chore: fix PyYAML version

.dockerignore

@@ -1,5 +1,3 @@
 dist/
 !dist/traefik
 site/
-vendor/
-/traefik

.gitattributes

@@ -1 +0,0 @@
-# vendor/github.com/go-acme/lego/providers/dns/cloudxns/cloudxns.go eol=crlf

.github/CODEOWNERS

@@ -0,0 +1,24 @@
+provider/kubernetes/**  @containous/kubernetes
+provider/rancher/**     @containous/rancher
+provider/marathon/**    @containous/marathon
+provider/docker/**      @containous/docker
+
+docs/user-guide/kubernetes.md       @containous/kubernetes
+docs/user-guide/marathon.md         @containous/marathon
+docs/user-guide/swarm.md            @containous/docker
+docs/user-guide/swarm-mode.md       @containous/docker
+
+docs/configuration/backends/docker.md       @containous/docker
+docs/configuration/backends/kubernetes.md   @containous/kubernetes
+docs/configuration/backends/marathon.md     @containous/marathon
+docs/configuration/backends/rancher.md      @containous/rancher
+
+examples/k8s/                   @containous/kubernetes
+examples/compose-k8s.yaml       @containous/kubernetes
+examples/k8s.namespace.yaml     @containous/kubernetes
+examples/compose-rancher.yml    @containous/rancher
+examples/compose-marathon.yml   @containous/marathon
+
+vendor/github.com/gambol99/go-marathon  @containous/marathon
+vendor/github.com/rancher               @containous/rancher
+vendor/k8s.io/                          @containous/kubernetes

.github/ISSUE_TEMPLATE.md

@@ -2,10 +2,10 @@
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
 The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
+For end-user related support questions, refer to one of the following:
 
 - Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community Slack channel: https://traefik.herokuapp.com
 
 -->
 
@@ -23,9 +23,9 @@ If you intend to ask a support question: DO NOT FILE AN ISSUE.
 HOW TO WRITE A GOOD ISSUE?
 
 - Respect the issue template as much as possible.
-- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
 - The context should lead to something, an idea or a problem that you’re facing.
 - Remain clear and concise.
 - Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
@@ -46,10 +46,6 @@ HOW TO WRITE A GOOD ISSUE?
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
-
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -66,7 +62,7 @@ Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output at DEBUG level (`--logLevel=DEBUG` switch)
+### If applicable, please paste the log output in debug mode (`--debug` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,78 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Bug
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
-- Respect the issue template as much as possible.
-- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
--->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
--->
-
-
-### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
-
-```
-(paste your output here)
-```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,37 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- If possible, use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->

.github/ISSUE_TEMPLATE/bugs.md

@@ -0,0 +1,68 @@
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://traefik.herokuapp.com
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Bug
+
+### What did you do?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as much as possible.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+
+### What did you expect to see?
+
+
+
+### What did you see instead?
+
+
+
+### Output of `traefik version`: (_What version of Traefik are you using?_)
+
+<!--
+For the Traefik Docker image:
+    docker run [IMAGE] version
+    ex: docker run traefik version
+-->
+
+```
+(paste your output here)
+```
+
+### What is your environment & configuration (arguments, toml, provider, platform, ...)?
+
+```toml
+# (paste your configuration here)
+```
+
+<!--
+Add more configuration information here.
+-->
+
+
+### If applicable, please paste the log output in debug mode (`--debug` switch)
+
+```
+(paste your output here)
+```

.github/ISSUE_TEMPLATE/features.md

@@ -0,0 +1,32 @@
+<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://traefik.herokuapp.com
+
+-->
+
+
+### Do you want to request a *feature* or report a *bug*?
+
+Feature
+
+### What did you expect to see?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as much as possible.
+- If it's possible use the command `traefik bug`. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,7 +12,7 @@ HOW TO WRITE A GOOD PULL REQUEST?
 - Write useful descriptions and titles.
 - Address review comments in terms of additional commits.
 - Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/traefik/traefik/blob/master/CONTRIBUTING.md.
+- Read the contributing guide: https://github.com/containous/traefik/blob/master/.github/CONTRIBUTING.md.
 
 -->
 

.gitignore

@@ -1,21 +1,14 @@
+/dist
+/autogen/genstatic/gen.go
 .idea/
 .intellij/
 *.iml
-.vscode/
-.DS_Store
-/static/
-/autogen/genstatic/gen.go
-/webui/.tmp/
-/examples/acme/acme.json
-/site/
-/docs/site/
-/traefik.toml
-/traefik.yml
-/dist
 /traefik
+/traefik.toml
+/static/
+.vscode/
+/site/
 *.log
 *.exe
-cover.out
-vendor/
-plugins-storage/
-traefik_changelog.md
+.DS_Store
+/examples/acme/acme.json

.semaphoreci/cleanup.sh

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static

.semaphoreci/golang.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-curl -O https://dl.google.com/go/go1.14.linux-amd64.tar.gz
-
-tar -xvf go1.14.linux-amd64.tar.gz
-rm -rf go1.14.linux-amd64.tar.gz
-
-sudo mkdir -p /usr/local/golang/1.14/go
-sudo mv go /usr/local/golang/1.14/
-
-sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/1.14/go/bin/go
-sudo ln -s /usr/local/golang/1.14/go/bin/go /usr/local/bin/go
-
-export GOROOT="/usr/local/golang/1.14/go"
-export GOTOOLDIR="/usr/local/golang/1.14/go/pkg/tool/linux_amd64"
-
-go version

.semaphoreci/job1.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

.semaphoreci/job2.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j${N_MAKE_JOBS} crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,16 +1,11 @@
 #!/usr/bin/env bash
 set -e
 
-export DOCKER_VERSION=18.09.7
+sudo -E apt-get -yq update
+sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*
+docker version
 
-source .semaphoreci/vars
+pip install --user -r requirements.txt
 
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R); fi
-
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-
-if [ -n "$SHOULD_TEST" ]; then  docker version; fi
+make pull-images
+ci_retry make validate

.semaphoreci/tests.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+make test-unit
+ci_retry make test-integration
+make -j${N_MAKE_JOBS} crossbinary-default-parallel

.semaphoreci/vars

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-export REPO='traefik/traefik'
+export REPO='containous/traefik'
 
 if VERSION=$(git describe --exact-match --abbrev=0 --tags);
 then
@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=maroilles
+export CODENAME=cancoillotte
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,13 +11,11 @@ env:
   global:
     - REPO: $TRAVIS_REPO_SLUG
     - VERSION: $TRAVIS_TAG
-    - CODENAME: maroilles
+    - CODENAME: cancoillotte
     - N_MAKE_JOBS: 2
-    - DOCS_VERIFY_SKIP: true
 
 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
-- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs-verify; fi
 
 before_deploy:
   - >
@@ -26,15 +24,14 @@ before_deploy:
       sudo -E apt-get -yq update;
       sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
       docker version;
-      echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
       make image;
       if [ "$TRAVIS_TAG" ]; then
         make -j${N_MAKE_JOBS} crossbinary-parallel;
         tar cfz dist/traefik-${VERSION}.src.tar.gz --exclude-vcs --exclude dist .;
       fi;
-      curl -sfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b "${GOPATH}/bin" ${MIXTUS_VERSION}
-      structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --exp-branch=master --force-edit-url --debug;
+      curl -sI https://github.com/containous/structor/releases/latest | grep -Fi Location  | tr -d '\r' | sed "s/tag/download/g" | awk -F " " '{ print $2 "/structor_linux-amd64"}' | wget --output-document=$GOPATH/bin/structor -i -;
+      chmod +x $GOPATH/bin/structor;
+      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/master/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --exp-branch=master --debug;
     fi
 deploy:
   - provider: releases
@@ -43,17 +40,24 @@ deploy:
     skip_cleanup: true
     file_glob: true
     on:
-      repo: traefik/traefik
+      repo: containous/traefik
       tags: true
   - provider: script
     script: sh script/deploy.sh
     skip_cleanup: true
     on:
-      repo: traefik/traefik
+      repo: containous/traefik
       tags: true
   - provider: script
-    script: mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+    script: sh script/deploy-docker.sh
     skip_cleanup: true
     on:
-      repo: traefik/traefik
+      repo: containous/traefik
+  - provider: pages
+    edge: false
+    github_token: ${GITHUB_TOKEN}
+    local_dir: site
+    skip_cleanup: true
+    on:
+      repo: containous/traefik
       all_branches: true

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at contact@traefik.io
+reported by contacting the project team at contact@containo.us
 All complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -13,11 +13,11 @@ You need to run the `binary` target. This will create binaries for Linux platfor
 $ make binary
 docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
 Sending build context to Docker daemon 295.3 MB
-Step 0 : FROM golang:1.14-alpine
+Step 0 : FROM golang:1.9-alpine
  ---> 8c6473912976
 Step 1 : RUN go get github.com/golang/dep/cmd/dep
 [...]
-docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
+docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
@@ -32,7 +32,7 @@ traefik*
 ##### Setting up your `go` environment
 
 - You need `go` v1.9+
-- It is recommended you clone Traefik into a directory like `~/go/src/github.com/traefik/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
+- It is recommended you clone Træfik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
 - Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
 
 ```bash
@@ -56,12 +56,12 @@ GORACE=""
 ## more go env's will be listed
 ```
 
-##### Build Traefik
+##### Build Træfik
 
-Once your environment is set up and the Traefik repository cloned you can build Traefik. You need get `go-bindata` once to be able to use `go generate` command as part of the build.  The steps to build are:
+Once your environment is set up and the Træfik repository cloned you can build Træfik. You need get `go-bindata` once to be able to use `go generate` command as part of the build.  The steps to build are:
 
 ```bash
-cd ~/go/src/github.com/traefik/traefik
+cd ~/go/src/github.com/containous/traefik
 
 # Get go-bindata. Please note, the ellipses are required
 go get github.com/containous/go-bindata/...
@@ -77,7 +77,7 @@ go build ./cmd/traefik
 # run other commands like tests
 ```
 
-You will find the Traefik executable in the `~/go/src/github.com/traefik/traefik` folder as `traefik`.
+You will find the Træfik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`.
 
 ### Updating the templates
 
@@ -87,7 +87,7 @@ If you happen to update the provider templates (in `/templates`), you need to ru
 
 [dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
 
-You need to use [dep](https://github.com/golang/dep) >= 0.5.0.
+You need to use [dep](https://github.com/golang/dep) >= O.4.1.
 
 If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
 
@@ -117,13 +117,13 @@ integration test using the `test-integration` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
 
 Test success
 ```
@@ -151,26 +151,24 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory by `$ go test ./...` which should return `ok` similar to:
 
 ```
-ok      _/home/user/go/src/github/traefik/traefik    0.004s
+ok      _/home/user/go/src/github/containous/traefik    0.004s
 ```
 
 Integration tests must be run from the `integration/` directory and require the `-integration` switch to be passed like this: `$ cd integration && go test -integration ./...`.
 
 ## Documentation
 
-The [documentation site](https://doc.traefik.io/traefik/v1.7/) is built with [mkdocs](https://mkdocs.org/)
+The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
 
-### Building Documentation
+### Method 1: `Docker` and `make`
 
-#### Method 1: `Docker` and `make`
-
-You can build the documentation and serve it locally with livereloading, using the `docs` target:
+You can test documentation using the `docs` target.
 
 ```bash
 $ make docs
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -179,18 +177,11 @@ docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 tr
 
 And go to [http://127.0.0.1:8000](http://127.0.0.1:8000).
 
-If you only want to build the documentation without serving it locally, you can use the following command:
-
-```bash
-$ make docs-build
-...
-```
-
-#### Method 2: `mkdocs`
+### Method 2: `mkdocs`
 
 First make sure you have python and pip installed
 
-```bash
+```shell
 $ python --version
 Python 2.7.2
 $ pip --version
@@ -199,57 +190,29 @@ pip 1.5.2
 
 Then install mkdocs with pip
 
-```bash
+```shell
 pip install --user -r requirements.txt
 ```
 
-To build documentation locally and serve it locally,
-run `mkdocs serve` in the root directory,
-this should start a server locally to preview your changes.
+To test documentation locally run `mkdocs serve` in the root directory, this should start a server locally to preview your changes.
 
-```bash
+```shell
 $ mkdocs serve
 INFO    -  Building documentation...
+WARNING -  Config value: 'theme'. Warning: The theme 'united' will be removed in an upcoming MkDocs release. See http://www.mkdocs.org/about/release-notes/ for more details
 INFO    -  Cleaning site directory
 [I 160505 22:31:24 server:281] Serving on http://127.0.0.1:8000
 [I 160505 22:31:24 handlers:59] Start watching changes
 [I 160505 22:31:24 handlers:61] Start detecting changes
 ```
 
-### Verify Documentation
-
-You can verify that the documentation meets some expectations, as checking for dead links, html markup validity.
-
-```bash
-$ make docs-verify
-docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
-...
-docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
-=== Checking HTML content...
-Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
-```
-
-If you recently changed the documentation, do not forget to clean it to have it rebuilt:
-
-```bash
-$ make docs-clean docs-verify
-...
-```
-
-Please note that verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
-
-```shell
-DOCS_VERIFY_SKIP=true make docs-verify
-...
-DOCS_LINT_SKIP is true: no linting done.
-```
 
 ## How to Write a Good Issue
 
 Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests.
 
 For end-user related support questions, refer to one of the following:
-- the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
+- the Traefik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
 - [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
 
 ### Title

Dockerfile

@@ -2,5 +2,4 @@ FROM scratch
 COPY script/ca-certificates.crt /etc/ssl/certs/
 COPY dist/traefik /
 EXPOSE 80
-VOLUME ["/tmp"]
 ENTRYPOINT ["/traefik"]

Gopkg.toml

@@ -0,0 +1,206 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+ignored = ["github.com/sirupsen/logrus"]
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/ArthurHlt/go-eureka-client"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/BurntSushi/toml"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/BurntSushi/ty"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/NYTimes/gziphandler"
+
+[[constraint]]
+  branch = "containous-fork"
+  name = "github.com/abbot/go-http-auth"
+  source = "github.com/containous/go-http-auth"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/armon/go-proxyproto"
+
+[[constraint]]
+  name = "github.com/aws/aws-sdk-go"
+  version = "1.6.18"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/cenk/backoff"
+
+[[constraint]]
+  name = "github.com/containous/flaeg"
+  version = "1.0.1"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/containous/mux"
+
+[[constraint]]
+  name = "github.com/containous/staert"
+  version = "2.1.0"
+
+[[constraint]]
+  name = "github.com/containous/traefik-extra-service-fabric"
+  version = "1.0.6"
+
+[[constraint]]
+  name = "github.com/coreos/go-systemd"
+  version = "14.0.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/docker/leadership"
+  source = "github.com/containous/leadership"
+
+[[constraint]]
+  name = "github.com/docker/libkv"
+  source = "github.com/abronan/libkv"
+
+[[constraint]]
+  name = "github.com/eapache/channels"
+  version = "1.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/elazarl/go-bindata-assetfs"
+
+[[constraint]]
+  name = "github.com/go-check/check"
+  source = "github.com/containous/check"
+
+[[constraint]]
+  name = "github.com/go-kit/kit"
+  version = "0.3.0"
+
+[[constraint]]
+  name = "github.com/influxdata/influxdb"
+  version = "1.3.7"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/jjcollinge/servicefabric"
+
+[[constraint]]
+  name = "github.com/mattn/go-shellwords"
+  version = "1.0.3"
+
+[[constraint]]
+  name = "github.com/mesosphere/mesos-dns"
+  source = "https://github.com/containous/mesos-dns.git"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/copystructure"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/hashstructure"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/mapstructure"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/rancher/go-rancher-metadata"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/ryanuber/go-glob"
+
+[[constraint]]
+  name = "github.com/satori/go.uuid"
+  version = "1.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/stvp/go-udp-testing"
+
+[[constraint]]
+  name = "github.com/vdemeester/shakers"
+  version = "0.1.0"
+
+[[constraint]]
+  branch = "containous-fork"
+  name = "github.com/vulcand/oxy"
+  source = "https://github.com/containous/oxy.git"
+
+[[constraint]]
+  name = "github.com/xenolf/lego"
+  version = "0.4.1"
+
+[[constraint]]
+  name = "google.golang.org/grpc"
+  version = "1.5.2"
+
+[[constraint]]
+  name = "gopkg.in/fsnotify.v1"
+  source = "github.com/fsnotify/fsnotify"
+  version = "1.4.2"
+
+[[constraint]]
+  name = "k8s.io/client-go"
+  version = "2.0.0"
+
+[[override]]
+  name = "github.com/Nvveen/Gotty"
+  revision = "6018b68f96b839edfbe3fb48668853f5dbad88a3"
+  source = "github.com/ijc25/Gotty"
+
+[[override]]
+  # always keep this override
+  name = "github.com/mailgun/timetools"
+  revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
+
+[[override]]
+  name = "github.com/vulcand/predicate"
+  revision = "19b9dde14240d94c804ae5736ad0e1de10bf8fe6"
+
+[[override]]
+  # remove override on master
+  name = "github.com/coreos/bbolt"
+  revision = "32c383e75ce054674c53b5a07e55de85332aee14"
+
+[[override]]
+  branch = "master"
+  name = "github.com/miekg/dns"
+
+[[override]]
+  name = "golang.org/x/crypto"
+  revision = "b080dc9a8c480b08e698fb1219160d598526310f"
+
+[[override]]
+  name = "golang.org/x/net"
+  revision = "894f8ed5849b15b810ae41e9590a0d05395bba27"
+
+[prune]
+  non-go = true
+  go-tests = true
+  unused-packages = true

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS; 2020-2021 Traefik Labs
+Copyright (c) 2016-2018 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

MAINTAINER.md

@@ -18,8 +18,8 @@
 ## PR review process:
 
 * The status `needs-design-review` is only used in complex/heavy/tricky PRs.
-* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
-* From `2` to `3`: 3 LGTM approvals by any maintainer.
+* From `1` to `2`: 1 design LGTM in comment, by a senior maintainer, if needed.
+* From `2` to `3`: 3 LGTM by any maintainer.
 * If needed, a specific maintainer familiar with a particular domain can be requested for the review.
 
 We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
@@ -27,37 +27,36 @@ We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
 
 ## Bots
 
-### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/)
+### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
 
 **Update and Merge Pull Request**
 
 The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
 
 By default, a squash-rebase merge will be carried out.
-To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`.
+If you want to preserve commits you must add `bot/merge-method-rebase` before `status/3-needs-merge`.
 
-The status `status/4-merge-in-progress` is only used by the bot.
+The status `status/4-merge-in-progress` is only for the bot.
 
 If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
-In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
+In this case you must solve conflicts/CI/... and after you only need to remove `bot/need-human-merge`.
 
-To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
+A maintainer can add `bot/no-merge` on a PR if he want (temporarily) prevent a merge by the bot.
 
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
+`bot/light-review` can be used to decrease required LGTM from 3 to 1 when:
 
-This label is used when:
-- Updating the vendors from previously reviewed PRs
-- Merging branches into the master
-- Preparing the release
+- vendor updates from previously reviewed PRs
+- merges branches into master
+- prepare release
 
 
-### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/)
+### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
 
 * closes stale issues [cron]
     * use some criterion as number of days between creation, last update, labels, ...
 
 
-### [Myrmica Aloba](https://github.com/traefik/aloba)
+### [Myrmica Aloba](https://github.com/containous/aloba)
 
 **Manage GitHub labels**
 
@@ -69,7 +68,7 @@ This label is used when:
 
 ## Labels
 
-A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `status/*`.
+If we open/look an issue/PR, we must add a `kind/*`, an `area/*` and a `status/*`.
 
 ### Contributor
 
@@ -81,19 +80,19 @@ A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `
 ### Kind
 
 * `kind/enhancement`: a new or improved feature.
-* `kind/question`: a question. **(only for issue)**
-* `kind/proposal`: a proposal that needs to be discussed.
-  * _Proposal issues_ are design proposals
+* `kind/question`: It's a question. **(only for issue)**
+* `kind/proposal`: proposal PR/issues need a public debate.
+  * _Proposal issues_ are design proposal that need to be refined with multiple contributors.
   * _Proposal PRs_ are technical prototypes that need to be refined with multiple contributors.
 
-* `kind/bug/possible`: a possible bug that needs analysis before it is confirmed or fixed. **(only for issues)**
-* `kind/bug/confirmed`: a confirmed bug (reproducible). **(only for issues)**
-* `kind/bug/fix`: a bug fix. **(only for PR)**
+* `kind/bug/possible`: if we need to analyze to understand if it's a bug or not. **(only for issues)**
+* `kind/bug/confirmed`: we are sure, it's a bug. **(only for issues)**
+* `kind/bug/fix`: it's a bug fix. **(only for PR)**
 
 ### Resolution
 
-* `resolution/duplicate`: a duplicate issue/PR.
-* `resolution/declined`: declined (Rule #1 of open-source: no is temporary, yes is forever).
+* `resolution/duplicate`: it's a duplicate issue/PR.
+* `resolution/declined`: Rule #1 of open-source: no is temporary, yes is forever.
 * `WIP`: Work In Progress. **(only for PR)**
 
 ### Platform
@@ -106,10 +105,10 @@ A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `
 * `area/api`: Traefik API related.
 * `area/authentication`: Authentication related.
 * `area/cluster`: Traefik clustering related.
-* `area/documentation`: Documentation related.
-* `area/infrastructure`: CI or Traefik building scripts related.
+* `area/documentation`: regards improving/adding documentation.
+* `area/infrastructure`: related to CI or Traefik building scripts.
 * `area/healthcheck`: Health-check related.
-* `area/logs`: Logs related.
+* `area/logs`: Traefik logs related.
 * `area/middleware`: Middleware related.
 * `area/middleware/metrics`: Metrics related. (Prometheus, StatsD, ...)
 * `area/oxy`: Oxy related.
@@ -133,23 +132,23 @@ A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `
 
 ### Priority
 
-* `priority/P0`: needs a hot fix. **(only for issue)**
-* `priority/P1`: needs to be fixed the next release. **(only for issue)**
-* `priority/P2`: needs to be fixed in the future. **(only for issue)**
+* `priority/P0`: needs hot fix. **(only for issue)**
+* `priority/P1`: need to be fixed in next release. **(only for issue)**
+* `priority/P2`: need to be fixed in the future. **(only for issue)**
 * `priority/P3`: maybe. **(only for issue)**
 
 ### PR size
 
 * `size/S`: small PR. **(only for PR)** _[bot only]_
 * `size/M`: medium PR. **(only for PR)** _[bot only]_
-* `size/L`: large PR. **(only for PR)** _[bot only]_
+* `size/L`: Large PR. **(only for PR)** _[bot only]_
 
 ### Status - Workflow
 
 The `status/*` labels represent the desired state in the workflow.
 
-* `status/0-needs-triage`: all the new issues and PRs have this status. _[bot only]_
-* `status/1-needs-design-review`: needs a design review. **(only for PR)**
-* `status/2-needs-review`: needs a code/documentation review. **(only for PR)**
+* `status/0-needs-triage`: all new issue or PR have this status. _[bot only]_
+* `status/1-needs-design-review`: need a design review. **(only for PR)**
+* `status/2-needs-review`: need a code/documentation review. **(only for PR)**
 * `status/3-needs-merge`: ready to merge. **(only for PR)**
-* `status/4-merge-in-progress`: merge is in progress. _[bot only]_
+* `status/4-merge-in-progress`: merge in progress. _[bot only]_

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all docs-verify docs docs-clean docs-build
+.PHONY: all
 
 TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
@@ -14,16 +14,14 @@ TRAEFIK_ENVS := \
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
 
 BIND_DIR := "dist"
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
 
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 TRAEFIK_DOC_IMAGE := traefik-docs
-TRAEFIK_DOC_VERIFY_IMAGE := $(TRAEFIK_DOC_IMAGE)-verify
-DOCS_VERIFY_SKIP ?= false
 
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
@@ -75,8 +73,8 @@ test-integration: build ## run the integration tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary test-integration
 	TEST_HOST=1 ./script/make.sh test-integration
 
-validate: build  ## validate code, vendor and autogen
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-golint validate-misspell validate-vendor validate-autogen
+validate: build  ## validate gofmt, golint and go vet
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint validate-misspell validate-vendor validate-autogen
 
 build: dist
 	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
@@ -96,27 +94,11 @@ image-dirty: binary ## build a docker traefik image
 image: clear-static binary ## clean up static directory and build a docker traefik image
 	docker build -t $(TRAEFIK_IMAGE) .
 
-docs-image:
-	docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
-
 docs: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs serve
 
-docs-build: site
-
-docs-verify: site
-ifeq ($(DOCS_VERIFY_SKIP),false)
-	docker build -t $(TRAEFIK_DOC_VERIFY_IMAGE) ./script/docs-verify-docker-image
-	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOC_VERIFY_IMAGE)
-else
-	@echo "DOCS_LINT_SKIP is true: no linting done."
-endif
-
-site: docs-image
-	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOC_IMAGE) mkdocs build
-
-docs-clean:
-	rm -rf $(CURDIR)/site
+docs-image:
+	docker build -t $(TRAEFIK_DOC_IMAGE) -f docs.Dockerfile .
 
 clear-static:
 	rm -rf static
@@ -133,7 +115,7 @@ generate-webui: build-webui
 	if [ ! -d "static" ]; then \
 		mkdir -p static; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build; \
-		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
+		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
 
 lint:
@@ -145,5 +127,12 @@ fmt:
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq  | xargs -P 6 -n 1 docker pull
 
+dep-ensure:
+	dep ensure -v
+	./script/prune-dep.sh
+
+dep-prune:
+	./script/prune-dep.sh
+
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

README.md

@@ -1,20 +1,20 @@
 
 <p align="center">
-<img src="docs/img/traefik.logo.png" alt="Traefik" title="Traefik" />
+<img src="docs/img/traefik.logo.png" alt="Træfik" title="Træfik" />
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik/v1.7)
-[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](http://goreportcard.com/report/traefik/traefik)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
+[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
-[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
+[![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
+[![Twitter](https://img.shields.io/twitter/follow/traefikproxy.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefikproxy)
 
 
-Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
-Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
-Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
+Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Træfik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Telling Træfik where your orchestrator is could be the _only_ configuration step you need to do.
 
 ---
 
@@ -43,12 +43,12 @@ Now you want users to access these microservices, and you need a reverse proxy.
 Traditional reverse-proxies require that you configure _each_ route that will connect paths and subdomains to _each_ microservice. 
 In an environment where you add, remove, kill, upgrade, or scale your services _many_ times a day, the task of keeping the routes up to date becomes tedious. 
 
-**This is when Traefik can help you!**
+**This is when Træfik can help you!**
 
-Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part. 
+Træfik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part. 
 
-**Run Traefik and let it do the work for you!** 
-_(But if you'd rather configure some of your routes manually, Traefik supports that too!)_
+**Run Træfik and let it do the work for you!** 
+_(But if you'd rather configure some of your routes manually, Træfik supports that too!)_
 
 ![Architecture](docs/img/architecture.png)
 
@@ -56,70 +56,70 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
-- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)
 - Circuit breakers, retry
 - High Availability with cluster mode (beta)
 - See the magic through its clean web UI
 - Websocket, HTTP/2, GRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
-- Fast
+- [Fast](https://docs.traefik.io/benchmarks) ... which is nice
 - Exposes a Rest API
 - Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
 
 
 ## Supported Backends
 
-- [Docker](https://doc.traefik.io/traefik/v1.7/configuration/backends/docker) / [Swarm mode](https://doc.traefik.io/traefik/v1.7/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://doc.traefik.io/traefik/v1.7/configuration/backends/kubernetes)
-- [Mesos](https://doc.traefik.io/traefik/v1.7/configuration/backends/mesos) / [Marathon](https://doc.traefik.io/traefik/v1.7/configuration/backends/marathon)
-- [Rancher](https://doc.traefik.io/traefik/v1.7/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://doc.traefik.io/traefik/v1.7/configuration/backends/servicefabric)
-- [Consul Catalog](https://doc.traefik.io/traefik/v1.7/configuration/backends/consulcatalog)
-- [Consul](https://doc.traefik.io/traefik/v1.7/configuration/backends/consul) / [Etcd](https://doc.traefik.io/traefik/v1.7/configuration/backends/etcd) / [Zookeeper](https://doc.traefik.io/traefik/v1.7/configuration/backends/zookeeper) / [BoltDB](https://doc.traefik.io/traefik/v1.7/configuration/backends/boltdb)
-- [Eureka](https://doc.traefik.io/traefik/v1.7/configuration/backends/eureka)
-- [Amazon ECS](https://doc.traefik.io/traefik/v1.7/configuration/backends/ecs)
-- [Amazon DynamoDB](https://doc.traefik.io/traefik/v1.7/configuration/backends/dynamodb)
-- [File](https://doc.traefik.io/traefik/v1.7/configuration/backends/file)
-- [Rest](https://doc.traefik.io/traefik/v1.7/configuration/backends/rest)
+- [Docker](docs/configuration/backends/docker/) / [Swarm mode](docs/configuration/backends/docker/#docker-swarm-mode)
+- [Kubernetes](docs/configuration/backends/kubernetes/)
+- [Mesos](docs/configuration/backends/mesos/) / [Marathon](docs/configuration/backends/marathon/)
+- [Rancher](docs/configuration/backends/rancher/) (API, Metadata)
+- [Azure Service Fabric](docs/configuration/backends/servicefabric/)
+- [Consul Catalog](docs/configuration/backends/consulcatalog/)
+- [Consul](docs/configuration/backends/consul/) / [Etcd](docs/configuration/backends/etcd/) / [Zookeeper](docs/configuration/backends/zookeeper/) / [BoltDB](docs/configuration/backends/boltdb/)
+- [Eureka](docs/configuration/backends/eureka/)
+- [Amazon ECS](docs/configuration/backends/ecs/)
+- [Amazon DynamoDB](docs/configuration/backends/dynamodb/)
+- [File](docs/configuration/backends/file/)
+- [Rest](docs/configuration/backends/rest/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://doc.traefik.io/traefik/v1.7/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Træfik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-trfik-quickstart-using-docker) in our documentation (you will need Docker).
 
-Alternatively, if you don't want to install anything on your computer, you can try Traefik online in this great [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. 
+Alternatively, if you don't want to install anything on your computer, you can try Træfik online in this great [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. 
 
 If you are looking for a more comprehensive and real use-case example, you can also check [Play-With-Docker](http://training.play-with-docker.com/traefik-load-balancing/) to see how to load balance between multiple nodes.
 
 ## Web UI
 
-You can access the simple HTML frontend of Traefik.
+You can access the simple HTML frontend of Træfik.
 
 ![Web UI Providers](docs/img/web.frontend.png)
 ![Web UI Health](docs/img/traefik-health.png)
 
 ## Documentation
 
-You can find the complete documentation at [https://doc.traefik.io/traefik/v1.7](https://doc.traefik.io/traefik/v1.7).
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
+A collection of contributions around Træfik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
 To get community support, you can:
-- join the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
+- join the Træfik community Slack channel: [![Join the chat at https://traefik.herokuapp.com](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://traefik.herokuapp.com)
 - use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
 
-If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
+If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
 
 ## Download
 
-- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v1.7/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
 
 ```shell
 ./traefik --configFile=traefik.toml
 ```
 
-- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v1.7/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -128,18 +128,18 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:
 
 ```shell
-git clone https://github.com/traefik/traefik
+git clone https://github.com/containous/traefik
 ```
 
 ## Introductory Videos
 
-Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
-You will learn Traefik basics in less than 10 minutes.
+Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at [GopherCon 2017](https://gophercon.com/).
+You will learn Træfik basics in less than 10 minutes.
 
 [![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
 
 Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
-You will learn fundamental Traefik features and see some demos with Kubernetes.
+You will learn fundamental Træfik features and see some demos with Kubernetes.
 
 [![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
 
@@ -164,10 +164,12 @@ Each version is supported until the next one is released (e.g. 1.1.x will be sup
 
 We use [Semantic Versioning](http://semver.org/)
 
-## Mailing lists
+## Plumbing
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
-- Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+- [Oxy](https://github.com/vulcand/oxy): an awesome proxy library made by Mailgun folks
+- [Gorilla mux](https://github.com/gorilla/mux): famous request router
+- [Negroni](https://github.com/urfave/negroni): web middlewares made simple
+- [Lego](https://github.com/xenolf/lego): the best [Let's Encrypt](https://letsencrypt.org) library in go
 
 ## Credits
 

acme/account.go

@@ -8,25 +8,20 @@ import (
 	"crypto/x509"
 	"fmt"
 	"reflect"
-	"regexp"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/go-acme/lego/v3/certcrypto"
-	"github.com/go-acme/lego/v3/registration"
-	"github.com/traefik/traefik/log"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/types"
+	"github.com/containous/traefik/log"
+	"github.com/xenolf/lego/acme"
 )
 
 // Account is used to store lets encrypt registration info
 type Account struct {
 	Email              string
-	Registration       *registration.Resource
+	Registration       *acme.RegistrationResource
 	PrivateKey         []byte
-	KeyType            certcrypto.KeyType
 	DomainsCertificate DomainsCertificates
 	ChallengeCerts     map[string]*ChallengeCert
 	HTTPChallenge      map[string]map[string][]byte
@@ -39,18 +34,13 @@ type ChallengeCert struct {
 	certificate *tls.Certificate
 }
 
-// Init account struct
+// Init inits account struct
 func (a *Account) Init() error {
 	err := a.DomainsCertificate.Init()
 	if err != nil {
 		return err
 	}
 
-	err = a.RemoveAccountV1Values()
-	if err != nil {
-		log.Errorf("Unable to remove ACME Account V1 values during account initialization: %v", err)
-	}
-
 	for _, cert := range a.ChallengeCerts {
 		if cert.certificate == nil {
 			certificate, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
@@ -59,7 +49,6 @@ func (a *Account) Init() error {
 			}
 			cert.certificate = &certificate
 		}
-
 		if cert.certificate.Leaf == nil {
 			leaf, err := x509.ParseCertificate(cert.certificate.Certificate[0])
 			if err != nil {
@@ -72,25 +61,17 @@ func (a *Account) Init() error {
 }
 
 // NewAccount creates an account
-func NewAccount(email string, certs []*DomainsCertificate, keyTypeValue string) (*Account, error) {
-	keyType := acmeprovider.GetKeyType(keyTypeValue)
-
+func NewAccount(email string) (*Account, error) {
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, err
 	}
-
-	domainsCerts := DomainsCertificates{Certs: certs}
-	err = domainsCerts.Init()
-	if err != nil {
-		return nil, err
-	}
-
+	domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
+	domainsCerts.Init()
 	return &Account{
 		Email:              email,
 		PrivateKey:         x509.MarshalPKCS1PrivateKey(privateKey),
-		KeyType:            keyType,
 		DomainsCertificate: DomainsCertificates{Certs: domainsCerts.Certs},
 		ChallengeCerts:     map[string]*ChallengeCert{}}, nil
 }
@@ -101,7 +82,7 @@ func (a *Account) GetEmail() string {
 }
 
 // GetRegistration returns lets encrypt registration resource
-func (a *Account) GetRegistration() *registration.Resource {
+func (a *Account) GetRegistration() *acme.RegistrationResource {
 	return a.Registration
 }
 
@@ -110,39 +91,10 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 	if privateKey, err := x509.ParsePKCS1PrivateKey(a.PrivateKey); err == nil {
 		return privateKey
 	}
-
-	keySnippet := ""
-	if len(a.PrivateKey) >= 16 {
-		keySnippet = string(a.PrivateKey[:16])
-	}
-
-	log.Errorf("Cannot unmarshall private key beginning with %s", keySnippet)
+	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
 	return nil
 }
 
-// RemoveAccountV1Values removes ACME account V1 values
-func (a *Account) RemoveAccountV1Values() error {
-	// Check if ACME Account is in ACME V1 format
-	if a.Registration != nil {
-		isOldRegistration, err := regexp.MatchString(acmeprovider.RegistrationURLPathV1Regexp, a.Registration.URI)
-		if err != nil {
-			return err
-		}
-
-		if isOldRegistration {
-			a.reset()
-		}
-	}
-	return nil
-}
-
-func (a *Account) reset() {
-	log.Debug("Reset ACME account object.")
-	a.Email = ""
-	a.Registration = nil
-	a.PrivateKey = nil
-}
-
 // Certificate is used to store certificate info
 type Certificate struct {
 	Domain        string
@@ -170,11 +122,9 @@ func (dc *DomainsCertificates) Less(i, j int) bool {
 	if reflect.DeepEqual(dc.Certs[i].Domains, dc.Certs[j].Domains) {
 		return dc.Certs[i].tlsCert.Leaf.NotAfter.After(dc.Certs[j].tlsCert.Leaf.NotAfter)
 	}
-
 	if dc.Certs[i].Domains.Main == dc.Certs[j].Domains.Main {
 		return strings.Join(dc.Certs[i].Domains.SANs, ",") < strings.Join(dc.Certs[j].Domains.SANs, ",")
 	}
-
 	return dc.Certs[i].Domains.Main < dc.Certs[j].Domains.Main
 }
 
@@ -192,46 +142,29 @@ func (dc *DomainsCertificates) removeDuplicates() {
 	}
 }
 
-func (dc *DomainsCertificates) removeEmpty() {
-	var certs []*DomainsCertificate
-	for _, cert := range dc.Certs {
-		if cert.Certificate != nil && len(cert.Certificate.Certificate) > 0 && len(cert.Certificate.PrivateKey) > 0 {
-			certs = append(certs, cert)
-		}
-	}
-	dc.Certs = certs
-}
-
-// Init DomainsCertificates
+// Init inits DomainsCertificates
 func (dc *DomainsCertificates) Init() error {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()
-
-	dc.removeEmpty()
-
 	for _, domainsCertificate := range dc.Certs {
 		tlsCert, err := tls.X509KeyPair(domainsCertificate.Certificate.Certificate, domainsCertificate.Certificate.PrivateKey)
 		if err != nil {
 			return err
 		}
-
 		domainsCertificate.tlsCert = &tlsCert
-
 		if domainsCertificate.tlsCert.Leaf == nil {
 			leaf, err := x509.ParseCertificate(domainsCertificate.tlsCert.Certificate[0])
 			if err != nil {
 				return err
 			}
-
 			domainsCertificate.tlsCert.Leaf = leaf
 		}
 	}
-
 	dc.removeDuplicates()
 	return nil
 }
 
-func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain types.Domain) error {
+func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain Domain) error {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()
 
@@ -241,17 +174,15 @@ func (dc *DomainsCertificates) renewCertificates(acmeCert *Certificate, domain t
 			if err != nil {
 				return err
 			}
-
 			domainsCertificate.Certificate = acmeCert
 			domainsCertificate.tlsCert = &tlsCert
 			return nil
 		}
 	}
-
 	return fmt.Errorf("certificate to renew not found for domain %s", domain.Main)
 }
 
-func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain types.Domain) (*DomainsCertificate, error) {
+func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, domain Domain) (*DomainsCertificate, error) {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()
 
@@ -259,7 +190,6 @@ func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, d
 	if err != nil {
 		return nil, err
 	}
-
 	cert := DomainsCertificate{Domains: domain, Certificate: acmeCert, tlsCert: &tlsCert}
 	dc.Certs = append(dc.Certs, &cert)
 	return &cert, nil
@@ -268,12 +198,11 @@ func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, d
 func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*DomainsCertificate, bool) {
 	dc.lock.RLock()
 	defer dc.lock.RUnlock()
-
 	for _, domainsCertificate := range dc.Certs {
-		for _, domain := range domainsCertificate.Domains.ToStrArray() {
-			if strings.HasPrefix(domain, "*.") && types.MatchDomain(domainToFind, domain) {
-				return domainsCertificate, true
-			}
+		domains := []string{}
+		domains = append(domains, domainsCertificate.Domains.Main)
+		domains = append(domains, domainsCertificate.Domains.SANs...)
+		for _, domain := range domains {
 			if domain == domainToFind {
 				return domainsCertificate, true
 			}
@@ -282,10 +211,9 @@ func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*Do
 	return nil, false
 }
 
-func (dc *DomainsCertificates) exists(domainToFind types.Domain) (*DomainsCertificate, bool) {
+func (dc *DomainsCertificates) exists(domainToFind Domain) (*DomainsCertificate, bool) {
 	dc.lock.RLock()
 	defer dc.lock.RUnlock()
-
 	for _, domainsCertificate := range dc.Certs {
 		if reflect.DeepEqual(domainToFind, domainsCertificate.Domains) {
 			return domainsCertificate, true
@@ -296,18 +224,16 @@ func (dc *DomainsCertificates) exists(domainToFind types.Domain) (*DomainsCertif
 
 func (dc *DomainsCertificates) toDomainsMap() map[string]*tls.Certificate {
 	domainsCertificatesMap := make(map[string]*tls.Certificate)
-
 	for _, domainCertificate := range dc.Certs {
 		certKey := domainCertificate.Domains.Main
-
 		if domainCertificate.Domains.SANs != nil {
 			sort.Strings(domainCertificate.Domains.SANs)
-
 			for _, dnsName := range domainCertificate.Domains.SANs {
 				if dnsName != domainCertificate.Domains.Main {
 					certKey += fmt.Sprintf(",%s", dnsName)
 				}
 			}
+
 		}
 		domainsCertificatesMap[certKey] = domainCertificate.tlsCert
 	}
@@ -316,7 +242,7 @@ func (dc *DomainsCertificates) toDomainsMap() map[string]*tls.Certificate {
 
 // DomainsCertificate contains a certificate for multiple domains
 type DomainsCertificate struct {
-	Domains     types.Domain
+	Domains     Domain
 	Certificate *Certificate
 	tlsCert     *tls.Certificate
 }
@@ -328,9 +254,8 @@ func (dc *DomainsCertificate) needRenew() bool {
 			// If there's an error, we assume the cert is broken, and needs update
 			return true
 		}
-
 		// <= 30 days left, renew certificate
-		if crt.NotAfter.Before(time.Now().Add(24 * 30 * time.Hour)) {
+		if crt.NotAfter.Before(time.Now().Add(time.Duration(24 * 30 * time.Hour))) {
 			return true
 		}
 	}

acme/acme.go

@@ -9,10 +9,9 @@ import (
 	fmtlog "log"
 	"net"
 	"net/http"
-	"net/url"
-	"reflect"
+	"os"
+	"regexp"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/BurntSushi/ty/fun"
@@ -20,79 +19,135 @@ import (
 	"github.com/containous/flaeg"
 	"github.com/containous/mux"
 	"github.com/containous/staert"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	traefikTls "github.com/containous/traefik/tls"
+	"github.com/containous/traefik/tls/generate"
+	"github.com/containous/traefik/types"
 	"github.com/eapache/channels"
-	"github.com/go-acme/lego/v3/certificate"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/dns01"
-	"github.com/go-acme/lego/v3/challenge/http01"
-	"github.com/go-acme/lego/v3/lego"
-	legolog "github.com/go-acme/lego/v3/log"
-	"github.com/go-acme/lego/v3/providers/dns"
-	"github.com/go-acme/lego/v3/registration"
-	"github.com/sirupsen/logrus"
-	"github.com/traefik/traefik/cluster"
-	"github.com/traefik/traefik/log"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/types"
-	"github.com/traefik/traefik/version"
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/providers/dns"
 )
 
 var (
-	// OSCPMustStaple enables OSCP stapling as from https://github.com/go-acme/lego/issues/270
+	// OSCPMustStaple enables OSCP stapling as from https://github.com/xenolf/lego/issues/270
 	OSCPMustStaple = false
 )
 
 // ACME allows to connect to lets encrypt and retrieve certs
-// Deprecated Please use provider/acme/Provider
 type ACME struct {
-	Email                 string                      `description:"Email address used for registration"`
-	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
-	Storage               string                      `description:"File or key used for certificates storage."`
-	StorageFile           string                      // Deprecated
-	OnDemand              bool                        `description:"(Deprecated) Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
-	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
-	CAServer              string                      `description:"CA server to use."`
-	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
-	KeyType               string                      `description:"KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'"`
-	DNSChallenge          *acmeprovider.DNSChallenge  `description:"Activate DNS-01 Challenge"`
-	HTTPChallenge         *acmeprovider.HTTPChallenge `description:"Activate HTTP-01 Challenge"`
-	TLSChallenge          *acmeprovider.TLSChallenge  `description:"Activate TLS-ALPN-01 Challenge"`
-	DNSProvider           string                      `description:"(Deprecated) Activate DNS-01 Challenge"`                                                                    // Deprecated
-	DelayDontCheckDNS     flaeg.Duration              `description:"(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // Deprecated
-	ACMELogging           bool                        `description:"Enable debug logging of ACME actions."`
-	OverrideCertificates  bool                        `description:"Enable to override certificates in key-value store when using storeconfig"`
-	client                *lego.Client
+	Email                 string         `description:"Email address used for registration"`
+	Domains               []Domain       `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
+	Storage               string         `description:"File or key used for certificates storage."`
+	StorageFile           string         // deprecated
+	OnDemand              bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
+	OnHostRule            bool           `description:"Enable certificate generation on frontends Host rules."`
+	CAServer              string         `description:"CA server to use."`
+	EntryPoint            string         `description:"Entrypoint to proxy acme challenge to."`
+	DNSChallenge          *DNSChallenge  `description:"Activate DNS-01 Challenge"`
+	HTTPChallenge         *HTTPChallenge `description:"Activate HTTP-01 Challenge"`
+	DNSProvider           string         `description:"Use a DNS-01 acme challenge rather than TLS-SNI-01 challenge."`                                // deprecated
+	DelayDontCheckDNS     flaeg.Duration `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."` // deprecated
+	ACMELogging           bool           `description:"Enable debug logging of ACME actions."`
+	client                *acme.Client
+	defaultCertificate    *tls.Certificate
 	store                 cluster.Store
-	challengeHTTPProvider *challengeHTTPProvider
 	challengeTLSProvider  *challengeTLSProvider
+	challengeHTTPProvider *challengeHTTPProvider
 	checkOnDemandDomain   func(domain string) bool
 	jobs                  *channels.InfiniteChannel
 	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used"`
 	dynamicCerts          *safe.Safe
-	resolvingDomains      map[string]struct{}
-	resolvingDomainsMutex sync.RWMutex
+}
+
+// DNSChallenge contains DNS challenge Configuration
+type DNSChallenge struct {
+	Provider         string         `description:"Use a DNS-01 based challenge provider rather than HTTPS."`
+	DelayBeforeCheck flaeg.Duration `description:"Assume DNS propagates after a delay in seconds rather than finding and querying nameservers."`
+}
+
+// HTTPChallenge contains HTTP challenge Configuration
+type HTTPChallenge struct {
+	EntryPoint string `description:"HTTP challenge EntryPoint"`
+}
+
+//Domains parse []Domain
+type Domains []Domain
+
+//Set []Domain
+func (ds *Domains) Set(str string) error {
+	fargs := func(c rune) bool {
+		return c == ',' || c == ';'
+	}
+	// get function
+	slice := strings.FieldsFunc(str, fargs)
+	if len(slice) < 1 {
+		return fmt.Errorf("Parse error ACME.Domain. Imposible to parse %s", str)
+	}
+	d := Domain{
+		Main: slice[0],
+		SANs: []string{},
+	}
+	if len(slice) > 1 {
+		d.SANs = slice[1:]
+	}
+	*ds = append(*ds, d)
+	return nil
+}
+
+//Get []Domain
+func (ds *Domains) Get() interface{} { return []Domain(*ds) }
+
+//String returns []Domain in string
+func (ds *Domains) String() string { return fmt.Sprintf("%+v", *ds) }
+
+//SetValue sets []Domain into the parser
+func (ds *Domains) SetValue(val interface{}) {
+	*ds = Domains(val.([]Domain))
+}
+
+// Domain holds a domain name with SANs
+type Domain struct {
+	Main string
+	SANs []string
 }
 
 func (a *ACME) init() error {
-	if a.ACMELogging {
-		legolog.Logger = fmtlog.New(log.WriterLevel(logrus.InfoLevel), "legolog: ", 0)
-	} else {
-		legolog.Logger = fmtlog.New(ioutil.Discard, "", 0)
+	// FIXME temporary fix, waiting for https://github.com/xenolf/lego/pull/478
+	acme.HTTPClient = http.Client{
+		Transport: &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
+			Dial: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).Dial,
+			TLSHandshakeTimeout:   15 * time.Second,
+			ResponseHeaderTimeout: 15 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+		},
 	}
 
+	if a.ACMELogging {
+		acme.Logger = fmtlog.New(os.Stderr, "legolog: ", fmtlog.LstdFlags)
+	} else {
+		acme.Logger = fmtlog.New(ioutil.Discard, "", 0)
+	}
+	// no certificates in TLS config, so we add a default one
+	cert, err := generate.DefaultCertificate()
+	if err != nil {
+		return err
+	}
+	a.defaultCertificate = cert
+
 	a.jobs = channels.NewInfiniteChannel()
-
-	// Init the currently resolved domain map
-	a.resolvingDomains = make(map[string]struct{})
-
 	return nil
 }
 
 // AddRoutes add routes on internal router
 func (a *ACME) AddRoutes(router *mux.Router) {
 	router.Methods(http.MethodGet).
-		Path(http01.ChallengePath("{token}")).
+		Path(acme.HTTP01ChallengePath("{token}")).
 		Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 			if a.challengeHTTPProvider == nil {
 				rw.WriteHeader(http.StatusNotFound)
@@ -123,17 +178,14 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 	if err != nil {
 		return err
 	}
-
 	if len(a.Storage) == 0 {
-		return errors.New("empty Store, please provide a key for certs storage")
+		return errors.New("Empty Store, please provide a key for certs storage")
 	}
-
 	a.checkOnDemandDomain = checkOnDemandDomain
 	a.dynamicCerts = certs
-
+	tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
 	tlsConfig.GetCertificate = a.getCertificate
 	a.TLSConfig = tlsConfig
-
 	listener := func(object cluster.Object) error {
 		account := object.(*Account)
 		account.Init()
@@ -185,38 +237,20 @@ func (a *ACME) leadershipListener(elected bool) error {
 		if err != nil {
 			return err
 		}
-
 		transaction, object, err := a.store.Begin()
 		if err != nil {
 			return err
 		}
-
 		account := object.(*Account)
 		account.Init()
-		// Reset Account values if caServer changed, thus registration URI can be updated
-		if account != nil && account.Registration != nil && !isAccountMatchingCaServer(account.Registration.URI, a.CAServer) {
-			log.Info("Account URI does not match the current CAServer. The account will be reset")
-			account.reset()
-		}
-
 		var needRegister bool
 		if account == nil || len(account.Email) == 0 {
-			domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
-			if account != nil {
-				domainsCerts = account.DomainsCertificate
-			}
-
-			account, err = NewAccount(a.Email, domainsCerts.Certs, a.KeyType)
+			account, err = NewAccount(a.Email)
 			if err != nil {
 				return err
 			}
-
 			needRegister = true
-		} else if len(account.KeyType) == 0 {
-			// Set the KeyType if not already defined in the account
-			account.KeyType = acmeprovider.GetKeyType(a.KeyType)
 		}
-
 		a.client, err = a.buildACMEClient(account)
 		if err != nil {
 			return err
@@ -224,15 +258,29 @@ func (a *ACME) leadershipListener(elected bool) error {
 		if needRegister {
 			// New users will need to register; be sure to save it
 			log.Debug("Register...")
-
-			reg, err := a.client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			reg, err := a.client.Register()
 			if err != nil {
 				return err
 			}
-
 			account.Registration = reg
 		}
-
+		// The client has a URL to the current Let's Encrypt Subscriber
+		// Agreement. The user will need to agree to it.
+		log.Debug("AgreeToTOS...")
+		err = a.client.AgreeToTOS()
+		if err != nil {
+			log.Debug(err)
+			// Let's Encrypt Subscriber Agreement renew ?
+			reg, err := a.client.QueryRegistration()
+			if err != nil {
+				return err
+			}
+			account.Registration = reg
+			err = a.client.AgreeToTOS()
+			if err != nil {
+				log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
+			}
+		}
 		err = transaction.Commit(account)
 		if err != nil {
 			return err
@@ -245,45 +293,126 @@ func (a *ACME) leadershipListener(elected bool) error {
 	return nil
 }
 
