}
      {{range $serviceIndex, $serviceName := $services}}
-      [backends.backend-{{getServiceBackend $server $serviceName}}.servers.service]
+      [backends.backend-{{getServiceBackend $server $serviceName}}.servers.service-{{$serverName}}]
      url = "{{getServiceProtocol $server $serviceName}}://{{getIPAddress $server}}:{{getServicePort $server $serviceName}}"
      weight = {{getServiceWeight $server $serviceName}}
      {{end}}
--- a/templates/marathon.tmpl
+++ b/templates/marathon.tmpl
@@ -12,6 +12,7 @@

 {{range $app := $apps}}
 {{range $serviceIndex, $serviceName := getServiceNames $app}}
+[backends."backend{{getBackend $app $serviceName }}"]
 {{ if hasMaxConnLabels $app }}
      [backends."backend{{getBackend $app $serviceName }}".maxconn]
        amount = {{getMaxConnAmount $app }}
--- a/vendor/github.com/NYTimes/gziphandler/gzip.go
+++ b/vendor/github.com/NYTimes/gziphandler/gzip.go
@@ -150,7 +150,9 @@ func (w *GzipResponseWriter) startGzip() error {

 // WriteHeader just saves the response code until close or GZIP effective writes.
 func (w *GzipResponseWriter) WriteHeader(code int) {
-	w.code = code
+	if w.code == 0 {
+		w.code = code
+	}
 }

 // init graps a new gzip writer from the gzipWriterPool and writes the correct
@@ -190,10 +192,16 @@ func (w *GzipResponseWriter) Close() error {
 // http.ResponseWriter if it is an http.Flusher. This makes GzipResponseWriter
 // an http.Flusher.
 func (w *GzipResponseWriter) Flush() {
-	if w.gw != nil {
-		w.gw.Flush()
+	if w.gw == nil {
+		// Only flush once startGzip has been called.
+		//
+		// Flush is thus a no-op until the written body
+		// exceeds minSize.
+		return
 	}

+	w.gw.Flush()
+
 	if fw, ok := w.ResponseWriter.(http.Flusher); ok {
 		fw.Flush()
 	}
--- a/vendor/github.com/containous/mux/doc.go
+++ b/vendor/github.com/containous/mux/doc.go
@@ -57,11 +57,6 @@ calling mux.Vars():
 	vars := mux.Vars(request)
 	category := vars["category"]

-Note that if any capturing groups are present, mux will panic() during parsing. To prevent
-this, convert any capturing groups to non-capturing, e.g. change "/{sort:(asc|desc)}" to
-"/{sort:(?:asc|desc)}". This is a change from prior versions which behaved unpredictably
-when capturing groups were present.
-
 And this is all you need to know about the basic usage. More advanced options
 are explained below.

--- a/vendor/github.com/containous/mux/mux.go
+++ b/vendor/github.com/containous/mux/mux.go
@@ -11,7 +11,10 @@ import (
 	"path"
 	"regexp"
 	"sort"
-	"strings"
+)
+
+var (
+	ErrMethodMismatch = errors.New("method is not allowed")
 )

 // NewRouter returns a new router instance.
@@ -40,6 +43,10 @@ func NewRouter() *Router {
 type Router struct {
 	// Configurable Handler to be used when no route matches.
 	NotFoundHandler http.Handler
+
+	// Configurable Handler to be used when the request method does not match the route.
+	MethodNotAllowedHandler http.Handler
+
 	// Parent route, if this is a subrouter.
 	parent parentRoute
 	// Routes to be matched, in order.
@@ -66,6 +73,11 @@ func (r *Router) Match(req *http.Request, match *RouteMatch) bool {
 		}
 	}

+	if match.MatchErr == ErrMethodMismatch && r.MethodNotAllowedHandler != nil {
+		match.Handler = r.MethodNotAllowedHandler
+		return true
+	}
+
 	// Closest match for a router (includes sub-routers)
 	if r.NotFoundHandler != nil {
 		match.Handler = r.NotFoundHandler
@@ -82,7 +94,7 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	if !r.skipClean {
 		path := req.URL.Path
 		if r.useEncodedPath {
-			path = getPath(req)
+			path = req.URL.EscapedPath()
 		}
 		// Clean path to canonical form and redirect.
 		if p := cleanPath(path); p != path {
@@ -106,9 +118,15 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		req = setVars(req, match.Vars)
 		req = setCurrentRoute(req, match.Route)
 	}
+
+	if handler == nil && match.MatchErr == ErrMethodMismatch {
+		handler = methodNotAllowedHandler()
+	}
+
 	if handler == nil {
 		handler = http.NotFoundHandler()
 	}
+
 	if !r.KeepContext {
 		defer contextClear(req)
 	}
@@ -356,6 +374,11 @@ type RouteMatch struct {
 	Route   *Route
 	Handler http.Handler
 	Vars    map[string]string
+
+	// MatchErr is set to appropriate matching error
+	// It is set to ErrMethodMismatch if there is a mismatch in
+	// the request method and route method
+	MatchErr error
 }

