Prepare release 1.7.0 rc2

Fix docs to use v1.6 labels rather than v1.5.

.github/ISSUE_TEMPLATE.md

@@ -2,10 +2,10 @@
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
 The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, refer to one of the following:
+For end-user related support questions, please refer to one of the following:
 
 - Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://traefik.herokuapp.com
+- the Traefik community Slack channel: https://slack.traefik.io
 
 -->
 
@@ -23,9 +23,9 @@ If you intend to ask a support question: DO NOT FILE AN ISSUE.
 HOW TO WRITE A GOOD ISSUE?
 
 - Respect the issue template as much as possible.
-- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title must be short and descriptive.
-- Explain the conditions which led you to write this issue: the context.
+- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title should be short and descriptive.
+- Explain the conditions which led you to report this issue: the context.
 - The context should lead to something, an idea or a problem that you’re facing.
 - Remain clear and concise.
 - Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,72 +1,78 @@
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, refer to one of the following:
-
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://traefik.herokuapp.com
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Bug
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title must be short and descriptive.
-- Explain the conditions which led you to write this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
--->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
--->
-
-
-### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
-
-```
-(paste your output here)
-```
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, please refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://slack.traefik.io
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Bug
+
+### What did you do?
+
+<!--
+
+HOW TO WRITE A GOOD BUG REPORT?
+
+- Respect the issue template as much as possible.
+- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title should be short and descriptive.
+- Explain the conditions which led you to report this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+
+### What did you expect to see?
+
+
+
+### What did you see instead?
+
+
+
+### Output of `traefik version`: (_What version of Traefik are you using?_)
+
+<!--
+For the Traefik Docker image:
+    docker run [IMAGE] version
+    ex: docker run traefik version
+
+For the alpine Traefik Docker image:
+    docker run [IMAGE] traefik version
+    ex: docker run traefik traefik version
+-->
+
+```
+(paste your output here)
+```
+
+### What is your environment & configuration (arguments, toml, provider, platform, ...)?
+
+```toml
+# (paste your configuration here)
+```
+
+<!--
+Add more configuration information here.
+-->
+
+
+### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
+
+```
+(paste your output here)
+```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,32 +1,37 @@
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, refer to one of the following:
-
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://traefik.herokuapp.com
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title must be short and descriptive.
-- Explain the conditions which led you to write this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
+---
+name: Feature request
+about: Suggest an idea for this project
+
+---
+
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, please refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://slack.traefik.io
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Feature
+
+### What did you expect to see?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as much as possible.
+- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title should be short and descriptive.
+- Explain the conditions which led you to report this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,7 +12,7 @@ HOW TO WRITE A GOOD PULL REQUEST?
 - Write useful descriptions and titles.
 - Address review comments in terms of additional commits.
 - Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/.github/CONTRIBUTING.md.
+- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
 
 -->
 

.semaphoreci/cleanup.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -e
+
+sudo rm -rf static

.semaphoreci/job1.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
+
+if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

.semaphoreci/job2.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+ci_retry make validate
+
+if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
+
+if [ -n "$SHOULD_TEST" ]; then make -j${N_MAKE_JOBS} crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,11 +1,16 @@
 #!/usr/bin/env bash
 set -e
 
-sudo -E apt-get -yq update
-sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*
-docker version
+export DOCKER_VERSION=17.03.1
 
-pip install --user -r requirements.txt
+source .semaphoreci/vars
 
-make pull-images
-ci_retry make validate
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R); fi
+
+if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
+
+if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+
+if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+
+if [ -n "$SHOULD_TEST" ]; then  docker version; fi

.semaphoreci/tests.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-make test-unit
-ci_retry make test-integration
-make -j${N_MAKE_JOBS} crossbinary-default-parallel

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=tetedemoine
+export CODENAME=maroilles
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,11 +11,12 @@ env:
   global:
     - REPO: $TRAVIS_REPO_SLUG
     - VERSION: $TRAVIS_TAG
-    - CODENAME: tetedemoine
+    - CODENAME: maroilles
     - N_MAKE_JOBS: 2
 
 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
+- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs-verify; fi
 
 before_deploy:
   - >

CHANGELOG.md

@@ -1,5 +1,128 @@
 # Change Log
 
+## [v1.7.0-rc2](https://github.com/containous/traefik/tree/v1.7.0-rc2) (2018-07-17)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.0-rc1...v1.7.0-rc2)
+
+
+**Bug fixes:**
+- **[acme,provider]** Create init method on provider interface ([#3580](https://github.com/containous/traefik/pull/3580) by [Juliens](https://github.com/Juliens))
+- **[acme]** Serve TLS-Challenge certificate in first ([#3605](https://github.com/containous/traefik/pull/3605) by [nmengin](https://github.com/nmengin))
+- **[api,authentication,webui]** Auth section in web UI.  ([#3628](https://github.com/containous/traefik/pull/3628) by [ldez](https://github.com/ldez))
+- **[authentication,middleware,provider]** Don't pass the Authorization header to the backends ([#3606](https://github.com/containous/traefik/pull/3606) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[ecs]** Fix 400 bad request on  AWS ECS API ([#3629](https://github.com/containous/traefik/pull/3629) by [mmatur](https://github.com/mmatur))
+- **[k8s]** Fix rewrite-target Annotation behavior ([#3582](https://github.com/containous/traefik/pull/3582) by [dtomcej](https://github.com/dtomcej))
+- **[k8s]** Correct App-Root kubernetes behavior ([#3592](https://github.com/containous/traefik/pull/3592) by [dtomcej](https://github.com/dtomcej))
+- **[k8s]** Add more K8s Unit Tests ([#3583](https://github.com/containous/traefik/pull/3583) by [dtomcej](https://github.com/dtomcej))
+- **[kv]** KV and authentication ([#3615](https://github.com/containous/traefik/pull/3615) by [ldez](https://github.com/ldez))
+- **[middleware]** Send 'Retry-After' to comply with RFC6585. ([#3593](https://github.com/containous/traefik/pull/3593) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** Correct Modifier in Kubernetes Documentation ([#3610](https://github.com/containous/traefik/pull/3610) by [dtomcej](https://github.com/dtomcej))
+
+**Misc:**
+- Merge v1.6.5 into v1.7 ([#3595](https://github.com/containous/traefik/pull/3595) by [ldez](https://github.com/ldez))
+
+## [v1.6.5](https://github.com/containous/traefik/tree/v1.6.5) (2018-07-09)
+[All Commits](https://github.com/containous/traefik/compare/v1.6.4...v1.6.5)
+
+**Bug fixes:**
+- **[acme]** Add a mutex on local store for HTTPChallenges ([#3579](https://github.com/containous/traefik/pull/3579) by [Juliens](https://github.com/Juliens))
+- **[consulcatalog]** Split the error handling from Consul Catalog (deadlock) ([#3560](https://github.com/containous/traefik/pull/3560) by [ortz](https://github.com/ortz))
+- **[docker]** segment labels: multiple frontends for one backend. ([#3511](https://github.com/containous/traefik/pull/3511) by [ldez](https://github.com/ldez))
+- **[kv]** Better support on same prefix at the same level in the KV ([#3532](https://github.com/containous/traefik/pull/3532) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[logs]** Add logs when error is generated in error handler ([#3567](https://github.com/containous/traefik/pull/3567) by [Juliens](https://github.com/Juliens))
+- **[middleware]** Create middleware to be able to handle HTTP pipelining correctly ([#3513](https://github.com/containous/traefik/pull/3513) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[acme]** The gandiv5 provider works with wildcard ([#3506](https://github.com/containous/traefik/pull/3506) by [manu5801](https://github.com/manu5801))
+- **[kv]** Update keyFile first/last line comment in kv-config.md ([#3558](https://github.com/containous/traefik/pull/3558) by [madnight](https://github.com/madnight))
+- Minor formatting issue in user-guide ([#3546](https://github.com/containous/traefik/pull/3546) by [Vanuan](https://github.com/Vanuan))
+
+## [v1.7.0-rc1](https://github.com/containous/traefik/tree/v1.7.0-rc1) (2018-07-09)
+[All Commits](https://github.com/containous/traefik/compare/v1.6.0-rc1...v1.7.0-rc1)
+
+**Enhancements:**
+- **[acme]** Simplify get acme client ([#3499](https://github.com/containous/traefik/pull/3499) by [ldez](https://github.com/ldez))
+- **[acme]** Simplify acme e2e tests. ([#3534](https://github.com/containous/traefik/pull/3534) by [ldez](https://github.com/ldez))
+- **[acme]** Add option to select algorithm to generate ACME certificates ([#3319](https://github.com/containous/traefik/pull/3319) by [mmatur](https://github.com/mmatur))
+- **[acme]** Enable to override certificates in key-value store when using storeconfig ([#3202](https://github.com/containous/traefik/pull/3202) by [thomasjpfan](https://github.com/thomasjpfan))
+- **[acme]** ACME TLS ALPN ([#3553](https://github.com/containous/traefik/pull/3553) by [ldez](https://github.com/ldez))
+- **[acme]** Remove acme provider dependency in server ([#3225](https://github.com/containous/traefik/pull/3225) by [Juliens](https://github.com/Juliens))
+- **[api,cluster]** Improved cluster api to include the current leader node ([#3100](https://github.com/containous/traefik/pull/3100) by [aantono](https://github.com/aantono))
+- **[authentication,k8s]** Auth support in frontends for k8s and file ([#3460](https://github.com/containous/traefik/pull/3460) by [Zatte](https://github.com/Zatte))
+- **[authentication,middleware]** Add xforwarded method ([#3424](https://github.com/containous/traefik/pull/3424) by [erik-sjoestedt](https://github.com/erik-sjoestedt))
+- **[authentication,middleware]** Forward auth headers ([#3521](https://github.com/containous/traefik/pull/3521) by [hwhelan-CB](https://github.com/hwhelan-CB))
+- **[consul,consulcatalog,docker,ecs,kv,marathon,mesos,rancher]** Auth support in frontends ([#3559](https://github.com/containous/traefik/pull/3559) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[consulcatalog,docker,ecs,file,k8s,kv,marathon,mesos,rancher]** Add SSLForceHost support. ([#3246](https://github.com/containous/traefik/pull/3246) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add support for stale reads from Consul catalog ([#3523](https://github.com/containous/traefik/pull/3523) by [marenzo](https://github.com/marenzo))
+- **[docker]** Add a default value for the docker.network configuration ([#3471](https://github.com/containous/traefik/pull/3471) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[ecs]** Support for AWS ECS Fargate ([#3379](https://github.com/containous/traefik/pull/3379) by [mmatur](https://github.com/mmatur))
+- **[ecs]** Add support for ECS constraints ([#3537](https://github.com/containous/traefik/pull/3537) by [andrewstucki](https://github.com/andrewstucki))
+- **[ecs]** Support `traefik.backend` for ECS ([#3510](https://github.com/containous/traefik/pull/3510) by [hwhelan-CB](https://github.com/hwhelan-CB))
+- **[ecs]** Allow binding ECS container port ([#3533](https://github.com/containous/traefik/pull/3533) by [andrewstucki](https://github.com/andrewstucki))
+- **[healthcheck,consul,consulcatalog,docker,ecs,kv,marathon,mesos,rancher]** Override health check scheme ([#3315](https://github.com/containous/traefik/pull/3315) by [ldez](https://github.com/ldez))
+- **[healthcheck]** Support 3xx HTTP status codes for health check ([#3364](https://github.com/containous/traefik/pull/3364) by [SniperCZE](https://github.com/SniperCZE))
+- **[healthcheck]** Support all 2xx HTTP status code for health check. ([#3362](https://github.com/containous/traefik/pull/3362) by [ldez](https://github.com/ldez))
+- **[healthcheck]** Add HTTP headers to healthcheck. ([#3047](https://github.com/containous/traefik/pull/3047) by [zetaab](https://github.com/zetaab))
+- **[k8s]** Add more k8s tests ([#3491](https://github.com/containous/traefik/pull/3491) by [dtomcej](https://github.com/dtomcej))
+- **[k8s]** Substitude hardcoded "<namespace>/<name>" with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
+- **[k8s]** Custom frontend name for test helper ([#3444](https://github.com/containous/traefik/pull/3444) by [ldez](https://github.com/ldez))
+- **[k8s]** Add annotation to allow modifiers to be used properly in kubernetes ([#3481](https://github.com/containous/traefik/pull/3481) by [dtomcej](https://github.com/dtomcej))
+- **[k8s]** Create Global Backend Ingress ([#3404](https://github.com/containous/traefik/pull/3404) by [dtomcej](https://github.com/dtomcej))
+- **[k8s]** Specify backend servers' weight via annotation for kubernetes ([#3112](https://github.com/containous/traefik/pull/3112) by [yue9944882](https://github.com/yue9944882))
+- **[k8s]** Support multi-port services. ([#3121](https://github.com/containous/traefik/pull/3121) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Mapping ExternalNames to custom ports ([#3231](https://github.com/containous/traefik/pull/3231) by [gildas](https://github.com/gildas))
+- **[k8s]** Allow any kubernetes ingressClass value ([#3516](https://github.com/containous/traefik/pull/3516) by [rtreffer](https://github.com/rtreffer))
+- **[k8s]** Enable Ingress Status updates ([#3324](https://github.com/containous/traefik/pull/3324) by [dtomcej](https://github.com/dtomcej))
+- **[kv]** Use index-based syntax in KV tests. ([#3352](https://github.com/containous/traefik/pull/3352) by [ldez](https://github.com/ldez))
+- **[logs,middleware]** Make accesslogs.logTheRoundTrip async to get lost performance ([#3152](https://github.com/containous/traefik/pull/3152) by [ryarnyah](https://github.com/ryarnyah))
+- **[logs,middleware]** Added duration filter for logs ([#3463](https://github.com/containous/traefik/pull/3463) by [rodrigodiez](https://github.com/rodrigodiez))
+- **[marathon]** Adding compatibility for marathon 1.5 ([#3505](https://github.com/containous/traefik/pull/3505) by [TrevinTeacutter](https://github.com/TrevinTeacutter))
+- **[marathon]** Sane default and configurable Marathon request timeouts ([#3286](https://github.com/containous/traefik/pull/3286) by [marco-jantke](https://github.com/marco-jantke))
+- **[mesos]** Segments Labels: Mesos ([#3383](https://github.com/containous/traefik/pull/3383) by [drewkerrigan](https://github.com/drewkerrigan))
+- **[metrics]** Metrics: Add support for InfluxDB Database / RetentionPolicy and HTTP client ([#3391](https://github.com/containous/traefik/pull/3391) by [drewkerrigan](https://github.com/drewkerrigan))
+- **[middleware,server]** Extreme Makeover: server refactoring ([#3461](https://github.com/containous/traefik/pull/3461) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Added integration support for DataDog APM Tracing ([#3517](https://github.com/containous/traefik/pull/3517) by [aantono](https://github.com/aantono))
+- **[middleware,tracing]** Create a custom logger for jaeger ([#3541](https://github.com/containous/traefik/pull/3541) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Performance enhancements for the rules matchers. ([#3563](https://github.com/containous/traefik/pull/3563) by [ShaneSaww](https://github.com/ShaneSaww))
+- **[middleware]** Extract internal router creation from server ([#3204](https://github.com/containous/traefik/pull/3204) by [Juliens](https://github.com/Juliens))
+- **[rules]** CNAME flattening ([#3403](https://github.com/containous/traefik/pull/3403) by [gamalan](https://github.com/gamalan))
+- **[servicefabric]** Add white list for Service Fabric ([#3079](https://github.com/containous/traefik/pull/3079) by [ldez](https://github.com/ldez))
+- **[servicefabric]** Add HTTP headers to healthcheck. ([#3205](https://github.com/containous/traefik/pull/3205) by [ldez](https://github.com/ldez))
+- **[tls]** Improve TLS Handshake ([#3512](https://github.com/containous/traefik/pull/3512) by [dtomcej](https://github.com/dtomcej))
+- **[tls]** Support TLS MinVersion and CipherSuite as CLI option. ([#3107](https://github.com/containous/traefik/pull/3107) by [ldez](https://github.com/ldez))
+- **[webui]** Add some missing elements in the WebUI ([#3327](https://github.com/containous/traefik/pull/3327) by [ldez](https://github.com/ldez))
+- Minor changes ([#3554](https://github.com/containous/traefik/pull/3554) by [ldez](https://github.com/ldez))
+- h2c server ([#3387](https://github.com/containous/traefik/pull/3387) by [Juliens](https://github.com/Juliens))
+- Fix backend reuse ([#3312](https://github.com/containous/traefik/pull/3312) by [arnested](https://github.com/arnested))
+- Call functions to enable block/mutex pprof profiles. ([#3564](https://github.com/containous/traefik/pull/3564) by [timoreimann](https://github.com/timoreimann))
+- Implement h2c with backend ([#3371](https://github.com/containous/traefik/pull/3371) by [Juliens](https://github.com/Juliens))
+- Upgrade GRPC dependencies ([#3342](https://github.com/containous/traefik/pull/3342) by [gottwald](https://github.com/gottwald))
+- Generated assets file are only mandatory in main ([#3386](https://github.com/containous/traefik/pull/3386) by [Juliens](https://github.com/Juliens))
+
+**Bug fixes:**
+- **[acme]** Does not generate ACME certificate if domain is checked by dynamic certificate ([#3238](https://github.com/containous/traefik/pull/3238) by [Juliens](https://github.com/Juliens))
+- **[k8s]** Fix panic setting ingress status ([#3492](https://github.com/containous/traefik/pull/3492) by [dtomcej](https://github.com/dtomcej))
+- **[logs]** Add logs when error is generated in error handler ([#3571](https://github.com/containous/traefik/pull/3571) by [Juliens](https://github.com/Juliens))
+- **[middleware]** Avoid retries when any data was written to the backend ([#3285](https://github.com/containous/traefik/pull/3285) by [marco-jantke](https://github.com/marco-jantke))
+
+**Documentation:**
+- **[k8s]** Add a k8s guide section on traffic splitting via service weights. ([#3556](https://github.com/containous/traefik/pull/3556) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Change code block of traefik-web-ui to match file ([#3542](https://github.com/containous/traefik/pull/3542) by [drewgwallace](https://github.com/drewgwallace))
+- **[k8s]** Fix typo which breaks k8s example manifest ([#3441](https://github.com/containous/traefik/pull/3441) by [GeertJohan](https://github.com/GeertJohan))
+- **[metrics]** Adding grafana dashboards based on prometheus metrics ([#3393](https://github.com/containous/traefik/pull/3393) by [deimosfr](https://github.com/deimosfr))
+- **[servicefabric]** Fix Service Fabric docs to use v1.6 labels ([#3209](https://github.com/containous/traefik/pull/3209) by [jjcollinge](https://github.com/jjcollinge))
+
+**Misc:**
+- Merge v1.6.4 into master ([#3502](https://github.com/containous/traefik/pull/3502) by [ldez](https://github.com/ldez))
+- Merge v1.6.3 into master ([#3439](https://github.com/containous/traefik/pull/3439) by [ldez](https://github.com/ldez))
+- Merge v1.6.2 into master ([#3367](https://github.com/containous/traefik/pull/3367) by [ldez](https://github.com/ldez))
+- Merge v1.6.1 into master ([#3326](https://github.com/containous/traefik/pull/3326) by [ldez](https://github.com/ldez))
+- Merge v1.6.0 into master ([#3253](https://github.com/containous/traefik/pull/3253) by [ldez](https://github.com/ldez))
+- Merge v1.6.0-rc6 into master ([#3203](https://github.com/containous/traefik/pull/3203) by [ldez](https://github.com/ldez))
+- Merge v1.6.0-rc5 into master  ([#3180](https://github.com/containous/traefik/pull/3180) by [ldez](https://github.com/ldez))
+- Merge v1.6.0-rc4 into master  ([#3129](https://github.com/containous/traefik/pull/3129) by [ldez](https://github.com/ldez))
+
 ## [v1.6.4](https://github.com/containous/traefik/tree/v1.6.4) (2018-06-15)
 [All Commits](https://github.com/containous/traefik/compare/v1.6.3...v1.6.4)
 

CONTRIBUTING.md

@@ -160,9 +160,11 @@ Integration tests must be run from the `integration/` directory and require the
 
 The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
 
-### Method 1: `Docker` and `make`
+### Building Documentation
 
-You can test documentation using the `docs` target.
+#### Method 1: `Docker` and `make`
+
+You can build the documentation and serve it locally with livereloading, using the `docs` target:
 
 ```bash
 $ make docs
@@ -177,11 +179,18 @@ docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000
 
 And go to [http://127.0.0.1:8000](http://127.0.0.1:8000).
 
-### Method 2: `mkdocs`
+If you only want to build the documentation without serving it locally, you can use the following command:
+
+```bash
+$ make docs-build
+...
+```
+
+#### Method 2: `mkdocs`
 
 First make sure you have python and pip installed
 
-```shell
+```bash
 $ python --version
 Python 2.7.2
 $ pip --version
@@ -190,29 +199,49 @@ pip 1.5.2
 
 Then install mkdocs with pip
 
-```shell
+```bash
 pip install --user -r requirements.txt
 ```
 
-To test documentation locally run `mkdocs serve` in the root directory, this should start a server locally to preview your changes.
+To build documentation locally and serve it locally,
+run `mkdocs serve` in the root directory,
+this should start a server locally to preview your changes.
 