-func isAccountMatchingCaServer(accountURI string, serverURI string) bool {
-	aru, err := url.Parse(accountURI)
+// CreateLocalConfig creates a tls.config using local ACME configuration
+func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, certs *safe.Safe, checkOnDemandDomain func(domain string) bool) error {
+	defer a.runJobs()
+	err := a.init()
 	if err != nil {
-		log.Infof("Unable to parse account.Registration URL : %v", err)
-		return false
+		return err
 	}
-	cau, err := url.Parse(serverURI)
+	if len(a.Storage) == 0 {
+		return errors.New("Empty Store, please provide a filename for certs storage")
+	}
+	a.checkOnDemandDomain = checkOnDemandDomain
+	a.dynamicCerts = certs
+	tlsConfig.Certificates = append(tlsConfig.Certificates, *a.defaultCertificate)
+	tlsConfig.GetCertificate = a.getCertificate
+	a.TLSConfig = tlsConfig
+	localStore := NewLocalStore(a.Storage)
+	a.store = localStore
+	a.challengeTLSProvider = &challengeTLSProvider{store: a.store}
+
+	var needRegister bool
+	var account *Account
+
+	if fileInfo, fileErr := os.Stat(a.Storage); fileErr == nil && fileInfo.Size() != 0 {
+		log.Info("Loading ACME Account...")
+		// load account
+		object, err := localStore.Load()
+		if err != nil {
+			return err
+		}
+		account = object.(*Account)
+	} else {
+		log.Info("Generating ACME Account...")
+		account, err = NewAccount(a.Email)
+		if err != nil {
+			return err
+		}
+		needRegister = true
+	}
+
+	a.client, err = a.buildACMEClient(account)
 	if err != nil {
-		log.Infof("Unable to parse CAServer URL : %v", err)
-		return false
+		log.Errorf(`Failed to build ACME client: %s
+Let's Encrypt functionality will be limited until Traefik is restarted.`, err)
+		return nil
 	}
-	return cau.Hostname() == aru.Hostname()
+
+	if needRegister {
+		// New users will need to register; be sure to save it
+		log.Info("Register...")
+		reg, err := a.client.Register()
+		if err != nil {
+			log.Errorf(`Failed to register user: %s
+Let's Encrypt functionality will be limited until Traefik is restarted.`, err)
+			return nil
+		}
+		account.Registration = reg
+	}
+
+	// The client has a URL to the current Let's Encrypt Subscriber
+	// Agreement. The user will need to agree to it.
+	log.Debug("AgreeToTOS...")
+	err = a.client.AgreeToTOS()
+	if err != nil {
+		// Let's Encrypt Subscriber Agreement renew ?
+		reg, err := a.client.QueryRegistration()
+		if err != nil {
+			log.Errorf(`Failed to renew subscriber agreement: %s
+Let's Encrypt functionality will be limited until Traefik is restarted.`, err)
+			return nil
+		}
+		account.Registration = reg
+		err = a.client.AgreeToTOS()
+		if err != nil {
+			log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
+		}
+	}
+	// save account
+	transaction, _, err := a.store.Begin()
+	if err != nil {
+		return err
+	}
+	err = transaction.Commit(account)
+	if err != nil {
+		return err
+	}
+
+	a.retrieveCertificates()
+	a.renewCertificates()
+
+	ticker := time.NewTicker(24 * time.Hour)
+	safe.Go(func() {
+		for range ticker.C {
+			a.renewCertificates()
+		}
+	})
+	return nil
 }
 
 func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	domain := types.CanonicalDomain(clientHello.ServerName)
 	account := a.store.Get().(*Account)
 
-	if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok {
-		log.Debugf("ACME got challenge %s", domain)
-		return challengeCert, nil
-	}
-
 	if providedCertificate := a.getProvidedCertificate(domain); providedCertificate != nil {
 		return providedCertificate, nil
 	}
 
+	if challengeCert, ok := a.challengeTLSProvider.getCertificate(domain); ok {
+		log.Debugf("ACME got challenge %s", domain)
+		return challengeCert, nil
+	}
 	if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(domain); ok {
 		log.Debugf("ACME got domain cert %s", domain)
 		return domainCert.tlsCert, nil
 	}
-
 	if a.OnDemand {
 		if a.checkOnDemandDomain != nil && !a.checkOnDemandDomain(domain) {
 			return nil, nil
 		}
 		return a.loadCertificateOnDemand(clientHello)
 	}
-
 	log.Debugf("No certificate found or generated for %s", domain)
 	return nil, nil
 }
@@ -291,50 +420,36 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 func (a *ACME) retrieveCertificates() {
 	a.jobs.In() <- func() {
 		log.Info("Retrieving ACME certificates...")
-
-		a.deleteUnnecessaryDomains()
-
-		for i := 0; i < len(a.Domains); i++ {
-			domain := a.Domains[i]
-
+		for _, domain := range a.Domains {
 			// check if cert isn't already loaded
 			account := a.store.Get().(*Account)
 			if _, exists := account.DomainsCertificate.exists(domain); !exists {
-				var domains []string
+				domains := []string{}
 				domains = append(domains, domain.Main)
 				domains = append(domains, domain.SANs...)
-				domains, err := a.getValidDomains(domains, true)
-				if err != nil {
-					log.Errorf("Error validating ACME certificate for domain %q: %s", domains, err)
-					continue
-				}
-
 				certificateResource, err := a.getDomainsCertificates(domains)
 				if err != nil {
-					log.Errorf("Error getting ACME certificate for domain %q: %s", domains, err)
+					log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
 					continue
 				}
-
 				transaction, object, err := a.store.Begin()
 				if err != nil {
-					log.Errorf("Error creating ACME store transaction from domain %q: %s", domain, err)
+					log.Errorf("Error creating ACME store transaction from domain %s: %s", domain, err.Error())
 					continue
 				}
-
 				account = object.(*Account)
 				_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
 				if err != nil {
-					log.Errorf("Error adding ACME certificate for domain %q: %s", domains, err)
+					log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
 					continue
 				}
 
 				if err = transaction.Commit(account); err != nil {
-					log.Errorf("Error Saving ACME account %+v: %s", account, err)
+					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
 					continue
 				}
 			}
 		}
-
 		log.Info("Retrieved ACME certificates")
 	}
 }
@@ -352,7 +467,7 @@ func (a *ACME) renewCertificates() {
 					continue
 				}
 				operation := func() error {
-					return a.storeRenewedCertificate(certificateResource, renewedACMECert)
+					return a.storeRenewedCertificate(account, certificateResource, renewedACMECert)
 				}
 				notify := func(err error, time time.Duration) {
 					log.Warnf("Renewed certificate storage error: %v, retrying in %s", err, time)
@@ -370,7 +485,7 @@ func (a *ACME) renewCertificates() {
 }
 
 func (a *ACME) renewACMECertificate(certificateResource *DomainsCertificate) (*Certificate, error) {
-	renewedCert, err := a.client.Certificate.Renew(certificate.Resource{
+	renewedCert, err := a.client.RenewCertificate(acme.CertificateResource{
 		Domain:        certificateResource.Certificate.Domain,
 		CertURL:       certificateResource.Certificate.CertURL,
 		CertStableURL: certificateResource.Certificate.CertStableURL,
@@ -390,14 +505,14 @@ func (a *ACME) renewACMECertificate(certificateResource *DomainsCertificate) (*C
 	}, nil
 }
 
-func (a *ACME) storeRenewedCertificate(certificateResource *DomainsCertificate, renewedACMECert *Certificate) error {
+func (a *ACME) storeRenewedCertificate(account *Account, certificateResource *DomainsCertificate, renewedACMECert *Certificate) error {
 	transaction, object, err := a.store.Begin()
 	if err != nil {
 		return fmt.Errorf("error during transaction initialization for renewing certificate: %v", err)
 	}
 
 	log.Infof("Renewing certificate in data store : %+v ", certificateResource.Domains)
-	account := object.(*Account)
+	account = object.(*Account)
 	err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
 	if err != nil {
 		return fmt.Errorf("error renewing certificate in datastore: %v ", err)
@@ -419,65 +534,60 @@ func (a *ACME) storeRenewedCertificate(certificateResource *DomainsCertificate,
 	return nil
 }
 
-func (a *ACME) buildACMEClient(account *Account) (*lego.Client, error) {
+func dnsOverrideDelay(delay flaeg.Duration) error {
+	var err error
+	if delay > 0 {
+		log.Debugf("Delaying %d rather than validating DNS propagation", delay)
+		acme.PreCheckDNS = func(_, _ string) (bool, error) {
+			time.Sleep(time.Duration(delay))
+			return true, nil
+		}
+	} else if delay < 0 {
+		err = fmt.Errorf("invalid negative DelayBeforeCheck: %d", delay)
+	}
+	return err
+}
+
+func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 	log.Debug("Building ACME client...")
-	caServer := "https://acme-v02.api.letsencrypt.org/directory"
+	caServer := "https://acme-v01.api.letsencrypt.org/directory"
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
 	}
-
-	config := lego.NewConfig(account)
-	config.CADirURL = caServer
-	config.Certificate.KeyType = account.KeyType
-	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
-
-	client, err := lego.NewClient(config)
+	client, err := acme.NewClient(caServer, account, acme.RSA4096)
 	if err != nil {
 		return nil, err
 	}
 
-	// DNS challenge
 	if a.DNSChallenge != nil && len(a.DNSChallenge.Provider) > 0 {
 		log.Debugf("Using DNS Challenge provider: %s", a.DNSChallenge.Provider)
 
-		var provider challenge.Provider
+		err = dnsOverrideDelay(a.DNSChallenge.DelayBeforeCheck)
+		if err != nil {
+			return nil, err
+		}
+
+		var provider acme.ChallengeProvider
 		provider, err = dns.NewDNSChallengeProviderByName(a.DNSChallenge.Provider)
 		if err != nil {
 			return nil, err
 		}
 
-		err = client.Challenge.SetDNS01Provider(provider,
-			dns01.CondOption(len(a.DNSChallenge.Resolvers) > 0, dns01.AddRecursiveNameservers(a.DNSChallenge.Resolvers)),
-			dns01.CondOption(a.DNSChallenge.DisablePropagationCheck || a.DNSChallenge.DelayBeforeCheck > 0,
-				dns01.AddPreCheck(func(_, _ string) (bool, error) {
-					if a.DNSChallenge.DelayBeforeCheck > 0 {
-						log.Debugf("Delaying %d rather than validating DNS propagation now.", a.DNSChallenge.DelayBeforeCheck)
-						time.Sleep(time.Duration(a.DNSChallenge.DelayBeforeCheck))
-					}
-					return true, nil
-				})),
-		)
-		return client, err
-	}
-
-	// HTTP challenge
-	if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
-		log.Debug("Using HTTP Challenge provider.")
-
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
+		err = client.SetChallengeProvider(acme.DNS01, provider)
+	} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
+		client.ExcludeChallenges([]acme.Challenge{acme.DNS01, acme.TLSSNI01})
 		a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
-		err = client.Challenge.SetHTTP01Provider(a.challengeHTTPProvider)
-		return client, err
+		err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
+	} else {
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
+		err = client.SetChallengeProvider(acme.TLSSNI01, a.challengeTLSProvider)
 	}
 
-	// TLS Challenge
-	if a.TLSChallenge != nil {
-		log.Debug("Using TLS Challenge provider.")
-
-		err = client.Challenge.SetTLSALPN01Provider(a.challengeTLSProvider)
-		return client, err
+	if err != nil {
+		return nil, err
 	}
-
-	return nil, errors.New("ACME challenge not specified, please select TLS or HTTP or DNS Challenge")
+	return client, nil
 }
 
 func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -497,7 +607,7 @@ func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.C
 		return nil, err
 	}
 	account = object.(*Account)
-	cert, err := account.DomainsCertificate.addCertificateForDomains(certificate, types.Domain{Main: domain})
+	cert, err := account.DomainsCertificate.addCertificateForDomains(certificate, Domain{Main: domain})
 	if err != nil {
 		return nil, err
 	}
@@ -512,12 +622,13 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 	a.jobs.In() <- func() {
 		log.Debugf("LoadCertificateForDomains %v...", domains)
 
-		domains, err := a.getValidDomains(domains, false)
-		if err != nil {
-			log.Errorf("Error getting valid domain: %v", err)
+		if len(domains) == 0 {
+			// no domain
 			return
 		}
 
+		domains = fun.Map(types.CanonicalDomain, domains).([]string)
+
 		operation := func() error {
 			if a.client == nil {
 				return errors.New("ACME client still not built")
@@ -529,7 +640,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 		}
 		ebo := backoff.NewExponentialBackOff()
 		ebo.MaxElapsedTime = 30 * time.Second
-		err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
+		err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 		if err != nil {
 			log.Errorf("Error getting ACME client: %v", err)
 			return
@@ -541,11 +652,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 		if len(uncheckedDomains) == 0 {
 			return
 		}
-
-		a.addResolvingDomains(uncheckedDomains)
-		defer a.removeResolvingDomains(uncheckedDomains)
-
-		cert, err := a.getDomainsCertificates(uncheckedDomains)
+		certificate, err := a.getDomainsCertificates(uncheckedDomains)
 		if err != nil {
 			log.Errorf("Error getting ACME certificates %+v : %v", uncheckedDomains, err)
 			return
@@ -557,14 +664,14 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 			log.Errorf("Error creating transaction %+v : %v", uncheckedDomains, err)
 			return
 		}
-		var domain types.Domain
+		var domain Domain
 		if len(uncheckedDomains) > 1 {
-			domain = types.Domain{Main: uncheckedDomains[0], SANs: uncheckedDomains[1:]}
+			domain = Domain{Main: uncheckedDomains[0], SANs: uncheckedDomains[1:]}
 		} else {
-			domain = types.Domain{Main: uncheckedDomains[0]}
+			domain = Domain{Main: uncheckedDomains[0]}
 		}
 		account = object.(*Account)
-		_, err = account.DomainsCertificate.addCertificateForDomains(cert, domain)
+		_, err = account.DomainsCertificate.addCertificateForDomains(certificate, domain)
 		if err != nil {
 			log.Errorf("Error adding ACME certificates %+v : %v", uncheckedDomains, err)
 			return
@@ -576,31 +683,13 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 	}
 }
 
-func (a *ACME) addResolvingDomains(resolvingDomains []string) {
-	a.resolvingDomainsMutex.Lock()
-	defer a.resolvingDomainsMutex.Unlock()
-
-	for _, domain := range resolvingDomains {
-		a.resolvingDomains[domain] = struct{}{}
-	}
-}
-
-func (a *ACME) removeResolvingDomains(resolvingDomains []string) {
-	a.resolvingDomainsMutex.Lock()
-	defer a.resolvingDomainsMutex.Unlock()
-
-	for _, domain := range resolvingDomains {
-		delete(a.resolvingDomains, domain)
-	}
-}
-
 // Get provided certificate which check a domains list (Main and SANs)
 // from static and dynamic provided certificates
 func (a *ACME) getProvidedCertificate(domains string) *tls.Certificate {
 	log.Debugf("Looking for provided certificate to validate %s...", domains)
 	cert := searchProvidedCertificateForDomains(domains, a.TLSConfig.NameToCertificate)
 	if cert == nil && a.dynamicCerts != nil && a.dynamicCerts.Get() != nil {
-		cert = searchProvidedCertificateForDomains(domains, a.dynamicCerts.Get().(map[string]*tls.Certificate))
+		cert = searchProvidedCertificateForDomains(domains, a.dynamicCerts.Get().(*traefikTls.DomainsCertificates).Get().(map[string]*tls.Certificate))
 	}
 	if cert == nil {
 		log.Debugf("No provided certificate found for domains %s, get ACME certificate.", domains)
@@ -611,14 +700,15 @@ func (a *ACME) getProvidedCertificate(domains string) *tls.Certificate {
 func searchProvidedCertificateForDomains(domain string, certs map[string]*tls.Certificate) *tls.Certificate {
 	// Use regex to test for provided certs that might have been added into TLSConfig
 	for certDomains := range certs {
-		domainChecked := false
+		domainCheck := false
 		for _, certDomain := range strings.Split(certDomains, ",") {
-			domainChecked = types.MatchDomain(domain, certDomain)
-			if domainChecked {
+			selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.?", -1) + "$"
+			domainCheck, _ = regexp.MatchString(selector, domain)
+			if domainCheck {
 				break
 			}
 		}
-		if domainChecked {
+		if domainCheck {
 			log.Debugf("Domain %q checked by provided certificate %q", domain, certDomains)
 			return certs[certDomains]
 		}
@@ -629,9 +719,6 @@ func searchProvidedCertificateForDomains(domain string, certs map[string]*tls.Ce
 // Get provided certificate which check a domains list (Main and SANs)
 // from static and dynamic provided certificates
 func (a *ACME) getUncheckedDomains(domains []string, account *Account) []string {
-	a.resolvingDomainsMutex.RLock()
-	defer a.resolvingDomainsMutex.RUnlock()
-
 	log.Debugf("Looking for provided certificate to validate %s...", domains)
 	allCerts := make(map[string]*tls.Certificate)
 
@@ -642,7 +729,7 @@ func (a *ACME) getUncheckedDomains(domains []string, account *Account) []string
 
 	// Get dynamic certificates
 	if a.dynamicCerts != nil && a.dynamicCerts.Get() != nil {
-		for domains, certificate := range a.dynamicCerts.Get().(map[string]*tls.Certificate) {
+		for domains, certificate := range a.dynamicCerts.Get().(*traefikTls.DomainsCertificates).Get().(map[string]*tls.Certificate) {
 			allCerts[domains] = certificate
 		}
 	}
@@ -654,32 +741,31 @@ func (a *ACME) getUncheckedDomains(domains []string, account *Account) []string
 		}
 	}
 
-	// Get currently resolved domains
-	for domain := range a.resolvingDomains {
-		if _, ok := allCerts[domain]; !ok {
-			allCerts[domain] = &tls.Certificate{}
-		}
-	}
-
-	// Get Configuration Domains
-	for i := 0; i < len(a.Domains); i++ {
-		allCerts[a.Domains[i].Main] = &tls.Certificate{}
-		for _, san := range a.Domains[i].SANs {
-			allCerts[san] = &tls.Certificate{}
-		}
-	}
-
 	return searchUncheckedDomains(domains, allCerts)
 }
 
 func searchUncheckedDomains(domains []string, certs map[string]*tls.Certificate) []string {
-	var uncheckedDomains []string
+	uncheckedDomains := []string{}
 	for _, domainToCheck := range domains {
-		if !isDomainAlreadyChecked(domainToCheck, certs) {
+		domainCheck := false
+		for certDomains := range certs {
+			domainCheck = false
+			for _, certDomain := range strings.Split(certDomains, ",") {
+				// Use regex to test for provided certs that might have been added into TLSConfig
+				selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.?", -1) + "$"
+				domainCheck, _ = regexp.MatchString(selector, domainToCheck)
+				if domainCheck {
+					break
+				}
+			}
+			if domainCheck {
+				break
+			}
+		}
+		if !domainCheck {
 			uncheckedDomains = append(uncheckedDomains, domainToCheck)
 		}
 	}
-
 	if len(uncheckedDomains) == 0 {
 		log.Debugf("No ACME certificate to generate for domains %q.", domains)
 	} else {
@@ -689,37 +775,21 @@ func searchUncheckedDomains(domains []string, certs map[string]*tls.Certificate)
 }
 
 func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
-	var cleanDomains []string
-	for _, domain := range domains {
-		canonicalDomain := types.CanonicalDomain(domain)
-		cleanDomain := dns01.UnFqdn(canonicalDomain)
-		if canonicalDomain != cleanDomain {
-			log.Warnf("FQDN detected, please remove the trailing dot: %s", canonicalDomain)
-		}
-		cleanDomains = append(cleanDomains, cleanDomain)
-	}
-
-	log.Debugf("Loading ACME certificates %s...", cleanDomains)
+	domains = fun.Map(types.CanonicalDomain, domains).([]string)
+	log.Debugf("Loading ACME certificates %s...", domains)
 	bundle := true
-
-	request := certificate.ObtainRequest{
-		Domains:    cleanDomains,
-		Bundle:     bundle,
-		MustStaple: OSCPMustStaple,
+	certificate, failures := a.client.ObtainCertificate(domains, bundle, nil, OSCPMustStaple)
+	if len(failures) > 0 {
+		log.Error(failures)
+		return nil, fmt.Errorf("cannot obtain certificates %+v", failures)
 	}
-
-	cert, err := a.client.Certificate.Obtain(request)
-	if err != nil {
-		return nil, fmt.Errorf("cannot obtain certificates: %+v", err)
-	}
-
-	log.Debugf("Loaded ACME certificates %s", cleanDomains)
+	log.Debugf("Loaded ACME certificates %s", domains)
 	return &Certificate{
-		Domain:        cert.Domain,
-		CertURL:       cert.CertURL,
-		CertStableURL: cert.CertStableURL,
-		PrivateKey:    cert.PrivateKey,
-		Certificate:   cert.Certificate,
+		Domain:        certificate.Domain,
+		CertURL:       certificate.CertURL,
+		CertStableURL: certificate.CertStableURL,
+		PrivateKey:    certificate.PrivateKey,
+		Certificate:   certificate.Certificate,
 	}, nil
 }
 
@@ -731,99 +801,3 @@ func (a *ACME) runJobs() {
 		}
 	})
 }
-
-// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
-func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string, error) {
-	// Check if the domains array is empty or contains only one empty value
-	if len(domains) == 0 || (len(domains) == 1 && len(domains[0]) == 0) {
-		return nil, errors.New("unable to generate a certificate when no domain is given")
-	}
-
-	if strings.HasPrefix(domains[0], "*") {
-		if !wildcardAllowed {
-			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q from a 'Host' rule", strings.Join(domains, ","))
-		}
-
-		if a.DNSChallenge == nil && len(a.DNSProvider) == 0 {
-			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
-		}
-		if strings.HasPrefix(domains[0], "*.*") {
-			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME does not allow '*.*' wildcard domain", strings.Join(domains, ","))
-		}
-	}
-
-	domains = fun.Map(types.CanonicalDomain, domains).([]string)
-	return domains, nil
-}
-
-func isDomainAlreadyChecked(domainToCheck string, existentDomains map[string]*tls.Certificate) bool {
-	for certDomains := range existentDomains {
-		for _, certDomain := range strings.Split(certDomains, ",") {
-			if types.MatchDomain(domainToCheck, certDomain) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// deleteUnnecessaryDomains deletes from the configuration :
-// - Duplicated domains
-// - Domains which are checked by wildcard domain
-func (a *ACME) deleteUnnecessaryDomains() {
-	var newDomains []types.Domain
-
-	for idxDomainToCheck, domainToCheck := range a.Domains {
-		keepDomain := true
-
-		for idxDomain, domain := range a.Domains {
-			if idxDomainToCheck == idxDomain {
-				continue
-			}
-
-			if reflect.DeepEqual(domain, domainToCheck) {
-				if idxDomainToCheck > idxDomain {
-					log.Warnf("The domain %v is duplicated in the configuration but will be process by ACME only once.", domainToCheck)
-					keepDomain = false
-				}
-				break
-			}
-
-			var newDomainsToCheck []string
-
-			// Check if domains can be validated by the wildcard domain
-			domainsMap := make(map[string]*tls.Certificate)
-			domainsMap[domain.Main] = &tls.Certificate{}
-			if len(domain.SANs) > 0 {
-				domainsMap[strings.Join(domain.SANs, ",")] = &tls.Certificate{}
-			}
-
-			for _, domainProcessed := range domainToCheck.ToStrArray() {
-				if idxDomain < idxDomainToCheck && isDomainAlreadyChecked(domainProcessed, domainsMap) {
-					// The domain is duplicated in a CN
-					log.Warnf("Domain %q is duplicated in the configuration or validated by the domain %v. It will be processed once.", domainProcessed, domain)
-					continue
-				} else if domain.Main != domainProcessed && strings.HasPrefix(domain.Main, "*") && types.MatchDomain(domainProcessed, domain.Main) {
-					// Check if a wildcard can validate the domain
-					log.Warnf("Domain %q will not be processed by ACME provider because it is validated by the wildcard %q", domainProcessed, domain.Main)
-					continue
-				}
-				newDomainsToCheck = append(newDomainsToCheck, domainProcessed)
-			}
-
-			// Delete the domain if both Main and SANs can be validated by the wildcard domain
-			// otherwise keep the unchecked values
-			if newDomainsToCheck == nil {
-				keepDomain = false
-				break
-			}
-			domainToCheck.Set(newDomainsToCheck)
-		}
-
-		if keepDomain {
-			newDomains = append(newDomains, domainToCheck)
-		}
-	}
-
-	a.Domains = newDomains
-}

acme/acme_test.go

@@ -6,126 +6,80 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
-	"sort"
 	"sync"
 	"testing"
 	"time"
 
+	"github.com/containous/traefik/tls/generate"
 	"github.com/stretchr/testify/assert"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/tls/generate"
-	"github.com/traefik/traefik/types"
+	"github.com/xenolf/lego/acme"
 )
 
 func TestDomainsSet(t *testing.T) {
-	testCases := []struct {
-		input    string
-		expected types.Domains
-	}{
-		{
-			input:    "",
-			expected: types.Domains{},
-		},
-		{
-			input: "foo1.com",
-			expected: types.Domains{
-				types.Domain{Main: "foo1.com"},
-			},
-		},
-		{
-			input: "foo2.com,bar.net",
-			expected: types.Domains{
-				types.Domain{
-					Main: "foo2.com",
-					SANs: []string{"bar.net"},
-				},
-			},
-		},
-		{
-			input: "foo3.com,bar1.net,bar2.net,bar3.net",
-			expected: types.Domains{
-				types.Domain{
-					Main: "foo3.com",
-					SANs: []string{"bar1.net", "bar2.net", "bar3.net"},
-				},
-			},
-		},
+	checkMap := map[string]Domains{
+		"":                                   {},
+		"foo.com":                            {Domain{Main: "foo.com", SANs: []string{}}},
+		"foo.com,bar.net":                    {Domain{Main: "foo.com", SANs: []string{"bar.net"}}},
+		"foo.com,bar1.net,bar2.net,bar3.net": {Domain{Main: "foo.com", SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
 	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.input, func(t *testing.T) {
-			t.Parallel()
-
-			domains := types.Domains{}
-			domains.Set(test.input)
-			assert.Exactly(t, test.expected, domains)
-		})
+	for in, check := range checkMap {
+		ds := Domains{}
+		ds.Set(in)
+		if !reflect.DeepEqual(check, ds) {
+			t.Errorf("Expected %+v\nGot %+v", check, ds)
+		}
 	}
 }
 
 func TestDomainsSetAppend(t *testing.T) {
-	testCases := []struct {
-		input    string
-		expected types.Domains
-	}{
-		{
-			input:    "",
-			expected: types.Domains{},
-		},
-		{
-			input: "foo1.com",
-			expected: types.Domains{
-				types.Domain{Main: "foo1.com"},
-			},
-		},
-		{
-			input: "foo2.com,bar.net",
-			expected: types.Domains{
-				types.Domain{Main: "foo1.com"},
-				types.Domain{
-					Main: "foo2.com",
-					SANs: []string{"bar.net"},
-				},
-			},
-		},
-		{
-			input: "foo3.com,bar1.net,bar2.net,bar3.net",
-			expected: types.Domains{
-				types.Domain{Main: "foo1.com"},
-				types.Domain{
-					Main: "foo2.com",
-					SANs: []string{"bar.net"},
-				},
-				types.Domain{
-					Main: "foo3.com",
-					SANs: []string{"bar1.net", "bar2.net", "bar3.net"},
-				},
-			},
-		},
+	inSlice := []string{
+		"",
+		"foo1.com",
+		"foo2.com,bar.net",
+		"foo3.com,bar1.net,bar2.net,bar3.net",
 	}
-
-	// append to
-	domains := types.Domains{}
-	for _, test := range testCases {
-		t.Run(test.input, func(t *testing.T) {
-
-			domains.Set(test.input)
-			assert.Exactly(t, test.expected, domains)
-		})
+	checkSlice := []Domains{
+		{},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}}},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}},
+			Domain{
+				Main: "foo2.com",
+				SANs: []string{"bar.net"}}},
+		{
+			Domain{
+				Main: "foo1.com",
+				SANs: []string{}},
+			Domain{
+				Main: "foo2.com",
+				SANs: []string{"bar.net"}},
+			Domain{Main: "foo3.com",
+				SANs: []string{"bar1.net", "bar2.net", "bar3.net"}}},
+	}
+	ds := Domains{}
+	for i, in := range inSlice {
+		ds.Set(in)
+		if !reflect.DeepEqual(checkSlice[i], ds) {
+			t.Errorf("Expected  %s %+v\nGot %+v", in, checkSlice[i], ds)
+		}
 	}
 }
 
 func TestCertificatesRenew(t *testing.T) {
 	foo1Cert, foo1Key, _ := generate.KeyPair("foo1.com", time.Now())
 	foo2Cert, foo2Key, _ := generate.KeyPair("foo2.com", time.Now())
-
 	domainsCertificates := DomainsCertificates{
 		lock: sync.RWMutex{},
 		Certs: []*DomainsCertificate{
 			{
-				Domains: types.Domain{
-					Main: "foo1.com"},
+				Domains: Domain{
+					Main: "foo1.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo1.com",
 					CertURL:       "url",
@@ -135,8 +89,9 @@ func TestCertificatesRenew(t *testing.T) {
 				},
 			},
 			{
-				Domains: types.Domain{
-					Main: "foo2.com"},
+				Domains: Domain{
+					Main: "foo2.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo2.com",
 					CertURL:       "url",
@@ -147,7 +102,6 @@ func TestCertificatesRenew(t *testing.T) {
 			},
 		},
 	}
-
 	foo1Cert, foo1Key, _ = generate.KeyPair("foo1.com", time.Now())
 	newCertificate := &Certificate{
 		Domain:        "foo1.com",
@@ -157,15 +111,17 @@ func TestCertificatesRenew(t *testing.T) {
 		Certificate:   foo1Cert,
 	}
 
-	err := domainsCertificates.renewCertificates(newCertificate, types.Domain{Main: "foo1.com"})
+	err := domainsCertificates.renewCertificates(
+		newCertificate,
+		Domain{
+			Main: "foo1.com",
+			SANs: []string{}})
 	if err != nil {
 		t.Errorf("Error in renewCertificates :%v", err)
 	}
-
 	if len(domainsCertificates.Certs) != 2 {
 		t.Errorf("Expected domainsCertificates length %d %+v\nGot %+v", 2, domainsCertificates.Certs, len(domainsCertificates.Certs))
 	}
-
 	if !reflect.DeepEqual(domainsCertificates.Certs[0].Certificate, newCertificate) {
 		t.Errorf("Expected new certificate %+v \nGot %+v", newCertificate, domainsCertificates.Certs[0].Certificate)
 	}
@@ -181,8 +137,9 @@ func TestRemoveDuplicates(t *testing.T) {
 		lock: sync.RWMutex{},
 		Certs: []*DomainsCertificate{
 			{
-				Domains: types.Domain{
-					Main: "foo.com"},
+				Domains: Domain{
+					Main: "foo.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -192,8 +149,9 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: types.Domain{
-					Main: "foo.com"},
+				Domains: Domain{
+					Main: "foo.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -203,8 +161,9 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: types.Domain{
-					Main: "foo.com"},
+				Domains: Domain{
+					Main: "foo.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -214,8 +173,9 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: types.Domain{
-					Main: "bar.com"},
+				Domains: Domain{
+					Main: "bar.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "bar.com",
 					CertURL:       "url",
@@ -225,8 +185,9 @@ func TestRemoveDuplicates(t *testing.T) {
 				},
 			},
 			{
-				Domains: types.Domain{
-					Main: "foo.com"},
+				Domains: Domain{
+					Main: "foo.com",
+					SANs: []string{}},
 				Certificate: &Certificate{
 					Domain:        "foo.com",
 					CertURL:       "url",
@@ -257,10 +218,39 @@ func TestRemoveDuplicates(t *testing.T) {
 	}
 }
 
+func TestNoPreCheckOverride(t *testing.T) {
+	acme.PreCheckDNS = nil // Irreversable - but not expecting real calls into this during testing process
+	err := dnsOverrideDelay(0)
+	if err != nil {
+		t.Errorf("Error in dnsOverrideDelay :%v", err)
+	}
+	if acme.PreCheckDNS != nil {
+		t.Error("Unexpected change to acme.PreCheckDNS when leaving DNS verification as is.")
+	}
+}
+
+func TestSillyPreCheckOverride(t *testing.T) {
+	err := dnsOverrideDelay(-5)
+	if err == nil {
+		t.Error("Missing expected error in dnsOverrideDelay!")
+	}
+}
+
+func TestPreCheckOverride(t *testing.T) {
+	acme.PreCheckDNS = nil // Irreversable - but not expecting real calls into this during testing process
+	err := dnsOverrideDelay(5)
+	if err != nil {
+		t.Errorf("Error in dnsOverrideDelay :%v", err)
+	}
+	if acme.PreCheckDNS == nil {
+		t.Error("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
+	}
+}
+
 func TestAcmeClientCreation(t *testing.T) {
+	acme.PreCheckDNS = nil // Irreversable - but not expecting real calls into this during testing process
 	// Lengthy setup to avoid external web requests - oh for easier golang testing!
 	account := &Account{Email: "f@f"}
-
 	account.PrivateKey, _ = base64.StdEncoding.DecodeString(`
 MIIBPAIBAAJBAMp2Ni92FfEur+CAvFkgC12LT4l9D53ApbBpDaXaJkzzks+KsLw9zyAxvlrfAyTCQ
 7tDnEnIltAXyQ0uOFUUdcMCAwEAAQJAK1FbipATZcT9cGVa5x7KD7usytftLW14heQUPXYNV80r/3
@@ -268,33 +258,16 @@ lmnpvjL06dffRpwkYeN8DATQF/QOcy3NNNGDw/4QIhAPAKmiZFxA/qmRXsuU8Zhlzf16WrNZ68K64
 asn/h3qZrAiEA1+wFR3WXCPIolOvd7AHjfgcTKQNkoMPywU4FYUNQ1AkCIQDv8yk0qPjckD6HVCPJ
 llJh9MC0svjevGtNlxJoE3lmEQIhAKXy1wfZ32/XtcrnENPvi6lzxI0T94X7s5pP3aCoPPoJAiEAl
 cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
-
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, err := w.Write([]byte(`{
-  "GPHhmRVEDas": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
-  "keyChange": "https://foo/acme/key-change",
-  "meta": {
-    "termsOfService": "https://boulder:4431/terms/v7"
-  },
-  "newAccount": "https://foo/acme/new-acct",
-  "newNonce": "https://foo/acme/new-nonce",
-  "newOrder": "https://foo/acme/new-order",
-  "revokeCert": "https://foo/acme/revoke-cert"
+		w.Write([]byte(`{
+"new-authz": "https://foo/acme/new-authz",
+"new-cert": "https://foo/acme/new-cert",
+"new-reg": "https://foo/acme/new-reg",
+"revoke-cert": "https://foo/acme/revoke-cert"
 }`))
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-		}
 	}))
 	defer ts.Close()
-
-	a := ACME{
-		CAServer: ts.URL,
-		DNSChallenge: &acmeprovider.DNSChallenge{
-			Provider:                "manual",
-			DelayBeforeCheck:        10,
-			DisablePropagationCheck: true,
-		},
-	}
+	a := ACME{DNSChallenge: &DNSChallenge{Provider: "manual", DelayBeforeCheck: 10}, CAServer: ts.URL}
 
 	client, err := a.buildACMEClient(account)
 	if err != nil {
@@ -303,6 +276,9 @@ cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
 	if client == nil {
 		t.Error("No client from buildACMEClient!")
 	}
+	if acme.PreCheckDNS == nil {
+		t.Error("No change to acme.PreCheckDNS when meant to be adding enforcing override function.")
+	}
 }
 
 func TestAcme_getUncheckedCertificates(t *testing.T) {
@@ -310,12 +286,9 @@ func TestAcme_getUncheckedCertificates(t *testing.T) {
 	mm["*.containo.us"] = &tls.Certificate{}
 	mm["traefik.acme.io"] = &tls.Certificate{}
 
-	dm := make(map[string]struct{})
-	dm["*.traefik.wtf"] = struct{}{}
+	a := ACME{TLSConfig: &tls.Config{NameToCertificate: mm}}
 
-	a := ACME{TLSConfig: &tls.Config{NameToCertificate: mm}, resolvingDomains: dm}
-
-	domains := []string{"traefik.containo.us", "trae.containo.us", "foo.traefik.wtf"}
+	domains := []string{"traefik.containo.us", "trae.containo.us"}
 	uncheckedDomains := a.getUncheckedDomains(domains, nil)
 	assert.Empty(t, uncheckedDomains)
 	domains = []string{"traefik.acme.io", "trae.acme.io"}
@@ -324,7 +297,7 @@ func TestAcme_getUncheckedCertificates(t *testing.T) {
 	domainsCertificates := DomainsCertificates{Certs: []*DomainsCertificate{
 		{
 			tlsCert: &tls.Certificate{},
-			Domains: types.Domain{
+			Domains: Domain{
 				Main: "*.acme.wtf",
 				SANs: []string{"trae.acme.io"},
 			},
@@ -333,9 +306,6 @@ func TestAcme_getUncheckedCertificates(t *testing.T) {
 	account := Account{DomainsCertificate: domainsCertificates}
 	uncheckedDomains = a.getUncheckedDomains(domains, &account)
 	assert.Empty(t, uncheckedDomains)
-	domains = []string{"traefik.containo.us", "trae.containo.us", "traefik.wtf"}
-	uncheckedDomains = a.getUncheckedDomains(domains, nil)
-	assert.Len(t, uncheckedDomains, 1)
 }
 
 func TestAcme_getProvidedCertificate(t *testing.T) {
@@ -352,452 +322,3 @@ func TestAcme_getProvidedCertificate(t *testing.T) {
 	certificate = a.getProvidedCertificate(domain)
 	assert.Nil(t, certificate)
 }
-
-func TestAcme_getValidDomain(t *testing.T) {
-	testCases := []struct {
-		desc            string
-		domains         []string
-		wildcardAllowed bool
-		dnsChallenge    *acmeprovider.DNSChallenge
-		expectedErr     string
-		expectedDomains []string
-	}{
-		{
-			desc:            "valid wildcard",
-			domains:         []string{"*.traefik.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			wildcardAllowed: true,
-			expectedErr:     "",
-			expectedDomains: []string{"*.traefik.wtf"},
-		},
-		{
-			desc:            "no wildcard",
-			domains:         []string{"traefik.wtf", "foo.traefik.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			expectedErr:     "",
-			wildcardAllowed: true,
-			expectedDomains: []string{"traefik.wtf", "foo.traefik.wtf"},
-		},
-		{
-			desc:            "unauthorized wildcard",
-			domains:         []string{"*.traefik.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			wildcardAllowed: false,
-			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf\" from a 'Host' rule",
-			expectedDomains: nil,
-		},
-		{
-			desc:            "no domain",
-			domains:         []string{},
-			dnsChallenge:    nil,
-			wildcardAllowed: true,
-			expectedErr:     "unable to generate a certificate when no domain is given",
-			expectedDomains: nil,
-		},
-		{
-			desc:            "no DNSChallenge",
-			domains:         []string{"*.traefik.wtf", "foo.traefik.wtf"},
-			dnsChallenge:    nil,
-			wildcardAllowed: true,
-			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf,foo.traefik.wtf\" : ACME needs a DNSChallenge",
-			expectedDomains: nil,
-		},
-		{
-			desc:            "unauthorized wildcard with SAN",
-			domains:         []string{"*.*.traefik.wtf", "foo.traefik.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			wildcardAllowed: true,
-			expectedErr:     "unable to generate a wildcard certificate for domain \"*.*.traefik.wtf,foo.traefik.wtf\" : ACME does not allow '*.*' wildcard domain",
-			expectedDomains: nil,
-		},
-		{
-			desc:            "wildcard with SANs",
-			domains:         []string{"*.traefik.wtf", "traefik.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			wildcardAllowed: true,
-			expectedErr:     "",
-			expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
-		},
-		{
-			desc:            "wildcard SANs",
-			domains:         []string{"*.traefik.wtf", "*.acme.wtf"},
-			dnsChallenge:    &acmeprovider.DNSChallenge{},
-			wildcardAllowed: true,
-			expectedErr:     "",
-			expectedDomains: []string{"*.traefik.wtf", "*.acme.wtf"},
-		},
-	}
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			a := ACME{}
-			if test.dnsChallenge != nil {
-				a.DNSChallenge = test.dnsChallenge
-			}
-			domains, err := a.getValidDomains(test.domains, test.wildcardAllowed)
-
-			if len(test.expectedErr) > 0 {
-				assert.EqualError(t, err, test.expectedErr, "Unexpected error.")
-			} else {
-				assert.Equal(t, len(test.expectedDomains), len(domains), "Unexpected domains.")
-			}
-		})
-	}
-}
-
-func TestAcme_getCertificateForDomain(t *testing.T) {
-	testCases := []struct {
-		desc          string
-		domain        string
-		dc            *DomainsCertificates
-		expected      *DomainsCertificate
-		expectedFound bool
-	}{
-		{
-			desc:   "non-wildcard exact match",
-			domain: "foo.traefik.wtf",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "foo.traefik.wtf",
-						},
-					},
-				},
-			},
-			expected: &DomainsCertificate{
-				Domains: types.Domain{
-					Main: "foo.traefik.wtf",
-				},
-			},
-			expectedFound: true,
-		},
-		{
-			desc:   "non-wildcard no match",
-			domain: "bar.traefik.wtf",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "foo.traefik.wtf",
-						},
-					},
-				},
-			},
-			expected:      nil,
-			expectedFound: false,
-		},
-		{
-			desc:   "wildcard match",
-			domain: "foo.traefik.wtf",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "*.traefik.wtf",
-						},
-					},
-				},
-			},
-			expected: &DomainsCertificate{
-				Domains: types.Domain{
-					Main: "*.traefik.wtf",
-				},
-			},
-			expectedFound: true,
-		},
-		{
-			desc:   "wildcard no match",
-			domain: "foo.traefik.wtf",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "*.bar.traefik.wtf",
-						},
-					},
-				},
-			},
-			expected:      nil,
-			expectedFound: false,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			got, found := test.dc.getCertificateForDomain(test.domain)
-			assert.Equal(t, test.expectedFound, found)
-			assert.Equal(t, test.expected, got)
-		})
-	}
-}
-
-func TestRemoveEmptyCertificates(t *testing.T) {
-	now := time.Now()
-	fooCert, fooKey, _ := generate.KeyPair("foo.com", now)
-	acmeCert, acmeKey, _ := generate.KeyPair("acme.wtf", now.Add(24*time.Hour))
-	barCert, barKey, _ := generate.KeyPair("bar.com", now)
-	testCases := []struct {
-		desc       string
-		dc         *DomainsCertificates
-		expectedDc *DomainsCertificates
-	}{
-		{
-			desc: "No empty certificate",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: fooCert,
-							PrivateKey:  fooKey,
-						},
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: barCert,
-							PrivateKey:  barKey,
-						},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-			expectedDc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: fooCert,
-							PrivateKey:  fooKey,
-						},
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: barCert,
-							PrivateKey:  barKey,
-						},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-		},
-		{
-			desc: "First certificate is nil",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: barCert,
-							PrivateKey:  barKey,
-						},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-			expectedDc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: nil,
-							PrivateKey:  barKey,
-						},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-		},
-		{
-			desc: "Last certificate is empty",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: fooCert,
-							PrivateKey:  fooKey,
-						},
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-			expectedDc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: fooCert,
-							PrivateKey:  fooKey,
-						},
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-				},
-			},
-		},
-		{
-			desc: "First and last certificates are nil or empty",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-					{
-						Certificate: &Certificate{},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-			expectedDc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Certificate: &Certificate{
-							Certificate: acmeCert,
-							PrivateKey:  acmeKey,
-						},
-						Domains: types.Domain{
-							Main: "acme.wtf",
-						},
-					},
-				},
-			},
-		},
-		{
-			desc: "All certificates are nil or empty",
-			dc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{
-					{
-						Domains: types.Domain{
-							Main: "foo.com",
-						},
-					},
-					{
-						Domains: types.Domain{
-							Main: "foo24.com",
-						},
-					},
-					{
-						Certificate: &Certificate{},
-						Domains: types.Domain{
-							Main: "bar.com",
-						},
-					},
-				},
-			},
-			expectedDc: &DomainsCertificates{
-				Certs: []*DomainsCertificate{},
-			},
-		},
-	}
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			a := &Account{DomainsCertificate: *test.dc}
-			a.Init()
-
-			assert.Equal(t, len(test.expectedDc.Certs), len(a.DomainsCertificate.Certs))
-			sort.Sort(&a.DomainsCertificate)
-			sort.Sort(test.expectedDc)
-			for key, value := range test.expectedDc.Certs {
-				assert.Equal(t, value.Domains.Main, a.DomainsCertificate.Certs[key].Domains.Main)
-			}
-		})
-	}
-}

acme/challenge_http_provider.go

@@ -6,13 +6,13 @@ import (
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/traefik/traefik/cluster"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/safe"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	"github.com/xenolf/lego/acme"
 )
 
-var _ challenge.ProviderTimeout = (*challengeHTTPProvider)(nil)
+var _ acme.ChallengeProviderTimeout = (*challengeHTTPProvider)(nil)
 
 type challengeHTTPProvider struct {
 	store cluster.Store
@@ -23,12 +23,10 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
 	log.Debugf("Looking for an existing ACME challenge for token %v...", token)
 	c.lock.RLock()
 	defer c.lock.RUnlock()
-
 	account := c.store.Get().(*Account)
 	if account.HTTPChallenge == nil {
 		return []byte{}
 	}
-
 	var result []byte
 	operation := func() error {
 		var ok bool
@@ -37,11 +35,9 @@ func (c *challengeHTTPProvider) getTokenValue(token, domain string) []byte {
 		}
 		return nil
 	}
-
 	notify := func(err error, time time.Duration) {
 		log.Errorf("Error getting challenge for token retrying in %s", time)
 	}
-
 	ebo := backoff.NewExponentialBackOff()
 	ebo.MaxElapsedTime = 60 * time.Second
 	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
@@ -56,23 +52,18 @@ func (c *challengeHTTPProvider) Present(domain, token, keyAuth string) error {
 	log.Debugf("Challenge Present %s", domain)
 	c.lock.Lock()
 	defer c.lock.Unlock()
-
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
-
 	account := object.(*Account)
 	if account.HTTPChallenge == nil {
 		account.HTTPChallenge = map[string]map[string][]byte{}
 	}
-
 	if _, ok := account.HTTPChallenge[token]; !ok {
 		account.HTTPChallenge[token] = map[string][]byte{}
 	}
-
 	account.HTTPChallenge[token][domain] = []byte(keyAuth)
-
 	return transaction.Commit(account)
 }
 
@@ -80,12 +71,10 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
 	log.Debugf("Challenge CleanUp %s", domain)
 	c.lock.Lock()
 	defer c.lock.Unlock()
-
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
-
 	account := object.(*Account)
 	if _, ok := account.HTTPChallenge[token]; ok {
 		if _, domainOk := account.HTTPChallenge[token][domain]; domainOk {
@@ -95,7 +84,6 @@ func (c *challengeHTTPProvider) CleanUp(domain, token, keyAuth string) error {
 			delete(account.HTTPChallenge, token)
 		}
 	}
-
 	return transaction.Commit(account)
 }
 

acme/challenge_tls_provider.go

@@ -1,21 +1,29 @@
 package acme
 
 import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/go-acme/lego/v3/challenge"
-	"github.com/go-acme/lego/v3/challenge/tlsalpn01"
-	"github.com/traefik/traefik/cluster"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/safe"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/tls/generate"
+	"github.com/xenolf/lego/acme"
 )
 
-var _ challenge.ProviderTimeout = (*challengeTLSProvider)(nil)
+var _ acme.ChallengeProviderTimeout = (*challengeTLSProvider)(nil)
 
 type challengeTLSProvider struct {
 	store cluster.Store
@@ -24,21 +32,16 @@ type challengeTLSProvider struct {
 
 func (c *challengeTLSProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
 	log.Debugf("Looking for an existing ACME challenge for %s...", domain)
-
 	if !strings.HasSuffix(domain, ".acme.invalid") {
 		return nil, false
 	}
-
 	c.lock.RLock()
 	defer c.lock.RUnlock()
-
 	account := c.store.Get().(*Account)
 	if account.ChallengeCerts == nil {
 		return nil, false
 	}
-
 	account.Init()
-
 	var result *tls.Certificate
 	operation := func() error {
 		for _, cert := range account.ChallengeCerts {
@@ -51,61 +54,50 @@ func (c *challengeTLSProvider) getCertificate(domain string) (cert *tls.Certific
 		}
 		return fmt.Errorf("cannot find challenge cert for domain %s", domain)
 	}
-
 	notify := func(err error, time time.Duration) {
 		log.Errorf("Error getting cert: %v, retrying in %s", err, time)
 	}
 	ebo := backoff.NewExponentialBackOff()
 	ebo.MaxElapsedTime = 60 * time.Second
-
 	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 	if err != nil {
 		log.Errorf("Error getting cert: %v", err)
 		return nil, false
-
 	}
 	return result, true
 }
 
 func (c *challengeTLSProvider) Present(domain, token, keyAuth string) error {
 	log.Debugf("Challenge Present %s", domain)
-
-	cert, err := tlsALPN01ChallengeCert(domain, keyAuth)
+	cert, _, err := tlsSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
 
 	c.lock.Lock()
 	defer c.lock.Unlock()
-
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
-
 	account := object.(*Account)
 	if account.ChallengeCerts == nil {
 		account.ChallengeCerts = map[string]*ChallengeCert{}
 	}
-	account.ChallengeCerts[domain] = cert
-
+	account.ChallengeCerts[domain] = &cert
 	return transaction.Commit(account)
 }
 
 func (c *challengeTLSProvider) CleanUp(domain, token, keyAuth string) error {
 	log.Debugf("Challenge CleanUp %s", domain)
-
 	c.lock.Lock()
 	defer c.lock.Unlock()
-
 	transaction, object, err := c.store.Begin()
 	if err != nil {
 		return err
 	}
-
 	account := object.(*Account)
 	delete(account.ChallengeCerts, domain)
-
 	return transaction.Commit(account)
 }
 
@@ -113,16 +105,46 @@ func (c *challengeTLSProvider) Timeout() (timeout, interval time.Duration) {
 	return 60 * time.Second, 5 * time.Second
 }
 
-func tlsALPN01ChallengeCert(domain, keyAuth string) (*ChallengeCert, error) {
-	tempCertPEM, rsaPrivPEM, err := tlsalpn01.ChallengeBlocks(domain, keyAuth)
+// tlsSNI01ChallengeCert returns a certificate and target domain for the `tls-sni-01` challenge
+func tlsSNI01ChallengeCert(keyAuth string) (ChallengeCert, string, error) {
+	// generate a new RSA key for the certificates
+	var tempPrivKey crypto.PrivateKey
+	tempPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, err
+		return ChallengeCert{}, "", err
+	}
+	rsaPrivKey := tempPrivKey.(*rsa.PrivateKey)
+	rsaPrivPEM := pemEncode(rsaPrivKey)
+
+	zBytes := sha256.Sum256([]byte(keyAuth))
+	z := hex.EncodeToString(zBytes[:sha256.Size])
+	domain := fmt.Sprintf("%s.%s.acme.invalid", z[:32], z[32:])
+	tempCertPEM, err := generate.PemCert(rsaPrivKey, domain, time.Time{})
+	if err != nil {
+		return ChallengeCert{}, "", err
 	}
 
 	certificate, err := tls.X509KeyPair(tempCertPEM, rsaPrivPEM)
 	if err != nil {
-		return nil, err
+		return ChallengeCert{}, "", err
 	}
 
-	return &ChallengeCert{Certificate: tempCertPEM, PrivateKey: rsaPrivPEM, certificate: &certificate}, nil
+	return ChallengeCert{Certificate: tempCertPEM, PrivateKey: rsaPrivPEM, certificate: &certificate}, domain, nil
+}
+
+func pemEncode(data interface{}) []byte {
+	var pemBlock *pem.Block
+	switch key := data.(type) {
+	case *ecdsa.PrivateKey:
+		keyBytes, _ := x509.MarshalECPrivateKey(key)
+		pemBlock = &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}
+	case *rsa.PrivateKey:
+		pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
+	case *x509.CertificateRequest:
+		pemBlock = &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: key.Raw}
+	case []byte:
+		pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.([]byte))}
+	}
+
+	return pem.EncodeToMemory(pemBlock)
 }

acme/localStore.go

@@ -2,16 +2,22 @@ package acme
 
 import (
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"os"
+	"sync"
 
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/provider/acme"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
 )
 
+var _ cluster.Store = (*LocalStore)(nil)
+
 // LocalStore is a store using a file as storage
 type LocalStore struct {
-	file string
+	file        string
+	storageLock sync.RWMutex
+	account     *Account
 }
 
 // NewLocalStore create a LocalStore
@@ -21,157 +27,71 @@ func NewLocalStore(file string) *LocalStore {
 	}
 }
 
-// Get loads file into store and returns the Account
-func (s *LocalStore) Get() (*Account, error) {
+// Get atomically a struct from the file storage
+func (s *LocalStore) Get() cluster.Object {
+	s.storageLock.RLock()
+	defer s.storageLock.RUnlock()
+	return s.account
+}
+
+// Load loads file into store
+func (s *LocalStore) Load() (cluster.Object, error) {
+	s.storageLock.Lock()
+	defer s.storageLock.Unlock()
 	account := &Account{}
 
-	hasData, err := acme.CheckFile(s.file)
+	err := checkPermissions(s.file)
 	if err != nil {
 		return nil, err
 	}
-
-	if hasData {
-		f, err := os.Open(s.file)
-		if err != nil {
-			return nil, err
-		}
-		defer f.Close()
-
-		file, err := ioutil.ReadAll(f)
-		if err != nil {
-			return nil, err
-		}
-
-		if err := json.Unmarshal(file, &account); err != nil {
-			return nil, err
-		}
+	f, err := os.Open(s.file)
+	if err != nil {
+		return nil, err
 	}
-
+	defer f.Close()
+	file, err := ioutil.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(file, &account); err != nil {
+		return nil, err
+	}
+	account.Init()
+	s.account = account
+	log.Infof("Loaded ACME config from store %s", s.file)
 	return account, nil
 }
 