 type contextKey int
@@ -397,28 +420,6 @@ func setCurrentRoute(r *http.Request, val interface{}) *http.Request {
 // Helpers
 // ----------------------------------------------------------------------------

-// getPath returns the escaped path if possible; doing what URL.EscapedPath()
-// which was added in go1.5 does
-func getPath(req *http.Request) string {
-	if req.RequestURI != "" {
-		// Extract the path from RequestURI (which is escaped unlike URL.Path)
-		// as detailed here as detailed in https://golang.org/pkg/net/url/#URL
-		// for < 1.5 server side workaround
-		// http://localhost/path/here?v=1 -> /path/here
-		path := req.RequestURI
-		path = strings.TrimPrefix(path, req.URL.Scheme+`://`)
-		path = strings.TrimPrefix(path, req.URL.Host)
-		if i := strings.LastIndex(path, "?"); i > -1 {
-			path = path[:i]
-		}
-		if i := strings.LastIndex(path, "#"); i > -1 {
-			path = path[:i]
-		}
-		return path
-	}
-	return req.URL.Path
-}
-
 // cleanPath returns the canonical path for p, eliminating . and .. elements.
 // Borrowed from the net/http package.
 func cleanPath(p string) string {
@@ -557,3 +558,12 @@ func matchMapWithRegex(toCheck map[string]*regexp.Regexp, toMatch map[string][]s
 	}
 	return true
 }
+
+// methodNotAllowed replies to the request with an HTTP status code 405.
+func methodNotAllowed(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusMethodNotAllowed)
+}
+
+// methodNotAllowedHandler returns a simple request handler
+// that replies to each request with a status code 405.
+func methodNotAllowedHandler() http.Handler { return http.HandlerFunc(methodNotAllowed) }
--- a/vendor/github.com/containous/mux/regexp.go
+++ b/vendor/github.com/containous/mux/regexp.go
@@ -109,13 +109,6 @@ func newRouteRegexp(tpl string, matchHost, matchPrefix, matchQuery, strictSlash,
 	if errCompile != nil {
 		return nil, errCompile
 	}
-
-	// Check for capturing groups which used to work in older versions
-	if reg.NumSubexp() != len(idxs)/2 {
-		panic(fmt.Sprintf("route %s contains capture groups in its regexp. ", template) +
-			"Only non-capturing groups are accepted: e.g. (?:pattern) instead of (pattern)")
-	}
-
 	// Done!
 	return &routeRegexp{
 		template:       template,
@@ -141,7 +134,7 @@ type routeRegexp struct {
 	matchQuery bool
 	// The strictSlash value defined on the route, but disabled if PathPrefix was used.
 	strictSlash bool
-	// Determines whether to use encoded path from getPath function or unencoded
+	// Determines whether to use encoded req.URL.EnscapedPath() or unencoded
 	// req.URL.Path for path matching
 	useEncodedPath bool
 	// Expanded regexp.
@@ -162,7 +155,7 @@ func (r *routeRegexp) Match(req *http.Request, match *RouteMatch) bool {
 		}
 		path := req.URL.Path
 		if r.useEncodedPath {
-			path = getPath(req)
+			path = req.URL.EscapedPath()
 		}
 		return r.regexp.MatchString(path)
 	}
@@ -272,7 +265,7 @@ func (v *routeRegexpGroup) setMatch(req *http.Request, m *RouteMatch, r *Route)
 	}
 	path := req.URL.Path
 	if r.useEncodedPath {
-		path = getPath(req)
+		path = req.URL.EscapedPath()
 	}
 	// Store path variables.
 	if v.path != nil {
@@ -320,7 +313,14 @@ func getHost(r *http.Request) string {
 }