-```shell
+```bash
 $ mkdocs serve
 INFO    -  Building documentation...
-WARNING -  Config value: 'theme'. Warning: The theme 'united' will be removed in an upcoming MkDocs release. See http://www.mkdocs.org/about/release-notes/ for more details
 INFO    -  Cleaning site directory
 [I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
 [I 160505 22:31:24 handlers:59] Start watching changes
 [I 160505 22:31:24 handlers:61] Start detecting changes
 ```
 
+### Verify Documentation
+
+You can verify that the documentation meets some expectations, as checking for dead links, html markup validity.
+
+```bash
+$ make docs-verify
+docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
+...
+docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+=== Checking HTML content...
+Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
+```
+
+If you recently changed the documentation, do not forget to clean it to have it rebuilt:
+
+```bash
+$ make docs-clean docs-verify
+...
+```
 
 ## How to Write a Good Issue
 
 Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
 
 For end-user related support questions, refer to one of the following:
-- the Traefik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 - [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
 
 ### Title

Gopkg.lock

@@ -3,12 +3,15 @@
 
 [[projects]]
   name = "cloud.google.com/go"
-  packages = [
-    "compute/metadata",
-    "internal"
-  ]
-  revision = "2e6a95edb1071d750f6d7db777bf66cd2997af6c"
-  version = "v0.7.0"
+  packages = ["compute/metadata"]
+  revision = "056a55f54a6cc77b440b31a56a5e7c3982d32811"
+  version = "v0.22.0"
+
+[[projects]]
+  branch = "master"
+  name = "code.cloudfoundry.org/clock"
+  packages = ["."]
+  revision = "02e53af36e6c978af692887ed449b74026d76fec"
 
 [[projects]]
   branch = "master"
@@ -83,6 +86,11 @@
   packages = ["."]
   revision = "e039e20e500c2c025d9145be375e27cf42a94174"
 
+[[projects]]
+  name = "github.com/Microsoft/ApplicationInsights-Go"
+  packages = ["appinsights"]
+  revision = "98ac7ca026c26818888600ea0d966987aa56f043"
+
 [[projects]]
   name = "github.com/Microsoft/go-winio"
   packages = ["."]
@@ -101,6 +109,12 @@
   revision = "a8b993ba6abdb0e0c12b0125c603323a71c7790c"
   source = "github.com/ijc25/Gotty"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/OpenDNS/vegadns2client"
+  packages = ["."]
+  revision = "a3fa4a771d87bda2514a90a157e1fed1b6897d2e"
+
 [[projects]]
   name = "github.com/PuerkitoBio/purell"
   packages = ["."]
@@ -192,6 +206,7 @@
     "aws/request",
     "aws/session",
     "aws/signer/v4",
+    "internal/sdkio",
     "internal/sdkrand",
     "internal/shareddefaults",
     "private/protocol",
@@ -212,8 +227,8 @@
     "service/route53",
     "service/sts"
   ]
-  revision = "f9a6880d84e16e2a37055793e17164a228d637f4"
-  version = "v1.13.1"
+  revision = "fad131ddc707880428615dc8bc1587b55fb46d74"
+  version = "v1.13.54"
 
 [[projects]]
   branch = "master"
@@ -257,14 +272,14 @@
 [[projects]]
   name = "github.com/containous/staert"
   packages = ["."]
-  revision = "cc00c303ccbd2491ddc1dccc9eb7ccadd807557e"
-  version = "v3.1.0"
+  revision = "66717a0e0ca950c4b6dc8c87b46da0b8495c6e41"
+  version = "v3.1.1"
 
 [[projects]]
   name = "github.com/containous/traefik-extra-service-fabric"
   packages = ["."]
-  revision = "2889df8d4f84315e6e527588554ed0ce9d062305"
-  version = "v1.1.5"
+  revision = "6e90a9eef2ac9d320e55d6e994d169673a8d8b0f"
+  version = "v1.3.0"
 
 [[projects]]
   name = "github.com/coreos/bbolt"
@@ -286,8 +301,8 @@
     "pkg/types",
     "version"
   ]
-  revision = "f1d7dd87da3e8feab4aaf675b8e29c6a5ed5f58b"
-  version = "v3.2.9"
+  revision = "70c8726202dd91e482fb4029fd14af1d4ed1d5af"
+  version = "v3.3.5"
 
 [[projects]]
   name = "github.com/coreos/go-semver"
@@ -536,7 +551,7 @@
 [[projects]]
   name = "github.com/gambol99/go-marathon"
   packages = ["."]
-  revision = "03b46169666c53b9cc953b875ac5714e5103e064"
+  revision = "99a156b96fb2f9dbe6465affa51bbdccdd37174d"
 
 [[projects]]
   name = "github.com/ghodss/yaml"
@@ -608,7 +623,9 @@
 [[projects]]
   name = "github.com/gogo/protobuf"
   packages = [
+    "gogoproto",
     "proto",
+    "protoc-gen-gogo/descriptor",
     "sortkeys"
   ]
   revision = "909568be09de550ed094403c2bf8a261b5bb730a"
@@ -628,7 +645,8 @@
     "ptypes/duration",
     "ptypes/timestamp"
   ]
-  revision = "4bd1920723d7b7c925de087aa32e2187708897f7"
+  revision = "b4deda0973fb4c70b50d226b1af49f3da59f5265"
+  version = "v1.1.0"
 
 [[projects]]
   branch = "master"
@@ -658,11 +676,6 @@
   packages = ["."]
   revision = "bbcb9da2d746f8bdbd6a936686a0a6067ada0ec5"
 
-[[projects]]
-  name = "github.com/googleapis/gax-go"
-  packages = ["."]
-  revision = "9af46dd5a1713e8b5cd71106287eba3cefdde50b"
-
 [[projects]]
   name = "github.com/googleapis/gnostic"
   packages = [
@@ -761,6 +774,12 @@
   revision = "2d474a3089bcfce6b472779be9470a1f0ef3d5e4"
   version = "v1.3.7"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/jjcollinge/logrus-appinsights"
+  packages = ["."]
+  revision = "9b66602d496a139e4722bdde32f0f1ac1c12d4a8"
+
 [[projects]]
   name = "github.com/jjcollinge/servicefabric"
   packages = ["."]
@@ -997,6 +1016,12 @@
   packages = ["ovh"]
   revision = "91b7eb631d2eced3e706932a0b36ee8b5ee22e92"
 
+[[projects]]
+  name = "github.com/patrickmn/go-cache"
+  packages = ["."]
+  revision = "a3647f8e31d79543b2d0f0ae2fe5c379d72cedc0"
+  version = "v2.1.0"
+
 [[projects]]
   branch = "master"
   name = "github.com/petar/GoLLRB"
@@ -1009,6 +1034,12 @@
   revision = "5f041e8faa004a95c88a202771f4cc3e991971e6"
   version = "v2.0.1"
 
+[[projects]]
+  name = "github.com/philhofer/fwd"
+  packages = ["."]
+  revision = "bb6d471dc95d4fe11e432687f8b70ff496cf3136"
+  version = "v1.0.0"
+
 [[projects]]
   name = "github.com/pierrec/lz4"
   packages = ["."]
@@ -1085,6 +1116,17 @@
   packages = ["."]
   revision = "256dc444b735e061061cf46c809487313d5b0065"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/sacloud/libsacloud"
+  packages = [
+    ".",
+    "api",
+    "sacloud",
+    "sacloud/ostype"
+  ]
+  revision = "306ea89b6ef19334614f7b0fc5aa19595022bb8c"
+
 [[projects]]
   name = "github.com/samuel/go-zookeeper"
   packages = ["zk"]
@@ -1143,6 +1185,12 @@
   ]
   revision = "37e84520dcf74488f67654f9c775b9752c232dc1"
 
+[[projects]]
+  name = "github.com/tinylib/msgp"
+  packages = ["msgp"]
+  revision = "b2b6a672cf1e5b90748f79b8b81fc8c5cf0571a1"
+  version = "1.0.2"
+
 [[projects]]
   branch = "master"
   name = "github.com/tuvistavie/securerandom"
@@ -1180,7 +1228,8 @@
 [[projects]]
   name = "github.com/ugorji/go"
   packages = ["codec"]
-  revision = "ea9cd21fa0bc41ee4bdd50ac7ed8cbc7ea2ed960"
+  revision = "b4c50a2b199d93b13dc15e78929cfb23bfdf21ab"
+  version = "v1.1.1"
 
 [[projects]]
   name = "github.com/unrolled/render"
@@ -1191,7 +1240,7 @@
   branch = "v1"
   name = "github.com/unrolled/secure"
   packages = ["."]
-  revision = "88720c9cbecfcf2eceb9bb4311ad6e398a8381ed"
+  revision = "a1cf62cc2159fff407728f118c41aece76c397fa"
 
 [[projects]]
   name = "github.com/urfave/negroni"
@@ -1217,7 +1266,7 @@
     "roundrobin",
     "utils"
   ]
-  revision = "d5b73186eed4aa34b52748699ad19e90f61d4059"
+  revision = "f0cbb9d6b797d92d168b95b5c443a31dfa67ccd0"
 
 [[projects]]
   name = "github.com/vulcand/predicate"
@@ -1248,6 +1297,7 @@
   packages = [
     "acme",
     "log",
+    "platform/config/env",
     "providers/dns",
     "providers/dns/auroradns",
     "providers/dns/azure",
@@ -1272,6 +1322,7 @@
     "providers/dns/linode",
     "providers/dns/namecheap",
     "providers/dns/namedotcom",
+    "providers/dns/nifcloud",
     "providers/dns/ns1",
     "providers/dns/otc",
     "providers/dns/ovh",
@@ -1279,9 +1330,11 @@
     "providers/dns/rackspace",
     "providers/dns/rfc2136",
     "providers/dns/route53",
+    "providers/dns/sakuracloud",
+    "providers/dns/vegadns",
     "providers/dns/vultr"
   ]
-  revision = "7fedfd1388f016c7ca7ed92a7f2024d06a7e20d8"
+  revision = "e0d512138c43e3f056a41cd7a5beff662ec130d3"
 
 [[projects]]
   branch = "master"
@@ -1305,20 +1358,21 @@
     "bpf",
     "context",
     "context/ctxhttp",
+    "http/httpguts",
     "http2",
     "http2/hpack",
     "idna",
     "internal/iana",
     "internal/socket",
+    "internal/socks",
     "internal/timeseries",
     "ipv4",
     "ipv6",
-    "lex/httplex",
     "proxy",
     "trace",
     "websocket"
   ]
-  revision = "22ae77b79946ea320088417e4d50825671d82d57"
+  revision = "e514e69ffb8bc3c76a71ae40de0118d794855992"
 
 [[projects]]
   branch = "master"
@@ -1404,23 +1458,45 @@
   name = "google.golang.org/grpc"
   packages = [
     ".",
+    "balancer",
+    "balancer/base",
+    "balancer/roundrobin",
+    "channelz",
     "codes",
     "connectivity",
     "credentials",
-    "grpclb/grpc_lb_v1",
+    "encoding",
+    "encoding/proto",
+    "grpclb/grpc_lb_v1/messages",
     "grpclog",
+    "health/grpc_health_v1",
     "internal",
     "keepalive",
     "metadata",
     "naming",
     "peer",
+    "resolver",
+    "resolver/dns",
+    "resolver/passthrough",
     "stats",
     "status",
     "tap",
     "transport"
   ]
-  revision = "b3ddf786825de56a4178401b7e174ee332173b66"
-  version = "v1.5.2"
+  revision = "41344da2231b913fa3d983840a57a6b1b7b631a1"
+  version = "v1.12.0"
+
+[[projects]]
+  name = "gopkg.in/DataDog/dd-trace-go.v1"
+  packages = [
+    "ddtrace",
+    "ddtrace/ext",
+    "ddtrace/internal",
+    "ddtrace/opentracer",
+    "ddtrace/tracer"
+  ]
+  revision = "d052956664af54dbcff2712d10c67c76fbfc299f"
+  version = "v1.0.0"
 
 [[projects]]
   name = "gopkg.in/fsnotify.v1"
@@ -1679,6 +1755,6 @@
 [solve-meta]
   analyzer-name = "dep"
   analyzer-version = 1
-  inputs-digest = "ac06fad81167510635546d4e5500b938d61f2eb999bf04d5520d7967b9621f0d"
+  inputs-digest = "2b7ffb1d01d8a14224fcc9964900fb5a39fbf38cfacba45f49b931136e4fee9b"
   solver-name = "gps-cdcl"
   solver-version = 1

Gopkg.toml

@@ -46,7 +46,7 @@
 
 [[constraint]]
   name = "github.com/aws/aws-sdk-go"
-  version = "1.13.1"
+  version = "1.13.11"
 
 [[constraint]]
   branch = "master"
@@ -62,11 +62,11 @@
 
 [[constraint]]
   name = "github.com/containous/staert"
-  version = "3.1.0"
+  version = "3.1.1"
 
 [[constraint]]
   name = "github.com/containous/traefik-extra-service-fabric"
-  version = "1.1.5"
+  version = "1.3.0"
 
 [[constraint]]
   name = "github.com/coreos/go-systemd"
@@ -256,3 +256,11 @@
   non-go = true
   go-tests = true
   unused-packages = true
+
+[[constraint]]
+  name = "github.com/patrickmn/go-cache"
+  version = "2.1.0"
+
+[[constraint]]
+  name = "gopkg.in/DataDog/dd-trace-go.v1"
+  version = "1.0.0"

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all
+.PHONY: all docs-verify docs docs-clean docs-build
 
 TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
@@ -22,6 +22,7 @@ REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 TRAEFIK_DOC_IMAGE := traefik-docs
+TRAEFIK_DOC_VERIFY_IMAGE := $(TRAEFIK_DOC_IMAGE)-verify
 
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
@@ -94,11 +95,23 @@ image-dirty: binary ## build a docker traefik image
 image: clear-static binary ## clean up static directory and build a docker traefik image
 	docker build -t $(TRAEFIK_IMAGE) .
 
+docs-image:
+	docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
+
 docs: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs serve
 
-docs-image:
-	docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
+docs-build: site
+
+docs-verify: site
+	docker build -t $(TRAEFIK_DOC_VERIFY_IMAGE) ./script/docs-verify-docker-image ## Build Validator image
+	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOC_VERIFY_IMAGE) ## Check for dead links and w3c compliance
+
+site: docs-image
+	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs build
+
+docs-clean:
+	rm -rf $(CURDIR)/site
 
 clear-static:
 	rm -rf static

README.md

@@ -8,7 +8,7 @@
 [![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 
@@ -106,7 +106,7 @@ A collection of contributions around Træfik can be found at [https://awesome.tr
 ## Support
 
 To get community support, you can:
-- join the Træfik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+- join the Træfik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 - use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
 
 If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.

acme/account.go

@@ -25,6 +25,7 @@ type Account struct {
 	Email              string
 	Registration       *acme.RegistrationResource
 	PrivateKey         []byte
+	KeyType            acme.KeyType
 	DomainsCertificate DomainsCertificates
 	ChallengeCerts     map[string]*ChallengeCert
 	HTTPChallenge      map[string]map[string][]byte
@@ -70,7 +71,9 @@ func (a *Account) Init() error {
 }
 
 // NewAccount creates an account
-func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
+func NewAccount(email string, certs []*DomainsCertificate, keyTypeValue string) (*Account, error) {
+	keyType := acmeprovider.GetKeyType(keyTypeValue)
+
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
@@ -86,6 +89,7 @@ func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
 	return &Account{
 		Email:              email,
 		PrivateKey:         x509.MarshalPKCS1PrivateKey(privateKey),
+		KeyType:            keyType,
 		DomainsCertificate: DomainsCertificates{Certs: domainsCerts.Certs},
 		ChallengeCerts:     map[string]*ChallengeCert{}}, nil
 }
@@ -183,7 +187,7 @@ func (dc *DomainsCertificates) removeDuplicates() {
 }
 
 func (dc *DomainsCertificates) removeEmpty() {
-	certs := []*DomainsCertificate{}
+	var certs []*DomainsCertificate
 	for _, cert := range dc.Certs {
 		if cert.Certificate != nil && len(cert.Certificate.Certificate) > 0 && len(cert.Certificate.PrivateKey) > 0 {
 			certs = append(certs, cert)

acme/acme.go

@@ -22,7 +22,6 @@ import (
 	"github.com/containous/traefik/log"
 	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
 	"github.com/containous/traefik/version"
 	"github.com/eapache/channels"
@@ -48,15 +47,18 @@ type ACME struct {
 	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
 	CAServer              string                      `description:"CA server to use."`
 	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
+	KeyType               string                      `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
 	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
 	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
+	TLSChallenge          *acmeprovider.TLSChallenge  `description:"Activate TLS-ALPN-01 Challenge"`
 	DNSProvider           string                      `description:"(Deprecated) Activate DNS-01 Challenge"`                                                                    // Deprecated
 	DelayDontCheckDNS     flaeg.Duration              `description:"(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // Deprecated
 	ACMELogging           bool                        `description:"Enable debug logging of ACME actions."`
+	OverrideCertificates  bool                        `description:"Enable to override certificates in key-value store when using storeconfig"`
 	client                *acme.Client
-	defaultCertificate    *tls.Certificate
 	store                 cluster.Store
 	challengeHTTPProvider *challengeHTTPProvider
+	challengeTLSProvider  *challengeTLSProvider
 	checkOnDemandDomain   func(domain string) bool
 	jobs                  *channels.InfiniteChannel
 	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used"`
@@ -67,19 +69,11 @@ func (a *ACME) init() error {
 	acme.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
 
 	if a.ACMELogging {
-		legolog.Logger = fmtlog.New(log.WriterLevel(logrus.DebugLevel), "legolog: ", 0)
+		legolog.Logger = fmtlog.New(log.WriterLevel(logrus.InfoLevel), "legolog: ", 0)
 	} else {
 		legolog.Logger = fmtlog.New(ioutil.Discard, "", 0)
 	}
 
-	// no certificates in TLS config, so we add a default one
-	cert, err := generate.DefaultCertificate()
-	if err != nil {
-		return err
-	}
-
-	a.defaultCertificate = cert
-
 	a.jobs = channels.NewInfiniteChannel()
 	return nil
 }
@@ -118,14 +112,18 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 	if err != nil {
 		return err
 	}
+
 	if len(a.Storage) == 0 {
-		return errors.New("Empty Store, please provide a key for certs storage")
+		return errors.New("empty Store, please provide a key for certs storage")
 	}
+
 	a.checkOnDemandDomain = checkOnDemandDomain
 	a.dynamicCerts = certs
-	tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
+	a.challengeTLSProvider = &challengeTLSProvider{store: a.store}
+
 	tlsConfig.GetCertificate = a.getCertificate
 	a.TLSConfig = tlsConfig
+
 	listener := func(object cluster.Object) error {
 		account := object.(*Account)
 		account.Init()
@@ -196,7 +194,7 @@ func (a *ACME) leadershipListener(elected bool) error {
 				domainsCerts = account.DomainsCertificate
 			}
 
-			account, err = NewAccount(a.Email, domainsCerts.Certs)
+			account, err = NewAccount(a.Email, domainsCerts.Certs, a.KeyType)
 			if err != nil {
 				return err
 			}
@@ -236,6 +234,11 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 	domain := types.CanonicalDomain(clientHello.ServerName)
 	account := a.store.Get().(*Account)
 
+	if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok {
+		log.Debugf("ACME got challenge %s", domain)
+		return challengeCert, nil
+	}
+
 	if providedCertificate := a.getProvidedCertificate(domain); providedCertificate != nil {
 		return providedCertificate, nil
 	}
@@ -244,12 +247,14 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 		log.Debugf("ACME got domain cert %s", domain)
 		return domainCert.tlsCert, nil
 	}
+
 	if a.OnDemand {
 		if a.checkOnDemandDomain != nil && !a.checkOnDemandDomain(domain) {
 			return nil, nil
 		}
 		return a.loadCertificateOnDemand(clientHello)
 	}
+
 	log.Debugf("No certificate found or generated for %s", domain)
 	return nil, nil
 }
@@ -405,11 +410,13 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
 	}
-	client, err := acme.NewClient(caServer, account, acme.RSA4096)
+
+	client, err := acme.NewClient(caServer, account, account.KeyType)
 	if err != nil {
 		return nil, err
 	}
 
+	// DNS challenge
 	if a.DNSChallenge != nil && len(a.DNSChallenge.Provider) > 0 {
 		log.Debugf("Using DNS Challenge provider: %s", a.DNSChallenge.Provider)
 
@@ -424,21 +431,30 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 			return nil, err
 		}
 
-		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSALPN01})
 		err = client.SetChallengeProvider(acme.DNS01, provider)
-	} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
-		log.Debug("Using HTTP Challenge provider.")
-		client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
-		a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
-		err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
-	} else {
-		return nil, errors.New("ACME challenge not specified, please select HTTP or DNS Challenge")
+		return client, err
 	}
 
-	if err != nil {
-		return nil, err
+	// HTTP challenge
+	if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
+		log.Debug("Using HTTP Challenge provider.")
+
+		client.ExcludeChallenges([]acme.Challenge{acme.DNS01, acme.TLSALPN01})
+		a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
+		err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
+		return client, err
 	}
-	return client, nil
+
+	// TLS Challenge
+	if a.TLSChallenge != nil {
+		log.Debug("Using TLS Challenge provider.")
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
+		err = client.SetChallengeProvider(acme.TLSALPN01, a.challengeTLSProvider)
+		return client, err
+	}
+
+	return nil, errors.New("ACME challenge not specified, please select TLS or HTTP or DNS Challenge")
 }
 
 func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -624,7 +640,6 @@ func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 
 	certificate, err := a.client.ObtainCertificate(domains, bundle, nil, OSCPMustStaple)
 	if err != nil {
-		log.Error(err)
 		return nil, fmt.Errorf("cannot obtain certificates: %+v", err)
 	}
 

acme/challenge_http_provider.go

@@ -23,10 +23,12 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
 	log.Debugf("Looking for an existing ACME challenge for token %v...", token)
 	c.lock.RLock()
 	defer c.lock.RUnlock()
+
 	account := c.store.Get().(*Account)
 	if account.HTTPChallenge == nil {
 		return []byte{}
 	}
+
 	var result []byte
 	operation := func() error {
 		var ok bool
@@ -35,9 +37,11 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
 		}
 		return nil
 	}
+
 	notify := func(err error, time time.Duration) {
 		log.Errorf("Error getting challenge for token retrying in %s", time)
 	}
+
 	ebo := backoff.NewExponentialBackOff()
 	ebo.MaxElapsedTime = 60 * time.Second
 	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
@@ -52,18 +56,23 @@ func (c *challengeHTTPProvider) Present(domain, token, keyAuth string) error {
 	log.Debugf("Challenge Present %s", domain)
 	c.lock.Lock()
 	defer c.lock.Unlock()
+
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
+
 	account := object.(*Account)
 	if account.HTTPChallenge == nil {
 		account.HTTPChallenge = map[string]map[string][]byte{}
 	}
+
 	if _, ok := account.HTTPChallenge[token]; !ok {
 		account.HTTPChallenge[token] = map[string][]byte{}
 	}
+
 	account.HTTPChallenge[token][domain] = []byte(keyAuth)
+
 	return transaction.Commit(account)
 }
 
@@ -71,10 +80,12 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
 	log.Debugf("Challenge CleanUp %s", domain)
 	c.lock.Lock()
 	defer c.lock.Unlock()
+
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
+
 	account := object.(*Account)
 	if _, ok := account.HTTPChallenge[token]; ok {
 		if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
@@ -84,6 +95,7 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
 			delete(account.HTTPChallenge, token)
 		}
 	}
+
 	return transaction.Commit(account)
 }
 

acme/challenge_tls_provider.go

@@ -0,0 +1,127 @@
+package acme
+
+import (
+	"crypto/tls"
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/cenk/backoff"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	"github.com/xenolf/lego/acme"
+)
+
+var _ acme.ChallengeProviderTimeout = (*challengeTLSProvider)(nil)
+
+type challengeTLSProvider struct {
+	store cluster.Store
+	lock  sync.RWMutex
+}
+
+func (c *challengeTLSProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
+	log.Debugf("Looking for an existing ACME challenge for %s...", domain)
+
+	if !strings.HasSuffix(domain, ".acme.invalid") {
+		return nil, false
+	}
+
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	account := c.store.Get().(*Account)
+	if account.ChallengeCerts == nil {
+		return nil, false
+	}
+
+	account.Init()
+
+	var result *tls.Certificate
+	operation := func() error {
+		for _, cert := range account.ChallengeCerts {
+			for _, dns := range cert.certificate.Leaf.DNSNames {
+				if domain == dns {
+					result = cert.certificate
+					return nil
+				}
+			}
+		}
+		return fmt.Errorf("cannot find challenge cert for domain %s", domain)
+	}
+
+	notify := func(err error, time time.Duration) {
+		log.Errorf("Error getting cert: %v, retrying in %s", err, time)
+	}
+	ebo := backoff.NewExponentialBackOff()
+	ebo.MaxElapsedTime = 60 * time.Second
+
+	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
+	if err != nil {
+		log.Errorf("Error getting cert: %v", err)
+		return nil, false
+
+	}
+	return result, true
+}
+
+func (c *challengeTLSProvider) Present(domain, token, keyAuth string) error {
+	log.Debugf("Challenge Present %s", domain)
+
+	cert, err := tlsALPN01ChallengeCert(domain, keyAuth)
+	if err != nil {
+		return err
+	}
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
+	}
+
+	account := object.(*Account)
+	if account.ChallengeCerts == nil {
+		account.ChallengeCerts = map[string]*ChallengeCert{}
+	}
+	account.ChallengeCerts[domain] = cert
+
+	return transaction.Commit(account)
+}
+
+func (c *challengeTLSProvider) CleanUp(domain, token, keyAuth string) error {
+	log.Debugf("Challenge CleanUp %s", domain)
+
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
+	}
+
+	account := object.(*Account)
+	delete(account.ChallengeCerts, domain)
+
+	return transaction.Commit(account)
+}
+
+func (c *challengeTLSProvider) Timeout() (timeout, interval time.Duration) {
+	return 60 * time.Second, 5 * time.Second
+}
+
+func tlsALPN01ChallengeCert(domain, keyAuth string) (*ChallengeCert, error) {
+	tempCertPEM, rsaPrivPEM, err := acme.TLSALPNChallengeBlocks(domain, keyAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChallengeCert{Certificate: tempCertPEM, PrivateKey: rsaPrivPEM, certificate: &certificate}, nil
+}

acme/localStore.go

@@ -94,6 +94,7 @@ func ConvertToNewFormat(fileName string) {
 				PrivateKey:   account.PrivateKey,
 				Registration: account.Registration,
 				Email:        account.Email,
+				KeyType:      account.KeyType,
 			}
 
 			var newCertificates []*acme.Certificate
@@ -148,6 +149,7 @@ func FromNewToOldFormat(fileName string) (*Account, error) {
 			PrivateKey:         storeAccount.PrivateKey,
 			Registration:       storeAccount.Registration,
 			DomainsCertificate: DomainsCertificates{},
+			KeyType:            storeAccount.KeyType,
 		}
 	}
 

api/dashboard.go

@@ -4,15 +4,22 @@ import (
 	"net/http"
 
 	"github.com/containous/mux"
-	"github.com/containous/traefik/autogen/genstatic"
+	"github.com/containous/traefik/log"
 	"github.com/elazarl/go-bindata-assetfs"
 )
 
 // DashboardHandler expose dashboard routes
-type DashboardHandler struct{}
+type DashboardHandler struct {
+	Assets *assetfs.AssetFS
+}
 
 // AddRoutes add dashboard routes on a router
 func (g DashboardHandler) AddRoutes(router *mux.Router) {
+	if g.Assets == nil {
+		log.Error("No assets for dashboard")
+		return
+	}
+
 	// Expose dashboard
 	router.Methods(http.MethodGet).
 		Path("/").
@@ -28,5 +35,5 @@ func (g DashboardHandler) AddRoutes(router *mux.Router) {
 
 	router.Methods(http.MethodGet).
 		PathPrefix("/dashboard/").
-		Handler(http.StripPrefix("/dashboard/", http.FileServer(&assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"})))
+		Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets)))
 }

api/debug.go

@@ -38,6 +38,8 @@ func (g DebugHandler) AddRoutes(router *mux.Router) {
 			fmt.Fprint(w, "\n}\n")
 		})
 
+	runtime.SetBlockProfileRate(1)
+	runtime.SetMutexProfileFraction(5)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/cmdline").HandlerFunc(pprof.Cmdline)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/profile").HandlerFunc(pprof.Profile)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/symbol").HandlerFunc(pprof.Symbol)

api/handler.go

@@ -9,6 +9,7 @@ import (
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/containous/traefik/version"
+	"github.com/elazarl/go-bindata-assetfs"
 	thoas_stats "github.com/thoas/stats"
 	"github.com/unrolled/render"
 )
@@ -22,6 +23,7 @@ type Handler struct {
 	Statistics            *types.Statistics          `description:"Enable more detailed statistics" export:"true"`
 	Stats                 *thoas_stats.Stats         `json:"-"`
 	StatsRecorder         *middlewares.StatsRecorder `json:"-"`
+	DashboardAssets       *assetfs.AssetFS
 }
 
 var (
@@ -54,7 +56,7 @@ func (p Handler) AddRoutes(router *mux.Router) {
 	version.Handler{}.AddRoutes(router)
 
 	if p.Dashboard {
-		DashboardHandler{}.AddRoutes(router)
+		DashboardHandler{Assets: p.DashboardAssets}.AddRoutes(router)
 	}
 }
 

autogen/gentemplates/gen.go

@@ -164,9 +164,17 @@ var _templatesConsul_catalogTmpl = []byte(`[backends]
   {{ $healthCheck := getHealthCheck $service.TraefikLabels }}
   {{if $healthCheck }}
   [backends."backend-{{ $backendName }}".healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends."backend-{{ $backendName }}".healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $service.TraefikLabels }}
@@ -201,9 +209,49 @@ var _templatesConsul_catalogTmpl = []byte(`[backends]
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $service.TraefikLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $service.TraefikLabels }}
+
+    {{if $auth }}
+    [frontends."frontend-{{ $service.ServiceName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."frontend-{{ $service.ServiceName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."frontend-{{ $service.ServiceName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."frontend-{{ $service.ServiceName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."frontend-{{ $service.ServiceName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $service.TraefikLabels }}
     {{if $whitelist }}
@@ -255,6 +303,7 @@ var _templatesConsul_catalogTmpl = []byte(`[backends]
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -565,9 +614,17 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
   {{ $healthCheck := getHealthCheck $backend.SegmentLabels }}
   {{if $healthCheck }}
   [backends."backend-{{ $backendName }}".healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends."backend-{{ $backendName }}".healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $backend.SegmentLabels }}
@@ -602,9 +659,48 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $container.SegmentLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $container.SegmentLabels }}
+    {{if $auth }}
+    [frontends."frontend-{{ $frontendName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."frontend-{{ $frontendName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."frontend-{{ $frontendName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."frontend-{{ $frontendName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."frontend-{{ $frontendName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $container.SegmentLabels }}
     {{if $whitelist }}
@@ -656,6 +752,7 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -744,7 +841,7 @@ var _templatesEcsV1Tmpl = []byte(`[backends]
     {{end}}
 
     {{range $index, $i := $instances }}
-    [backends."backend-{{ $i.Name }}".servers."server-{{ $i.Name }}{{ $i.ID }}"]
+    [backends."backend-{{ $serviceName }}".servers."server-{{ $i.Name }}{{ $i.ID }}"]
       url = "{{ getProtocol $i }}://{{ getHost $i }}:{{ getPort $i }}"
       weight = {{ getWeight $i }}
     {{end}}
@@ -817,9 +914,17 @@ var _templatesEcsTmpl = []byte(`[backends]
   {{ $healthCheck := getHealthCheck $firstInstance.TraefikLabels }}
   {{if $healthCheck }}
   [backends."backend-{{ $serviceName }}".healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends."backend-{{ $serviceName }}".healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $firstInstance.TraefikLabels }}
@@ -854,9 +959,48 @@ var _templatesEcsTmpl = []byte(`[backends]
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $instance.TraefikLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $instance.TraefikLabels }}
+    {{if $auth }}
+    [frontends."frontend-{{ $serviceName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."frontend-{{ $serviceName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."frontend-{{ $serviceName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."frontend-{{ $serviceName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."frontend-{{ $serviceName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+         "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $instance.TraefikLabels }}
     {{if $whitelist }}
@@ -908,6 +1052,7 @@ var _templatesEcsTmpl = []byte(`[backends]
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -1072,9 +1217,42 @@ var _templatesKubernetesTmpl = []byte(`[backends]
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range $frontend.BasicAuth }}
-      "{{.}}",
-      {{end}}]
+    {{if $frontend.Auth }}
+    [frontends."{{ $frontendName }}".auth]
+      headerField = "X-WebAuth-User"
+
+      {{if $frontend.Auth.Basic }}
+      [frontends."{{ $frontendName }}".auth.basic]
+        removeHeader = {{$frontend.Auth.Basic.RemoveHeader}}
+        users = [{{range $frontend.Auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+      {{end}}
+
+      {{if $frontend.Auth.Digest }}
+      [frontends."{{ $frontendName }}".auth.digest]
+        removeHeader = {{$frontend.Auth.Digest.RemoveHeader}}
+        users = [{{range $frontend.Auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+      {{end}}
+
+      {{if $frontend.Auth.Forward }}
+        [frontends."{{ $frontendName }}".auth.forward]
+          address = "{{ $frontend.Auth.Forward.Address }}"
+          authResponseHeaders = [{{range $frontend.Auth.Forward.AuthResponseHeaders }}
+            "{{.}}",
+            {{end}}]
+          trustForwardHeader = {{ $frontend.Auth.Forward.TrustForwardHeader }}
+          {{if $frontend.Auth.Forward.TLS }}
+          [frontends."{{ $frontendName }}".auth.forward.tls]
+            cert = "{{ $frontend.Auth.Forward.TLS.Cert }}"
+            key = "{{ $frontend.Auth.Forward.TLS.Key }}"
+            insecureSkipVerify = {{ $frontend.Auth.Forward.TLS.InsecureSkipVerify }}
+          {{end}}
+      {{end}}
+
+    {{end}}
 
     {{if $frontend.WhiteList }}
     [frontends."{{ $frontendName }}".whiteList]
@@ -1121,6 +1299,7 @@ var _templatesKubernetesTmpl = []byte(`[backends]
     SSLRedirect = {{ $frontend.Headers.SSLRedirect }}
     SSLTemporaryRedirect = {{ $frontend.Headers.SSLTemporaryRedirect }}
     SSLHost = "{{ $frontend.Headers.SSLHost }}"
+    SSLForceHost = {{ $frontend.Headers.SSLForceHost }}
     STSSeconds = {{ $frontend.Headers.STSSeconds }}
     STSIncludeSubdomains = {{ $frontend.Headers.STSIncludeSubdomains }}
     STSPreload = {{ $frontend.Headers.STSPreload }}
@@ -1228,9 +1407,17 @@ var _templatesKvTmpl = []byte(`[backends]
   {{ $healthCheck := getHealthCheck $backend }}
   {{if $healthCheck }}
   [backends.{{ $backendName }}.healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends.{{ $backendName }}.healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $backend }}
@@ -1265,9 +1452,48 @@ var _templatesKvTmpl = []byte(`[backends]
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $frontend }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $frontend }}
+    {{if $auth }}
+    [frontends."{{ $frontendName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."{{ $frontendName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."{{ $frontendName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."{{ $frontendName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."{{ $frontendName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $frontend }}
     {{if $whitelist }}
@@ -1319,6 +1545,7 @@ var _templatesKvTmpl = []byte(`[backends]
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -1522,9 +1749,17 @@ var _templatesMarathonTmpl = []byte(`{{ $apps := .Applications }}
     {{ $healthCheck := getHealthCheck $app.SegmentLabels }}
     {{if $healthCheck }}
     [backends."{{ $backendName }}".healthCheck]
+      scheme = "{{ $healthCheck.Scheme }}"
       path = "{{ $healthCheck.Path }}"
       port = {{ $healthCheck.Port }}
       interval = "{{ $healthCheck.Interval }}"
+      hostname = "{{ $healthCheck.Hostname }}"
+      {{if $healthCheck.Headers }}
+      [backends.{{ $backendName }}.healthCheck.headers]
+        {{range $k, $v := $healthCheck.Headers }}
+        {{$k}} = "{{$v}}"
+        {{end}}
+      {{end}}
     {{end}}
 
     {{ $buffering := getBuffering $app.SegmentLabels }}
@@ -1559,9 +1794,48 @@ var _templatesMarathonTmpl = []byte(`{{ $apps := .Applications }}
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $app.SegmentLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $app.SegmentLabels }}
+    {{if $auth }}
+    [frontends."{{ $frontendName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."{{ $frontendName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."{{ $frontendName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."{{ $frontendName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."{{ $frontendName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $app.SegmentLabels }}
     {{if $whitelist }}
@@ -1613,6 +1887,7 @@ var _templatesMarathonTmpl = []byte(`{{ $apps := .Applications }}
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -1760,9 +2035,17 @@ var _templatesMesosTmpl = []byte(`[backends]
   {{ $healthCheck := getHealthCheck $app.TraefikLabels }}
   {{if $healthCheck }}
   [backends."backend-{{ $backendName }}".healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends."backend-{{ $backendName }}".healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $app.TraefikLabels }}
@@ -1797,10 +2080,49 @@ var _templatesMesosTmpl = []byte(`[backends]
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $app.TraefikLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $app.TraefikLabels }}
+    {{if $auth }}
+    [frontends."frontend-{{ $frontendName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
 
+      {{if $auth.Forward }}
+      [frontends."frontend-{{ $frontendName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."frontend-{{ $frontendName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."frontend-{{ $frontendName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader}}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."frontend-{{ $frontendName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader}}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
+          
     {{ $whitelist := getWhiteList $app.TraefikLabels }}
     {{if $whitelist }}
     [frontends."frontend-{{ $frontendName }}".whiteList]
@@ -1851,6 +2173,7 @@ var _templatesMesosTmpl = []byte(`[backends]
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}
@@ -2052,9 +2375,17 @@ var _templatesRancherTmpl = []byte(`{{ $backendServers := .Backends }}
   {{ $healthCheck := getHealthCheck $backend.SegmentLabels }}
   {{if $healthCheck }}
   [backends."backend-{{ $backendName }}".healthCheck]
+    scheme = "{{ $healthCheck.Scheme }}"
     path = "{{ $healthCheck.Path }}"
     port = {{ $healthCheck.Port }}
     interval = "{{ $healthCheck.Interval }}"
+    hostname = "{{ $healthCheck.Hostname }}"
+    {{if $healthCheck.Headers }}
+    [backends."backend-{{ $backendName }}".healthCheck.headers]
+      {{range $k, $v := $healthCheck.Headers }}
+      {{$k}} = "{{$v}}"
+      {{end}}
+    {{end}}
   {{end}}
 
   {{ $buffering := getBuffering $backend.SegmentLabels }}
@@ -2088,9 +2419,48 @@ var _templatesRancherTmpl = []byte(`{{ $backendServers := .Backends }}
       "{{.}}",
       {{end}}]
 
-    basicAuth = [{{range getBasicAuth $service.SegmentLabels }}
-      "{{.}}",
-      {{end}}]
+    {{ $auth := getAuth $service.SegmentLabels }}
+    {{if $auth }}
+    [frontends."frontend-{{ $frontendName }}".auth]
+      headerField = "{{ $auth.HeaderField }}"
+
+      {{if $auth.Forward }}
+      [frontends."frontend-{{ $frontendName }}".auth.forward]
+        address = "{{ $auth.Forward.Address }}"
+        trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }}
+
+        {{if $auth.Forward.TLS }}
+        [frontends."frontend-{{ $frontendName }}".auth.forward.tls]
+          ca = "{{ $auth.Forward.TLS.CA }}"
+          caOptional = {{ $auth.Forward.TLS.CAOptional }}
+          cert = "{{ $auth.Forward.TLS.Cert }}"
+          key = "{{ $auth.Forward.TLS.Key }}"
+          insecureSkipVerify = {{ $auth.Forward.TLS.InsecureSkipVerify }}
+        {{end}}
+      {{end}}
+
+      {{if $auth.Basic }}
+      [frontends."frontend-{{ $frontendName }}".auth.basic]
+        removeHeader = {{ $auth.Basic.RemoveHeader }}
+        {{if $auth.Basic.Users }}
+        users = [{{range $auth.Basic.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Basic.UsersFile }}"
+      {{end}}
+
+      {{if $auth.Digest }}
+      [frontends."frontend-{{ $frontendName }}".auth.digest]
+        removeHeader = {{ $auth.Digest.RemoveHeader }}
+        {{if $auth.Digest.Users }}
+        users = [{{range $auth.Digest.Users }}
+          "{{.}}",
+          {{end}}]
+        {{end}}
+        usersFile = "{{ $auth.Digest.UsersFile }}"
+      {{end}}
+    {{end}}
 
     {{ $whitelist := getWhiteList $service.SegmentLabels }}
     {{if $whitelist }}
@@ -2142,6 +2512,7 @@ var _templatesRancherTmpl = []byte(`{{ $backendServers := .Backends }}
       SSLRedirect = {{ $headers.SSLRedirect }}
       SSLTemporaryRedirect = {{ $headers.SSLTemporaryRedirect }}
       SSLHost = "{{ $headers.SSLHost }}"
+      SSLForceHost = {{ $headers.SSLForceHost }}
       STSSeconds = {{ $headers.STSSeconds }}
       STSIncludeSubdomains = {{ $headers.STSIncludeSubdomains }}
       STSPreload = {{ $headers.STSPreload }}

cluster/datastore.go

@@ -152,7 +152,7 @@ func (d *Datastore) Begin() (Transaction, Object, error) {
 	operation := func() error {
 		meta := d.get()
 		if meta.Lock != id {
-			return fmt.Errorf("Object lock value: expected %s, got %s", id, meta.Lock)
+			return fmt.Errorf("object lock value: expected %s, got %s", id, meta.Lock)
 		}
 		return nil
 	}
@@ -167,7 +167,7 @@ func (d *Datastore) Begin() (Transaction, Object, error) {
 	ebo.MaxElapsedTime = 60 * time.Second
 	err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 	if err != nil {
-		return nil, nil, fmt.Errorf("Datastore cannot sync: %v", err)
+		return nil, nil, fmt.Errorf("datastore cannot sync: %v", err)
 	}
 
 	// we synced with KV store, we can now return Setter
@@ -224,12 +224,12 @@ func (s *datastoreTransaction) Commit(object Object) error {
 	s.localLock.Lock()
 	defer s.localLock.Unlock()
 	if s.dirty {
-		return fmt.Errorf("Transaction already used, please begin a new one")
+		return fmt.Errorf("transaction already used, please begin a new one")
 	}
 	s.Datastore.meta.object = object
 	err := s.Datastore.meta.Marshall()
 	if err != nil {
-		return fmt.Errorf("Marshall error: %s", err)
+		return fmt.Errorf("marshall error: %s", err)
 	}
 	err = s.kv.StoreConfig(s.Datastore.meta)
 	if err != nil {
@@ -238,7 +238,7 @@ func (s *datastoreTransaction) Commit(object Object) error {
 
 	err = s.remoteLock.Unlock()
 	if err != nil {
-		return fmt.Errorf("Unlock error: %s", err)
+		return fmt.Errorf("unlock error: %s", err)
 	}
 
 	s.dirty = true

cluster/leadership.go

@@ -14,6 +14,8 @@ import (
 	"github.com/unrolled/render"
 )
 
+const clusterLeaderKeySuffix = "/leader"
+
 var templatesRenderer = render.New(render.Options{
 	Directory: "nowhere",
 })
@@ -32,7 +34,7 @@ func NewLeadership(ctx context.Context, cluster *types.Cluster) *Leadership {
 	return &Leadership{
 		Pool:      safe.NewPool(ctx),
 		Cluster:   cluster,
-		candidate: leadership.NewCandidate(cluster.Store, cluster.Store.Prefix+"/leader", cluster.Node, 20*time.Second),
+		candidate: leadership.NewCandidate(cluster.Store, cluster.Store.Prefix+clusterLeaderKeySuffix, cluster.Node, 20*time.Second),
 		listeners: []LeaderListener{},
 		leader:    safe.New(false),
 	}
@@ -106,11 +108,19 @@ func (l *Leadership) onElection(elected bool) {
 }
 
 type leaderResponse struct {
-	Leader bool `json:"leader"`
+	Leader     bool   `json:"leader"`
+	LeaderNode string `json:"leader_node"`
 }
 
 func (l *Leadership) getLeaderHandler(response http.ResponseWriter, request *http.Request) {
-	leader := &leaderResponse{Leader: l.IsLeader()}
+	leaderNode := ""