-// ConvertToNewFormat converts old acme.json format to the new one and store the result into the file (used for the backward compatibility)
-func ConvertToNewFormat(fileName string) {
-	localStore := acme.NewLocalStore(fileName)
-
-	storeAccount, err := localStore.GetAccount()
-	if err != nil {
-		log.Errorf("Failed to read new account, ACME data conversion is not available : %v", err)
-		return
-	}
-
-	storeCertificates, err := localStore.GetCertificates()
-	if err != nil {
-		log.Errorf("Failed to read new certificates, ACME data conversion is not available : %v", err)
-		return
-	}
-
-	if storeAccount == nil {
-		localStore := NewLocalStore(fileName)
-
-		account, err := localStore.Get()
-		if err != nil {
-			log.Errorf("Failed to read old account, ACME data conversion is not available : %v", err)
-			return
-		}
-
-		// Convert ACME data from old to new format
-		newAccount := &acme.Account{}
-		if account != nil && len(account.Email) > 0 {
-			err = backupACMEFile(fileName, account)
-			if err != nil {
-				log.Errorf("Unable to create a backup for the V1 formatted ACME file: %v", err)
-				return
-			}
-
-			err = account.RemoveAccountV1Values()
-			if err != nil {
-				log.Errorf("Unable to remove ACME Account V1 values during format conversion: %v", err)
-				return
-			}
-
-			newAccount = &acme.Account{
-				PrivateKey:   account.PrivateKey,
-				Registration: account.Registration,
-				Email:        account.Email,
-				KeyType:      account.KeyType,
-			}
-
-			var newCertificates []*acme.Certificate
-			for _, cert := range account.DomainsCertificate.Certs {
-				newCertificates = append(newCertificates, &acme.Certificate{
-					Certificate: cert.Certificate.Certificate,
-					Key:         cert.Certificate.PrivateKey,
-					Domain:      cert.Domains,
-				})
-			}
-
-			// If account is in the old format, storeCertificates is nil or empty and has to be initialized
-			storeCertificates = newCertificates
-		}
-
-		// Store the data in new format into the file even if account is nil
-		// to delete Account in ACME v1 format and keeping the certificates
-		newLocalStore := acme.NewLocalStore(fileName)
-		newLocalStore.SaveDataChan <- &acme.StoredData{Account: newAccount, Certificates: storeCertificates}
-	}
+// Begin creates a transaction with the KV store.
+func (s *LocalStore) Begin() (cluster.Transaction, cluster.Object, error) {
+	s.storageLock.Lock()
+	return &localTransaction{LocalStore: s}, s.account, nil
 }
 
-func backupACMEFile(originalFileName string, account interface{}) error {
+var _ cluster.Transaction = (*localTransaction)(nil)
+
+type localTransaction struct {
+	*LocalStore
+	dirty bool
+}
+
+// Commit allows to set an object in the file storage
+func (t *localTransaction) Commit(object cluster.Object) error {
+	t.LocalStore.account = object.(*Account)
+	defer t.storageLock.Unlock()
+	if t.dirty {
+		return fmt.Errorf("transaction already used, please begin a new one")
+	}
+
 	// write account to file
-	data, err := json.MarshalIndent(account, "", "  ")
+	data, err := json.MarshalIndent(object, "", "  ")
 	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(originalFileName+".bak", data, 0600)
-}
-
-// FromNewToOldFormat converts new acme account to the old one (used for the backward compatibility)
-func FromNewToOldFormat(fileName string) (*Account, error) {
-	localStore := acme.NewLocalStore(fileName)
-
-	storeAccount, err := localStore.GetAccount()
+	err = ioutil.WriteFile(t.file, data, 0600)
 	if err != nil {
-		return nil, err
+		return err
 	}
-
-	storeCertificates, err := localStore.GetCertificates()
-	if err != nil {
-		return nil, err
-	}
-
-	// Convert ACME Account from new to old format
-	// (Needed by the KV stores)
-	var account *Account
-	if storeAccount != nil {
-		account = &Account{
-			Email:              storeAccount.Email,
-			PrivateKey:         storeAccount.PrivateKey,
-			Registration:       storeAccount.Registration,
-			DomainsCertificate: DomainsCertificates{},
-			KeyType:            storeAccount.KeyType,
-		}
-	}
-
-	// Convert ACME Certificates from new to old format
-	// (Needed by the KV stores)
-	if len(storeCertificates) > 0 {
-		// Account can be nil if data are migrated from new format
-		// with a ACME V1 Account
-		if account == nil {
-			account = &Account{}
-		}
-		for _, cert := range storeCertificates {
-			_, err := account.DomainsCertificate.addCertificateForDomains(&Certificate{
-				Domain:      cert.Domain.Main,
-				Certificate: cert.Certificate,
-				PrivateKey:  cert.Key,
-			}, cert.Domain)
-			if err != nil {
-				return nil, err
-			}
-		}
-	}
-
-	return account, nil
+	t.dirty = true
+	return nil
 }

acme/localStore_test.go

@@ -5,27 +5,37 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
-
-	"github.com/stretchr/testify/assert"
 )
 
-func TestGet(t *testing.T) {
+func TestLoad(t *testing.T) {
 	acmeFile := "./acme_example.json"
 
 	folder, prefix := filepath.Split(acmeFile)
 	tmpFile, err := ioutil.TempFile(folder, prefix)
 	defer os.Remove(tmpFile.Name())
 
-	assert.NoError(t, err)
+	if err != nil {
+		t.Error(err)
+	}
 
 	fileContent, err := ioutil.ReadFile(acmeFile)
-	assert.NoError(t, err)
+	if err != nil {
+		t.Error(err)
+	}
 
 	tmpFile.Write(fileContent)
 
 	localStore := NewLocalStore(tmpFile.Name())
-	account, err := localStore.Get()
-	assert.NoError(t, err)
+	obj, err := localStore.Load()
+	if err != nil {
+		t.Error(err)
+	}
+	account, ok := obj.(*Account)
+	if !ok {
+		t.Error("Object is not an ACME Account")
+	}
 
-	assert.Len(t, account.DomainsCertificate.Certs, 1)
+	if len(account.DomainsCertificate.Certs) != 1 {
+		t.Errorf("Must found %d and found %d certificates in Account", 3, len(account.DomainsCertificate.Certs))
+	}
 }

acme/localStore_unix.go

@@ -0,0 +1,25 @@
+// +build !windows
+
+package acme
+
+import (
+	"fmt"
+	"os"
+)
+
+// Check file permissions
+func checkPermissions(name string) error {
+	f, err := os.Open(name)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	fi, err := f.Stat()
+	if err != nil {
+		return err
+	}
+	if fi.Mode().Perm()&0077 != 0 {
+		return fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), name)
+	}
+	return nil
+}

acme/localStore_windows.go

@@ -0,0 +1,6 @@
+package acme
+
+// Do not check file permissions on Windows right now
+func checkPermissions(name string) error {
+	return nil
+}

api/dashboard.go

@@ -2,57 +2,21 @@ package api
 
 import (
 	"net/http"
-	"net/url"
 
 	"github.com/containous/mux"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
-	"github.com/traefik/traefik/log"
+	"github.com/containous/traefik/autogen/genstatic"
+	"github.com/elazarl/go-bindata-assetfs"
 )
 
 // DashboardHandler expose dashboard routes
-type DashboardHandler struct {
-	Assets *assetfs.AssetFS
-}
+type DashboardHandler struct{}
 
 // AddRoutes add dashboard routes on a router
 func (g DashboardHandler) AddRoutes(router *mux.Router) {
-	if g.Assets == nil {
-		log.Error("No assets for dashboard")
-		return
-	}
-
 	// Expose dashboard
-	router.Methods(http.MethodGet).
-		Path("/").
-		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-			http.Redirect(resp, req, safePrefix(req)+"/dashboard/", 302)
-		})
-
-	router.Methods(http.MethodGet).
-		Path("/dashboard/status").
-		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-			http.Redirect(resp, req, "/dashboard/", 302)
-		})
-
-	router.Methods(http.MethodGet).
-		PathPrefix("/dashboard/").
-		Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets)))
-}
-
-func safePrefix(req *http.Request) string {
-	prefix := req.Header.Get("X-Forwarded-Prefix")
-	if prefix == "" {
-		return ""
-	}
-
-	parse, err := url.Parse(prefix)
-	if err != nil {
-		return ""
-	}
-
-	if parse.Host != "" {
-		return ""
-	}
-
-	return parse.Path
+	router.Methods(http.MethodGet).Path("/").HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+		http.Redirect(response, request, request.Header.Get("X-Forwarded-Prefix")+"/dashboard/", 302)
+	})
+	router.Methods(http.MethodGet).PathPrefix("/dashboard/").
+		Handler(http.StripPrefix("/dashboard/", http.FileServer(&assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"})))
 }

api/dashboard_test.go

@@ -1,54 +0,0 @@
-package api
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_safePrefix(t *testing.T) {
-	testCases := []struct {
-		desc     string
-		value    string
-		expected string
-	}{
-		{
-			desc:     "host",
-			value:    "https://example.com",
-			expected: "",
-		},
-		{
-			desc:     "host with path",
-			value:    "https://example.com/foo/bar?test",
-			expected: "",
-		},
-		{
-			desc:     "path",
-			value:    "/foo/bar",
-			expected: "/foo/bar",
-		},
-		{
-			desc:     "path without leading slash",
-			value:    "foo/bar",
-			expected: "foo/bar",
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			req, err := http.NewRequest(http.MethodGet, "http://localhost", nil)
-			require.NoError(t, err)
-
-			req.Header.Set("X-Forwarded-Prefix", test.value)
-
-			prefix := safePrefix(req)
-
-			assert.Equal(t, test.expected, prefix)
-		})
-	}
-}

api/debug.go

@@ -38,8 +38,6 @@ func (g DebugHandler) AddRoutes(router *mux.Router) {
 			fmt.Fprint(w, "\n}\n")
 		})
 
-	runtime.SetBlockProfileRate(1)
-	runtime.SetMutexProfileFraction(5)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/cmdline").HandlerFunc(pprof.Cmdline)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/profile").HandlerFunc(pprof.Profile)
 	router.Methods(http.MethodGet).PathPrefix("/debug/pprof/symbol").HandlerFunc(pprof.Symbol)

api/handler.go

@@ -4,13 +4,12 @@ import (
 	"net/http"
 
 	"github.com/containous/mux"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/middlewares"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
+	"github.com/containous/traefik/version"
 	thoas_stats "github.com/thoas/stats"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/middlewares"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/types"
-	"github.com/traefik/traefik/version"
 	"github.com/unrolled/render"
 )
 
@@ -23,7 +22,6 @@ type Handler struct {
 	Statistics            *types.Statistics          `description:"Enable more detailed statistics" export:"true"`
 	Stats                 *thoas_stats.Stats         `json:"-"`
 	StatsRecorder         *middlewares.StatsRecorder `json:"-"`
-	DashboardAssets       *assetfs.AssetFS           `json:"-"`
 }
 
 var (
@@ -56,7 +54,7 @@ func (p Handler) AddRoutes(router *mux.Router) {
 	version.Handler{}.AddRoutes(router)
 
 	if p.Dashboard {
-		DashboardHandler{Assets: p.DashboardAssets}.AddRoutes(router)
+		DashboardHandler{}.AddRoutes(router)
 	}
 }
 

build.Dockerfile

@@ -1,34 +1,27 @@
-FROM golang:1.16-alpine
+FROM golang:1.9-alpine
 
 RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
-    && update-ca-certificates \
-    && rm -rf /var/cache/apk/*
+&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
+&& rm -rf /var/cache/apk/*
 
-RUN go get golang.org/x/lint/golint \
+RUN go get github.com/containous/go-bindata/... \
+&& go get github.com/golang/lint/golint \
+&& go get github.com/kisielk/errcheck \
 && go get github.com/client9/misspell/cmd/misspell
 
 # Which docker version to test on
-ARG DOCKER_VERSION=18.09.7
+ARG DOCKER_VERSION=17.03.2
+ARG DEP_VERSION=0.4.1
+
+# Download dep binary to bin folder in $GOPATH
+RUN mkdir -p /usr/local/bin \
+    && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
+    && chmod +x /usr/local/bin/dep
 
 # Download docker
 RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
     | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
-# Download go-bindata binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
-    && chmod +x /usr/local/bin/go-bindata
-
-# Download misspell binary to bin folder in $GOPATH
-RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
-
-WORKDIR /go/src/github.com/traefik/traefik
-
-# Download go modules
-COPY go.mod .
-COPY go.sum .
-RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
-
-COPY . /go/src/github.com/traefik/traefik
+WORKDIR /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/containous/traefik

cluster/datastore.go

@@ -7,13 +7,13 @@ import (
 	"sync"
 	"time"
 
-	"github.com/abronan/valkeyrie/store"
 	"github.com/cenk/backoff"
 	"github.com/containous/staert"
-	"github.com/google/uuid"
-	"github.com/traefik/traefik/job"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/safe"
+	"github.com/containous/traefik/job"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	"github.com/docker/libkv/store"
+	"github.com/satori/go.uuid"
 )
 
 // Metadata stores Object plus metadata
@@ -78,7 +78,7 @@ func (d *Datastore) watchChanges() error {
 	stopCh := make(chan struct{})
 	kvCh, err := d.kv.Watch(d.lockKey, stopCh, nil)
 	if err != nil {
-		return fmt.Errorf("error while watching key %s: %v", d.lockKey, err)
+		return err
 	}
 	safe.Go(func() {
 		ctx, cancel := context.WithCancel(d.ctx)
@@ -125,7 +125,7 @@ func (d *Datastore) reload() error {
 
 // Begin creates a transaction with the KV store.
 func (d *Datastore) Begin() (Transaction, Object, error) {
-	id := uuid.New().String()
+	id := uuid.NewV4().String()
 	log.Debugf("Transaction %s begins", id)
 	remoteLock, err := d.kv.NewLock(d.lockKey, &store.LockOptions{TTL: 20 * time.Second, Value: []byte(id)})
 	if err != nil {
@@ -152,7 +152,7 @@ func (d *Datastore) Begin() (Transaction, Object, error) {
 	operation := func() error {
 		meta := d.get()
 		if meta.Lock != id {
-			return fmt.Errorf("object lock value: expected %s, got %s", id, meta.Lock)
+			return fmt.Errorf("Object lock value: expected %s, got %s", id, meta.Lock)
 		}
 		return nil
 	}
@@ -167,7 +167,7 @@ func (d *Datastore) Begin() (Transaction, Object, error) {
 	ebo.MaxElapsedTime = 60 * time.Second
 	err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 	if err != nil {
-		return nil, nil, fmt.Errorf("datastore cannot sync: %v", err)
+		return nil, nil, fmt.Errorf("Datastore cannot sync: %v", err)
 	}
 
 	// we synced with KV store, we can now return Setter
@@ -224,12 +224,12 @@ func (s *datastoreTransaction) Commit(object Object) error {
 	s.localLock.Lock()
 	defer s.localLock.Unlock()
 	if s.dirty {
-		return fmt.Errorf("transaction already used, please begin a new one")
+		return fmt.Errorf("Transaction already used, please begin a new one")
 	}
 	s.Datastore.meta.object = object
 	err := s.Datastore.meta.Marshall()
 	if err != nil {
-		return fmt.Errorf("marshall error: %s", err)
+		return fmt.Errorf("Marshall error: %s", err)
 	}
 	err = s.kv.StoreConfig(s.Datastore.meta)
 	if err != nil {
@@ -238,7 +238,7 @@ func (s *datastoreTransaction) Commit(object Object) error {
 
 	err = s.remoteLock.Unlock()
 	if err != nil {
-		return fmt.Errorf("unlock error: %s", err)
+		return fmt.Errorf("Unlock error: %s", err)
 	}
 
 	s.dirty = true

cluster/leadership.go

@@ -2,24 +2,15 @@ package cluster
 
 import (
 	"context"
-	"net/http"
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/containous/mux"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/types"
 	"github.com/docker/leadership"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/types"
-	"github.com/unrolled/render"
 )
 
-const clusterLeaderKeySuffix = "/leader"
-
-var templatesRenderer = render.New(render.Options{
-	Directory: "nowhere",
-})
-
 // Leadership allows leadership election using a KV store
 type Leadership struct {
 	*safe.Pool
@@ -34,7 +25,7 @@ func NewLeadership(ctx context.Context, cluster *types.Cluster) *Leadership {
 	return &Leadership{
 		Pool:      safe.NewPool(ctx),
 		Cluster:   cluster,
-		candidate: leadership.NewCandidate(cluster.Store, cluster.Store.Prefix+clusterLeaderKeySuffix, cluster.Node, 20*time.Second),
+		candidate: leadership.NewCandidate(cluster.Store, cluster.Store.Prefix+"/leader", cluster.Node, 20*time.Second),
 		listeners: []LeaderListener{},
 		leader:    safe.New(false),
 	}
@@ -107,40 +98,7 @@ func (l *Leadership) onElection(elected bool) {
 	}
 }
 
-type leaderResponse struct {
-	Leader     bool   `json:"leader"`
-	LeaderNode string `json:"leader_node"`
-}
-
-func (l *Leadership) getLeaderHandler(response http.ResponseWriter, request *http.Request) {
-	leaderNode := ""
-	leaderKv, err := l.Cluster.Store.Get(l.Cluster.Store.Prefix+clusterLeaderKeySuffix, nil)
-	if err != nil {
-		log.Error(err)
-	} else {
-		leaderNode = string(leaderKv.Value)
-	}
-	leader := &leaderResponse{Leader: l.IsLeader(), LeaderNode: leaderNode}
-
-	status := http.StatusOK
-	if !leader.Leader {
-		// Set status to be `429`, as this will typically cause load balancers to stop sending requests to the instance without removing them from rotation.
-		status = http.StatusTooManyRequests
-	}
-
-	err = templatesRenderer.JSON(response, status, leader)
-	if err != nil {
-		log.Error(err)
-	}
-}
-
 // IsLeader returns true if current node is leader
 func (l *Leadership) IsLeader() bool {
 	return l.leader.Get().(bool)
 }
-
-// AddRoutes add dashboard routes on a router
-func (l *Leadership) AddRoutes(router *mux.Router) {
-	// Expose cluster leader
-	router.Methods(http.MethodGet).Path("/api/cluster/leader").HandlerFunc(l.getLeaderHandler)
-}

cmd/bug/bug.go

@@ -1,171 +0,0 @@
-package bug
-
-import (
-	"bytes"
-	"fmt"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"text/template"
-
-	"github.com/containous/flaeg"
-	"github.com/traefik/traefik/anonymize"
-	"github.com/traefik/traefik/cmd"
-	"github.com/traefik/traefik/cmd/version"
-)
-
-const (
-	bugTracker  = "https://github.com/traefik/traefik/issues/new"
-	bugTemplate = `<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, refer to one of the following:
-
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
-
--->
-
-### Do you want to request a *feature* or report a *bug*?
-
-(If you intend to ask a support question: **DO NOT FILE AN ISSUE**.
-Use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik)
-or [Slack](https://slack.traefik.io) instead.)
-
-
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as more as possible.
-- If it's possible use the command ` + "`" + "traefik bug" + "`" + `. See https://www.youtube.com/watch?v=Lyz62L8m93I.
-- The title must be short and descriptive.
-- Explain the conditions which led you to write this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of ` + "`" + `traefik version` + "`" + `: (_What version of Traefik are you using?_)
-
-` + "```" + `
-{{.Version}}
-` + "```" + `
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-` + "```" + `json
-{{.Configuration}}
-` + "```" + `
-
-<!--
-Add more configuration information here.
--->
-
-### If applicable, please paste the log output at DEBUG level (` + "`" + `--logLevel=DEBUG` + "`" + ` switch)
-
-` + "```" + `
-(paste your output here)
-` + "```" + `
-
-`
-)
-
-// NewCmd builds a new Bug command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
-
-	// version Command init
-	return &flaeg.Command{
-		Name:                  "bug",
-		Description:           `Report an issue on Traefik bugtracker`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run:                   runCmd(traefikConfiguration),
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-}
-
-func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
-	return func() error {
-
-		body, err := createReport(traefikConfiguration)
-		if err != nil {
-			return err
-		}
-
-		sendReport(body)
-
-		return nil
-	}
-}
-
-func createReport(traefikConfiguration *cmd.TraefikConfiguration) (string, error) {
-	var versionPrint bytes.Buffer
-	if err := version.GetPrint(&versionPrint); err != nil {
-		return "", err
-	}
-
-	tmpl, err := template.New("bug").Parse(bugTemplate)
-	if err != nil {
-		return "", err
-	}
-
-	config, err := anonymize.Do(traefikConfiguration, true)
-	if err != nil {
-		return "", err
-	}
-
-	v := struct {
-		Version       string
-		Configuration string
-	}{
-		Version:       versionPrint.String(),
-		Configuration: config,
-	}
-
-	var bug bytes.Buffer
-	if err := tmpl.Execute(&bug, v); err != nil {
-		return "", err
-	}
-
-	return bug.String(), nil
-}
-
-func sendReport(body string) {
-	URL := bugTracker + "?body=" + url.QueryEscape(body)
-	if err := openBrowser(URL); err != nil {
-		fmt.Printf("Please file a new issue at %s using this template:\n\n", bugTracker)
-		fmt.Print(body)
-	}
-}
-
-func openBrowser(URL string) error {
-	var err error
-	switch runtime.GOOS {
-	case "linux":
-		err = exec.Command("xdg-open", URL).Start()
-	case "windows":
-		err = exec.Command("rundll32", "url.dll,FileProtocolHandler", URL).Start()
-	case "darwin":
-		err = exec.Command("open", URL).Start()
-	default:
-		err = fmt.Errorf("unsupported platform")
-	}
-	return err
-}

cmd/bug/bug_test.go

@@ -1,67 +0,0 @@
-package bug
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/traefik/traefik/anonymize"
-	"github.com/traefik/traefik/cmd"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/provider/file"
-	"github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
-)
-
-func Test_createReport(t *testing.T) {
-	traefikConfiguration := &cmd.TraefikConfiguration{
-		ConfigFile: "FOO",
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			EntryPoints: configuration.EntryPoints{
-				"goo": &configuration.EntryPoint{
-					Address: "hoo.bar",
-					Auth: &types.Auth{
-						Basic: &types.Basic{
-							UsersFile: "foo Basic UsersFile",
-							Users:     types.Users{"foo Basic Users 1", "foo Basic Users 2", "foo Basic Users 3"},
-						},
-						Digest: &types.Digest{
-							UsersFile: "foo Digest UsersFile",
-							Users:     types.Users{"foo Digest Users 1", "foo Digest Users 2", "foo Digest Users 3"},
-						},
-					},
-				},
-			},
-			File: &file.Provider{
-				Directory: "BAR",
-			},
-			RootCAs: tls.FilesOrContents{"fllf"},
-		},
-	}
-
-	report, err := createReport(traefikConfiguration)
-	assert.NoError(t, err, report)
-
-	// exported anonymous configuration
-	assert.NotContains(t, "web Basic Users ", report)
-	assert.NotContains(t, "foo Digest Users ", report)
-	assert.NotContains(t, "hoo.bar", report)
-}
-
-func Test_anonymize_traefikConfiguration(t *testing.T) {
-	traefikConfiguration := &cmd.TraefikConfiguration{
-		ConfigFile: "FOO",
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			EntryPoints: configuration.EntryPoints{
-				"goo": &configuration.EntryPoint{
-					Address: "hoo.bar",
-				},
-			},
-			File: &file.Provider{
-				Directory: "BAR",
-			},
-		},
-	}
-	_, err := anonymize.Do(traefikConfiguration, true)
-	assert.NoError(t, err)
-	assert.Equal(t, "hoo.bar", traefikConfiguration.GlobalConfiguration.EntryPoints["goo"].Address)
-}

cmd/configuration.go

@@ -1,347 +0,0 @@
-package cmd
-
-import (
-	"time"
-
-	"github.com/containous/flaeg"
-	servicefabric "github.com/containous/traefik-extra-service-fabric"
-	sf "github.com/jjcollinge/servicefabric"
-	"github.com/traefik/traefik/api"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/middlewares/accesslog"
-	"github.com/traefik/traefik/middlewares/tracing"
-	"github.com/traefik/traefik/middlewares/tracing/datadog"
-	"github.com/traefik/traefik/middlewares/tracing/jaeger"
-	"github.com/traefik/traefik/middlewares/tracing/zipkin"
-	"github.com/traefik/traefik/ping"
-	"github.com/traefik/traefik/provider/boltdb"
-	"github.com/traefik/traefik/provider/consul"
-	"github.com/traefik/traefik/provider/consulcatalog"
-	"github.com/traefik/traefik/provider/docker"
-	"github.com/traefik/traefik/provider/dynamodb"
-	"github.com/traefik/traefik/provider/ecs"
-	"github.com/traefik/traefik/provider/etcd"
-	"github.com/traefik/traefik/provider/eureka"
-	"github.com/traefik/traefik/provider/file"
-	"github.com/traefik/traefik/provider/kubernetes"
-	"github.com/traefik/traefik/provider/marathon"
-	"github.com/traefik/traefik/provider/mesos"
-	"github.com/traefik/traefik/provider/rancher"
-	"github.com/traefik/traefik/provider/rest"
-	"github.com/traefik/traefik/provider/zk"
-	"github.com/traefik/traefik/types"
-)
-
-// TraefikConfiguration holds GlobalConfiguration and other stuff
-type TraefikConfiguration struct {
-	configuration.GlobalConfiguration `mapstructure:",squash" export:"true"`
-	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
-}
-
-// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
-func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
-	// default Docker
-	var defaultDocker docker.Provider
-	defaultDocker.Watch = true
-	defaultDocker.ExposedByDefault = true
-	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
-	defaultDocker.SwarmMode = false
-	defaultDocker.SwarmModeRefreshSeconds = 15
-
-	// default File
-	var defaultFile file.Provider
-	defaultFile.Watch = true
-	defaultFile.Filename = "" // needs equivalent to  viper.ConfigFileUsed()
-
-	// default Rest
-	var defaultRest rest.Provider
-	defaultRest.EntryPoint = configuration.DefaultInternalEntryPointName
-
-	// TODO: Deprecated - Web provider, use REST provider instead
-	var defaultWeb configuration.WebCompatibility
-	defaultWeb.Address = ":8080"
-	defaultWeb.Statistics = &types.Statistics{
-		RecentErrors: 10,
-	}
-
-	// TODO: Deprecated - default Metrics
-	defaultWeb.Metrics = &types.Metrics{
-		Prometheus: &types.Prometheus{
-			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
-			EntryPoint: configuration.DefaultInternalEntryPointName,
-		},
-		Datadog: &types.Datadog{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		StatsD: &types.Statsd{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		InfluxDB: &types.InfluxDB{
-			Address:      "localhost:8089",
-			Protocol:     "udp",
-			PushInterval: "10s",
-		},
-	}
-
-	// default Marathon
-	var defaultMarathon marathon.Provider
-	defaultMarathon.Watch = true
-	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
-	defaultMarathon.ExposedByDefault = true
-	defaultMarathon.Constraints = types.Constraints{}
-	defaultMarathon.DialerTimeout = flaeg.Duration(5 * time.Second)
-	defaultMarathon.ResponseHeaderTimeout = flaeg.Duration(60 * time.Second)
-	defaultMarathon.TLSHandshakeTimeout = flaeg.Duration(5 * time.Second)
-	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
-
-	// default Consul
-	var defaultConsul consul.Provider
-	defaultConsul.Watch = true
-	defaultConsul.Endpoint = "127.0.0.1:8500"
-	defaultConsul.Prefix = "traefik"
-	defaultConsul.Constraints = types.Constraints{}
-
-	// default CatalogProvider
-	var defaultConsulCatalog consulcatalog.Provider
-	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
-	defaultConsulCatalog.ExposedByDefault = true
-	defaultConsulCatalog.Constraints = types.Constraints{}
-	defaultConsulCatalog.Prefix = "traefik"
-	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
-	defaultConsulCatalog.Stale = false
-	defaultConsulCatalog.StrictChecks = true
-
-	// default Etcd
-	var defaultEtcd etcd.Provider
-	defaultEtcd.Watch = true
-	defaultEtcd.Endpoint = "127.0.0.1:2379"
-	defaultEtcd.Prefix = "/traefik"
-	defaultEtcd.Constraints = types.Constraints{}
-
-	// default Zookeeper
-	var defaultZookeeper zk.Provider
-	defaultZookeeper.Watch = true
-	defaultZookeeper.Endpoint = "127.0.0.1:2181"
-	defaultZookeeper.Prefix = "traefik"
-	defaultZookeeper.Constraints = types.Constraints{}
-
-	// default Boltdb
-	var defaultBoltDb boltdb.Provider
-	defaultBoltDb.Watch = true
-	defaultBoltDb.Endpoint = "127.0.0.1:4001"
-	defaultBoltDb.Prefix = "/traefik"
-	defaultBoltDb.Constraints = types.Constraints{}
-
-	// default Kubernetes
-	var defaultKubernetes kubernetes.Provider
-	defaultKubernetes.Watch = true
-	defaultKubernetes.Constraints = types.Constraints{}
-
-	// default Mesos
-	var defaultMesos mesos.Provider
-	defaultMesos.Watch = true
-	defaultMesos.Endpoint = "http://127.0.0.1:5050"
-	defaultMesos.ExposedByDefault = true
-	defaultMesos.Constraints = types.Constraints{}
-	defaultMesos.RefreshSeconds = 30
-	defaultMesos.ZkDetectionTimeout = 30
-	defaultMesos.StateTimeoutSecond = 30
-
-	// default ECS
-	var defaultECS ecs.Provider
-	defaultECS.Watch = true
-	defaultECS.ExposedByDefault = true
-	defaultECS.AutoDiscoverClusters = false
-	defaultECS.Clusters = ecs.Clusters{"default"}
-	defaultECS.RefreshSeconds = 15
-	defaultECS.Constraints = types.Constraints{}
-
-	// default Rancher
-	var defaultRancher rancher.Provider
-	defaultRancher.Watch = true
-	defaultRancher.ExposedByDefault = true
-	defaultRancher.RefreshSeconds = 15
-
-	// default DynamoDB
-	var defaultDynamoDB dynamodb.Provider
-	defaultDynamoDB.Constraints = types.Constraints{}
-	defaultDynamoDB.RefreshSeconds = 15
-	defaultDynamoDB.TableName = "traefik"
-	defaultDynamoDB.Watch = true
-
-	// default Eureka
-	var defaultEureka eureka.Provider
-	defaultEureka.RefreshSeconds = flaeg.Duration(30 * time.Second)
-
-	// default ServiceFabric
-	var defaultServiceFabric servicefabric.Provider
-	defaultServiceFabric.APIVersion = sf.DefaultAPIVersion
-	defaultServiceFabric.RefreshSeconds = 10
-
-	// default Ping
-	var defaultPing = ping.Handler{
-		EntryPoint: "traefik",
-	}
-
-	// default TraefikLog
-	defaultTraefikLog := types.TraefikLog{
-		Format:   "common",
-		FilePath: "",
-	}
-
-	// default AccessLog
-	defaultAccessLog := types.AccessLog{
-		Format:   accesslog.CommonFormat,
-		FilePath: "",
-		Filters:  &types.AccessLogFilters{},
-		Fields: &types.AccessLogFields{
-			DefaultMode: types.AccessLogKeep,
-			Headers: &types.FieldHeaders{
-				DefaultMode: types.AccessLogKeep,
-			},
-		},
-	}
-
-	// default HealthCheckConfig
-	healthCheck := configuration.HealthCheckConfig{
-		Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
-	}
-
-	// default RespondingTimeouts
-	respondingTimeouts := configuration.RespondingTimeouts{
-		IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
-	}
-
-	// default ForwardingTimeouts
-	forwardingTimeouts := configuration.ForwardingTimeouts{
-		DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
-	}
-
-	// default Tracing
-	defaultTracing := tracing.Tracing{
-		Backend:       "jaeger",
-		ServiceName:   "traefik",
-		SpanNameLimit: 0,
-		Jaeger: &jaeger.Config{
-			SamplingServerURL:      "http://localhost:5778/sampling",
-			SamplingType:           "const",
-			SamplingParam:          1.0,
-			LocalAgentHostPort:     "127.0.0.1:6831",
-			TraceContextHeaderName: "uber-trace-id",
-		},
-		Zipkin: &zipkin.Config{
-			HTTPEndpoint: "http://localhost:9411/api/v1/spans",
-			SameSpan:     false,
-			ID128Bit:     true,
-			Debug:        false,
-		},
-		DataDog: &datadog.Config{
-			LocalAgentHostPort: "localhost:8126",
-			GlobalTag:          "",
-			Debug:              false,
-			PrioritySampling:   false,
-		},
-	}
-
-	// default LifeCycle
-	defaultLifeCycle := configuration.LifeCycle{
-		GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
-	}
-
-	// default ApiConfiguration
-	defaultAPI := api.Handler{
-		EntryPoint: "traefik",
-		Dashboard:  true,
-	}
-	defaultAPI.Statistics = &types.Statistics{
-		RecentErrors: 10,
-	}
-
-	// default Metrics
-	defaultMetrics := types.Metrics{
-		Prometheus: &types.Prometheus{
-			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
-			EntryPoint: configuration.DefaultInternalEntryPointName,
-		},
-		Datadog: &types.Datadog{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		StatsD: &types.Statsd{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		InfluxDB: &types.InfluxDB{
-			Address:      "localhost:8089",
-			Protocol:     "udp",
-			PushInterval: "10s",
-		},
-	}
-
-	defaultResolver := configuration.HostResolverConfig{
-		CnameFlattening: false,
-		ResolvConfig:    "/etc/resolv.conf",
-		ResolvDepth:     5,
-	}
-
-	defaultConfiguration := configuration.GlobalConfiguration{
-		Docker:             &defaultDocker,
-		File:               &defaultFile,
-		Web:                &defaultWeb,
-		Rest:               &defaultRest,
-		Marathon:           &defaultMarathon,
-		Consul:             &defaultConsul,
-		ConsulCatalog:      &defaultConsulCatalog,
-		Etcd:               &defaultEtcd,
-		Zookeeper:          &defaultZookeeper,
-		Boltdb:             &defaultBoltDb,
-		Kubernetes:         &defaultKubernetes,
-		Mesos:              &defaultMesos,
-		ECS:                &defaultECS,
-		Rancher:            &defaultRancher,
-		Eureka:             &defaultEureka,
-		DynamoDB:           &defaultDynamoDB,
-		Retry:              &configuration.Retry{},
-		HealthCheck:        &healthCheck,
-		RespondingTimeouts: &respondingTimeouts,
-		ForwardingTimeouts: &forwardingTimeouts,
-		TraefikLog:         &defaultTraefikLog,
-		AccessLog:          &defaultAccessLog,
-		LifeCycle:          &defaultLifeCycle,
-		Ping:               &defaultPing,
-		API:                &defaultAPI,
-		Metrics:            &defaultMetrics,
-		Tracing:            &defaultTracing,
-		HostResolver:       &defaultResolver,
-	}
-
-	return &TraefikConfiguration{
-		GlobalConfiguration: defaultConfiguration,
-	}
-}
-
-// NewTraefikConfiguration creates a TraefikConfiguration with default values
-func NewTraefikConfiguration() *TraefikConfiguration {
-	return &TraefikConfiguration{
-		GlobalConfiguration: configuration.GlobalConfiguration{
-			AccessLogsFile:            "",
-			TraefikLogsFile:           "",
-			EntryPoints:               map[string]*configuration.EntryPoint{},
-			Constraints:               types.Constraints{},
-			DefaultEntryPoints:        []string{"http"},
-			ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
-			MaxIdleConnsPerHost:       200,
-			IdleTimeout:               flaeg.Duration(0),
-			HealthCheck: &configuration.HealthCheckConfig{
-				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
-			},
-			LifeCycle: &configuration.LifeCycle{
-				GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
-			},
-			CheckNewVersion: true,
-		},
-		ConfigFile: "",
-	}
-}

cmd/context.go

@@ -1,22 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-// ContextWithSignal create a context cancelled when SIGINT or SIGTERM are notified
-func ContextWithSignal(ctx context.Context) context.Context {
-	newCtx, cancel := context.WithCancel(ctx)
-	signals := make(chan os.Signal)
-	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		select {
-		case <-signals:
-			cancel()
-		}
-	}()
-	return newCtx
-}

cmd/healthcheck/healthcheck.go

@@ -1,73 +0,0 @@
-package healthcheck
-
-import (
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/containous/flaeg"
-	"github.com/traefik/traefik/cmd"
-	"github.com/traefik/traefik/configuration"
-)
-
-// NewCmd builds a new HealthCheck command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "healthcheck",
-		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run:                   runCmd(traefikConfiguration),
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-}
-
-func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
-	return func() error {
-		traefikConfiguration.GlobalConfiguration.SetEffectiveConfiguration(traefikConfiguration.ConfigFile)
-
-		resp, errPing := Do(traefikConfiguration.GlobalConfiguration)
-		if errPing != nil {
-			fmt.Printf("Error calling healthcheck: %s\n", errPing)
-			os.Exit(1)
-		}
-		if resp.StatusCode != http.StatusOK {
-			fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
-			os.Exit(1)
-		}
-		fmt.Printf("OK: %s\n", resp.Request.URL)
-		os.Exit(0)
-		return nil
-	}
-}
-
-// Do try to do a healthcheck
-func Do(globalConfiguration configuration.GlobalConfiguration) (*http.Response, error) {
-	if globalConfiguration.Ping == nil {
-		return nil, errors.New("please enable `ping` to use health check")
-	}
-	pingEntryPoint, ok := globalConfiguration.EntryPoints[globalConfiguration.Ping.EntryPoint]
-	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
-	}
-
-	client := &http.Client{Timeout: 5 * time.Second}
-	protocol := "http"
-	if pingEntryPoint.TLS != nil {
-		protocol = "https"
-		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		}
-		client.Transport = tr
-	}
-	path := "/"
-	if globalConfiguration.Web != nil {
-		path = globalConfiguration.Web.Path
-	}
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
-}

cmd/storeconfig/storeconfig.go

@@ -1,211 +0,0 @@
-package storeconfig
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	stdlog "log"
-	"os"
-
-	"github.com/abronan/valkeyrie/store"
-	"github.com/containous/flaeg"
-	"github.com/containous/staert"
-	"github.com/traefik/traefik/acme"
-	"github.com/traefik/traefik/cluster"
-	"github.com/traefik/traefik/cmd"
-	"github.com/traefik/traefik/log"
-)
-
-// NewCmd builds a new StoreConfig command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "storeconfig",
-		Description:           `Store the static traefik configuration into a Key-value stores. Traefik will not start.`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-}
-
-// Run store config in KV
-func Run(kv *staert.KvSource, traefikConfiguration *cmd.TraefikConfiguration) func() error {
-	return func() error {
-		if kv == nil {
-			return fmt.Errorf("error using command storeconfig, no Key-value store defined")
-		}
-
-		fileConfig := traefikConfiguration.GlobalConfiguration.File
-		if fileConfig != nil {
-			traefikConfiguration.GlobalConfiguration.File = nil
-			if len(fileConfig.Filename) == 0 && len(fileConfig.Directory) == 0 {
-				fileConfig.Filename = traefikConfiguration.ConfigFile
-			}
-		}
-
-		jsonConf, err := json.Marshal(traefikConfiguration.GlobalConfiguration)
-		if err != nil {
-			return err
-		}
-		stdlog.Printf("Storing configuration: %s\n", jsonConf)
-
-		err = kv.StoreConfig(traefikConfiguration.GlobalConfiguration)
-		if err != nil {
-			return err
-		}
-
-		if fileConfig != nil {
-			jsonConf, err = json.Marshal(fileConfig)
-			if err != nil {
-				return err
-			}
-
-			stdlog.Printf("Storing file configuration: %s\n", jsonConf)
-			config, err := fileConfig.BuildConfiguration()
-			if err != nil {
-				return err
-			}
-
-			stdlog.Print("Writing config to KV")
-			err = kv.StoreConfig(config)
-			if err != nil {
-				return err
-			}
-		}
-
-		if traefikConfiguration.GlobalConfiguration.ACME != nil {
-			account := &acme.Account{}
-
-			// Migrate ACME data from file to KV store if needed
-			if len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
-				account, err = migrateACMEData(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
-				if err != nil {
-					return err
-				}
-			}
-
-			accountInitialized, err := keyExists(kv, traefikConfiguration.GlobalConfiguration.ACME.Storage)
-			if err != nil && err != store.ErrKeyNotFound {
-				return err
-			}
-
-			// Check to see if ACME account object is already in kv store
-			if traefikConfiguration.GlobalConfiguration.ACME.OverrideCertificates || !accountInitialized {
-
-				// Store the ACME Account into the KV Store
-				// Certificates in KV Store will be overridden
-				meta := cluster.NewMetadata(account)
-				err = meta.Marshall()
-				if err != nil {
-					return err
-				}
-
-				source := staert.KvSource{
-					Store:  kv,
-					Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
-				}
-
-				err = source.StoreConfig(meta)
-				if err != nil {
-					return err
-				}
-			}
-
-			// Force to delete storagefile
-			return kv.Delete(kv.Prefix + "/acme/storagefile")
-		}
-		return nil
-	}
-}
-
-func keyExists(source *staert.KvSource, key string) (bool, error) {
-	list, err := source.List(key, nil)
-	if err != nil {
-		return false, err
-	}
-
-	return len(list) > 0, nil
-}
-
-// migrateACMEData allows migrating data from acme.json file to KV store in function of the file format
-func migrateACMEData(fileName string) (*acme.Account, error) {
-
-	f, err := os.Open(fileName)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	file, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-
-	// Check if the storage file is not empty before to get data
-	account := &acme.Account{}
-	if len(file) > 0 {
-		accountFromNewFormat, err := acme.FromNewToOldFormat(fileName)
-		if err != nil {
-			return nil, err
-		}
-
-		if accountFromNewFormat == nil {
-			// convert ACME json file to KV store (used for backward compatibility)
-			localStore := acme.NewLocalStore(fileName)
-
-			account, err = localStore.Get()
-			if err != nil {
-				return nil, err
-			}
-
-			err = account.RemoveAccountV1Values()
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			account = accountFromNewFormat
-		}
-	} else {
-		log.Warnf("No data will be imported from the storageFile %q because it is empty.", fileName)
-	}
-
-	err = account.Init()
-	return account, err
-}
-
-// CreateKvSource creates KvSource
-// TLS support is enable for Consul and Etcd backends
-func CreateKvSource(traefikConfiguration *cmd.TraefikConfiguration) (*staert.KvSource, error) {
-	var kv *staert.KvSource
-	var kvStore store.Store
-	var err error
-
-	switch {
-	case traefikConfiguration.Consul != nil:
-		kvStore, err = traefikConfiguration.Consul.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Consul.Prefix,
-		}
-	case traefikConfiguration.Etcd != nil:
-		kvStore, err = traefikConfiguration.Etcd.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Etcd.Prefix,
-		}
-	case traefikConfiguration.Zookeeper != nil:
-		kvStore, err = traefikConfiguration.Zookeeper.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Zookeeper.Prefix,
-		}
-	case traefikConfiguration.Boltdb != nil:
-		kvStore, err = traefikConfiguration.Boltdb.CreateStore()
-		kv = &staert.KvSource{
-			Store:  kvStore,
-			Prefix: traefikConfiguration.Boltdb.Prefix,
-		}
-	}
-	return kv, err
-}

cmd/traefik/anonymize/anonymize_config_test.go

@@ -2,37 +2,29 @@ package anonymize
 
 import (
 	"crypto/tls"
-	"os"
 	"testing"
 	"time"
 
 	"github.com/containous/flaeg"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
-	"github.com/thoas/stats"
-	"github.com/traefik/traefik/acme"
-	"github.com/traefik/traefik/api"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/middlewares"
-	"github.com/traefik/traefik/provider"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/provider/boltdb"
-	"github.com/traefik/traefik/provider/consul"
-	"github.com/traefik/traefik/provider/consulcatalog"
-	"github.com/traefik/traefik/provider/docker"
-	"github.com/traefik/traefik/provider/dynamodb"
-	"github.com/traefik/traefik/provider/ecs"
-	"github.com/traefik/traefik/provider/etcd"
-	"github.com/traefik/traefik/provider/eureka"
-	"github.com/traefik/traefik/provider/file"
-	"github.com/traefik/traefik/provider/kubernetes"
-	"github.com/traefik/traefik/provider/kv"
-	"github.com/traefik/traefik/provider/marathon"
-	"github.com/traefik/traefik/provider/mesos"
-	"github.com/traefik/traefik/provider/rancher"
-	"github.com/traefik/traefik/provider/zk"
-	"github.com/traefik/traefik/safe"
-	traefiktls "github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/kv"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/zk"
+	traefikTls "github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
 )
 
 func TestDo_globalConfiguration(t *testing.T) {
@@ -51,16 +43,17 @@ func TestDo_globalConfiguration(t *testing.T) {
 	config.LogLevel = "LogLevel"
 	config.EntryPoints = configuration.EntryPoints{
 		"foo": {
+			Network: "foo Network",
 			Address: "foo Address",
-			TLS: &traefiktls.TLS{
+			TLS: &traefikTls.TLS{
 				MinVersion:   "foo MinVersion",
 				CipherSuites: []string{"foo CipherSuites 1", "foo CipherSuites 2", "foo CipherSuites 3"},
-				Certificates: traefiktls.Certificates{
+				Certificates: traefikTls.Certificates{
 					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
 					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
 				},
-				ClientCA: traefiktls.ClientCA{
-					Files:    traefiktls.FilesOrContents{"foo ClientCAFiles 1", "foo ClientCAFiles 2", "foo ClientCAFiles 3"},
+				ClientCA: traefikTls.ClientCA{
+					Files:    []string{"foo ClientCAFiles 1", "foo ClientCAFiles 2", "foo ClientCAFiles 3"},
 					Optional: false,
 				},
 			},
@@ -96,16 +89,17 @@ func TestDo_globalConfiguration(t *testing.T) {
 			},
 		},
 		"fii": {
+			Network: "fii Network",
 			Address: "fii Address",
-			TLS: &traefiktls.TLS{
+			TLS: &traefikTls.TLS{
 				MinVersion:   "fii MinVersion",
 				CipherSuites: []string{"fii CipherSuites 1", "fii CipherSuites 2", "fii CipherSuites 3"},
-				Certificates: traefiktls.Certificates{
+				Certificates: traefikTls.Certificates{
 					{CertFile: "CertFile 1", KeyFile: "KeyFile 1"},
 					{CertFile: "CertFile 2", KeyFile: "KeyFile 2"},
 				},
-				ClientCA: traefiktls.ClientCA{
-					Files:    traefiktls.FilesOrContents{"fii ClientCAFiles 1", "fii ClientCAFiles 2", "fii ClientCAFiles 3"},
+				ClientCA: traefikTls.ClientCA{
+					Files:    []string{"fii ClientCAFiles 1", "fii ClientCAFiles 2", "fii ClientCAFiles 3"},
 					Optional: false,
 				},
 			},
@@ -162,7 +156,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 	}
 	config.ACME = &acme.ACME{
 		Email: "acme Email",
-		Domains: []types.Domain{
+		Domains: []acme.Domain{
 			{
 				Main: "Domains Main",
 				SANs: []string{"Domains acme SANs 1", "Domains acme SANs 2", "Domains acme SANs 3"},
@@ -174,7 +168,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 		OnHostRule:        true,
 		CAServer:          "CAServer",
 		EntryPoint:        "EntryPoint",
-		DNSChallenge:      &acmeprovider.DNSChallenge{Provider: "DNSProvider"},
+		DNSChallenge:      &acme.DNSChallenge{Provider: "DNSProvider"},
 		DelayDontCheckDNS: 666,
 		ACMELogging:       true,
 		TLSConfig: &tls.Config{
@@ -187,42 +181,13 @@ func TestDo_globalConfiguration(t *testing.T) {
 	config.MaxIdleConnsPerHost = 666
 	config.IdleTimeout = flaeg.Duration(666 * time.Second)
 	config.InsecureSkipVerify = true
-	config.RootCAs = traefiktls.FilesOrContents{"RootCAs 1", "RootCAs 2", "RootCAs 3"}
+	config.RootCAs = traefikTls.RootCAs{"RootCAs 1", "RootCAs 2", "RootCAs 3"}
 	config.Retry = &configuration.Retry{
 		Attempts: 666,
 	}
 	config.HealthCheck = &configuration.HealthCheckConfig{
 		Interval: flaeg.Duration(666 * time.Second),
 	}
-	config.API = &api.Handler{
-		EntryPoint:            "traefik",
-		Dashboard:             true,
-		Debug:                 true,
-		CurrentConfigurations: &safe.Safe{},
-		Statistics: &types.Statistics{
-			RecentErrors: 666,
-		},
-		Stats: &stats.Stats{
-			Uptime:              time.Now(),
-			Pid:                 666,
-			ResponseCounts:      map[string]int{"foo": 1},
-			TotalResponseCounts: map[string]int{"bar": 1},
-			TotalResponseTime:   time.Now(),
-		},
-		StatsRecorder: &middlewares.StatsRecorder{},
-		DashboardAssets: &assetfs.AssetFS{
-			Asset: func(path string) ([]byte, error) {
-				return nil, nil
-			},
-			AssetDir: func(path string) ([]string, error) {
-				return nil, nil
-			},
-			AssetInfo: func(path string) (os.FileInfo, error) {
-				return nil, nil
-			},
-			Prefix: "fii",
-		},
-	}
 	config.RespondingTimeouts = &configuration.RespondingTimeouts{
 		ReadTimeout:  flaeg.Duration(666 * time.Second),
 		WriteTimeout: flaeg.Duration(666 * time.Second),
@@ -248,7 +213,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Endpoint: "docker Endpoint",
@@ -279,7 +244,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Directory: "file Directory",
@@ -344,7 +309,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Endpoint:                "",
@@ -368,7 +333,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 		},
 		RespectReadinessChecks: true,
 	}
-	config.ConsulCatalog = &consulcatalog.Provider{
+	config.ConsulCatalog = &consul.CatalogProvider{
 		BaseProvider: provider.BaseProvider{
 			Watch:    true,
 			Filename: "ConsulCatalog Filename",
@@ -384,7 +349,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Endpoint:         "ConsulCatalog Endpoint",
@@ -409,7 +374,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Endpoint:               "k8s Endpoint",
@@ -435,7 +400,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Endpoint:           "mesos Endpoint",
@@ -464,12 +429,11 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
-		Endpoint:       "eureka Endpoint",
-		Delay:          flaeg.Duration(30 * time.Second),
-		RefreshSeconds: flaeg.Duration(30 * time.Second),
+		Endpoint: "eureka Endpoint",
+		Delay:    "eureka Delay",
 	}
 	config.ECS = &ecs.Provider{
 		BaseProvider: provider.BaseProvider{
@@ -487,7 +451,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		Domain:               "ecs Domain",
@@ -516,7 +480,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		APIConfiguration: rancher.APIConfiguration{
@@ -554,7 +518,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 					MustMatch: true,
 				},
 			},
-			Trace:                     true,
+			Trace: true,
 			DebugLogGeneratedTemplate: true,
 		},
 		AccessKeyID:     "dynamodb AccessKeyID",
@@ -581,7 +545,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 						MustMatch: true,
 					},
 				},
-				Trace:                     true,
+				Trace: true,
 				DebugLogGeneratedTemplate: true,
 			},
 			Endpoint: "etcd Endpoint",
@@ -613,7 +577,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 						MustMatch: true,
 					},
 				},
-				Trace:                     true,
+				Trace: true,
 				DebugLogGeneratedTemplate: true,
 			},
 			Endpoint: "zk Endpoint",
@@ -645,7 +609,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 						MustMatch: true,
 					},
 				},
-				Trace:                     true,
+				Trace: true,
 				DebugLogGeneratedTemplate: true,
 			},
 			Endpoint: "boltdb Endpoint",
@@ -677,7 +641,7 @@ func TestDo_globalConfiguration(t *testing.T) {
 						MustMatch: true,
 					},
 				},
-				Trace:                     true,
+				Trace: true,
 				DebugLogGeneratedTemplate: true,
 			},
 			Endpoint: "consul Endpoint",

cmd/traefik/anonymize/anonymize_doOnJSON_test.go

@@ -29,6 +29,7 @@ func Test_doOnJSON(t *testing.T) {
    "Compress": false
   },
   "https": {
+   "Network": "",
    "Address": ":443",
    "TLS": {
     "MinVersion": "",
@@ -118,6 +119,7 @@ func Test_doOnJSON(t *testing.T) {
    "Compress": false
   },
   "https": {
+   "Network": "",
    "Address": ":443",
    "TLS": {
     "MinVersion": "",

cmd/traefik/bug.go

@@ -0,0 +1,169 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"text/template"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/cmd/traefik/anonymize"
+)
+
+const (
+	bugTracker  = "https://github.com/containous/traefik/issues/new"
+	bugTemplate = `<!--
+DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+The issue tracker is for reporting bugs and feature requests only.
+For end-user related support questions, refer to one of the following:
+
+- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
+- the Traefik community Slack channel: https://traefik.herokuapp.com
+
+-->
+
+### Do you want to request a *feature* or report a *bug*?
+
+(If you intend to ask a support question: **DO NOT FILE AN ISSUE**.
+Use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik)
+or [Slack](https://traefik.herokuapp.com) instead.)
+
+
+
+### What did you do?
+
+<!--
+
+HOW TO WRITE A GOOD ISSUE?
+
+- Respect the issue template as more as possible.
+- If it's possible use the command ` + "`" + "traefik bug" + "`" + `. See https://www.youtube.com/watch?v=Lyz62L8m93I.
+- The title must be short and descriptive.
+- Explain the conditions which led you to write this issue: the context.
+- The context should lead to something, an idea or a problem that you’re facing.
+- Remain clear and concise.
+- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
+
+-->
+
+
+### What did you expect to see?
+
+
+
+### What did you see instead?
+
+
+
+### Output of ` + "`" + `traefik version` + "`" + `: (_What version of Traefik are you using?_)
+
+` + "```" + `
+{{.Version}}
+` + "```" + `
+
+### What is your environment & configuration (arguments, toml, provider, platform, ...)?
+
+` + "```" + `json
+{{.Configuration}}
+` + "```" + `
+
+<!--
+Add more configuration information here.
+-->
+
+### If applicable, please paste the log output in debug mode (` + "`" + `--debug` + "`" + ` switch)
+
+` + "```" + `
+(paste your output here)
+` + "```" + `
+
+`
+)
+
+// newBugCmd builds a new Bug command
+func newBugCmd(traefikConfiguration *TraefikConfiguration, traefikPointersConfiguration *TraefikConfiguration) *flaeg.Command {
+
+	//version Command init
+	return &flaeg.Command{
+		Name:                  "bug",
+		Description:           `Report an issue on Traefik bugtracker`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Run: runBugCmd(traefikConfiguration),
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+}
+
+func runBugCmd(traefikConfiguration *TraefikConfiguration) func() error {
+	return func() error {
+
+		body, err := createBugReport(traefikConfiguration)
+		if err != nil {
+			return err
+		}
+
+		sendBugReport(body)
+
+		return nil
+	}
+}
+
+func createBugReport(traefikConfiguration *TraefikConfiguration) (string, error) {
+	var version bytes.Buffer
+	if err := getVersionPrint(&version); err != nil {
+		return "", err
+	}
+
+	tmpl, err := template.New("bug").Parse(bugTemplate)
+	if err != nil {
+		return "", err
+	}
+
+	config, err := anonymize.Do(traefikConfiguration, true)
+	if err != nil {
+		return "", err
+	}
+
+	v := struct {
+		Version       string
+		Configuration string
+	}{
+		Version:       version.String(),
+		Configuration: config,
+	}
+
+	var bug bytes.Buffer
+	if err := tmpl.Execute(&bug, v); err != nil {
+		return "", err
+	}
+
+	return bug.String(), nil
+}
+
+func sendBugReport(body string) {
+	URL := bugTracker + "?body=" + url.QueryEscape(body)
+	if err := openBrowser(URL); err != nil {
+		fmt.Printf("Please file a new issue at %s using this template:\n\n", bugTracker)
+		fmt.Print(body)
+	}
+}
+
+func openBrowser(URL string) error {
+	var err error
+	switch runtime.GOOS {
+	case "linux":
+		err = exec.Command("xdg-open", URL).Start()
+	case "windows":
+		err = exec.Command("rundll32", "url.dll,FileProtocolHandler", URL).Start()
+	case "darwin":
+		err = exec.Command("open", URL).Start()
+	default:
+		err = fmt.Errorf("unsupported platform")
+	}
+	return err
+}