 func extractVars(input string, matches []int, names []string, output map[string]string) {
-	for i, name := range names {
-		output[name] = input[matches[2*i+2]:matches[2*i+3]]
+	matchesCount := 0
+	prevEnd := -1
+	for i := 2; i < len(matches) && matchesCount < len(names); i += 2 {
+		if prevEnd < matches[i+1] {
+			value := input[matches[i]:matches[i+1]]
+			output[names[matchesCount]] = value
+			prevEnd = matches[i+1]
+			matchesCount++
+		}
 	}
 }
--- a/vendor/github.com/containous/mux/route.go
+++ b/vendor/github.com/containous/mux/route.go
@@ -54,12 +54,27 @@ func (r *Route) Match(req *http.Request, match *RouteMatch) bool {
 	if r.buildOnly || r.err != nil {
 		return false
 	}
+
+	var matchErr error
+
 	// Match everything.
 	for _, m := range r.matchers {
 		if matched := m.Match(req, match); !matched {
+			if _, ok := m.(methodMatcher); ok {
+				matchErr = ErrMethodMismatch
+				continue
+			}
+			matchErr = nil
 			return false
 		}
 	}
+
+	if matchErr != nil {
+		match.MatchErr = matchErr
+		return false
+	}
+
+	match.MatchErr = nil
 	// Yay, we have a match. Let's collect some info about it.
 	if match.Route == nil {
 		match.Route = r
@@ -70,6 +85,7 @@ func (r *Route) Match(req *http.Request, match *RouteMatch) bool {
 	if match.Vars == nil {
 		match.Vars = make(map[string]string)
 	}
+
 	// Set variables.
 	if r.regexp != nil {
 		r.regexp.setMatch(req, match, r)
@@ -607,6 +623,44 @@ func (r *Route) GetPathRegexp() (string, error) {
 	return r.regexp.path.regexp.String(), nil
 }

+// GetQueriesRegexp returns the expanded regular expressions used to match the
+// route queries.
+// This is useful for building simple REST API documentation and for instrumentation
+// against third-party services.
+// An empty list will be returned if the route does not have queries.
+func (r *Route) GetQueriesRegexp() ([]string, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+	if r.regexp == nil || r.regexp.queries == nil {
+		return nil, errors.New("mux: route doesn't have queries")
+	}
+	var queries []string
+	for _, query := range r.regexp.queries {
+		queries = append(queries, query.regexp.String())
+	}
+	return queries, nil
+}
+
+// GetQueriesTemplates returns the templates used to build the
+// query matching.
+// This is useful for building simple REST API documentation and for instrumentation
+// against third-party services.
+// An empty list will be returned if the route does not define queries.
+func (r *Route) GetQueriesTemplates() ([]string, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+	if r.regexp == nil || r.regexp.queries == nil {
+		return nil, errors.New("mux: route doesn't have queries")
+	}
+	var queries []string
+	for _, query := range r.regexp.queries {
+		queries = append(queries, query.template)
+	}
+	return queries, nil
+}
+
 // GetMethods returns the methods the route matches against
 // This is useful for building simple REST API documentation and for instrumentation
 // against third-party services.
--- a/vendor/github.com/vulcand/oxy/forward/fwd.go
+++ b/vendor/github.com/vulcand/oxy/forward/fwd.go
@@ -190,7 +190,9 @@ func (f *httpForwarder) serveHTTP(w http.ResponseWriter, req *http.Request, ctx
 			stream = contentType == "text/event-stream"
 		}
 	}
-	written, err := io.Copy(newResponseFlusher(w, stream), response.Body)
+
+	flush := stream || req.ProtoMajor == 2
+	written, err := io.Copy(newResponseFlusher(w, flush), response.Body)
 	if err != nil {
 		ctx.log.Errorf("Error copying upstream response body: %v", err)
 		ctx.errHandler.ServeHTTP(w, req, err)
@@ -264,7 +266,8 @@ func (f *websocketForwarder) serveHTTP(w http.ResponseWriter, req *http.Request,