+	leaderKv, err := l.Cluster.Store.Get(l.Cluster.Store.Prefix+clusterLeaderKeySuffix, nil)
+	if err != nil {
+		log.Error(err)
+	} else {
+		leaderNode = string(leaderKv.Value)
+	}
+	leader := &leaderResponse{Leader: l.IsLeader(), LeaderNode: leaderNode}
 
 	status := http.StatusOK
 	if !leader.Leader {
@@ -118,7 +128,7 @@ func (l *Leadership) getLeaderHandler(response http.ResponseWriter, request *htt
 		status = http.StatusTooManyRequests
 	}
 
-	err := templatesRenderer.JSON(response, status, leader)
+	err = templatesRenderer.JSON(response, status, leader)
 	if err != nil {
 		log.Error(err)
 	}

cmd/bug/bug.go

@@ -23,7 +23,7 @@ The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, refer to one of the following:
 
 - Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://traefik.herokuapp.com
+- the Traefik community Slack channel: https://slack.traefik.io
 
 -->
 
@@ -31,7 +31,7 @@ For end-user related support questions, refer to one of the following:
 
 (If you intend to ask a support question: **DO NOT FILE AN ISSUE**.
 Use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik)
-or [Slack](https://traefik.herokuapp.com) instead.)
+or [Slack](https://slack.traefik.io) instead.)
 
 
 
@@ -88,7 +88,7 @@ Add more configuration information here.
 // NewCmd builds a new Bug command
 func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
 
-	//version Command init
+	// version Command init
 	return &flaeg.Command{
 		Name:                  "bug",
 		Description:           `Report an issue on Traefik bugtracker`,

cmd/configuration.go

@@ -78,6 +78,7 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		},
 		InfluxDB: &types.InfluxDB{
 			Address:      "localhost:8089",
+			Protocol:     "udp",
 			PushInterval: "10s",
 		},
 	}
@@ -88,7 +89,9 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
 	defaultMarathon.ExposedByDefault = true
 	defaultMarathon.Constraints = types.Constraints{}
-	defaultMarathon.DialerTimeout = flaeg.Duration(60 * time.Second)
+	defaultMarathon.DialerTimeout = flaeg.Duration(5 * time.Second)
+	defaultMarathon.ResponseHeaderTimeout = flaeg.Duration(60 * time.Second)
+	defaultMarathon.TLSHandshakeTimeout = flaeg.Duration(5 * time.Second)
 	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
 
 	// default Consul
@@ -105,6 +108,7 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 	defaultConsulCatalog.Constraints = types.Constraints{}
 	defaultConsulCatalog.Prefix = "traefik"
 	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
+	defaultConsulCatalog.Stale = false
 
 	// default Etcd
 	var defaultEtcd etcd.Provider
@@ -260,10 +264,17 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		},
 		InfluxDB: &types.InfluxDB{
 			Address:      "localhost:8089",
+			Protocol:     "udp",
 			PushInterval: "10s",
 		},
 	}
 
+	defaultResolver := configuration.HostResolverConfig{
+		CnameFlattening: false,
+		ResolvConfig:    "/etc/resolv.conf",
+		ResolvDepth:     5,
+	}
+
 	defaultConfiguration := configuration.GlobalConfiguration{
 		Docker:             &defaultDocker,
 		File:               &defaultFile,
@@ -292,6 +303,7 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 		API:                &defaultAPI,
 		Metrics:            &defaultMetrics,
 		Tracing:            &defaultTracing,
+		HostResolver:       &defaultResolver,
 	}
 
 	return &TraefikConfiguration{

cmd/storeconfig/storeconfig.go

@@ -85,21 +85,26 @@ func Run(kv *staert.KvSource, traefikConfiguration *cmd.TraefikConfiguration) fu
 				}
 			}
 
-			// Store the ACME Account into the KV Store
-			meta := cluster.NewMetadata(account)
-			err = meta.Marshall()
-			if err != nil {
-				return err
-			}
+			// Check to see if ACME account object is already in kv store
+			if traefikConfiguration.GlobalConfiguration.ACME.OverrideCertificates {
 
-			source := staert.KvSource{
-				Store:  kv,
-				Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
-			}
+				// Store the ACME Account into the KV Store
+				// Certificates in KV Store will be overridden
+				meta := cluster.NewMetadata(account)
+				err = meta.Marshall()
+				if err != nil {
+					return err
+				}
 
-			err = source.StoreConfig(meta)
-			if err != nil {
-				return err
+				source := staert.KvSource{
+					Store:  kv,
+					Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
+				}
+
+				err = source.StoreConfig(meta)
+				if err != nil {
+					return err
+				}
 			}
 
 			// Force to delete storagefile

cmd/traefik/traefik.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
+	"github.com/containous/traefik/autogen/genstatic"
 	"github.com/containous/traefik/cmd"
 	"github.com/containous/traefik/cmd/bug"
 	"github.com/containous/traefik/cmd/healthcheck"
@@ -21,9 +22,9 @@ import (
 	cmdVersion "github.com/containous/traefik/cmd/version"
 	"github.com/containous/traefik/collector"
 	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/configuration/router"
 	"github.com/containous/traefik/job"
 	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/provider/ecs"
 	"github.com/containous/traefik/provider/kubernetes"
 	"github.com/containous/traefik/safe"
@@ -33,6 +34,7 @@ import (
 	"github.com/containous/traefik/types"
 	"github.com/containous/traefik/version"
 	"github.com/coreos/go-systemd/daemon"
+	"github.com/elazarl/go-bindata-assetfs"
 	"github.com/ogier/pflag"
 	"github.com/sirupsen/logrus"
 	"github.com/vulcand/oxy/roundrobin"
@@ -163,6 +165,10 @@ func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile s
 	globalConfiguration.SetEffectiveConfiguration(configFile)
 	globalConfiguration.ValidateConfiguration()
 
+	if globalConfiguration.API != nil && globalConfiguration.API.Dashboard {
+		globalConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
+	}
+
 	jsonConf, _ := json.Marshal(globalConfiguration)
 	log.Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
 
@@ -173,16 +179,60 @@ func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile s
 	stats(globalConfiguration)
 
 	log.Debugf("Global configuration loaded %s", string(jsonConf))
-	if acme.IsEnabled() {
-		store := acme.NewLocalStore(acme.Get().Storage)
-		acme.Get().Store = &store
+
+	providerAggregator := configuration.NewProviderAggregator(globalConfiguration)
+
+	acmeprovider := globalConfiguration.InitACMEProvider()
+	if acmeprovider != nil {
+		err := providerAggregator.AddProvider(acmeprovider)
+		if err != nil {
+			log.Errorf("Error initializing provider ACME: %v", err)
+			acmeprovider = nil
+		}
 	}
-	svr := server.NewServer(*globalConfiguration, configuration.NewProviderAggregator(globalConfiguration))
-	if acme.IsEnabled() && acme.Get().OnHostRule {
-		acme.Get().SetConfigListenerChan(make(chan types.Configuration))
-		svr.AddListener(acme.Get().ListenConfiguration)
+
+	entryPoints := map[string]server.EntryPoint{}
+	for entryPointName, config := range globalConfiguration.EntryPoints {
+
+		entryPoint := server.EntryPoint{
+			Configuration: config,
+		}
+
+		internalRouter := router.NewInternalRouterAggregator(*globalConfiguration, entryPointName)
+		if acmeprovider != nil {
+			if acmeprovider.HTTPChallenge != nil && acmeprovider.HTTPChallenge.EntryPoint == entryPointName {
+				internalRouter.AddRouter(acmeprovider)
+			}
+
+			// TLS ALPN 01
+			if acmeprovider.HTTPChallenge == nil && acmeprovider.DNSChallenge == nil && acmeprovider.TLSChallenge != nil {
+				entryPoint.TLSALPNGetter = acmeprovider.GetTLSALPNCertificate
+			}
+
+			if acmeprovider.EntryPoint == entryPointName && acmeprovider.OnDemand {
+				entryPoint.OnDemandListener = acmeprovider.ListenRequest
+			}
+
+			entryPoint.CertificateStore = traefiktls.NewCertificateStore()
+			acmeprovider.SetCertificateStore(entryPoint.CertificateStore)
+
+		}
+
+		entryPoint.InternalRouter = internalRouter
+		entryPoints[entryPointName] = entryPoint
+	}
+
+	svr := server.NewServer(*globalConfiguration, providerAggregator, entryPoints)
+	if acmeprovider != nil && acmeprovider.OnHostRule {
+		acmeprovider.SetConfigListenerChan(make(chan types.Configuration))
+		svr.AddListener(acmeprovider.ListenConfiguration)
 	}
 	ctx := cmd.ContextWithSignal(context.Background())
+
+	if globalConfiguration.Ping != nil {
+		globalConfiguration.Ping.WithContext(ctx)
+	}
+
 	svr.StartWithContext(ctx)
 	defer svr.Close()
 

configuration/configuration.go

@@ -58,19 +58,19 @@ const (
 // GlobalConfiguration holds global configuration (with providers, etc.).
 // It's populated from the traefik configuration file passed as an argument to the binary.
 type GlobalConfiguration struct {
-	LifeCycle                 *LifeCycle              `description:"Timeouts influencing the server life cycle" export:"true"`
-	GraceTimeOut              flaeg.Duration          `short:"g" description:"(Deprecated) Duration to give active requests a chance to finish before Traefik stops" export:"true"` // Deprecated
-	Debug                     bool                    `short:"d" description:"Enable debug mode" export:"true"`
-	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released" export:"true"`
-	SendAnonymousUsage        bool                    `description:"send periodically anonymous usage statistics" export:"true"`
-	AccessLogsFile            string                  `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
-	AccessLog                 *types.AccessLog        `description:"Access log settings" export:"true"`
-	TraefikLogsFile           string                  `description:"(Deprecated) Traefik logs file. Stdout is used when omitted or empty" export:"true"` // Deprecated
-	TraefikLog                *types.TraefikLog       `description:"Traefik log settings" export:"true"`
-	Tracing                   *tracing.Tracing        `description:"OpenTracing configuration" export:"true"`
-	LogLevel                  string                  `short:"l" description:"Log level" export:"true"`
-	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
-	Cluster                   *types.Cluster          `description:"Enable clustering" export:"true"`
+	LifeCycle                 *LifeCycle        `description:"Timeouts influencing the server life cycle" export:"true"`
+	GraceTimeOut              flaeg.Duration    `short:"g" description:"(Deprecated) Duration to give active requests a chance to finish before Traefik stops" export:"true"` // Deprecated
+	Debug                     bool              `short:"d" description:"Enable debug mode" export:"true"`
+	CheckNewVersion           bool              `description:"Periodically check if a new version has been released" export:"true"`
+	SendAnonymousUsage        bool              `description:"send periodically anonymous usage statistics" export:"true"`
+	AccessLogsFile            string            `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
+	AccessLog                 *types.AccessLog  `description:"Access log settings" export:"true"`
+	TraefikLogsFile           string            `description:"(Deprecated) Traefik logs file. Stdout is used when omitted or empty" export:"true"` // Deprecated
+	TraefikLog                *types.TraefikLog `description:"Traefik log settings" export:"true"`
+	Tracing                   *tracing.Tracing  `description:"OpenTracing configuration" export:"true"`
+	LogLevel                  string            `short:"l" description:"Log level" export:"true"`
+	EntryPoints               EntryPoints       `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
+	Cluster                   *types.Cluster
 	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags" export:"true"`
 	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL" export:"true"`
 	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint" export:"true"`
@@ -104,6 +104,7 @@ type GlobalConfiguration struct {
 	API                       *api.Handler            `description:"Enable api/dashboard" export:"true"`
 	Metrics                   *types.Metrics          `description:"Enable a metrics exporter" export:"true"`
 	Ping                      *ping.Handler           `description:"Enable ping" export:"true"`
+	HostResolver              *HostResolverConfig     `description:"Enable CNAME Flattening" export:"true"`
 }
 
 // WebCompatibility is a configuration to handle compatibility with deprecated web provider options
@@ -360,6 +361,16 @@ func (gc *GlobalConfiguration) initACMEProvider() {
 			gc.ACME.HTTPChallenge = nil
 		}
 
+		if gc.ACME.DNSChallenge != nil && gc.ACME.TLSChallenge != nil {
+			log.Warn("Unable to use DNS challenge and TLS challenge at the same time. Fallback to DNS challenge.")
+			gc.ACME.TLSChallenge = nil
+		}
+
+		if gc.ACME.HTTPChallenge != nil && gc.ACME.TLSChallenge != nil {
+			log.Warn("Unable to use HTTP challenge and TLS challenge at the same time. Fallback to TLS challenge.")
+			gc.ACME.HTTPChallenge = nil
+		}
+
 		// TODO: to remove in the future
 		if len(gc.ACME.StorageFile) > 0 && len(gc.ACME.Storage) == 0 {
 			log.Warn("ACME.StorageFile is deprecated, use ACME.Storage instead")
@@ -374,25 +385,39 @@ func (gc *GlobalConfiguration) initACMEProvider() {
 		if gc.ACME.OnDemand {
 			log.Warn("ACME.OnDemand is deprecated")
 		}
+	}
+}
 
+// InitACMEProvider create an acme provider from the ACME part of globalConfiguration
+func (gc *GlobalConfiguration) InitACMEProvider() *acmeprovider.Provider {
+	if gc.ACME != nil {
 		// TODO: Remove when Provider ACME will replace totally ACME
 		// If provider file, use Provider ACME instead of ACME
 		if gc.Cluster == nil {
-			acmeprovider.Get().Configuration = &acmeprovider.Configuration{
+			provider := &acmeprovider.Provider{}
+			provider.Configuration = &acmeprovider.Configuration{
+				KeyType:       gc.ACME.KeyType,
 				OnHostRule:    gc.ACME.OnHostRule,
 				OnDemand:      gc.ACME.OnDemand,
 				Email:         gc.ACME.Email,
 				Storage:       gc.ACME.Storage,
 				HTTPChallenge: gc.ACME.HTTPChallenge,
 				DNSChallenge:  gc.ACME.DNSChallenge,
+				TLSChallenge:  gc.ACME.TLSChallenge,
 				Domains:       gc.ACME.Domains,
 				ACMELogging:   gc.ACME.ACMELogging,
 				CAServer:      gc.ACME.CAServer,
 				EntryPoint:    gc.ACME.EntryPoint,
 			}
+
+			store := acmeprovider.NewLocalStore(provider.Storage)
+			provider.Store = store
+			acme.ConvertToNewFormat(provider.Storage)
 			gc.ACME = nil
+			return provider
 		}
 	}
+	return nil
 }
 
 func getSafeACMECAServer(caServerSrc string) string {
@@ -425,14 +450,6 @@ func (gc *GlobalConfiguration) ValidateConfiguration() {
 				log.Fatalf("Entrypoint %q has no TLS configuration for ACME configuration", gc.ACME.EntryPoint)
 			}
 		}
-	} else if acmeprovider.IsEnabled() {
-		if _, ok := gc.EntryPoints[acmeprovider.Get().EntryPoint]; !ok {
-			log.Fatalf("Unknown entrypoint %q for provider ACME configuration", acmeprovider.Get().EntryPoint)
-		} else {
-			if gc.EntryPoints[acmeprovider.Get().EntryPoint].TLS == nil {
-				log.Fatalf("Entrypoint %q has no TLS configuration for provider ACME configuration", acmeprovider.Get().EntryPoint)
-			}
-		}
 	}
 }
 
@@ -503,3 +520,10 @@ type LifeCycle struct {
 	RequestAcceptGraceTimeout flaeg.Duration `description:"Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure"`
 	GraceTimeOut              flaeg.Duration `description:"Duration to give active requests a chance to finish before Traefik stops"`
 }
+
+// HostResolverConfig contain configuration for CNAME Flattening
+type HostResolverConfig struct {
+	CnameFlattening bool   `description:"A flag to enable/disable CNAME flattening" export:"true"`
+	ResolvConfig    string `description:"resolv.conf used for DNS resolving" export:"true"`
+	ResolvDepth     int    `description:"The maximal depth of DNS recursive resolving" export:"true"`
+}

configuration/configuration_test.go

@@ -58,7 +58,6 @@ func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
 			gc.SetEffectiveConfiguration(defaultConfigFile)
 
 			assert.Equal(t, test.wantGraceTimeout, time.Duration(gc.LifeCycle.GraceTimeOut))
-
 		})
 	}
 }

configuration/entrypoints.go

@@ -106,14 +106,16 @@ func makeEntryPointAuth(result map[string]string) *types.Auth {
 	var basic *types.Basic
 	if v, ok := result["auth_basic_users"]; ok {
 		basic = &types.Basic{
-			Users: strings.Split(v, ","),
+			Users:        strings.Split(v, ","),
+			RemoveHeader: toBool(result, "auth_basic_removeheader"),
 		}
 	}
 
 	var digest *types.Digest
 	if v, ok := result["auth_digest_users"]; ok {
 		digest = &types.Digest{
-			Users: strings.Split(v, ","),
+			Users:        strings.Split(v, ","),
+			RemoveHeader: toBool(result, "auth_digest_removeheader"),
 		}
 	}
 
@@ -135,10 +137,16 @@ func makeEntryPointAuth(result map[string]string) *types.Auth {
 			}
 		}
 
+		var authResponseHeaders []string
+		if v, ok := result["auth_forward_authresponseheaders"]; ok {
+			authResponseHeaders = strings.Split(v, ",")
+		}
+
 		forward = &types.Forward{
-			Address:            address,
-			TLS:                clientTLS,
-			TrustForwardHeader: toBool(result, "auth_forward_trustforwardheader"),
+			Address:             address,
+			TLS:                 clientTLS,
+			TrustForwardHeader:  toBool(result, "auth_forward_trustforwardheader"),
+			AuthResponseHeaders: authResponseHeaders,
 		}
 	}
 
@@ -224,12 +232,33 @@ func makeEntryPointTLS(result map[string]string) (*tls.TLS, error) {
 		}
 	}
 
-	if len(result["ca"]) > 0 {
-		files := strings.Split(result["ca"], ",")
-		optional := toBool(result, "ca_optional")
-		configTLS.ClientCA = tls.ClientCA{
-			Files:    files,
-			Optional: optional,
+	if configTLS != nil {
+		if len(result["ca"]) > 0 {
+			files := strings.Split(result["ca"], ",")
+			optional := toBool(result, "ca_optional")
+			configTLS.ClientCA = tls.ClientCA{
+				Files:    files,
+				Optional: optional,
+			}
+		}
+
+		if len(result["tls_minversion"]) > 0 {
+			configTLS.MinVersion = result["tls_minversion"]
+		}
+
+		if len(result["tls_ciphersuites"]) > 0 {
+			configTLS.CipherSuites = strings.Split(result["tls_ciphersuites"], ",")
+		}
+
+		if len(result["tls_snistrict"]) > 0 {
+			configTLS.SniStrict = toBool(result, "tls_snistrict")
+		}
+
+		if len(result["tls_defaultcertificate_cert"]) > 0 && len(result["tls_defaultcertificate_key"]) > 0 {
+			configTLS.DefaultCertificate = &tls.Certificate{
+				CertFile: tls.FileOrContent(result["tls_defaultcertificate_cert"]),
+				KeyFile:  tls.FileOrContent(result["tls_defaultcertificate_key"]),
+			}
 		}
 	}
 

configuration/entrypoints_test.go

@@ -21,6 +21,8 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"Address::8000 " +
 				"TLS:goo,gii " +
 				"TLS " +
+				"TLS.MinVersion:VersionTLS11 " +
+				"TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
 				"CA:car " +
 				"CA.Optional:true " +
 				"Redirect.EntryPoint:https " +
@@ -31,9 +33,12 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
 				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
 				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
+				"Auth.Basic.RemoveHeader:true " +
 				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
+				"Auth.Digest.RemoveHeader:true " +
 				"Auth.HeaderField:X-WebAuth-User " +
 				"Auth.Forward.Address:https://authserver.com/auth " +
+				"Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret " +
 				"Auth.Forward.TrustForwardHeader:true " +
 				"Auth.Forward.TLS.CA:path/to/local.crt " +
 				"Auth.Forward.TLS.CAOptional:true " +
@@ -46,8 +51,11 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 			expectedResult: map[string]string{
 				"address":                             ":8000",
 				"auth_basic_users":                    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+				"auth_basic_removeheader":             "true",
 				"auth_digest_users":                   "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+				"auth_digest_removeheader":            "true",
 				"auth_forward_address":                "https://authserver.com/auth",
+				"auth_forward_authresponseheaders":    "X-Auth,X-Test,X-Secret",
 				"auth_forward_tls_ca":                 "path/to/local.crt",
 				"auth_forward_tls_caoptional":         "true",
 				"auth_forward_tls_cert":               "path/to/foo.cert",
@@ -67,6 +75,8 @@ func Test_parseEntryPointsConfiguration(t *testing.T) {
 				"redirect_replacement":     "http://mydomain/$1",
 				"tls":                        "goo,gii",
 				"tls_acme":                   "TLS",
+				"tls_ciphersuites":           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+				"tls_minversion":             "VersionTLS11",
 				"whitelistsourcerange":       "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
 				"whitelist_sourcerange":      "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
 				"whitelist_usexforwardedfor": "true",
@@ -172,6 +182,8 @@ func TestEntryPoints_Set(t *testing.T) {
 				"Address::8000 " +
 				"TLS:goo,gii;foo,fii " +
 				"TLS " +
+				"TLS.MinVersion:VersionTLS11 " +
+				"TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
 				"CA:car " +
 				"CA.Optional:true " +
 				"Redirect.EntryPoint:https " +
@@ -182,9 +194,12 @@ func TestEntryPoints_Set(t *testing.T) {
 				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
 				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
 				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
+				"Auth.Basic.RemoveHeader:true " +
 				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
+				"Auth.Digest.RemoveHeader:true " +
 				"Auth.HeaderField:X-WebAuth-User " +
 				"Auth.Forward.Address:https://authserver.com/auth " +
+				"Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret " +
 				"Auth.Forward.TrustForwardHeader:true " +
 				"Auth.Forward.TLS.CA:path/to/local.crt " +
 				"Auth.Forward.TLS.CAOptional:true " +
@@ -198,6 +213,8 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPoint: &EntryPoint{
 				Address: ":8000",
 				TLS: &tls.TLS{
+					MinVersion:   "VersionTLS11",
+					CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
 					Certificates: tls.Certificates{
 						{
 							CertFile: tls.FileOrContent("goo"),
@@ -221,19 +238,22 @@ func TestEntryPoints_Set(t *testing.T) {
 				},
 				Auth: &types.Auth{
 					Basic: &types.Basic{
+						RemoveHeader: true,
 						Users: types.Users{
 							"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
 							"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
 						},
 					},
 					Digest: &types.Digest{
+						RemoveHeader: true,
 						Users: types.Users{
 							"test:traefik:a2688e031edb4be6a3797f3882655c05",
 							"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
 						},
 					},
 					Forward: &types.Forward{
-						Address: "https://authserver.com/auth",
+						Address:             "https://authserver.com/auth",
+						AuthResponseHeaders: []string{"X-Auth", "X-Test", "X-Secret"},
 						TLS: &types.ClientTLS{
 							CA:                 "path/to/local.crt",
 							CAOptional:         true,
@@ -278,6 +298,8 @@ func TestEntryPoints_Set(t *testing.T) {
 				"address::8000 " +
 				"tls:goo,gii;foo,fii " +
 				"tls " +
+				"tls.minversion:VersionTLS11 " +
+				"tls.ciphersuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
 				"ca:car " +
 				"ca.Optional:true " +
 				"redirect.entryPoint:https " +
@@ -292,6 +314,7 @@ func TestEntryPoints_Set(t *testing.T) {
 				"auth.digest.users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
 				"auth.headerField:X-WebAuth-User " +
 				"auth.forward.address:https://authserver.com/auth " +
+				"auth.forward.authResponseHeaders:X-Auth,X-Test,X-Secret " +
 				"auth.forward.trustForwardHeader:true " +
 				"auth.forward.tls.ca:path/to/local.crt " +
 				"auth.forward.tls.caOptional:true " +
@@ -302,6 +325,8 @@ func TestEntryPoints_Set(t *testing.T) {
 			expectedEntryPoint: &EntryPoint{
 				Address: ":8000",
 				TLS: &tls.TLS{
+					MinVersion:   "VersionTLS11",
+					CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
 					Certificates: tls.Certificates{
 						{
 							CertFile: tls.FileOrContent("goo"),
@@ -337,7 +362,8 @@ func TestEntryPoints_Set(t *testing.T) {
 						},
 					},
 					Forward: &types.Forward{
-						Address: "https://authserver.com/auth",
+						Address:             "https://authserver.com/auth",
+						AuthResponseHeaders: []string{"X-Auth", "X-Test", "X-Secret"},
 						TLS: &types.ClientTLS{
 							CA:                 "path/to/local.crt",
 							CAOptional:         true,

configuration/provider_aggregator.go

@@ -2,94 +2,110 @@ package configuration
 
 import (
 	"encoding/json"
-	"reflect"
 
-	"github.com/containous/traefik/acme"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider"
-	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 )
 
-type providerAggregator struct {
-	providers []provider.Provider
+// ProviderAggregator aggregate providers
+type ProviderAggregator struct {
+	providers   []provider.Provider
+	constraints types.Constraints
 }
 
 // NewProviderAggregator return an aggregate of all the providers configured in GlobalConfiguration
-func NewProviderAggregator(gc *GlobalConfiguration) provider.Provider {
-	provider := providerAggregator{}
+func NewProviderAggregator(gc *GlobalConfiguration) ProviderAggregator {
+	provider := ProviderAggregator{
+		constraints: gc.Constraints,
+	}
 	if gc.Docker != nil {
-		provider.providers = append(provider.providers, gc.Docker)
+		provider.quietAddProvider(gc.Docker)
 	}
 	if gc.Marathon != nil {
-		provider.providers = append(provider.providers, gc.Marathon)
+		provider.quietAddProvider(gc.Marathon)
 	}
 	if gc.File != nil {
-		provider.providers = append(provider.providers, gc.File)
+		provider.quietAddProvider(gc.File)
 	}
 	if gc.Rest != nil {
-		provider.providers = append(provider.providers, gc.Rest)
+		provider.quietAddProvider(gc.Rest)
 	}
 	if gc.Consul != nil {
-		provider.providers = append(provider.providers, gc.Consul)
+		provider.quietAddProvider(gc.Consul)
 	}
 	if gc.ConsulCatalog != nil {
-		provider.providers = append(provider.providers, gc.ConsulCatalog)
+		provider.quietAddProvider(gc.ConsulCatalog)
 	}
 	if gc.Etcd != nil {
-		provider.providers = append(provider.providers, gc.Etcd)
+		provider.quietAddProvider(gc.Etcd)
 	}
 	if gc.Zookeeper != nil {
-		provider.providers = append(provider.providers, gc.Zookeeper)
+		provider.quietAddProvider(gc.Zookeeper)
 	}
 	if gc.Boltdb != nil {
-		provider.providers = append(provider.providers, gc.Boltdb)
+		provider.quietAddProvider(gc.Boltdb)
 	}
 	if gc.Kubernetes != nil {
-		provider.providers = append(provider.providers, gc.Kubernetes)
+		provider.quietAddProvider(gc.Kubernetes)
 	}
 	if gc.Mesos != nil {
-		provider.providers = append(provider.providers, gc.Mesos)
+		provider.quietAddProvider(gc.Mesos)
 	}
 	if gc.Eureka != nil {
-		provider.providers = append(provider.providers, gc.Eureka)
+		provider.quietAddProvider(gc.Eureka)
 	}
 	if gc.ECS != nil {
-		provider.providers = append(provider.providers, gc.ECS)
+		provider.quietAddProvider(gc.ECS)
 	}
 	if gc.Rancher != nil {
-		provider.providers = append(provider.providers, gc.Rancher)
+		provider.quietAddProvider(gc.Rancher)
 	}
 	if gc.DynamoDB != nil {
-		provider.providers = append(provider.providers, gc.DynamoDB)
+		provider.quietAddProvider(gc.DynamoDB)
 	}
 	if gc.ServiceFabric != nil {
-		provider.providers = append(provider.providers, gc.ServiceFabric)
-	}
-	if acmeprovider.IsEnabled() {
-		provider.providers = append(provider.providers, acmeprovider.Get())
-		acme.ConvertToNewFormat(acmeprovider.Get().Storage)
-	}
-	if len(provider.providers) == 1 {
-		return provider.providers[0]
+		provider.quietAddProvider(gc.ServiceFabric)
 	}
 	return provider
 }
 
-func (p providerAggregator) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints types.Constraints) error {
+func (p *ProviderAggregator) quietAddProvider(provider provider.Provider) {
+	err := p.AddProvider(provider)
+	if err != nil {
+		log.Errorf("Error initializing provider %T: %v", provider, err)
+	}
+}
+
+// AddProvider add a provider in the providers map
+func (p *ProviderAggregator) AddProvider(provider provider.Provider) error {
+	err := provider.Init(p.constraints)
+	if err != nil {
+		return err
+	}
+	p.providers = append(p.providers, provider)
+	return nil
+}
+
+// Init the provider
+func (p ProviderAggregator) Init(_ types.Constraints) error {
+	return nil
+}
+
+// Provide call the provide method of every providers
+func (p ProviderAggregator) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool) error {
 	for _, p := range p.providers {
-		providerType := reflect.TypeOf(p)
 		jsonConf, err := json.Marshal(p)
 		if err != nil {
-			log.Debugf("Unable to marshal provider conf %v with error: %v", providerType, err)
+			log.Debugf("Unable to marshal provider conf %T with error: %v", p, err)
 		}
-		log.Infof("Starting provider %v %s", providerType, jsonConf)
+		log.Infof("Starting provider %T %s", p, jsonConf)
 		currentProvider := p
 		safe.Go(func() {
-			err := currentProvider.Provide(configurationChan, pool, constraints)
+			err := currentProvider.Provide(configurationChan, pool)
 			if err != nil {
-				log.Errorf("Error starting provider %v: %s", providerType, err)
+				log.Errorf("Error starting provider %T: %v", p, err)
 			}
 		})
 	}

configuration/router/internal_router.go

@@ -0,0 +1,132 @@
+package router
+
+import (
+	"github.com/containous/mux"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/metrics"
+	"github.com/containous/traefik/middlewares"
+	mauth "github.com/containous/traefik/middlewares/auth"
+	"github.com/containous/traefik/types"
+	"github.com/urfave/negroni"
+)
+
+// NewInternalRouterAggregator Create a new internalRouterAggregator
+func NewInternalRouterAggregator(globalConfiguration configuration.GlobalConfiguration, entryPointName string) *InternalRouterAggregator {
+	var serverMiddlewares []negroni.Handler
+
+	if globalConfiguration.EntryPoints[entryPointName].WhiteList != nil {
+		ipWhitelistMiddleware, err := middlewares.NewIPWhiteLister(
+			globalConfiguration.EntryPoints[entryPointName].WhiteList.SourceRange,
+			globalConfiguration.EntryPoints[entryPointName].WhiteList.UseXForwardedFor)
+		if err != nil {
+			log.Fatalf("Error creating whitelist middleware: %s", err)
+		}
+		if ipWhitelistMiddleware != nil {
+			serverMiddlewares = append(serverMiddlewares, ipWhitelistMiddleware)
+		}
+	}
+
+	if globalConfiguration.EntryPoints[entryPointName].Auth != nil {
+		authMiddleware, err := mauth.NewAuthenticator(globalConfiguration.EntryPoints[entryPointName].Auth, nil)
+		if err != nil {
+			log.Fatalf("Error creating authenticator middleware: %s", err)
+		}
+		serverMiddlewares = append(serverMiddlewares, authMiddleware)
+	}
+
+	router := InternalRouterAggregator{}
+	routerWithPrefix := InternalRouterAggregator{}
+	routerWithPrefixAndMiddleware := InternalRouterAggregator{}
+
+	if globalConfiguration.Metrics != nil && globalConfiguration.Metrics.Prometheus != nil && globalConfiguration.Metrics.Prometheus.EntryPoint == entryPointName {
+		routerWithPrefixAndMiddleware.AddRouter(metrics.PrometheusHandler{})
+	}
+
+	if globalConfiguration.Rest != nil && globalConfiguration.Rest.EntryPoint == entryPointName {
+		routerWithPrefixAndMiddleware.AddRouter(globalConfiguration.Rest)
+	}
+
+	if globalConfiguration.API != nil && globalConfiguration.API.EntryPoint == entryPointName {
+		routerWithPrefixAndMiddleware.AddRouter(globalConfiguration.API)
+	}
+
+	if globalConfiguration.Ping != nil && globalConfiguration.Ping.EntryPoint == entryPointName {
+		routerWithPrefix.AddRouter(globalConfiguration.Ping)
+	}
+
+	if globalConfiguration.ACME != nil && globalConfiguration.ACME.HTTPChallenge != nil && globalConfiguration.ACME.HTTPChallenge.EntryPoint == entryPointName {
+		router.AddRouter(globalConfiguration.ACME)
+	}
+
+	realRouterWithMiddleware := WithMiddleware{router: &routerWithPrefixAndMiddleware, routerMiddlewares: serverMiddlewares}
+	if globalConfiguration.Web != nil && globalConfiguration.Web.Path != "" {
+		router.AddRouter(&WithPrefix{PathPrefix: globalConfiguration.Web.Path, Router: &routerWithPrefix})
+		router.AddRouter(&WithPrefix{PathPrefix: globalConfiguration.Web.Path, Router: &realRouterWithMiddleware})
+	} else {
+		router.AddRouter(&routerWithPrefix)
+		router.AddRouter(&realRouterWithMiddleware)
+	}
+
+	return &router
+}
+
+// WithMiddleware router with internal middleware
+type WithMiddleware struct {
+	router            types.InternalRouter
+	routerMiddlewares []negroni.Handler
+}
+
+// AddRoutes Add routes to the router
+func (wm *WithMiddleware) AddRoutes(systemRouter *mux.Router) {
+	realRouter := systemRouter.PathPrefix("/").Subrouter()
+
+	wm.router.AddRoutes(realRouter)
+
+	if len(wm.routerMiddlewares) > 0 {
+		realRouter.Walk(wrapRoute(wm.routerMiddlewares))
+	}
+}
+
+// WithPrefix router which add a prefix
+type WithPrefix struct {
+	Router     types.InternalRouter
+	PathPrefix string
+}
+
+// AddRoutes Add routes to the router
+func (wp *WithPrefix) AddRoutes(systemRouter *mux.Router) {
+	realRouter := systemRouter.PathPrefix("/").Subrouter()
+	if wp.PathPrefix != "" {
+		realRouter = systemRouter.PathPrefix(wp.PathPrefix).Subrouter()
+		realRouter.StrictSlash(true)
+		realRouter.SkipClean(true)
+	}
+	wp.Router.AddRoutes(realRouter)
+}
+
+// InternalRouterAggregator InternalRouter that aggregate other internalRouter
+type InternalRouterAggregator struct {
+	internalRouters []types.InternalRouter
+}
+
+// AddRouter add a router in the aggregator
+func (r *InternalRouterAggregator) AddRouter(router types.InternalRouter) {
+	r.internalRouters = append(r.internalRouters, router)
+}
+
+// AddRoutes Add routes to the router
+func (r *InternalRouterAggregator) AddRoutes(systemRouter *mux.Router) {
+	for _, router := range r.internalRouters {
+		router.AddRoutes(systemRouter)
+	}
+}
+
+// wrapRoute with middlewares
+func wrapRoute(middlewares []negroni.Handler) func(*mux.Route, *mux.Router, []*mux.Route) error {
+	return func(route *mux.Route, router *mux.Router, ancestors []*mux.Route) error {
+		middles := append(middlewares, negroni.Wrap(route.GetHandler()))
+		route.Handler(negroni.New(middles...))
+		return nil
+	}
+}

configuration/router/internal_router_test.go

@@ -0,0 +1,346 @@
+package router
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/containous/mux"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/api"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/ping"
+	acmeprovider "github.com/containous/traefik/provider/acme"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/urfave/negroni"
+)
+
+func TestNewInternalRouterAggregatorWithWebPath(t *testing.T) {
+	currentConfiguration := &safe.Safe{}
+	currentConfiguration.Set(types.Configurations{})
+
+	globalConfiguration := configuration.GlobalConfiguration{
+		Web: &configuration.WebCompatibility{
+			Path: "/prefix",
+		},
+		API: &api.Handler{
+			EntryPoint:            "traefik",
+			CurrentConfigurations: currentConfiguration,
+		},
+		Ping: &ping.Handler{
+			EntryPoint: "traefik",
+		},
+		ACME: &acme.ACME{
+			HTTPChallenge: &acmeprovider.HTTPChallenge{
+				EntryPoint: "traefik",
+			},
+		},
+		EntryPoints: configuration.EntryPoints{
+			"traefik": &configuration.EntryPoint{},
+		},
+	}
+
+	testCases := []struct {
+		desc               string
+		testedURL          string
+		expectedStatusCode int
+	}{
+		{
+			desc:               "Ping without prefix",
+			testedURL:          "/ping",
+			expectedStatusCode: 502,
+		},
+		{
+			desc:               "Ping with prefix",
+			testedURL:          "/prefix/ping",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "acme without prefix",
+			testedURL:          "/.well-known/acme-challenge/token",
+			expectedStatusCode: 404,
+		},
+		{
+			desc:               "api without prefix",
+			testedURL:          "/api",
+			expectedStatusCode: 502,
+		},
+		{
+			desc:               "api with prefix",
+			testedURL:          "/prefix/api",
+			expectedStatusCode: 200,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
+
+			internalMuxRouter := mux.NewRouter()
+			router.AddRoutes(internalMuxRouter)
+			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusBadGateway)
+			})
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
+			internalMuxRouter.ServeHTTP(recorder, request)
+
+			assert.Equal(t, test.expectedStatusCode, recorder.Code)
+		})
+	}
+}
+
+func TestNewInternalRouterAggregatorWithAuth(t *testing.T) {
+	currentConfiguration := &safe.Safe{}
+	currentConfiguration.Set(types.Configurations{})
+
+	globalConfiguration := configuration.GlobalConfiguration{
+		API: &api.Handler{
+			EntryPoint:            "traefik",
+			CurrentConfigurations: currentConfiguration,
+		},
+		Ping: &ping.Handler{
+			EntryPoint: "traefik",
+		},
+		ACME: &acme.ACME{
+			HTTPChallenge: &acmeprovider.HTTPChallenge{
+				EntryPoint: "traefik",
+			},
+		},
+		EntryPoints: configuration.EntryPoints{
+			"traefik": &configuration.EntryPoint{
+				Auth: &types.Auth{
+					Basic: &types.Basic{
+						Users: types.Users{"test:test"},
+					},
+				},
+			},
+		},
+	}
+
+	testCases := []struct {
+		desc               string
+		testedURL          string
+		expectedStatusCode int
+	}{
+		{
+			desc:               "Wrong url",
+			testedURL:          "/wrong",
+			expectedStatusCode: 502,
+		},
+		{
+			desc:               "Ping without auth",
+			testedURL:          "/ping",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "acme without auth",
+			testedURL:          "/.well-known/acme-challenge/token",
+			expectedStatusCode: 404,
+		},
+		{
+			desc:               "api with auth",
+			testedURL:          "/api",
+			expectedStatusCode: 401,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
+
+			internalMuxRouter := mux.NewRouter()
+			router.AddRoutes(internalMuxRouter)
+			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusBadGateway)
+			})
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
+			internalMuxRouter.ServeHTTP(recorder, request)
+
+			assert.Equal(t, test.expectedStatusCode, recorder.Code)
+		})
+	}
+}
+
+func TestNewInternalRouterAggregatorWithAuthAndPrefix(t *testing.T) {
+	currentConfiguration := &safe.Safe{}
+	currentConfiguration.Set(types.Configurations{})
+
+	globalConfiguration := configuration.GlobalConfiguration{
+		Web: &configuration.WebCompatibility{
+			Path: "/prefix",
+		},
+		API: &api.Handler{
+			EntryPoint:            "traefik",
+			CurrentConfigurations: currentConfiguration,
+		},
+		Ping: &ping.Handler{
+			EntryPoint: "traefik",
+		},
+		ACME: &acme.ACME{
+			HTTPChallenge: &acmeprovider.HTTPChallenge{
+				EntryPoint: "traefik",
+			},
+		},
+		EntryPoints: configuration.EntryPoints{
+			"traefik": &configuration.EntryPoint{
+				Auth: &types.Auth{
+					Basic: &types.Basic{
+						Users: types.Users{"test:test"},
+					},
+				},
+			},
+		},
+	}
+
+	testCases := []struct {
+		desc               string
+		testedURL          string
+		expectedStatusCode int
+	}{
+		{
+			desc:               "Ping without prefix",
+			testedURL:          "/ping",
+			expectedStatusCode: 502,
+		},
+		{
+			desc:               "Ping without auth and with prefix",
+			testedURL:          "/prefix/ping",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "acme without auth and without prefix",
+			testedURL:          "/.well-known/acme-challenge/token",
+			expectedStatusCode: 404,
+		},
+		{
+			desc:               "api with auth and prefix",
+			testedURL:          "/prefix/api",
+			expectedStatusCode: 401,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
+
+			internalMuxRouter := mux.NewRouter()
+			router.AddRoutes(internalMuxRouter)
+			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusBadGateway)
+			})
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
+			internalMuxRouter.ServeHTTP(recorder, request)
+
+			assert.Equal(t, test.expectedStatusCode, recorder.Code)
+		})
+	}
+}
+
+type MockInternalRouterFunc func(systemRouter *mux.Router)
+
+func (m MockInternalRouterFunc) AddRoutes(systemRouter *mux.Router) {
+	m(systemRouter)
+}
+
+func TestWithMiddleware(t *testing.T) {
+	router := WithMiddleware{
+		router: MockInternalRouterFunc(func(systemRouter *mux.Router) {
+			systemRouter.Handle("/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.Write([]byte("router"))
+			}))
+		}),
+		routerMiddlewares: []negroni.Handler{
+			negroni.HandlerFunc(func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+				rw.Write([]byte("before middleware1|"))
+				next.ServeHTTP(rw, r)
+				rw.Write([]byte("|after middleware1"))
+
+			}),
+			negroni.HandlerFunc(func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+				rw.Write([]byte("before middleware2|"))
+				next.ServeHTTP(rw, r)
+				rw.Write([]byte("|after middleware2"))
+			}),
+		},
+	}
+
+	internalMuxRouter := mux.NewRouter()
+	router.AddRoutes(internalMuxRouter)
+
+	recorder := httptest.NewRecorder()
+	request := httptest.NewRequest(http.MethodGet, "/test", nil)
+	internalMuxRouter.ServeHTTP(recorder, request)
+
+	obtained := recorder.Body.String()
+
+	assert.Equal(t, "before middleware1|before middleware2|router|after middleware2|after middleware1", obtained)
+}
+
+func TestWithPrefix(t *testing.T) {
+	testCases := []struct {
+		desc               string
+		prefix             string
+		testedURL          string
+		expectedStatusCode int
+	}{
+		{
+			desc:               "No prefix",
+			testedURL:          "/test",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "With prefix and wrong url",
+			prefix:             "/prefix",
+			testedURL:          "/test",
+			expectedStatusCode: 404,
+		},
+		{
+			desc:               "With prefix",
+			prefix:             "/prefix",
+			testedURL:          "/prefix/test",
+			expectedStatusCode: 200,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			router := WithPrefix{
+				Router: MockInternalRouterFunc(func(systemRouter *mux.Router) {
+					systemRouter.Handle("/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+						w.WriteHeader(http.StatusOK)
+					}))
+				}),
+
+				PathPrefix: test.prefix,
+			}
+			internalMuxRouter := mux.NewRouter()
+			router.AddRoutes(internalMuxRouter)
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
+			internalMuxRouter.ServeHTTP(recorder, request)
+
+			assert.Equal(t, test.expectedStatusCode, recorder.Code)
+		})
+	}
+}

docs.Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine
+FROM alpine:3.7
 
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
 
 COPY requirements.txt /mkdocs/
 WORKDIR /mkdocs
+VOLUME /mkdocs
 
-RUN apk --update upgrade \
-&& apk --no-cache --no-progress add py-pip \
-&& rm -rf /var/cache/apk/* \
-&& pip install --user -r requirements.txt
+RUN apk --no-cache --no-progress add py-pip \
+  && pip install --user -r requirements.txt

docs/basics.md

@@ -345,16 +345,22 @@ Here is an example of backends and servers definition:
   [backends.backend2]
     # ...
     [backends.backend2.servers.server1]
-    url = "http://172.17.0.4:80"
+    url = "https://172.17.0.4:443"
     weight = 1
     [backends.backend2.servers.server2]
-    url = "http://172.17.0.5:80"
+    url = "https://172.17.0.5:443"
     weight = 2
+  [backends.backend3]
+    # ...
+    [backends.backend3.servers.server1]
+    url = "h2c://172.17.0.6:80"
+    weight = 1
 ```
 