cmd/traefik/bug_test.go

@@ -0,0 +1,66 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/containous/traefik/cmd/traefik/anonymize"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_createBugReport(t *testing.T) {
+	traefikConfiguration := &TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+					Auth: &types.Auth{
+						Basic: &types.Basic{
+							UsersFile: "foo Basic UsersFile",
+							Users:     types.Users{"foo Basic Users 1", "foo Basic Users 2", "foo Basic Users 3"},
+						},
+						Digest: &types.Digest{
+							UsersFile: "foo Digest UsersFile",
+							Users:     types.Users{"foo Digest Users 1", "foo Digest Users 2", "foo Digest Users 3"},
+						},
+					},
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+			RootCAs: tls.RootCAs{"fllf"},
+		},
+	}
+
+	report, err := createBugReport(traefikConfiguration)
+	assert.NoError(t, err, report)
+
+	// exported anonymous configuration
+	assert.NotContains(t, "web Basic Users ", report)
+	assert.NotContains(t, "foo Digest Users ", report)
+	assert.NotContains(t, "hoo.bar", report)
+}
+
+func Test_anonymize_traefikConfiguration(t *testing.T) {
+	traefikConfiguration := &TraefikConfiguration{
+		ConfigFile: "FOO",
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			EntryPoints: configuration.EntryPoints{
+				"goo": &configuration.EntryPoint{
+					Address: "hoo.bar",
+				},
+			},
+			File: &file.Provider{
+				Directory: "BAR",
+			},
+		},
+	}
+	_, err := anonymize.Do(traefikConfiguration, true)
+	assert.NoError(t, err)
+	assert.Equal(t, "hoo.bar", traefikConfiguration.GlobalConfiguration.EntryPoints["goo"].Address)
+}

cmd/traefik/configuration.go

@@ -0,0 +1,297 @@
+package main
+
+import (
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik-extra-service-fabric"
+	"github.com/containous/traefik/api"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/middlewares/accesslog"
+	"github.com/containous/traefik/ping"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/rest"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/types"
+	sf "github.com/jjcollinge/servicefabric"
+)
+
+// TraefikConfiguration holds GlobalConfiguration and other stuff
+type TraefikConfiguration struct {
+	configuration.GlobalConfiguration `mapstructure:",squash" export:"true"`
+	ConfigFile                        string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
+}
+
+// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
+func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
+	//default Docker
+	var defaultDocker docker.Provider
+	defaultDocker.Watch = true
+	defaultDocker.ExposedByDefault = true
+	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
+	defaultDocker.SwarmMode = false
+
+	// default File
+	var defaultFile file.Provider
+	defaultFile.Watch = true
+	defaultFile.Filename = "" //needs equivalent to  viper.ConfigFileUsed()
+
+	// default Rest
+	var defaultRest rest.Provider
+	defaultRest.EntryPoint = configuration.DefaultInternalEntryPointName
+
+	// TODO: Deprecated - Web provider, use REST provider instead
+	var defaultWeb configuration.WebCompatibility
+	defaultWeb.Address = ":8080"
+	defaultWeb.Statistics = &types.Statistics{
+		RecentErrors: 10,
+	}
+
+	// TODO: Deprecated - default Metrics
+	defaultWeb.Metrics = &types.Metrics{
+		Prometheus: &types.Prometheus{
+			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
+			EntryPoint: configuration.DefaultInternalEntryPointName,
+		},
+		Datadog: &types.Datadog{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		StatsD: &types.Statsd{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		InfluxDB: &types.InfluxDB{
+			Address:      "localhost:8089",
+			PushInterval: "10s",
+		},
+	}
+
+	// default Marathon
+	var defaultMarathon marathon.Provider
+	defaultMarathon.Watch = true
+	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
+	defaultMarathon.ExposedByDefault = true
+	defaultMarathon.Constraints = types.Constraints{}
+	defaultMarathon.DialerTimeout = flaeg.Duration(60 * time.Second)
+	defaultMarathon.KeepAlive = flaeg.Duration(10 * time.Second)
+
+	// default Consul
+	var defaultConsul consul.Provider
+	defaultConsul.Watch = true
+	defaultConsul.Endpoint = "127.0.0.1:8500"
+	defaultConsul.Prefix = "traefik"
+	defaultConsul.Constraints = types.Constraints{}
+
+	// default CatalogProvider
+	var defaultConsulCatalog consul.CatalogProvider
+	defaultConsulCatalog.Endpoint = "127.0.0.1:8500"
+	defaultConsulCatalog.ExposedByDefault = true
+	defaultConsulCatalog.Constraints = types.Constraints{}
+	defaultConsulCatalog.Prefix = "traefik"
+	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
+
+	// default Etcd
+	var defaultEtcd etcd.Provider
+	defaultEtcd.Watch = true
+	defaultEtcd.Endpoint = "127.0.0.1:2379"
+	defaultEtcd.Prefix = "/traefik"
+	defaultEtcd.Constraints = types.Constraints{}
+
+	//default Zookeeper
+	var defaultZookeeper zk.Provider
+	defaultZookeeper.Watch = true
+	defaultZookeeper.Endpoint = "127.0.0.1:2181"
+	defaultZookeeper.Prefix = "traefik"
+	defaultZookeeper.Constraints = types.Constraints{}
+
+	//default Boltdb
+	var defaultBoltDb boltdb.Provider
+	defaultBoltDb.Watch = true
+	defaultBoltDb.Endpoint = "127.0.0.1:4001"
+	defaultBoltDb.Prefix = "/traefik"
+	defaultBoltDb.Constraints = types.Constraints{}
+
+	//default Kubernetes
+	var defaultKubernetes kubernetes.Provider
+	defaultKubernetes.Watch = true
+	defaultKubernetes.Endpoint = ""
+	defaultKubernetes.LabelSelector = ""
+	defaultKubernetes.Constraints = types.Constraints{}
+
+	// default Mesos
+	var defaultMesos mesos.Provider
+	defaultMesos.Watch = true
+	defaultMesos.Endpoint = "http://127.0.0.1:5050"
+	defaultMesos.ExposedByDefault = true
+	defaultMesos.Constraints = types.Constraints{}
+	defaultMesos.RefreshSeconds = 30
+	defaultMesos.ZkDetectionTimeout = 30
+	defaultMesos.StateTimeoutSecond = 30
+
+	//default ECS
+	var defaultECS ecs.Provider
+	defaultECS.Watch = true
+	defaultECS.ExposedByDefault = true
+	defaultECS.AutoDiscoverClusters = false
+	defaultECS.Clusters = ecs.Clusters{"default"}
+	defaultECS.RefreshSeconds = 15
+	defaultECS.Constraints = types.Constraints{}
+
+	//default Rancher
+	var defaultRancher rancher.Provider
+	defaultRancher.Watch = true
+	defaultRancher.ExposedByDefault = true
+	defaultRancher.RefreshSeconds = 15
+
+	// default DynamoDB
+	var defaultDynamoDB dynamodb.Provider
+	defaultDynamoDB.Constraints = types.Constraints{}
+	defaultDynamoDB.RefreshSeconds = 15
+	defaultDynamoDB.TableName = "traefik"
+	defaultDynamoDB.Watch = true
+
+	// default Eureka
+	var defaultEureka eureka.Provider
+	defaultEureka.Delay = "30s"
+
+	// default ServiceFabric
+	var defaultServiceFabric servicefabric.Provider
+	defaultServiceFabric.APIVersion = sf.DefaultAPIVersion
+	defaultServiceFabric.RefreshSeconds = 10
+
+	// default Ping
+	var defaultPing = ping.Handler{
+		EntryPoint: "traefik",
+	}
+
+	// default TraefikLog
+	defaultTraefikLog := types.TraefikLog{
+		Format:   "common",
+		FilePath: "",
+	}
+
+	// default AccessLog
+	defaultAccessLog := types.AccessLog{
+		Format:   accesslog.CommonFormat,
+		FilePath: "",
+	}
+
+	// default HealthCheckConfig
+	healthCheck := configuration.HealthCheckConfig{
+		Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+	}
+
+	// default RespondingTimeouts
+	respondingTimeouts := configuration.RespondingTimeouts{
+		IdleTimeout: flaeg.Duration(configuration.DefaultIdleTimeout),
+	}
+
+	// default ForwardingTimeouts
+	forwardingTimeouts := configuration.ForwardingTimeouts{
+		DialTimeout: flaeg.Duration(configuration.DefaultDialTimeout),
+	}
+
+	// default LifeCycle
+	defaultLifeCycle := configuration.LifeCycle{
+		GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
+	}
+
+	// default ApiConfiguration
+	defaultAPI := api.Handler{
+		EntryPoint: "traefik",
+		Dashboard:  true,
+	}
+	defaultAPI.Statistics = &types.Statistics{
+		RecentErrors: 10,
+	}
+
+	// default Metrics
+	defaultMetrics := types.Metrics{
+		Prometheus: &types.Prometheus{
+			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
+			EntryPoint: configuration.DefaultInternalEntryPointName,
+		},
+		Datadog: &types.Datadog{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		StatsD: &types.Statsd{
+			Address:      "localhost:8125",
+			PushInterval: "10s",
+		},
+		InfluxDB: &types.InfluxDB{
+			Address:      "localhost:8089",
+			PushInterval: "10s",
+		},
+	}
+
+	defaultConfiguration := configuration.GlobalConfiguration{
+		Docker:             &defaultDocker,
+		File:               &defaultFile,
+		Web:                &defaultWeb,
+		Rest:               &defaultRest,
+		Marathon:           &defaultMarathon,
+		Consul:             &defaultConsul,
+		ConsulCatalog:      &defaultConsulCatalog,
+		Etcd:               &defaultEtcd,
+		Zookeeper:          &defaultZookeeper,
+		Boltdb:             &defaultBoltDb,
+		Kubernetes:         &defaultKubernetes,
+		Mesos:              &defaultMesos,
+		ECS:                &defaultECS,
+		Rancher:            &defaultRancher,
+		Eureka:             &defaultEureka,
+		DynamoDB:           &defaultDynamoDB,
+		Retry:              &configuration.Retry{},
+		HealthCheck:        &healthCheck,
+		RespondingTimeouts: &respondingTimeouts,
+		ForwardingTimeouts: &forwardingTimeouts,
+		TraefikLog:         &defaultTraefikLog,
+		AccessLog:          &defaultAccessLog,
+		LifeCycle:          &defaultLifeCycle,
+		Ping:               &defaultPing,
+		API:                &defaultAPI,
+		Metrics:            &defaultMetrics,
+	}
+
+	return &TraefikConfiguration{
+		GlobalConfiguration: defaultConfiguration,
+	}
+}
+
+// NewTraefikConfiguration creates a TraefikConfiguration with default values
+func NewTraefikConfiguration() *TraefikConfiguration {
+	return &TraefikConfiguration{
+		GlobalConfiguration: configuration.GlobalConfiguration{
+			AccessLogsFile:            "",
+			TraefikLogsFile:           "",
+			LogLevel:                  "ERROR",
+			EntryPoints:               map[string]*configuration.EntryPoint{},
+			Constraints:               types.Constraints{},
+			DefaultEntryPoints:        []string{"http"},
+			ProvidersThrottleDuration: flaeg.Duration(2 * time.Second),
+			MaxIdleConnsPerHost:       200,
+			IdleTimeout:               flaeg.Duration(0),
+			HealthCheck: &configuration.HealthCheckConfig{
+				Interval: flaeg.Duration(configuration.DefaultHealthCheckInterval),
+			},
+			LifeCycle: &configuration.LifeCycle{
+				GraceTimeOut: flaeg.Duration(configuration.DefaultGraceTimeout),
+			},
+			CheckNewVersion: true,
+		},
+		ConfigFile: "",
+	}
+}

cmd/traefik/healthcheck.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/configuration"
+)
+
+func newHealthCheckCmd(traefikConfiguration *TraefikConfiguration, traefikPointersConfiguration *TraefikConfiguration) *flaeg.Command {
+	return &flaeg.Command{
+		Name:                  "healthcheck",
+		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Run: runHealthCheck(traefikConfiguration),
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+}
+
+func runHealthCheck(traefikConfiguration *TraefikConfiguration) func() error {
+	return func() error {
+		traefikConfiguration.GlobalConfiguration.SetEffectiveConfiguration(traefikConfiguration.ConfigFile)
+
+		resp, errPing := healthCheck(traefikConfiguration.GlobalConfiguration)
+		if errPing != nil {
+			fmt.Printf("Error calling healthcheck: %s\n", errPing)
+			os.Exit(1)
+		}
+		if resp.StatusCode != http.StatusOK {
+			fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
+			os.Exit(1)
+		}
+		fmt.Printf("OK: %s\n", resp.Request.URL)
+		os.Exit(0)
+		return nil
+	}
+}
+
+func healthCheck(globalConfiguration configuration.GlobalConfiguration) (*http.Response, error) {
+	if globalConfiguration.Ping == nil {
+		return nil, errors.New("please enable `ping` to use health check")
+	}
+
+	pingEntryPoint, ok := globalConfiguration.EntryPoints[globalConfiguration.Ping.EntryPoint]
+	if !ok {
+		return nil, errors.New("missing `ping` entrypoint")
+	}
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	protocol := "http"
+	if pingEntryPoint.TLS != nil {
+		protocol = "https"
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		client.Transport = tr
+	}
+	path := "/"
+	if globalConfiguration.Web != nil {
+		path = globalConfiguration.Web.Path
+	}
+	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+}

cmd/traefik/storeconfig.go

@@ -0,0 +1,145 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	stdlog "log"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/staert"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/cluster"
+	"github.com/docker/libkv/store"
+)
+
+func newStoreConfigCmd(traefikConfiguration *TraefikConfiguration, traefikPointersConfiguration *TraefikConfiguration) *flaeg.Command {
+	return &flaeg.Command{
+		Name:                  "storeconfig",
+		Description:           `Store the static traefik configuration into a Key-value stores. Traefik will not start.`,
+		Config:                traefikConfiguration,
+		DefaultPointersConfig: traefikPointersConfiguration,
+		Metadata: map[string]string{
+			"parseAllSources": "true",
+		},
+	}
+}
+
+func runStoreConfig(kv *staert.KvSource, traefikConfiguration *TraefikConfiguration) func() error {
+	return func() error {
+		if kv == nil {
+			return fmt.Errorf("error using command storeconfig, no Key-value store defined")
+		}
+
+		fileConfig := traefikConfiguration.GlobalConfiguration.File
+		if fileConfig != nil {
+			traefikConfiguration.GlobalConfiguration.File = nil
+			if len(fileConfig.Filename) == 0 && len(fileConfig.Directory) == 0 {
+				fileConfig.Filename = traefikConfiguration.ConfigFile
+			}
+		}
+
+		jsonConf, err := json.Marshal(traefikConfiguration.GlobalConfiguration)
+		if err != nil {
+			return err
+		}
+		stdlog.Printf("Storing configuration: %s\n", jsonConf)
+
+		err = kv.StoreConfig(traefikConfiguration.GlobalConfiguration)
+		if err != nil {
+			return err
+		}
+
+		if fileConfig != nil {
+			jsonConf, err = json.Marshal(fileConfig)
+			if err != nil {
+				return err
+			}
+
+			stdlog.Printf("Storing file configuration: %s\n", jsonConf)
+			config, err := fileConfig.LoadConfig()
+			if err != nil {
+				return err
+			}
+
+			stdlog.Print("Writing config to KV")
+			err = kv.StoreConfig(config)
+			if err != nil {
+				return err
+			}
+		}
+		if traefikConfiguration.GlobalConfiguration.ACME != nil {
+			var object cluster.Object
+			if len(traefikConfiguration.GlobalConfiguration.ACME.StorageFile) > 0 {
+				// convert ACME json file to KV store
+				localStore := acme.NewLocalStore(traefikConfiguration.GlobalConfiguration.ACME.StorageFile)
+				object, err = localStore.Load()
+				if err != nil {
+					return err
+				}
+
+			} else {
+				// Create an empty account to create all the keys into the KV store
+				account := &acme.Account{}
+				account.Init()
+				object = account
+			}
+
+			meta := cluster.NewMetadata(object)
+			err = meta.Marshall()
+			if err != nil {
+				return err
+			}
+
+			source := staert.KvSource{
+				Store:  kv,
+				Prefix: traefikConfiguration.GlobalConfiguration.ACME.Storage,
+			}
+			err = source.StoreConfig(meta)
+			if err != nil {
+				return err
+			}
+			// Force to delete storagefile
+			err = kv.Delete(kv.Prefix + "/acme/storagefile")
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+// createKvSource creates KvSource
+// TLS support is enable for Consul and Etcd backends
+func createKvSource(traefikConfiguration *TraefikConfiguration) (*staert.KvSource, error) {
+	var kv *staert.KvSource
+	var kvStore store.Store
+	var err error
+
+	switch {
+	case traefikConfiguration.Consul != nil:
+		kvStore, err = traefikConfiguration.Consul.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Consul.Prefix,
+		}
+	case traefikConfiguration.Etcd != nil:
+		kvStore, err = traefikConfiguration.Etcd.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Etcd.Prefix,
+		}
+	case traefikConfiguration.Zookeeper != nil:
+		kvStore, err = traefikConfiguration.Zookeeper.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Zookeeper.Prefix,
+		}
+	case traefikConfiguration.Boltdb != nil:
+		kvStore, err = traefikConfiguration.Boltdb.CreateStore()
+		kv = &staert.KvSource{
+			Store:  kvStore,
+			Prefix: traefikConfiguration.Boltdb.Prefix,
+		}
+	}
+	return kv, err
+}

cmd/traefik/traefik.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"encoding/json"
 	fmtlog "log"
 	"net/http"
@@ -11,41 +10,32 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Sirupsen/logrus"
 	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/collector"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/job"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/server"
+	"github.com/containous/traefik/server/uuid"
+	traefikTls "github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
+	"github.com/containous/traefik/version"
 	"github.com/coreos/go-systemd/daemon"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/ogier/pflag"
-	"github.com/sirupsen/logrus"
-	"github.com/traefik/traefik/autogen/genstatic"
-	"github.com/traefik/traefik/cmd"
-	"github.com/traefik/traefik/cmd/bug"
-	"github.com/traefik/traefik/cmd/healthcheck"
-	"github.com/traefik/traefik/cmd/storeconfig"
-	cmdVersion "github.com/traefik/traefik/cmd/version"
-	"github.com/traefik/traefik/collector"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/configuration/router"
-	"github.com/traefik/traefik/job"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/provider/ecs"
-	"github.com/traefik/traefik/provider/kubernetes"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/server"
-	"github.com/traefik/traefik/server/uuid"
-	traefiktls "github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
-	"github.com/traefik/traefik/version"
-	"github.com/vulcand/oxy/roundrobin"
 )
 
 func main() {
-	// traefik config inits
-	traefikConfiguration := cmd.NewTraefikConfiguration()
-	traefikPointersConfiguration := cmd.NewTraefikDefaultPointersConfiguration()
-
-	// traefik Command init
+	//traefik config inits
+	traefikConfiguration := NewTraefikConfiguration()
+	traefikPointersConfiguration := NewTraefikDefaultPointersConfiguration()
+	//traefik Command init
 	traefikCmd := &flaeg.Command{
 		Name: "traefik",
 		Description: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
@@ -53,40 +43,36 @@ Complete documentation is available at https://traefik.io`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
 		Run: func() error {
-			runCmd(&traefikConfiguration.GlobalConfiguration, traefikConfiguration.ConfigFile)
+			run(&traefikConfiguration.GlobalConfiguration, traefikConfiguration.ConfigFile)
 			return nil
 		},
 	}
 
-	// storeconfig Command init
-	storeConfigCmd := storeconfig.NewCmd(traefikConfiguration, traefikPointersConfiguration)
+	//storeconfig Command init
+	storeConfigCmd := newStoreConfigCmd(traefikConfiguration, traefikPointersConfiguration)
 
-	// init flaeg source
+	//init flaeg source
 	f := flaeg.New(traefikCmd, os.Args[1:])
-	// add custom parsers
+	//add custom parsers
 	f.AddParser(reflect.TypeOf(configuration.EntryPoints{}), &configuration.EntryPoints{})
 	f.AddParser(reflect.TypeOf(configuration.DefaultEntryPoints{}), &configuration.DefaultEntryPoints{})
-	f.AddParser(reflect.TypeOf(traefiktls.FilesOrContents{}), &traefiktls.FilesOrContents{})
+	f.AddParser(reflect.TypeOf(traefikTls.RootCAs{}), &traefikTls.RootCAs{})
 	f.AddParser(reflect.TypeOf(types.Constraints{}), &types.Constraints{})
 	f.AddParser(reflect.TypeOf(kubernetes.Namespaces{}), &kubernetes.Namespaces{})
 	f.AddParser(reflect.TypeOf(ecs.Clusters{}), &ecs.Clusters{})
-	f.AddParser(reflect.TypeOf([]types.Domain{}), &types.Domains{})
-	f.AddParser(reflect.TypeOf(types.DNSResolvers{}), &types.DNSResolvers{})
+	f.AddParser(reflect.TypeOf([]acme.Domain{}), &acme.Domains{})
 	f.AddParser(reflect.TypeOf(types.Buckets{}), &types.Buckets{})
-	f.AddParser(reflect.TypeOf(types.StatusCodes{}), &types.StatusCodes{})
-	f.AddParser(reflect.TypeOf(types.FieldNames{}), &types.FieldNames{})
-	f.AddParser(reflect.TypeOf(types.FieldHeaderNames{}), &types.FieldHeaderNames{})
 
-	// add commands
-	f.AddCommand(cmdVersion.NewCmd())
-	f.AddCommand(bug.NewCmd(traefikConfiguration, traefikPointersConfiguration))
+	//add commands
+	f.AddCommand(newVersionCmd())
+	f.AddCommand(newBugCmd(traefikConfiguration, traefikPointersConfiguration))
 	f.AddCommand(storeConfigCmd)
-	f.AddCommand(healthcheck.NewCmd(traefikConfiguration, traefikPointersConfiguration))
+	f.AddCommand(newHealthCheckCmd(traefikConfiguration, traefikPointersConfiguration))
 
 	usedCmd, err := f.GetCommand()
 	if err != nil {
 		fmtlog.Println(err)
-		os.Exit(1)
+		os.Exit(-1)
 	}
 
 	if _, err := f.Parse(usedCmd); err != nil {
@@ -94,32 +80,32 @@ Complete documentation is available at https://traefik.io`,
 			os.Exit(0)
 		}
 		fmtlog.Printf("Error parsing command: %s\n", err)
-		os.Exit(1)
+		os.Exit(-1)
 	}
 
-	// staert init
+	//staert init
 	s := staert.NewStaert(traefikCmd)
-	// init TOML source
+	//init toml source
 	toml := staert.NewTomlSource("traefik", []string{traefikConfiguration.ConfigFile, "/etc/traefik/", "$HOME/.traefik/", "."})
 
-	// add sources to staert
+	//add sources to staert
 	s.AddSource(toml)
 	s.AddSource(f)
 	if _, err := s.LoadConfig(); err != nil {
 		fmtlog.Printf("Error reading TOML config file %s : %s\n", toml.ConfigFileUsed(), err)
-		os.Exit(1)
+		os.Exit(-1)
 	}
 
 	traefikConfiguration.ConfigFile = toml.ConfigFileUsed()
 
-	kv, err := storeconfig.CreateKvSource(traefikConfiguration)
+	kv, err := createKvSource(traefikConfiguration)
 	if err != nil {
 		fmtlog.Printf("Error creating kv store: %s\n", err)
-		os.Exit(1)
+		os.Exit(-1)
 	}
-	storeConfigCmd.Run = storeconfig.Run(kv, traefikConfiguration)
+	storeConfigCmd.Run = runStoreConfig(kv, traefikConfiguration)
 
-	// if a KV Store is enable and no sub-command called in args
+	// IF a KV Store is enable and no sub-command called in args
 	if kv != nil && usedCmd == traefikCmd {
 		if traefikConfiguration.Cluster == nil {
 			traefikConfiguration.Cluster = &types.Cluster{Node: uuid.Get()}
@@ -138,19 +124,19 @@ Complete documentation is available at https://traefik.io`,
 		err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify)
 		if err != nil {
 			fmtlog.Printf("Error loading configuration: %s\n", err)
-			os.Exit(1)
+			os.Exit(-1)
 		}
 	}
 
 	if err := s.Run(); err != nil {
 		fmtlog.Printf("Error running traefik: %s\n", err)
-		os.Exit(1)
+		os.Exit(-1)
 	}
 
 	os.Exit(0)
 }
 
-func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile string) {
+func run(globalConfiguration *configuration.GlobalConfiguration, configFile string) {
 	configureLogging(globalConfiguration)
 
 	if len(configFile) > 0 {
@@ -159,91 +145,21 @@ func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile s
 
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
-	if globalConfiguration.AllowMinWeightZero {
-		roundrobin.SetDefaultWeight(0)
-	}
-
 	globalConfiguration.SetEffectiveConfiguration(configFile)
 	globalConfiguration.ValidateConfiguration()
 
+	jsonConf, _ := json.Marshal(globalConfiguration)
 	log.Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
 
-	jsonConf, err := json.Marshal(globalConfiguration)
-	if err != nil {
-		log.Error(err)
-		log.Debugf("Global configuration loaded [struct] %#v", globalConfiguration)
-	} else {
-		log.Debugf("Global configuration loaded %s", string(jsonConf))
-	}
-
-	if globalConfiguration.API != nil && globalConfiguration.API.Dashboard {
-		globalConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
-	}
-
 	if globalConfiguration.CheckNewVersion {
 		checkNewVersion()
 	}
 
 	stats(globalConfiguration)
 
-	providerAggregator := configuration.NewProviderAggregator(globalConfiguration)
-
-	acmeprovider, err := globalConfiguration.InitACMEProvider()
-	if err != nil {
-		log.Errorf("Unable to initialize ACME provider: %v", err)
-	} else if acmeprovider != nil {
-		err = providerAggregator.AddProvider(acmeprovider)
-		if err != nil {
-			log.Errorf("Unable to add ACME provider to the providers list: %v", err)
-			acmeprovider = nil
-		}
-	}
-
-	entryPoints := map[string]server.EntryPoint{}
-	for entryPointName, config := range globalConfiguration.EntryPoints {
-
-		entryPoint := server.EntryPoint{
-			Configuration: config,
-		}
-
-		internalRouter := router.NewInternalRouterAggregator(*globalConfiguration, entryPointName)
-		if acmeprovider != nil {
-			if acmeprovider.HTTPChallenge != nil && entryPointName == acmeprovider.HTTPChallenge.EntryPoint {
-				internalRouter.AddRouter(acmeprovider)
-			}
-
-			// TLS ALPN 01
-			if acmeprovider.TLSChallenge != nil && acmeprovider.HTTPChallenge == nil && acmeprovider.DNSChallenge == nil {
-				entryPoint.TLSALPNGetter = acmeprovider.GetTLSALPNCertificate
-			}
-
-			if acmeprovider.OnDemand && entryPointName == acmeprovider.EntryPoint {
-				entryPoint.OnDemandListener = acmeprovider.ListenRequest
-			}
-
-			if entryPointName == acmeprovider.EntryPoint {
-				entryPoint.CertificateStore = traefiktls.NewCertificateStore()
-				acmeprovider.SetCertificateStore(entryPoint.CertificateStore)
-				log.Debugf("Setting Acme Certificate store from Entrypoint: %s", entryPointName)
-			}
-		}
-
-		entryPoint.InternalRouter = internalRouter
-		entryPoints[entryPointName] = entryPoint
-	}
-
-	svr := server.NewServer(*globalConfiguration, providerAggregator, entryPoints)
-	if acmeprovider != nil && acmeprovider.OnHostRule {
-		acmeprovider.SetConfigListenerChan(make(chan types.Configuration))
-		svr.AddListener(acmeprovider.ListenConfiguration)
-	}
-	ctx := cmd.ContextWithSignal(context.Background())
-
-	if globalConfiguration.Ping != nil {
-		globalConfiguration.Ping.WithContext(ctx)
-	}
-
-	svr.StartWithContext(ctx)
+	log.Debugf("Global configuration loaded %s", string(jsonConf))
+	svr := server.NewServer(*globalConfiguration)
+	svr.Start()
 	defer svr.Close()
 
 	sent, err := daemon.SdNotify(false, "READY=1")
@@ -261,7 +177,7 @@ func runCmd(globalConfiguration *configuration.GlobalConfiguration, configFile s
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
-				_, errHealthCheck := healthcheck.Do(*globalConfiguration)
+				_, errHealthCheck := healthCheck(*globalConfiguration)
 				if globalConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
 						log.Error("Fail to tick watchdog")
@@ -282,18 +198,12 @@ func configureLogging(globalConfiguration *configuration.GlobalConfiguration) {
 	// configure default log flags
 	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
 
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := strings.ToLower(globalConfiguration.LogLevel)
-	if levelStr == "" {
-		levelStr = "error"
-		if globalConfiguration.Debug {
-			levelStr = "debug"
-		}
+	if globalConfiguration.Debug {
+		globalConfiguration.LogLevel = "DEBUG"
 	}
-	level, err := logrus.ParseLevel(levelStr)
+
+	// configure log level
+	level, err := logrus.ParseLevel(strings.ToLower(globalConfiguration.LogLevel))
 	if err != nil {
 		log.Error("Error getting level", err)
 	}
@@ -313,7 +223,10 @@ func configureLogging(globalConfiguration *configuration.GlobalConfiguration) {
 	if globalConfiguration.TraefikLog != nil && globalConfiguration.TraefikLog.Format == "json" {
 		formatter = &logrus.JSONFormatter{}
 	} else {
-		disableColors := len(logFile) > 0
+		disableColors := false
+		if len(logFile) > 0 {
+			disableColors = true
+		}
 		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
 	}
 	log.SetFormatter(formatter)
@@ -321,7 +234,8 @@ func configureLogging(globalConfiguration *configuration.GlobalConfiguration) {
 	if len(logFile) > 0 {
 		dir := filepath.Dir(logFile)
 
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		err := os.MkdirAll(dir, 0755)
+		if err != nil {
 			log.Errorf("Failed to create log path %s: %s", dir, err)
 		}
 
@@ -352,14 +266,14 @@ func stats(globalConfiguration *configuration.GlobalConfiguration) {
 Stats collection is enabled.
 Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
 Help us improve Traefik by leaving this feature on :)
-More details on: https://doc.traefik.io/traefik/v1.7/basics/#collected-data
+More details on: https://docs.traefik.io/basics/#collected-data
 `)
 		collect(globalConfiguration)
 	} else {
 		log.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://doc.traefik.io/traefik/v1.7/basics/#collected-data
+More details on: https://docs.traefik.io/basics/#collected-data
 `)
 	}
 }

cmd/traefik/version.go

@@ -0,0 +1,63 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"text/template"
+
+	"github.com/containous/flaeg"
+	"github.com/containous/traefik/version"
+)
+
+var versionTemplate = `Version:      {{.Version}}
+Codename:     {{.Codename}}
+Go version:   {{.GoVersion}}
+Built:        {{.BuildTime}}
+OS/Arch:      {{.Os}}/{{.Arch}}`
+
+// newVersionCmd builds a new Version command
+func newVersionCmd() *flaeg.Command {
+
+	//version Command init
+	return &flaeg.Command{
+		Name:                  "version",
+		Description:           `Print version`,
+		Config:                struct{}{},
+		DefaultPointersConfig: struct{}{},
+		Run: func() error {
+			if err := getVersionPrint(os.Stdout); err != nil {
+				return err
+			}
+			fmt.Print("\n")
+			return nil
+
+		},
+	}
+}
+
+func getVersionPrint(wr io.Writer) error {
+	tmpl, err := template.New("").Parse(versionTemplate)
+	if err != nil {
+		return err
+	}
+
+	v := struct {
+		Version   string
+		Codename  string
+		GoVersion string
+		BuildTime string
+		Os        string
+		Arch      string
+	}{
+		Version:   version.Version,
+		Codename:  version.Codename,
+		GoVersion: runtime.Version(),
+		BuildTime: version.BuildDate,
+		Os:        runtime.GOOS,
+		Arch:      runtime.GOARCH,
+	}
+
+	return tmpl.Execute(wr, v)
+}

cmd/version/version.go

@@ -1,62 +0,0 @@
-package version
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"runtime"
-	"text/template"
-
-	"github.com/containous/flaeg"
-	"github.com/traefik/traefik/version"
-)
-
-var versionTemplate = `Version:      {{.Version}}
-Codename:     {{.Codename}}
-Go version:   {{.GoVersion}}
-Built:        {{.BuildTime}}
-OS/Arch:      {{.Os}}/{{.Arch}}`
-
-// NewCmd builds a new Version command
-func NewCmd() *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "version",
-		Description:           `Print version`,
-		Config:                struct{}{},
-		DefaultPointersConfig: struct{}{},
-		Run: func() error {
-			if err := GetPrint(os.Stdout); err != nil {
-				return err
-			}
-			fmt.Print("\n")
-			return nil
-
-		},
-	}
-}
-
-// GetPrint write Printable version
-func GetPrint(wr io.Writer) error {
-	tmpl, err := template.New("").Parse(versionTemplate)
-	if err != nil {
-		return err
-	}
-
-	v := struct {
-		Version   string
-		Codename  string
-		GoVersion string
-		BuildTime string
-		Os        string
-		Arch      string
-	}{
-		Version:   version.Version,
-		Codename:  version.Codename,
-		GoVersion: runtime.Version(),
-		BuildTime: version.BuildDate,
-		Os:        runtime.GOOS,
-		Arch:      runtime.GOARCH,
-	}
-
-	return tmpl.Execute(wr, v)
-}

collector/collector.go

@@ -9,11 +9,11 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/containous/traefik/cmd/traefik/anonymize"
+	"github.com/containous/traefik/configuration"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/version"
 	"github.com/mitchellh/hashstructure"
-	"github.com/traefik/traefik/anonymize"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/version"
 )
 
 // collectorURL URL where the stats are send

configuration/configuration.go

@@ -1,41 +1,32 @@
 package configuration
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/containous/flaeg"
-	servicefabric "github.com/containous/traefik-extra-service-fabric"
-	"github.com/go-acme/lego/v3/challenge/dns01"
-	"github.com/traefik/traefik/acme"
-	"github.com/traefik/traefik/api"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/middlewares/tracing"
-	"github.com/traefik/traefik/middlewares/tracing/datadog"
-	"github.com/traefik/traefik/middlewares/tracing/jaeger"
-	"github.com/traefik/traefik/middlewares/tracing/zipkin"
-	"github.com/traefik/traefik/ping"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/provider/boltdb"
-	"github.com/traefik/traefik/provider/consul"
-	"github.com/traefik/traefik/provider/consulcatalog"
-	"github.com/traefik/traefik/provider/docker"
-	"github.com/traefik/traefik/provider/dynamodb"
-	"github.com/traefik/traefik/provider/ecs"
-	"github.com/traefik/traefik/provider/etcd"
-	"github.com/traefik/traefik/provider/eureka"
-	"github.com/traefik/traefik/provider/file"
-	"github.com/traefik/traefik/provider/kubernetes"
-	"github.com/traefik/traefik/provider/marathon"
-	"github.com/traefik/traefik/provider/mesos"
-	"github.com/traefik/traefik/provider/rancher"
-	"github.com/traefik/traefik/provider/rest"
-	"github.com/traefik/traefik/provider/zk"
-	"github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
-	jaegercli "github.com/uber/jaeger-client-go"
+	"github.com/containous/traefik-extra-service-fabric"
+	"github.com/containous/traefik/acme"
+	"github.com/containous/traefik/api"
+	"github.com/containous/traefik/log"
+	"github.com/containous/traefik/ping"
+	"github.com/containous/traefik/provider/boltdb"
+	"github.com/containous/traefik/provider/consul"
+	"github.com/containous/traefik/provider/docker"
+	"github.com/containous/traefik/provider/dynamodb"
+	"github.com/containous/traefik/provider/ecs"
+	"github.com/containous/traefik/provider/etcd"
+	"github.com/containous/traefik/provider/eureka"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/provider/kubernetes"
+	"github.com/containous/traefik/provider/marathon"
+	"github.com/containous/traefik/provider/mesos"
+	"github.com/containous/traefik/provider/rancher"
+	"github.com/containous/traefik/provider/rest"
+	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
 )
 
 const (
@@ -54,27 +45,23 @@ const (
 	// DefaultGraceTimeout controls how long Traefik serves pending requests
 	// prior to shutting down.
 	DefaultGraceTimeout = 10 * time.Second
-
-	// DefaultAcmeCAServer is the default ACME API endpoint
-	DefaultAcmeCAServer = "https://acme-v02.api.letsencrypt.org/directory"
 )
 
 // GlobalConfiguration holds global configuration (with providers, etc.).
 // It's populated from the traefik configuration file passed as an argument to the binary.
 type GlobalConfiguration struct {
-	LifeCycle                 *LifeCycle        `description:"Timeouts influencing the server life cycle" export:"true"`
-	GraceTimeOut              flaeg.Duration    `short:"g" description:"(Deprecated) Duration to give active requests a chance to finish before Traefik stops" export:"true"` // Deprecated
-	Debug                     bool              `short:"d" description:"Enable debug mode" export:"true"`
-	CheckNewVersion           bool              `description:"Periodically check if a new version has been released" export:"true"`
-	SendAnonymousUsage        bool              `description:"send periodically anonymous usage statistics" export:"true"`
-	AccessLogsFile            string            `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
-	AccessLog                 *types.AccessLog  `description:"Access log settings" export:"true"`
-	TraefikLogsFile           string            `description:"(Deprecated) Traefik logs file. Stdout is used when omitted or empty" export:"true"` // Deprecated
-	TraefikLog                *types.TraefikLog `description:"Traefik log settings" export:"true"`
-	Tracing                   *tracing.Tracing  `description:"OpenTracing configuration" export:"true"`
-	LogLevel                  string            `short:"l" description:"Log level" export:"true"`
-	EntryPoints               EntryPoints       `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
-	Cluster                   *types.Cluster
+	LifeCycle                 *LifeCycle              `description:"Timeouts influencing the server life cycle" export:"true"`
+	GraceTimeOut              flaeg.Duration          `short:"g" description:"(Deprecated) Duration to give active requests a chance to finish before Traefik stops" export:"true"` // Deprecated
+	Debug                     bool                    `short:"d" description:"Enable debug mode" export:"true"`
+	CheckNewVersion           bool                    `description:"Periodically check if a new version has been released" export:"true"`
+	SendAnonymousUsage        bool                    `description:"send periodically anonymous usage statistics" export:"true"`
+	AccessLogsFile            string                  `description:"(Deprecated) Access logs file" export:"true"` // Deprecated
+	AccessLog                 *types.AccessLog        `description:"Access log settings" export:"true"`
+	TraefikLogsFile           string                  `description:"(Deprecated) Traefik logs file. Stdout is used when omitted or empty" export:"true"` // Deprecated
+	TraefikLog                *types.TraefikLog       `description:"Traefik log settings" export:"true"`
+	LogLevel                  string                  `short:"l" description:"Log level" export:"true"`
+	EntryPoints               EntryPoints             `description:"Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'" export:"true"`
+	Cluster                   *types.Cluster          `description:"Enable clustering" export:"true"`
 	Constraints               types.Constraints       `description:"Filter services by constraint, matching with service tags" export:"true"`
 	ACME                      *acme.ACME              `description:"Enable ACME (Let's Encrypt): automatic SSL" export:"true"`
 	DefaultEntryPoints        DefaultEntryPoints      `description:"Entrypoints to be used by frontends that do not specify any entrypoint" export:"true"`
@@ -82,19 +69,17 @@ type GlobalConfiguration struct {
 	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used" export:"true"`
 	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself." export:"true"` // Deprecated
 	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification" export:"true"`
-	RootCAs                   tls.FilesOrContents     `description:"Add cert file for self-signed certificate"`
+	RootCAs                   tls.RootCAs             `description:"Add cert file for self-signed certificate"`
 	Retry                     *Retry                  `description:"Enable retry sending request if network error" export:"true"`
 	HealthCheck               *HealthCheckConfig      `description:"Health check parameters" export:"true"`
 	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance" export:"true"`
 	ForwardingTimeouts        *ForwardingTimeouts     `description:"Timeouts for requests forwarded to the backend servers" export:"true"`
-	AllowMinWeightZero        bool                    `description:"Allow weight to take 0 as minimum real value." export:"true"`         // Deprecated
-	KeepTrailingSlash         bool                    `description:"Do not remove trailing slash." export:"true"`                         // Deprecated
 	Web                       *WebCompatibility       `description:"(Deprecated) Enable Web backend with default settings" export:"true"` // Deprecated
 	Docker                    *docker.Provider        `description:"Enable Docker backend with default settings" export:"true"`
 	File                      *file.Provider          `description:"Enable File backend with default settings" export:"true"`
 	Marathon                  *marathon.Provider      `description:"Enable Marathon backend with default settings" export:"true"`
 	Consul                    *consul.Provider        `description:"Enable Consul backend with default settings" export:"true"`
-	ConsulCatalog             *consulcatalog.Provider `description:"Enable Consul catalog backend with default settings" export:"true"`
+	ConsulCatalog             *consul.CatalogProvider `description:"Enable Consul catalog backend with default settings" export:"true"`
 	Etcd                      *etcd.Provider          `description:"Enable Etcd backend with default settings" export:"true"`
 	Zookeeper                 *zk.Provider            `description:"Enable Zookeeper backend with default settings" export:"true"`
 	Boltdb                    *boltdb.Provider        `description:"Enable Boltdb backend with default settings" export:"true"`
@@ -109,18 +94,17 @@ type GlobalConfiguration struct {
 	API                       *api.Handler            `description:"Enable api/dashboard" export:"true"`
 	Metrics                   *types.Metrics          `description:"Enable a metrics exporter" export:"true"`
 	Ping                      *ping.Handler           `description:"Enable ping" export:"true"`
-	HostResolver              *HostResolverConfig     `description:"Enable CNAME Flattening" export:"true"`
 }
 
 // WebCompatibility is a configuration to handle compatibility with deprecated web provider options
 type WebCompatibility struct {
-	Address    string            `description:"(Deprecated) Web administration port" export:"true"`
-	CertFile   string            `description:"(Deprecated) SSL certificate" export:"true"`
-	KeyFile    string            `description:"(Deprecated) SSL certificate" export:"true"`
-	ReadOnly   bool              `description:"(Deprecated) Enable read only API" export:"true"`
-	Statistics *types.Statistics `description:"(Deprecated) Enable more detailed statistics" export:"true"`
-	Metrics    *types.Metrics    `description:"(Deprecated) Enable a metrics exporter" export:"true"`
-	Path       string            `description:"(Deprecated) Root path for dashboard and API" export:"true"`
+	Address    string            `description:"Web administration port" export:"true"`
+	CertFile   string            `description:"SSL certificate" export:"true"`
+	KeyFile    string            `description:"SSL certificate" export:"true"`
+	ReadOnly   bool              `description:"Enable read only API" export:"true"`
+	Statistics *types.Statistics `description:"Enable more detailed statistics" export:"true"`
+	Metrics    *types.Metrics    `description:"Enable a metrics exporter" export:"true"`
+	Path       string            `description:"Root path for dashboard and API" export:"true"`
 	Auth       *types.Auth       `export:"true"`
 	Debug      bool              `export:"true"`
 }
@@ -194,28 +178,12 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 		}
 	}
 
+	// ForwardedHeaders must be remove in the next breaking version
 	for entryPointName := range gc.EntryPoints {
 		entryPoint := gc.EntryPoints[entryPointName]
-		// ForwardedHeaders must be remove in the next breaking version
 		if entryPoint.ForwardedHeaders == nil {
 			entryPoint.ForwardedHeaders = &ForwardedHeaders{Insecure: true}
 		}
-
-		if len(entryPoint.WhitelistSourceRange) > 0 {
-			log.Warnf("Deprecated configuration found: %s. Please use %s.", "whiteListSourceRange", "whiteList.sourceRange")
-
-			if entryPoint.WhiteList == nil {
-				entryPoint.WhiteList = &types.WhiteList{
-					SourceRange: entryPoint.WhitelistSourceRange,
-				}
-				entryPoint.WhitelistSourceRange = nil
-			}
-		}
-
-		if entryPoint.TLS != nil && entryPoint.TLS.DefaultCertificate == nil && len(entryPoint.TLS.Certificates) > 0 {
-			log.Infof("No tls.defaultCertificate given for %s: using the first item in tls.certificates as a fallback.", entryPointName)
-			entryPoint.TLS.DefaultCertificate = &entryPoint.TLS.Certificates[0]
-		}
 	}
 
 	// Make sure LifeCycle isn't nil to spare nil checks elsewhere.
@@ -229,70 +197,7 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 		gc.LifeCycle.GraceTimeOut = gc.GraceTimeOut
 	}
 
-	if gc.Docker != nil {
-		if len(gc.Docker.Filename) != 0 && gc.Docker.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.Docker.TemplateVersion = 1
-		} else {
-			gc.Docker.TemplateVersion = 2
-		}
-
-		if gc.Docker.SwarmModeRefreshSeconds <= 0 {
-			gc.Docker.SwarmModeRefreshSeconds = 15
-		}
-	}
-
-	if gc.Marathon != nil {
-		if len(gc.Marathon.Filename) != 0 && gc.Marathon.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.Marathon.TemplateVersion = 1
-		} else {
-			gc.Marathon.TemplateVersion = 2
-		}
-	}
-
-	if gc.Mesos != nil {
-		if len(gc.Mesos.Filename) != 0 && gc.Mesos.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.Mesos.TemplateVersion = 1
-		} else {
-			gc.Mesos.TemplateVersion = 2
-		}
-	}
-
-	if gc.Eureka != nil {
-		if gc.Eureka.Delay != 0 {
-			log.Warn("Delay has been deprecated -- please use RefreshSeconds")
-			gc.Eureka.RefreshSeconds = gc.Eureka.Delay
-		}
-	}
-
-	if gc.ECS != nil {
-		if len(gc.ECS.Filename) != 0 && gc.ECS.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.ECS.TemplateVersion = 1
-		} else {
-			gc.ECS.TemplateVersion = 2
-		}
-	}
-
-	if gc.ConsulCatalog != nil {
-		if len(gc.ConsulCatalog.Filename) != 0 && gc.ConsulCatalog.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.ConsulCatalog.TemplateVersion = 1
-		} else {
-			gc.ConsulCatalog.TemplateVersion = 2
-		}
-	}
-
 	if gc.Rancher != nil {
-		if len(gc.Rancher.Filename) != 0 && gc.Rancher.TemplateVersion != 2 {
-			log.Warn("Template version 1 is deprecated, please use version 2, see TemplateVersion.")
-			gc.Rancher.TemplateVersion = 1
-		} else {
-			gc.Rancher.TemplateVersion = 2
-		}
-
 		// Ensure backwards compatibility for now
 		if len(gc.Rancher.AccessKey) > 0 ||
 			len(gc.Rancher.Endpoint) > 0 ||
@@ -318,111 +223,26 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
 		gc.API.Debug = gc.Debug
 	}
 
+	if gc.Debug {
+		gc.LogLevel = "DEBUG"
+	}
+
 	if gc.Web != nil && (gc.Web.Path == "" || !strings.HasSuffix(gc.Web.Path, "/")) {
 		gc.Web.Path += "/"
 	}
 
-	if gc.File != nil {
-		gc.File.TraefikFile = configFile
-	}
-
-	gc.initACMEProvider()
-	gc.initTracing()
-}
-
-func (gc *GlobalConfiguration) initTracing() {
-	if gc.Tracing != nil {
-		switch gc.Tracing.Backend {
-		case jaeger.Name:
-			if gc.Tracing.Jaeger == nil {
-				gc.Tracing.Jaeger = &jaeger.Config{
-					SamplingServerURL:      "http://localhost:5778/sampling",
-					SamplingType:           "const",
-					SamplingParam:          1.0,
-					LocalAgentHostPort:     "127.0.0.1:6831",
-					TraceContextHeaderName: jaegercli.TraceContextHeaderName,
-				}
-			}
-			if gc.Tracing.Zipkin != nil {
-				log.Warn("Zipkin configuration will be ignored")
-				gc.Tracing.Zipkin = nil
-			}
-			if gc.Tracing.DataDog != nil {
-				log.Warn("DataDog configuration will be ignored")
-				gc.Tracing.DataDog = nil
-			}
-		case zipkin.Name:
-			if gc.Tracing.Zipkin == nil {
-				gc.Tracing.Zipkin = &zipkin.Config{
-					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
-					SameSpan:     false,
-					ID128Bit:     true,
-					Debug:        false,
-				}
-			}
-			if gc.Tracing.Jaeger != nil {
-				log.Warn("Jaeger configuration will be ignored")
-				gc.Tracing.Jaeger = nil
-			}
-			if gc.Tracing.DataDog != nil {
-				log.Warn("DataDog configuration will be ignored")
-				gc.Tracing.DataDog = nil
-			}
-		case datadog.Name:
-			if gc.Tracing.DataDog == nil {
-				gc.Tracing.DataDog = &datadog.Config{
-					LocalAgentHostPort: "localhost:8126",
-					GlobalTag:          "",
-					Debug:              false,
-					PrioritySampling:   false,
-				}
-			}
-			if gc.Tracing.Zipkin != nil {
-				log.Warn("Zipkin configuration will be ignored")
-				gc.Tracing.Zipkin = nil
-			}
-			if gc.Tracing.Jaeger != nil {
-				log.Warn("Jaeger configuration will be ignored")
-				gc.Tracing.Jaeger = nil
-			}
-		default:
-			log.Warnf("Unknown tracer %q", gc.Tracing.Backend)
-			return
+	// Try to fallback to traefik config file in case the file provider is enabled
+	// but has no file name configured.
+	if gc.File != nil && len(gc.File.Filename) == 0 {
+		if len(configFile) > 0 {
+			gc.File.Filename = configFile
+		} else {
+			log.Errorln("Error using file configuration backend, no filename defined")
 		}
 	}
-}
 
-func (gc *GlobalConfiguration) initACMEProvider() {
 	if gc.ACME != nil {
-		gc.ACME.CAServer = getSafeACMECAServer(gc.ACME.CAServer)
-
-		if gc.ACME.DNSChallenge != nil && gc.ACME.HTTPChallenge != nil {
-			log.Warn("Unable to use DNS challenge and HTTP challenge at the same time. Fallback to DNS challenge.")
-			gc.ACME.HTTPChallenge = nil
-		}
-
-		if gc.ACME.DNSChallenge != nil && gc.ACME.TLSChallenge != nil {
-			log.Warn("Unable to use DNS challenge and TLS challenge at the same time. Fallback to DNS challenge.")
-			gc.ACME.TLSChallenge = nil
-		}
-
-		if gc.ACME.HTTPChallenge != nil && gc.ACME.TLSChallenge != nil {
-			log.Warn("Unable to use HTTP challenge and TLS challenge at the same time. Fallback to TLS challenge.")
-			gc.ACME.HTTPChallenge = nil
-		}
-
-		for _, domain := range gc.ACME.Domains {
-			if domain.Main != dns01.UnFqdn(domain.Main) {
-				log.Warnf("FQDN detected, please remove the trailing dot: %s", domain.Main)
-			}
-			for _, san := range domain.SANs {
-				if san != dns01.UnFqdn(san) {
-					log.Warnf("FQDN detected, please remove the trailing dot: %s", san)
-				}
-			}
-		}
-
-		// TODO: to remove in the future
+		// TODO: to remove in the futurs
 		if len(gc.ACME.StorageFile) > 0 && len(gc.ACME.Storage) == 0 {
 			log.Warn("ACME.StorageFile is deprecated, use ACME.Storage instead")
 			gc.ACME.Storage = gc.ACME.StorageFile
@@ -430,7 +250,7 @@ func (gc *GlobalConfiguration) initACMEProvider() {
 
 		if len(gc.ACME.DNSProvider) > 0 {
 			log.Warn("ACME.DNSProvider is deprecated, use ACME.DNSChallenge instead")
-			gc.ACME.DNSChallenge = &acmeprovider.DNSChallenge{Provider: gc.ACME.DNSProvider, DelayBeforeCheck: gc.ACME.DelayDontCheckDNS}
+			gc.ACME.DNSChallenge = &acme.DNSChallenge{Provider: gc.ACME.DNSProvider, DelayBeforeCheck: gc.ACME.DelayDontCheckDNS}
 		}
 
 		if gc.ACME.OnDemand {
@@ -439,63 +259,6 @@ func (gc *GlobalConfiguration) initACMEProvider() {
 	}
 }
 