 	dialer := websocket.DefaultDialer
 	if outReq.URL.Scheme == "wss" && f.TLSClientConfig != nil {
-		dialer.TLSClientConfig = f.TLSClientConfig
+		dialer.TLSClientConfig = f.TLSClientConfig.Clone()
+		dialer.TLSClientConfig.NextProtos = []string{"http/1.1"}
 	}
 	targetConn, resp, err := dialer.Dial(outReq.URL.String(), outReq.Header)
 	if err != nil {
--- a/vendor/github.com/vulcand/oxy/forward/headers.go
+++ b/vendor/github.com/vulcand/oxy/forward/headers.go
@@ -6,6 +6,7 @@ const (
 	XForwardedHost         = "X-Forwarded-Host"
 	XForwardedPort         = "X-Forwarded-Port"
 	XForwardedServer       = "X-Forwarded-Server"
+	XRealIp                = "X-Real-Ip"
 	Connection             = "Connection"
 	KeepAlive              = "Keep-Alive"
 	ProxyAuthenticate      = "Proxy-Authenticate"
@@ -50,3 +51,12 @@ var WebsocketUpgradeHeaders = []string{
 	Connection,
 	SecWebsocketAccept,
 }
+
+var XHeaders = []string{
+	XForwardedProto,
+	XForwardedFor,
+	XForwardedHost,
+	XForwardedPort,
+	XForwardedServer,
+	XRealIp,
+}
--- a/vendor/github.com/vulcand/oxy/forward/rewrite.go
+++ b/vendor/github.com/vulcand/oxy/forward/rewrite.go
@@ -15,30 +15,36 @@ type HeaderRewriter struct {
 }

 func (rw *HeaderRewriter) Rewrite(req *http.Request) {
+	if !rw.TrustForwardHeader {
+		utils.RemoveHeaders(req.Header, XHeaders...)
+	}
+
 	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-		if rw.TrustForwardHeader {
-			if prior, ok := req.Header[XForwardedFor]; ok {
-				clientIP = strings.Join(prior, ", ") + ", " + clientIP
-			}
+		if prior, ok := req.Header[XForwardedFor]; ok {
+			req.Header.Set(XForwardedFor, strings.Join(prior, ", ")+", "+clientIP)
+		} else {
+			req.Header.Set(XForwardedFor, clientIP)
+		}
+
+		if req.Header.Get(XRealIp) == "" {
+			req.Header.Set(XRealIp, clientIP)
 		}
-		req.Header.Set(XForwardedFor, clientIP)
 	}

-	if xfp := req.Header.Get(XForwardedProto); xfp != "" && rw.TrustForwardHeader {
-		req.Header.Set(XForwardedProto, xfp)
-	} else if req.TLS != nil {
-		req.Header.Set(XForwardedProto, "https")
-	} else {
-		req.Header.Set(XForwardedProto, "http")
+	xfProto := req.Header.Get(XForwardedProto)
+	if xfProto == "" {
+		if req.TLS != nil {
+			req.Header.Set(XForwardedProto, "https")
+		} else {
+			req.Header.Set(XForwardedProto, "http")
+		}
 	}

-	if xfp := req.Header.Get(XForwardedPort); xfp != "" && rw.TrustForwardHeader {
-		req.Header.Set(XForwardedPort, xfp)
+	if xfp := req.Header.Get(XForwardedPort); xfp == "" {
+		req.Header.Set(XForwardedPort, forwardedPort(req))
 	}

-	if xfh := req.Header.Get(XForwardedHost); xfh != "" && rw.TrustForwardHeader {
-		req.Header.Set(XForwardedHost, xfh)
-	} else if req.Host != "" {
+	if xfHost := req.Header.Get(XForwardedHost); xfHost == "" && req.Host != "" {
 		req.Header.Set(XForwardedHost, req.Host)
 	}