 - Two backends are defined: `backend1` and `backend2`
-- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1`.
-- `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2`.
+- `backend1` will forward the traffic to two servers: `172.17.0.2:80` with weight `10` and `172.17.0.3:80` with weight `1`.
+- `backend2` will forward the traffic to two servers: `172.17.0.4:443` with weight `1` and `172.17.0.5:443` with weight `2` both using TLS.
+- `backend3` will forward the traffic to: `172.17.0.6:80` with weight `1` using HTTP2 without TLS.
 
 #### Load-balancing
 
@@ -454,13 +460,12 @@ The deprecated way:
 
 #### Health Check
 
-A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `200 OK` to HTTP GET requests periodically carried out by Traefik.  
+A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `2xx` or `3xx` to HTTP GET requests periodically carried out by Traefik.  
 The check is defined by a path appended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
 Each backend must respond to the health check within 5 seconds.  
 By default, the port of the backend server is used, however, this may be overridden.
 
-A recovering backend returning 200 OK responses again is being returned to the
-LB rotation pool.
+A recovering backend returning `2xx` or `3xx` responses again is being returned to the LB rotation pool.
 
 For example:
 ```toml
@@ -471,7 +476,7 @@ For example:
     interval = "10s"
 ```
 
-To use a different port for the healthcheck:
+To use a different port for the health check:
 ```toml
 [backends]
   [backends.backend1]
@@ -481,6 +486,31 @@ To use a different port for the healthcheck:
     port = 8080
 ```
 
+
+To use a different scheme for the health check:
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.healthcheck]
+    path = "/health"
+    interval = "10s"
+    scheme = "http"
+```
+
+Additional http headers and hostname to health check request can be specified, for instance:
+```toml
+[backends]
+  [backends.backend1]
+    [backends.backend1.healthcheck]
+    path = "/health"
+    interval = "10s"
+    hostname = "myhost.com"
+    port = 8080
+      [backends.backend1.healthcheck.headers]
+      My-Custom-Header = "foo"
+      My-Header = "bar"
+```
+
 ## Configuration
 
 Træfik's configuration has two parts:

docs/configuration/acme.md

@@ -63,6 +63,13 @@ entryPoint = "https"
 #
 # acmeLogging = true
 
+# If true, override certificates in key-value store when using storeconfig.
+#
+# Optional
+# Default: false
+#
+# overrideCertificates = true
+
 # Deprecated. Enable on demand certificate generation.
 #
 # Optional
@@ -86,6 +93,15 @@ entryPoint = "https"
 #
 # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+# KeyType to use.
+#
+# Optional
+# Default: "RSA4096"
+#
+# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+#
+# KeyType = "RSA4096"
+
 # Domains list.
 # Only domains defined here can generate wildcard certificates.
 #
@@ -146,7 +162,63 @@ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # ...
 ```
 
-### `dnsChallenge`
+### ACME Challenge
+
+#### TLS Challenge
+
+Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
+
+```toml
+[acme]
+# ...
+entryPoint = "https"
+[acme.tlsChallenge]
+```
+
+#### `httpChallenge`
+
+Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI.
+
+Redirection is fully compatible with the `HTTP-01` challenge.
+
+```toml
+[acme]
+# ...
+entryPoint = "https"
+[acme.httpChallenge]
+  entryPoint = "http"
+```
+
+!!! note
+    If the `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through port 80.
+    This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+
+##### `entryPoint`
+
+Specify the entryPoint to use during the challenges.
+
+```toml
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+# ...
+
+[acme]
+  # ...
+  entryPoint = "https"
+  [acme.httpChallenge]
+    entryPoint = "http"
+```
+
+!!! note
+    `acme.httpChallenge.entryPoint` has to be reachable through port 80. It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+
+#### `dnsChallenge`
 
 Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
 
@@ -159,7 +231,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 # ...
 ```
 
-#### `delayBeforeCheck`
+##### `delayBeforeCheck`
 
 By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.
 If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds.
@@ -169,7 +241,7 @@ Useful if internal networks block external DNS queries.
 !!! note
     A `provider` is mandatory.
 
-#### `provider`
+##### `provider`
 
 Here is a list of supported `provider`s, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](/configuration/acme/#wildcard-domains) for each. Do not hesitate to complete it.
 
@@ -187,10 +259,10 @@ Here is a list of supported `provider`s, that can automate the DNS verification,
 | [Duck DNS](https://www.duckdns.org/)                   | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                             | Not tested yet                 |
 | [Dyn](https://dyn.com)                                 | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                        | Not tested yet                 |
 | External Program                                       | `exec`         | `EXEC_PATH`                                                                                                                 | Not tested yet                 |
-| [Exoscale](https://www.exoscale.ch)                    | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                              | YES                 |
+| [Exoscale](https://www.exoscale.ch)                    | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                              | YES                            |
 | [Fast DNS](https://www.akamai.com/)                    | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                      | Not tested yet                 |
 | [Gandi](https://www.gandi.net)                         | `gandi`        | `GANDI_API_KEY`                                                                                                             | Not tested yet                 |
-| [Gandi V5](http://doc.livedns.gandi.net)               | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                           | Not tested yet                 |
+| [Gandi V5](http://doc.livedns.gandi.net)               | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                           | YES                            |
 | [Glesys](https://glesys.com/)                          | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                        | Not tested yet                 |
 | [GoDaddy](https://godaddy.com/domains)                 | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                     | Not tested yet                 |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud`       | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE`                                                                                   | YES                            |
@@ -199,6 +271,7 @@ Here is a list of supported `provider`s, that can automate the DNS verification,
 | manual                                                 | -              | none, but you need to run Træfik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.       | YES                            |
 | [Namecheap](https://www.namecheap.com)                 | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                   | Not tested yet                 |
 | [name.com](https://www.name.com/)                      | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                   | Not tested yet                 |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)    | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                      | Not tested yet                 |
 | [Ns1](https://ns1.com/)                                | `ns1`          | `NS1_API_KEY`                                                                                                               | Not tested yet                 |
 | [Open Telekom Cloud](https://cloud.telekom.de/en/)     | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                             | Not tested yet                 |
 | [OVH](https://www.ovh.com)                             | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                         | YES                            |
@@ -206,8 +279,11 @@ Here is a list of supported `provider`s, that can automate the DNS verification,
 | [Rackspace](https://www.rackspace.com/cloud/dns)       | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                       | Not tested yet                 |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)         | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                   | Not tested yet                 |
 | [Route 53](https://aws.amazon.com/route53/)            | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_HOSTED_ZONE_ID` or a configured user/instance IAM profile. | YES                            |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)            | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                               | Not tested yet                 |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)        | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                | Not tested yet                 |
 | [VULTR](https://www.vultr.com)                         | `vultr`        | `VULTR_API_KEY`                                                                                                             | Not tested yet                 |
 
+
 ### `domains`
 
 You can provide SANs (alternative domains) to each main domain.
@@ -256,49 +332,6 @@ Eventhough this behaviour is [DNS RFC](https://community.letsencrypt.org/t/wildc
 The Træfik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue.
 The [`provider` table](/configuration/acme/#provider) indicates if they allow generating certificates for a wildcard domain and its root domain.
 
-### `httpChallenge`
-
-Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI.
-
-Redirection is fully compatible with the `HTTP-01` challenge.
-
-```toml
-[acme]
-# ...
-entryPoint = "https"
-[acme.httpChallenge]
-  entryPoint = "http"
-```
-
-!!! note
-    If the `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through port 80.
-    This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
-
-#### `entryPoint`
-
-Specify the entryPoint to use during the challenges.
-
-```toml
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.tls]
-# ...
-
-[acme]
-  # ...
-  entryPoint = "https"
-  [acme.httpChallenge]
-    entryPoint = "http"
-```
-
-!!! note
-    `acme.httpChallenge.entryPoint` has to be reachable through port 80. It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
-
 ### `onDemand` (Deprecated)
 
 !!! danger "DEPRECATED"
@@ -338,7 +371,7 @@ For example, the rule `Host:test1.traefik.io,test2.traefik.io` will request a ce
 
 !!! warning
     `onHostRule` option can not be used to generate wildcard certificates.
-    Refer to [wildcard generation](/configuration/acme/#wildcard-domain) for further information.
+    Refer to [wildcard generation](/configuration/acme/#wildcard-domains) for further information.
 
 ### `storage`
 

docs/configuration/api.md

@@ -21,7 +21,7 @@
 
   # Enable debug mode.
   # This will install HTTP handlers to expose Go expvars under /debug/vars and
-  # pprof profiling data under /debug/pprof.
+  # pprof profiling data under /debug/pprof/.
   # Additionally, the log level will be set to DEBUG.
   #
   # Optional
@@ -30,7 +30,7 @@
   debug = true
 ```
 
-For more customization, see [entry points](/configuration/entrypoints/) documentation and [examples](/user-guide/examples/#ping-health-check).
+For more customization, see [entry points](/configuration/entrypoints/) documentation and the examples below.
 
 ## Web UI
 

docs/configuration/backends/consulcatalog.md

@@ -24,6 +24,13 @@ endpoint = "127.0.0.1:8500"
 #
 exposedByDefault = false
 
+# Allow Consul server to serve the catalog reads regardless of whether it is the leader.
+#
+# Optional
+# Default: false
+#
+stale = false
+
 # Default domain used.
 #
 # Optional
@@ -87,45 +94,62 @@ Additional settings can be defined using Consul Catalog tags.
 !!! note
     The default prefix is `traefik`.
 
-| Label                                                       | Description                                                                                                                                                                                                            |
-|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `<prefix>.enable=false`                                     | Disable this container in Træfik.                                                                                                                                                                                      |
-| `<prefix>.protocol=https`                                   | Override the default `http` protocol.                                                                                                                                                                                  |
-| `<prefix>.weight=10`                                        | Assign this weight to the container.                                                                                                                                                                                   |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.retryExpression=EXPR`            | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `<prefix>.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.`                                                                                                           |
-| `<prefix>.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
-| `<prefix>.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
-| `<prefix>.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                      |
-| `<prefix>.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm.                                                                                                                                                                    |
-| `<prefix>.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions.                                                                                                                                                                                        |
-| `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions.                                                                                                                                                                      |
-| `<prefix>.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions. (DEPRECATED)                                                                                                                                                                           |
-| `<prefix>.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
-| `<prefix>.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
-| `<prefix>.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
-| `<prefix>.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
-| `<prefix>.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `<prefix>.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `<prefix>.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `<prefix>.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
-| `<prefix>.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
-| `<prefix>.frontend.priority=10`                             | Override default frontend priority.                                                                                                                                                                                    |
-| `<prefix>.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `<prefix>.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                                                                                                                                 |
-| `<prefix>.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
-| `<prefix>.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
-| `<prefix>.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
-| `<prefix>.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`.                                                                                                                                      |
-| `<prefix>.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `<prefix>.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+| Label                                                       | Description                                                                                                                                                                                                                   |
+|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `<prefix>.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                            |
+| `<prefix>.protocol=https`                                   | Overrides the default `http` protocol.                                                                                                                                                                                        |
+| `<prefix>.weight=10`                                        | Assigns this weight to the container.                                                                                                                                                                                         |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memRequestBodyBytes=0`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memResponseBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.retryExpression=EXPR`            | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `<prefix>.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.`                                                                                                                 |
+| `<prefix>.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
+| `<prefix>.backend.healthcheck.interval=1s`                  | Defines the health check interval.                                                                                                                                                                                            |
+| `<prefix>.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                   |
+| `traefik.backend.healthcheck.scheme=http`                   | Overrides the server URL scheme.                                                                                                                                                                                              |
+| `<prefix>.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                            |
+| `<prefix>.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
+| `<prefix>.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm.                                                                                                                                                                          |
+| `<prefix>.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions.                                                                                                                                                                                              |
+| `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie name manually for sticky sessions.                                                                                                                                                                            |
+| `<prefix>.backend.loadbalancer.sticky=true`                 | Enables backend sticky sessions. (DEPRECATED)                                                                                                                                                                                 |
+| `<prefix>.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
+| `<prefix>.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
+| `<prefix>.frontend.auth.basic=EXPR`                         | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
+| `<prefix>.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `<prefix>.frontend.auth.basic.users=EXPR`                   | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
+| `<prefix>.frontend.auth.basic.usersfile=/path/.htpasswd`    | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
+| `<prefix>.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `<prefix>.frontend.auth.digest.users=EXPR`                  | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
+| `<prefix>.frontend.auth.digest.usersfile=/path/.htdigest`   | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `<prefix>.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                    |
+| `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
+| `<prefix>.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
+| `<prefix>.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `<prefix>.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
+| `<prefix>.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `<prefix>.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
+| `<prefix>.frontend.auth.headerField=X-WebAuth-User`         | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
+| `<prefix>.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
+| `<prefix>.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `<prefix>.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `<prefix>.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `<prefix>.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
+| `<prefix>.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
+| `<prefix>.frontend.priority=10`                             | Overrides default frontend priority.                                                                                                                                                                                          |
+| `<prefix>.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `<prefix>.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `<prefix>.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS).                                                                                                                                                         |
+| `<prefix>.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
+| `<prefix>.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
+| `<prefix>.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                   |
+| `<prefix>.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`.                                                                                                                                            |
+| `<prefix>.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `<prefix>.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
 
 ### Custom Headers
 
@@ -159,11 +183,13 @@ Additional settings can be defined using Consul Catalog tags.
 | `<prefix>.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `<prefix>.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `<prefix>.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `<prefix>.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `<prefix>.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `<prefix>.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `<prefix>.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `<prefix>.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
 
+	
 ### Examples
 
 If you want that Træfik uses Consul tags correctly you need to defined them like that:

docs/configuration/backends/docker.md

@@ -71,6 +71,13 @@ usebindportip = true
 #
 swarmMode = false
 
+# Define a default docker network to use for connections to all containers.
+# Can be overridden by the traefik.docker.network label.
+#
+# Optional
+#
+network = "web"
+
 # Enable docker TLS connection.
 #
 # Optional
@@ -125,6 +132,13 @@ watch = true
 #
 swarmMode = true
 
+# Define a default docker network to use for connections to all containers.
+# Can be overridden by the traefik.docker.network label.
+#
+# Optional
+#
+network = "web"
+
 # Override default configuration template.
 # For advanced users :)
 #
@@ -193,60 +207,79 @@ services:
 
 Labels can be used on containers to override default behavior.
 
-| Label                                                      | Description                                                                                                                                                                                                               |
-|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.docker.network`                                   | Set the docker network to use for connections to this container. [1]                                                                                                                                                      |
-| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                   |
-| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                          |
-| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                    |
-| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                      |
-| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                       |
-| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                          |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
-| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
-| `traefik.backend.loadbalancer.swarm=true`                  | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                       |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash` [2]                                                                                                                                      |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
-| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                               |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |
+| Label                                                      | Description                                                                                                                                                                                                                      |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.docker.network`                                   | Overrides the default docker network to use for connections to the container. [1]                                                                                                                                                |
+| `traefik.domain`                                           | Sets the default domain for the frontend rules.                                                                                                                                                                                  |
+| `traefik.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                               |
+| `traefik.port=80`                                          | Registers this port. Useful when the container exposes multiples ports.                                                                                                                                                          |
+| `traefik.protocol=https`                                   | Overrides the default `http` protocol                                                                                                                                                                                            |
+| `traefik.weight=10`                                        | Assigns this weight to the container                                                                                                                                                                                             |
+| `traefik.backend=foo`                                      | Gives the name `foo` to the generated backend for this container.                                                                                                                                                                |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                    |
+| `traefik.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                           |
+| `traefik.backend.healthcheck.interval=1s`                  | Defines the health check interval.                                                                                                                                                                                               |
+| `traefik.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                      |
+| `traefik.backend.healthcheck.scheme=http`                  | Overrides the server URL scheme.                                                                                                                                                                                                 |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                               |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                        |
+| `traefik.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions                                                                                                                                                                                                  |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.swarm=true`                  | Uses Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                             |
+| `traefik.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                           |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2] (DEPRECATED).                                                                                                                            |
+| `traefik.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
+| `traefik.frontend.auth.basic.users=EXPR`                   | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2].                                                                                                                                         |
+| `traefik.frontend.auth.basic.usersfile=/path/.htpasswd`    | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `traefik.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
+| `traefik.frontend.auth.digest.users=EXPR`                  | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                |
+| `traefik.frontend.auth.digest.usersfile=/path/.htdigest`   | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                       |
+| `traefik.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                       |
+| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                       |
+| `traefik.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                      |
+| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
+| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                            |
+| `traefik.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
+| `traefik.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                    |
+| `traefik.frontend.auth.headerField=X-WebAuth-User`         | Sets the header user to pass the authenticated user to the application.                                                                                                                                                          |
+| `traefik.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                      |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                    |
+| `traefik.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                                 |
+| `traefik.frontend.priority=10`                             | Overrides default frontend priority                                                                                                                                                                                              |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                             |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                          |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                                |
+| `traefik.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                      |
+| `traefik.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                     |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                          |
 
 [1] `traefik.docker.network`:
 If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them).
 For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name.
 Or if your service references external network use it's name instead.
 
-[2] `traefik.frontend.auth.basic=EXPR`:
-To create `user:password` pair, it's possible to use this command `echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.
+[2] `traefik.frontend.auth.basic.users=EXPR `:  
+To create `user:password` pair, it's possible to use this command:  
+`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.  
 The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping.
 
+
 #### Custom Headers
 
 | Label                                                 | Description                                                                                                                                                                         |
@@ -273,6 +306,7 @@ The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additio
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
@@ -286,32 +320,46 @@ You can define as many segments as ports exposed in a container.
 
 Segment labels override the default behavior.
 
-| Label                                                                     | Description                                                 |
-|---------------------------------------------------------------------------|-------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
-| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
-| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
-| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
-| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
-| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
-| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+| Label                                                                     | Description                                                   |
+|---------------------------------------------------------------------------|---------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                     |
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                      |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                        |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                    |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                      |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                         |
+| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`            | Same as `traefik.frontend.auth.basic.removeHeader`            |
+| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                   | Same as `traefik.frontend.auth.basic.users`                   |
+| `traefik.<segment_name>.frontend.auth.basic.usersfile=/path/.htpasswd`    | Same as `traefik.frontend.auth.basic.usersfile`               |
+| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`           | Same as `traefik.frontend.auth.digest.removeHeader`           |
+| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                  | Same as `traefik.frontend.auth.digest.users`                  |
+| `traefik.<segment_name>.frontend.auth.digest.usersfile=/path/.htdigest`   | Same as `traefik.frontend.auth.digest.usersfile`              |
+| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`| Same as `traefik.frontend.auth.forward.address`               |
+| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`        | Same as `traefik.frontend.auth.forward.tls.ca`                |
+| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`        | Same as `traefik.frontend.auth.forward.tls.caOptional`        |
+| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`  | Same as `traefik.frontend.auth.forward.tls.cert`              |
+| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`| Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`|
+| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`   | Same as `traefik.frontend.auth.forward.tls.key`               |
+| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`    | Same as `traefik.frontend.auth.forward.trustForwardHeader`    |
+| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`         | Same as `traefik.frontend.auth.headerField`                   |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                        |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`              |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`                |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`               |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                     |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                        |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                           |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`            |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`    |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`   |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`     |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`                |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                     |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`               |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`                 |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                               |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`              |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`         |
 
 #### Custom Headers
 
@@ -339,6 +387,7 @@ Segment labels override the default behavior.
 | `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
 | `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
 | `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
+| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
 | `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
 | `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
 | `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |

docs/configuration/backends/ecs.md

@@ -102,6 +102,8 @@ If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in
 - Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
 - EC2 instance role or ECS task role
 
+To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+
 ## Policy
 
 Træfik needs the following policy to read ECS information:
@@ -134,48 +136,66 @@ Træfik needs the following policy to read ECS information:
 
 Labels can be used on task containers to override default behaviour:
 
-| Label                                                      | Description                                                                                                                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
-| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
-| `traefik.port=80`                                          | Override the default `port` value. Overrides `NetworkBindings` from Docker Container                                                                                                                                   |
-| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
-| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
-| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
-| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                            |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
-| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{instance_name}.{domain}`.                                                                                                                                          |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+| Label                                                      | Description                                                                                                                                                                                                                   |
+|------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Sets the default domain for frontend rules.                                                                                                                                                                                   |
+| `traefik.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                            |
+| `traefik.port=80`                                          | Overrides the default `port` value. Overrides `NetworkBindings` from Docker Container                                                                                                                                         |
+| `traefik.protocol=https`                                   | Overrides the default `http` protocol                                                                                                                                                                                         |
+| `traefik.weight=10`                                        | Assigns this weight to the container                                                                                                                                                                                          |
+| `traefik.backend=foo`                                      | Gives the name `foo` to the generated backend for this container.                                                                                                                                                             |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
+| `traefik.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
+| `traefik.backend.healthcheck.interval=1s`                  | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
+| `traefik.backend.healthcheck.scheme=http`                  | Overrides the server URL scheme.                                                                                                                                                                                              |
+| `traefik.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                   |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                            |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
+| `traefik.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions                                                                                                                                                                                               |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie manually  name for sticky sessions                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
+| `traefik.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
+| `traefik.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.basic.users=EXPR`                   | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
+| `traefik.frontend.auth.basic.usersfile=/path/.htpasswd`    | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
+| `traefik.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.digest.users=EXPR`                  | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
+| `traefik.frontend.auth.digest.usersfile=/path/.htdigest`   | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `traefik.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
+| `traefik.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
+| `traefik.frontend.auth.headerField=X-WebAuth-User`         | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
+| `traefik.frontend.auth.removeHeader=true`                  | If set to true, removes the Authorization header.                                                                                                                                                                             |
+| `traefik.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
+| `traefik.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
+| `traefik.frontend.priority=10`                             | Overrides default frontend priority                                                                                                                                                                                           |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
+| `traefik.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                   |
+| `traefik.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{instance_name}.{domain}`.                                                                                                                                                |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
 
 ### Custom Headers
 
@@ -203,6 +223,7 @@ Labels can be used on task containers to override default behaviour:
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |

docs/configuration/backends/file.md

@@ -37,6 +37,11 @@ Træfik can be configured with a file.
       path = "/health"
       port = 88
       interval = "30s"
+      scheme = "http"
+      hostname = "myhost.com"
+      [backends.backend1.healthcheck.headers]
+        My-Custom-Header = "foo"
+        My-Header = "bar"
 
   [backends.backend2]
     # ...
@@ -50,11 +55,40 @@ Træfik can be configured with a file.
     passHostHeader = true
     passTLSCert = true
     priority = 42
+
+    # Use frontends.frontend1.auth.basic below instead
     basicAuth = [
       "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
       "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
     ]
 
+    [frontends.frontend1.auth]
+      headerField = "X-WebAuth-User"
+      [frontends.frontend1.auth.basic]
+        removeHeader = true
+        users = [
+          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+        ]
+        usersFile = "/path/to/.htpasswd"
+      [frontends.frontend1.auth.digest]
+        removeHeader = true
+        users = [
+          "test:traefik:a2688e031edb4be6a3797f3882655c05",
+          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+        ]
+        usersFile = "/path/to/.htdigest"
+      [frontends.frontend1.auth.forward]
+        address = "https://authserver.com/auth"
+        trustForwardHeader = true
+        authResponseHeaders = ["X-Auth-User"]
+        [frontends.frontend1.auth.forward.tls]
+          ca = "path/to/local.crt"
+          caOptional = true
+          cert = "path/to/foo.cert"
+          key = "path/to/foo.key"
+          insecureSkipVerify = true
+
     [frontends.frontend1.whiteList]
       sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
       useXForwardedFor = true

docs/configuration/backends/kubernetes.md

@@ -54,8 +54,6 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 # If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 # Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
 #
-# Note : `ingressClass` option must begin with the "traefik" prefix.
-#
 # Optional
 # Default: empty
 #
@@ -81,6 +79,20 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 # Default: <built-in template>
 #
 # filename = "kubernetes.tmpl"
+
+# Enable IngressEndpoint configuration.
+# This will allow Traefik to update the status section of ingress objects, if desired.
+#
+# Optional
+#
+# [kubernetes.ingressEndpoint]
+#
+# At least one must be configured.
+# `publishedservice` will override the `hostname` and `ip` settings if configured.
+#
+# hostname = "localhost"
+# ip = "127.0.0.1"
+# publishedService = "namespace/servicename"
 ```
 