-// InitACMEProvider create an acme provider from the ACME part of globalConfiguration
-func (gc *GlobalConfiguration) InitACMEProvider() (*acmeprovider.Provider, error) {
-	if gc.ACME != nil {
-		if len(gc.ACME.Storage) == 0 {
-			// Delete the ACME configuration to avoid starting ACME in cluster mode
-			gc.ACME = nil
-			return nil, errors.New("unable to initialize ACME provider with no storage location for the certificates")
-		}
-		// TODO: Remove when Provider ACME will replace totally ACME
-		// If provider file, use Provider ACME instead of ACME
-		if gc.Cluster == nil {
-			provider := &acmeprovider.Provider{}
-			provider.Configuration = &acmeprovider.Configuration{
-				KeyType:       gc.ACME.KeyType,
-				OnHostRule:    gc.ACME.OnHostRule,
-				OnDemand:      gc.ACME.OnDemand,
-				Email:         gc.ACME.Email,
-				Storage:       gc.ACME.Storage,
-				HTTPChallenge: gc.ACME.HTTPChallenge,
-				DNSChallenge:  gc.ACME.DNSChallenge,
-				TLSChallenge:  gc.ACME.TLSChallenge,
-				Domains:       gc.ACME.Domains,
-				ACMELogging:   gc.ACME.ACMELogging,
-				CAServer:      gc.ACME.CAServer,
-				EntryPoint:    gc.ACME.EntryPoint,
-			}
-
-			store := acmeprovider.NewLocalStore(provider.Storage)
-			provider.Store = store
-			acme.ConvertToNewFormat(provider.Storage)
-			gc.ACME = nil
-			return provider, nil
-		}
-	}
-	return nil, nil
-}
-
-func getSafeACMECAServer(caServerSrc string) string {
-	if len(caServerSrc) == 0 {
-		return DefaultAcmeCAServer
-	}
-
-	if strings.HasPrefix(caServerSrc, "https://acme-v01.api.letsencrypt.org") {
-		caServer := strings.Replace(caServerSrc, "v01", "v02", 1)
-		log.Warnf("The CA server %[1]q refers to a v01 endpoint of the ACME API, please change to %[2]q. Fallback to %[2]q.", caServerSrc, caServer)
-		return caServer
-	}
-
-	if strings.HasPrefix(caServerSrc, "https://acme-staging.api.letsencrypt.org") {
-		caServer := strings.Replace(caServerSrc, "https://acme-staging.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org", 1)
-		log.Warnf("The CA server %[1]q refers to a v01 endpoint of the ACME API, please change to %[2]q. Fallback to %[2]q.", caServerSrc, caServer)
-		return caServer
-	}
-
-	return caServerSrc
-}
-
 // ValidateConfiguration validate that configuration is coherent
 func (gc *GlobalConfiguration) ValidateConfiguration() {
 	if gc.ACME != nil {
@@ -503,7 +266,7 @@ func (gc *GlobalConfiguration) ValidateConfiguration() {
 			log.Fatalf("Unknown entrypoint %q for ACME configuration", gc.ACME.EntryPoint)
 		} else {
 			if gc.EntryPoints[gc.ACME.EntryPoint].TLS == nil {
-				log.Fatalf("Entrypoint %q has no TLS configuration for ACME configuration", gc.ACME.EntryPoint)
+				log.Fatalf("Entrypoint without TLS %q for ACME configuration", gc.ACME.EntryPoint)
 			}
 		}
 	}
@@ -534,12 +297,12 @@ func (dep *DefaultEntryPoints) Set(value string) error {
 
 // Get return the EntryPoints map
 func (dep *DefaultEntryPoints) Get() interface{} {
-	return *dep
+	return DefaultEntryPoints(*dep)
 }
 
 // SetValue sets the EntryPoints map with val
 func (dep *DefaultEntryPoints) SetValue(val interface{}) {
-	*dep = val.(DefaultEntryPoints)
+	*dep = DefaultEntryPoints(val.(DefaultEntryPoints))
 }
 
 // Type is type of the struct
@@ -547,6 +310,157 @@ func (dep *DefaultEntryPoints) Type() string {
 	return "defaultentrypoints"
 }
 
+// EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoints map[string]*EntryPoint
+
+// String is the method to format the flag's value, part of the flag.Value interface.
+// The String method's output will be used in diagnostics.
+func (ep *EntryPoints) String() string {
+	return fmt.Sprintf("%+v", *ep)
+}
+
+// Set is the method to set the flag value, part of the flag.Value interface.
+// Set's argument is a string to be parsed to set the flag.
+// It's a comma-separated list, so we split it.
+func (ep *EntryPoints) Set(value string) error {
+	result := parseEntryPointsConfiguration(value)
+
+	var configTLS *tls.TLS
+	if len(result["tls"]) > 0 {
+		certs := tls.Certificates{}
+		if err := certs.Set(result["tls"]); err != nil {
+			return err
+		}
+		configTLS = &tls.TLS{
+			Certificates: certs,
+		}
+	} else if len(result["tls_acme"]) > 0 {
+		configTLS = &tls.TLS{
+			Certificates: tls.Certificates{},
+		}
+	}
+	if len(result["ca"]) > 0 {
+		files := strings.Split(result["ca"], ",")
+		optional := toBool(result, "ca_optional")
+		configTLS.ClientCA = tls.ClientCA{
+			Files:    files,
+			Optional: optional,
+		}
+	}
+	var redirect *types.Redirect
+	if len(result["redirect_entrypoint"]) > 0 || len(result["redirect_regex"]) > 0 || len(result["redirect_replacement"]) > 0 {
+		redirect = &types.Redirect{
+			EntryPoint:  result["redirect_entrypoint"],
+			Regex:       result["redirect_regex"],
+			Replacement: result["redirect_replacement"],
+		}
+	}
+
+	whiteListSourceRange := []string{}
+	if len(result["whitelistsourcerange"]) > 0 {
+		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
+	}
+
+	compress := toBool(result, "compress")
+
+	var proxyProtocol *ProxyProtocol
+	ppTrustedIPs := result["proxyprotocol_trustedips"]
+	if len(result["proxyprotocol_insecure"]) > 0 || len(ppTrustedIPs) > 0 {
+		proxyProtocol = &ProxyProtocol{
+			Insecure: toBool(result, "proxyprotocol_insecure"),
+		}
+		if len(ppTrustedIPs) > 0 {
+			proxyProtocol.TrustedIPs = strings.Split(ppTrustedIPs, ",")
+		}
+	}
+
+	// TODO must be changed to false by default in the next breaking version.
+	forwardedHeaders := &ForwardedHeaders{Insecure: true}
+	if _, ok := result["forwardedheaders_insecure"]; ok {
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+	}
+
+	fhTrustedIPs := result["forwardedheaders_trustedips"]
+	if len(fhTrustedIPs) > 0 {
+		// TODO must be removed in the next breaking version.
+		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
+		forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
+	}
+
+	if proxyProtocol != nil && proxyProtocol.Insecure {
+		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
+	}
+
+	(*ep)[result["name"]] = &EntryPoint{
+		Address:              result["address"],
+		TLS:                  configTLS,
+		Redirect:             redirect,
+		Compress:             compress,
+		WhitelistSourceRange: whiteListSourceRange,
+		ProxyProtocol:        proxyProtocol,
+		ForwardedHeaders:     forwardedHeaders,
+	}
+
+	return nil
+}
+
+func parseEntryPointsConfiguration(raw string) map[string]string {
+	sections := strings.Fields(raw)
+
+	config := make(map[string]string)
+	for _, part := range sections {
+		field := strings.SplitN(part, ":", 2)
+		name := strings.ToLower(strings.Replace(field[0], ".", "_", -1))
+		if len(field) > 1 {
+			config[name] = field[1]
+		} else {
+			if strings.EqualFold(name, "TLS") {
+				config["tls_acme"] = "TLS"
+			} else {
+				config[name] = ""
+			}
+		}
+	}
+	return config
+}
+
+func toBool(conf map[string]string, key string) bool {
+	if val, ok := conf[key]; ok {
+		return strings.EqualFold(val, "true") ||
+			strings.EqualFold(val, "enable") ||
+			strings.EqualFold(val, "on")
+	}
+	return false
+}
+
+// Get return the EntryPoints map
+func (ep *EntryPoints) Get() interface{} {
+	return EntryPoints(*ep)
+}
+
+// SetValue sets the EntryPoints map with val
+func (ep *EntryPoints) SetValue(val interface{}) {
+	*ep = EntryPoints(val.(EntryPoints))
+}
+
+// Type is type of the struct
+func (ep *EntryPoints) Type() string {
+	return "entrypoints"
+}
+
+// EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
+type EntryPoint struct {
+	Network              string
+	Address              string
+	TLS                  *tls.TLS        `export:"true"`
+	Redirect             *types.Redirect `export:"true"`
+	Auth                 *types.Auth     `export:"true"`
+	WhitelistSourceRange []string
+	Compress             bool              `export:"true"`
+	ProxyProtocol        *ProxyProtocol    `export:"true"`
+	ForwardedHeaders     *ForwardedHeaders `export:"true"`
+}
+
 // Retry contains request retry config
 type Retry struct {
 	Attempts int `description:"Number of attempts" export:"true"`
@@ -570,16 +484,21 @@ type ForwardingTimeouts struct {
 	ResponseHeaderTimeout flaeg.Duration `description:"The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists" export:"true"`
 }
 
+// ProxyProtocol contains Proxy-Protocol configuration
+type ProxyProtocol struct {
+	Insecure   bool
+	TrustedIPs []string
+}
+
+// ForwardedHeaders Trust client forwarding headers
+type ForwardedHeaders struct {
+	Insecure   bool
+	TrustedIPs []string
+}
+
 // LifeCycle contains configurations relevant to the lifecycle (such as the
 // shutdown phase) of Traefik.
 type LifeCycle struct {
 	RequestAcceptGraceTimeout flaeg.Duration `description:"Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure"`
 	GraceTimeOut              flaeg.Duration `description:"Duration to give active requests a chance to finish before Traefik stops"`
 }
-
-// HostResolverConfig contain configuration for CNAME Flattening
-type HostResolverConfig struct {
-	CnameFlattening bool   `description:"A flag to enable/disable CNAME flattening" export:"true"`
-	ResolvConfig    string `description:"resolv.conf used for DNS resolving" export:"true"`
-	ResolvDepth     int    `description:"The maximal depth of DNS recursive resolving" export:"true"`
-}

configuration/configuration_test.go

@@ -5,21 +5,309 @@ import (
 	"time"
 
 	"github.com/containous/flaeg"
+	"github.com/containous/traefik/provider"
+	"github.com/containous/traefik/provider/file"
+	"github.com/containous/traefik/tls"
+	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
-	"github.com/traefik/traefik/acme"
-	"github.com/traefik/traefik/middlewares/tracing"
-	"github.com/traefik/traefik/middlewares/tracing/jaeger"
-	"github.com/traefik/traefik/middlewares/tracing/zipkin"
-	"github.com/traefik/traefik/provider"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/provider/file"
-	"github.com/traefik/traefik/tls"
+	"github.com/stretchr/testify/require"
 )
 
 const defaultConfigFile = "traefik.toml"
 
-func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
+func Test_parseEntryPointsConfiguration(t *testing.T) {
 	testCases := []struct {
+		name           string
+		value          string
+		expectedResult map[string]string
+	}{
+		{
+			name:  "all parameters",
+			value: "Name:foo TLS:goo TLS CA:car Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:WhiteListSourceRange ProxyProtocol.TrustedIPs:192.168.0.1 ProxyProtocol.Insecure:false Address::8000",
+			expectedResult: map[string]string{
+				"name":                     "foo",
+				"address":                  ":8000",
+				"ca":                       "car",
+				"tls":                      "goo",
+				"tls_acme":                 "TLS",
+				"redirect_entrypoint":      "RedirectEntryPoint",
+				"redirect_regex":           "RedirectRegex",
+				"redirect_replacement":     "RedirectReplacement",
+				"whitelistsourcerange":     "WhiteListSourceRange",
+				"proxyprotocol_trustedips": "192.168.0.1",
+				"proxyprotocol_insecure":   "false",
+				"compress":                 "true",
+			},
+		},
+		{
+			name:  "compress on",
+			value: "name:foo Compress:on",
+			expectedResult: map[string]string{
+				"name":     "foo",
+				"compress": "on",
+			},
+		},
+		{
+			name:  "TLS",
+			value: "Name:foo TLS:goo TLS",
+			expectedResult: map[string]string{
+				"name":     "foo",
+				"tls":      "goo",
+				"tls_acme": "TLS",
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			conf := parseEntryPointsConfiguration(test.value)
+
+			assert.Len(t, conf, len(test.expectedResult))
+			assert.Equal(t, test.expectedResult, conf)
+		})
+	}
+}
+
+func Test_toBool(t *testing.T) {
+	testCases := []struct {
+		name         string
+		value        string
+		key          string
+		expectedBool bool
+	}{
+		{
+			name:         "on",
+			value:        "on",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "true",
+			value:        "true",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "enable",
+			value:        "enable",
+			key:          "foo",
+			expectedBool: true,
+		},
+		{
+			name:         "arbitrary string",
+			value:        "bar",
+			key:          "foo",
+			expectedBool: false,
+		},
+		{
+			name:         "no existing entry",
+			value:        "bar",
+			key:          "fii",
+			expectedBool: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			conf := map[string]string{
+				"foo": test.value,
+			}
+
+			result := toBool(conf, test.key)
+
+			assert.Equal(t, test.expectedBool, result)
+		})
+	}
+}
+
+func TestEntryPoints_Set(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		expression             string
+		expectedEntryPointName string
+		expectedEntryPoint     *EntryPoint
+	}{
+		{
+			name:                   "all parameters camelcase",
+			expression:             "Name:foo Address::8000 TLS:goo,gii TLS CA:car CA.Optional:false Redirect.EntryPoint:RedirectEntryPoint Redirect.Regex:RedirectRegex Redirect.Replacement:RedirectReplacement Compress:true WhiteListSourceRange:Range ProxyProtocol.TrustedIPs:192.168.0.1 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Address: ":8000",
+				Redirect: &types.Redirect{
+					EntryPoint:  "RedirectEntryPoint",
+					Regex:       "RedirectRegex",
+					Replacement: "RedirectReplacement",
+				},
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+				WhitelistSourceRange: []string{"Range"},
+				TLS: &tls.TLS{
+					ClientCA: tls.ClientCA{
+						Files:    []string{"car"},
+						Optional: false,
+					},
+					Certificates: tls.Certificates{
+						{
+							CertFile: tls.FileOrContent("goo"),
+							KeyFile:  tls.FileOrContent("gii"),
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                   "all parameters lowercase",
+			expression:             "name:foo address::8000 tls:goo,gii tls ca:car ca.optional:true redirect.entryPoint:RedirectEntryPoint redirect.regex:RedirectRegex redirect.replacement:RedirectReplacement compress:true whiteListSourceRange:Range proxyProtocol.trustedIPs:192.168.0.1 forwardedHeaders.trustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Address: ":8000",
+				Redirect: &types.Redirect{
+					EntryPoint:  "RedirectEntryPoint",
+					Regex:       "RedirectRegex",
+					Replacement: "RedirectReplacement",
+				},
+				Compress: true,
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"192.168.0.1"},
+				},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+				WhitelistSourceRange: []string{"Range"},
+				TLS: &tls.TLS{
+					ClientCA: tls.ClientCA{
+						Files:    []string{"car"},
+						Optional: true,
+					},
+					Certificates: tls.Certificates{
+						{
+							CertFile: tls.FileOrContent("goo"),
+							KeyFile:  tls.FileOrContent("gii"),
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                   "default",
+			expression:             "Name:foo",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure true",
+			expression:             "Name:foo ForwardedHeaders.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders insecure false",
+			expression:             "Name:foo ForwardedHeaders.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: false},
+			},
+		},
+		{
+			name:                   "ForwardedHeaders TrustedIPs",
+			expression:             "Name:foo ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders: &ForwardedHeaders{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure true",
+			expression:             "Name:foo ProxyProtocol.Insecure:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:        &ProxyProtocol{Insecure: true},
+			},
+		},
+		{
+			name:                   "ProxyProtocol insecure false",
+			expression:             "Name:foo ProxyProtocol.Insecure:false",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol:        &ProxyProtocol{},
+			},
+		},
+		{
+			name:                   "ProxyProtocol TrustedIPs",
+			expression:             "Name:foo ProxyProtocol.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+				ProxyProtocol: &ProxyProtocol{
+					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
+				},
+			},
+		},
+		{
+			name:                   "compress on",
+			expression:             "Name:foo Compress:on",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Compress:             true,
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			name:                   "compress true",
+			expression:             "Name:foo Compress:true",
+			expectedEntryPointName: "foo",
+			expectedEntryPoint: &EntryPoint{
+				Compress:             true,
+				WhitelistSourceRange: []string{},
+				ForwardedHeaders:     &ForwardedHeaders{Insecure: true},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			eps := EntryPoints{}
+			err := eps.Set(test.expression)
+			require.NoError(t, err)
+
+			ep := eps[test.expectedEntryPointName]
+			assert.EqualValues(t, test.expectedEntryPoint, ep)
+		})
+	}
+}
+
+func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
+	tests := []struct {
 		desc                  string
 		legacyGraceTimeout    time.Duration
 		lifeCycleGraceTimeout time.Duration
@@ -44,11 +332,10 @@ func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
 		},
 	}
 
-	for _, test := range testCases {
+	for _, test := range tests {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
-
 			gc := &GlobalConfiguration{
 				GraceTimeOut: flaeg.Duration(test.legacyGraceTimeout),
 			}
@@ -60,277 +347,47 @@ func TestSetEffectiveConfigurationGraceTimeout(t *testing.T) {
 
 			gc.SetEffectiveConfiguration(defaultConfigFile)
 
-			assert.Equal(t, test.wantGraceTimeout, time.Duration(gc.LifeCycle.GraceTimeOut))
+			gotGraceTimeout := time.Duration(gc.LifeCycle.GraceTimeOut)
+			if gotGraceTimeout != test.wantGraceTimeout {
+				t.Fatalf("got effective grace timeout %d, want %d", gotGraceTimeout, test.wantGraceTimeout)
+			}
+
 		})
 	}
 }
 
 func TestSetEffectiveConfigurationFileProviderFilename(t *testing.T) {
-	testCases := []struct {
-		desc                        string
-		fileProvider                *file.Provider
-		wantFileProviderFilename    string
-		wantFileProviderTraefikFile string
+	tests := []struct {
+		desc                     string
+		fileProvider             *file.Provider
+		wantFileProviderFilename string
 	}{
 		{
-			desc:                        "no filename for file provider given",
-			fileProvider:                &file.Provider{},
-			wantFileProviderFilename:    "",
-			wantFileProviderTraefikFile: defaultConfigFile,
+			desc:                     "no filename for file provider given",
+			fileProvider:             &file.Provider{},
+			wantFileProviderFilename: defaultConfigFile,
 		},
 		{
-			desc:                        "filename for file provider given",
-			fileProvider:                &file.Provider{BaseProvider: provider.BaseProvider{Filename: "other.toml"}},
-			wantFileProviderFilename:    "other.toml",
-			wantFileProviderTraefikFile: defaultConfigFile,
-		},
-		{
-			desc:                        "directory for file provider given",
-			fileProvider:                &file.Provider{Directory: "/"},
-			wantFileProviderFilename:    "",
-			wantFileProviderTraefikFile: defaultConfigFile,
+			desc:                     "filename for file provider given",
+			fileProvider:             &file.Provider{BaseProvider: provider.BaseProvider{Filename: "other.toml"}},
+			wantFileProviderFilename: "other.toml",
 		},
 	}
 
-	for _, test := range testCases {
+	for _, test := range tests {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
-
 			gc := &GlobalConfiguration{
 				File: test.fileProvider,
 			}
 
 			gc.SetEffectiveConfiguration(defaultConfigFile)
 
-			assert.Equal(t, test.wantFileProviderFilename, gc.File.Filename)
-			assert.Equal(t, test.wantFileProviderTraefikFile, gc.File.TraefikFile)
-		})
-	}
-}
-
-func TestSetEffectiveConfigurationTracing(t *testing.T) {
-	testCases := []struct {
-		desc     string
-		tracing  *tracing.Tracing
-		expected *tracing.Tracing
-	}{
-		{
-			desc:     "no tracing configuration",
-			tracing:  &tracing.Tracing{},
-			expected: &tracing.Tracing{},
-		},
-		{
-			desc: "tracing bad backend name",
-			tracing: &tracing.Tracing{
-				Backend: "powpow",
-			},
-			expected: &tracing.Tracing{
-				Backend: "powpow",
-			},
-		},
-		{
-			desc: "tracing jaeger backend name",
-			tracing: &tracing.Tracing{
-				Backend: "jaeger",
-				Zipkin: &zipkin.Config{
-					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
-					SameSpan:     false,
-					ID128Bit:     true,
-					Debug:        false,
-				},
-			},
-			expected: &tracing.Tracing{
-				Backend: "jaeger",
-				Jaeger: &jaeger.Config{
-					SamplingServerURL:      "http://localhost:5778/sampling",
-					SamplingType:           "const",
-					SamplingParam:          1.0,
-					LocalAgentHostPort:     "127.0.0.1:6831",
-					TraceContextHeaderName: "uber-trace-id",
-				},
-				Zipkin: nil,
-			},
-		},
-		{
-			desc: "tracing zipkin backend name",
-			tracing: &tracing.Tracing{
-				Backend: "zipkin",
-				Jaeger: &jaeger.Config{
-					SamplingServerURL:      "http://localhost:5778/sampling",
-					SamplingType:           "const",
-					SamplingParam:          1.0,
-					LocalAgentHostPort:     "127.0.0.1:6831",
-					TraceContextHeaderName: "uber-trace-id",
-				},
-			},
-			expected: &tracing.Tracing{
-				Backend: "zipkin",
-				Jaeger:  nil,
-				Zipkin: &zipkin.Config{
-					HTTPEndpoint: "http://localhost:9411/api/v1/spans",
-					SameSpan:     false,
-					ID128Bit:     true,
-					Debug:        false,
-				},
-			},
-		},
-		{
-			desc: "tracing zipkin backend name value override",
-			tracing: &tracing.Tracing{
-				Backend: "zipkin",
-				Jaeger: &jaeger.Config{
-					SamplingServerURL:      "http://localhost:5778/sampling",
-					SamplingType:           "const",
-					SamplingParam:          1.0,
-					LocalAgentHostPort:     "127.0.0.1:6831",
-					TraceContextHeaderName: "uber-trace-id",
-				},
-				Zipkin: &zipkin.Config{
-					HTTPEndpoint: "http://powpow:9411/api/v1/spans",
-					SameSpan:     true,
-					ID128Bit:     true,
-					Debug:        true,
-				},
-			},
-			expected: &tracing.Tracing{
-				Backend: "zipkin",
-				Jaeger:  nil,
-				Zipkin: &zipkin.Config{
-					HTTPEndpoint: "http://powpow:9411/api/v1/spans",
-					SameSpan:     true,
-					ID128Bit:     true,
-					Debug:        true,
-				},
-			},
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			gc := &GlobalConfiguration{
-				Tracing: test.tracing,
-			}
-
-			gc.SetEffectiveConfiguration(defaultConfigFile)
-
-			assert.Equal(t, test.expected, gc.Tracing)
-		})
-	}
-}
-
-func TestInitACMEProvider(t *testing.T) {
-	testCases := []struct {
-		desc                  string
-		acmeConfiguration     *acme.ACME
-		expectedConfiguration *acmeprovider.Provider
-		noError               bool
-	}{
-		{
-			desc:                  "No ACME configuration",
-			acmeConfiguration:     nil,
-			expectedConfiguration: nil,
-			noError:               true,
-		},
-		{
-			desc:                  "ACME configuration with storage",
-			acmeConfiguration:     &acme.ACME{Storage: "foo/acme.json"},
-			expectedConfiguration: &acmeprovider.Provider{Configuration: &acmeprovider.Configuration{Storage: "foo/acme.json"}},
-			noError:               true,
-		},
-		{
-			desc:                  "ACME configuration with no storage",
-			acmeConfiguration:     &acme.ACME{},
-			expectedConfiguration: nil,
-			noError:               false,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			gc := &GlobalConfiguration{
-				ACME: test.acmeConfiguration,
-			}
-
-			configuration, err := gc.InitACMEProvider()
-
-			assert.True(t, (err == nil) == test.noError)
-
-			if test.expectedConfiguration == nil {
-				assert.Nil(t, configuration)
-			} else {
-				assert.Equal(t, test.expectedConfiguration.Storage, configuration.Storage)
+			gotFileProviderFilename := gc.File.Filename
+			if gotFileProviderFilename != test.wantFileProviderFilename {
+				t.Fatalf("got file provider file name %q, want %q", gotFileProviderFilename, test.wantFileProviderFilename)
 			}
 		})
 	}
 }
-
-func TestSetEffectiveConfigurationTLSMinVersion(t *testing.T) {
-	testCases := []struct {
-		desc     string
-		provided EntryPoint
-		expected EntryPoint
-	}{
-		{
-			desc: "Entrypoint with no TLS",
-			provided: EntryPoint{
-				Address: ":80",
-			},
-			expected: EntryPoint{
-				Address:          ":80",
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-			},
-		},
-		{
-			desc: "Entrypoint with TLS Specifying MinVersion",
-			provided: EntryPoint{
-				Address: ":443",
-				TLS: &tls.TLS{
-					MinVersion: "VersionTLS12",
-				},
-			},
-			expected: EntryPoint{
-				Address:          ":443",
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-				TLS: &tls.TLS{
-					MinVersion: "VersionTLS12",
-				},
-			},
-		},
-		{
-			desc: "Entrypoint with TLS without Specifying MinVersion",
-			provided: EntryPoint{
-				Address: ":443",
-				TLS:     &tls.TLS{},
-			},
-			expected: EntryPoint{
-				Address:          ":443",
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-				TLS:              &tls.TLS{},
-			},
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			gc := &GlobalConfiguration{
-				EntryPoints: map[string]*EntryPoint{
-					"foo": &test.provided,
-				},
-			}
-
-			gc.SetEffectiveConfiguration(defaultConfigFile)
-
-			assert.Equal(t, &test.expected, gc.EntryPoints["foo"])
-		})
-	}
-}

configuration/entrypoints.go

@@ -1,296 +0,0 @@
-package configuration
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
-)
-
-// EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)
-type EntryPoint struct {
-	Address              string
-	TLS                  *tls.TLS          `export:"true"`
-	Redirect             *types.Redirect   `export:"true"`
-	Auth                 *types.Auth       `export:"true"`
-	WhitelistSourceRange []string          // Deprecated
-	WhiteList            *types.WhiteList  `export:"true"`
-	Compress             bool              `export:"true"`
-	ProxyProtocol        *ProxyProtocol    `export:"true"`
-	ForwardedHeaders     *ForwardedHeaders `export:"true"`
-}
-
-// ProxyProtocol contains Proxy-Protocol configuration
-type ProxyProtocol struct {
-	Insecure   bool `export:"true"`
-	TrustedIPs []string
-}
-
-// ForwardedHeaders Trust client forwarding headers
-type ForwardedHeaders struct {
-	Insecure   bool `export:"true"`
-	TrustedIPs []string
-}
-
-// EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
-type EntryPoints map[string]*EntryPoint
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (ep EntryPoints) String() string {
-	return fmt.Sprintf("%+v", map[string]*EntryPoint(ep))
-}
-
-// Get return the EntryPoints map
-func (ep *EntryPoints) Get() interface{} {
-	return *ep
-}
-
-// SetValue sets the EntryPoints map with val
-func (ep *EntryPoints) SetValue(val interface{}) {
-	*ep = val.(EntryPoints)
-}
-
-// Type is type of the struct
-func (ep *EntryPoints) Type() string {
-	return "entrypoints"
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (ep *EntryPoints) Set(value string) error {
-	result := parseEntryPointsConfiguration(value)
-
-	var whiteListSourceRange []string
-	if len(result["whitelistsourcerange"]) > 0 {
-		whiteListSourceRange = strings.Split(result["whitelistsourcerange"], ",")
-	}
-
-	compress := toBool(result, "compress")
-
-	configTLS, err := makeEntryPointTLS(result)
-	if err != nil {
-		return err
-	}
-
-	(*ep)[result["name"]] = &EntryPoint{
-		Address:              result["address"],
-		TLS:                  configTLS,
-		Auth:                 makeEntryPointAuth(result),
-		Redirect:             makeEntryPointRedirect(result),
-		Compress:             compress,
-		WhitelistSourceRange: whiteListSourceRange,
-		WhiteList:            makeWhiteList(result),
-		ProxyProtocol:        makeEntryPointProxyProtocol(result),
-		ForwardedHeaders:     makeEntryPointForwardedHeaders(result),
-	}
-
-	return nil
-}
-
-func makeWhiteList(result map[string]string) *types.WhiteList {
-	var wl *types.WhiteList
-	if rawRange, ok := result["whitelist_sourcerange"]; ok {
-		wl = &types.WhiteList{
-			SourceRange:      strings.Split(rawRange, ","),
-			UseXForwardedFor: toBool(result, "whitelist_usexforwardedfor"),
-		}
-	}
-	return wl
-}
-
-func makeEntryPointAuth(result map[string]string) *types.Auth {
-	var basic *types.Basic
-	if v, ok := result["auth_basic_users"]; ok {
-		basic = &types.Basic{
-			Users:        strings.Split(v, ","),
-			RemoveHeader: toBool(result, "auth_basic_removeheader"),
-		}
-	}
-
-	var digest *types.Digest
-	if v, ok := result["auth_digest_users"]; ok {
-		digest = &types.Digest{
-			Users:        strings.Split(v, ","),
-			RemoveHeader: toBool(result, "auth_digest_removeheader"),
-		}
-	}
-
-	var forward *types.Forward
-	if address, ok := result["auth_forward_address"]; ok {
-		var clientTLS *types.ClientTLS
-
-		cert := result["auth_forward_tls_cert"]
-		key := result["auth_forward_tls_key"]
-		insecureSkipVerify := toBool(result, "auth_forward_tls_insecureskipverify")
-
-		if len(cert) > 0 && len(key) > 0 || insecureSkipVerify {
-			clientTLS = &types.ClientTLS{
-				CA:                 result["auth_forward_tls_ca"],
-				CAOptional:         toBool(result, "auth_forward_tls_caoptional"),
-				Cert:               cert,
-				Key:                key,
-				InsecureSkipVerify: insecureSkipVerify,
-			}
-		}
-
-		var authResponseHeaders []string
-		if v, ok := result["auth_forward_authresponseheaders"]; ok {
-			authResponseHeaders = strings.Split(v, ",")
-		}
-
-		forward = &types.Forward{
-			Address:             address,
-			TLS:                 clientTLS,
-			TrustForwardHeader:  toBool(result, "auth_forward_trustforwardheader"),
-			AuthResponseHeaders: authResponseHeaders,
-		}
-	}
-
-	var auth *types.Auth
-	if basic != nil || digest != nil || forward != nil {
-		auth = &types.Auth{
-			Basic:       basic,
-			Digest:      digest,
-			Forward:     forward,
-			HeaderField: result["auth_headerfield"],
-		}
-	}
-
-	return auth
-}
-
-func makeEntryPointProxyProtocol(result map[string]string) *ProxyProtocol {
-	var proxyProtocol *ProxyProtocol
-
-	ppTrustedIPs := result["proxyprotocol_trustedips"]
-	if len(result["proxyprotocol_insecure"]) > 0 || len(ppTrustedIPs) > 0 {
-		proxyProtocol = &ProxyProtocol{
-			Insecure: toBool(result, "proxyprotocol_insecure"),
-		}
-		if len(ppTrustedIPs) > 0 {
-			proxyProtocol.TrustedIPs = strings.Split(ppTrustedIPs, ",")
-		}
-	}
-
-	if proxyProtocol != nil && proxyProtocol.Insecure {
-		log.Warn("ProxyProtocol.Insecure:true is dangerous. Please use 'ProxyProtocol.TrustedIPs:IPs' and remove 'ProxyProtocol.Insecure:true'")
-	}
-
-	return proxyProtocol
-}
-
-func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
-	// TODO must be changed to false by default in the next breaking version.
-	forwardedHeaders := &ForwardedHeaders{Insecure: true}
-	if _, ok := result["forwardedheaders_insecure"]; ok {
-		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
-	}
-
-	fhTrustedIPs := result["forwardedheaders_trustedips"]
-	if len(fhTrustedIPs) > 0 {
-		// TODO must be removed in the next breaking version.
-		forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
-		forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
-	}
-
-	return forwardedHeaders
-}
-
-func makeEntryPointRedirect(result map[string]string) *types.Redirect {
-	var redirect *types.Redirect
-
-	if len(result["redirect_entrypoint"]) > 0 || len(result["redirect_regex"]) > 0 || len(result["redirect_replacement"]) > 0 {
-		redirect = &types.Redirect{
-			EntryPoint:  result["redirect_entrypoint"],
-			Regex:       result["redirect_regex"],
-			Replacement: result["redirect_replacement"],
-			Permanent:   toBool(result, "redirect_permanent"),
-		}
-	}
-
-	return redirect
-}
-
-func makeEntryPointTLS(result map[string]string) (*tls.TLS, error) {
-	var configTLS *tls.TLS
-
-	if len(result["tls"]) > 0 {
-		certs := tls.Certificates{}
-		if err := certs.Set(result["tls"]); err != nil {
-			return nil, err
-		}
-		configTLS = &tls.TLS{
-			Certificates: certs,
-		}
-	} else if len(result["tls_acme"]) > 0 {
-		configTLS = &tls.TLS{
-			Certificates: tls.Certificates{},
-		}
-	}
-
-	if configTLS != nil {
-		if len(result["ca"]) > 0 {
-			files := tls.FilesOrContents{}
-			files.Set(result["ca"])
-			optional := toBool(result, "ca_optional")
-			configTLS.ClientCA = tls.ClientCA{
-				Files:    files,
-				Optional: optional,
-			}
-		}
-
-		if len(result["tls_minversion"]) > 0 {
-			configTLS.MinVersion = result["tls_minversion"]
-		}
-
-		if len(result["tls_ciphersuites"]) > 0 {
-			configTLS.CipherSuites = strings.Split(result["tls_ciphersuites"], ",")
-		}
-
-		if len(result["tls_snistrict"]) > 0 {
-			configTLS.SniStrict = toBool(result, "tls_snistrict")
-		}
-
-		if len(result["tls_defaultcertificate_cert"]) > 0 && len(result["tls_defaultcertificate_key"]) > 0 {
-			configTLS.DefaultCertificate = &tls.Certificate{
-				CertFile: tls.FileOrContent(result["tls_defaultcertificate_cert"]),
-				KeyFile:  tls.FileOrContent(result["tls_defaultcertificate_key"]),
-			}
-		}
-	}
-
-	return configTLS, nil
-}
-
-func parseEntryPointsConfiguration(raw string) map[string]string {
-	sections := strings.Fields(raw)
-
-	config := make(map[string]string)
-	for _, part := range sections {
-		field := strings.SplitN(part, ":", 2)
-		name := strings.ToLower(strings.Replace(field[0], ".", "_", -1))
-		if len(field) > 1 {
-			config[name] = field[1]
-		} else {
-			if strings.EqualFold(name, "TLS") {
-				config["tls_acme"] = "TLS"
-			} else {
-				config[name] = ""
-			}
-		}
-	}
-	return config
-}
-
-func toBool(conf map[string]string, key string) bool {
-	if val, ok := conf[key]; ok {
-		return strings.EqualFold(val, "true") ||
-			strings.EqualFold(val, "enable") ||
-			strings.EqualFold(val, "on")
-	}
-	return false
-}

configuration/entrypoints_test.go

@@ -1,493 +0,0 @@
-package configuration
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/traefik/traefik/tls"
-	"github.com/traefik/traefik/types"
-)
-
-func Test_parseEntryPointsConfiguration(t *testing.T) {
-	testCases := []struct {
-		name           string
-		value          string
-		expectedResult map[string]string
-	}{
-		{
-			name: "all parameters",
-			value: "Name:foo " +
-				"Address::8000 " +
-				"TLS:goo,gii " +
-				"TLS " +
-				"TLS.MinVersion:VersionTLS11 " +
-				"TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
-				"CA:car " +
-				"CA.Optional:true " +
-				"Redirect.EntryPoint:https " +
-				"Redirect.Regex:http://localhost/(.*) " +
-				"Redirect.Replacement:http://mydomain/$1 " +
-				"Redirect.Permanent:true " +
-				"Compress:true " +
-				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
-				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
-				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
-				"Auth.Basic.RemoveHeader:true " +
-				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
-				"Auth.Digest.RemoveHeader:true " +
-				"Auth.HeaderField:X-WebAuth-User " +
-				"Auth.Forward.Address:https://authserver.com/auth " +
-				"Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret " +
-				"Auth.Forward.TrustForwardHeader:true " +
-				"Auth.Forward.TLS.CA:path/to/local.crt " +
-				"Auth.Forward.TLS.CAOptional:true " +
-				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
-				"Auth.Forward.TLS.Key:path/to/foo.key " +
-				"Auth.Forward.TLS.InsecureSkipVerify:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.useXForwardedFor:true ",
-			expectedResult: map[string]string{
-				"address":                             ":8000",
-				"auth_basic_users":                    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-				"auth_basic_removeheader":             "true",
-				"auth_digest_users":                   "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-				"auth_digest_removeheader":            "true",
-				"auth_forward_address":                "https://authserver.com/auth",
-				"auth_forward_authresponseheaders":    "X-Auth,X-Test,X-Secret",
-				"auth_forward_tls_ca":                 "path/to/local.crt",
-				"auth_forward_tls_caoptional":         "true",
-				"auth_forward_tls_cert":               "path/to/foo.cert",
-				"auth_forward_tls_insecureskipverify": "true",
-				"auth_forward_tls_key":                "path/to/foo.key",
-				"auth_forward_trustforwardheader":     "true",
-				"auth_headerfield":                    "X-WebAuth-User",
-				"ca":                                  "car",
-				"ca_optional":                         "true",
-				"compress":                            "true",
-				"forwardedheaders_trustedips":         "10.0.0.3/24,20.0.0.3/24",
-				"name":                                "foo",
-				"proxyprotocol_trustedips":            "192.168.0.1",
-				"redirect_entrypoint":                 "https",
-				"redirect_permanent":                  "true",
-				"redirect_regex":                      "http://localhost/(.*)",
-				"redirect_replacement":                "http://mydomain/$1",
-				"tls":                                 "goo,gii",
-				"tls_acme":                            "TLS",
-				"tls_ciphersuites":                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-				"tls_minversion":                      "VersionTLS11",
-				"whitelistsourcerange":                "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
-				"whitelist_sourcerange":               "10.42.0.0/16,152.89.1.33/32,afed:be44::/16",
-				"whitelist_usexforwardedfor":          "true",
-			},
-		},
-		{
-			name:  "compress on",
-			value: "name:foo Compress:on",
-			expectedResult: map[string]string{
-				"name":     "foo",
-				"compress": "on",
-			},
-		},
-		{
-			name:  "TLS",
-			value: "Name:foo TLS:goo TLS",
-			expectedResult: map[string]string{
-				"name":     "foo",
-				"tls":      "goo",
-				"tls_acme": "TLS",
-			},
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			conf := parseEntryPointsConfiguration(test.value)
-
-			assert.Len(t, conf, len(test.expectedResult))
-			assert.Equal(t, test.expectedResult, conf)
-		})
-	}
-}
-
-func Test_toBool(t *testing.T) {
-	testCases := []struct {
-		name         string
-		value        string
-		key          string
-		expectedBool bool
-	}{
-		{
-			name:         "on",
-			value:        "on",
-			key:          "foo",
-			expectedBool: true,
-		},
-		{
-			name:         "true",
-			value:        "true",
-			key:          "foo",
-			expectedBool: true,
-		},
-		{
-			name:         "enable",
-			value:        "enable",
-			key:          "foo",
-			expectedBool: true,
-		},
-		{
-			name:         "arbitrary string",
-			value:        "bar",
-			key:          "foo",
-			expectedBool: false,
-		},
-		{
-			name:         "no existing entry",
-			value:        "bar",
-			key:          "fii",
-			expectedBool: false,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			conf := map[string]string{
-				"foo": test.value,
-			}
-
-			result := toBool(conf, test.key)
-
-			assert.Equal(t, test.expectedBool, result)
-		})
-	}
-}
-
-func TestEntryPoints_Set(t *testing.T) {
-	testCases := []struct {
-		name                   string
-		expression             string
-		expectedEntryPointName string
-		expectedEntryPoint     *EntryPoint
-	}{
-		{
-			name: "all parameters camelcase",
-			expression: "Name:foo " +
-				"Address::8000 " +
-				"TLS:goo,gii;foo,fii " +
-				"TLS " +
-				"TLS.MinVersion:VersionTLS11 " +
-				"TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
-				"CA:car " +
-				"CA.Optional:true " +
-				"Redirect.EntryPoint:https " +
-				"Redirect.Regex:http://localhost/(.*) " +
-				"Redirect.Replacement:http://mydomain/$1 " +
-				"Redirect.Permanent:true " +
-				"Compress:true " +
-				"ProxyProtocol.TrustedIPs:192.168.0.1 " +
-				"ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
-				"Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
-				"Auth.Basic.RemoveHeader:true " +
-				"Auth.Digest.Users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
-				"Auth.Digest.RemoveHeader:true " +
-				"Auth.HeaderField:X-WebAuth-User " +
-				"Auth.Forward.Address:https://authserver.com/auth " +
-				"Auth.Forward.AuthResponseHeaders:X-Auth,X-Test,X-Secret " +
-				"Auth.Forward.TrustForwardHeader:true " +
-				"Auth.Forward.TLS.CA:path/to/local.crt " +
-				"Auth.Forward.TLS.CAOptional:true " +
-				"Auth.Forward.TLS.Cert:path/to/foo.cert " +
-				"Auth.Forward.TLS.Key:path/to/foo.key " +
-				"Auth.Forward.TLS.InsecureSkipVerify:true " +
-				"WhiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.sourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"whiteList.useXForwardedFor:true ",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Address: ":8000",
-				TLS: &tls.TLS{
-					MinVersion:   "VersionTLS11",
-					CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
-					Certificates: tls.Certificates{
-						{
-							CertFile: tls.FileOrContent("goo"),
-							KeyFile:  tls.FileOrContent("gii"),
-						},
-						{
-							CertFile: tls.FileOrContent("foo"),
-							KeyFile:  tls.FileOrContent("fii"),
-						},
-					},
-					ClientCA: tls.ClientCA{
-						Files:    tls.FilesOrContents{"car"},
-						Optional: true,
-					},
-				},
-				Redirect: &types.Redirect{
-					EntryPoint:  "https",
-					Regex:       "http://localhost/(.*)",
-					Replacement: "http://mydomain/$1",
-					Permanent:   true,
-				},
-				Auth: &types.Auth{
-					Basic: &types.Basic{
-						RemoveHeader: true,
-						Users: types.Users{
-							"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-							"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-						},
-					},
-					Digest: &types.Digest{
-						RemoveHeader: true,
-						Users: types.Users{
-							"test:traefik:a2688e031edb4be6a3797f3882655c05",
-							"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-						},
-					},
-					Forward: &types.Forward{
-						Address:             "https://authserver.com/auth",
-						AuthResponseHeaders: []string{"X-Auth", "X-Test", "X-Secret"},
-						TLS: &types.ClientTLS{
-							CA:                 "path/to/local.crt",
-							CAOptional:         true,
-							Cert:               "path/to/foo.cert",
-							Key:                "path/to/foo.key",
-							InsecureSkipVerify: true,
-						},
-						TrustForwardHeader: true,
-					},
-					HeaderField: "X-WebAuth-User",
-				},
-				WhitelistSourceRange: []string{
-					"10.42.0.0/16",
-					"152.89.1.33/32",
-					"afed:be44::/16",
-				},
-				WhiteList: &types.WhiteList{
-					SourceRange: []string{
-						"10.42.0.0/16",
-						"152.89.1.33/32",
-						"afed:be44::/16",
-					},
-					UseXForwardedFor: true,
-				},
-				Compress: true,
-				ProxyProtocol: &ProxyProtocol{
-					Insecure:   false,
-					TrustedIPs: []string{"192.168.0.1"},
-				},
-				ForwardedHeaders: &ForwardedHeaders{
-					Insecure: false,
-					TrustedIPs: []string{
-						"10.0.0.3/24",
-						"20.0.0.3/24",
-					},
-				},
-			},
-		},
-		{
-			name: "all parameters lowercase",
-			expression: "Name:foo " +
-				"address::8000 " +
-				"tls:goo,gii;foo,fii " +
-				"tls " +
-				"tls.minversion:VersionTLS11 " +
-				"tls.ciphersuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA " +
-				"ca:car " +
-				"ca.Optional:true " +
-				"redirect.entryPoint:https " +
-				"redirect.regex:http://localhost/(.*) " +
-				"redirect.replacement:http://mydomain/$1 " +
-				"redirect.permanent:true " +
-				"compress:true " +
-				"whiteListSourceRange:10.42.0.0/16,152.89.1.33/32,afed:be44::/16 " +
-				"proxyProtocol.TrustedIPs:192.168.0.1 " +
-				"forwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24 " +
-				"auth.basic.users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0 " +
-				"auth.digest.users:test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e " +
-				"auth.headerField:X-WebAuth-User " +
-				"auth.forward.address:https://authserver.com/auth " +
-				"auth.forward.authResponseHeaders:X-Auth,X-Test,X-Secret " +
-				"auth.forward.trustForwardHeader:true " +
-				"auth.forward.tls.ca:path/to/local.crt " +
-				"auth.forward.tls.caOptional:true " +
-				"auth.forward.tls.cert:path/to/foo.cert " +
-				"auth.forward.tls.key:path/to/foo.key " +
-				"auth.forward.tls.insecureSkipVerify:true ",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Address: ":8000",
-				TLS: &tls.TLS{
-					MinVersion:   "VersionTLS11",
-					CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
-					Certificates: tls.Certificates{
-						{
-							CertFile: tls.FileOrContent("goo"),
-							KeyFile:  tls.FileOrContent("gii"),
-						},
-						{
-							CertFile: tls.FileOrContent("foo"),
-							KeyFile:  tls.FileOrContent("fii"),
-						},
-					},
-					ClientCA: tls.ClientCA{
-						Files:    tls.FilesOrContents{"car"},
-						Optional: true,
-					},
-				},
-				Redirect: &types.Redirect{
-					EntryPoint:  "https",
-					Regex:       "http://localhost/(.*)",
-					Replacement: "http://mydomain/$1",
-					Permanent:   true,
-				},
-				Auth: &types.Auth{
-					Basic: &types.Basic{
-						Users: types.Users{
-							"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-							"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-						},
-					},
-					Digest: &types.Digest{
-						Users: types.Users{
-							"test:traefik:a2688e031edb4be6a3797f3882655c05",
-							"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-						},
-					},
-					Forward: &types.Forward{
-						Address:             "https://authserver.com/auth",
-						AuthResponseHeaders: []string{"X-Auth", "X-Test", "X-Secret"},
-						TLS: &types.ClientTLS{
-							CA:                 "path/to/local.crt",
-							CAOptional:         true,
-							Cert:               "path/to/foo.cert",
-							Key:                "path/to/foo.key",
-							InsecureSkipVerify: true,
-						},
-						TrustForwardHeader: true,
-					},
-					HeaderField: "X-WebAuth-User",
-				},
-				WhitelistSourceRange: []string{
-					"10.42.0.0/16",
-					"152.89.1.33/32",
-					"afed:be44::/16",
-				},
-				Compress: true,
-				ProxyProtocol: &ProxyProtocol{
-					Insecure:   false,
-					TrustedIPs: []string{"192.168.0.1"},
-				},
-				ForwardedHeaders: &ForwardedHeaders{
-					Insecure: false,
-					TrustedIPs: []string{
-						"10.0.0.3/24",
-						"20.0.0.3/24",
-					},
-				},
-			},
-		},
-		{
-			name:                   "default",
-			expression:             "Name:foo",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-			},
-		},
-		{
-			name:                   "ForwardedHeaders insecure true",
-			expression:             "Name:foo ForwardedHeaders.Insecure:true",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-			},
-		},
-		{
-			name:                   "ForwardedHeaders insecure false",
-			expression:             "Name:foo ForwardedHeaders.Insecure:false",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: false},
-			},
-		},
-		{
-			name:                   "ForwardedHeaders TrustedIPs",
-			expression:             "Name:foo ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{
-					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
-				},
-			},
-		},
-		{
-			name:                   "ProxyProtocol insecure true",
-			expression:             "Name:foo ProxyProtocol.Insecure:true",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-				ProxyProtocol:    &ProxyProtocol{Insecure: true},
-			},
-		},
-		{
-			name:                   "ProxyProtocol insecure false",
-			expression:             "Name:foo ProxyProtocol.Insecure:false",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-				ProxyProtocol:    &ProxyProtocol{},
-			},
-		},
-		{
-			name:                   "ProxyProtocol TrustedIPs",
-			expression:             "Name:foo ProxyProtocol.TrustedIPs:10.0.0.3/24,20.0.0.3/24",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-				ProxyProtocol: &ProxyProtocol{
-					TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
-				},
-			},
-		},
-		{
-			name:                   "compress on",
-			expression:             "Name:foo Compress:on",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Compress:         true,
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-			},
-		},
-		{
-			name:                   "compress true",
-			expression:             "Name:foo Compress:true",
-			expectedEntryPointName: "foo",
-			expectedEntryPoint: &EntryPoint{
-				Compress:         true,
-				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
-			},
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-
-			eps := EntryPoints{}
-			err := eps.Set(test.expression)
-			require.NoError(t, err)
-
-			ep := eps[test.expectedEntryPointName]
-			assert.EqualValues(t, test.expectedEntryPoint, ep)
-		})
-	}
-}

configuration/provider_aggregator.go

@@ -1,113 +0,0 @@
-package configuration
-
-import (
-	"encoding/json"
-
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/provider"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/types"
-)
-
-// ProviderAggregator aggregate providers
-type ProviderAggregator struct {
-	providers   []provider.Provider
-	constraints types.Constraints
-}
-
-// NewProviderAggregator return an aggregate of all the providers configured in GlobalConfiguration
-func NewProviderAggregator(gc *GlobalConfiguration) ProviderAggregator {
-	provider := ProviderAggregator{
-		constraints: gc.Constraints,
-	}
-	if gc.Docker != nil {
-		provider.quietAddProvider(gc.Docker)
-	}
-	if gc.Marathon != nil {
-		provider.quietAddProvider(gc.Marathon)
-	}
-	if gc.File != nil {
-		provider.quietAddProvider(gc.File)
-	}
-	if gc.Rest != nil {
-		provider.quietAddProvider(gc.Rest)
-	}
-	if gc.Consul != nil {
-		provider.quietAddProvider(gc.Consul)
-	}
-	if gc.ConsulCatalog != nil {
-		provider.quietAddProvider(gc.ConsulCatalog)
-	}
-	if gc.Etcd != nil {
-		provider.quietAddProvider(gc.Etcd)
-	}
-	if gc.Zookeeper != nil {
-		provider.quietAddProvider(gc.Zookeeper)
-	}
-	if gc.Boltdb != nil {
-		provider.quietAddProvider(gc.Boltdb)
-	}
-	if gc.Kubernetes != nil {
-		provider.quietAddProvider(gc.Kubernetes)
-	}
-	if gc.Mesos != nil {
-		provider.quietAddProvider(gc.Mesos)
-	}
-	if gc.Eureka != nil {
-		provider.quietAddProvider(gc.Eureka)
-	}
-	if gc.ECS != nil {
-		provider.quietAddProvider(gc.ECS)
-	}
-	if gc.Rancher != nil {
-		provider.quietAddProvider(gc.Rancher)
-	}
-	if gc.DynamoDB != nil {
-		provider.quietAddProvider(gc.DynamoDB)
-	}
-	if gc.ServiceFabric != nil {
-		provider.quietAddProvider(gc.ServiceFabric)
-	}
-	return provider
-}
-
-func (p *ProviderAggregator) quietAddProvider(provider provider.Provider) {
-	err := p.AddProvider(provider)
-	if err != nil {
-		log.Errorf("Error initializing provider %T: %v", provider, err)
-	}
-}
-
-// AddProvider add a provider in the providers map
-func (p *ProviderAggregator) AddProvider(provider provider.Provider) error {
-	err := provider.Init(p.constraints)
-	if err != nil {
-		return err
-	}
-	p.providers = append(p.providers, provider)
-	return nil
-}
-
-// Init the provider
-func (p ProviderAggregator) Init(_ types.Constraints) error {
-	return nil
-}
-
-// Provide call the provide method of every providers
-func (p ProviderAggregator) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool) error {
-	for _, p := range p.providers {
-		jsonConf, err := json.Marshal(p)
-		if err != nil {
-			log.Debugf("Unable to marshal provider conf %T with error: %v", p, err)
-		}
-		log.Infof("Starting provider %T %s", p, jsonConf)
-		currentProvider := p
-		safe.Go(func() {
-			err := currentProvider.Provide(configurationChan, pool)
-			if err != nil {
-				log.Errorf("Error starting provider %T: %v", p, err)
-			}
-		})
-	}
-	return nil
-}