@@ -50,3 +56,19 @@ func (rw *HeaderRewriter) Rewrite(req *http.Request) {
 	// connection, regardless of what the client sent to us.
 	utils.RemoveHeaders(req.Header, HopHeaders...)
 }
+
+func forwardedPort(req *http.Request) string {
+	if req == nil {
+		return ""
+	}
+
+	if _, port, err := net.SplitHostPort(req.Host); err == nil && port != "" {
+		return port
+	}
+
+	if req.TLS != nil {
+		return "443"
+	}
+
+	return "80"
+}
Author	SHA1	Message	Date
SALLEYRON Julien	419d46c958	Prepare release v1.4.4	2017-11-23 11:48:03 +01:00
Marco Jantke	676b79db42	Fix raw path handling in strip prefix	2017-11-21 14:28:03 +01:00
Ludovic Fernandez	c9129b8ecf	Remove GzipHandler Fork	2017-11-20 18:32:03 +01:00
NicoMen	6619a787a3	Fix problems about duplicated and missing Docker backends/frontends.	2017-11-20 15:16:03 +01:00
Raúl Sánchez	aae17c817b	Fix issue with label traefik.backend.loadbalancer.stickiness.cookieName	2017-11-20 11:42:03 +01:00
Ludovic Fernandez	8fe5c22075	Exclude RC from doc publication.	2017-11-20 09:42:02 +01:00
Ludovic Fernandez	1a4564d998	http.Server log goes to Debug level.	2017-11-18 01:10:03 +01:00
Ludovic Fernandez	66be04f39e	Documentation archive	2017-11-16 09:20:03 +01:00
NicoMen	77b111702b	Prepare release v1.4.3	2017-11-14 12:06:03 +01:00
NicoMen	96a7cc483f	Add Traefik prefix to the KV key	2017-11-14 11:38:03 +01:00
Ludovic Fernandez	1e3506848a	Flush and errorcode	2017-11-14 11:16:03 +01:00
Michael	5ee2cae85c	Fix Traefik reload if Consul Catalog tags change	2017-11-13 12:14:02 +01:00
Ludovic Fernandez	5c119fe2d6	Exclude GRPC from compress	2017-11-10 14:12:02 +01:00
Ivan Rogov	2f62ec3632	Link corrected	2017-11-09 15:54:04 +01:00
Levi Blaney	56affb90ae	Add secret creation to docs for kubernetes backend	2017-11-09 10:52:03 +01:00
SALLEYRON Julien	9bd0fff319	Keep status when stream mode and compress	2017-11-09 00:48:03 +01:00
Jan Collijs	58a438167b	Minor fix for docker volume vs created directory	2017-11-08 15:12:03 +01:00
Tom Saleeba	bc8d68bd31	docs: fix some typos	2017-11-07 11:50:03 +01:00
Bernhard Millauer	70812c70fc	Postfix windows binaries with .exe	2017-11-03 17:02:14 +01:00
Ludovic Fernandez	0347537f43	Freeze version of mkdocs-material.	2017-11-02 14:38:03 +01:00
Ludovic Fernandez	db9b18f121	Prepare release v1.4.2	2017-11-02 12:28:03 +01:00
Jim Hribar	fc4d670c88	Minor grammar change	2017-11-02 10:38:03 +01:00
Alex Antonov	02035d4942	Missing Backend key in configuration when application has no tasks	2017-11-01 11:26:03 +01:00
Ludovic Fernandez	d3c7681bc5	New PR template	2017-10-30 16:38:03 +01:00
NicoMen	dc66db4abe	Make the traefik.port label optional when using service labels in Docker containers.	2017-10-30 15:10:05 +01:00
NicoMen	a0e1cf8376	Fix IP address when Docker container network mode is container	2017-10-30 14:36:04 +01:00
Daniel König	5292b84f4f	fixed dead link in kubernetes backend config docs	2017-10-30 14:04:03 +01:00
burningTyger	b27455a36f	entrypoints -> entryPoints	2017-10-30 13:20:03 +01:00
NicoMen	da7b6f0baf	Make frontend names differents for similar routes	2017-10-30 12:06:03 +01:00
Simon Elsbrock	9b5845f1cb	Fix datastore corruption on reload due to shrinking config size	2017-10-30 11:22:04 +01:00
Erwin de Keijzer	1b2cb53d4f	Fix the k8s docs example deployment yaml	2017-10-25 16:58:04 +02:00
Ludovic Fernandez	3158e51c62	Remove hardcoded runtime.GOMAXPROCS.	2017-10-25 16:16:02 +02:00
NicoMen	f0371da838	Add unique ID to Docker services replicas	2017-10-25 10:00:03 +02:00
NicoMen	44b82e6231	Fix mkdocs version	2017-10-24 18:06:03 +02:00
Michael	04f0bf3070	Prepare release v1.4.1	2017-10-24 15:52:04 +02:00
SALLEYRON Julien	7400c39511	Stream mode when http2	2017-10-24 14:38:02 +02:00
Ludovic Fernandez	35ca40c3de	Enhance Trust Forwarded Headers	2017-10-23 16:12:03 +02:00
Emile Vauge	de821fc305	fix healthcheck path	2017-10-23 15:48:03 +02:00
Fernandez Ludovic	e3cac7d0e5	fix(docker): Network filter.	2017-10-23 14:20:03 +02:00
Ludovic Fernandez	81f7aa9df2	Regex capturing group.	2017-10-23 10:20:02 +02:00
SALLEYRON Julien	afbad56012	Force http/1.1 for websocket	2017-10-20 17:38:04 +02:00
Ludovic Fernandez	9c8df8b9ce	Fix 1.4.0 release date	2017-10-16 19:44:02 +02:00