 ### `endpoint`
@@ -105,6 +117,12 @@ A label selector can be defined to filter on specific Ingress objects only.
 
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
+### `ingressEndpoint`
+
+You can configure a static hostname or IP address that Traefik will add to the status section of Ingress objects that it manages.
+If you prefer, you can provide a service, which traefik will copy the status spec from.
+This will give more flexibility in cloud/dynamic environments.
+
 ### TLS communication between Traefik and backend pods
 
 Traefik automatically requests endpoint information based on the service provided in the ingress spec.
@@ -122,24 +140,27 @@ If the service port defined in the ingress spec is 443, then the backend communi
 
 The following general annotations are applicable on the Ingress object:
 
-| Annotation                                                                      | Description                                                                                                                                     |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.ingress.kubernetes.io/buffering: <YML>`                                | (3) See [buffering](/configuration/commons/#buffering) section.                                                                                 |
-| `traefik.ingress.kubernetes.io/error-pages: <YML>`                              | (1) See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                               |
-| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https`               | Override the default frontend endpoints.                                                                                                        |
-| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"`                           | Override the default frontend PassTLSCert value. Default: `false`.                                                                              |
-| `traefik.ingress.kubernetes.io/preserve-host: "true"`                           | Forward client `Host` header to the backend.                                                                                                    |
-| `traefik.ingress.kubernetes.io/priority: "3"`                                   | Override the default frontend rule priority.                                                                                                    |
-| `traefik.ingress.kubernetes.io/rate-limit: <YML>`                               | (2) See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                         |
-| `traefik.ingress.kubernetes.io/redirect-entry-point: https`                     | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                                                          |
-| `traefik.ingress.kubernetes.io/redirect-permanent: "true"`                      | Return 301 instead of 302.                                                                                                                      |
-| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)`          | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`.                               |
-| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1`        | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`.                                     |
-| `traefik.ingress.kubernetes.io/rewrite-target: /users`                          | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header.                               |
-| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip`                      | Override the default frontend rule type. Default: `PathPrefix`.                                                                                 |
-| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted. Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering. Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.|
-| `ingress.kubernetes.io/whitelist-x-forwarded-for: "true"`                       | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                          |
-| `traefik.ingress.kubernetes.io/app-root: "/index.html"`                         | Redirects all requests for `/` to the defined path. (4)                                                                                         |
+| Annotation                                                                      | Description                                                                                                       |
+|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| `traefik.ingress.kubernetes.io/buffering: <YML>`                                | (3) See [buffering](/configuration/commons/#buffering) section.                                                   |
+| `traefik.ingress.kubernetes.io/error-pages: <YML>`                              | (1) See [custom error pages](/configuration/commons/#custom-error-pages) section.                                 |
+| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https`               | Override the default frontend endpoints.                                                                          |
+| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"`                           | Override the default frontend PassTLSCert value. Default: `false`.                                                |
+| `traefik.ingress.kubernetes.io/preserve-host: "true"`                           | Forward client `Host` header to the backend.                                                                      |
+| `traefik.ingress.kubernetes.io/priority: "3"`                                   | Override the default frontend rule priority.                                                                      |
+| `traefik.ingress.kubernetes.io/rate-limit: <YML>`                               | (2) See [rate limiting](/configuration/commons/#rate-limiting) section.                                           |
+| `traefik.ingress.kubernetes.io/redirect-entry-point: https`                     | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                            |
+| `traefik.ingress.kubernetes.io/redirect-permanent: "true"`                      | Return 301 instead of 302.                                                                                        |
+| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)`          | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`. |
+| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1`        | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`.       |
+| `traefik.ingress.kubernetes.io/rewrite-target: /users`                          | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header. |
+| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip`                      | Override the default frontend rule type. Only path related matchers can be used [(`Path`, `PathPrefix`, `PathStrip`, `PathPrefixStrip`)](/basics/#path-matcher-usage-guidelines). Note: ReplacePath is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`.                                                                                 |
+| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users`               | Add a [request modifier](/basics/#modifiers) to the backend request.                                                                                                  |
+| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access (6).                                                     |
+| `ingress.kubernetes.io/whitelist-x-forwarded-for: "true"`                       | Use `X-Forwarded-For` header as valid source of IP for the white list.                                            |
+| `traefik.ingress.kubernetes.io/app-root: "/index.html"`                         | Redirects all requests for `/` to the defined path. (4)                                                           |
+| `traefik.ingress.kubernetes.io/service-weights: <YML>`                          | Set ingress backend weights specified as percentage or decimal numbers in YAML. (5)                               |
+
 
 <1> `traefik.ingress.kubernetes.io/error-pages` example:
 
@@ -184,8 +205,43 @@ retryexpression: IsNetworkError() && Attempts() <= 2
 
 <4> `traefik.ingress.kubernetes.io/app-root`:
 Non-root paths will not be affected by this annotation and handled normally.
-This annotation may not be combined with the `ReplacePath` rule type or any other annotation leveraging that rule type.
-Trying to do so leads to an error and the corresponding Ingress object being ignored.
+This annotation may not be combined with other redirect annotations.
+Trying to do so will result in the other redirects being ignored.
+This annotation can be used in combination with `traefik.ingress.kubernetes.io/redirect-permanent` to configure whether the `app-root` redirect is a 301 or a 302.
+
+<5> `traefik.ingress.kubernetes.io/service-weights`:
+Service weights enable to split traffic across multiple backing services in a fine-grained manner.
+
+Example:
+
+```yaml
+service_backend1: 12.50%
+service_backend2: 12.50%
+service_backend3: 75 # Same as 75%, the percentage sign is optional
+```
+
+A single service backend definition may be omitted; in this case, Traefik auto-completes that service backend to 100% automatically.
+Conveniently, users need not bother to compute the percentage remainder for a main service backend.
+For instance, in the example above `service_backend3` does not need to be specified to be assigned 75%.
+
+!!! note
+    For each service weight given, the Ingress specification must include a backend item with the corresponding `serviceName` and (if given) matching path.
+
+Currently, 3 decimal places for the weight are supported.
+An attempt to exceed the precision should be avoided as it may lead to percentage computation flaws and, in consequence, Ingress parsing errors.
+
+For each path definition, this annotation will fail if:
+
+- the sum of backend weights exceeds 100% or
+- the sum of backend weights is less than 100% without one or more omitted backends
+
+See also the [user guide section traffic splitting](/user-guide/kubernetes/#traffic-splitting).
+
+<6> `traefik.ingress.kubernetes.io/whitelist-source-range`:
+All source IPs are permitted if the list is empty or a single range is ill-formatted.
+Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering.
+Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.
+
 
 !!! note
     Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case).
@@ -236,6 +292,7 @@ The following security annotations are applicable on the Ingress object:
 | `ingress.kubernetes.io/ssl-redirect: "true"`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `ingress.kubernetes.io/ssl-temporary-redirect: "true"`    | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `ingress.kubernetes.io/ssl-host: HOST`                    | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `ingress.kubernetes.io/ssl-force-host: "true"`            | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `ingress.kubernetes.io/ssl-proxy-headers: EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |
 
 ### Authentication
@@ -243,14 +300,21 @@ The following security annotations are applicable on the Ingress object:
 Additional authentication annotations can be added to the Ingress object.
 The source of the authentication is a Secret object that contains the credentials.
 
-| Annotation                                    | Description                                                                                                 |
-|-----------------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/auth-type: basic`      | Contains the authentication type. The only permitted type is `basic`.                                       |
-| `ingress.kubernetes.io/auth-secret: mysecret` | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |
+| Annotation                                                           | basic | digest | forward | Description                                                                                                 |
+|----------------------------------------------------------------------|-------|--------|---------|-------------------------------------------------------------------------------------------------------------|
+| `ingress.kubernetes.io/auth-type: basic`                             |   x   |   x    |    x    | Contains the authentication type: `basic`, `digest`, `forward`.                                             |
+| `ingress.kubernetes.io/auth-secret: mysecret`                        |   x   |   x    |         | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |
+| `ingress.kubernetes.io/auth-remove-header: true`                     |   x   |   x    |         | If set to `true` removes the `Authorization` header.                                                        |
+| `ingress.kubernetes.io/auth-header-field: X-WebAuth-User`            |   x   |   x    |         | Pass Authenticated user to application via headers.                                                         |
+| `ingress.kubernetes.io/auth-url: https://example.com`                |       |        |    x    | [The URL of the authentication server](/configuration/entrypoints/#forward-authentication).                 |
+| `ingress.kubernetes.io/auth-trust-headers: false`                    |       |        |    x    | Trust `X-Forwarded-*` headers.                                                                              |
+| `ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret` |       |        |    x    | Copy headers from the authentication server to the request.                                                 |
+| `ingress.kubernetes.io/auth-tls-secret: secret`                      |       |        |    x    | Name of Secret containing the certificate and key for the forward auth.                                     |
+| `ingress.kubernetes.io/auth-tls-insecure`                            |       |        |    x    | If set to `true` invalid SSL certificates are accepted.                                                     |
 
 The secret must be created in the same namespace as the Ingress object.
 
-The following limitations hold:
+The following limitations hold for basic/digest auth:
 
 - The realm is not configurable; the only supported (and default) value is `traefik`.
 - The Secret must contain a single file only.
@@ -263,3 +327,25 @@ More information are available in the  [User Guide](/user-guide/kubernetes/#add-
 !!! note
     Only TLS certificates provided by users can be stored in Kubernetes Secrets.
     [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet.
+
+### Global Default Backend Ingresses
+
+Ingresses can be created that look like the following:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: cheese
+spec:
+  backend:
+    serviceName: stilton
+    servicePort: 80
+```
+
+This ingress follows the [Global Default Backend](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) property of ingresses.
+This will allow users to create a "default backend" that will match all unmatched requests.
+
+!!! note
+    Due to Træfik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment, to avoid this global ingress from satisfying requests that _could_ match other ingresses.
+    To do this, use the `traefik.ingress.kubernetes.io/priority` annotation (as seen in [General Annotations](/configuration/backends/kubernetes/#general-annotations)) on your ingresses accordingly.

docs/configuration/backends/marathon.md

@@ -120,9 +120,33 @@ domain = "marathon.localhost"
 # If no units are provided, the value is parsed assuming seconds.
 #
 # Optional
+# Default: "5s"
+#
+# dialerTimeout = "5s"
+
+# Override ResponseHeaderTimeout.
+# Amount of time to allow the Marathon provider to wait until the first response
+# header from the Marathon master is received.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits).
+# If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
 # Default: "60s"
 #
-# dialerTimeout = "60s"
+# responseHeaderTimeout = "60s"
+
+# Override TLSHandshakeTimeout.
+# Amount of time to allow the Marathon provider to wait until the TLS
+# handshake completes.
+# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
+# values (digits).
+# If no units are provided, the value is parsed assuming seconds.
+#
+# Optional
+# Default: "5s"
+#
+# TLSHandshakeTimeout = "5s"
 
 # Set the TCP Keep Alive interval for the Marathon HTTP Client.
 # Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
@@ -169,49 +193,67 @@ They may be specified on one of two levels: Application or service.
 
 The following labels can be defined on Marathon applications. They adjust the behavior for the entire application.
 
-| Label                                                      | Description                                                                                                                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
-| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
-| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                 |
-| `traefik.portIndex=1`                                      | Register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                           |
-| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
-| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
-| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
-| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                            |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
-| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{sub_domain}.{domain}`.                                                                                                                                             |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+| Label                                                      | Description                                                                                                                                                                                                                   |
+|------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Sets the default domain used for the frontend rules.                                                                                                                                                                          |
+| `traefik.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                            |
+| `traefik.port=80`                                          | Registers this port. Useful when the container exposes multiples ports.                                                                                                                                                       |
+| `traefik.portIndex=1`                                      | Registers port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                 |
+| `traefik.protocol=https`                                   | Overrides the default `http` protocol.                                                                                                                                                                                        |
+| `traefik.weight=10`                                        | Assigns this weight to the container.                                                                                                                                                                                         |
+| `traefik.backend=foo`                                      | Gives the name `foo` to the generated backend for this container.                                                                                                                                                             |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
+| `traefik.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
+| `traefik.backend.healthcheck.interval=1s`                  | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
+| `traefik.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                   |
+| `traefik.backend.healthcheck.scheme=http`                  | Overrides the server URL scheme.                                                                                                                                                                                              |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                            |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
+| `traefik.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions                                                                                                                                                                                               |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie name manually for sticky sessions                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
+| `traefik.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
+| `traefik.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.basic.users=EXPR`                   | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
+| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`    | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
+| `traefik.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.digest.users=EXPR`                  | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
+| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`   | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `traefik.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
+| `traefik.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
+| `traefik.frontend.auth.headerField=X-WebAuth-User`         | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
+| `traefik.frontend.auth.removeHeader=true`                  | If set to true, removes the Authorization header.                                                                                                                                                                             |
+| `traefik.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
+| `traefik.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
+| `traefik.frontend.priority=10`                             | Overrides default frontend priority                                                                                                                                                                                           |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
+| `traefik.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                   |
+| `traefik.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{sub_domain}.{domain}`.                                                                                                                                                   |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
 
 #### Custom Headers
 
@@ -240,6 +282,7 @@ The following labels can be defined on Marathon applications. They adjust the be
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
@@ -253,33 +296,48 @@ You can define as many segments as ports exposed in an application.
 
 Segment labels override the default behavior.
 
-| Label                                                                     | Description                                                 |
-|---------------------------------------------------------------------------|-------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
-| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
-| `traefik.<segment_name>.portIndex=1`                                      | Same as `traefik.portIndex`                                 |
-| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
-| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
-| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
-| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
-| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+| Label                                                                     | Description                                                    |
+|---------------------------------------------------------------------------|----------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                      |
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                       |
+| `traefik.<segment_name>.portIndex=1`                                      | Same as `traefik.portIndex`                                    |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                         |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                     |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                       |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                          |
+| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`            | Same as `traefik.frontend.auth.basic.removeHeader`             |
+| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                   | Same as `traefik.frontend.auth.basic.users`                    |
+| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`    | Same as `traefik.frontend.auth.basic.usersFile`                |
+| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`           | Same as `traefik.frontend.auth.digest.removeHeader`            |
+| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                  | Same as `traefik.frontend.auth.digest.users`                   |
+| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`   | Same as `traefik.frontend.auth.digest.usersFile`               |
+| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`| Same as `traefik.frontend.auth.forward.address`                |
+| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`        | Same as `traefik.frontend.auth.forward.tls.ca`                 |
+| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`        | Same as `traefik.frontend.auth.forward.tls.caOptional`         |
+| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`  | Same as `traefik.frontend.auth.forward.tls.cert`               |
+| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`| Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
+| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`   | Same as `traefik.frontend.auth.forward.tls.key`                |
+| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`    | Same as `traefik.frontend.auth.forward.trustForwardHeader`     |
+| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`         | Same as `traefik.frontend.auth.headerField`                    |
+| `traefik.<segment_name>.frontend.auth.removeHeader=true`                  | Same as `traefik.frontend.auth.removeHeader`                   |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                         |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`               |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`                 |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`                |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                      |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                         |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                            |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`             |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`     |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`    |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`      |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`                 |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                      |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`                |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`                  |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                                |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`               |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`          |
 
 #### Custom Headers
 
@@ -307,6 +365,7 @@ Segment labels override the default behavior.
 | `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
 | `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
 | `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
+| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
 | `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
 | `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
 | `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |

docs/configuration/backends/mesos.md

@@ -106,48 +106,67 @@ domain = "mesos.localhost"
 
 The following labels can be defined on Mesos tasks. They adjust the behavior for the entire application.
 
-| Label                                                      | Description                                                                                                                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                |
-| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                       |
-| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                 |
-| `traefik.portIndex=1`                                      | Register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                           |
-| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                   |
-| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                    |
-| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                       |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                            |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                  |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                    |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval. (Default: 30s)                                                                                                                                                                       |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                         |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                             |
-| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                          |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                           |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                        |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                     |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                    |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                  |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                             |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{discovery_name}.{domain}`.                                                                                                                                         |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                 |
+| Label                                                      | Description                                                                                                                                                                                                                   |
+|------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Sets the default domain for the frontend rules.                                                                                                                                                                               |
+| `traefik.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                            |
+| `traefik.port=80`                                          | Registers this port. Useful when the application exposes multiple ports.                                                                                                                                                      |
+| `traefik.portName=web`                                     | Registers port by name in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                  |
+| `traefik.portIndex=1`                                      | Registers port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                 |
+| `traefik.protocol=https`                                   | Overrides the default `http` protocol                                                                                                                                                                                         |
+| `traefik.weight=10`                                        | Assigns this weight to the container                                                                                                                                                                                          |
+| `traefik.backend=foo`                                      | Gives the name `foo` to the generated backend for this container.                                                                                                                                                             |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
+| `traefik.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
+| `traefik.backend.healthcheck.interval=1s`                  | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
+| `traefik.backend.healthcheck.scheme=http`                  | Overrides the server URL scheme.                                                                                                                                                                                              |
+| `traefik.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                   |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                            |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
+| `traefik.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions                                                                                                                                                                                               |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie manually name for sticky sessions                                                                                                                                                                             |
+| `traefik.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
+| `traefik.frontend.auth.basic.users=EXPR`                   | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
+| `traefik.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`    | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
+| `traefik.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
+| `traefik.frontend.auth.digest.users=EXPR`                  | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
+| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`   | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `traefik.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
+| `traefik.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
+| `traefik.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
+| `traefik.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
+| `traefik.frontend.auth.headerField=X-WebAuth-User`         | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
+| `traefik.frontend.auth.removeHeader=true`                  | If set to true, removes the Authorization header.                                                                                                                                                                             |
+| `traefik.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
+| `traefik.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
+| `traefik.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
+| `traefik.frontend.priority=10`                             | Overrides default frontend priority                                                                                                                                                                                           |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
+| `traefik.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                   |
+| `traefik.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{discovery_name}.{domain}`.                                                                                                                                               |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
 
 ### Custom Headers
 
@@ -175,7 +194,94 @@ The following labels can be defined on Mesos tasks. They adjust the behavior for
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+
+### Applications with Multiple Ports (segment labels)
+
+Segment labels are used to define routes to an application exposing multiple ports.
+A segment is a group of labels that apply to a port exposed by an application.
+You can define as many segments as ports exposed in an application.
+
+Additionally, if a segment name matches a named port, that port will be used unless `portIndex`, `portName`, or `port` labels are specified for that segment.
+
+Segment labels override the default behavior.
+
+| Label                                                                     | Description                                                    |
+|---------------------------------------------------------------------------|----------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                      |
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                       |
+| `traefik.<segment_name>.portIndex=1`                                      | Same as `traefik.portIndex`                                    |
+| `traefik.<segment_name>.portName=web`                                     | Same as `traefik.portName`                                     |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                         |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                     |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                       |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                          |
+| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`            | Same as `traefik.frontend.auth.basic.removeHeader`             |
+| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                   | Same as `traefik.frontend.auth.basic.users`                    |
+| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`    | Same as `traefik.frontend.auth.basic.usersFile`                |
+| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`           | Same as `traefik.frontend.auth.digest.removeHeader`            |
+| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                  | Same as `traefik.frontend.auth.digest.users`                   |
+| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`   | Same as `traefik.frontend.auth.digest.usersFile`               |
+| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`| Same as `traefik.frontend.auth.forward.address`                |
+| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`        | Same as `traefik.frontend.auth.forward.tls.ca`                 |
+| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`        | Same as `traefik.frontend.auth.forward.tls.caOptional`         |
+| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`  | Same as `traefik.frontend.auth.forward.tls.cert`               |
+| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`| Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify` |
+| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`   | Same as `traefik.frontend.auth.forward.tls.key`                |
+| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`    | Same as `traefik.frontend.auth.forward.trustForwardHeader`     |
+| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`         | Same as `traefik.frontend.auth.headerField`                    |
+| `traefik.<segment_name>.frontend.auth.removeHeader=true`                  | Same as `traefik.frontend.auth.removeHeader`                   |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                         |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`               |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`                 |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`                |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                      |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                         |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                            |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`             |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`     |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`    |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`      |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`                 |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                      |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`                |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`                  |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                                |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`               |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`          |
+
+#### Custom Headers
+
+| Label                                                                | Description                                              |
+|----------------------------------------------------------------------|----------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
+| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
+
+#### Security Headers
+
+| Label                                                                   | Description                                                  |
+|-------------------------------------------------------------------------|--------------------------------------------------------------|
+| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
+| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
+| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
+| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
+| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
+| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
+| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
+| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
+| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
+| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
+| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
+| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
+| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
+| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
+| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
+| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
+| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
+| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
+| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
+| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |

docs/configuration/backends/rancher.md

@@ -138,48 +138,65 @@ secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 
 Labels can be used on task containers to override default behavior:
 
-| Label                                                      | Description                                                                                                                                                                                                               |
-|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                           | Default domain used for frontend rules.                                                                                                                                                                                   |
-| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                          |
-| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                                    |
-| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                      |
-| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                       |
-| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                          |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                               |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
-| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                          |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
-| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                             |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                       |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{service_name}.{stack_name}.{domain}`.                                                                                                                                 |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |
+| Label                                                      | Description                                                                                                                                                                                                                      |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.domain`                                           | Sets the default domain for the frontend rules.                                                                                                                                                                                  |
+| `traefik.enable=false`                                     | Disables this container in Træfik.                                                                                                                                                                                               |
+| `traefik.port=80`                                          | Registers this port. Useful when the container exposes multiple ports.                                                                                                                                                           |
+| `traefik.protocol=https`                                   | Overrides the default `http` protocol.                                                                                                                                                                                           |
+| `traefik.weight=10`                                        | Assigns this weight to the container.                                                                                                                                                                                            |
+| `traefik.backend=foo`                                      | Gives the name `foo` to the generated backend for this container.                                                                                                                                                                |
+| `traefik.backend.buffering.maxRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.maxResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.memRequestBodyBytes=0`          | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.memResponseBodyBytes=0`         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.buffering.retryExpression=EXPR`           | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                    |
+| `traefik.backend.healthcheck.path=/health`                 | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                           |
+| `traefik.backend.healthcheck.interval=1s`                  | Defines the health check interval.                                                                                                                                                                                               |
+| `traefik.backend.healthcheck.port=8080`                    | Sets a different port for the health check.                                                                                                                                                                                      |
+| `traefik.backend.healthcheck.scheme=http`                  | Overrides the server URL scheme.                                                                                                                                                                                                 |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Defines the health check hostname.                                                                                                                                                                                               |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                        |
+| `traefik.backend.loadbalancer.method=drr`                  | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enables backend sticky sessions                                                                                                                                                                                                  |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
+| `traefik.backend.maxconn.amount=10`                        | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                           |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                |
+| `traefik.frontend.auth.basic.removeHeader=true`            | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
+| `traefik.frontend.auth.basic.users=EXPR`                   | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` .                                                                                                                                            |
+| `traefik.frontend.auth.basic.usersfile=/path/.htpasswd`    | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `traefik.frontend.auth.digest.removeHeader=true`           | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
+| `traefik.frontend.auth.digest.users=EXPR`                  | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                |
+| `traefik.frontend.auth.digest.usersfile=/path/.htdigest`   | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                       |
+| `traefik.frontend.auth.forward.address=https://example.com`| Sets the URL of the authentication server.                                                                                                                                                                                       |
+| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`        | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                       |
+| `traefik.frontend.auth.forward.tls.caOptional=true`        | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                      |
+| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`  | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
+| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted.                                                                                                                                                                            |
+| `traefik.frontend.auth.forward.tls.key=/path/server.key`   | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
+| `traefik.frontend.auth.forward.trustForwardHeader=true`    | Trusts X-Forwarded-* headers.                                                                                                                                                                                                    |
+| `traefik.frontend.auth.headerField=X-WebAuth-User`         | Sets the header used to pass the authenticated user to the application.                                                                                                                                                          |
+| `traefik.frontend.entryPoints=http,https`                  | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                      |
+| `traefik.frontend.errors.<name>.backend=NAME`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.errors.<name>.query=PATH`                | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.errors.<name>.status=RANGE`              | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
+| `traefik.frontend.passHostHeader=true`                     | Forwards client `Host` header to the backend.                                                                                                                                                                                    |
+| `traefik.frontend.passTLSCert=true`                        | Forwards TLS Client certificates to the backend.                                                                                                                                                                                 |
+| `traefik.frontend.priority=10`                             | Overrides default frontend priority                                                                                                                                                                                              |
+| `traefik.frontend.rateLimit.extractorFunc=EXP`             | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.period=6`       | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.average=6`      | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`        | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                             |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                          |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                                |
+| `traefik.frontend.redirect.permanent=true`                 | Returns 301 instead of 302.                                                                                                                                                                                                      |
+| `traefik.frontend.rule=EXPR`                               | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                     |
+| `traefik.frontend.whiteList.sourceRange=RANGE`             | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.frontend.whiteList.useXForwardedFor=true`         | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                          |
 
 #### Custom Headers
 
@@ -207,6 +224,7 @@ Labels can be used on task containers to override default behavior:
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
 | `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
@@ -220,32 +238,46 @@ You can define as many segments as ports exposed in a container.
 
 Segment labels override the default behavior.
 
-| Label                                                                     | Description                                                 |
-|---------------------------------------------------------------------------|-------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                   |
-| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                    |
-| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                      |
-| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                  |
-| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                    |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                       |
-| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                      |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`            |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`              |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`             |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                   |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                      |
-| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                         |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`          |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`  |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average` |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`   |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`              |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                   |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`             |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`               |
-| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                             |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`            |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`       |
+| Label                                                                     | Description                                                   |
+|---------------------------------------------------------------------------|---------------------------------------------------------------|
+| `traefik.<segment_name>.backend=BACKEND`                                  | Same as `traefik.backend`                                     |
+| `traefik.<segment_name>.domain=DOMAIN`                                    | Same as `traefik.domain`                                      |
+| `traefik.<segment_name>.port=PORT`                                        | Same as `traefik.port`                                        |
+| `traefik.<segment_name>.protocol=http`                                    | Same as `traefik.protocol`                                    |
+| `traefik.<segment_name>.weight=10`                                        | Same as `traefik.weight`                                      |
+| `traefik.<segment_name>.frontend.auth.basic=EXPR`                         | Same as `traefik.frontend.auth.basic`                         |
+| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`            | Same as `traefik.frontend.auth.basic.removeHeader`            |
+| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                   | Same as `traefik.frontend.auth.basic.users`                   |
+| `traefik.<segment_name>.frontend.auth.basic.usersfile=/path/.htpasswd`    | Same as `traefik.frontend.auth.basic.usersfile`               |
+| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`           | Same as `traefik.frontend.auth.digest.removeHeader`           |
+| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                  | Same as `traefik.frontend.auth.digest.users`                  |
+| `traefik.<segment_name>.frontend.auth.digest.usersfile=/path/.htdigest`   | Same as `traefik.frontend.auth.digest.usersfile`              |
+| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`| Same as `traefik.frontend.auth.forward.address`               |
+| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`        | Same as `traefik.frontend.auth.forward.tls.ca`                |
+| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`        | Same as `traefik.frontend.auth.forward.tls.caOptional`        |
+| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`  | Same as `traefik.frontend.auth.forward.tls.cert`              |
+| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`| Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`|
+| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`   | Same as `traefik.frontend.auth.forward.tls.key`               |
+| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`    | Same as `traefik.frontend.auth.forward.trustForwardHeader`    |
+| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`         | Same as `traefik.frontend.auth.headerField`                   |
+| `traefik.<segment_name>.frontend.entryPoints=https`                       | Same as `traefik.frontend.entryPoints`                        |
+| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`              | Same as `traefik.frontend.errors.<name>.backend`              |
+| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                | Same as `traefik.frontend.errors.<name>.query`                |
+| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`              | Same as `traefik.frontend.errors.<name>.status`               |
+| `traefik.<segment_name>.frontend.passHostHeader=true`                     | Same as `traefik.frontend.passHostHeader`                     |
+| `traefik.<segment_name>.frontend.passTLSCert=true`                        | Same as `traefik.frontend.passTLSCert`                        |
+| `traefik.<segment_name>.frontend.priority=10`                             | Same as `traefik.frontend.priority`                           |
+| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`             | Same as `traefik.frontend.rateLimit.extractorFunc`            |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`       | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`    |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`      | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`   |
+| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`        | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`     |
+| `traefik.<segment_name>.frontend.redirect.entryPoint=https`               | Same as `traefik.frontend.redirect.entryPoint`                |
+| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`   | Same as `traefik.frontend.redirect.regex`                     |
+| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1` | Same as `traefik.frontend.redirect.replacement`               |
+| `traefik.<segment_name>.frontend.redirect.permanent=true`                 | Same as `traefik.frontend.redirect.permanent`                 |
+| `traefik.<segment_name>.frontend.rule=EXP`                                | Same as `traefik.frontend.rule`                               |
+| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`             | Same as `traefik.frontend.whiteList.sourceRange`              |
+| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`         | Same as `traefik.frontend.whiteList.useXForwardedFor`         |
 
 #### Custom Headers
 
@@ -273,6 +305,7 @@ Segment labels override the default behavior.
 | `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | overrides `traefik.frontend.headers.SSLRedirect`             |
 | `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | overrides `traefik.frontend.headers.SSLTemporaryRedirect`    |
 | `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | overrides `traefik.frontend.headers.SSLHost`                 |
+| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | overrides `traefik.frontend.headers.SSLForceHost`            |
 | `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | overrides `traefik.frontend.headers.SSLProxyHeaders`         |
 | `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | overrides `traefik.frontend.headers.STSSeconds`              |
 | `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | overrides `traefik.frontend.headers.STSIncludeSubdomains`    |

docs/configuration/backends/servicefabric.md

@@ -104,6 +104,8 @@ Labels, set through extensions or the property manager, can be used on services
 | `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
 | `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
 | `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
+| `traefik.backend.healthcheck.hostname=foobar.com`          | Define the health check hostname.                                                                                                                                                                                         |
+| `traefik.backend.healthcheck.headers=EXPR`                 | Define the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                  |
 | `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
 | `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |

docs/configuration/backends/web.md

@@ -185,6 +185,13 @@ pushinterval = "10s"
 #
 address = "localhost:8089"
 
+# InfluxDB's address protocol (udp or http)
+#
+# Required
+# Default: "udp"
+#
+protocol = "udp"
+
 # InfluxDB push interval
 #
 # Optional
@@ -192,6 +199,20 @@ address = "localhost:8089"
 #
 pushinterval = "10s"
 
+# InfluxDB database used when protocol is http
+#
+# Optional
+# Default: ""
+#
+database = ""
+
+# InfluxDB retention policy used when protocol is http
+#
+# Optional
+# Default: ""
+#
+retentionpolicy = ""
+
 # ...
 ```
 

docs/configuration/commons.md

@@ -18,7 +18,7 @@
 
 # Enable debug mode.
 # This will install HTTP handlers to expose Go expvars under /debug/vars and
-# pprof profiling data under /debug/pprof.
+# pprof profiling data under /debug/pprof/.
 # The log level will be set to DEBUG unless `logLevel` is specified.
 #
 # Optional
@@ -144,6 +144,7 @@ Supported Providers:
 - Consul K/V
 - BoltDB
 - Zookeeper
+- ECS
 - Etcd
 - Consul Catalog
 - Rancher
@@ -415,6 +416,38 @@ If no units are provided, the value is parsed assuming seconds.
 idleTimeout = "360s"
 ```
 
+## Host Resolver
+
+`hostResolver` are used for request host matching process.
+
+```toml
+[hostResolver]
+
+# cnameFlattening is a trigger to flatten request host, assuming it is a CNAME record
+#
+# Optional
+# Default : false
+#
+cnameFlattening = true
+
+# resolvConf is dns resolving configuration file, the default is /etc/resolv.conf
+#
+# Optional
+# Default : "/etc/resolv.conf"
+#
+# resolvConf = "/etc/resolv.conf"
+
+# resolvDepth is the maximum CNAME recursive lookup
+#
+# Optional
+# Default : 5
+#
+# resolvDepth = 5
+```
+
+- To allow serving secure https request and generate the SSL using ACME while `cnameFlattening` is active. 
+The `acme` configuration for `HTTP-01` challenge and `onDemand` is mandatory. 
+Refer to [ACME configuration](/configuration/acme) for more information.
 