configuration/router/internal_router.go

@@ -1,132 +0,0 @@
-package router
-
-import (
-	"github.com/containous/mux"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/log"
-	"github.com/traefik/traefik/metrics"
-	"github.com/traefik/traefik/middlewares"
-	mauth "github.com/traefik/traefik/middlewares/auth"
-	"github.com/traefik/traefik/types"
-	"github.com/urfave/negroni"
-)
-
-// NewInternalRouterAggregator Create a new internalRouterAggregator
-func NewInternalRouterAggregator(globalConfiguration configuration.GlobalConfiguration, entryPointName string) *InternalRouterAggregator {
-	var serverMiddlewares []negroni.Handler
-
-	if globalConfiguration.EntryPoints[entryPointName].WhiteList != nil {
-		ipWhitelistMiddleware, err := middlewares.NewIPWhiteLister(
-			globalConfiguration.EntryPoints[entryPointName].WhiteList.SourceRange,
-			globalConfiguration.EntryPoints[entryPointName].WhiteList.UseXForwardedFor)
-		if err != nil {
-			log.Fatalf("Error creating whitelist middleware: %s", err)
-		}
-		if ipWhitelistMiddleware != nil {
-			serverMiddlewares = append(serverMiddlewares, ipWhitelistMiddleware)
-		}
-	}
-
-	if globalConfiguration.EntryPoints[entryPointName].Auth != nil {
-		authMiddleware, err := mauth.NewAuthenticator(globalConfiguration.EntryPoints[entryPointName].Auth, nil)
-		if err != nil {
-			log.Fatalf("Error creating authenticator middleware: %s", err)
-		}
-		serverMiddlewares = append(serverMiddlewares, authMiddleware)
-	}
-
-	router := InternalRouterAggregator{}
-	routerWithPrefix := InternalRouterAggregator{}
-	routerWithPrefixAndMiddleware := InternalRouterAggregator{}
-
-	if globalConfiguration.Metrics != nil && globalConfiguration.Metrics.Prometheus != nil && globalConfiguration.Metrics.Prometheus.EntryPoint == entryPointName {
-		routerWithPrefixAndMiddleware.AddRouter(metrics.PrometheusHandler{})
-	}
-
-	if globalConfiguration.Rest != nil && globalConfiguration.Rest.EntryPoint == entryPointName {
-		routerWithPrefixAndMiddleware.AddRouter(globalConfiguration.Rest)
-	}
-
-	if globalConfiguration.API != nil && globalConfiguration.API.EntryPoint == entryPointName {
-		routerWithPrefixAndMiddleware.AddRouter(globalConfiguration.API)
-	}
-
-	if globalConfiguration.Ping != nil && globalConfiguration.Ping.EntryPoint == entryPointName {
-		routerWithPrefix.AddRouter(globalConfiguration.Ping)
-	}
-
-	if globalConfiguration.ACME != nil && globalConfiguration.ACME.HTTPChallenge != nil && globalConfiguration.ACME.HTTPChallenge.EntryPoint == entryPointName {
-		router.AddRouter(globalConfiguration.ACME)
-	}
-
-	realRouterWithMiddleware := WithMiddleware{router: &routerWithPrefixAndMiddleware, routerMiddlewares: serverMiddlewares}
-	if globalConfiguration.Web != nil && globalConfiguration.Web.Path != "" {
-		router.AddRouter(&WithPrefix{PathPrefix: globalConfiguration.Web.Path, Router: &routerWithPrefix})
-		router.AddRouter(&WithPrefix{PathPrefix: globalConfiguration.Web.Path, Router: &realRouterWithMiddleware})
-	} else {
-		router.AddRouter(&routerWithPrefix)
-		router.AddRouter(&realRouterWithMiddleware)
-	}
-
-	return &router
-}
-
-// WithMiddleware router with internal middleware
-type WithMiddleware struct {
-	router            types.InternalRouter
-	routerMiddlewares []negroni.Handler
-}
-
-// AddRoutes Add routes to the router
-func (wm *WithMiddleware) AddRoutes(systemRouter *mux.Router) {
-	realRouter := systemRouter.PathPrefix("/").Subrouter()
-
-	wm.router.AddRoutes(realRouter)
-
-	if len(wm.routerMiddlewares) > 0 {
-		realRouter.Walk(wrapRoute(wm.routerMiddlewares))
-	}
-}
-
-// WithPrefix router which add a prefix
-type WithPrefix struct {
-	Router     types.InternalRouter
-	PathPrefix string
-}
-
-// AddRoutes Add routes to the router
-func (wp *WithPrefix) AddRoutes(systemRouter *mux.Router) {
-	realRouter := systemRouter.PathPrefix("/").Subrouter()
-	if wp.PathPrefix != "" {
-		realRouter = systemRouter.PathPrefix(wp.PathPrefix).Subrouter()
-		realRouter.StrictSlash(true)
-		realRouter.SkipClean(true)
-	}
-	wp.Router.AddRoutes(realRouter)
-}
-
-// InternalRouterAggregator InternalRouter that aggregate other internalRouter
-type InternalRouterAggregator struct {
-	internalRouters []types.InternalRouter
-}
-
-// AddRouter add a router in the aggregator
-func (r *InternalRouterAggregator) AddRouter(router types.InternalRouter) {
-	r.internalRouters = append(r.internalRouters, router)
-}
-
-// AddRoutes Add routes to the router
-func (r *InternalRouterAggregator) AddRoutes(systemRouter *mux.Router) {
-	for _, router := range r.internalRouters {
-		router.AddRoutes(systemRouter)
-	}
-}
-
-// wrapRoute with middlewares
-func wrapRoute(middlewares []negroni.Handler) func(*mux.Route, *mux.Router, []*mux.Route) error {
-	return func(route *mux.Route, router *mux.Router, ancestors []*mux.Route) error {
-		middles := append(middlewares, negroni.Wrap(route.GetHandler()))
-		route.Handler(negroni.New(middles...))
-		return nil
-	}
-}

configuration/router/internal_router_test.go

@@ -1,346 +0,0 @@
-package router
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/containous/mux"
-	"github.com/stretchr/testify/assert"
-	"github.com/traefik/traefik/acme"
-	"github.com/traefik/traefik/api"
-	"github.com/traefik/traefik/configuration"
-	"github.com/traefik/traefik/ping"
-	acmeprovider "github.com/traefik/traefik/provider/acme"
-	"github.com/traefik/traefik/safe"
-	"github.com/traefik/traefik/types"
-	"github.com/urfave/negroni"
-)
-
-func TestNewInternalRouterAggregatorWithWebPath(t *testing.T) {
-	currentConfiguration := &safe.Safe{}
-	currentConfiguration.Set(types.Configurations{})
-
-	globalConfiguration := configuration.GlobalConfiguration{
-		Web: &configuration.WebCompatibility{
-			Path: "/prefix",
-		},
-		API: &api.Handler{
-			EntryPoint:            "traefik",
-			CurrentConfigurations: currentConfiguration,
-		},
-		Ping: &ping.Handler{
-			EntryPoint: "traefik",
-		},
-		ACME: &acme.ACME{
-			HTTPChallenge: &acmeprovider.HTTPChallenge{
-				EntryPoint: "traefik",
-			},
-		},
-		EntryPoints: configuration.EntryPoints{
-			"traefik": &configuration.EntryPoint{},
-		},
-	}
-
-	testCases := []struct {
-		desc               string
-		testedURL          string
-		expectedStatusCode int
-	}{
-		{
-			desc:               "Ping without prefix",
-			testedURL:          "/ping",
-			expectedStatusCode: 502,
-		},
-		{
-			desc:               "Ping with prefix",
-			testedURL:          "/prefix/ping",
-			expectedStatusCode: 200,
-		},
-		{
-			desc:               "acme without prefix",
-			testedURL:          "/.well-known/acme-challenge/token",
-			expectedStatusCode: 404,
-		},
-		{
-			desc:               "api without prefix",
-			testedURL:          "/api",
-			expectedStatusCode: 502,
-		},
-		{
-			desc:               "api with prefix",
-			testedURL:          "/prefix/api",
-			expectedStatusCode: 200,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
-
-			internalMuxRouter := mux.NewRouter()
-			router.AddRoutes(internalMuxRouter)
-			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusBadGateway)
-			})
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
-			internalMuxRouter.ServeHTTP(recorder, request)
-
-			assert.Equal(t, test.expectedStatusCode, recorder.Code)
-		})
-	}
-}
-
-func TestNewInternalRouterAggregatorWithAuth(t *testing.T) {
-	currentConfiguration := &safe.Safe{}
-	currentConfiguration.Set(types.Configurations{})
-
-	globalConfiguration := configuration.GlobalConfiguration{
-		API: &api.Handler{
-			EntryPoint:            "traefik",
-			CurrentConfigurations: currentConfiguration,
-		},
-		Ping: &ping.Handler{
-			EntryPoint: "traefik",
-		},
-		ACME: &acme.ACME{
-			HTTPChallenge: &acmeprovider.HTTPChallenge{
-				EntryPoint: "traefik",
-			},
-		},
-		EntryPoints: configuration.EntryPoints{
-			"traefik": &configuration.EntryPoint{
-				Auth: &types.Auth{
-					Basic: &types.Basic{
-						Users: types.Users{"test:test"},
-					},
-				},
-			},
-		},
-	}
-
-	testCases := []struct {
-		desc               string
-		testedURL          string
-		expectedStatusCode int
-	}{
-		{
-			desc:               "Wrong url",
-			testedURL:          "/wrong",
-			expectedStatusCode: 502,
-		},
-		{
-			desc:               "Ping without auth",
-			testedURL:          "/ping",
-			expectedStatusCode: 200,
-		},
-		{
-			desc:               "acme without auth",
-			testedURL:          "/.well-known/acme-challenge/token",
-			expectedStatusCode: 404,
-		},
-		{
-			desc:               "api with auth",
-			testedURL:          "/api",
-			expectedStatusCode: 401,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
-
-			internalMuxRouter := mux.NewRouter()
-			router.AddRoutes(internalMuxRouter)
-			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusBadGateway)
-			})
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
-			internalMuxRouter.ServeHTTP(recorder, request)
-
-			assert.Equal(t, test.expectedStatusCode, recorder.Code)
-		})
-	}
-}
-
-func TestNewInternalRouterAggregatorWithAuthAndPrefix(t *testing.T) {
-	currentConfiguration := &safe.Safe{}
-	currentConfiguration.Set(types.Configurations{})
-
-	globalConfiguration := configuration.GlobalConfiguration{
-		Web: &configuration.WebCompatibility{
-			Path: "/prefix",
-		},
-		API: &api.Handler{
-			EntryPoint:            "traefik",
-			CurrentConfigurations: currentConfiguration,
-		},
-		Ping: &ping.Handler{
-			EntryPoint: "traefik",
-		},
-		ACME: &acme.ACME{
-			HTTPChallenge: &acmeprovider.HTTPChallenge{
-				EntryPoint: "traefik",
-			},
-		},
-		EntryPoints: configuration.EntryPoints{
-			"traefik": &configuration.EntryPoint{
-				Auth: &types.Auth{
-					Basic: &types.Basic{
-						Users: types.Users{"test:test"},
-					},
-				},
-			},
-		},
-	}
-
-	testCases := []struct {
-		desc               string
-		testedURL          string
-		expectedStatusCode int
-	}{
-		{
-			desc:               "Ping without prefix",
-			testedURL:          "/ping",
-			expectedStatusCode: 502,
-		},
-		{
-			desc:               "Ping without auth and with prefix",
-			testedURL:          "/prefix/ping",
-			expectedStatusCode: 200,
-		},
-		{
-			desc:               "acme without auth and without prefix",
-			testedURL:          "/.well-known/acme-challenge/token",
-			expectedStatusCode: 404,
-		},
-		{
-			desc:               "api with auth and prefix",
-			testedURL:          "/prefix/api",
-			expectedStatusCode: 401,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			router := NewInternalRouterAggregator(globalConfiguration, "traefik")
-
-			internalMuxRouter := mux.NewRouter()
-			router.AddRoutes(internalMuxRouter)
-			internalMuxRouter.NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusBadGateway)
-			})
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
-			internalMuxRouter.ServeHTTP(recorder, request)
-
-			assert.Equal(t, test.expectedStatusCode, recorder.Code)
-		})
-	}
-}
-
-type MockInternalRouterFunc func(systemRouter *mux.Router)
-
-func (m MockInternalRouterFunc) AddRoutes(systemRouter *mux.Router) {
-	m(systemRouter)
-}
-
-func TestWithMiddleware(t *testing.T) {
-	router := WithMiddleware{
-		router: MockInternalRouterFunc(func(systemRouter *mux.Router) {
-			systemRouter.Handle("/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				w.Write([]byte("router"))
-			}))
-		}),
-		routerMiddlewares: []negroni.Handler{
-			negroni.HandlerFunc(func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-				rw.Write([]byte("before middleware1|"))
-				next.ServeHTTP(rw, r)
-				rw.Write([]byte("|after middleware1"))
-
-			}),
-			negroni.HandlerFunc(func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-				rw.Write([]byte("before middleware2|"))
-				next.ServeHTTP(rw, r)
-				rw.Write([]byte("|after middleware2"))
-			}),
-		},
-	}
-
-	internalMuxRouter := mux.NewRouter()
-	router.AddRoutes(internalMuxRouter)
-
-	recorder := httptest.NewRecorder()
-	request := httptest.NewRequest(http.MethodGet, "/test", nil)
-	internalMuxRouter.ServeHTTP(recorder, request)
-
-	obtained := recorder.Body.String()
-
-	assert.Equal(t, "before middleware1|before middleware2|router|after middleware2|after middleware1", obtained)
-}
-
-func TestWithPrefix(t *testing.T) {
-	testCases := []struct {
-		desc               string
-		prefix             string
-		testedURL          string
-		expectedStatusCode int
-	}{
-		{
-			desc:               "No prefix",
-			testedURL:          "/test",
-			expectedStatusCode: 200,
-		},
-		{
-			desc:               "With prefix and wrong url",
-			prefix:             "/prefix",
-			testedURL:          "/test",
-			expectedStatusCode: 404,
-		},
-		{
-			desc:               "With prefix",
-			prefix:             "/prefix",
-			testedURL:          "/prefix/test",
-			expectedStatusCode: 200,
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			router := WithPrefix{
-				Router: MockInternalRouterFunc(func(systemRouter *mux.Router) {
-					systemRouter.Handle("/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-						w.WriteHeader(http.StatusOK)
-					}))
-				}),
-
-				PathPrefix: test.prefix,
-			}
-			internalMuxRouter := mux.NewRouter()
-			router.AddRoutes(internalMuxRouter)
-
-			recorder := httptest.NewRecorder()
-			request := httptest.NewRequest(http.MethodGet, test.testedURL, nil)
-			internalMuxRouter.ServeHTTP(recorder, request)
-
-			assert.Equal(t, test.expectedStatusCode, recorder.Code)
-		})
-	}
-}

contrib/scripts/dumpcerts.sh

@@ -104,7 +104,7 @@ fi
 
 jq=$(command -v jq) || exit_jq
 
-priv=$(${jq} -e -r '.Account.PrivateKey' "${acmefile}") || bad_acme
+priv=$(${jq} -e -r '.PrivateKey' "${acmefile}") || bad_acme
 
 if [ ! -n "${priv}" ]; then
 	echo "
@@ -155,17 +155,16 @@ echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----
    | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
 
 # Process the certificates for each of the domains in acme.json
-domains=$(jq -r '.Certificates[].Domain.Main' ${acmefile}) || bad_acme
-for domain in $domains; do
+for domain in $(jq -r '.DomainsCertificate.Certs[].Certificate.Domain' ${acmefile}); do
 	# Traefik stores a cert bundle for each domain.  Within this cert
 	# bundle there is both proper the certificate and the Let's Encrypt CA
 	echo "Extracting cert bundle for ${domain}"
-	cert=$(jq -e -r --arg domain "$domain" '.Certificates[] |
-         	select (.Domain.Main == $domain )| .Certificate' ${acmefile}) || bad_acme
+	cert=$(jq -e -r --arg domain "$domain" '.DomainsCertificate.Certs[].Certificate |
+         	select (.Domain == $domain )| .Certificate' ${acmefile}) || bad_acme
 	echo "${cert}" | ${CMD_DECODE_BASE64} > "${cdir}/${domain}.crt"
 
 	echo "Extracting private key for ${domain}"
-	key=$(jq -e -r --arg domain "$domain" '.Certificates[] |
-		select (.Domain.Main == $domain )| .Key' ${acmefile}) || bad_acme
+	key=$(jq -e -r --arg domain "$domain" '.DomainsCertificate.Certs[].Certificate |
+		select (.Domain == $domain )| .PrivateKey' ${acmefile}) || bad_acme
 	echo "${key}" | ${CMD_DECODE_BASE64} > "${pdir}/${domain}.key"
 done

contrib/systemd/traefik.service

@@ -1,41 +1,11 @@
 [Unit]
 Description=Traefik
-Documentation=https://doc.traefik.io/traefik/v1.7
-#After=network-online.target
-#AssertFileIsExecutable=/usr/bin/traefik
-#AssertPathExists=/etc/traefik/traefik.toml
 
 [Service]
-# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
-#User=traefik
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
-
-# configure service behavior
 Type=notify
-#ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
+ExecStart=/usr/bin/traefik --configFile=/etc/traefik.toml
 Restart=always
 WatchdogSec=1s
 
-# lock down system access
-# prohibit any operating system and configuration modification
-#ProtectSystem=strict
-# create separate, new (and empty) /tmp and /var/tmp filesystems
-#PrivateTmp=true
-# make /home directories inaccessible
-#ProtectHome=true
-# turns off access to physical devices (/dev/...)
-#PrivateDevices=true
-# make kernel settings (procfs and sysfs) read-only
-#ProtectKernelTunables=true
-# make cgroups /sys/fs/cgroup read-only
-#ProtectControlGroups=true
-
-# allow writing of acme.json
-#ReadWritePaths=/etc/traefik/acme.json
-# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
-
-# limit number of processes in this unit
-#LimitNPROC=1
-
 [Install]
 WantedBy=multi-user.target

docs.Dockerfile

@@ -1,10 +1,11 @@
-FROM alpine:3.7
+FROM alpine:3.14
 
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
 
 COPY requirements.txt /mkdocs/
 WORKDIR /mkdocs
-VOLUME /mkdocs
 
-RUN apk --no-cache --no-progress add py-pip \
-  && pip install --user -r requirements.txt
+RUN apk --update upgrade \
+&& apk --no-cache --no-progress add py-pip \
+&& rm -rf /var/cache/apk/* \
+&& pip install --user -r requirements.txt

docs/CNAME

@@ -0,0 +1 @@
+docs.traefik.io

docs/basics.md

@@ -14,12 +14,12 @@ Let's take our example from the [overview](/#overview) again:
 
 > ![Architecture](img/architecture.png)
 
-Let's zoom on Traefik and have an overview of its internal architecture:
+Let's zoom on Træfik and have an overview of its internal architecture:
 
 
 ![Architecture](img/internal.png)
 
-- Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Traefik (listening port, SSL, traffic redirection...).
+- Incoming requests end on [entrypoints](#entrypoints), as the name suggests, they are the network entry points into Træfik (listening port, SSL, traffic redirection...).
 - Traffic is then forwarded to a matching [frontend](#frontends). A frontend defines routes from [entrypoints](#entrypoints) to [backends](#backends).
 Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can match or not a request.
 - The [frontend](#frontends) will then send the request to a [backend](#backends). A backend can be composed by one or more [servers](#servers), and by a load-balancing strategy.
@@ -27,7 +27,7 @@ Routes are created using requests fields (`Host`, `Path`, `Headers`...) and can
 
 ### Entrypoints
 
-Entrypoints are the network entry points into Traefik.
+Entrypoints are the network entry points into Træfik.
 They can be defined using:
 
 - a port (80, 443...)
@@ -62,17 +62,18 @@ And here is another example with client certificate authentication:
   [entryPoints.https]
   address = ":443"
   [entryPoints.https.tls]
-    [entryPoints.https.tls.ClientCA]
-    files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-    optional = false
-    [[entryPoints.https.tls.certificates]]
-    certFile = "tests/traefik.crt"
-    keyFile = "tests/traefik.key"
+    [entryPoints.https.tls]
+      [entryPoints.https.tls.ClientCA]
+      files = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      optional = false
+      [[entryPoints.https.tls.certificates]]
+      certFile = "tests/traefik.crt"
+      keyFile = "tests/traefik.key"
 ```
 
 - We enable SSL on `https` by giving a certificate and a key.
 - One or several files containing Certificate Authorities in PEM format are added.
-- It is possible to have multiple CA's in the same file or keep them in separate files.
+- It is possible to have multiple CA:s in the same file or keep them in separate files.
 
 ### Frontends
 
@@ -94,13 +95,10 @@ Following is the list of existing modifier rules:
 
 Matcher rules determine if a particular request should be forwarded to a backend.
 
-The associativity rule is the following:
+Separate multiple rule values by `,` (comma) in order to enable ANY semantics (i.e., forward a request if any rule matches).
+Does not work for `Headers` and `HeadersRegexp`.
 
-- `,` is the `OR` operator (works **only inside a matcher**, ex: `Host:foo.com,bar.com`).
-    - i.e., forward a request if any rule matches.
-    - Does not work for `Headers` and `HeadersRegexp`.
-- `;` is the `AND` operator (works **only between matchers**, ex: `Host:foo.com;Path:/bar`) 
-    - i.e., forward a request if all rules match
+Separate multiple rule values by `;` (semicolon) in order to enable ALL semantics (i.e., forward a request if all rules match).
 
 Following is the list of existing matcher rules along with examples:
 
@@ -125,7 +123,7 @@ In order to use regular expressions with Host and Path matchers, you must declar
     The variable has no special meaning; however, it is required by the [gorilla/mux](https://github.com/gorilla/mux) dependency which embeds the regular expression and defines the syntax.
 
 You can optionally enable `passHostHeader` to forward client `Host` header to the backend.
-You can also optionally configure the `passTLSClientCert` option to pass the Client certificates to the backend in a specific header.
+You can also optionally enable `passTLSCert` to forward TLS Client certificates to the backend.
 
 ##### Path Matcher Usage Guidelines
 
@@ -160,8 +158,7 @@ Here is an example of frontends definition:
   [frontends.frontend2]
   backend = "backend1"
   passHostHeader = true
-  [frontends.frontend2.passTLSClientCert]
-    pem = true
+  passTLSCert = true
   priority = 10
   entrypoints = ["https"] # overrides defaultEntryPoints
     [frontends.frontend2.routes.test_1]
@@ -174,7 +171,7 @@ Here is an example of frontends definition:
 
 - Three frontends are defined: `frontend1`, `frontend2` and `frontend3`
 - `frontend1` will forward the traffic to the `backend2` if the rule `Host:test.localhost,test2.localhost` is matched
-- `frontend2` will forward the traffic to the `backend1` if the rule `HostRegexp:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
+- `frontend2` will forward the traffic to the `backend1` if the rule `Host:localhost,{subdomain:[a-z]+}.localhost` is matched (forwarding client `Host` header to the backend)
 - `frontend3` will forward the traffic to the `backend2` if the rules `Host:test3.localhost` **AND** `Path:/test` are matched
 
 #### Combining multiple rules
@@ -237,8 +234,7 @@ The following rules are both `Matchers` and `Modifiers`, so the `Matcher` portio
 #### Priorities
 
 By default, routes will be sorted (in descending order) using rules length (to avoid path overlap):
-- `PathPrefix:/foo;Host:foo.com` (length == 28) will be matched before `PathPrefixStrip:/foobar` (length == 23) will be matched before `PathPrefix:/foo,/bar` (length == 20).  
-- A priority value of 0 will be ignored, so the default value will be calculated (rules length).
+`PathPrefix:/foo;Host:foo.com` (length == 28) will be matched before `PathPrefixStrip:/foobar` (length == 23) will be matched before `PathPrefix:/foo,/bar` (length == 20).
 
 You can customize priority by frontend. The priority value override the rule length during sorting:
 
@@ -267,7 +263,7 @@ This allows for setting headers such as `X-Script-Name` to be added to the reque
 !!! warning
     If the custom header name is the same as one header name of the request or response, it will be replaced.
 
-In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request and the `X-Custom-Response-Header` header added to the response.
+In this example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, and the `X-Custom-Response-Header` added to the response.
 
 ```toml
 [frontends]
@@ -281,7 +277,7 @@ In this example, all matches to the path `/cheese` will have the `X-Script-Name`
     rule = "PathPrefixStrip:/cheese"
 ```
 
-In this second  example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
+In this second  example, all matches to the path `/cheese` will have the `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` removed to the request and the `X-Custom-Response-Header` removed to the response.
 
 ```toml
 [frontends]
@@ -328,55 +324,12 @@ In this example, traffic routed through the first frontend will have the `X-Fram
 
 A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers.
 
-#### Servers
-
-Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
-
-!!! note
-    Paths in `url` are ignored. Use `Modifier` to specify paths instead.
-
-Here is an example of backends and servers definition:
-
-```toml
-[backends]
-  [backends.backend1]
-    # ...
-    [backends.backend1.servers.server1]
-    url = "http://172.17.0.2:80"
-    weight = 10
-    [backends.backend1.servers.server2]
-    url = "http://172.17.0.3:80"
-    weight = 1
-  [backends.backend2]
-    # ...
-    [backends.backend2.servers.server1]
-    url = "https://172.17.0.4:443"
-    weight = 1
-    [backends.backend2.servers.server2]
-    url = "https://172.17.0.5:443"
-    weight = 2
-  [backends.backend3]
-    # ...
-    [backends.backend3.servers.server1]
-    url = "h2c://172.17.0.6:80"
-    weight = 1
-```
-
-- Two backends are defined: `backend1` and `backend2`
-- `backend1` will forward the traffic to two servers: `172.17.0.2:80` with weight `10` and `172.17.0.3:80` with weight `1`.
-- `backend2` will forward the traffic to two servers: `172.17.0.4:443` with weight `1` and `172.17.0.5:443` with weight `2` both using TLS.
-- `backend3` will forward the traffic to: `172.17.0.6:80` with weight `1` using HTTP2 without TLS.
-
-#### Load-balancing
-
 Various methods of load-balancing are supported:
 
 - `wrr`: Weighted Round Robin.
 - `drr`: Dynamic Round Robin: increases weights on servers that perform better than others.
     It also rolls back to original weights if the servers have changed.
 
-#### Circuit breakers
-
 A circuit breaker can also be applied to a backend, preventing high loads on failing servers.
 Initial state is Standby. CB observes the statistics and does not modify the request.
 In case the condition matches, CB enters Tripped state, where it responds with predefined code or redirects to another frontend.
@@ -394,26 +347,6 @@ For example:
 - `LatencyAtQuantileMS(50.0) > 50`:  watch latency at quantile in milliseconds.
 - `ResponseCodeRatio(500, 600, 0, 600) > 0.5`: ratio of response codes in ranges [500-600) and [0-600).
 
-Here is an example of backends and servers definition:
-
-```toml
-[backends]
-  [backends.backend1]
-    [backends.backend1.circuitbreaker]
-    expression = "NetworkErrorRatio() > 0.5"
-    [backends.backend1.servers.server1]
-    url = "http://172.17.0.2:80"
-    weight = 10
-    [backends.backend1.servers.server2]
-    url = "http://172.17.0.3:80"
-    weight = 1
-```
-
-- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
-- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
-
-#### Maximum connections
-
 To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can also be applied to each backend.
 
 Maximum connections can be configured by specifying an integer value for `maxconn.amount` and `maxconn.extractorfunc` which is a strategy used to determine how to categorize requests in order to evaluate the maximum connections.
@@ -425,14 +358,13 @@ For example:
     [backends.backend1.maxconn]
        amount = 10
        extractorfunc = "request.host"
-   # ...
 ```
 
 - `backend1` will return `HTTP code 429 Too Many Requests` if there are already 10 requests in progress for the same Host header.
 - Another possible value for `extractorfunc` is `client.ip` which will categorize requests based on client source ip.
 - Lastly `extractorfunc` can take the value of `request.header.ANY_HEADER` which will categorize requests based on `ANY_HEADER` that you provide.
 
-#### Sticky sessions
+### Sticky sessions
 
 Sticky sessions are supported with both load balancers.  
 When sticky sessions are enabled, a cookie is set on the initial request.
@@ -440,6 +372,7 @@ The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy.
 If not, a new backend will be assigned.
 
+
 ```toml
 [backends]
   [backends.backend1]
@@ -452,27 +385,6 @@ If not, a new backend will be assigned.
     # Default: a sha1 (6 chars)
     #
     #  cookieName = "my_cookie"
-
-    # Customize secure option
-    #
-    # Optional
-    # Default: false
-    #
-    #  secure = true
-
-    # Customize http only option
-    #
-    # Optional
-    # Default: false
-    #
-    #  httpOnly = true
-
-    # Customize same site option.
-    # Can be: "none", "lax", "strict"
-    #
-    # Optional
-    #
-    #  sameSite = "none"
 ```
 
 The deprecated way:
@@ -484,14 +396,15 @@ The deprecated way:
       sticky = true
 ```
 
-#### Health Check
+### Health Check
 
-A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `2xx` or `3xx` to HTTP GET requests periodically carried out by Traefik.  
-The check is defined by a path appended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
+A health check can be configured in order to remove a backend from LB rotation as long as it keeps returning HTTP status codes other than `200 OK` to HTTP GET requests periodically carried out by Traefik.  
+The check is defined by a pathappended to the backend URL and an interval (given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)) specifying how often the health check should be executed (the default being 30 seconds).
 Each backend must respond to the health check within 5 seconds.  
 By default, the port of the backend server is used, however, this may be overridden.
 
-A recovering backend returning `2xx` or `3xx` responses again is being returned to the LB rotation pool.
+A recovering backend returning 200 OK responses again is being returned to the
+LB rotation pool.
 
 For example:
 ```toml
@@ -502,7 +415,7 @@ For example:
     interval = "10s"
 ```
 
-To use a different port for the health check:
+To use a different port for the healthcheck:
 ```toml
 [backends]
   [backends.backend1]
@@ -512,43 +425,55 @@ To use a different port for the health check:
     port = 8080
 ```
 
+### Servers
+
+Servers are simply defined using a `url`. You can also apply a custom `weight` to each server (this will be used by load-balancing).
+
+!!! note
+    Paths in `url` are ignored. Use `Modifier` to specify paths instead.
+
+Here is an example of backends and servers definition:
 
-To use a different scheme for the health check:
 ```toml
 [backends]
   [backends.backend1]
-    [backends.backend1.healthcheck]
-    path = "/health"
-    interval = "10s"
-    scheme = "http"
+    [backends.backend1.circuitbreaker]
+    expression = "NetworkErrorRatio() > 0.5"
+    [backends.backend1.servers.server1]
+    url = "http://172.17.0.2:80"
+    weight = 10
+    [backends.backend1.servers.server2]
+    url = "http://172.17.0.3:80"
+    weight = 1
+  [backends.backend2]
+    [backends.backend2.LoadBalancer]
+    method = "drr"
+    [backends.backend2.servers.server1]
+    url = "http://172.17.0.4:80"
+    weight = 1
+    [backends.backend2.servers.server2]
+    url = "http://172.17.0.5:80"
+    weight = 2
 ```
 
-Additional http headers and hostname to health check request can be specified, for instance:
-```toml
-[backends]
-  [backends.backend1]
-    [backends.backend1.healthcheck]
-    path = "/health"
-    interval = "10s"
-    hostname = "myhost.com"
-    port = 8080
-      [backends.backend1.healthcheck.headers]
-      My-Custom-Header = "foo"
-      My-Header = "bar"
-```
+- Two backends are defined: `backend1` and `backend2`
+- `backend1` will forward the traffic to two servers: `http://172.17.0.2:80"` with weight `10` and `http://172.17.0.3:80` with weight `1` using default `wrr` load-balancing strategy.
+- `backend2` will forward the traffic to two servers: `http://172.17.0.4:80"` with weight `1` and `http://172.17.0.5:80` with weight `2` using `drr` load-balancing strategy.
+- a circuit breaker is added on `backend1` using the expression `NetworkErrorRatio() > 0.5`: watch error ratio over 10 second sliding window
+
 
 ## Configuration
 
-Traefik's configuration has two parts:
+Træfik's configuration has two parts:
 
-- The [static Traefik configuration](/basics#static-traefik-configuration) which is loaded only at the beginning.
-- The [dynamic Traefik configuration](/basics#dynamic-traefik-configuration) which can be hot-reloaded (no need to restart the process).
+- The [static Træfik configuration](/basics#static-trfik-configuration) which is loaded only at the beginning.
+- The [dynamic Træfik configuration](/basics#dynamic-trfik-configuration) which can be hot-reloaded (no need to restart the process).
 
-### Static Traefik configuration
+### Static Træfik configuration
 
 The static configuration is the global configuration which is setting up connections to configuration backends and entrypoints.
 
-Traefik can be configured using many configuration sources with the following precedence order.
+Træfik can be configured using many configuration sources with the following precedence order.
 Each item takes precedence over the item below it:
 
 - [Key-value store](/basics/#key-value-stores)
@@ -558,13 +483,13 @@ Each item takes precedence over the item below it:
 
 It means that arguments override configuration file, and key-value store overrides arguments.
 
-!!! note
+!!! note 
     the provider-enabling argument parameters (e.g., `--docker`) set all default values for the specific provider.  
     It must not be used if a configuration source with less precedence wants to set a non-default provider value.
 
 #### Configuration file
 
-By default, Traefik will try to find a `traefik.toml` in the following places:
+By default, Træfik will try to find a `traefik.toml` in the following places:
 
 - `/etc/traefik/`
 - `$HOME/.traefik/`
@@ -590,7 +515,7 @@ Note that all default values will be displayed as well.
 
 #### Key-value stores
 
-Traefik supports several Key-value stores:
+Træfik supports several Key-value stores:
 
 - [Consul](https://consul.io)
 - [etcd](https://coreos.com/etcd/)
@@ -599,7 +524,7 @@ Traefik supports several Key-value stores:
 
 Please refer to the [User Guide Key-value store configuration](/user-guide/kv-config/) section to get documentation on it.
 
-### Dynamic Traefik configuration
+### Dynamic Træfik configuration
 
 The dynamic configuration concerns :
 
@@ -608,9 +533,9 @@ The dynamic configuration concerns :
 - [Servers](/basics/#servers)
 - HTTPS Certificates
 
-Traefik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons).
+Træfik can hot-reload those rules which could be provided by [multiple configuration backends](/configuration/commons).
 
-We only need to enable `watch` option to make Traefik watch configuration backend changes and generate its configuration automatically.
+We only need to enable `watch` option to make Træfik watch configuration backend changes and generate its configuration automatically.
 Routes to services will be created and updated instantly at any changes.
 
 Please refer to the [configuration backends](/configuration/commons) section to get documentation on it.
@@ -624,10 +549,10 @@ Usage:
 traefik [command] [--flag=flag_argument]
 ```
 
-List of Traefik available commands with description :
+List of Træfik available commands with description :
 
 - `version` : Print version
-- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Traefik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it.
+- `storeconfig` : Store the static Traefik configuration into a Key-value stores. Please refer to the [Store Træfik configuration](/user-guide/kv-config/#store-configuration-in-key-value-store) section to get documentation on it.
 - `bug`: The easiest way to submit a pre-filled issue.
 - `healthcheck`: Calls Traefik `/ping` to check health.
 
@@ -652,7 +577,7 @@ docker run traefik[:version] --help
 
 ### Command: bug
 
-Here is the easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/traefik/traefik).
+Here is the easiest way to submit a pre-filled issue on [Træfik GitHub](https://github.com/containous/traefik).
 
 ```bash
 traefik bug
@@ -681,18 +606,18 @@ OK: http://:8082/ping
 
 **This feature is disabled by default.**
 
-You can read the public proposal on this topic [here](https://github.com/traefik/traefik/issues/2369).
+You can read the public proposal on this topic [here](https://github.com/containous/traefik/issues/2369).
 
 ### Why ?
 
-In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
+In order to help us learn more about how Træfik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's more important (for example, which configuration backend is used and which is not used).
 
 ### What ?
 
-Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
+Once a day (the first call begins 10 minutes after the start of Træfik), we collect:
 
-- the Traefik version
+- the Træfik version
 - a hash of the configuration
 - an **anonymous version** of the static configuration:
     - token, user name, password, URL, IP, domain, email, etc, are removed
@@ -721,18 +646,18 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
   swarmMode = true
 
   [Docker.TLS]
-    ca = "dockerCA"
-    cert = "dockerCert"
-    key = "dockerKey"
-    insecureSkipVerify = true
+    CA = "dockerCA"
+    Cert = "dockerCert"
+    Key = "dockerKey"
+    InsecureSkipVerify = true
 
 [ECS]
-  domain = "foo.bar"
-  exposedByDefault = true
-  clusters = ["foo-bar"]
-  region = "us-west-2"
-  accessKeyID = "AccessKeyID"
-  secretAccessKey = "SecretAccessKey"
+  Domain = "foo.bar"
+  ExposedByDefault = true
+  Clusters = ["foo-bar"]
+  Region = "us-west-2"
+  AccessKeyID = "AccessKeyID"
+  SecretAccessKey = "SecretAccessKey"
 ```
 
 - Obfuscated and anonymous configuration:
@@ -745,32 +670,34 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 [api]
 
 [Docker]
-  endpoint = "xxxx"
-  domain = "xxxx"
-  exposedByDefault = true
-  swarmMode = true
+  Endpoint = "xxxx"
+  Domain = "xxxx"
+  ExposedByDefault = true
+  SwarmMode = true
 
   [Docker.TLS]
-    ca = "xxxx"
-    cert = "xxxx"
-    key = "xxxx"
-    insecureSkipVerify = false
+    CA = "xxxx"
+    Cert = "xxxx"
+    Key = "xxxx"
+    InsecureSkipVerify = false
 
 [ECS]
-  domain = "xxxx"
-  exposedByDefault = true
-  clusters = []
-  region = "us-west-2"
-  accessKeyID = "xxxx"
-  secretAccessKey = "xxxx"
+  Domain = "xxxx"
+  ExposedByDefault = true
+  Clusters = []
+  Region = "us-west-2"
+  AccessKeyID = "xxxx"
+  SecretAccessKey = "xxxx"
 ```
 
 ### Show me the code !
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/v1.7/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
 
 By default we anonymize all configuration fields, except fields tagged with `export=true`.
 
+You can check all fields in the [godoc](https://godoc.org/github.com/containous/traefik/configuration#GlobalConfiguration).
+
 ### How to enable this ?
 
 You can enable the collecting system by:

docs/benchmarks.md

@@ -15,7 +15,7 @@ I used 4 VMs for the tests with the following configuration:
 
 1. One VM used to launch the benchmarking tool [wrk](https://github.com/wg/wrk)
 2. One VM for Traefik (v1.0.0-beta.416) / nginx (v1.4.6)
-3. Two VMs for 2 backend servers in go [whoami](https://github.com/traefik/whoami/)
+3. Two VMs for 2 backend servers in go [whoami](https://github.com/emilevauge/whoamI/)
 
 Each VM has been tuned using the following limits:
 
@@ -118,7 +118,7 @@ server {
 Here is the `traefik.toml` file used:
 
 ```toml
-maxIdleConnsPerHost = 100000
+MaxIdleConnsPerHost = 100000
 defaultEntryPoints = ["http"]
 
 [entryPoints]

docs/configuration/acme.md

@@ -1,6 +1,6 @@
-# ACME (Let's Encrypt) Configuration
+# ACME (Let's Encrypt) configuration
 
-See [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) and [Docker & Let's Encrypt user guide](/user-guide/docker-and-lets-encrypt) as well.
+See also [Let's Encrypt examples](/user-guide/examples/#lets-encrypt-support) and [Docker & Let's Encrypt user guide](/user-guide/docker-and-lets-encrypt).
 
 ## Configuration
 
@@ -38,20 +38,23 @@ storage = "acme.json"
 # or `storage = "traefik/acme/account"` if using KV store.
 
 # Entrypoint to proxy acme apply certificates to.
+# WARNING, if the TLS-SNI-01 challenge is used, it must point to an entrypoint on port 443
 #
 # Required
 #
 entryPoint = "https"
 
-# Deprecated, replaced by [acme.dnsChallenge].
+# Use a DNS-01 acme challenge rather than TLS-SNI-01 challenge
 #
-# Optional.
+# Optional (Deprecated, replaced by [acme.dnsChallenge])
 #
 # dnsProvider = "digitalocean"
 
-# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
+# By default, the dnsProvider will verify the TXT DNS challenge record before letting ACME verify.
+# If delayDontCheckDNS is greater than zero, avoid this & instead just wait so many seconds.
+# Useful if internal networks block external DNS queries.
 #
-# Optional
+# Optional (Deprecated, replaced by [acme.dnsChallenge])
 # Default: 0
 #
 # delayDontCheckDNS = 0
@@ -63,21 +66,14 @@ entryPoint = "https"
 #
 # acmeLogging = true
 
-# If true, override certificates in key-value store when using storeconfig.
+# Enable on demand certificate generation.
 #
-# Optional
-# Default: false
-#
-# overrideCertificates = true
-
-# Deprecated. Enable on demand certificate generation.
-#
-# Optional
+# Optional (Deprecated)
 # Default: false
 #
 # onDemand = true
 
-# Enable certificate generation on frontends host rules.
+# Enable certificate generation on frontends Host rules.
 #
 # Optional
 # Default: false
@@ -85,129 +81,154 @@ entryPoint = "https"
 # onHostRule = true
 
 # CA server to use.
-# Uncomment the line to use Let's Encrypt's staging server,
-# leave commented to go to prod.
+# - Uncomment the line to run on the staging let's encrypt server.
+# - Leave comment to go to prod.
 #
 # Optional
-# Default: "https://acme-v02.api.letsencrypt.org/directory"
+# Default: "https://acme-v01.api.letsencrypt.org/directory"
 #
-# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-# KeyType to use.
-#
-# Optional
-# Default: "RSA4096"
-#
-# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
-#
-# KeyType = "RSA4096"
-
-# Use a TLS-ALPN-01 ACME challenge.
-#
-# Optional (but recommended)
-#
-[acme.tlsChallenge]
-
-# Use a HTTP-01 ACME challenge.
-#
-# Optional
-#
-# [acme.httpChallenge]
-
-  # EntryPoint to use for the HTTP-01 challenges.
-  #
-  # Required
-  #
-  # entryPoint = "http"
-
-# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
-# Note: mandatory for wildcard certificate generation.
-#
-# Optional
-#
-# [acme.dnsChallenge]
-
-  # DNS provider used.
-  #
-  # Required
-  #
-  # provider = "digitalocean"
-
-  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
-  # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
-  # Useful if internal networks block external DNS queries.
-  #
-  # Optional
-  # Default: 0
-  #
-  # delayBeforeCheck = 0
-
-  # Use following DNS servers to resolve the FQDN authority.
-  #
-  # Optional
-  # Default: empty
-  #
-  # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-
-  # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
-  #
-  # NOT RECOMMENDED:
-  # Increase the risk of reaching Let's Encrypt's rate limits.
-  #
-  # Optional
-  # Default: false
-  #
-  # disablePropagationCheck = true
+# caServer = "https://acme-staging.api.letsencrypt.org/directory"
 
 # Domains list.
-# Only domains defined here can generate wildcard certificates.
-# The certificates for these domains are negotiated at traefik startup only.
 #
 # [[acme.domains]]
 #   main = "local1.com"
 #   sans = ["test1.local1.com", "test2.local1.com"]
 # [[acme.domains]]
 #   main = "local2.com"
+#   sans = ["test1.local2.com", "test2.local2.com"]
 # [[acme.domains]]
-#   main = "*.local3.com"
-#   sans = ["local3.com", "test1.test1.local3.com"]
-```
+#   main = "local3.com"
+# [[acme.domains]]
+#   main = "local4.com"
 
-### `caServer`
+# Use a HTTP-01 acme challenge rather than TLS-SNI-01 challenge
+#
+# Optional but recommend
+#
+[acme.httpChallenge]
 
-The CA server to use.
+  # EntryPoint to use for the challenges.
+  #
+  # Required
+  #
+  entryPoint = "http"
 
-This example shows the usage of Let's Encrypt's staging server:
+# Use a DNS-01 acme challenge rather than TLS-SNI-01 challenge
+#
+# Optional
+#
+# [acme.dnsChallenge]
 
-```toml
-[acme]
-# ...
-caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-# ...
-```
+  # Provider used.
+  #
+  # Required
+  #
+  # provider = "digitalocean"
 
-### ACME Challenge
-
-#### `tlsChallenge`
-
-Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
-
-```toml
-[acme]
-# ...
-entryPoint = "https"
-[acme.tlsChallenge]
+  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+  # If delayBeforeCheck is greater than zero, avoid this & instead just wait so many seconds.
+  # Useful if internal networks block external DNS queries.
+  #
+  # Optional
+  # Default: 0
+  #
+  # delayBeforeCheck = 0
 ```
 
 !!! note
-    If the `TLS-ALPN-01` challenge is used, `acme.entryPoint` has to be reachable by Let's Encrypt through port 443.
-    This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+    Even if `TLS-SNI-01` challenge is [disabled](https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188) for the moment, it stays the _by default_ ACME Challenge in Træfik.
+    If `TLS-SNI-01` challenge is not re-enabled in the future, it we will be removed from Træfik.
 
-#### `httpChallenge`
+!!! note
+    If `TLS-SNI-01` challenge is used, `acme.entryPoint` has to be reachable by Let's Encrypt through the port 443.
+    If `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through the port 80.
+    These are Let's Encrypt limitations as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
 
-Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning a HTTP resource under a well-known URI.
+### Let's Encrypt downtime
 
-Redirection is fully compatible with the `HTTP-01` challenge.
+Let's Encrypt functionality will be limited until Træfik is restarted.
+
+If Let's Encrypt is not reachable, these certificates will be used :
+
+  - ACME certificates already generated before downtime
+  - Expired ACME certificates
+  - Provided certificates
+
+!!! note
+    Default Træfik certificate will be used instead of ACME certificates for new (sub)domains (which need Let's Encrypt challenge).
+
+### `storage`
+
+```toml
+[acme]
+# ...
+storage = "acme.json"
+# ...
+```
+
+The `storage` option sets where are stored your ACME certificates.
+
+There are two kind of `storage` :
+
+- a JSON file,
+- a KV store entry.
+
+!!! danger "DEPRECATED"
+    `storage` replaces `storageFile` which is deprecated.
+
+!!! note
+    During Træfik configuration migration from a configuration file to a KV store (thanks to `storeconfig` subcommand as described [here](/user-guide/kv-config/#store-configuration-in-key-value-store)), if ACME certificates have to be migrated too, use both `storageFile` and `storage`.
+
+    - `storageFile` will contain the path to the `acme.json` file to migrate.
+    - `storage` will contain the key where the certificates will be stored.
+
+#### Store data in a file
+
+ACME certificates can be stored in a JSON file which with the `600` right mode.
+
+There are two ways to store ACME certificates in a file from Docker:
+
+- create a file on your host and mount it as a volume:
+```toml
+storage = "acme.json"
+```
+```bash
+docker run -v "/my/host/acme.json:acme.json" traefik
+```
+- mount the folder containing the file as a volume
+```toml
+storage = "/etc/traefik/acme/acme.json"
+```
+```bash
+docker run -v "/my/host/acme:/etc/traefik/acme" traefik
+```
+
+!!! warning
+    This file cannot be shared per many instances of Træfik at the same time.
+    If you have to use Træfik cluster mode, please use [a KV Store entry](/configuration/acme/#storage-kv-entry).
+
+#### Store data in a KV store entry
+
+ACME certificates can be stored in a KV Store entry.
+
+```toml
+storage = "traefik/acme/account"
+```
+
+**This kind of storage is mandatory in cluster mode.**
+
+Because KV stores (like Consul) have limited entries size, the certificates list is compressed before to be set in a KV store entry.
+
+!!! note
+    It's possible to store up to approximately 100 ACME certificates in Consul.
+
+### `acme.httpChallenge`
+
+Use `HTTP-01` challenge to generate/renew ACME certificates.
+
+The redirection is fully compatible with the HTTP-01 challenge.
+You can use redirection with HTTP-01 challenge without problem.
 
 ```toml
 [acme]
@@ -217,11 +238,7 @@ entryPoint = "https"
   entryPoint = "http"
 ```
 
-!!! note
-    If the `HTTP-01` challenge is used, `acme.httpChallenge.entryPoint` has to be defined and reachable by Let's Encrypt through port 80.
-    This is a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
-
-##### `entryPoint`
+#### `entryPoint`
 
 Specify the entryPoint to use during the challenges.
 
@@ -244,11 +261,12 @@ defaultEntryPoints = ["http", "https"]
 ```
 
 !!! note
-    `acme.httpChallenge.entryPoint` has to be reachable through port 80. It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
+    `acme.httpChallenge.entryPoint` has to be reachable by Let's Encrypt through the port 80.
+    It's a Let's Encrypt limitation as described on the [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72).
 
-#### `dnsChallenge`
+### `acme.dnsChallenge`
 
-Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
+Use `DNS-01` challenge to generate/renew ACME certificates.
 
 ```toml
 [acme]
@@ -259,151 +277,45 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 # ...
 ```
 
-##### `delayBeforeCheck`
+#### `provider`
 
-By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.
-If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds.
+Select the provider that matches the DNS domain that will host the challenge TXT record, and provide environment variables to enable setting it:
+
+| Provider Name                                          | Provider code  | Configuration                                                                                                             |
+|--------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------|
+| [Auroradns](https://www.pcextreme.com/aurora/dns)      | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                         |
+| [Azure](https://azure.microsoft.com/services/dns/)     | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`              |
+| [Cloudflare](https://www.cloudflare.com)               | `cloudflare`   | `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` - The Cloudflare `Global API Key` needs to be used and not the `Origin CA Key`   |
+| [DigitalOcean](https://www.digitalocean.com)           | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                           |
+| [DNSimple](https://dnsimple.com)                       | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                               |
+| [DNS Made Easy](https://dnsmadeeasy.com)               | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                    |
+| [DNSPod](http://www.dnspod.net/)                       | `dnspod`       | `DNSPOD_API_KEY`                                                                                                          |
+| [Dyn](https://dyn.com)                                 | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                      |
+| [Exoscale](https://www.exoscale.ch)                    | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                            |
+| [Gandi](https://www.gandi.net)                         | `gandi`        | `GANDI_API_KEY`                                                                                                           |
+| [GoDaddy](https://godaddy.com/domains)                 | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                   |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud`       | `GCE_PROJECT`, `GCE_SERVICE_ACCOUNT_FILE`                                                                                 |
+| [Linode](https://www.linode.com)                       | `linode`       | `LINODE_API_KEY`                                                                                                          |
+| manual                                                 | -              | none, but run Træfik interactively & turn on `acmeLogging` to see instructions & press <kbd>Enter</kbd>.                  |
+| [Namecheap](https://www.namecheap.com)                 | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                 |
+| [Ns1](https://ns1.com/)                                | `ns1`          | `NS1_API_KEY`                                                                                                             |
+| [Open Telekom Cloud](https://cloud.telekom.de/en/)     | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                           |
+| [OVH](https://www.ovh.com)                             | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                       |
+| [PowerDNS](https://www.powerdns.com)                   | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                            |
+| [Rackspace](https://www.rackspace.com/cloud/dns)       | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                     |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)         | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                 |
+| [Route 53](https://aws.amazon.com/route53/)            | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_HOSTED_ZONE_ID` or configured user/instance IAM profile. |
+| [VULTR](https://www.vultr.com)                         | `vultr`        | `VULTR_API_KEY`                                                                                                           |
+
+#### `delayBeforeCheck`
+
+By default, the `provider` will verify the TXT DNS challenge record before letting ACME verify.  
+If `delayBeforeCheck` is greater than zero, avoid this & instead just wait so many seconds.
 
 Useful if internal networks block external DNS queries.
 
 !!! note
-    A `provider` is mandatory.
-
-##### `provider`
-
-Here is a list of supported `provider`s, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](/configuration/acme/#wildcard-domains) for each.
-Do not hesitate to complete it.
-Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
-For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
-
-| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       | Wildcard & Root Domain Support |
-|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | Not tested yet                 |
-| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | Not tested yet                 |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | Not tested yet                 |
-| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | Not tested yet                 |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | YES                            |
-| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | Not tested yet                 |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | YES                            |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | YES                            |
-| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | Not tested yet                 |
-| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | YES                            |
-| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | YES                            |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | YES                            |
-| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | Not tested yet                 |
-| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | Not tested yet                 |
-| [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | YES                            |
-| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | YES                            |
-| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | YES                            |
-| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | Not tested yet                 |
-| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | YES                            |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | YES                            |
-| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | YES                            |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | YES                            |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | Not tested yet                 |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | YES                            |
-| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | Not tested yet                 |
-| [GoDaddy](https://godaddy.com/domains)                      | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | Not tested yet                 |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials (2) (3), [`GCE_SERVICE_ACCOUNT_FILE`]                                                        | YES                            |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | YES                            |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1)                                                              | YES                            |
-| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | Not tested yet                 |
-| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | YES                            |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | YES                            |
-| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | Not tested yet                 |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | Not tested yet                 |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | Not tested yet                 |
-| manual                                                      | `manual`       | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                      | YES                            |
-| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | YES                            |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | YES                            |
-| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | YES                            |
-| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | Not tested yet                 |
-| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | Not tested yet                 |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | Not tested yet                 |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | Not tested yet                 |
-| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | Not tested yet                 |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | YES                            |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | YES                            |
-| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | YES                            |
-| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | Not tested yet                 |
-| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | Not tested yet                 |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | Not tested yet                 |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | YES                            |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | Not tested yet                 |
-| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | YES                            |
-| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | Not tested yet                 |
-| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | YES                            |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | Not tested yet                 |
-| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | YES                            |
-| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | YES                            |
-| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | YES                            |
-| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | YES                            |
-
-- (1): more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-- (2): https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
-- (3): https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76
-
-#### `resolvers`
-
-Use custom DNS servers to resolve the FQDN authority.
-
-```toml
-[acme]
-# ...
-[acme.dnsChallenge]
-  # ...
-  resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
-### `domains`
-
-You can provide SANs (alternative domains) to each main domain.
-All domains must have A/AAAA records pointing to Traefik.
-Each domain & SAN will lead to a certificate request.
-
-!!! note
-    The certificates for the domains listed in `acme.domains` are negotiated at traefik startup only.
-
-```toml
-[acme]
-# ...
-[[acme.domains]]
-  main = "local1.com"
-  sans = ["test1.local1.com", "test2.local1.com"]
-[[acme.domains]]
-  main = "local2.com"
-[[acme.domains]]
-  main = "*.local3.com"
-  sans = ["local3.com", "test1.test1.local3.com"]
-# ...
-```
-
-!!! warning
-    Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits).
-
-!!! note
-    Wildcard certificates can only be verified through a `DNS-01` challenge.
-
-#### Wildcard Domains
-
-[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) allows wildcard certificate support.
-As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](/configuration/acme/#dnschallenge).
-
-```toml
-[acme]
-# ...
-[[acme.domains]]
-  main = "*.local1.com"
-  sans = ["local1.com"]
-# ...
-```
-
-It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
-Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
-In this case the generated DNS TXT record for both domains is the same.
-Even though this behaviour is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a certain time (TTL) and this TTL can be superior to the challenge timeout making the `DNS-01` challenge fail.
-The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
-The [`provider` table](/configuration/acme/#provider) indicates if they allow generating certificates for a wildcard domain and its root domain.
+    This field has no sense if a `provider` is not defined.
 
 ### `onDemand` (Deprecated)
 
@@ -417,15 +329,15 @@ onDemand = true
 # ...
 ```
 
-Enable on demand certificate generation.
+Enable on demand certificate.
 