 ## Override Default Configuration Template
 

docs/configuration/entrypoints.md

@@ -5,6 +5,11 @@
 ### TOML
 
 ```toml
+defaultEntryPoints = ["http", "https"]
+
+# ...
+# ...
+
 [entryPoints]
   [entryPoints.http]
     address = ":80"
@@ -40,12 +45,14 @@
     [entryPoints.http.auth]
       headerField = "X-WebAuth-User"
       [entryPoints.http.auth.basic]
+        removeHeader = true
         users = [
           "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
           "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
         ]
         usersFile = "/path/to/.htpasswd"
       [entryPoints.http.auth.digest]
+        removeHeader = true
         users = [
           "test:traefik:a2688e031edb4be6a3797f3882655c05",
           "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
@@ -54,8 +61,9 @@
       [entryPoints.http.auth.forward]
         address = "https://authserver.com/auth"
         trustForwardHeader = true
+        authResponseHeaders = ["X-Auth-User"]
         [entryPoints.http.auth.forward.tls]
-          ca =  [ "path/to/local.crt"]
+          ca = "path/to/local.crt"
           caOptional = true
           cert = "path/to/foo.cert"
           key = "path/to/foo.key"
@@ -108,6 +116,11 @@ Name:foo
 Address::80
 TLS:/my/path/foo.cert,/my/path/foo.key;/my/path/goo.cert,/my/path/goo.key;/my/path/hoo.cert,/my/path/hoo.key
 TLS
+TLS.MinVersion:VersionTLS11
+TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
+TLS.SniStrict:true
+TLS.DefaultCertificate.Cert:path/to/foo.cert
+TLS.DefaultCertificate.Key:path/to/foo.key
 CA:car
 CA.Optional:true
 Redirect.EntryPoint:https
@@ -121,9 +134,12 @@ ProxyProtocol.TrustedIPs:192.168.0.1
 ProxyProtocol.Insecure:true
 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
 Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+Auth.Basic.Removeheader:true
 Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+Auth.Digest.Removeheader:true
 Auth.HeaderField:X-WebAuth-User
 Auth.Forward.Address:https://authserver.com/auth
+Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret
 Auth.Forward.TrustForwardHeader:true
 Auth.Forward.TLS.CA:path/to/local.crt
 Auth.Forward.TLS.CAOptional:true
@@ -208,7 +224,7 @@ Define an entrypoint with SNI support.
 ```
 
 !!! note
-    If an empty TLS configuration is done, default self-signed certificates are generated.
+    If an empty TLS configuration is provided, default self-signed certificates are generated.
 
 
 ### Dynamic Certificates
@@ -268,6 +284,32 @@ Users can be specified directly in the TOML file, or indirectly by referencing a
   usersFile = "/path/to/.htpasswd"
 ```
 
+Optionally, you can:
+
+- pass authenticated user to application via headers
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    headerField = "X-WebAuth-User" # <-- header for the authenticated user
+    [entryPoints.http.auth.basic]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+```
+
+- remove the Authorization header
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    [entryPoints.http.auth.basic]
+    removeHeader = true # <-- remove the Authorization header
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+```
+
 ### Digest Authentication
 
 You can use `htdigest` to generate them.
@@ -285,6 +327,32 @@ Users can be specified directly in the TOML file, or indirectly by referencing a
   usersFile = "/path/to/.htdigest"
 ```
 
+Optionally, you can!
+
+- pass authenticated user to application via headers.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    headerField = "X-WebAuth-User" # <-- header for the authenticated user
+    [entryPoints.http.auth.digest]
+    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+```
+
+- remove the Authorization header.
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+  [entryPoints.http.auth]
+    [entryPoints.http.auth.digest]
+    removeHeader = true # <-- remove the Authorization header
+    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+```
+
 ### Forward Authentication
 
 This configuration will first forward the request to `http://authserver.com/auth`.
@@ -308,13 +376,21 @@ Otherwise, the response from the authentication server is returned.
     #
     trustForwardHeader = true
 
-    # Enable forward auth TLS connection.
+    # Copy headers from the authentication server to the request.
     #
     # Optional
     #
-    [entryPoints.http.auth.forward.tls]
-    cert = "authserver.crt"
-    key = "authserver.key"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+
+      # Enable forward auth TLS connection.
+      #
+      # Optional
+      #
+      [entryPoints.http.auth.forward.tls]
+      ca = "path/to/local.crt"
+      caOptional = true
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
 ```
 
 ## Specify Minimum TLS Version
@@ -339,6 +415,40 @@ To specify an https entry point with a minimum TLS version, and specifying an ar
       keyFile = "integration/fixtures/https/snitest.org.key"
 ```
 
+## Strict SNI Checking
+
+To enable strict SNI checking, so that connections cannot be made if a matching certificate does not exist.
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+    sniStrict = true
+      [[entryPoints.https.tls.certificates]]
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
+```
+
+## Default Certificate
+
+To enable a default certificate to serve, so that connections without SNI or without a matching domain will be served this certificate.
+
+```toml
+[entryPoints]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+    [entryPoints.https.tls.defaultCertificate]
+      certFile = "integration/fixtures/https/snitest.com.cert"
+      keyFile = "integration/fixtures/https/snitest.com.key"
+```
+
+!!! note
+    There can only be one `defaultCertificate` set per entrypoint.
+    Use a single set of square brackets `[ ]`, instead of the two needed for normal certificates.
+    If no default certificate is provided, a self-signed certificate will be generated by Traefik, and used instead.
+
 ## Compression
 
 To enable compression support using gzip format.

docs/configuration/logs.md

@@ -18,6 +18,7 @@ logLevel = "INFO"
   [accessLog.filters]
     statusCodes = ["200", "300-302"]
     retryAttempts = true
+    minDuration = "10ms"
 
   [accessLog.fields]
     defaultMode = "keep"
@@ -46,6 +47,7 @@ For more information about the CLI, see the documentation about [Traefik command
 --accessLog.format="json"
 --accessLog.filters.statusCodes="200,300-302"
 --accessLog.filters.retryAttempts="true"
+--accessLog.filters.minDuration="10ms"
 --accessLog.fields.defaultMode="keep"
 --accessLog.fields.names="Username=drop Hostname=drop"
 --accessLog.fields.headers.defaultMode="keep"
@@ -124,6 +126,20 @@ filePath = "/path/to/access.log"
 format = "json"
 ```
 
+To write the logs in async, specify `bufferingSize` as the format (must be >0):
+```toml
+[accessLog]
+filePath = "/path/to/access.log"
+# Buffering Size
+#
+# Optional
+# Default: 0
+#
+# Number of access log lines to process in a buffered way.
+#
+bufferingSize = 100
+```
+
 To filter logs you can specify a set of filters which are logically "OR-connected". Thus, specifying multiple filters will keep more access logs than specifying only one:
 ```toml
 [accessLog]
@@ -132,19 +148,26 @@ format = "json"
 
   [accessLog.filters]
 
-  # statusCodes keep access logs with status codes in the specified range
+  # statusCodes: keep access logs with status codes in the specified range
   #
   # Optional
   # Default: []
   #
   statusCodes = ["200", "300-302"]
 
-  # retryAttempts keep access logs when at least one retry happened
+  # retryAttempts: keep access logs when at least one retry happened
   #
   # Optional
   # Default: false
   #
   retryAttempts = true
+
+  # minDuration: keep access logs when request took longer than the specified duration
+  #
+  # Optional
+  # Default: 0
+  #
+  minDuration = "10ms"
 ```
 
 To customize logs format:

docs/configuration/metrics.md

@@ -97,6 +97,13 @@
     #
     address = "localhost:8089"
 
+    # InfluxDB's address protocol (udp or http)
+    #
+    # Required
+    # Default: "udp"
+    #
+    protocol = "udp"
+
     # InfluxDB push interval
     #
     # Optional
@@ -104,5 +111,19 @@
     #
     pushinterval = "10s"
 
+    # InfluxDB database used when protocol is http
+    #
+    # Optional
+    # Default: ""
+    #
+    database = ""
+
+    # InfluxDB retention policy used when protocol is http
+    #
+    # Optional
+    # Default: ""
+    #
+    retentionpolicy = ""
+
   # ...
 ```

docs/configuration/tracing.md

@@ -98,3 +98,41 @@ Træfik supports two backends: Jaeger and Zipkin.
     #
     id128Bit = true
 ```
+
+## DataDog
+
+```toml
+# Tracing definition
+[tracing]
+  # Backend name used to send tracing data
+  #
+  # Default: "jaeger"
+  #
+  backend = "datadog"
+
+  # Service name used in DataDog backend
+  #
+  # Default: "traefik"
+  #
+  serviceName = "traefik"
+
+  [tracing.datadog]
+    # Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
+    #
+    # Default: "127.0.0.1:8126"
+    #
+    localAgentHostPort = "127.0.0.1:8126"
+
+    # Enable DataDog debug
+    #
+    # Default: false
+    #
+    debug = false
+
+    # Apply shared tag in a form of Key:Value to all the traces
+    #
+    # Default: ""
+    #
+    globalTag = ""
+
+```

docs/index.md

@@ -3,10 +3,10 @@
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](/)
 [![Go Report Card](https://goreportcard.com/badge/github.com/containous/traefik)](https://goreportcard.com/report/github.com/containous/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 [![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 

docs/user-guide/cluster.md

@@ -26,8 +26,8 @@ If this instance fails, another manager will be automatically elected.
 
 ## Træfik cluster and Let's Encrypt
 
-**In cluster mode, ACME certificates have to be stored in [a KV Store entry](/configuration/acme/#storage-kv-entry).**
+**In cluster mode, ACME certificates have to be stored in [a KV Store entry](/configuration/acme/#as-a-key-value-store-entry).**
 
 Thanks to the Træfik cluster mode algorithm (based on [the Raft Consensus Algorithm](https://raft.github.io/)), only one instance will contact Let's encrypt to solve the challenges.
 
-The others instances will get ACME certificate from the KV Store entry.
+The others instances will get ACME certificate from the KV Store entry.

docs/user-guide/examples.md

@@ -223,7 +223,7 @@ These variables have to be set on the machine/container that host Træfik.
 
 These variables are described [in this section](/configuration/acme/#provider).
 
-More information about wildcard certificates are available [in this section](/configuration/acme/#wildcard-domain).
+More information about wildcard certificates are available [in this section](/configuration/acme/#wildcard-domains).
 
 ### onHostRule option and provided certificates (with HTTP challenge)
 
@@ -322,42 +322,6 @@ The `consul` provider contains the configuration.
   rule = "Path:/test"
 ```
 
-## Enable Basic authentication in an entry point
-
-With two user/pass:
-
-- `test`:`test`
-- `test2`:`test2`
-
-Passwords are encoded in MD5: you can use `htpasswd` to generate them.
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  [entryPoints.http.auth.basic]
-  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-```
-
-## Pass Authenticated user to application via headers
-
-Providing an authentication method as described above, it is possible to pass the user to the application
-via a configurable header value.
-
-```toml
-defaultEntryPoints = ["http"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-  [entryPoints.http.auth]
-    headerField = "X-WebAuth-User"
-    [entryPoints.http.auth.basic]
-    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-```
-
 ## Override the Traefik HTTP server idleTimeout and/or throttle configurations from re-loading too quickly
 
 ```toml

docs/user-guide/grpc.md

@@ -1,15 +1,53 @@
-# gRPC example
+# gRPC examples
+
+## With HTTP (h2c)
+
+This section explains how to use Traefik as reverse proxy for gRPC application.
+
+### Træfik configuration
+
+At last, we configure our Træfik instance to use both self-signed certificates.
+
+```toml
+defaultEntryPoints = ["https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http]
+
+[api]
+
+[file]
+
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    # Access on backend with h2c
+    url = "h2c://backend.local:8080"
+
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:frontend.local"
+```
+
+!!! warning
+    For provider with label, you will have to specify the `traefik.protocol=h2c`
+
+### Conclusion
+
+We don't need specific configuration to use gRPC in Træfik, we just need to use `h2c` protocol, or use HTTPS communications to have HTTP2 with the backend.
+
+## With HTTPS
 
 This section explains how to use Traefik as reverse proxy for gRPC application with self-signed certificates.
 
-!!! warning
-    As gRPC needs HTTP2, we need HTTPS certificates on both gRPC Server and Træfik.
+![gRPC architecture](/img/grpc.svg)
 
-<p align="center">
-<img src="/img/grpc.svg" alt="gRPC architecture" title="gRPC architecture" />
-</p>
-
-## gRPC Server certificate
+### gRPC Server certificate
 
 In order to secure the gRPC server, we generate a self-signed certificate for backend url:
 
@@ -23,7 +61,7 @@ That will prompt for information, the important answer is:
 Common Name (e.g. server FQDN or YOUR name) []: backend.local
 ```
 
-## gRPC Client certificate
+### gRPC Client certificate
 
 Generate your self-signed certificate for frontend url:
 
@@ -37,7 +75,7 @@ with
 Common Name (e.g. server FQDN or YOUR name) []: frontend.local
 ```
 
-## Træfik configuration
+### Træfik configuration
 
 At last, we configure our Træfik instance to use both self-signed certificates.
 
@@ -78,13 +116,9 @@ rootCAs = [ "./backend.cert" ]
 !!! warning
     With some backends, the server URLs use the IP, so you may need to configure `insecureSkipVerify` instead of the `rootCAS` to activate HTTPS without hostname verification.
 
-## Conclusion
+### A gRPC example in go (modify for https)
 
-We don't need specific configuration to use gRPC in Træfik, we just need to be careful that all the exchanges (between client and Træfik, and between Træfik and backend) are HTTPS communications because gRPC uses HTTP2.
-
-## A gRPC example in go
-
-We will use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)
+We use the gRPC greeter example in [grpc-go](https://github.com/grpc/grpc-go/tree/master/examples/helloworld)
 
 !!! warning
     In order to use this gRPC example, we need to modify it to use HTTPS
@@ -147,4 +181,3 @@ r, err := client.SayHello(context.Background(), &pb.HelloRequest{Name: name})
 
 // ...
 ```
-

docs/user-guide/kubernetes.md

@@ -332,7 +332,8 @@ spec:
   selector:
     k8s-app: traefik-ingress-lb
   ports:
-  - port: 80
+  - name: web
+    port: 80
     targetPort: 8080
 ---
 apiVersion: extensions/v1beta1
@@ -340,16 +341,15 @@ kind: Ingress
 metadata:
   name: traefik-web-ui
   namespace: kube-system
-  annotations:
-    kubernetes.io/ingress.class: traefik
 spec:
   rules:
   - host: traefik-ui.minikube
     http:
       paths:
-      - backend:
+      - path: /
+        backend:
           serviceName: traefik-web-ui
-          servicePort: 80
+          servicePort: web
 ```
 
 [examples/k8s/ui.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/ui.yaml)
@@ -859,12 +859,14 @@ Sometimes Træfik runs along other Ingress controller implementations. One such
 The `kubernetes.io/ingress.class` annotation can be attached to any Ingress object in order to control whether Træfik should handle it.
 
 If the annotation is missing, contains an empty value, or the value `traefik`, then the Træfik controller will take responsibility and process the associated Ingress object.
-If the annotation contains any other value (usually the name of a different Ingress controller), Træfik will ignore the object.
 
-It is also possible to set the `ingressClass` option in Træfik to a particular value.
-If that's the case and the value contains a `traefik` prefix, then only those Ingress objects matching the same value will be processed.
+It is also possible to set the `ingressClass` option in Træfik to a particular value. Træfik will only process matching Ingress objects.
 For instance, setting the option to `traefik-internal` causes Træfik to process Ingress objects with the same `kubernetes.io/ingress.class` annotation value, ignoring all other objects (including those with a `traefik` value, empty value, and missing annotation).
 
+!!! note
+    Letting multiple ingress controllers handle the same ingress objects can lead to unintended behavior.
+    It is recommended to prefix all ingressClass values with `traefik` to avoid unintended collisions with other ingress implementations.
+
 ### Between multiple Træfik Deployments
 
 Sometimes multiple Træfik Deployments are supposed to run concurrently.
@@ -874,6 +876,89 @@ For such cases, it is advisable to classify Ingress objects through a label and
 To stick with the internal/external example above, all Ingress objects meant for internal traffic could receive a `traffic-type: internal` label while objects designated for external traffic receive a `traffic-type: external` label.
 The label selectors on the Træfik Deployments would then be `traffic-type=internal` and `traffic-type=external`, respectively.
 
+## Traffic Splitting
+
+It is possible to split Ingress traffic in a fine-grained manner between multiple deployments using _service weights_.
+
+One canonical use case is canary releases where a deployment representing a newer release is to receive an initially small but ever-increasing fraction of the requests over time.
+The way this can be done in Træfik is to specify a percentage of requests that should go into each deployment.
+
+For instance, say that an application `my-app` runs in version 1.
+A newer version 2 is about to be released, but confidence in the robustness and reliability of new version running in production can only be gained gradually.
+Thus, a new deployment `my-app-canary` is created and scaled to a replica count that suffices for a 1% traffic share.
+Along with it, a Service object is created as usual.
+
+The Ingress specification would look like this:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/service-weights: |
+      my-app: 99%
+      my-app-canary: 1%
+  name: my-app
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: my-app
+          servicePort: 80
+        path: /
+      - backend:
+          serviceName: my-app-canary
+          servicePort: 80
+        path: /
+```
+
+Take note of the `traefik.ingress.kubernetes.io/service-weights` annotation: It specifies the distribution of requests among the referenced backend services, `my-app` and `my-app-canary`.
+With this definition, Træfik will route 99% of the requests to the pods backed by the `my-app` deployment, and 1% to those backed by `my-app-canary`.
+Over time, the ratio may slowly shift towards the canary deployment until it is deemed to replace the previous main application, in steps such as 5%/95%, 10%/90%, 50%/50%, and finally 100%/0%.
+
+A few conditions must hold for service weights to be applied correctly:
+
+- The associated service backends must share the same path and host.
+- The total percentage shared across all service backends must yield 100% (see the section on [omitting the final service](#omitting-the-final-service), however).
+- The percentage values are interpreted as floating point numbers to a supported precision as defined in the [annotation documentation](/configuration/backends/kubernetes#general-annotations).
+
+### Omitting the Final Service
+
+When specifying service weights, it is possible to omit exactly one service for convenience reasons.
+
+For instance, the following definition shows how to split requests in a scenario where a canary release is accompanied by a baseline deployment for easier metrics comparison or automated canary analysis:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/service-weights: |
+      my-app-canary: 10%
+      my-app-baseline: 10%
+  name: app
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: my-app-canary
+          servicePort: 80
+        path: /
+      - backend:
+          serviceName: my-app-baseline
+          servicePort: 80
+        path: /
+      - backend:
+          serviceName: my-app-main
+          servicePort: 80
+        path: /
+```
+
+This configuration assigns 80% of traffic to `my-app-main` automatically, thus freeing the user from having to complete percentage values manually.
+This becomes handy when increasing shares for canary releases continuously.
+
 ## Production advice
 
 ### Resource limitations

docs/user-guide/kv-config.md

@@ -56,7 +56,7 @@ whoami4:
 
 ### Upload the configuration in the Key-value store
 
-We should now fill the store with the Træfik global configuration, as we do with a [TOML file configuration](/toml).  
+We should now fill the store with the Træfik global configuration.  
 To do that, we can send the Key-value pairs via [curl commands](https://www.consul.io/intro/getting-started/kv.html) or via the [Web UI](https://www.consul.io/intro/getting-started/ui.html).
 
 Fortunately, Træfik allows automation of this process using the `storeconfig` subcommand.  
@@ -85,9 +85,9 @@ defaultEntryPoints = ["http", "https"]
       certFile = """-----BEGIN CERTIFICATE-----
                       <cert file content>
                       -----END CERTIFICATE-----"""
-      keyFile = """-----BEGIN CERTIFICATE-----
+      keyFile = """-----BEGIN PRIVATE KEY-----
                       <key file content>
-                      -----END CERTIFICATE-----"""
+                      -----END PRIVATE KEY-----"""
     [entryPoints.other-https]
     address = ":4443"
       [entryPoints.other-https.tls]
@@ -266,10 +266,11 @@ Here is the toml configuration we would like to store in the store :
   backend = "backend1"
   passHostHeader = true
   priority = 10
-  basicAuth = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
+      [frontends.frontend2.auth.basic]
+      users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+        "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+      ]
   entrypoints = ["https"] # overrides defaultEntryPoints
     [frontends.frontend2.routes.test_1]
     rule = "Host:{subdomain:[a-z]+}.localhost"
@@ -334,8 +335,8 @@ And there, the same dynamic configuration in a KV Store (using `prefix = "traefi
 | `/traefik/frontends/frontend2/backend`             | `backend1`                                    |
 | `/traefik/frontends/frontend2/passhostheader`      | `true`                                        |
 | `/traefik/frontends/frontend2/priority`            | `10`                                          |
-| `/traefik/frontends/frontend2/basicauth/0`         | `test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/`  |
-| `/traefik/frontends/frontend2/basicauth/1`         | `test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` |
+| `/traefik/frontends/frontend2/auth/basic/users/0`  | `test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/`  |
+| `/traefik/frontends/frontend2/auth/basic/users/1`  | `test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0` |
 | `/traefik/frontends/frontend2/entrypoints`         | `http,https`                                  |
 | `/traefik/frontends/frontend2/routes/test_2/rule`  | `PathPrefix:/test`                            |
 
@@ -444,4 +445,4 @@ Then remove the line `storageFile = "acme.json"` from your TOML config file.
 
 That's it!
 
-![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

docs/user-guide/marathon.md

@@ -30,7 +30,7 @@ Following is the order by which Traefik tries to identify the port (the first on
 
 ## Applications with multiple ports
 
-Some Marathon applications may expose multiple ports. Traefik supports creating one so-called _service_ per port using [specific labels](/configuration/backends/marathon#service-level).
+Some Marathon applications may expose multiple ports. Traefik supports creating one so-called _segment_ per port using [segment labels](/configuration/backends/marathon#applications-with-multiple-ports-segment-labels).
 
 For instance, assume that a Marathon application exposes a web API on port 80 and an admin interface on port 8080. It would then be possible to make each service available by specifying the following Marathon labels:
 

docs/user-guide/swarm-mode.md

@@ -102,7 +102,7 @@ Let's explain this command:
 | `--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock` | we bind mount the docker socket where Træfik is scheduled to be able to speak to the daemon.   |
 | `--network traefik-net`                                                     | we attach the Træfik service (and thus the underlying container) to the `traefik-net` network. |
 | `--docker`                                                                  | enable docker provider, and `--docker.swarmMode` to enable the swarm mode on Træfik.            |
-| `--api                                                                      | activate the webUI on port 8080                                                                |
+| `--api`                                                                      | activate the webUI on port 8080                                                                |
 
 
 ## Deploy your apps
@@ -330,4 +330,4 @@ X-Forwarded-Proto: http
 X-Forwarded-Server: 77fc29c69fe4
 ```
 
-![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

docs/user-guide/swarm.md

@@ -178,4 +178,4 @@ X-Forwarded-Proto: http
 X-Forwarded-Server: 8fbc39271b4c
 ```
 
-![](https://i.giphy.com/ujUdrdpX7Ok5W.gif)
+![GIF Magica](https://i.giphy.com/ujUdrdpX7Ok5W.gif)

examples/acme/manage_acme_docker_environment.sh

@@ -9,7 +9,7 @@ readonly doc_file=$basedir"/docker-compose.yml"
 down_environment() {
     echo "STOP Docker environment"
     ! docker-compose -f $doc_file down -v &>/dev/null && \
-        echo "[ERROR] Impossible to stop the Docker environment" && exit 11
+        echo "[ERROR] Unable to stop the Docker environment" && exit 11
 }
 
 # Create and start Docker-compose environment or subpart of its services (if services are listed)
@@ -17,7 +17,7 @@ down_environment() {
 up_environment() {
     echo "START Docker environment"
     ! docker-compose -f $doc_file up -d $@ &>/dev/null && \
-        echo "[ERROR] Impossible to start Docker environment" && exit 21
+        echo "[ERROR] Unable to start Docker environment" && exit 21
 }
 
 # Init the environment : get IP address and create needed files
@@ -40,7 +40,7 @@ start_boulder() {
         sleep 5
         let waiting_counter-=1
         if [[ $waiting_counter -eq 0 ]]; then
-            echo "[ERROR] Impossible to start boulder container in the allowed time, the Docker environment will be stopped"
+            echo "[ERROR] Unable to start boulder container in the allowed time, the Docker environment will be stopped"
             down_environment
             exit 41
         fi

examples/k8s/cheese-default-ingress.yaml

@@ -0,0 +1,8 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: cheese-default
+spec:
+  backend:
+    serviceName: stilton
+    servicePort: 80

examples/k8s/traefik-ds.yaml

@@ -30,7 +30,7 @@ spec:
           hostPort: 80
         - name: admin
           containerPort: 8080
-          hostport: 8080
+          hostPort: 8080
         securityContext:
           capabilities:
             drop:

h2c/h2c.go

@@ -0,0 +1,477 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package h2c implements the h2c part of HTTP/2.
+//
+// The h2c protocol is the non-TLS secured version of HTTP/2 which is not
+// available from net/http.
+package h2c
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/textproto"
+	"os"
+	"strings"
+
+	"github.com/containous/traefik/log"
+
+	"golang.org/x/net/http/httpguts"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/hpack"
+)
+
+var (
+	http2VerboseLogs bool
+)
+
+func init() {
+	e := os.Getenv("GODEBUG")
+	if strings.Contains(e, "http2debug=1") || strings.Contains(e, "http2debug=2") {
+		http2VerboseLogs = true
+	}
+	http2VerboseLogs = true
+}
+
+// Server implements net.Handler and enables h2c. Users who want h2c just need
+// to provide an http.Server.
+type Server struct {
+	*http.Server
+}
+
+// Serve Put a middleware around the original handler to handle h2c
+func (s Server) Serve(l net.Listener) error {
+	originalHandler := s.Server.Handler
+	if originalHandler == nil {
+		originalHandler = http.DefaultServeMux
+	}
+	s.Server.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == "PRI" && r.URL.Path == "*" && r.Proto == "HTTP/2.0" {
+			if http2VerboseLogs {
+				log.Debugf("Attempting h2c with prior knowledge.")
+			}
+			conn, err := initH2CWithPriorKnowledge(w)
+			if err != nil {
+				if http2VerboseLogs {
+					log.Debugf("Error h2c with prior knowledge: %v", err)
+				}
+				return
+			}
+			defer conn.Close()
+			h2cSrv := &http2.Server{}
+			h2cSrv.ServeConn(conn, &http2.ServeConnOpts{Handler: originalHandler})
+			return
+		}
+		if conn, err := h2cUpgrade(w, r); err == nil {
+			defer conn.Close()
+			h2cSrv := &http2.Server{}
+			h2cSrv.ServeConn(conn, &http2.ServeConnOpts{Handler: originalHandler})
+			return
+		}
+		originalHandler.ServeHTTP(w, r)
+	})
+	return s.Server.Serve(l)
+}
+
+// initH2CWithPriorKnowledge implements creating a h2c connection with prior
+// knowledge (Section 3.4) and creates a net.Conn suitable for http2.ServeConn.
+// All we have to do is look for the client preface that is suppose to be part
+// of the body, and reforward the client preface on the net.Conn this function
+// creates.
+func initH2CWithPriorKnowledge(w http.ResponseWriter) (net.Conn, error) {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return nil, errors.New("hijack not supported")
+	}
+	conn, rw, err := hijacker.Hijack()
+	if err != nil {
+		return nil, fmt.Errorf("hijack failed: %v", err)
+	}
+
+	expectedBody := "SM\r\n\r\n"
+
+	buf := make([]byte, len(expectedBody))
+	n, err := io.ReadFull(rw, buf)
+	if err != nil {
+		return nil, fmt.Errorf("fail to read body: %v", err)
+	}
+
+	if bytes.Equal(buf[0:n], []byte(expectedBody)) {
+		c := &rwConn{
+			Conn:      conn,
+			Reader:    io.MultiReader(bytes.NewBuffer([]byte(http2.ClientPreface)), rw),
+			BufWriter: rw.Writer,
+		}
+		return c, nil
+	}
+
+	conn.Close()
+	if http2VerboseLogs {
+		log.Printf(
+			"Missing the request body portion of the client preface. Wanted: %v Got: %v",
+			[]byte(expectedBody),
+			buf[0:n],
+		)
+	}
+	return nil, errors.New("invalid client preface")
+}
+
+// drainClientPreface reads a single instance of the HTTP/2 client preface from
+// the supplied reader.
+func drainClientPreface(r io.Reader) error {
+	var buf bytes.Buffer
+	prefaceLen := int64(len([]byte(http2.ClientPreface)))
+	n, err := io.CopyN(&buf, r, prefaceLen)
+	if err != nil {
+		return err
+	}
+	if n != prefaceLen || buf.String() != http2.ClientPreface {
+		return fmt.Errorf("client never sent: %s", http2.ClientPreface)
+	}
+	return nil
+}
+
+// h2cUpgrade establishes a h2c connection using the HTTP/1 upgrade (Section 3.2).
+func h2cUpgrade(w http.ResponseWriter, r *http.Request) (net.Conn, error) {
+	if !isH2CUpgrade(r.Header) {
+		return nil, errors.New("non-conforming h2c headers")
+	}
+
+	// Initial bytes we put into conn to fool http2 server
+	initBytes, _, err := convertH1ReqToH2(r)
+	if err != nil {
+		return nil, err
+	}
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return nil, errors.New("hijack not supported")
+	}
+	conn, rw, err := hijacker.Hijack()
+	if err != nil {
+		return nil, fmt.Errorf("hijack failed: %v", err)
+	}
+
+	rw.Write([]byte("HTTP/1.1 101 Switching Protocols\r\n" +
+		"Connection: Upgrade\r\n" +
+		"Upgrade: h2c\r\n\r\n"))
+	rw.Flush()
+
+	// A conforming client will now send an H2 client preface which need to drain
+	// since we already sent this.
+	if err := drainClientPreface(rw); err != nil {
+		return nil, err
+	}
+
+	c := &rwConn{
+		Conn:      conn,
+		Reader:    io.MultiReader(initBytes, rw),
+		BufWriter: newSettingsAckSwallowWriter(rw.Writer),
+	}
+	return c, nil
+}
+
+// convert the data contained in the HTTP/1 upgrade request into the HTTP/2
+// version in byte form.
+func convertH1ReqToH2(r *http.Request) (*bytes.Buffer, []http2.Setting, error) {
+	h2Bytes := bytes.NewBuffer([]byte((http2.ClientPreface)))
+	framer := http2.NewFramer(h2Bytes, nil)
+	settings, err := getH2Settings(r.Header)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if err := framer.WriteSettings(settings...); err != nil {
+		return nil, nil, err
+	}
+
+	headerBytes, err := getH2HeaderBytes(r, getMaxHeaderTableSize(settings))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	maxFrameSize := int(getMaxFrameSize(settings))
+	needOneHeader := len(headerBytes) < maxFrameSize
+	err = framer.WriteHeaders(http2.HeadersFrameParam{
+		StreamID:      1,
+		BlockFragment: headerBytes,
+		EndHeaders:    needOneHeader,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for i := maxFrameSize; i < len(headerBytes); i += maxFrameSize {
+		if len(headerBytes)-i > maxFrameSize {
+			if err := framer.WriteContinuation(1,
+				false, // endHeaders
+				headerBytes[i:maxFrameSize]); err != nil {
+				return nil, nil, err
+			}
+		} else {
+			if err := framer.WriteContinuation(1,
+				true, // endHeaders
+				headerBytes[i:]); err != nil {
+				return nil, nil, err
+			}
+		}
+	}
+
+	return h2Bytes, settings, nil
+}
+
+// getMaxFrameSize returns the SETTINGS_MAX_FRAME_SIZE. If not present default
+// value is 16384 as specified by RFC 7540 Section 6.5.2.
+func getMaxFrameSize(settings []http2.Setting) uint32 {
+	for _, setting := range settings {
+		if setting.ID == http2.SettingMaxFrameSize {
+			return setting.Val
+		}
+	}
+	return 16384
+}
+
+// getMaxHeaderTableSize returns the SETTINGS_HEADER_TABLE_SIZE. If not present
+// default value is 4096 as specified by RFC 7540 Section 6.5.2.
+func getMaxHeaderTableSize(settings []http2.Setting) uint32 {
+	for _, setting := range settings {
+		if setting.ID == http2.SettingHeaderTableSize {
+			return setting.Val
+		}
+	}
+	return 4096
+}
+
+// bufWriter is a Writer interface that also has a Flush method.
+type bufWriter interface {
+	io.Writer
+	Flush() error
+}
+
+// rwConn implements net.Conn but overrides Read and Write so that reads and
+// writes are forwarded to the provided io.Reader and bufWriter.
+type rwConn struct {
+	net.Conn
+	io.Reader
+	BufWriter bufWriter
+}
+
+// Read forwards reads to the underlying Reader.
+func (c *rwConn) Read(p []byte) (int, error) {
+	return c.Reader.Read(p)
+}
+
+// Write forwards writes to the underlying bufWriter and immediately flushes.
+func (c *rwConn) Write(p []byte) (int, error) {
+	n, err := c.BufWriter.Write(p)
+	if err := c.BufWriter.Flush(); err != nil {
+		return 0, err
+	}
+	return n, err
+}
+
+// settingsAckSwallowWriter is a writer that normally forwards bytes to it's
+// underlying Writer, but swallows the first SettingsAck frame that it sees.
+type settingsAckSwallowWriter struct {
+	Writer     *bufio.Writer
+	buf        []byte
+	didSwallow bool
+}
+
+// newSettingsAckSwallowWriter returns a new settingsAckSwallowWriter.
+func newSettingsAckSwallowWriter(w *bufio.Writer) *settingsAckSwallowWriter {
+	return &settingsAckSwallowWriter{
+		Writer:     w,
+		buf:        make([]byte, 0),
+		didSwallow: false,
+	}
+}
+
+// Write implements io.Writer interface. Normally forwards bytes to w.Writer,
+// except for the first Settings ACK frame that it sees.
+func (w *settingsAckSwallowWriter) Write(p []byte) (int, error) {
+	if !w.didSwallow {
+		w.buf = append(w.buf, p...)
+		// Process all the frames we have collected into w.buf
+		for {
+			// Append until we get full frame header which is 9 bytes
+			if len(w.buf) < 9 {
+				break
+			}
+			// Check if we have collected a whole frame.
+			fh, err := http2.ReadFrameHeader(bytes.NewBuffer(w.buf))
+			if err != nil {
+				// Corrupted frame, fail current Write
+				return 0, err
+			}
+			fSize := fh.Length + 9
+			if uint32(len(w.buf)) < fSize {
+				// Have not collected whole frame. Stop processing buf, and withhold on
+				// forward bytes to w.Writer until we get the full frame.
+				break
+			}
+
+			// We have now collected a whole frame.
+			if fh.Type == http2.FrameSettings && fh.Flags.Has(http2.FlagSettingsAck) {
+				// If Settings ACK frame, do not forward to underlying writer, remove
+				// bytes from w.buf, and record that we have swallowed Settings Ack
+				// frame.
+				w.didSwallow = true
+				w.buf = w.buf[fSize:]
+				continue
+			}
+
+			// Not settings ack frame. Forward bytes to w.Writer.
+			if _, err := w.Writer.Write(w.buf[:fSize]); err != nil {
+				// Couldn't forward bytes. Fail current Write.
+				return 0, err
+			}
+			w.buf = w.buf[fSize:]
+		}
+		return len(p), nil
+	}
+	return w.Writer.Write(p)
+}
+
+// Flush calls w.Writer.Flush.
+func (w *settingsAckSwallowWriter) Flush() error {
+	return w.Writer.Flush()
+}
+
+// isH2CUpgrade returns true if the header properly request an upgrade to h2c
+// as specified by Section 3.2.
+func isH2CUpgrade(h http.Header) bool {
+	return httpguts.HeaderValuesContainsToken(h[textproto.CanonicalMIMEHeaderKey("Upgrade")], "h2c") &&
+		httpguts.HeaderValuesContainsToken(h[textproto.CanonicalMIMEHeaderKey("Connection")], "HTTP2-Settings")
+}
+
+// getH2Settings returns the []http2.Setting that are encoded in the
+// HTTP2-Settings header.
+func getH2Settings(h http.Header) ([]http2.Setting, error) {
+	vals, ok := h[textproto.CanonicalMIMEHeaderKey("HTTP2-Settings")]
+	if !ok {
+		return nil, errors.New("missing HTTP2-Settings header")
+	}
+	if len(vals) != 1 {
+		return nil, fmt.Errorf("expected 1 HTTP2-Settings. Got: %v", vals)
+	}
+	settings, err := decodeSettings(vals[0])
+	if err != nil {
+		return nil, fmt.Errorf("invalid HTTP2-Settings: %q", vals[0])
+	}
+	return settings, nil
+}
+
+// decodeSettings decodes the base64url header value of the HTTP2-Settings
+// header. RFC 7540 Section 3.2.1.
+func decodeSettings(headerVal string) ([]http2.Setting, error) {
+	b, err := base64.RawURLEncoding.DecodeString(headerVal)
+	if err != nil {
+		return nil, err
+	}
+	if len(b)%6 != 0 {
+		return nil, err
+	}
+	settings := make([]http2.Setting, 0)
+	for i := 0; i < len(b)/6; i++ {
+		settings = append(settings, http2.Setting{
+			ID:  http2.SettingID(binary.BigEndian.Uint16(b[i*6 : i*6+2])),
+			Val: binary.BigEndian.Uint32(b[i*6+2 : i*6+6]),
+		})
+	}
+
+	return settings, nil
+}
+
+// getH2HeaderBytes return the headers in r a []bytes encoded by HPACK.
+func getH2HeaderBytes(r *http.Request, maxHeaderTableSize uint32) ([]byte, error) {
+	headerBytes := bytes.NewBuffer(nil)
+	hpackEnc := hpack.NewEncoder(headerBytes)
+	hpackEnc.SetMaxDynamicTableSize(maxHeaderTableSize)
+
+	// Section 8.1.2.3
+	err := hpackEnc.WriteField(hpack.HeaderField{
+		Name:  ":method",
+		Value: r.Method,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = hpackEnc.WriteField(hpack.HeaderField{
+		Name:  ":scheme",
+		Value: "http",
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = hpackEnc.WriteField(hpack.HeaderField{
+		Name:  ":authority",
+		Value: r.Host,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	path := r.URL.Path
+	if r.URL.RawQuery != "" {
+		path = strings.Join([]string{path, r.URL.RawQuery}, "?")
+	}
+	err = hpackEnc.WriteField(hpack.HeaderField{
+		Name:  ":path",
+		Value: path,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO Implement Section 8.3
+
+	for header, values := range r.Header {
+		// Skip non h2 headers
+		if isNonH2Header(header) {
+			continue
+		}
+		for _, v := range values {
+			err := hpackEnc.WriteField(hpack.HeaderField{
+				Name:  strings.ToLower(header),
+				Value: v,
+			})
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	return headerBytes.Bytes(), nil
+}
+
+// Connection specific headers listed in RFC 7540 Section 8.1.2.2 that are not
+// suppose to be transferred to HTTP/2. The Http2-Settings header is skipped
+// since already use to create the HTTP/2 SETTINGS frame.
+var nonH2Headers = []string{
+	"Connection",
+	"Keep-Alive",
+	"Proxy-Connection",
+	"Transfer-Encoding",
+	"Upgrade",
+	"Http2-Settings",
+}
+
+// isNonH2Header returns true if header should not be transferred to HTTP/2.
+func isNonH2Header(header string) bool {
+	for _, nonH2h := range nonH2Headers {
+		if header == nonH2h {
+			return true
+		}
+	}
+	return false
+}

healthcheck/healthcheck.go

@@ -19,73 +19,82 @@ import (
 var singleton *HealthCheck
 var once sync.Once
 
-// GetHealthCheck returns the health check which is guaranteed to be a singleton.
-func GetHealthCheck(metrics metricsRegistry) *HealthCheck {
-	once.Do(func() {
-		singleton = newHealthCheck(metrics)
-	})
-	return singleton
+// BalancerHandler includes functionality for load-balancing management.
+type BalancerHandler interface {
+	ServeHTTP(w http.ResponseWriter, req *http.Request)
+	Servers() []*url.URL
+	RemoveServer(u *url.URL) error
+	UpsertServer(u *url.URL, options ...roundrobin.ServerOption) error
+}
+
+// metricsRegistry is a local interface in the health check package, exposing only the required metrics
+// necessary for the health check package. This makes it easier for the tests.
+type metricsRegistry interface {
+	BackendServerUpGauge() metrics.Gauge
 }
 
 // Options are the public health check options.
 type Options struct {
+	Headers   map[string]string
+	Hostname  string
+	Scheme    string
 	Path      string
 	Port      int
 	Transport http.RoundTripper
 	Interval  time.Duration
-	LB        LoadBalancer
+	LB        BalancerHandler
 }
 
 func (opt Options) String() string {
-	return fmt.Sprintf("[Path: %s Port: %d Interval: %s]", opt.Path, opt.Port, opt.Interval)
+	return fmt.Sprintf("[Hostname: %s Headers: %v Path: %s Port: %d Interval: %s]", opt.Hostname, opt.Headers, opt.Path, opt.Port, opt.Interval)
 }
 
-// BackendHealthCheck HealthCheck configuration for a backend
-type BackendHealthCheck struct {
+// BackendConfig HealthCheck configuration for a backend
+type BackendConfig struct {
 	Options
 	name           string
 	disabledURLs   []*url.URL
 	requestTimeout time.Duration
 }
 
-//HealthCheck struct
+func (b *BackendConfig) newRequest(serverURL *url.URL) (*http.Request, error) {
+	u := &url.URL{}
+	*u = *serverURL
+
+	if len(b.Scheme) > 0 {
+		u.Scheme = b.Scheme
+	}
+
+	if b.Port != 0 {
+		u.Host = net.JoinHostPort(u.Hostname(), strconv.Itoa(b.Port))
+	}
+
+	u.Path += b.Path
+
+	return http.NewRequest(http.MethodGet, u.String(), nil)
+}
+
+// this function adds additional http headers and hostname to http.request
+func (b *BackendConfig) addHeadersAndHost(req *http.Request) *http.Request {
+	if b.Options.Hostname != "" {
+		req.Host = b.Options.Hostname
+	}
+
+	for k, v := range b.Options.Headers {
+		req.Header.Set(k, v)
+	}
+	return req
+}
+
+// HealthCheck struct
 type HealthCheck struct {
-	Backends map[string]*BackendHealthCheck
+	Backends map[string]*BackendConfig
 	metrics  metricsRegistry
 	cancel   context.CancelFunc
 }
 
-// LoadBalancer includes functionality for load-balancing management.
-type LoadBalancer interface {
-	RemoveServer(u *url.URL) error
-	UpsertServer(u *url.URL, options ...roundrobin.ServerOption) error
-	Servers() []*url.URL
-}
-
-func newHealthCheck(metrics metricsRegistry) *HealthCheck {
-	return &HealthCheck{
-		Backends: make(map[string]*BackendHealthCheck),
-		metrics:  metrics,
-	}
-}
-
-// metricsRegistry is a local interface in the healthcheck package, exposing only the required metrics
-// necessary for the healthcheck package. This makes it easier for the tests.
-type metricsRegistry interface {
-	BackendServerUpGauge() metrics.Gauge
-}
-
-// NewBackendHealthCheck Instantiate a new BackendHealthCheck
-func NewBackendHealthCheck(options Options, backendName string) *BackendHealthCheck {
-	return &BackendHealthCheck{
-		Options:        options,
-		name:           backendName,
-		requestTimeout: 5 * time.Second,
-	}
-}
-
-//SetBackendsConfiguration set backends configuration
-func (hc *HealthCheck) SetBackendsConfiguration(parentCtx context.Context, backends map[string]*BackendHealthCheck) {
+// SetBackendsConfiguration set backends configuration
+func (hc *HealthCheck) SetBackendsConfiguration(parentCtx context.Context, backends map[string]*BackendConfig) {
 	hc.Backends = backends
 	if hc.cancel != nil {
 		hc.cancel()
@@ -101,7 +110,7 @@ func (hc *HealthCheck) SetBackendsConfiguration(parentCtx context.Context, backe
 	}
 }
 
-func (hc *HealthCheck) execute(ctx context.Context, backend *BackendHealthCheck) {
+func (hc *HealthCheck) execute(ctx context.Context, backend *BackendConfig) {
 	log.Debugf("Initial health check for backend: %q", backend.name)
 	hc.checkBackend(backend)
 	ticker := time.NewTicker(backend.Interval)
@@ -118,7 +127,7 @@ func (hc *HealthCheck) execute(ctx context.Context, backend *BackendHealthCheck)
 	}
 }
 
-func (hc *HealthCheck) checkBackend(backend *BackendHealthCheck) {
+func (hc *HealthCheck) checkBackend(backend *BackendConfig) {
 	enabledURLs := backend.LB.Servers()
 	var newDisabledURLs []*url.URL
 	for _, url := range backend.disabledURLs {
@@ -149,42 +158,55 @@ func (hc *HealthCheck) checkBackend(backend *BackendHealthCheck) {
 	}
 }
 
-func (backend *BackendHealthCheck) newRequest(serverURL *url.URL) (*http.Request, error) {
-	if backend.Port == 0 {
-		return http.NewRequest(http.MethodGet, serverURL.String()+backend.Path, nil)
+// GetHealthCheck returns the health check which is guaranteed to be a singleton.
+func GetHealthCheck(metrics metricsRegistry) *HealthCheck {
+	once.Do(func() {
+		singleton = newHealthCheck(metrics)
+	})
+	return singleton
+}
+
+func newHealthCheck(metrics metricsRegistry) *HealthCheck {
+	return &HealthCheck{
+		Backends: make(map[string]*BackendConfig),
+		metrics:  metrics,
 	}
+}
 
-	// copy the url and add the port to the host
-	u := &url.URL{}
-	*u = *serverURL
-	u.Host = net.JoinHostPort(u.Hostname(), strconv.Itoa(backend.Port))
-	u.Path = u.Path + backend.Path
-
-	return http.NewRequest(http.MethodGet, u.String(), nil)
+// NewBackendConfig Instantiate a new BackendConfig
+func NewBackendConfig(options Options, backendName string) *BackendConfig {
+	return &BackendConfig{
+		Options:        options,
+		name:           backendName,
+		requestTimeout: 5 * time.Second,
+	}
 }
 
 // checkHealth returns a nil error in case it was successful and otherwise
 // a non-nil error with a meaningful description why the health check failed.
-func checkHealth(serverURL *url.URL, backend *BackendHealthCheck) error {
-	client := http.Client{
-		Timeout:   backend.requestTimeout,
-		Transport: backend.Options.Transport,
-	}
+func checkHealth(serverURL *url.URL, backend *BackendConfig) error {
 	req, err := backend.newRequest(serverURL)
 	if err != nil {
 		return fmt.Errorf("failed to create HTTP request: %s", err)
 	}
 
-	resp, err := client.Do(req)
-	if err == nil {
-		defer resp.Body.Close()
+	req = backend.addHeadersAndHost(req)
+
+	client := http.Client{
+		Timeout:   backend.requestTimeout,
+		Transport: backend.Options.Transport,
 	}
 
-	switch {
-	case err != nil:
+	resp, err := client.Do(req)
+	if err != nil {
 		return fmt.Errorf("HTTP request failed: %s", err)
-	case resp.StatusCode != http.StatusOK:
-		return fmt.Errorf("received non-200 status code: %v", resp.StatusCode)
 	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusBadRequest {
+		return fmt.Errorf("received error status code: %v", resp.StatusCode)
+	}
+
 	return nil
 }

healthcheck/healthcheck_test.go

@@ -10,6 +10,8 @@ import (
 	"time"
 
 	"github.com/containous/traefik/testhelpers"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
@@ -17,64 +19,81 @@ const healthCheckInterval = 100 * time.Millisecond
 
 type testHandler struct {
 	done           func()
-	healthSequence []bool
+	healthSequence []int
 }
 
 func TestSetBackendsConfiguration(t *testing.T) {
-	tests := []struct {
-		desc                   string
-		startHealthy           bool
-		healthSequence         []bool
-		wantNumRemovedServers  int
-		wantNumUpsertedServers int
-		wantGaugeValue         float64
+	testCases := []struct {
+		desc                       string
+		startHealthy               bool
+		healthSequence             []int
+		expectedNumRemovedServers  int
+		expectedNumUpsertedServers int
+		expectedGaugeValue         float64
 	}{
 		{
-			desc:                   "healthy server staying healthy",
-			startHealthy:           true,
-			healthSequence:         []bool{true},
-			wantNumRemovedServers:  0,
-			wantNumUpsertedServers: 0,
-			wantGaugeValue:         1,
+			desc:                       "healthy server staying healthy",
+			startHealthy:               true,
+			healthSequence:             []int{http.StatusOK},
+			expectedNumRemovedServers:  0,
+			expectedNumUpsertedServers: 0,
+			expectedGaugeValue:         1,
 		},
 		{
-			desc:                   "healthy server becoming sick",
-			startHealthy:           true,
-			healthSequence:         []bool{false},
-			wantNumRemovedServers:  1,
-			wantNumUpsertedServers: 0,
-			wantGaugeValue:         0,
+			desc:                       "healthy server staying healthy (StatusNoContent)",
+			startHealthy:               true,
+			healthSequence:             []int{http.StatusNoContent},
+			expectedNumRemovedServers:  0,
+			expectedNumUpsertedServers: 0,
+			expectedGaugeValue:         1,
 		},
 		{
-			desc:                   "sick server becoming healthy",
-			startHealthy:           false,
-			healthSequence:         []bool{true},
-			wantNumRemovedServers:  0,
-			wantNumUpsertedServers: 1,
-			wantGaugeValue:         1,
+			desc:                       "healthy server staying healthy (StatusPermanentRedirect)",
+			startHealthy:               true,
+			healthSequence:             []int{http.StatusPermanentRedirect},
+			expectedNumRemovedServers:  0,
+			expectedNumUpsertedServers: 0,
+			expectedGaugeValue:         1,
 		},
 		{
-			desc:                   "sick server staying sick",
-			startHealthy:           false,
-			healthSequence:         []bool{false},
-			wantNumRemovedServers:  0,
-			wantNumUpsertedServers: 0,
-			wantGaugeValue:         0,
+			desc:                       "healthy server becoming sick",
+			startHealthy:               true,
+			healthSequence:             []int{http.StatusServiceUnavailable},
+			expectedNumRemovedServers:  1,
+			expectedNumUpsertedServers: 0,
+			expectedGaugeValue:         0,
 		},
 		{
-			desc:                   "healthy server toggling to sick and back to healthy",
-			startHealthy:           true,
-			healthSequence:         []bool{false, true},
-			wantNumRemovedServers:  1,
-			wantNumUpsertedServers: 1,
-			wantGaugeValue:         1,
+			desc:                       "sick server becoming healthy",
+			startHealthy:               false,
+			healthSequence:             []int{http.StatusOK},
+			expectedNumRemovedServers:  0,
+			expectedNumUpsertedServers: 1,
+			expectedGaugeValue:         1,
+		},
+		{
+			desc:                       "sick server staying sick",
+			startHealthy:               false,
+			healthSequence:             []int{http.StatusServiceUnavailable},
+			expectedNumRemovedServers:  0,
+			expectedNumUpsertedServers: 0,
+			expectedGaugeValue:         0,
+		},
+		{
+			desc:                       "healthy server toggling to sick and back to healthy",
+			startHealthy:               true,
+			healthSequence:             []int{http.StatusServiceUnavailable, http.StatusOK},
+			expectedNumRemovedServers:  1,
+			expectedNumUpsertedServers: 1,
+			expectedGaugeValue:         1,
 		},
 	}
 
-	for _, test := range tests {
+	for _, test := range testCases {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
+
 			// The context is passed to the health check and canonically cancelled by
 			// the test server once all expected requests have been received.
 			ctx, cancel := context.WithCancel(context.Background())
@@ -83,11 +102,12 @@ func TestSetBackendsConfiguration(t *testing.T) {
 			defer ts.Close()
 
 			lb := &testLoadBalancer{RWMutex: &sync.RWMutex{}}
-			backend := NewBackendHealthCheck(Options{
+			backend := NewBackendConfig(Options{
 				Path:     "/path",
 				Interval: healthCheckInterval,
 				LB:       lb,
 			}, "backendName")
+
 			serverURL := testhelpers.MustParseURL(ts.URL)
 			if test.startHealthy {
 				lb.servers = append(lb.servers, serverURL)
@@ -97,11 +117,13 @@ func TestSetBackendsConfiguration(t *testing.T) {
 
 			collectingMetrics := testhelpers.NewCollectingHealthCheckMetrics()
 			check := HealthCheck{
-				Backends: make(map[string]*BackendHealthCheck),
+				Backends: make(map[string]*BackendConfig),
 				metrics:  collectingMetrics,
 			}
+
 			wg := sync.WaitGroup{}
 			wg.Add(1)
+
 			go func() {
 				check.execute(ctx, backend)
 				wg.Done()
@@ -119,83 +141,157 @@ func TestSetBackendsConfiguration(t *testing.T) {
 
 			lb.Lock()
 			defer lb.Unlock()
-			if lb.numRemovedServers != test.wantNumRemovedServers {
-				t.Errorf("got %d removed servers, wanted %d", lb.numRemovedServers, test.wantNumRemovedServers)
-			}
 
-			if lb.numUpsertedServers != test.wantNumUpsertedServers {
-				t.Errorf("got %d upserted servers, wanted %d", lb.numUpsertedServers, test.wantNumUpsertedServers)
-			}
-
-			if collectingMetrics.Gauge.GaugeValue != test.wantGaugeValue {
-				t.Errorf("got %v ServerUp Gauge, want %v", collectingMetrics.Gauge.GaugeValue, test.wantGaugeValue)
-			}
+			assert.Equal(t, test.expectedNumRemovedServers, lb.numRemovedServers, "removed servers")
+			assert.Equal(t, test.expectedNumUpsertedServers, lb.numUpsertedServers, "upserted servers")
+			assert.Equal(t, test.expectedGaugeValue, collectingMetrics.Gauge.GaugeValue, "ServerUp Gauge")
 		})
 	}
 }
 
 func TestNewRequest(t *testing.T) {
-	tests := []struct {
-		desc     string
-		host     string
-		port     int
-		path     string
-		expected string
+	testCases := []struct {
+		desc      string
+		serverURL string
+		options   Options
+		expected  string
 	}{
 		{
-			desc:     "no port override",
-			host:     "backend1:80",
-			port:     0,
-			path:     "/test",
+			desc:      "no port override",
+			serverURL: "http://backend1:80",
+			options: Options{
+				Path: "/test",
+				Port: 0,
+			},
 			expected: "http://backend1:80/test",
 		},
 		{
-			desc:     "port override",
-			host:     "backend2:80",
-			port:     8080,
-			path:     "/test",
+			desc:      "port override",
+			serverURL: "http://backend2:80",
+			options: Options{
+				Path: "/test",
+				Port: 8080,
+			},
 			expected: "http://backend2:8080/test",
 		},
 		{
-			desc:     "no port override with no port in host",
-			host:     "backend1",
-			port:     0,
-			path:     "/health",
+			desc:      "no port override with no port in server URL",
+			serverURL: "http://backend1",
+			options: Options{
+				Path: "/health",
+				Port: 0,
+			},
 			expected: "http://backend1/health",
 		},
 		{
-			desc:     "port override with no port in host",
-			host:     "backend2",
-			port:     8080,
-			path:     "/health",
+			desc:      "port override with no port in server URL",
+			serverURL: "http://backend2",
+			options: Options{
+				Path: "/health",
+				Port: 8080,
+			},
 			expected: "http://backend2:8080/health",
 		},
+		{
+			desc:      "scheme override",
+			serverURL: "https://backend1:80",
+			options: Options{
+				Scheme: "http",
+				Path:   "/test",
+				Port:   0,
+			},
+			expected: "http://backend1:80/test",
+		},
 	}
 
-	for _, test := range tests {
+	for _, test := range testCases {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
-			backend := NewBackendHealthCheck(
-				Options{
-					Path: test.path,
-					Port: test.port,
-				}, "backendName")
 
-			u := &url.URL{
-				Scheme: "http",
-				Host:   test.host,
-			}
+			backend := NewBackendConfig(test.options, "backendName")
+
+			u, err := url.Parse(test.serverURL)
+			require.NoError(t, err)
 
 			req, err := backend.newRequest(u)
-			if err != nil {
-				t.Fatalf("failed to create new backend request: %s", err)
-			}
+			require.NoError(t, err, "failed to create new backend request")
 
-			actual := req.URL.String()
-			if actual != test.expected {
-				t.Fatalf("got %s for healthcheck URL, wanted %s", actual, test.expected)
-			}
+			assert.Equal(t, test.expected, req.URL.String())
+		})
+	}
+}
+
+func TestAddHeadersAndHost(t *testing.T) {
+	testCases := []struct {
+		desc             string
+		serverURL        string
+		options          Options
+		expectedHostname string
+		expectedHeader   string
+	}{
+		{
+			desc:      "override hostname",
+			serverURL: "http://backend1:80",
+			options: Options{
+				Hostname: "myhost",
+				Path:     "/",
+			},
+			expectedHostname: "myhost",
+			expectedHeader:   "",
+		},
+		{
+			desc:      "not override hostname",
+			serverURL: "http://backend1:80",
+			options: Options{
+				Hostname: "",
+				Path:     "/",
+			},
+			expectedHostname: "backend1:80",
+			expectedHeader:   "",
+		},
+		{
+			desc:      "custom header",
+			serverURL: "http://backend1:80",
+			options: Options{
+				Headers:  map[string]string{"Custom-Header": "foo"},
+				Hostname: "",
+				Path:     "/",
+			},
+			expectedHostname: "backend1:80",
+			expectedHeader:   "foo",
+		},
+		{
+			desc:      "custom header with hostname override",
+			serverURL: "http://backend1:80",
+			options: Options{
+				Headers:  map[string]string{"Custom-Header": "foo"},
+				Hostname: "myhost",
+				Path:     "/",
+			},
+			expectedHostname: "myhost",
+			expectedHeader:   "foo",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			backend := NewBackendConfig(test.options, "backendName")
+
+			u, err := url.Parse(test.serverURL)
+			require.NoError(t, err)
+
+			req, err := backend.newRequest(u)
+			require.NoError(t, err, "failed to create new backend request")
+
+			req = backend.addHeadersAndHost(req)
+
+			assert.Equal(t, "http://backend1:80/", req.URL.String())
+			assert.Equal(t, test.expectedHostname, req.Host)
+			assert.Equal(t, test.expectedHeader, req.Header.Get("Custom-Header"))
 		})
 	}
 }
@@ -209,6 +305,10 @@ type testLoadBalancer struct {
 	servers            []*url.URL
 }
 
+func (lb *testLoadBalancer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	// noop
+}
+
 func (lb *testLoadBalancer) RemoveServer(u *url.URL) error {
 	lb.Lock()
 	defer lb.Unlock()
@@ -241,7 +341,7 @@ func (lb *testLoadBalancer) removeServer(u *url.URL) {
 	lb.servers = append(lb.servers[:i], lb.servers[i+1:]...)
 }
 
-func newTestServer(done func(), healthSequence []bool) *httptest.Server {
+func newTestServer(done func(), healthSequence []int) *httptest.Server {
 	handler := &testHandler{
 		done:           done,
 		healthSequence: healthSequence,
@@ -249,21 +349,14 @@ func newTestServer(done func(), healthSequence []bool) *httptest.Server {
 	return httptest.NewServer(handler)
 }
 
-// ServeHTTP returns 200 or 503 HTTP response codes depending on whether the
-// current request is marked as healthy or not.
-// It calls the given 'done' function once all request health indicators have
-// been depleted.
+// ServeHTTP returns HTTP response codes following a status sequences.
+// It calls the given 'done' function once all request health indicators have been depleted.
 func (th *testHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if len(th.healthSequence) == 0 {
 		panic("received unexpected request")
 	}
 
-	healthy := th.healthSequence[0]
-	if healthy {
-		w.WriteHeader(http.StatusOK)
-	} else {
-		w.WriteHeader(http.StatusServiceUnavailable)
-	}
+	w.WriteHeader(th.healthSequence[0])
 
 	th.healthSequence = th.healthSequence[1:]
 	if len(th.healthSequence) == 0 {

hostresolver/hostresolver.go

@@ -0,0 +1,121 @@
+package hostresolver
+
+import (
+	"fmt"
+	"net"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/containous/traefik/log"
+	"github.com/miekg/dns"
+	"github.com/patrickmn/go-cache"
+)
+
+type cnameResolv struct {
+	TTL    time.Duration
+	Record string
+}
+
+type byTTL []*cnameResolv
+
+func (a byTTL) Len() int           { return len(a) }
+func (a byTTL) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byTTL) Less(i, j int) bool { return a[i].TTL > a[j].TTL }
+
+// Resolver used for host resolver
+type Resolver struct {
+	CnameFlattening bool
+	ResolvConfig    string
+	ResolvDepth     int
+	cache           *cache.Cache
+}
+