-This will request certificates from Let's Encrypt during the first TLS handshake for host names that do not yet have certificates.
+This will request a certificate from Let's Encrypt during the first TLS handshake for a host name that does not yet have a certificate.
 
 !!! warning
-    TLS handshakes are slow when requesting a host name certificate for the first time. This can lead to DoS attacks!
+    TLS handshakes will be slow when requesting a host name certificate for the first time, this can lead to DoS attacks.
 
 !!! warning
-    Take note that Let's Encrypt applies [rate limiting](https://letsencrypt.org/docs/rate-limits).
+    Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
 ### `onHostRule`
 
@@ -436,94 +348,58 @@ onHostRule = true
 # ...
 ```
 
-Enable certificate generation on frontend `Host` rules (for frontends wired to the `acme.entryPoint`).
+Enable certificate generation on frontends `Host` rules (for frontends wired on the `acme.entryPoint`).
 
 This will request a certificate from Let's Encrypt for each frontend with a Host rule.
 
-For example, the rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`.
+For example, a rule `Host:test1.traefik.io,test2.traefik.io` will request a certificate with main domain `test1.traefik.io` and SAN `test2.traefik.io`.
 
-!!! warning
-    `onHostRule` option can not be used to generate wildcard certificates.
-    Refer to [wildcard generation](/configuration/acme/#wildcard-domains) for further information.
-
-### `storage`
-
-The `storage` option sets the location where your ACME certificates are saved to.
+### `caServer`
 
 ```toml
 [acme]
 # ...
-storage = "acme.json"
+caServer = "https://acme-staging.api.letsencrypt.org/directory"
 # ...
 ```
 
-The value can refer to two kinds of storage:
+CA server to use.
 
-- a JSON file
-- a KV store entry
+- Uncomment the line to run on the staging Let's Encrypt server.
+- Leave comment to go to prod.
 
-!!! danger "DEPRECATED"
-    `storage` replaces `storageFile` which is deprecated.
-
-!!! note
-    During migration to a KV store use both `storageFile` and `storage` to migrate ACME certificates too. See [`storeconfig` subcommand](/user-guide/kv-config/#store-configuration-in-key-value-store) for further information.
-
-#### As a File
-
-ACME certificates can be stored in a JSON file that needs to have file mode `600`.
-
-In Docker you can either mount the JSON file or the folder containing it:
-
-```bash
-docker run -v "/my/host/acme.json:acme.json" traefik
-```
-```bash
-docker run -v "/my/host/acme:/etc/traefik/acme" traefik
-```
-
-!!! warning
-    This file cannot be shared across multiple instances of Traefik at the same time. Please use a [KV Store entry](/configuration/acme/#as-a-key-value-store-entry) instead.
-
-#### As a Key Value Store Entry
-
-ACME certificates can be stored in a KV Store entry. This kind of storage is **mandatory in cluster mode**.
+### `acme.domains`
 
 ```toml
-storage = "traefik/acme/account"
+[acme]
+# ...
+[[acme.domains]]
+  main = "local1.com"
+  sans = ["test1.local1.com", "test2.local1.com"]
+[[acme.domains]]
+  main = "local2.com"
+  sans = ["test1.local2.com", "test2.local2.com"]
+[[acme.domains]]
+  main = "local3.com"
+[[acme.domains]]
+  main = "local4.com"
+# ...
 ```
 
-Because KV stores (like Consul) have limited entry size the certificates list is compressed before it is saved as KV store entry.
+You can provide SANs (alternative domains) to each main domain.
+All domains must have A/AAAA records pointing to Træfik.
 
-!!! note
-    It is possible to store up to approximately 100 ACME certificates in Consul.
+!!! warning
+    Take note that Let's Encrypt have [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
-#### ACME v2 Migration
-
-During migration from ACME v1 to ACME v2, using a storage file, a backup of the original file is created in the same place as the latter (with a `.bak` extension).
-
-For example: if `acme.storage`'s value is `/etc/traefik/acme/acme.json`, the backup file will be `/etc/traefik/acme/acme.json.bak`.
-
-!!! note
-    When Traefik is launched in a container, the storage file's parent directory needs to be mounted to be able to access the backup file on the host.
-    Otherwise the backup file will be deleted when the container is stopped. Traefik will only generate it once!
+Each domain & SANs will lead to a certificate request.
 
 ### `dnsProvider` (Deprecated)
 
 !!! danger "DEPRECATED"
-    This option is deprecated. Please use [dnsChallenge.provider](/configuration/acme/#provider) instead.
+    This option is deprecated, use [dnsChallenge.provider](/configuration/acme/#acmednschallenge) instead.
 
 ### `delayDontCheckDNS` (Deprecated)
 
 !!! danger "DEPRECATED"
-    This option is deprecated. Please use [dnsChallenge.delayBeforeCheck](/configuration/acme/#dnschallenge) instead.
-
-## Fallbacks
-
-If Let's Encrypt is not reachable, these certificates will be used:
-
-  1. ACME certificates already generated before downtime
-  1. Expired ACME certificates
-  1. Provided certificates
-
-!!! note
-    For new (sub)domains which need Let's Encrypt authentification, the default Traefik certificate will be used until Traefik is restarted.
+    This option is deprecated, use [dnsChallenge.delayBeforeCheck](/configuration/acme/#acmednschallenge) instead.

docs/configuration/api.md

@@ -4,9 +4,6 @@
 
 ```toml
 # API definition
-# Warning: Enabling API will expose Traefik's configuration.
-# It is not recommended in production,
-# unless secured by authentication and authorizations
 [api]
   # Name of the related entry point
   #
@@ -15,7 +12,7 @@
   #
   entryPoint = "traefik"
 
-  # Enable Dashboard
+  # Enabled Dashboard
   #
   # Optional
   # Default: true
@@ -24,7 +21,7 @@
 
   # Enable debug mode.
   # This will install HTTP handlers to expose Go expvars under /debug/vars and
-  # pprof profiling data under /debug/pprof/.
+  # pprof profiling data under /debug/pprof.
   # Additionally, the log level will be set to DEBUG.
   #
   # Optional
@@ -33,36 +30,19 @@
   debug = true
 ```
 
-For more customization, see [entry points](/configuration/entrypoints/) documentation and the examples below.
+For more customization, see [entry points](/configuration/entrypoints/) documentation and [examples](/user-guide/examples/#ping-health-check).
 
-## Dashboard (Web UI)
+## Web UI
 
 ![Web UI Providers](/img/web.frontend.png)
 
 ![Web UI Health](/img/traefik-health.png)
 
-## Security
-
-Enabling the API will expose all configuration elements,
-including sensitive data.
-
-It is not recommended in production,
-unless secured by authentication and authorizations.
-
-A good sane default (but not exhaustive) set of recommendations
-would be to apply the following protection mechanism:
-
-* _At application level:_ enabling HTTP [Basic Authentication](#authentication)
-* _At transport level:_ NOT exposing publicly the API's port,
-keeping it restricted over internal networks
-(restricted networks as in https://en.wikipedia.org/wiki/Principle_of_least_privilege).
-
 ## API
 
 | Path                                                            | Method           | Description                               |
 |-----------------------------------------------------------------|------------------|-------------------------------------------|
-| `/`                                                             |     `GET`        | Provides a simple HTML frontend of Traefik |
-| `/cluster/leader`                                               |     `GET`        | JSON leader true/false response           |
+| `/`                                                             |     `GET`        | Provides a simple HTML frontend of Træfik |
 | `/health`                                                       |     `GET`        | JSON health metrics                       |
 | `/api`                                                          |     `GET`        | Configuration for all providers           |
 | `/api/providers`                                                |     `GET`        | Providers                                 |
@@ -106,10 +86,10 @@ entryPoint = "foo"
 entryPoint = "bar"
 ```
 
-In the above example, you would access a regular path, dashboard, and health-check as follows:
+In the above example, you would access a regular path, administration panel, and health-check as follows:
 
 * Regular path: `http://hostname:80/path`
-* Dashboard: `http://hostname:8083/`
+* Admin Panel: `http://hostname:8083/`
 * Ping URL: `http://hostname:8082/ping`
 
 In the above example, it is _very_ important to create a named dedicated entry point, and do **not** include it in `defaultEntryPoints`.
@@ -242,25 +222,6 @@ curl -s "http://localhost:8080/api" | jq .
 }
 ```
 
-### Cluster Leadership
-
-```shell
-curl -s "http://localhost:8080/cluster/leader" | jq .
-```
-```shell
-< HTTP/1.1 200 OK
-< Content-Type: application/json; charset=UTF-8
-< Date: xxx
-< Content-Length: 15
-```
-If the given node is not a cluster leader, an HTTP status of `429-Too-Many-Requests` will be returned.
-```json
-{
-  // current leadership status of the queried node
-  "leader": true
-}
-```
-
 ### Health
 
 ```shell
@@ -268,11 +229,11 @@ curl -s "http://localhost:8080/health" | jq .
 ```
 ```json
 {
-  // Traefik PID
+  // Træfik PID
   "pid": 2458,
-  // Traefik server uptime (formated time)
+  // Træfik server uptime (formated time)
   "uptime": "39m6.885931127s",
-  //  Traefik server uptime in seconds
+  //  Træfik server uptime in seconds
   "uptime_sec": 2346.885931127,
   // current server date
   "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
@@ -282,7 +243,7 @@ curl -s "http://localhost:8080/health" | jq .
   "status_code_count": {
     "502": 1
   },
-  // count HTTP response status code since Traefik started
+  // count HTTP response status code since Træfik started
   "total_status_code_count": {
     "200": 7,
     "404": 21,
@@ -301,7 +262,7 @@ curl -s "http://localhost:8080/health" | jq .
   // average response time in seconds
   "average_response_time_sec": 0.8648016000000001,
 
-  // request statistics [requires --api.statistics to be set]
+  // request statistics [requires --statistics to be set]
   // ten most recent requests with 4xx and 5xx status codes
   "recent_errors": [
     {
@@ -322,12 +283,9 @@ curl -s "http://localhost:8080/health" | jq .
 }
 ```
 
-## Dashboard Statistics
+## Metrics
 
-You can control how the Traefik's internal metrics are shown in the Dashboard.
-
-If you want to export internal metrics to different monitoring systems,
-please check the page [Metrics](./metrics.md).
+You can enable Traefik to export internal metrics to different monitoring systems.
 
 ```toml
 [api]

docs/configuration/backends/boltdb.md

@@ -1,13 +1,13 @@
-# BoltDB Provider
+# BoltDB Backend
 
-Traefik can be configured to use BoltDB as a provider.
+Træfik can be configured to use BoltDB as a backend configuration.
 
 ```toml
 ################################################################
-# BoltDB Provider
+# BoltDB configuration backend
 ################################################################
 
-# Enable BoltDB Provider.
+# Enable BoltDB configuration backend.
 [boltdb]
 
 # BoltDB file.
@@ -53,7 +53,7 @@ filename = "boltdb.tmpl"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/boltdb.crt"
 #    key = "/etc/ssl/boltdb.key"
-#    insecureSkipVerify = true
+#    insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).

docs/configuration/backends/consul.md

@@ -1,13 +1,13 @@
-# Consul Key-Value Provider
+# Consul Key-Value backend
 
-Traefik can be configured to use Consul as a provider.
+Træfik can be configured to use Consul as a backend configuration.
 
 ```toml
 ################################################################
-# Consul KV Provider
+# Consul KV configuration backend
 ################################################################
 
-# Enable Consul KV Provider.
+# Enable Consul KV configuration backend.
 [consul]
 
 # Consul server endpoint.
@@ -53,9 +53,9 @@ prefix = "traefik"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/consul.crt"
 #    key = "/etc/ssl/consul.key"
-#    insecureSkipVerify = true
+#    insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
 Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.

docs/configuration/backends/consulcatalog.md

@@ -1,13 +1,13 @@
-# Consul Catalog Provider
+# Consul Catalog backend
 
-Traefik can be configured to use service discovery catalog of Consul as a provider.
+Træfik can be configured to use service discovery catalog of Consul as a backend configuration.
 
 ```toml
 ################################################################
-# Consul Catalog Provider
+# Consul Catalog configuration backend
 ################################################################
 
-# Enable Consul Catalog Provider.
+# Enable Consul Catalog configuration backend.
 [consulCatalog]
 
 # Consul server endpoint.
@@ -24,28 +24,12 @@ endpoint = "127.0.0.1:8500"
 #
 exposedByDefault = false
 
-# Allow Consul server to serve the catalog reads regardless of whether it is the leader.
-#
-# Optional
-# Default: false
-#
-stale = false
-
-# Default base domain used for the frontend rules.
+# Default domain used.
 #
 # Optional
 #
 domain = "consul.localhost"
 
-# Keep a Consul node only if all checks status are passing
-# If true, only the Consul nodes with checks status 'passing' will be kept.
-# if false, only the Consul nodes with checks status 'passing' or 'warning' will be kept.
-#
-# Optional
-# Default: true
-#
-strictChecks = true
-
 # Prefix for Consul catalog tags.
 #
 # Optional
@@ -64,189 +48,46 @@ prefix = "traefik"
 # Default: "Host:{{.ServiceName}}.{{.Domain}}"
 #
 #frontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
-
-# Enable Consul catalog TLS connection.
-#
-# Optional
-#
-#    [consulCatalog.tls]
-#    ca = "/etc/ssl/ca.crt"
-#    cert = "/etc/ssl/consul.crt"
-#    key = "/etc/ssl/consul.key"
-#    insecureSkipVerify = true
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "consulcatalog.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
 ```
 
-This provider will create routes matching on hostname based on the service name used in Consul.
+This backend will create routes matching on hostname based on the service name used in Consul.
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
-## Tags
+### Tags
 
 Additional settings can be defined using Consul Catalog tags.
 
-!!! note
-    The default prefix is `traefik`.
-
-| Label                                                                    | Description                                                                                                                                                                                                                   |
-|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `<prefix>.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                           |
-| `<prefix>.protocol=https`                                                | Overrides the default `http` protocol.                                                                                                                                                                                        |
-| `<prefix>.weight=10`                                                     | Assigns this weight to the container.                                                                                                                                                                                         |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.retryExpression=EXPR`                         | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `<prefix>.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend. ex: `NetworkErrorRatio() > 0.`                                                                                                                 |
-| `<prefix>.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                     |
-| `<prefix>.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
-| `<prefix>.backend.healthcheck.interval=1s`                               | Defines the health check interval.                                                                                                                                                                                            |
-| `<prefix>.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                   |
-| `traefik.backend.healthcheck.scheme=http`                                | Overrides the server URL scheme.                                                                                                                                                                                              |
-| `<prefix>.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                            |
-| `<prefix>.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
-| `<prefix>.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm.                                                                                                                                                                          |
-| `<prefix>.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions.                                                                                                                                                                                              |
-| `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions.                                                                                                                                                                            |
-| `<prefix>.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
-| `<prefix>.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
-| `<prefix>.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
-| `<prefix>.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions. (DEPRECATED)                                                                                                                                                                                 |
-| `<prefix>.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
-| `<prefix>.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
-| `<prefix>.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
-| `<prefix>.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `<prefix>.frontend.auth.basic.users=EXPR`                                | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
-| `<prefix>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
-| `<prefix>.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `<prefix>.frontend.auth.digest.users=EXPR`                               | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
-| `<prefix>.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `<prefix>.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                    |
-| `<prefix>.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                |
-| `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
-| `<prefix>.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
-| `<prefix>.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `<prefix>.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
-| `<prefix>.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `<prefix>.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
-| `<prefix>.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
-| `<prefix>.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
-| `<prefix>.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `<prefix>.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `<prefix>.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `<prefix>.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                             |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `<prefix>.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `<prefix>.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                            |
-| `<prefix>.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                           |
-| `<prefix>.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                 |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                            |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `<prefix>.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `<prefix>.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                             |
-| `<prefix>.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
-| `<prefix>.frontend.priority=10`                                          | Overrides default frontend priority.                                                                                                                                                                                          |
-| `<prefix>.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `<prefix>.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `<prefix>.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS).                                                                                                                                                         |
-| `<prefix>.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
-| `<prefix>.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
-| `<prefix>.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                   |
-| `<prefix>.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{{.ServiceName}}.{{.Domain}}`.                                                                                                                                            |
-| `<prefix>.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `<prefix>.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
-
-### Multiple frontends for a single service
-
-If you need to support multiple frontends for a service, for example when having multiple `rules` that can't be combined, specify them as follows:
-
-```
-<prefix>.frontends.A.rule=Host:A:PathPrefix:/A
-<prefix>.frontends.B.rule=Host:B:PathPrefix:/
-```
-
-`A` and `B` here are just arbitrary names, they can be anything. You can use any setting that applies to `<prefix>.frontend` from the table above.
-
-### Custom Headers
-
-!!! note
-    The default prefix is `traefik`.
-
-| Label                                                  | Description                                                                                                                                                                         |
-|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `<prefix>.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `<prefix>.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-### Security Headers
-
-!!! note
-    The default prefix is `traefik`.
-
-| Label                                                     | Description                                                                                                                                                                                         |
-|-----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `<prefix>.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `<prefix>.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `<prefix>.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `<prefix>.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `<prefix>.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `<prefix>.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `<prefix>.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `<prefix>.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `<prefix>.frontend.headers.hostsProxyHeaders=EXPR`        | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `<prefix>.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `<prefix>.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `<prefix>.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `<prefix>.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `<prefix>.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `<prefix>.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `<prefix>.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `<prefix>.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `<prefix>.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `<prefix>.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `<prefix>.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-
+| Tag                                                       | Description                                                                                                                                                                        |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.enable=false`                                    | Disable this container in Træfik                                                                                                                                                   |
+| `traefik.protocol=https`                                  | Override the default `http` protocol                                                                                                                                               |
+| `traefik.backend.weight=10`                               | Assign this weight to the container                                                                                                                                                |
+| `traefik.backend.circuitbreaker=EXPR`                     | Create a [circuit breaker](/basics/#backends) to be used against the backend, ex: `NetworkErrorRatio() > 0.`                                                                       |
+| `traefik.backend.maxconn.amount=10`                       | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.backend.maxconn.extractorfunc=client.ip`         | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
+| `traefik.frontend.rule=Host:test.traefik.io`              | Override the default frontend rule (Default: `Host:{{.ServiceName}}.{{.Domain}}`).                                                                                                 |
+| `traefik.frontend.passHostHeader=true`                    | Forward client `Host` header to the backend.                                                                                                                                       |
+| `traefik.frontend.priority=10`                            | Override default frontend priority                                                                                                                                                 |
+| `traefik.frontend.entryPoints=http,https`                 | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
+| `traefik.frontend.auth.basic=EXPR`                        | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                   |
+| `traefik.backend.loadbalancer=drr`                        | override the default `wrr` load balancer algorithm                                                                                                                                 |
+| `traefik.backend.loadbalancer.stickiness=true`            | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                                                                                                                   |
+| `traefik.backend.loadbalancer.sticky=true`                | enable backend sticky sessions (DEPRECATED)                                                                                                                                        |
 
 ### Examples
 
-If you want that Traefik uses Consul tags correctly you need to defined them like that:
-
-```js
+If you want that Træfik uses Consul tags correctly you need to defined them like that:
+```json
 traefik.enable=true
 traefik.tags=api
 traefik.tags=external
 ```
 
-If the prefix defined in Traefik configuration is `bla`, tags need to be defined like that:
-
-```js
+If the prefix defined in Træfik configuration is `bla`, tags need to be defined like that:
+```json
 bla.enable=true
 bla.tags=api
 bla.tags=external
-```
+```

docs/configuration/backends/docker.md

@@ -1,16 +1,16 @@
 
-# Docker Provider
+# Docker Backend
 
-Traefik can be configured to use Docker as a provider.
+Træfik can be configured to use Docker as a backend configuration.
 
 ## Docker
 
 ```toml
 ################################################################
-# Docker Provider
+# Docker configuration backend
 ################################################################
 
-# Enable Docker Provider.
+# Enable Docker configuration backend.
 [docker]
 
 # Docker server endpoint. Can be a tcp or a unix socket endpoint.
@@ -19,10 +19,10 @@ Traefik can be configured to use Docker as a provider.
 #
 endpoint = "unix:///var/run/docker.sock"
 
-# Default base domain used for the frontend rules.
+# Default domain used.
 # Can be overridden by setting the "traefik.domain" label on a container.
 #
-# Optional
+# Required
 #
 domain = "docker.localhost"
 
@@ -39,27 +39,16 @@ watch = true
 #
 # filename = "docker.tmpl"
 
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-
 # Expose containers by default in Traefik.
 # If set to false, containers that don't have `traefik.enable=true` will be ignored.
 #
 # Optional
 # Default: true
 #
-exposedByDefault = true
+exposedbydefault = true
 
 # Use the IP address from the binded port instead of the inner network one.
-#
-# In case no IP address is attached to the binded port (or in case 
-# there is no bind), the inner network one will be used as a fallback.     
+# For specific use-case :)
 #
 # Optional
 # Default: false
@@ -71,21 +60,7 @@ usebindportip = true
 # Optional
 # Default: false
 #
-swarmMode = false
-
-# Polling interval (in seconds) for Swarm Mode.
-#
-# Optional
-# Default: 15
-#
-swarmModeRefreshSeconds = 15
-
-# Define a default docker network to use for connections to all containers.
-# Can be overridden by the traefik.docker.network label.
-#
-# Optional
-#
-network = "web"
+swarmmode = false
 
 # Enable docker TLS connection.
 #
@@ -95,19 +70,20 @@ network = "web"
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
-#  insecureSkipVerify = true
+#  insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
+
 
 ## Docker Swarm Mode
 
 ```toml
 ################################################################
-# Docker Swarm Mode Provider
+# Docker Swarmmode configuration backend
 ################################################################
 
-# Enable Docker Provider.
+# Enable Docker configuration backend.
 [docker]
 
 # Docker server endpoint.
@@ -116,12 +92,9 @@ To enable constraints see [provider-specific constraints section](/configuration
 # Required
 # Default: "unix:///var/run/docker.sock"
 #
-# swarm classic (1.12-)
-# endpoint = "tcp://127.0.0.1:2375"
-# docker swarm mode (1.12+)
-endpoint = "tcp://127.0.0.1:2377"
+endpoint = "tcp://127.0.0.1:2375"
 
-# Default base domain used for the frontend rules.
+# Default domain used.
 # Can be overridden by setting the "traefik.domain" label on a services.
 #
 # Optional
@@ -141,14 +114,7 @@ watch = true
 # Optional
 # Default: false
 #
-swarmMode = true
-
-# Define a default docker network to use for connections to all containers.
-# Can be overridden by the traefik.docker.network label.
-#
-# Optional
-#
-network = "web"
+swarmmode = true
 
 # Override default configuration template.
 # For advanced users :)
@@ -157,21 +123,12 @@ network = "web"
 #
 # filename = "docker.tmpl"
 
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-
 # Expose services by default in Traefik.
 #
 # Optional
 # Default: true
 #
-exposedByDefault = false
+exposedbydefault = false
 
 # Enable docker TLS connection.
 #
@@ -181,69 +138,14 @@ exposedByDefault = false
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
-#  insecureSkipVerify = true
+#  insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
-## Security Considerations
+## Labels: overriding default behaviour
 
-### Security Challenge with the Docker Socket
-
-Traefik requires access to the docker socket to get its dynamic configuration,
-by watching the Docker API through this socket.
-
-!!! important
-    Depending on your context and your usage, accessing the Docker API without any restriction might be a security concern.
-
-As explained on the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
-
-`[...] only **trusted** users should be allowed to control your Docker daemon [...]`
-
-If the Traefik processes (handling requests from the outside world) is attacked,
-then the attacker can access the Docker (or Swarm Mode) backend.
-
-Also, when using Swarm Mode, it is mandatory to schedule Traefik's containers on the Swarm manager nodes,
-to let Traefik accessing the Docker Socket of the Swarm manager node.
-
-More information about Docker's security:
-
-- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
-- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
-- [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
-- [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
-
-### Workarounds
-
-!!! note "Improved Security"
-
-    [Traefik Enterprise](https://traefik.io/traefik-enterprise/) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
-
-Another possible workaround is to expose the Docker socket over TCP, instead of the default Unix socket file.
-It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
-
-- Authentication with Client Certificates as described in [the "Protect the Docker daemon socket" page of Docker's documentation](https://docs.docker.com/engine/security/https/)
-
-- Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
-
-- Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
-
-- Accounting at container level, by exposing the socket on a another container than Traefik's.
-  With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
-
-- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux),
-  to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
-
-Use the following ressources to get started:
-
-- [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
-- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
-- [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
-- [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
-
-## Labels: overriding default behavior
-
-### Using Docker with Swarm Mode
+#### Using Docker with Swarm Mode
 
 If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
 This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
@@ -257,23 +159,9 @@ services:
         traefik.docker.network: traefik
 ```
 
-Required labels:
+#### Using Docker Compose
 
-- `traefik.frontend.rule`
-- `traefik.port` - Without this the debug logs will show this service is deliberately filtered out.
-- `traefik.docker.network` - Without this a 504 may occur.
-
-#### Troubleshooting
-
-If service doesn't show up in the dashboard, check the debug logs to see if the port is missing:
-`Filtering container without port, <SERVICE_NAME>: port label is missing, ...')`
-
-If `504 Gateway Timeout` occurs and there are networks used, ensure that `traefik.docker.network` is defined. 
-The complete name is required, meaning if the network is internal the name needs to be `<project_name>_<network_name>`.
-
-### Using Docker Compose
-
-If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored.
+If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored. 
 
 ```yaml
 version: "3"
@@ -285,271 +173,93 @@ services:
 
 ### On Containers
 
-Labels can be used on containers to override default behavior.
+Labels can be used on containers to override default behaviour.
 
-| Label                                                                   | Description                                                                                                                                                                                                                      |
-|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.docker.network`                                                | Overrides the default docker network to use for connections to the container. [1]                                                                                                                                                |
-| `traefik.domain`                                                        | Sets the default base domain for the frontend rules. For more information, check the [Container Labels section's of the user guide "Let's Encrypt & Docker"](/user-guide/docker-and-lets-encrypt/#container-labels)              |
-| `traefik.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                              |
-| `traefik.port=80`                                                       | Registers this port. Useful when the container exposes multiples ports.                                                                                                                                                          |
-| `traefik.tags=foo,bar,myTag`                                            | Adds Traefik tags to the Docker container/service to be used in [constraints](/configuration/commons/#constraints).                                                                                                              |
-| `traefik.protocol=https`                                                | Overrides the default `http` protocol                                                                                                                                                                                            |
-| `traefik.weight=10`                                                     | Assigns this weight to the container                                                                                                                                                                                             |
-| `traefik.backend=foo`                                                   | Overrides the container name by `foo` in the generated name of the backend.                                                                                                                                                      |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.retryExpression=EXPR`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                    |
-| `traefik.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                        |
-| `traefik.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                           |
-| `traefik.backend.healthcheck.interval=1s`                               | Defines the health check interval.                                                                                                                                                                                               |
-| `traefik.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                      |
-| `traefik.backend.healthcheck.scheme=http`                               | Overrides the server URL scheme.                                                                                                                                                                                                 |
-| `traefik.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                               |
-| `traefik.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                        |
-| `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
-| `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                                  |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                   |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                      |
-| `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
-| `traefik.backend.loadbalancer.swarm=true`                               | Uses Swarm's inbuilt load balancer (only relevant under Swarm Mode) [3].                                                                                                                                                         |
-| `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                           |
-| `traefik.frontend.auth.basic=EXPR`                                      | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2] (DEPRECATED).                                                                                                                            |
-| `traefik.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
-| `traefik.frontend.auth.basic.users=EXPR`                                | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` [2].                                                                                                                                         |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `traefik.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
-| `traefik.frontend.auth.digest.users=EXPR`                               | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                       |
-| `traefik.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                       |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                       |
-| `traefik.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                      |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                            |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
-| `traefik.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                    |
-| `traefik.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header user to pass the authenticated user to the application.                                                                                                                                                          |
-| `traefik.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                      |
-| `traefik.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                        |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                              |
-| `traefik.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                      |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                      |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                                |
-| `traefik.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend (DEPRECATED).                                                                                                                                                                    |
-| `traefik.frontend.priority=10`                                          | Overrides default frontend priority                                                                                                                                                                                              |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                             |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                          |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                                |
-| `traefik.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                      |
-| `traefik.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                     |
-| `traefik.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                          |
+| Label                                                      | Description                                                                                                                                                                                                         |
+|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend=foo`                                      | Give the name `foo` to the generated backend for this container.                                                                                                                                                    |
+| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                                                                |
+| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect.                                  |
+| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                  |
+| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                      |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                    |
+| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.swarm=true`                  | Use Swarm's inbuilt load balancer (only relevant under Swarm Mode).                                                                                                                                                 |
+| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                        |
+| `traefik.port=80`                                          | Register this port. Useful when the container exposes multiples ports.                                                                                                                                              |
+| `traefik.protocol=https`                                   | Override the default `http` protocol                                                                                                                                                                                |
+| `traefik.weight=10`                                        | Assign this weight to the container                                                                                                                                                                                 |
+| `traefik.enable=false`                                     | Disable this container in Træfik                                                                                                                                                                                    |
+| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                         |
+| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                        |
+| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                  |
+| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                             |
+| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                    |
+| `traefik.frontend.whitelistSourceRange:RANGE`              | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.docker.network`                                   | Set the docker network to use for connections to this container. [1]                                                                                                                                                |
+| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                               |
+| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                |
+| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.regex`.                                                                                                                      |
 
-[1] `traefik.docker.network`:  
-If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them).  
+[1] `traefik.docker.network`:
+If a container is linked to several networks, be sure to set the proper network name (you can check with `docker inspect <container_id>`) otherwise it will randomly pick one (depending on how docker is returning them).
 For instance when deploying docker `stack` from compose files, the compose defined networks will be prefixed with the `stack` name.
 Or if your service references external network use it's name instead.
 
-[2] `traefik.frontend.auth.basic.users=EXPR`:  
-To create `user:password` pair, it's possible to use this command:  
-`echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g`.  
-The result will be `user:$$apr1$$9Cv/OMGj$$ZomWQzuQbL.3TRCS81A1g/`, note additional symbol `$` makes escaping.
-
-[3] `traefik.backend.loadbalancer.swarm`:  
-If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
-Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.  
-It also means that Traefik will manipulate only one backend, not one backend per container.
-
-#### Custom Headers
-
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR`  | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
 #### Security Headers
 
 | Label                                                    | Description                                                                                                                                                                                         |
 |----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR`        | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2`                                                                                                             |
+| `traefik.frontend.headers.customRequestHeaders=EXPR `    | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                    |
+| `traefik.frontend.headers.customResponseHeaders=EXPR`    | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                           |
+| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored. Format:  `HEADER1,HEADER2`                                                                                                      |
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                         |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
+| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `traefik.frontend.headers.publicKey=VALUE`               | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
+| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
 
-### On containers with Multiple Ports (segment labels)
+### On Service
 
-Segment labels are used to define routes to a container exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by a container.
-You can define as many segments as ports exposed in a container.
+Services labels can be used for overriding default behaviour
 
-Segment labels override the default behavior.
+| Label                                                                     | Description                                                                                      |
+|---------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
+| `traefik.<service-name>.port=PORT`                                        | Overrides `traefik.port`. If several ports need to be exposed, the service labels could be used. |
+| `traefik.<service-name>.protocol`                                         | Overrides `traefik.protocol`.                                                                    |
+| `traefik.<service-name>.weight`                                           | Assign this service weight. Overrides `traefik.weight`.                                          |
+| `traefik.<service-name>.frontend.backend=BACKEND`                         | Assign this service frontend to `BACKEND`. Default is to assign to the service backend.          |
+| `traefik.<service-name>.frontend.entryPoints`                             | Overrides `traefik.frontend.entrypoints`                                                         |
+| `traefik.<service-name>.frontend.auth.basic`                              | Sets a Basic Auth for that frontend                                                              |
+| `traefik.<service-name>.frontend.passHostHeader`                          | Overrides `traefik.frontend.passHostHeader`.                                                     |
+| `traefik.<service-name>.frontend.priority`                                | Overrides `traefik.frontend.priority`.                                                           |
+| `traefik.<service-name>.frontend.rule`                                    | Overrides `traefik.frontend.rule`.                                                               |
+| `traefik.<service-name>.frontend.redirect`                                | Overrides `traefik.frontend.redirect`.                                                           |
+| `traefik.<service-name>.frontend.redirect.entryPoint=https`               | Overrides `traefik.frontend.redirect.entryPoint`.                                                |
+| `traefik.<service-name>.frontend.redirect.regex=^http://localhost/(.*)`   | Overrides `traefik.frontend.redirect.regex`.                                                     |
+| `traefik.<service-name>.frontend.redirect.replacement=http://mydomain/$1` | Overrides `traefik.frontend.redirect.replacement`.                                               |
 
-| Label                                                                                  | Description                                                                |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                               | Same as `traefik.backend`                                                  |
-| `traefik.<segment_name>.domain=DOMAIN`                                                 | Same as `traefik.domain`                                                   |
-| `traefik.<segment_name>.port=PORT`                                                     | Same as `traefik.port`                                                     |
-| `traefik.<segment_name>.protocol=http`                                                 | Same as `traefik.protocol`                                                 |
-| `traefik.<segment_name>.weight=10`                                                     | Same as `traefik.weight`                                                   |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                                      | Same as `traefik.frontend.auth.basic`                                      |
-| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`                         | Same as `traefik.frontend.auth.basic.removeHeader`                         |
-| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                                | Same as `traefik.frontend.auth.basic.users`                                |
-| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Same as `traefik.frontend.auth.basic.usersFile`                            |
-| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`                        | Same as `traefik.frontend.auth.digest.removeHeader`                        |
-| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                               | Same as `traefik.frontend.auth.digest.users`                               |
-| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`                | Same as `traefik.frontend.auth.digest.usersFile`                           |
-| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`             | Same as `traefik.frontend.auth.forward.address`                            |
-| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR`                | Same as `traefik.frontend.auth.forward.authResponseHeaders`                |
-| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Same as `traefik.frontend.auth.forward.tls.ca`                             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`                     | Same as `traefik.frontend.auth.forward.tls.caOptional`                     |
-| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`               | Same as `traefik.frontend.auth.forward.tls.cert`                           |
-| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`             | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`                | Same as `traefik.frontend.auth.forward.tls.key`                            |
-| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`                 | Same as `traefik.frontend.auth.forward.trustForwardHeader`                 |
-| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`                      | Same as `traefik.frontend.auth.headerField`                                |
-| `traefik.<segment_name>.frontend.entryPoints=https`                                    | Same as `traefik.frontend.entryPoints`                                     |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`                           | Same as `traefik.frontend.errors.<name>.backend`                           |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                             | Same as `traefik.frontend.errors.<name>.query`                             |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`                           | Same as `traefik.frontend.errors.<name>.status`                            |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                                  | Same as `traefik.frontend.passHostHeader`                                  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName`       |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true`          | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country`          |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent`  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true`                | Same as `traefik.frontend.passTLSClientCert.infos.notAfter`                |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true`               | Same as `traefik.frontend.passTLSClientCert.infos.notBefore`               |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true`                    | Same as `traefik.frontend.passTLSClientCert.infos.sans`                    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true`      | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName`      |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true`         | Same as `traefik.frontend.passTLSClientCert.infos.subject.country`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.province`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true`                           | Same as `traefik.frontend.passTLSClientCert.infos.pem`                     |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                                     | Same as `traefik.frontend.passTLSCert`                                     |
-| `traefik.<segment_name>.frontend.priority=10`                                          | Same as `traefik.frontend.priority`                                        |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`                          | Same as `traefik.frontend.rateLimit.extractorFunc`                         |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`                    | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`                 |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`                   | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`                |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`                     | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`                  |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`                            | Same as `traefik.frontend.redirect.entryPoint`                             |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`                | Same as `traefik.frontend.redirect.regex`                                  |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1`              | Same as `traefik.frontend.redirect.replacement`                            |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                              | Same as `traefik.frontend.redirect.permanent`                              |
-| `traefik.<segment_name>.frontend.rule=EXP`                                             | Same as `traefik.frontend.rule`                                            |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`                          | Same as `traefik.frontend.whiteList.sourceRange`                           |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`                      | Same as `traefik.frontend.whiteList.useXForwardedFor`                      |
-
-#### Custom Headers
-
-| Label                                                                | Description                                              |
-|----------------------------------------------------------------------|----------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR`  | Same as `traefik.frontend.headers.customRequestHeaders`  |
-| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label                                                                   | Description                                                  |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
-| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
-| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
-| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
-| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
-| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
-| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
-| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
-| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
-| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
-| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
-| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
-| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
-| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
-| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
-| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
-| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
-| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
-| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
-| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |
 
 !!! note
-    If a label is defined both as a `container label` and a `segment label` (for example `traefik.<segment_name>.port=PORT` and `traefik.port=PORT` ), the `segment label` is used to defined the `<segment_name>` property (`port` in the example).
+    If a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).
 
-    It's possible to mix `container labels` and `segment labels`, in this case `container labels` are used as default value for missing `segment labels` but no frontends are going to be created with the `container labels`.
+    It's possible to mix `container labels` and `service labels`, in this case `container labels` are used as default value for missing `service labels` but no frontends are going to be created with the `container labels`.
 
     More details in this [example](/user-guide/docker-and-lets-encrypt/#labels).
 
 !!! warning
-    When running inside a container, Traefik will need network access through:
+    When running inside a container, Træfik will need network access through:
 
     `docker network connect <network> <traefik-container>`
-
-## usebindportip
-
-The default behavior of Traefik is to route requests to the IP/Port of the matching container.
-When setting `usebindportip` to true, you tell Traefik to use the IP/Port attached to the container's binding instead of the inner network IP/Port.
-
-When used in conjunction with the `traefik.port` label (that tells Traefik to route requests to a specific port), Traefik tries to find a binding with `traefik.port` port to select the container. If it can't find such a binding, Traefik falls back on the internal network IP of the container, but still uses the `traefik.port` that is set in the label.
-
-Below is a recap of the behavior of `usebindportip` in different situations.
-
-| traefik.port label | Container's binding                                | Routes to      |
-|--------------------|----------------------------------------------------|----------------|
-|          -         |           -                                        | IntIP:IntPort  |
-|          -         | ExtPort:IntPort                                    | IntIP:IntPort  |
-|          -         | ExtIp:ExtPort:IntPort                              | ExtIp:ExtPort  |
-| LblPort            |           -                                        | IntIp:LblPort  |
-| LblPort            | ExtIp:ExtPort:LblPort                              | ExtIp:ExtPort  |
-| LblPort            | ExtIp:ExtPort:OtherPort                            | IntIp:LblPort  |
-| LblPort            | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
-
-!!! note
-    In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."

docs/configuration/backends/dynamodb.md

@@ -1,15 +1,15 @@
-# DynamoDB Provider
+# DynamoDB Backend
 
-Traefik can be configured to use Amazon DynamoDB as a provider.
+Træfik can be configured to use Amazon DynamoDB as a backend configuration.
 
 ## Configuration
 
 ```toml
 ################################################################
-# DynamoDB Provider
+# DynamoDB configuration backend
 ################################################################
 
-# Enable DynamoDB Provider.
+# Enable DynamoDB configuration backend.
 [dynamodb]
 
 # Region to use when connecting to AWS.
@@ -39,13 +39,13 @@ watch = true
 #
 refreshSeconds = 15
 
-# Access Key ID to use when connecting to AWS.
+# AccessKeyID to use when connecting to AWS.
 #
 # Optional
 #
 accessKeyID = "abc"
 
-# Secret Access Key to use when connecting to AWS.
+# SecretAccessKey to use when connecting to AWS.
 #
 # Optional
 #
@@ -68,3 +68,4 @@ Items in the `dynamodb` table must have three attributes:
     See `types/types.go` for details.  
     The presence or absence of this attribute determines its type.
     So an item should never have both a `frontend` and a `backend` attribute.
+

docs/configuration/backends/ecs.md

@@ -1,15 +1,15 @@
-# ECS Provider
+# ECS Backend
 
-Traefik can be configured to use Amazon ECS as a provider.
+Træfik can be configured to use Amazon ECS as a backend configuration.
 
 ## Configuration
 
 ```toml
 ################################################################
-# ECS Provider
+# ECS configuration backend
 ################################################################
 
-# Enable ECS Provider.
+# Enable ECS configuration backend.
 [ecs]
 
 # ECS Cluster Name.
@@ -32,8 +32,7 @@ clusters = ["default"]
 #
 watch = true
 
-# Default base domain used for the frontend rules.
-# Can be overridden by setting the "traefik.domain" label.
+# Default domain used.
 #
 # Optional
 # Default: ""
@@ -67,13 +66,13 @@ exposedByDefault = false
 #
 region = "us-east-1"
 
-# Access Key ID to use when connecting to AWS.
+# AccessKeyID to use when connecting to AWS.
 #
 # Optional
 #
 accessKeyID = "abc"
 
-# Secret Access Key to use when connecting to AWS.
+# SecretAccessKey to use when connecting to AWS.
 #
 # Optional
 #
@@ -85,28 +84,17 @@ secretAccessKey = "123"
 # Optional
 #
 # filename = "ecs.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
 ```
 
-If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in the following order:
+If `AccessKeyID`/`SecretAccessKey` is not given credentials will be resolved in the following order:
 
 - From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
 - Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
 - EC2 instance role or ECS task role
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
-
 ## Policy
 
-Traefik needs the following policy to read ECS information:
+Træfik needs the following policy to read ECS information:
 
 ```json
 {
@@ -136,219 +124,20 @@ Traefik needs the following policy to read ECS information:
 
 Labels can be used on task containers to override default behaviour:
 
-| Label                                                                   | Description                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                                        | Sets the default base domain for frontend rules.                                                                                                                                                                              |
-| `traefik.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                           |
-| `traefik.port=80`                                                       | Overrides the default `port` value. Overrides `NetworkBindings` from Docker Container                                                                                                                                         |
-| `traefik.protocol=https`                                                | Overrides the default `http` protocol                                                                                                                                                                                         |
-| `traefik.weight=10`                                                     | Assigns this weight to the container                                                                                                                                                                                          |
-| `traefik.backend=foo`                                                   | Overrides the service name by `foo` in the generated name of the backend.                                                                                                                                                     |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.retryExpression=EXPR`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
-| `traefik.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                     |
-| `traefik.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
-| `traefik.backend.healthcheck.interval=1s`                               | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
-| `traefik.backend.healthcheck.scheme=http`                               | Overrides the server URL scheme.                                                                                                                                                                                              |
-| `traefik.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                   |
-| `traefik.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                            |
-| `traefik.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
-| `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
-| `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie manually  name for sticky sessions                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
-| `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
-| `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
-| `traefik.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
-| `traefik.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.basic.users=EXPR`                                | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
-| `traefik.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.digest.users=EXPR`                               | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `traefik.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                    |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
-| `traefik.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
-| `traefik.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
-| `traefik.frontend.auth.removeHeader=true`                               | If set to true, removes the Authorization header.                                                                                                                                                                             |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                           |
-| `traefik.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                 |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                           |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                             |
-| `traefik.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
-| `traefik.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
-| `traefik.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
-| `traefik.frontend.priority=10`                                          | Overrides default frontend priority                                                                                                                                                                                           |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
-| `traefik.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                   |
-| `traefik.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{instance_name}.{domain}`.                                                                                                                                                |
-| `traefik.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
-
-### Custom Headers
-
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-### Security Headers
-
-| Label                                                    | Description                                                                                                                                                                                         |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-
-### Containers with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to an application exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by an application.
-You can define as many segments as ports exposed in an application.
-
-Segment labels override the default behavior.
-
-| Label                                                                                  | Description                                                                |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                               | Same as `traefik.backend`                                                  |
-| `traefik.<segment_name>.domain=DOMAIN`                                                 | Same as `traefik.domain`                                                   |
-| `traefik.<segment_name>.port=PORT`                                                     | Same as `traefik.port`                                                     |
-| `traefik.<segment_name>.protocol=http`                                                 | Same as `traefik.protocol`                                                 |
-| `traefik.<segment_name>.weight=10`                                                     | Same as `traefik.weight`                                                   |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                                      | Same as `traefik.frontend.auth.basic`                                      |
-| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`                         | Same as `traefik.frontend.auth.basic.removeHeader`                         |
-| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                                | Same as `traefik.frontend.auth.basic.users`                                |
-| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Same as `traefik.frontend.auth.basic.usersFile`                            |
-| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`                        | Same as `traefik.frontend.auth.digest.removeHeader`                        |
-| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                               | Same as `traefik.frontend.auth.digest.users`                               |
-| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`                | Same as `traefik.frontend.auth.digest.usersFile`                           |
-| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`             | Same as `traefik.frontend.auth.forward.address`                            |
-| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR`                | Same as `traefik.frontend.auth.forward.authResponseHeaders`                |
-| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Same as `traefik.frontend.auth.forward.tls.ca`                             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`                     | Same as `traefik.frontend.auth.forward.tls.caOptional`                     |
-| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`               | Same as `traefik.frontend.auth.forward.tls.cert`                           |
-| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`             | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`                | Same as `traefik.frontend.auth.forward.tls.key`                            |
-| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`                 | Same as `traefik.frontend.auth.forward.trustForwardHeader`                 |
-| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`                      | Same as `traefik.frontend.auth.headerField`                                |
-| `traefik.<segment_name>.frontend.auth.removeHeader=true`                               | Same as `traefik.frontend.auth.removeHeader`                               |
-| `traefik.<segment_name>.frontend.entryPoints=https`                                    | Same as `traefik.frontend.entryPoints`                                     |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`                           | Same as `traefik.frontend.errors.<name>.backend`                           |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                             | Same as `traefik.frontend.errors.<name>.query`                             |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`                           | Same as `traefik.frontend.errors.<name>.status`                            |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                                  | Same as `traefik.frontend.passHostHeader`                                  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName`       |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true`          | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country`          |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent`  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true`                | Same as `traefik.frontend.passTLSClientCert.infos.notAfter`                |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true`               | Same as `traefik.frontend.passTLSClientCert.infos.notBefore`               |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true`                    | Same as `traefik.frontend.passTLSClientCert.infos.sans`                    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true`      | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName`      |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true`         | Same as `traefik.frontend.passTLSClientCert.infos.subject.country`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.province`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true`                           | Same as `traefik.frontend.passTLSClientCert.infos.pem`                     |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                                     | Same as `traefik.frontend.passTLSCert`                                     |
-| `traefik.<segment_name>.frontend.priority=10`                                          | Same as `traefik.frontend.priority`                                        |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`                          | Same as `traefik.frontend.rateLimit.extractorFunc`                         |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`                    | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`                 |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`                   | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`                |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`                     | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`                  |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`                            | Same as `traefik.frontend.redirect.entryPoint`                             |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`                | Same as `traefik.frontend.redirect.regex`                                  |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1`              | Same as `traefik.frontend.redirect.replacement`                            |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                              | Same as `traefik.frontend.redirect.permanent`                              |
-| `traefik.<segment_name>.frontend.rule=EXP`                                             | Same as `traefik.frontend.rule`                                            |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`                          | Same as `traefik.frontend.whiteList.sourceRange`                           |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`                      | Same as `traefik.frontend.whiteList.useXForwardedFor`                      |
-
-#### Custom Headers
-
-| Label                                                                | Description                                              |
-|----------------------------------------------------------------------|----------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
-| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label                                                                   | Description                                                  |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
-| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
-| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
-| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
-| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
-| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
-| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
-| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
-| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
-| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
-| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
-| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
-| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
-| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
-| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
-| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
-| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
-| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
-| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
-| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |
+| Label                                                     | Description                                                                              |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                                  | override the default `http` protocol                                                     |
+| `traefik.weight=10`                                       | assign this weight to the container                                                      |
+| `traefik.enable=false`                                    | disable this container in Træfik                                                         |
+| `traefik.port=80`                                         | override the default `port` value. Overrides `NetworkBindings` from Docker Container     |
+| `traefik.backend.loadbalancer.method=drr`                 | override the default `wrr` load balancer algorithm                                       |
+| `traefik.backend.loadbalancer.stickiness=true`            | enable backend sticky sessions                                                           |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                         |
+| `traefik.backend.loadbalancer.sticky=true`                | enable backend sticky sessions (DEPRECATED)                                              |
+| `traefik.backend.healthcheck.path=/health`                | enable health checks for the backend, hitting the container at `path`                    |
+| `traefik.backend.healthcheck.interval=1s`                 | configure the health check interval                                                      |
+| `traefik.frontend.rule=Host:test.traefik.io`              | override the default frontend rule (Default: `Host:{containerName}.{domain}`).           |
+| `traefik.frontend.passHostHeader=true`                    | forward client `Host` header to the backend.                                             |
+| `traefik.frontend.priority=10`                            | override default frontend priority                                                       |
+| `traefik.frontend.entryPoints=http,https`                 | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. |
+| `traefik.frontend.auth.basic=EXPR`                        | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`         |

docs/configuration/backends/etcd.md

@@ -1,13 +1,13 @@
-# Etcd Provider
+# Etcd Backend
 
-Traefik can be configured to use Etcd as a provider.
+Træfik can be configured to use Etcd as a backend configuration.
 