+// CNAMEFlatten check if CNAME record exists, flatten if possible
+func (hr *Resolver) CNAMEFlatten(host string) (string, string) {
+	if hr.cache == nil {
+		hr.cache = cache.New(30*time.Minute, 5*time.Minute)
+	}
+
+	result := []string{host}
+	request := host
+
+	value, found := hr.cache.Get(host)
+	if found {
+		result = strings.Split(value.(string), ",")
+	} else {
+		var cacheDuration = 0 * time.Second
+
+		for depth := 0; depth < hr.ResolvDepth; depth++ {
+			resolv, err := cnameResolve(request, hr.ResolvConfig)
+			if err != nil {
+				log.Error(err)
+				break
+			}
+			if resolv == nil {
+				break
+			}
+
+			result = append(result, resolv.Record)
+			if depth == 0 {
+				cacheDuration = resolv.TTL
+			}
+			request = resolv.Record
+		}
+
+		hr.cache.Add(host, strings.Join(result, ","), cacheDuration)
+	}
+
+	return result[0], result[len(result)-1]
+}
+
+// cnameResolve resolves CNAME if exists, and return with the highest TTL
+func cnameResolve(host string, resolvPath string) (*cnameResolv, error) {
+	config, err := dns.ClientConfigFromFile(resolvPath)
+	if err != nil {
+		return nil, fmt.Errorf("invalid resolver configuration file: %s", resolvPath)
+	}
+
+	client := &dns.Client{Timeout: 30 * time.Second}
+
+	m := &dns.Msg{}
+	m.SetQuestion(dns.Fqdn(host), dns.TypeCNAME)
+
+	var result []*cnameResolv
+	for _, server := range config.Servers {
+		tempRecord, err := getRecord(client, m, server, config.Port)
+		if err != nil {
+			log.Errorf("Failed to resolve host %s: %v", host, err)
+			continue
+		}
+		result = append(result, tempRecord)
+	}
+
+	if len(result) <= 0 {
+		return nil, nil
+	}
+
+	sort.Sort(byTTL(result))
+	return result[0], nil
+}
+
+func getRecord(client *dns.Client, msg *dns.Msg, server string, port string) (*cnameResolv, error) {
+	resp, _, err := client.Exchange(msg, net.JoinHostPort(server, port))
+	if err != nil {
+		return nil, fmt.Errorf("exchange error for server %s: %v", server, err)
+	}
+
+	if resp == nil || len(resp.Answer) == 0 {
+		return nil, fmt.Errorf("empty answer for server %s", server)
+	}
+
+	rr, ok := resp.Answer[0].(*dns.CNAME)
+	if !ok {
+		return nil, fmt.Errorf("invalid response type for server %s", server)
+	}
+
+	return &cnameResolv{
+		TTL:    time.Duration(rr.Hdr.Ttl) * time.Second,
+		Record: strings.TrimSuffix(rr.Target, "."),
+	}, nil
+}

hostresolver/hostresolver_test.go

@@ -0,0 +1,61 @@
+package hostresolver
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCNAMEFlatten(t *testing.T) {
+	testCase := []struct {
+		desc           string
+		resolvFile     string
+		domain         string
+		expectedDomain string
+		isCNAME        bool
+	}{
+		{
+			desc:           "host request is CNAME record",
+			resolvFile:     "/etc/resolv.conf",
+			domain:         "www.github.com",
+			expectedDomain: "github.com",
+			isCNAME:        true,
+		},
+		{
+			desc:           "resolve file not found",
+			resolvFile:     "/etc/resolv.oops",
+			domain:         "www.github.com",
+			expectedDomain: "www.github.com",
+			isCNAME:        false,
+		},
+		{
+			desc:           "host request is not CNAME record",
+			resolvFile:     "/etc/resolv.conf",
+			domain:         "github.com",
+			expectedDomain: "github.com",
+			isCNAME:        false,
+		},
+	}
+
+	for _, test := range testCase {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			hostResolver := &Resolver{
+				ResolvConfig: test.resolvFile,
+				ResolvDepth:  5,
+			}
+
+			reqH, flatH := hostResolver.CNAMEFlatten(test.domain)
+			assert.Equal(t, test.domain, reqH)
+			assert.Equal(t, test.expectedDomain, flatH)
+
+			if test.isCNAME {
+				assert.NotEqual(t, test.expectedDomain, reqH)
+			} else {
+				assert.Equal(t, test.expectedDomain, reqH)
+			}
+		})
+	}
+}

integration/access_log_test.go

@@ -354,7 +354,7 @@ func (s *AccessLogSuite) TestAccessLogEntrypointRedirect(c *check.C) {
 			formatOnly:   false,
 			code:         "302",
 			user:         "-",
-			frontendName: "entrypoint redirect for frontend-",
+			frontendName: "entrypoint redirect for httpRedirect",
 			backendURL:   "/",
 		},
 		{

integration/acme_test.go

@@ -2,28 +2,41 @@ package integration
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/containous/traefik/integration/try"
+	"github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/testhelpers"
+	"github.com/containous/traefik/types"
 	"github.com/go-check/check"
+	"github.com/miekg/dns"
 	checker "github.com/vdemeester/shakers"
 )
 
 // ACME test suites (using libcompose)
 type AcmeSuite struct {
 	BaseSuite
-	boulderIP string
+	pebbleIP      string
+	fakeDNSServer *dns.Server
 }
 
-// Acme tests configuration
-type AcmeTestCase struct {
-	onDemand            bool
+type acmeTestCase struct {
+	template            templateModel
 	traefikConfFilePath string
-	domainToCheck       string
+	expectedCommonName  string
+	expectedAlgorithm   x509.PublicKeyAlgorithm
+}
+
+type templateModel struct {
+	PortHTTP  string
+	PortHTTPS string
+	Acme      acme.Configuration
 }
 
 const (
@@ -32,142 +45,363 @@ const (
 
 	// Wildcard domain to check
 	wildcardDomain = "*.acme.wtf"
-
-	// Traefik default certificate
-	traefikDefaultDomain = "TRAEFIK DEFAULT CERT"
 )
 
+func (s *AcmeSuite) getAcmeURL() string {
+	return fmt.Sprintf("https://%s:14000/dir", s.pebbleIP)
+}
+
+func setupPebbleRootCA() (*http.Transport, error) {
+	path, err := filepath.Abs("fixtures/acme/ssl/pebble.minica.pem")
+	if err != nil {
+		return nil, err
+	}
+
+	os.Setenv("LEGO_CA_CERTIFICATES", path)
+	os.Setenv("LEGO_CA_SERVER_NAME", "pebble")
+
+	customCAs, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	certPool := x509.NewCertPool()
+	if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
+		return nil, fmt.Errorf("error creating x509 cert pool from %q: %v", path, err)
+	}
+
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{
+			ServerName: "pebble",
+			RootCAs:    certPool,
+		},
+	}, nil
+}
+
 func (s *AcmeSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, "boulder")
+	s.createComposeProject(c, "peddle")
 	s.composeProject.Start(c)
 
-	s.boulderIP = s.composeProject.Container(c, "boulder").NetworkSettings.IPAddress
+	s.fakeDNSServer = startFakeDNSServer()
 
-	// wait for boulder
-	err := try.GetRequest("http://"+s.boulderIP+":4001/directory", 120*time.Second, try.StatusCodeIs(http.StatusOK))
+	s.pebbleIP = s.composeProject.Container(c, "pebble").NetworkSettings.IPAddress
+
+	pebbleTransport, err := setupPebbleRootCA()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// wait for peddle
+	req := testhelpers.MustNewRequest(http.MethodGet, s.getAcmeURL(), nil)
+
+	client := &http.Client{
+		Transport: pebbleTransport,
+	}
+
+	err = try.Do(5*time.Second, func() error {
+		resp, errGet := client.Do(req)
+		if errGet != nil {
+			return errGet
+		}
+		return try.StatusCodeIs(http.StatusOK)(resp)
+	})
 	c.Assert(err, checker.IsNil)
 }
 
 func (s *AcmeSuite) TearDownSuite(c *check.C) {
+	err := s.fakeDNSServer.Shutdown()
+	if err != nil {
+		c.Log(err)
+	}
+
 	// shutdown and delete compose project
 	if s.composeProject != nil {
 		s.composeProject.Stop(c)
 	}
 }
 
-// Test ACME provider with certificate at start
-func (s *AcmeSuite) TestACMEProviderAtStart(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/provideracme/acme.toml",
-		onDemand:            false,
-		domainToCheck:       acmeDomain}
+func (s *AcmeSuite) TestHTTP01DomainsAtStart(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				Domains: types.Domains{types.Domain{
+					Main: "traefik.acme.wtf",
+				}},
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test ACME provider with certificate at start
-func (s *AcmeSuite) TestACMEProviderAtStartInSAN(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/provideracme/acme_insan.toml",
-		onDemand:            false,
-		domainToCheck:       "acme.wtf"}
+func (s *AcmeSuite) TestHTTP01DomainsInSANAtStart(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				Domains: types.Domains{types.Domain{
+					Main: "acme.wtf",
+					SANs: []string{"traefik.acme.wtf"},
+				}},
+			},
+		},
+		expectedCommonName: "acme.wtf",
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test ACME provider with certificate at start
-func (s *AcmeSuite) TestACMEProviderOnHost(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/provideracme/acme_onhost.toml",
-		onDemand:            false,
-		domainToCheck:       acmeDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRule(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test ACME provider with certificate at start and no ACME challenge
-func (s *AcmeSuite) TestACMEProviderOnHostWithNoACMEChallenge(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/no_challenge_acme.toml",
-		onDemand:            false,
-		domainToCheck:       traefikDefaultDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+				KeyType:       "EC384",
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.ECDSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test OnDemand option with none provided certificate and challenge HTTP-01
-func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateHTTP01(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
-		onDemand:            true,
-		domainToCheck:       acmeDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+				KeyType:       "INVALID",
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test OnHostRule option with none provided certificate and challenge HTTP-01
-func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_http01.toml",
-		onDemand:            false,
-		domainToCheck:       acmeDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRuleWithPath(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_http01_web_path.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test OnHostRule option with none provided certificate and challenge HTTP-01 and web path
-func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateHTTP01WithPath(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_http01_web.toml",
-		onDemand:            false,
-		domainToCheck:       acmeDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRuleStaticCertificatesWithWildcard(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+			},
+		},
+		expectedCommonName: wildcardDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test OnDemand option with a wildcard provided certificate
-func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithWildcard(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
-		onDemand:            true,
-		domainToCheck:       wildcardDomain}
+func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnHostRule:    true,
+			},
+		},
+		expectedCommonName: wildcardDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test onHostRule option with a wildcard provided certificate
-func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithWildcard(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_provided.toml",
-		onDemand:            false,
-		domainToCheck:       wildcardDomain}
+func (s *AcmeSuite) TestHTTP01OnDemand(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnDemand:      true,
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test OnDemand option with a wildcard provided certificate
-func (s *AcmeSuite) TestOnDemandRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
-		onDemand:            true,
-		domainToCheck:       wildcardDomain}
+func (s *AcmeSuite) TestHTTP01OnDemandStaticCertificatesWithWildcard(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnDemand:      true,
+			},
+		},
+		expectedCommonName: wildcardDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test onHostRule option with a wildcard provided certificate
-func (s *AcmeSuite) TestOnHostRuleRetrieveAcmeCertificateWithDynamicWildcard(c *check.C) {
-	testCase := AcmeTestCase{
-		traefikConfFilePath: "fixtures/acme/acme_provided_dynamic.toml",
-		onDemand:            false,
-		domainToCheck:       wildcardDomain}
+func (s *AcmeSuite) TestHTTP01OnDemandDynamicCertificatesWithWildcard(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+				OnDemand:      true,
+			},
+		},
+		expectedCommonName: wildcardDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01OnHostRule(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				TLSChallenge: &acme.TLSChallenge{},
+				OnHostRule:   true,
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01OnDemand(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				TLSChallenge: &acme.TLSChallenge{},
+				OnDemand:     true,
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01DomainsAtStart(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				TLSChallenge: &acme.TLSChallenge{},
+				Domains: types.Domains{types.Domain{
+					Main: "traefik.acme.wtf",
+				}},
+			},
+		},
+		expectedCommonName: acmeDomain,
+		expectedAlgorithm:  x509.RSA,
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01DomainsInSANAtStart(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_base.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				TLSChallenge: &acme.TLSChallenge{},
+				Domains: types.Domains{types.Domain{
+					Main: "acme.wtf",
+					SANs: []string{"traefik.acme.wtf"},
+				}},
+			},
+		},
+		expectedCommonName: "acme.wtf",
+		expectedAlgorithm:  x509.RSA,
+	}
+
+	s.retrieveAcmeCertificate(c, testCase)
+}
+
+func (s *AcmeSuite) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart(c *check.C) {
+	testCase := acmeTestCase{
+		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
+		template: templateModel{
+			Acme: acme.Configuration{
+				TLSChallenge: &acme.TLSChallenge{},
+				Domains: types.Domains{types.Domain{
+					Main: "traefik.acme.wtf",
+				}},
+			},
+		},
+		expectedCommonName: "traefik.acme.wtf",
+		expectedAlgorithm:  x509.RSA,
+	}
 
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
 // Test Let's encrypt down
 func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
-	cmd, display := s.traefikCmd(withConfigFile("fixtures/acme/wrong_acme.toml"))
+	file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
+		Acme: acme.Configuration{
+			CAServer:      "http://wrongurl:4001/directory",
+			HTTPChallenge: &acme.HTTPChallenge{EntryPoint: "http"},
+			OnHostRule:    true,
+		},
+	})
+	defer os.Remove(file)
+
+	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
@@ -179,15 +413,20 @@ func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
 }
 
 // Doing an HTTPS request and test the response certificate
-func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
-	file := s.adaptFile(c, testCase.traefikConfFilePath, struct {
-		BoulderHost          string
-		OnDemand, OnHostRule bool
-	}{
-		BoulderHost: s.boulderIP,
-		OnDemand:    testCase.onDemand,
-		OnHostRule:  !testCase.onDemand,
-	})
+func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
+	if len(testCase.template.PortHTTP) == 0 {
+		testCase.template.PortHTTP = ":5002"
+	}
+
+	if len(testCase.template.PortHTTPS) == 0 {
+		testCase.template.PortHTTPS = ":5001"
+	}
+
+	if len(testCase.template.Acme.CAServer) == 0 {
+		testCase.template.Acme.CAServer = s.getAcmeURL()
+	}
+
+	file := s.adaptFile(c, testCase.traefikConfFilePath, testCase.template)
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -201,10 +440,11 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	backend := startTestServer("9010", http.StatusOK)
 	defer backend.Close()
 
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
 	}
-	client := &http.Client{Transport: tr}
 
 	// wait for traefik (generating acme account take some seconds)
 	err = try.Do(90*time.Second, func() error {
@@ -213,13 +453,14 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	})
 	c.Assert(err, checker.IsNil)
 
-	tr = &http.Transport{
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-			ServerName:         acmeDomain,
+	client = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+				ServerName:         acmeDomain,
+			},
 		},
 	}
-	client = &http.Client{Transport: tr}
 
 	req := testhelpers.MustNewRequest(http.MethodGet, "https://127.0.0.1:5001/", nil)
 	req.Host = acmeDomain
@@ -240,8 +481,8 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 		}
 
 		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn != testCase.domainToCheck {
-			return fmt.Errorf("domain %s found instead of %s", cn, testCase.domainToCheck)
+		if cn != testCase.expectedCommonName {
+			return fmt.Errorf("domain %s found instead of %s", cn, testCase.expectedCommonName)
 		}
 
 		return nil
@@ -250,5 +491,6 @@ func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase AcmeTestCase) {
 	c.Assert(err, checker.IsNil)
 	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
 	// Check Domain into response certificate
-	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.domainToCheck)
+	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Equals, testCase.expectedCommonName)
+	c.Assert(resp.TLS.PeerCertificates[0].PublicKeyAlgorithm, checker.Equals, testCase.expectedAlgorithm)
 }

integration/basic_test.go

@@ -28,7 +28,7 @@ func (s *SimpleSuite) TestInvalidConfigShouldFail(c *check.C) {
 		actual := output.String()
 
 		if !strings.Contains(actual, expected) {
-			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+			return fmt.Errorf("got %s, wanted %s", actual, expected)
 		}
 
 		return nil
@@ -72,7 +72,7 @@ func (s *SimpleSuite) TestDefaultEntryPoints(c *check.C) {
 		actual := output.String()
 
 		if !strings.Contains(actual, expected) {
-			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+			return fmt.Errorf("got %s, wanted %s", actual, expected)
 		}
 
 		return nil
@@ -93,10 +93,10 @@ func (s *SimpleSuite) TestPrintHelp(c *check.C) {
 		actual := output.String()
 
 		if strings.Contains(actual, notExpected) {
-			return fmt.Errorf("Got %s", actual)
+			return fmt.Errorf("got %s", actual)
 		}
 		if !strings.Contains(actual, expected) {
-			return fmt.Errorf("Got %s, wanted %s", actual, expected)
+			return fmt.Errorf("got %s, wanted %s", actual, expected)
 		}
 
 		return nil

integration/consul_catalog_test.go

@@ -501,7 +501,7 @@ func (s *ConsulCatalogSuite) TestRefreshConfigPortChange(c *check.C) {
 }
 
 func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
-	//Scale consul to 0 to be able to start traefik before and test retry
+	// Scale consul to 0 to be able to start traefik before and test retry
 	s.composeProject.Scale(c, "consul", 0)
 
 	cmd, display := s.traefikCmd(
@@ -547,7 +547,7 @@ func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
 }
 
 func (s *ConsulCatalogSuite) TestServiceWithMultipleHealthCheck(c *check.C) {
-	//Scale consul to 0 to be able to start traefik before and test retry
+	// Scale consul to 0 to be able to start traefik before and test retry
 	s.composeProject.Scale(c, "consul", 0)
 
 	cmd, display := s.traefikCmd(

integration/consul_test.go

@@ -282,7 +282,7 @@ func (s *ConsulSuite) TestGlobalConfiguration(c *check.C) {
 	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
-	//check
+	// check
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8001/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
@@ -469,7 +469,7 @@ func datastoreContains(datastore *cluster.Datastore, expectedValue string) func(
 	return func() error {
 		kvStruct := datastore.Get().(*TestStruct)
 		if kvStruct.String != expectedValue {
-			return fmt.Errorf("Got %s, wanted %s", kvStruct.String, expectedValue)
+			return fmt.Errorf("got %s, wanted %s", kvStruct.String, expectedValue)
 		}
 		return nil
 	}

integration/docker_compose_test.go

@@ -41,7 +41,7 @@ func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
 
 	s.composeProject.Scale(c, composeService, serviceCount)
 
-	file := s.adaptFileForHost(c, "fixtures/docker/simple.toml")
+	file := s.adaptFileForHost(c, "fixtures/docker/minimal.toml")
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))

integration/error_pages_test.go

@@ -49,7 +49,7 @@ func (s *ErrorPagesSuite) TestSimpleConfiguration(c *check.C) {
 
 func (s *ErrorPagesSuite) TestErrorPage(c *check.C) {
 
-	//error.toml contains a mis-configuration of the backend host
+	// error.toml contains a mis-configuration of the backend host
 	file := s.adaptFile(c, "fixtures/error_pages/error.toml", struct {
 		Server1 string
 		Server2 string

integration/etcd3_test.go

@@ -280,7 +280,7 @@ func (s *Etcd3Suite) TestGlobalConfiguration(c *check.C) {
 	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Path:/test"))
 	c.Assert(err, checker.IsNil)
 
-	//check
+	// check
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8001/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "test.localhost"
@@ -298,7 +298,7 @@ func (s *Etcd3Suite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
 		"--etcd.useAPIV3=true")
 	defer display(c)
 
-	//Copy the contents of the certificate files into ETCD
+	// Copy the contents of the certificate files into ETCD
 	snitestComCert, err := ioutil.ReadFile("fixtures/https/snitest.com.cert")
 	c.Assert(err, checker.IsNil)
 	snitestComKey, err := ioutil.ReadFile("fixtures/https/snitest.com.key")
@@ -376,7 +376,7 @@ func (s *Etcd3Suite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
 	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 60*time.Second, try.BodyContains("Host:snitest.org"))
 	c.Assert(err, checker.IsNil)
 
-	//check
+	// check
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: true,
 		ServerName:         "snitest.com",
@@ -406,7 +406,7 @@ func (s *Etcd3Suite) TestCommandStoreConfig(c *check.C) {
 	// wait for traefik finish without error
 	cmd.Wait()
 
-	//CHECK
+	// CHECK
 	checkmap := map[string]string{
 		"/traefik/loglevel":                 "DEBUG",
 		"/traefik/defaultentrypoints/0":     "http",

integration/fake_dns_server.go

@@ -0,0 +1,114 @@
+package integration
+
+import (
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/containous/traefik/log"
+	"github.com/miekg/dns"
+)
+
+type handler struct{}
+
+// ServeDNS a fake DNS server
+// Simplified version of the Challenge Test Server from Boulder
+// https://github.com/letsencrypt/boulder/blob/a6597b9f120207eff192c3e4107a7e49972a0250/test/challtestsrv/dnsone.go#L40
+func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	m := new(dns.Msg)
+	m.SetReply(r)
+	m.Compress = false
+
+	fakeDNS := os.Getenv("DOCKER_HOST_IP")
+	if fakeDNS == "" {
+		fakeDNS = "127.0.0.1"
+	}
+	for _, q := range r.Question {
+		log.Printf("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])
+
+		switch q.Qtype {
+		case dns.TypeA:
+			record := new(dns.A)
+			record.Hdr = dns.RR_Header{
+				Name:   q.Name,
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+				Ttl:    0,
+			}
+			record.A = net.ParseIP(fakeDNS)
+
+			m.Answer = append(m.Answer, record)
+		case dns.TypeCAA:
+			addCAARecord := true
+
+			var value string
+			switch q.Name {
+			case "bad-caa-reserved.com.":
+				value = "sad-hacker-ca.invalid"
+			case "good-caa-reserved.com.":
+				value = "happy-hacker-ca.invalid"
+			case "accounturi.good-caa-reserved.com.":
+				uri := os.Getenv("ACCOUNT_URI")
+				value = fmt.Sprintf("happy-hacker-ca.invalid; accounturi=%s", uri)
+			case "recheck.good-caa-reserved.com.":
+				// Allow issuance when we're running in the past
+				// (under FAKECLOCK), otherwise deny issuance.
+				if os.Getenv("FAKECLOCK") != "" {
+					value = "happy-hacker-ca.invalid"
+				} else {
+					value = "sad-hacker-ca.invalid"
+				}
+			case "dns-01-only.good-caa-reserved.com.":
+				value = "happy-hacker-ca.invalid; validationmethods=dns-01"
+			case "http-01-only.good-caa-reserved.com.":
+				value = "happy-hacker-ca.invalid; validationmethods=http-01"
+			case "dns-01-or-http-01.good-caa-reserved.com.":
+				value = "happy-hacker-ca.invalid; validationmethods=dns-01,http-01"
+			default:
+				addCAARecord = false
+			}
+			if addCAARecord {
+				record := new(dns.CAA)
+				record.Hdr = dns.RR_Header{
+					Name:   q.Name,
+					Rrtype: dns.TypeCAA,
+					Class:  dns.ClassINET,
+					Ttl:    0,
+				}
+				record.Tag = "issue"
+				record.Value = value
+				m.Answer = append(m.Answer, record)
+			}
+		}
+	}
+
+	auth := new(dns.SOA)
+	auth.Hdr = dns.RR_Header{Name: "boulder.invalid.", Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: 0}
+	auth.Ns = "ns.boulder.invalid."
+	auth.Mbox = "master.boulder.invalid."
+	auth.Serial = 1
+	auth.Refresh = 1
+	auth.Retry = 1
+	auth.Expire = 1
+	auth.Minttl = 1
+	m.Ns = append(m.Ns, auth)
+
+	w.WriteMsg(m)
+}
+
+func startFakeDNSServer() *dns.Server {
+	srv := &dns.Server{
+		Addr:    ":5053",
+		Net:     "udp",
+		Handler: &handler{},
+	}
+
+	go func() {
+		log.Infof("Start a fake DNS server.")
+		if err := srv.ListenAndServe(); err != nil {
+			log.Fatalf("Failed to set udp listener %v", err)
+		}
+	}()
+
+	return srv
+}

integration/fixtures/acme/acme_base.toml

@@ -4,26 +4,37 @@ defaultEntryPoints = ["http", "https"]
 
 [entryPoints]
   [entryPoints.http]
-  address = ":5002"
+  address = "{{ .PortHTTP }}"
   [entryPoints.https]
-  address = ":5001"
+  address = "{{ .PortHTTPS }}"
     [entryPoints.https.tls]
 
-
 [acme]
   email = "test@traefik.io"
   storage = "/tmp/acme.json"
   entryPoint = "https"
   acmeLogging = true
-  onDemand = false
-  onHostRule = false
-  caServer = "http://{{.BoulderHost}}:4001/directory"
-  [acme.httpChallenge]
-  entryPoint="http"
-  [[acme.domains]]
-  main = "acme.wtf"
-  sans = [ "traefik.acme.wtf" ]
+  onDemand = {{ .Acme.OnDemand }}
+  onHostRule = {{ .Acme.OnHostRule }}
+  keyType = "{{ .Acme.KeyType }}"
+  caServer = "{{ .Acme.CAServer }}"
 
+  {{if .Acme.HTTPChallenge }}
+  [acme.httpChallenge]
+    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{if .Acme.TLSChallenge }}
+  [acme.tlsChallenge]
+  {{end}}
+
+  {{range .Acme.Domains}}
+  [[acme.domains]]
+    main = "{{ .Main }}"
+    sans = [{{range .SANs }}
+      "{{.}}",
+      {{end}}]
+  {{end}}
 
 [api]
 
@@ -39,4 +50,4 @@ defaultEntryPoints = ["http", "https"]
   [frontends.frontend]
   backend = "backend"
     [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"
+    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_http01.toml

@@ -1,37 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":5002"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-acmeLogging = true
-onDemand = {{.OnDemand}}
-onHostRule = {{.OnHostRule}}
-caServer = "http://{{.BoulderHost}}:4001/directory"
-  [acme.httpchallenge]
-  entrypoint="http"
-
-[file]
-
-[backends]
-  [backends.backend]
-    [backends.backend.servers.server1]
-    url = "http://127.0.0.1:9010"
-    weight = 1
-
-
-[frontends]
-  [frontends.frontend]
-  backend = "backend"
-    [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_http01_web.toml

@@ -1,38 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":5002"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-acmeLogging = true
-onDemand = {{.OnDemand}}
-onHostRule = {{.OnHostRule}}
-caServer = "http://{{.BoulderHost}}:4001/directory"
-  [acme.httpchallenge]
-  entrypoint="http"
-
-[web]
-path="/traefik"
-
-[file]
-
-[backends]
-  [backends.backend]
-    [backends.backend.servers.server1]
-    url = "http://127.0.0.1:9010"
-    weight = 1
-
-[frontends]
-  [frontends.frontend]
-  backend = "backend"
-    [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_http01_web_path.toml

@@ -4,27 +4,36 @@ defaultEntryPoints = ["http", "https"]
 
 [entryPoints]
   [entryPoints.http]
-  address = ":5002"
+  address = "{{ .PortHTTP }}"
   [entryPoints.https]
-  address = ":5001"
+  address = "{{ .PortHTTPS }}"
     [entryPoints.https.tls]
 
-
 [acme]
   email = "test@traefik.io"
   storage = "/tmp/acme.json"
   entryPoint = "https"
   acmeLogging = true
-  onDemand = {{.OnDemand}}
-  onHostRule = {{.OnHostRule}}
-  caServer = "http://{{.BoulderHost}}:4001/directory"
+  onDemand = {{ .Acme.OnDemand }}
+  onHostRule = {{ .Acme.OnHostRule }}
+  keyType = "{{ .Acme.KeyType }}"
+  caServer = "{{ .Acme.CAServer }}"
+
+  {{if .Acme.HTTPChallenge }}
   [acme.httpChallenge]
-  entryPoint="http"
+    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{range .Acme.Domains}}
   [[acme.domains]]
-  main = "traefik.acme.wtf"
+    main = "{{ .Main }}"
+    sans = [{{range .SANs }}
+      "{{.}}",
+      {{end}}]
+  {{end}}
 
-
-[api]
+[web]
+path="/traefik"
 
 [file]
 
@@ -38,4 +47,4 @@ defaultEntryPoints = ["http", "https"]
   [frontends.frontend]
   backend = "backend"
     [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"
+    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_provided.toml

@@ -1,39 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":5002"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-      certFile = "fixtures/acme/ssl/wildcard.crt"
-      keyFile = "fixtures/acme/ssl/wildcard.key"
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-acmeLogging = true
-onDemand = {{.OnDemand}}
-onHostRule = {{.OnHostRule}}
-caServer = "http://{{.BoulderHost}}:4001/directory"
-[acme.httpChallenge]
-entryPoint="http"
-
-[file]
-
-[backends]
-  [backends.backend]
-    [backends.backend.servers.server1]
-    url = "http://127.0.0.1:9010"
-    weight = 1
-
-
-[frontends]
-  [frontends.frontend]
-  backend = "backend"
-    [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_provided_dynamic.toml

@@ -1,26 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":5002"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-acmeLogging = true
-onDemand = {{.OnDemand}}
-onHostRule = {{.OnHostRule}}
-caServer = "http://{{.BoulderHost}}:4001/directory"
-[acme.httpChallenge]
-entryPoint="http"
-
-[file]
-filename = "fixtures/acme/certificates.toml"
-watch = true

integration/fixtures/acme/acme_tls.toml

@@ -0,0 +1,56 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = "{{ .PortHTTP }}"
+  [entryPoints.https]
+  address = "{{ .PortHTTPS }}"
+    [entryPoints.https.tls]
+      [[entryPoints.https.tls.certificates]]
+      certFile = "fixtures/acme/ssl/wildcard.crt"
+      keyFile = "fixtures/acme/ssl/wildcard.key"
+
+[acme]
+  email = "test@traefik.io"
+  storage = "/tmp/acme.json"
+  entryPoint = "https"
+  acmeLogging = true
+  onDemand = {{ .Acme.OnDemand }}
+  onHostRule = {{ .Acme.OnHostRule }}
+  keyType = "{{ .Acme.KeyType }}"
+  caServer = "{{ .Acme.CAServer }}"
+
+  {{if .Acme.HTTPChallenge }}
+  [acme.httpChallenge]
+    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{if .Acme.TLSChallenge }}
+  [acme.tlsChallenge]
+  {{end}}
+
+  {{range .Acme.Domains}}
+  [[acme.domains]]
+    main = "{{ .Main }}"
+    sans = [{{range .SANs }}
+      "{{.}}",
+      {{end}}]
+  {{end}}
+
+[api]
+
+[file]
+
+[backends]
+  [backends.backend]
+    [backends.backend.servers.server1]
+    url = "http://127.0.0.1:9010"
+    weight = 1
+
+[frontends]
+  [frontends.frontend]
+  backend = "backend"
+    [frontends.frontend.routes.test]
+    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/acme_tls_dynamic.toml

@@ -0,0 +1,39 @@
+logLevel = "DEBUG"
+
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = "{{ .PortHTTP }}"
+  [entryPoints.https]
+  address = "{{ .PortHTTPS }}"
+    [entryPoints.https.tls]
+
+[acme]
+  email = "test@traefik.io"
+  storage = "/tmp/acme.json"
+  entryPoint = "https"
+  acmeLogging = true
+  onDemand = {{ .Acme.OnDemand }}
+  onHostRule = {{ .Acme.OnHostRule }}
+  keyType = "{{ .Acme.KeyType }}"
+  caServer = "{{ .Acme.CAServer }}"
+
+  {{if .Acme.HTTPChallenge }}
+  [acme.httpChallenge]
+    entryPoint = "{{ .Acme.HTTPChallenge.EntryPoint }}"
+  {{end}}
+
+  {{range .Acme.Domains}}
+  [[acme.domains]]
+    main = "{{ .Main }}"
+    sans = [{{range .SANs }}
+      "{{.}}",
+      {{end}}]
+  {{end}}
+
+[api]
+
+[file]
+filename = "fixtures/acme/certificates.toml"
+watch = true

integration/fixtures/acme/no_challenge_acme.toml

@@ -1,37 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[api]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":8081"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-onHostRule = true
-acmeLogging = true
-caServer = "http://{{.BoulderHost}}:4001/directory"
-# No challenge defined
-
-[file]
-
-[backends]
-  [backends.backend]
-    [backends.backend.servers.server1]
-    url = "http://127.0.0.1:9010"
-    weight = 1
-
-
-[frontends]
-  [frontends.frontend]
-  backend = "backend"
-    [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"

integration/fixtures/acme/ssl/pebble.minica.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIIJOLbes8sTr4wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMjRlMmRiMCAXDTE3MTIwNjE5NDIxMFoYDzIxMTcx
+MjA2MTk0MjEwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAyNGUyZGIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5WgZNoVJandj43kkLyU50vzCZ
+alozvdRo3OFiKoDtmqKPNWRNO2hC9AUNxTDJco51Yc42u/WV3fPbbhSznTiOOVtn
+Ajm6iq4I5nZYltGGZetGDOQWr78y2gWY+SG078MuOO2hyDIiKtVc3xiXYA+8Hluu
+9F8KbqSS1h55yxZ9b87eKR+B0zu2ahzBCIHKmKWgc6N13l7aDxxY3D6uq8gtJRU0
+toumyLbdzGcupVvjbjDP11nl07RESDWBLG1/g3ktJvqIa4BWgU2HMh4rND6y8OD3
+Hy3H8MY6CElL+MOCbFJjWqhtOxeFyZZV9q3kYnk9CAuQJKMEGuN4GU6tzhW1AgMB
+AAGjRTBDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAF85v
+d40HK1ouDAtWeO1PbnWfGEmC5Xa478s9ddOd9Clvp2McYzNlAFfM7kdcj6xeiNhF
+WPIfaGAi/QdURSL/6C1KsVDqlFBlTs9zYfh2g0UXGvJtj1maeih7zxFLvet+fqll
+xseM4P9EVJaQxwuK/F78YBt0tCNfivC6JNZMgxKF59h0FBpH70ytUSHXdz7FKwix
+Mfn3qEb9BXSk0Q3prNV5sOV3vgjEtB4THfDxSz9z3+DepVnW3vbbqwEbkXdk3j82
+2muVldgOUgTwK8eT+XdofVdntzU/kzygSAtAQwLJfn51fS1GvEcYGBc1bDryIqmF
+p9BI7gVKtWSZYegicA==
+-----END CERTIFICATE-----

integration/fixtures/acme/wrong_acme.toml

@@ -1,36 +0,0 @@
-logLevel = "DEBUG"
-
-defaultEntryPoints = ["http", "https"]
-
-[api]
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":8081"
-  [entryPoints.https]
-  address = ":5001"
-    [entryPoints.https.tls]
-
-
-[acme]
-email = "test@traefik.io"
-storage = "/tmp/acme.json"
-entryPoint = "https"
-acmeLogging = true
-onHostRule = true
-caServer = "http://wrongurl:4001/directory"
-
-[file]
-
-[backends]
-  [backends.backend]
-    [backends.backend.servers.server1]
-    url = "http://127.0.0.1:9010"
-    weight = 1
-
-
-[frontends]
-  [frontends.frontend]
-  backend = "backend"
-    [frontends.frontend.routes.test]
-    rule = "Host:traefik.acme.wtf"

integration/fixtures/docker/minimal.toml

@@ -0,0 +1,14 @@
+defaultEntryPoints = ["http"]
+
+logLevel = "DEBUG"
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8000"
+
+[api]
+
+[docker]
+endpoint = "{{.DockerHost}}"
+domain = "docker.localhost"
+exposedByDefault = false

integration/fixtures/docker/simple.toml

@@ -9,9 +9,6 @@ logLevel = "DEBUG"
 [api]
 
 [docker]
-
-# It's dynamagic !
 endpoint = "{{.DockerHost}}"
-
 domain = "docker.localhost"
 exposedByDefault = true

integration/fixtures/grpc/config_h2c.toml

@@ -0,0 +1,24 @@
+defaultEntryPoints = ["http"]
+
+debug=true
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8081"
+
+[api]
+
+[file]
+
+[backends]
+  [backends.backend1]
+    [backends.backend1.servers.server1]
+    url = "h2c://127.0.0.1:{{ .GRPCServerPort }}"
+    weight = 1
+
+
+[frontends]
+  [frontends.frontend1]
+  backend = "backend1"
+    [frontends.frontend1.routes.test_1]
+    rule = "Host:127.0.0.1"