 ```toml
 ################################################################
-# Etcd Provider
+# Etcd configuration backend
 ################################################################
 
-# Enable Etcd Provider.
+# Enable Etcd configuration backend.
 [etcd]
 
 # Etcd server endpoint.
@@ -63,10 +63,10 @@ useAPIV3 = true
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/etcd.crt"
 #    key = "/etc/ssl/etcd.key"
-#    insecureSkipVerify = true
+#    insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
 Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.
 

docs/configuration/backends/eureka.md

@@ -1,13 +1,13 @@
-# Eureka Provider
+# Eureka Backend
 
-Traefik can be configured to use Eureka as a provider.
+Træfik can be configured to use Eureka as a backend configuration.
 
 ```toml
 ################################################################
-# Eureka Provider
+# Eureka configuration backend
 ################################################################
 
-# Enable Eureka Provider.
+# Enable Eureka configuration backend.
 [eureka]
 
 # Eureka server endpoint.
@@ -21,7 +21,7 @@ endpoint = "http://my.eureka.server/eureka"
 # Optional
 # Default: 30s
 #
-refreshSeconds = "1m"
+delay = "1m"
 
 # Override default configuration template.
 # For advanced users :)

docs/configuration/backends/file.md

@@ -1,6 +1,6 @@
-# File Provider
+# File Backends
 
-Traefik can be configured with a file.
+Træfik can be configured with a file.
 
 ## Reference
 
@@ -23,17 +23,11 @@ Traefik can be configured with a file.
 
     [backends.backend1.circuitBreaker]
       expression = "NetworkErrorRatio() > 0.5"
-      
-    [backends.backend1.responseForwarding]
-      flushInterval = "10ms"
 
     [backends.backend1.loadBalancer]
       method = "drr"
       [backends.backend1.loadBalancer.stickiness]
         cookieName = "foobar"
-        secure = true
-        httpOnly = true
-        sameSite = "foobar"
 
     [backends.backend1.maxConn]
       amount = 10
@@ -43,11 +37,6 @@ Traefik can be configured with a file.
       path = "/health"
       port = 88
       interval = "30s"
-      scheme = "http"
-      hostname = "myhost.com"
-      [backends.backend1.healthcheck.headers]
-        My-Custom-Header = "foo"
-        My-Header = "bar"
 
   [backends.backend2]
     # ...
@@ -59,64 +48,13 @@ Traefik can be configured with a file.
     entryPoints = ["http", "https"]
     backend = "backend1"
     passHostHeader = true
+    passTLSCert = true
     priority = 42
-
-    # Use frontends.frontend1.auth.basic below instead
     basicAuth = [
       "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
       "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
     ]
-    [frontends.frontend1.passTLSClientCert]
-        pem = true
-        [frontends.frontend1.passTLSClientCert.infos]
-            notBefore = true
-            notAfter = true
-            [frontends.frontend1.passTLSClientCert.infos.subject]
-                country = true
-                domainComponent = true
-                province = true
-                locality = true
-                organization = true
-                commonName = true
-                serialNumber = true
-            [frontends.frontend1.passTLSClientCert.infos.issuer]
-                country = true
-                domainComponent = true
-                province = true
-                locality = true
-                organization = true
-                commonName = true
-                serialNumber = true
-    [frontends.frontend1.auth]
-      headerField = "X-WebAuth-User"
-      [frontends.frontend1.auth.basic]
-        removeHeader = true
-        users = [
-          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-        ]
-        usersFile = "/path/to/.htpasswd"
-      [frontends.frontend1.auth.digest]
-        removeHeader = true
-        users = [
-          "test:traefik:a2688e031edb4be6a3797f3882655c05",
-          "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-        ]
-        usersFile = "/path/to/.htdigest"
-      [frontends.frontend1.auth.forward]
-        address = "https://authserver.com/auth"
-        trustForwardHeader = true
-        authResponseHeaders = ["X-Auth-User"]
-        [frontends.frontend1.auth.forward.tls]
-          ca = "path/to/local.crt"
-          caOptional = true
-          cert = "path/to/foo.cert"
-          key = "path/to/foo.key"
-          insecureSkipVerify = true
-
-    [frontends.frontend1.whiteList]
-      sourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
-      useXForwardedFor = true
+    whitelistSourceRange = ["10.42.0.0/16", "152.89.1.33/32", "afed:be44::/16"]
 
     [frontends.frontend1.routes]
       [frontends.frontend1.routes.route0]
@@ -183,7 +121,6 @@ Traefik can be configured with a file.
       entryPoint = "https"
       regex = "^http://localhost/(.*)"
       replacement = "http://mydomain/$1"
-      permanent = true
 
   [frontends.frontend2]
     # ...
@@ -199,20 +136,19 @@ Traefik can be configured with a file.
   # ...
 ```
 
-## Configuration Mode
+## Configuration mode
 
-You have two choices:
+You have three choices:
 
-- [Rules in Traefik configuration file](/configuration/backends/file/#rules-in-traefik-configuration-file)
-- [Rules in dedicated files](/configuration/backends/file/#rules-in-dedicated-files)
+- [Simple](/configuration/backends/file/#simple)
+- [Rules in a Separate File](/configuration/backends/file/#rules-in-a-separate-file)
+- [Multiple `.toml` Files](/configuration/backends/file/#multiple-toml-files)
 
-To enable the file backend, you must either pass the `--file` option to the Traefik binary or put the `[file]` section (with or without inner settings) in the configuration file.
+To enable the file backend, you must either pass the `--file` option to the Træfik binary or put the `[file]` section (with or without inner settings) in the configuration file.
 
-The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Traefik).
+The configuration file allows managing both backends/frontends and HTTPS certificates (which are not [Let's Encrypt](https://letsencrypt.org) certificates generated through Træfik).
 
-TOML templating can be used if rules are not defined in the Traefik configuration file.
-
-### Rules in Traefik Configuration File
+### Simple
 
 Add your configuration at the end of the global configuration file `traefik.toml`:
 
@@ -251,22 +187,12 @@ defaultEntryPoints = ["http", "https"]
 ```
 
 !!! note
-    If `tls.entryPoints` is not defined, the certificate is attached to all the `defaultEntryPoints` with a TLS configuration.
-
-!!! note
-    Adding certificates directly to the entryPoint is still maintained but certificates declared in this way cannot be managed dynamically.
+    adding certificates directly to the entrypoint is still maintained but certificates declared in this way cannot be managed dynamically.
     It's recommended to use the file provider to declare certificates.
 
-!!! warning
-    TOML templating cannot be used if rules are defined in the Traefik configuration file.
+### Rules in a Separate File
 
-### Rules in Dedicated Files
-
-Traefik allows defining rules in one or more separate files.
-
-#### One Separate File
-
-You have to specify the file path in the `file.filename` option.
+Put your rules in a separate file, for example `rules.toml`:
 
 ```toml
 # traefik.toml
@@ -280,31 +206,8 @@ defaultEntryPoints = ["http", "https"]
 
 [file]
   filename = "rules.toml"
-  watch = true
 ```
 
-The option `file.watch` allows Traefik to watch file changes automatically.
-
-#### Multiple Separated Files
-
-You could have multiple `.toml` files in a directory (and recursively in its sub-directories):
-
-```toml
-[file]
-  directory = "/path/to/config/"
-  watch = true
-```
-
-The option `file.watch` allows Traefik to watch file changes automatically.
-
-#### Separate Files Content
-
-If you are defining rules in one or more separate files, you can use two formats.
-
-##### Simple Format
-
-Backends, Frontends and TLS certificates are defined one at time, as described in the file `rules.toml`:
-
 ```toml
 # rules.toml
 [backends]
@@ -329,34 +232,18 @@ Backends, Frontends and TLS certificates are defined one at time, as described i
   # ...
 ```
 
-##### TOML Templating
+### Multiple `.toml` Files
 
-!!! warning
-    TOML templating can only be used **if rules are defined in one or more separate files**.
-    Templating will not work in the Traefik configuration file.
-
-Traefik allows using TOML templating.
-
-Thus, it's possible to define easily lot of Backends, Frontends and TLS certificates as described in the file `template-rules.toml` :
+You could have multiple `.toml` files in a directory (and recursively in its sub-directories):
 
 ```toml
-# template-rules.toml
-[backends]
-{{ range $i, $e := until 100 }}
-  [backends.backend{{ $e }}]
-    #...
-{{ end }}
-
-[frontends]
-{{ range $i, $e := until 100 }}
-  [frontends.frontend{{ $e }}]
-    #...
-{{ end }}
-
-
-# HTTPS certificate
-{{ range $i, $e := until 100 }}
-[[tls]]
-    #...
-{{ end }}
+[file]
+  directory = "/path/to/config/"
+```
+
+If you want Træfik to watch file changes automatically, just add:
+
+```toml
+[file]
+  watch = true
 ```

docs/configuration/backends/kubernetes.md

@@ -1,6 +1,6 @@
-# Kubernetes Ingress Provider
+# Kubernetes Ingress Backend
 
-Traefik can be configured to use Kubernetes Ingress as a provider.
+Træfik can be configured to use Kubernetes Ingress as a backend configuration.
 
 See also [Kubernetes user guide](/user-guide/kubernetes).
 
@@ -8,10 +8,10 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 
 ```toml
 ################################################################
-# Kubernetes Ingress Provider
+# Kubernetes Ingress configuration backend
 ################################################################
 
-# Enable Kubernetes Ingress Provider.
+# Enable Kubernetes Ingress configuration backend.
 [kubernetes]
 
 # Kubernetes server endpoint.
@@ -50,15 +50,6 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 #
 # labelselector = "A and not B"
 
-# Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
-# If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
-# Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
-#
-# Optional
-# Default: empty
-#
-# ingressClass = "traefik-internal"
-
 # Disable PassHost Headers.
 #
 # Optional
@@ -73,34 +64,12 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 #
 # enablePassTLSCert = true
 
-# Throttle how frequently we refresh our configuration from Ingresses when there
-# are frequent changes.
-#
-# Optional
-# Default: 0 (no throttling)
-#
-# throttleDuration = 10s
-
 # Override default configuration template.
 #
 # Optional
 # Default: <built-in template>
 #
 # filename = "kubernetes.tmpl"
-
-# Enable IngressEndpoint configuration.
-# This will allow Traefik to update the status section of ingress objects, if desired.
-#
-# Optional
-#
-# [kubernetes.ingressEndpoint]
-#
-# At least one must be configured.
-# `publishedservice` will override the `hostname` and `ip` settings if configured.
-#
-# hostname = "localhost"
-# ip = "127.0.0.1"
-# publishedService = "namespace/servicename"
 ```
 
 ### `endpoint`
@@ -116,7 +85,7 @@ The endpoint may be specified to override the environment variable values inside
 
 When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
 In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted autentication and authorization of the associated kubeconfig.
 
 ### `labelselector`
 
@@ -125,275 +94,98 @@ A label selector can be defined to filter on specific Ingress objects only.
 
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
-### `ingressEndpoint`
-
-You can configure a static hostname or IP address that Traefik will add to the status section of Ingress objects that it manages.
-If you prefer, you can provide a service, which traefik will copy the status spec from.
-This will give more flexibility in cloud/dynamic environments.
-
 ### TLS communication between Traefik and backend pods
 
 Traefik automatically requests endpoint information based on the service provided in the ingress spec.
 Although traefik will connect directly to the endpoints (pods), it still checks the service port to see if TLS communication is required.
-
-There are 3 ways to configure Traefik to use https to communicate with backend pods:
-
-1. If the service port defined in the ingress spec is 443 (note that you can still use `targetPort` to use a different port on your pod).
-2. If the service port defined in the ingress spec has a name that starts with `https` (such as `https-api`, `https-web` or just `https`).
-3. If the ingress spec includes the annotation `ingress.kubernetes.io/protocol: https`.
-
-If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
+If the service port defined in the ingress spec is 443, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.
 
 !!! note
-    Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name.
+    Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name. 
     If this is not an option, you may need to skip TLS certificate verification.
-    See the [insecureSkipVerify](/configuration/commons/#main-section) setting for more details.
-
+    See the [InsecureSkipVerify](/configuration/commons/#main-section) setting for more details.
+    
 ## Annotations
 
 ### General annotations
 
 The following general annotations are applicable on the Ingress object:
 
-| Annotation                                                                      | Description                                                                                                                                                                                |
-|---------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.ingress.kubernetes.io/app-root: "/index.html"`                         | Redirects all requests for `/` to the defined path. (1)                                                                                                                                    |
-| `traefik.ingress.kubernetes.io/error-pages: <YML>`                              | See [custom error pages](/configuration/commons/#custom-error-pages) section. (2)                                                                                                          |
-| `traefik.ingress.kubernetes.io/frontend-entry-points: http,https`               | Override the default frontend endpoints.                                                                                                                                                   |
-| `traefik.ingress.kubernetes.io/pass-client-tls-cert: <YML>`                     | Forward the client certificate following the configuration in YAML. (3)                                                                                                                    |
-| `traefik.ingress.kubernetes.io/pass-tls-cert: "true"`                           | Override the default frontend PassTLSCert value. Default: `false`.(DEPRECATED)                                                                                                             |
-| `traefik.ingress.kubernetes.io/preserve-host: "true"`                           | Forward client `Host` header to the backend.                                                                                                                                               |
-| `traefik.ingress.kubernetes.io/priority: "3"`                                   | Override the default frontend rule priority.                                                                                                                                               |
-| `traefik.ingress.kubernetes.io/rate-limit: <YML>`                               | See [rate limiting](/configuration/commons/#rate-limiting) section. (4)                                                                                                                    |
-| `traefik.ingress.kubernetes.io/redirect-entry-point: https`                     | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).                                                                                                                     |
-| `traefik.ingress.kubernetes.io/redirect-permanent: "true"`                      | Return 301 instead of 302.                                                                                                                                                                 |
-| `traefik.ingress.kubernetes.io/redirect-regex: ^http://localhost/(.*)`          | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-replacement`.                                                                          |
-| `traefik.ingress.kubernetes.io/redirect-replacement: http://mydomain/$1`        | Redirect to another URL for that frontend. Must be set with `traefik.ingress.kubernetes.io/redirect-regex`.                                                                                |
-| `traefik.ingress.kubernetes.io/request-modifier: AddPrefix: /users`             | Adds a [request modifier](/basics/#modifiers) to the backend request.                                                                                                                      |
-| `traefik.ingress.kubernetes.io/rewrite-target: /users`                          | Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header.                                                                          |
-| `traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip`                      | Overrides the default frontend rule type. Only path-related matchers can be specified [(`Path`, `PathPrefix`, `PathStrip`, `PathPrefixStrip`)](/basics/#path-matcher-usage-guidelines).(5) |
-| `traefik.ingress.kubernetes.io/service-weights: <YML>`                          | Set ingress backend weights specified as percentage or decimal numbers in YAML. (6)                                                                                                        |
-| `traefik.ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"` | A comma-separated list of IP ranges permitted for access (7).                                                                                                                              |
-| `ingress.kubernetes.io/whitelist-x-forwarded-for: "true"`                       | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                     |
-| `ingress.kubernetes.io/protocol:<NAME>`                                | Set the protocol Traefik will use to communicate with pods. Acceptable protocols: http,https,h2c                                                                                                                        |
-
-<1> `traefik.ingress.kubernetes.io/app-root`:
-Non-root paths will not be affected by this annotation and handled normally.
-This annotation may not be combined with other redirect annotations.
-Trying to do so will result in the other redirects being ignored.
-This annotation can be used in combination with `traefik.ingress.kubernetes.io/redirect-permanent` to configure whether the `app-root` redirect is a 301 or a 302.
-
-<2> `traefik.ingress.kubernetes.io/error-pages` example:
-
-```yaml
-foo:
-  status:
-  - "404"
-  backend: bar
-  query: /bar
-fii:
-  status:
-  - "503"
-  - "500"
-  backend: bar
-  query: /bir
-```
-
-<3> `traefik.ingress.kubernetes.io/pass-client-tls-cert` example:
-
-```yaml
-# add escaped pem in the `X-Forwarded-Tls-Client-Cert` header
-pem: true
-# add escaped certificate following infos in the `X-Forwarded-Tls-Client-Cert-Infos` header
-infos:
-  notafter: true
-  notbefore: true
-  sans: true
-  subject:
-    country: true
-    province: true
-    locality: true
-    organization: true
-    commonname: true
-    serialnumber: true
-```
-
-If `pem` is set, it will add a `X-Forwarded-Tls-Client-Cert` header that contains the escaped pem as value.
-If at least one flag of the `infos` part is set, it will add a `X-Forwarded-Tls-Client-Cert-Infos` header that contains an escaped string composed of the client certificate data selected by the infos flags.
-This infos part is composed like the following example (not escaped):
-```
-Subject="C=FR,ST=SomeState,L=Lyon,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
-```
-
-Note these options work only with certificates issued by CAs included in the applicable [EntryPoint ClientCA section](/configuration/entrypoints/#tls-mutual-authentication); certificates from other CAs are not parsed or passed through as-is.
-
-<4> `traefik.ingress.kubernetes.io/rate-limit` example:
-
-```yaml
-extractorfunc: client.ip
-rateset:
-  bar:
-    period: 3s
-    average: 6
-    burst: 9
-  foo:
-    period: 6s
-    average: 12
-    burst: 18
-```
-
-<5> `traefik.ingress.kubernetes.io/rule-type`
-Note: `ReplacePath` is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`.
-
-<6> `traefik.ingress.kubernetes.io/service-weights`:
-Service weights enable to split traffic across multiple backing services in a fine-grained manner.
-
-Example:
-
-```yaml
-service_backend1: 12.50%
-service_backend2: 12.50%
-service_backend3: 75 # Same as 75%, the percentage sign is optional
-```
-
-A single service backend definition may be omitted; in this case, Traefik auto-completes that service backend to 100% automatically.
-Conveniently, users need not bother to compute the percentage remainder for a main service backend.
-For instance, in the example above `service_backend3` does not need to be specified to be assigned 75%.
+- `traefik.frontend.rule.type: PathPrefixStrip`
+    Override the default frontend rule type. Default: `PathPrefix`.
+- `traefik.frontend.priority: "3"`
+    Override the default frontend rule priority.
+- `traefik.frontend.redirect.entryPoint: https`:
+    Enables Redirect to another entryPoint for that frontend (e.g. HTTPS).
+- `traefik.frontend.redirect.regex: ^http://localhost/(.*)`:
+    Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.replacement`.
+- `traefik.frontend.redirect.replacement: http://mydomain/$1`:
+    Redirect to another URL for that frontend. Must be set with `traefik.frontend.redirect.regex`.
+- `traefik.frontend.entryPoints: http,https`
+    Override the default frontend endpoints.
+- `traefik.frontend.passTLSCert: true`
+    Override the default frontend PassTLSCert value. Default: `false`.
+- `ingress.kubernetes.io/rewrite-target: /users`
+    Replaces each matched Ingress path with the specified one, and adds the old path to the `X-Replaced-Path` header.
+- `ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"`
+    A comma-separated list of IP ranges permitted for access. all source IPs are permitted if the list is empty or a single range is ill-formatted.
 
 !!! note
-    For each service weight given, the Ingress specification must include a backend item with the corresponding `serviceName` and (if given) matching path.
-
-Currently, 3 decimal places for the weight are supported.
-An attempt to exceed the precision should be avoided as it may lead to percentage computation flaws and, in consequence, Ingress parsing errors.
-
-For each path definition, this annotation will fail if:
-
-- the sum of backend weights exceeds 100% or
-- the sum of backend weights is less than 100% without one or more omitted backends
-
-See also the [user guide section traffic splitting](/user-guide/kubernetes/#traffic-splitting).
-
-<7> `traefik.ingress.kubernetes.io/whitelist-source-range`:
-All source IPs are permitted if the list is empty or a single range is ill-formatted.
-Please note, you may have to set `service.spec.externalTrafficPolicy` to the value `Local` to preserve the source IP of the request for filtering.
-Please see [this link](https://kubernetes.io/docs/tutorials/services/source-ip/) for more information.
-
-
-!!! note
-    Please note that `traefik.ingress.kubernetes.io/redirect-regex` and `traefik.ingress.kubernetes.io/redirect-replacement` do not have to be set if `traefik.ingress.kubernetes.io/redirect-entry-point` is defined for the redirection (they will not be used in this case).
+    Please note that `traefik.frontend.redirect.regex` and `traefik.frontend.redirect.replacement` do not have to be set if `traefik.frontend.redirect.entryPoint` is defined for the redirection (they will not be used in this case).
 
 The following annotations are applicable on the Service object associated with a particular Ingress object:
 
-| Annotation                                                               | Description                                                                                                                                                                           |
-|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.ingress.kubernetes.io/buffering: <YML>`                         | (1) See the [buffering](/configuration/commons/#buffering) section.                                                                                                                   |
-| `traefik.backend.loadbalancer.sticky: "true"`                            | Enable backend sticky sessions (DEPRECATED).                                                                                                                                          |
-| `traefik.ingress.kubernetes.io/affinity: "true"`                         | Enable backend sticky sessions.                                                                                                                                                       |
-| `traefik.ingress.kubernetes.io/circuit-breaker-expression: <expression>` | Set the circuit breaker expression for the backend.                                                                                                                                   |
-| `traefik.ingress.kubernetes.io/responseforwarding-flushinterval: "10ms`  | Defines the interval between two flushes when forwarding response from backend to client.                                                                                             |
-| `traefik.ingress.kubernetes.io/load-balancer-method: drr`                | Override the default `wrr` load balancer algorithm.                                                                                                                                   |
-| `traefik.ingress.kubernetes.io/max-conn-amount: "10"`                    | Sets the maximum number of simultaneous connections to the backend.<br>Must be used in conjunction with the label below to take effect.                                               |
-| `traefik.ingress.kubernetes.io/max-conn-extractor-func: client.ip`       | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect. |
-| `traefik.ingress.kubernetes.io/session-cookie-name: <NAME>`              | Manually set the cookie name for sticky sessions.                                                                                                                                     |
+- `traefik.backend.loadbalancer.method=drr`
+    Override the default `wrr` load balancer algorithm.
+- `traefik.backend.loadbalancer.stickiness=true`
+    Enable backend sticky sessions.
+- `traefik.backend.loadbalancer.stickiness.cookieName=NAME`
+    Manually set the cookie name for sticky sessions.
+- `traefik.backend.loadbalancer.sticky=true`
+    Enable backend sticky sessions (DEPRECATED).
+- `traefik.backend.circuitbreaker: <expression>`
+    Set the circuit breaker expression for the backend.
 
-<1> `traefik.ingress.kubernetes.io/buffering` example:
-
-```yaml
-maxrequestbodybytes: 10485760
-memrequestbodybytes: 2097153
-maxresponsebodybytes: 10485761
-memresponsebodybytes: 2097152
-retryexpression: IsNetworkError() && Attempts() <= 2
-```
-
-!!! note
-    `traefik.ingress.kubernetes.io/` and `ingress.kubernetes.io/` are supported prefixes.
-
-### Custom Headers Annotations
-
-|                        Annotation                     |                                                                                             Description                                                                          |
-| ------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/custom-request-headers: EXPR`  | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `ingress.kubernetes.io/custom-response-headers: EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-### Security Headers Annotations
+### Security annotations
 
 The following security annotations are applicable on the Ingress object:
 
-|                        Annotation                         |                                                                                             Description                                                                                             |
-| ----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/allowed-hosts: EXPR`               | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2`                                                                                                             |
-| `ingress.kubernetes.io/browser-xss-filter: "true"`        | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `ingress.kubernetes.io/content-security-policy: VALUE`    | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `ingress.kubernetes.io/content-type-nosniff: "true"`      | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `ingress.kubernetes.io/custom-browser-xss-value: VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `ingress.kubernetes.io/force-hsts: "false"`               | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `ingress.kubernetes.io/frame-deny: "true"`                | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `ingress.kubernetes.io/hsts-max-age: "315360000"`         | Sets the max-age of the HSTS header.                                                                                                                                                                |
-| `ingress.kubernetes.io/hsts-include-subdomains: "true"`   | Adds the IncludeSubdomains section of the STS  header.                                                                                                                                              |
-| `ingress.kubernetes.io/hsts-preload: "true"`              | Adds the preload flag to the HSTS  header.                                                                                                                                                          |
-| `ingress.kubernetes.io/is-development: "false"`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `ingress.kubernetes.io/proxy-headers: EXPR`               | Provides a list of headers that the proxied hostname may be stored. Format:  `HEADER1,HEADER2`                                                                                                      |
-| `ingress.kubernetes.io/public-key: VALUE`                 | Adds HPKP header.                                                                                                                                                                                   |
-| `ingress.kubernetes.io/referrer-policy: VALUE`            | Adds referrer policy  header.                                                                                                                                                                       |
-| `ingress.kubernetes.io/ssl-redirect: "true"`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `ingress.kubernetes.io/ssl-temporary-redirect: "true"`    | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `ingress.kubernetes.io/ssl-host: HOST`                    | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `ingress.kubernetes.io/ssl-force-host: "true"`            | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `ingress.kubernetes.io/ssl-proxy-headers: EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |
+|                        Annotation                        |                                                                                             Description                                                                                             |
+| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `ingress.kubernetes.io/allowed-hosts:EXPR`               | Provides a list of allowed hosts that requests will be processed. Format: `Host1,Host2`                                                                                                             |
+| `ingress.kubernetes.io/custom-request-headers:EXPR`      | Provides the container with custom request headers that will be appended to each request forwarded to the container. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                    |
+| `ingress.kubernetes.io/custom-response-headers:EXPR`     | Appends the headers to each response returned by the container, before forwarding the response to the client. Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                           |
+| `ingress.kubernetes.io/proxy-headers:EXPR`               | Provides a list of headers that the proxied hostname may be stored. Format:  `HEADER1,HEADER2`                                                                                                      |
+| `ingress.kubernetes.io/ssl-redirect:true`                | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
+| `ingress.kubernetes.io/ssl-temporary-redirect:true`      | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
+| `ingress.kubernetes.io/ssl-host:HOST`                    | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
+| `ingress.kubernetes.io/ssl-proxy-headers:EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |
+| `ingress.kubernetes.io/hsts-max-age:315360000`           | Sets the max-age of the HSTS header.                                                                                                                                                                |
+| `ingress.kubernetes.io/hsts-include-subdomains:true`      | Adds the IncludeSubdomains section of the STS  header.                                                                                                                                              |
+| `ingress.kubernetes.io/hsts-preload:true`                | Adds the preload flag to the HSTS  header.                                                                                                                                                          |
+| `ingress.kubernetes.io/force-hsts:false`                 | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
+| `ingress.kubernetes.io/frame-deny:false`                 | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
+| `ingress.kubernetes.io/custom-frame-options-value:VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
+| `ingress.kubernetes.io/content-type-nosniff:true`        | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
+| `ingress.kubernetes.io/browser-xss-filter:true`          | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
+| `ingress.kubernetes.io/content-security-policy:VALUE`    | Adds CSP Header with the custom value.                                                                                                                                                              |
+| `ingress.kubernetes.io/public-key:VALUE`                 | Adds pinned HTST public key header.                                                                                                                                                                 |
+| `ingress.kubernetes.io/referrer-policy:VALUE`            | Adds referrer policy  header.                                                                                                                                                                       |
+| `ingress.kubernetes.io/is-development:false`             | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
 
 ### Authentication
 
-Additional authentication annotations can be added to the Ingress object.
+Is possible to add additional authentication annotations to the Ingress object.
 The source of the authentication is a Secret object that contains the credentials.
 
-| Annotation                                                           | basic | digest | forward | Description                                                                                                 |
-|----------------------------------------------------------------------|-------|--------|---------|-------------------------------------------------------------------------------------------------------------|
-| `ingress.kubernetes.io/auth-type: basic`                             |   x   |   x    |    x    | Contains the authentication type: `basic`, `digest`, `forward`.                                             |
-| `ingress.kubernetes.io/auth-secret: mysecret`                        |   x   |   x    |         | Name of Secret containing the username and password with access to the paths defined in the Ingress object. |
-| `ingress.kubernetes.io/auth-remove-header: true`                     |   x   |   x    |         | If set to `true` removes the `Authorization` header.                                                        |
-| `ingress.kubernetes.io/auth-header-field: X-WebAuth-User`            |   x   |   x    |         | Pass Authenticated user to application via headers.                                                         |
-| `ingress.kubernetes.io/auth-url: https://example.com`                |       |        |    x    | [The URL of the authentication server](/configuration/entrypoints/#forward-authentication).                 |
-| `ingress.kubernetes.io/auth-trust-headers: false`                    |       |        |    x    | Trust `X-Forwarded-*` headers.                                                                              |
-| `ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret` |       |        |    x    | Copy headers from the authentication server to the request.                                                 |
-| `ingress.kubernetes.io/auth-tls-secret: secret`                      |       |        |    x    | Name of Secret containing the certificate and key for the forward auth.                                     |
-| `ingress.kubernetes.io/auth-tls-insecure`                            |       |        |    x    | If set to `true` invalid SSL certificates are accepted.                                                     |
+- `ingress.kubernetes.io/auth-type`: `basic`
+    Contains the authentication type. The only permitted type is `basic`.
+- `ingress.kubernetes.io/auth-secret`: `mysecret`
+    Contains the username and password with access to the paths defined in the Ingress object.
 
 The secret must be created in the same namespace as the Ingress object.
 
-The following limitations hold for basic/digest auth:
+The following limitations hold:
 
 - The realm is not configurable; the only supported (and default) value is `traefik`.
 - The Secret must contain a single file only.
-
-### TLS certificates management
-
-TLS certificates can be managed in Secrets objects.
-More information are available in the  [User Guide](/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress).
-
-!!! note
-    Only TLS certificates provided by users can be stored in Kubernetes Secrets.
-    [Let's Encrypt](https://letsencrypt.org) certificates cannot be managed in Kubernets Secrets yet.
-
-### Global Default Backend Ingresses
-
-Ingresses can be created that look like the following:
-
-```yaml
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cheese
-spec:
-  backend:
-    serviceName: stilton
-    servicePort: 80
-```
-
-This ingress follows the [Global Default Backend](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) property of ingresses.
-This will allow users to create a "default backend" that will match all unmatched requests.
-
-!!! note
-    Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment, to avoid this global ingress from satisfying requests that _could_ match other ingresses.
-    To do this, use the `traefik.ingress.kubernetes.io/priority` annotation (as seen in [General Annotations](/configuration/backends/kubernetes/#general-annotations)) on your ingresses accordingly.

docs/configuration/backends/marathon.md

@@ -1,18 +1,18 @@
-# Marathon Provider
+# Marathon Backend
 
-Traefik can be configured to use Marathon as a provider.
+Træfik can be configured to use Marathon as a backend configuration.
 
 See also [Marathon user guide](/user-guide/marathon).
-
+ 
 
 ## Configuration
 
 ```toml
 ################################################################
-# Mesos/Marathon Provider
+# Mesos/Marathon configuration backend
 ################################################################
 
-# Enable Marathon Provider.
+# Enable Marathon configuration backend.
 [marathon]
 
 # Marathon server endpoint.
@@ -31,7 +31,7 @@ endpoint = "http://127.0.0.1:8080"
 #
 watch = true
 
-# Default base domain used for the frontend rules.
+# Default domain used.
 # Can be overridden by setting the "traefik.domain" label on an application.
 #
 # Required
@@ -45,15 +45,6 @@ domain = "marathon.localhost"
 #
 # filename = "marathon.tmpl"
 
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
-
 # Expose Marathon apps by default in Traefik.
 #
 # Optional
@@ -79,7 +70,7 @@ domain = "marathon.localhost"
 
 # Enable filtering using Marathon constraints..
 # If enabled, Traefik will read Marathon constraints, as defined in https://mesosphere.github.io/marathon/docs/constraints.html
-# Each individual constraint will be treated as a verbatim compounded tag.
+# Each individual constraint will be treated as a verbatim compounded tag. 
 # i.e. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":"
 #
 # Optional
@@ -103,7 +94,7 @@ domain = "marathon.localhost"
 #    CA = "/etc/ssl/ca.crt"
 #    Cert = "/etc/ssl/marathon.cert"
 #    Key = "/etc/ssl/marathon.key"
-#    insecureSkipVerify = true
+#    InsecureSkipVerify = true
 
 # DCOSToken for DCOS environment.
 # This will override the Authorization header.
@@ -120,33 +111,9 @@ domain = "marathon.localhost"
 # If no units are provided, the value is parsed assuming seconds.
 #
 # Optional
-# Default: "5s"
-#
-# dialerTimeout = "5s"
-
-# Override ResponseHeaderTimeout.
-# Amount of time to allow the Marathon provider to wait until the first response
-# header from the Marathon master is received.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
 # Default: "60s"
 #
-# responseHeaderTimeout = "60s"
-
-# Override TLSHandshakeTimeout.
-# Amount of time to allow the Marathon provider to wait until the TLS
-# handshake completes.
-# Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
-# values (digits).
-# If no units are provided, the value is parsed assuming seconds.
-#
-# Optional
-# Default: "5s"
-#
-# TLSHandshakeTimeout = "5s"
+# dialerTimeout = "60s"
 
 # Set the TCP Keep Alive interval for the Marathon HTTP Client.
 # Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw
@@ -181,234 +148,54 @@ domain = "marathon.localhost"
 # respectReadinessChecks = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
-## Labels: overriding default behavior
+## Labels: overriding default behaviour
 
-Marathon labels may be used to dynamically change the routing and forwarding behavior.
+Marathon labels may be used to dynamically change the routing and forwarding behaviour.
 
 They may be specified on one of two levels: Application or service.
 
 ### Application Level
 
-The following labels can be defined on Marathon applications. They adjust the behavior for the entire application.
+The following labels can be defined on Marathon applications. They adjust the behaviour for the entire application.
 
-| Label                                                                   | Description                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                                        | Sets the default base domain used for the frontend rules.                                                                                                                                                                     |
-| `traefik.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                           |
-| `traefik.port=80`                                                       | Registers this port. Useful when the container exposes multiples ports.                                                                                                                                                       |
-| `traefik.portIndex=1`                                                   | Registers port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                 |
-| `traefik.protocol=https`                                                | Overrides the default `http` protocol.                                                                                                                                                                                        |
-| `traefik.weight=10`                                                     | Assigns this weight to the container.                                                                                                                                                                                         |
-| `traefik.backend=foo`                                                   | Overrides the application name by `foo` in the generated name of the backend.                                                                                                                                                 |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.retryExpression=EXPR`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
-| `traefik.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                     |
-| `traefik.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
-| `traefik.backend.healthcheck.interval=1s`                               | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
-| `traefik.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                   |
-| `traefik.backend.healthcheck.scheme=http`                               | Overrides the server URL scheme.                                                                                                                                                                                              |
-| `traefik.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                            |
-| `traefik.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
-| `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
-| `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                             |
-| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
-| `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
-| `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
-| `traefik.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
-| `traefik.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.basic.users=EXPR`                                | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
-| `traefik.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.digest.users=EXPR`                               | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `traefik.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                    |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
-| `traefik.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
-| `traefik.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
-| `traefik.frontend.auth.removeHeader=true`                               | If set to true, removes the Authorization header.                                                                                                                                                                             |
-| `traefik.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
-| `traefik.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                             |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                           |
-| `traefik.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                 |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                             |
-| `traefik.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
-| `traefik.frontend.priority=10`                                          | Overrides default frontend priority                                                                                                                                                                                           |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
-| `traefik.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                   |
-| `traefik.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{sub_domain}.{domain}`.                                                                                                                                                   |
-| `traefik.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
+| Label                                                                 | Description                                                                                                                                                                        |
+|-----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend=foo`                                                 | assign the application to `foo` backend                                                                                                                                            |
+| `traefik.backend.maxconn.amount=10`                                   | set a maximum number of connections to the backend. Must be used in conjunction with the below label to take effect.                                                               |
+| `traefik.backend.maxconn.extractorfunc=client.ip`                     | set the function to be used against the request to determine what to limit maximum connections to the backend by. Must be used in conjunction with the above label to take effect. |
+| `traefik.backend.loadbalancer.method=drr`                             | override the default `wrr` load balancer algorithm                                                                                                                                 |
+| `traefik.backend.loadbalancer.sticky=true`                            | enable backend sticky sessions (DEPRECATED)                                                                                                                                        |
+| `traefik.backend.loadbalancer.stickiness=true`                        | enable backend sticky sessions                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`             | Manually set the cookie name for sticky sessions                                                                                                                                   |
+| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                       |
+| `traefik.backend.healthcheck.path=/health`                            | set the Traefik health check path [default: no health checks]                                                                                                                      |
+| `traefik.backend.healthcheck.interval=5s`                             | sets a custom health check interval in Go-parseable (`time.ParseDuration`) format [default: 30s]                                                                                   |
+| `traefik.portIndex=1`                                                 | register port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                       |
+| `traefik.port=80`                                                     | register the explicit application port value. Cannot be used alongside `traefik.portIndex`.                                                                                        |
+| `traefik.protocol=https`                                              | override the default `http` protocol                                                                                                                                               |
+| `traefik.weight=10`                                                   | assign this weight to the application                                                                                                                                              |
+| `traefik.enable=false`                                                | disable this application in Træfik                                                                                                                                                 |
+| `traefik.frontend.rule=Host:test.traefik.io`                          | override the default frontend rule (Default: `Host:{containerName}.{domain}`).                                                                                                     |
+| `traefik.frontend.passHostHeader=true`                                | forward client `Host` header to the backend.                                                                                                                                       |
+| `traefik.frontend.priority=10`                                        | override default frontend priority                                                                                                                                                 |
+| `traefik.frontend.entryPoints=http,https`                             | assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                                                                                           |
+| `traefik.frontend.auth.basic=EXPR`                                    | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.                                                                                                  |
 
-#### Custom Headers
+### Service Level
 
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-|
+For applications that expose multiple ports, specific labels can be used to extract one frontend/backend configuration pair per port. Each such pair is called a _service_. The (freely choosable) name of the service is an integral part of the service label name.
 
-#### Security Headers
-
-| Label                                                    | Description                                                                                                                                                                                         |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-
-### Applications with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to an application exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by an application.
-You can define as many segments as ports exposed in an application.
-
-Segment labels override the default behavior.
-
-| Label                                                                                  | Description                                                                |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                               | Same as `traefik.backend`                                                  |
-| `traefik.<segment_name>.domain=DOMAIN`                                                 | Same as `traefik.domain`                                                   |
-| `traefik.<segment_name>.portIndex=1`                                                   | Same as `traefik.portIndex`                                                |
-| `traefik.<segment_name>.port=PORT`                                                     | Same as `traefik.port`                                                     |
-| `traefik.<segment_name>.protocol=http`                                                 | Same as `traefik.protocol`                                                 |
-| `traefik.<segment_name>.weight=10`                                                     | Same as `traefik.weight`                                                   |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                                      | Same as `traefik.frontend.auth.basic`                                      |
-| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`                         | Same as `traefik.frontend.auth.basic.removeHeader`                         |
-| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                                | Same as `traefik.frontend.auth.basic.users`                                |
-| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Same as `traefik.frontend.auth.basic.usersFile`                            |
-| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`                        | Same as `traefik.frontend.auth.digest.removeHeader`                        |
-| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                               | Same as `traefik.frontend.auth.digest.users`                               |
-| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`                | Same as `traefik.frontend.auth.digest.usersFile`                           |
-| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`             | Same as `traefik.frontend.auth.forward.address`                            |
-| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR`                | Same as `traefik.frontend.auth.forward.authResponseHeaders`                |
-| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Same as `traefik.frontend.auth.forward.tls.ca`                             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`                     | Same as `traefik.frontend.auth.forward.tls.caOptional`                     |
-| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`               | Same as `traefik.frontend.auth.forward.tls.cert`                           |
-| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`             | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`                | Same as `traefik.frontend.auth.forward.tls.key`                            |
-| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`                 | Same as `traefik.frontend.auth.forward.trustForwardHeader`                 |
-| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`                      | Same as `traefik.frontend.auth.headerField`                                |
-| `traefik.<segment_name>.frontend.auth.removeHeader=true`                               | Same as `traefik.frontend.auth.removeHeader`                               |
-| `traefik.<segment_name>.frontend.entryPoints=https`                                    | Same as `traefik.frontend.entryPoints`                                     |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`                           | Same as `traefik.frontend.errors.<name>.backend`                           |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                             | Same as `traefik.frontend.errors.<name>.query`                             |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`                           | Same as `traefik.frontend.errors.<name>.status`                            |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                                  | Same as `traefik.frontend.passHostHeader`                                  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName`       |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent`  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true`          | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country`          |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true`                | Same as `traefik.frontend.passTLSClientCert.infos.notAfter`                |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true`               | Same as `traefik.frontend.passTLSClientCert.infos.notBefore`               |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true`                    | Same as `traefik.frontend.passTLSClientCert.infos.sans`                    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true`      | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName`      |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true`         | Same as `traefik.frontend.passTLSClientCert.infos.subject.country`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.province`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true`                           | Same as `traefik.frontend.passTLSClientCert.infos.pem`                     |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                                     | Same as `traefik.frontend.passTLSCert`                                     |
-| `traefik.<segment_name>.frontend.priority=10`                                          | Same as `traefik.frontend.priority`                                        |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`                          | Same as `traefik.frontend.rateLimit.extractorFunc`                         |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`                    | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`                 |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`                   | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`                |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`                     | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`                  |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`                            | Same as `traefik.frontend.redirect.entryPoint`                             |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`                | Same as `traefik.frontend.redirect.regex`                                  |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1`              | Same as `traefik.frontend.redirect.replacement`                            |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                              | Same as `traefik.frontend.redirect.permanent`                              |
-| `traefik.<segment_name>.frontend.rule=EXP`                                             | Same as `traefik.frontend.rule`                                            |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`                          | Same as `traefik.frontend.whiteList.sourceRange`                           |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`                      | Same as `traefik.frontend.whiteList.useXForwardedFor`                      |
-
-#### Custom Headers
-
-| Label                                                                | Description                                              |
-|----------------------------------------------------------------------|----------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
-| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label                                                                   | Description                                                  |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
-| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
-| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
-| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
-| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
-| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
-| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
-| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
-| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
-| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
-| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
-| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
-| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
-| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
-| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
-| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
-| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
-| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
-| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
-| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |
+| Label                                                  | Description                                                                                          |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------|
+| `traefik.<service-name>.port=443`                      | create a service binding with frontend/backend using this port. Overrides `traefik.port`.            |
+| `traefik.<service-name>.portIndex=1`                   | create a service binding with frontend/backend using this port index. Overrides `traefik.portIndex`. |
+| `traefik.<service-name>.protocol=https`                | assign `https` protocol. Overrides `traefik.protocol`.                                               |
+| `traefik.<service-name>.weight=10`                     | assign this service weight. Overrides `traefik.weight`.                                              |
+| `traefik.<service-name>.frontend.backend=fooBackend`   | assign this service frontend to `foobackend`. Default is to assign to the service backend.           |
+| `traefik.<service-name>.frontend.entryPoints=http`     | assign this service entrypoints. Overrides `traefik.frontend.entrypoints`.                           |
+| `traefik.<service-name>.frontend.auth.basic=test:EXPR` | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                     |
+| `traefik.<service-name>.frontend.passHostHeader=true`  | Forward client `Host` header to the backend. Overrides `traefik.frontend.passHostHeader`.            |
+| `traefik.<service-name>.frontend.priority=10`          | assign the service frontend priority. Overrides `traefik.frontend.priority`.                         |
+| `traefik.<service-name>.frontend.rule=Path:/foo`       | assign the service frontend rule. Overrides `traefik.frontend.rule`.                                 |

docs/configuration/backends/mesos.md

@@ -1,13 +1,13 @@
-# Mesos Generic Provider
+# Mesos Generic Backend
 
-Traefik can be configured to use Mesos as a provider.
+Træfik can be configured to use Mesos as a backend configuration.
 
 ```toml
 ################################################################
-# Mesos Provider
+# Mesos configuration backend
 ################################################################
 
-# Enable Mesos Provider.
+# Enable Mesos configuration backend.
 [mesos]
 
 # Mesos server endpoint.
@@ -27,20 +27,13 @@ endpoint = "http://127.0.0.1:8080"
 #
 watch = true
 
-# Default base domain used for the frontend rules.
+# Default domain used.
 # Can be overridden by setting the "traefik.domain" label on an application.
 #
 # Required
 #
 domain = "mesos.localhost"
 
-# Expose Mesos apps by default in Traefik.
-#
-# Optional
-# Default: true
-#
-# exposedByDefault = false
-
 # Override default configuration template.
 # For advanced users :)
 #
@@ -48,48 +41,46 @@ domain = "mesos.localhost"
 #
 # filename = "mesos.tmpl"
 
-# Override template version
-# For advanced users :)
+# Expose Mesos apps by default in Traefik.
 #
 # Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
+# Default: true
 #
-# templateVersion = 2
+# ExposedByDefault = false
 
 # TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
 #
 # Optional
 #
 # [mesos.TLS]
-# insecureSkipVerify = true
+# InsecureSkipVerify = true
 
 # Zookeeper timeout (in seconds).
 #
 # Optional
 # Default: 30
 #
-# zkDetectionTimeout = 30
+# ZkDetectionTimeout = 30
 
 # Polling interval (in seconds).
 #
 # Optional
 # Default: 30
 #
-# refreshSeconds = 30
+# RefreshSeconds = 30
 
-# IP sources (e.g. host, docker, mesos, netinfo).
+# IP sources (e.g. host, docker, mesos, rkt).
 #
 # Optional
 #
-# ipSources = "host"
+# IPSources = "host"
 
 # HTTP Timeout (in seconds).
 #
 # Optional
 # Default: 30
 #
-# stateTimeoutSecond = "30"
+# StateTimeoutSecond = "30"
 
 # Convert groups to subdomains.
 # Default behavior: /foo/bar/myapp => foo-bar-myapp.{defaultDomain}
@@ -99,223 +90,4 @@ domain = "mesos.localhost"
 # Default: false
 #
 # groupsAsSubDomains = true
-
 ```
-
-## Labels: overriding default behavior
-
-The following labels can be defined on Mesos tasks. They adjust the behavior for the entire application.
-
-| Label                                                                   | Description                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                                        | Sets the default base domain for the frontend rules.                                                                                                                                                                          |
-| `traefik.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                           |
-| `traefik.port=80`                                                       | Registers this port. Useful when the application exposes multiple ports.                                                                                                                                                      |
-| `traefik.portName=web`                                                  | Registers port by name in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                  |
-| `traefik.portIndex=1`                                                   | Registers port by index in the application's ports array. Useful when the application exposes multiple ports.                                                                                                                 |
-| `traefik.protocol=https`                                                | Overrides the default `http` protocol                                                                                                                                                                                         |
-| `traefik.weight=10`                                                     | Assigns this weight to the container                                                                                                                                                                                          |
-| `traefik.backend=foo`                                                   | Overrides the task name by `foo` in the generated name of the backend.                                                                                                                                                        |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.buffering.retryExpression=EXPR`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                   |
-| `traefik.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                 |
-| `traefik.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                     |
-| `traefik.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                        |
-| `traefik.backend.healthcheck.interval=1s`                               | Defines the health check interval. (Default: 30s)                                                                                                                                                                             |
-| `traefik.backend.healthcheck.scheme=http`                               | Overrides the server URL scheme.                                                                                                                                                                                              |
-| `traefik.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                   |
-| `traefik.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                            |
-| `traefik.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                     |
-| `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
-| `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie manually name for sticky sessions                                                                                                                                                                             |
-| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
-| `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
-| `traefik.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
-| `traefik.frontend.auth.basic.users=EXPR`                                | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
-| `traefik.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
-| `traefik.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
-| `traefik.frontend.auth.digest.users=EXPR`                               | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `traefik.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                    |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
-| `traefik.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                         |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                   |
-| `traefik.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                 |
-| `traefik.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header used to pass the authenticated user to the application.                                                                                                                                                       |
-| `traefik.frontend.auth.removeHeader=true`                               | If set to true, removes the Authorization header.                                                                                                                                                                             |
-| `traefik.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                   |
-| `traefik.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                 |
-| `traefik.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                 |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                             |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                           |
-| `traefik.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                 |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                            |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                             |
-| `traefik.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend.                                                                                                                                                                              |
-| `traefik.frontend.priority=10`                                          | Overrides default frontend priority                                                                                                                                                                                           |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                           |
-| `traefik.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                          |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                       |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                             |
-| `traefik.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                   |
-| `traefik.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{discovery_name}.{domain}`.                                                                                                                                               |
-| `traefik.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                       |
-
-### Custom Headers
-
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-### Security Headers
-
-| Label                                                    | Description                                                                                                                                                                                         |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-
-### Applications with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to an application exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by an application.
-You can define as many segments as ports exposed in an application.
-
-Additionally, if a segment name matches a named port, that port will be used unless `portIndex`, `portName`, or `port` labels are specified for that segment.
-
-Segment labels override the default behavior.
-
-| Label                                                                              | Description                                                            |
-|------------------------------------------------------------------------------------|------------------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                           | Same as `traefik.backend`                                              |
-| `traefik.<segment_name>.domain=DOMAIN`                                             | Same as `traefik.domain`                                               |
-| `traefik.<segment_name>.portIndex=1`                                               | Same as `traefik.portIndex`                                            |
-| `traefik.<segment_name>.portName=web`                                              | Same as `traefik.portName`                                             |
-| `traefik.<segment_name>.port=PORT`                                                 | Same as `traefik.port`                                                 |
-| `traefik.<segment_name>.protocol=http`                                             | Same as `traefik.protocol`                                             |
-| `traefik.<segment_name>.weight=10`                                                 | Same as `traefik.weight`                                               |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                                  | Same as `traefik.frontend.auth.basic`                                  |
-| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`                     | Same as `traefik.frontend.auth.basic.removeHeader`                     |
-| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                            | Same as `traefik.frontend.auth.basic.users`                            |
-| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`             | Same as `traefik.frontend.auth.basic.usersFile`                        |
-| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`                    | Same as `traefik.frontend.auth.digest.removeHeader`                    |
-| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                           | Same as `traefik.frontend.auth.digest.users`                           |
-| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`            | Same as `traefik.frontend.auth.digest.usersFile`                       |
-| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`         | Same as `traefik.frontend.auth.forward.address`                        |
-| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR`            | Same as `traefik.frontend.auth.forward.authResponseHeaders`            |
-| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`                 | Same as `traefik.frontend.auth.forward.tls.ca`                         |
-| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`                 | Same as `traefik.frontend.auth.forward.tls.caOptional`                 |
-| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`           | Same as `traefik.frontend.auth.forward.tls.cert`                       |
-| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`         | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`         |
-| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`            | Same as `traefik.frontend.auth.forward.tls.key`                        |
-| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`             | Same as `traefik.frontend.auth.forward.trustForwardHeader`             |
-| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`                  | Same as `traefik.frontend.auth.headerField`                            |
-| `traefik.<segment_name>.frontend.auth.removeHeader=true`                           | Same as `traefik.frontend.auth.removeHeader`                           |
-| `traefik.<segment_name>.frontend.entryPoints=https`                                | Same as `traefik.frontend.entryPoints`                                 |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`                       | Same as `traefik.frontend.errors.<name>.backend`                       |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                         | Same as `traefik.frontend.errors.<name>.query`                         |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`                       | Same as `traefik.frontend.errors.<name>.status`                        |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                              | Same as `traefik.frontend.passHostHeader`                              |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true`            | Same as `traefik.frontend.passTLSClientCert.infos.notAfter`            |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true`           | Same as `traefik.frontend.passTLSClientCert.infos.notBefore`           |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true`                | Same as `traefik.frontend.passTLSClientCert.infos.sans`                |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true`  | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName`  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true`     | Same as `traefik.frontend.passTLSClientCert.infos.subject.country`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`| Same as `traefik.frontend.passTLSClientCert.infos.subject.organization`|
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.province`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`| Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber`|
-| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true`                       | Same as `traefik.frontend.passTLSClientCert.infos.pem`                 |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                                 | Same as `traefik.frontend.passTLSCert`                                 |
-| `traefik.<segment_name>.frontend.priority=10`                                      | Same as `traefik.frontend.priority`                                    |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`                      | Same as `traefik.frontend.rateLimit.extractorFunc`                     |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`                | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`             |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`               | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`            |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`                 | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`              |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`                        | Same as `traefik.frontend.redirect.entryPoint`                         |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`            | Same as `traefik.frontend.redirect.regex`                              |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1`          | Same as `traefik.frontend.redirect.replacement`                        |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                          | Same as `traefik.frontend.redirect.permanent`                          |
-| `traefik.<segment_name>.frontend.rule=EXP`                                         | Same as `traefik.frontend.rule`                                        |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`                      | Same as `traefik.frontend.whiteList.sourceRange`                       |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`                  | Same as `traefik.frontend.whiteList.useXForwardedFor`                  |
-
-#### Custom Headers
-
-| Label                                                                | Description                                              |
-|----------------------------------------------------------------------|----------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | Same as `traefik.frontend.headers.customRequestHeaders`  |
-| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | Same as `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label                                                                   | Description                                                  |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | Same as `traefik.frontend.headers.allowedHosts`              |
-| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | Same as `traefik.frontend.headers.browserXSSFilter`          |
-| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | Same as `traefik.frontend.headers.contentSecurityPolicy`     |
-| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | Same as `traefik.frontend.headers.contentTypeNosniff`        |
-| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | Same as `traefik.frontend.headers.customBrowserXSSValue`     |
-| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | Same as `traefik.frontend.headers.customFrameOptionsValue`   |
-| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | Same as `traefik.frontend.headers.forceSTSHeader`            |
-| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | Same as `traefik.frontend.headers.frameDeny`                 |
-| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | Same as `traefik.frontend.headers.hostsProxyHeaders`         |
-| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | Same as `traefik.frontend.headers.isDevelopment`             |
-| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | Same as `traefik.frontend.headers.publicKey`                 |
-| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | Same as `traefik.frontend.headers.referrerPolicy`            |
-| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | Same as `traefik.frontend.headers.SSLRedirect`               |
-| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | Same as `traefik.frontend.headers.SSLTemporaryRedirect`      |
-| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | Same as `traefik.frontend.headers.SSLHost`                   |
-| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | Same as `traefik.frontend.headers.SSLForceHost`              |
-| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | Same as `traefik.frontend.headers.SSLProxyHeaders=EXPR`      |
-| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | Same as `traefik.frontend.headers.STSSeconds=315360000`      |
-| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | Same as `traefik.frontend.headers.STSIncludeSubdomains=true` |
-| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | Same as `traefik.frontend.headers.STSPreload=true`           |

docs/configuration/backends/rancher.md

@@ -1,23 +1,18 @@
-# Rancher Provider
+# Rancher Backend
 
-Traefik can be configured to use Rancher as a provider.
-
-!!! important
-    This provider is specific to Rancher 1.x.
-    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-    As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes.md) directly.
+Træfik can be configured to use Rancher as a backend configuration.
 
 ## Global Configuration
 
 ```toml
 ################################################################
-# Rancher Provider
+# Rancher configuration backend
 ################################################################
 
-# Enable Rancher Provider.
+# Enable Rancher configuration backend.
 [rancher]
 
-# Default base domain used for the frontend rules.
+# Default domain used.
 # Can be overridden by setting the "traefik.domain" label on an service.
 #
 # Required
@@ -51,38 +46,22 @@ exposedByDefault = false
 # Default: false
 #
 enableServiceHealthFilter = true
-
-# Override default configuration template.
-# For advanced users :)
-#
-# Optional
-#
-# filename = "rancher.tmpl"
-
-# Override template version
-# For advanced users :)
-#
-# Optional
-# - "1": previous template version (must be used only with older custom templates, see "filename")
-# - "2": current template version (must be used to force template version when "filename" is used)
-#
-# templateVersion = 2
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
 ## Rancher Metadata Service
 
 ```toml
-# Enable Rancher metadata service provider instead of the API
-# provider.
+# Enable Rancher metadata service configuration backend instead of the API
+# configuration backend.
 #
 # Optional
 # Default: false
 #
 [rancher.metadata]
 
-# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`.
+# Poll the Rancher metadata service for changes every `rancher.RefreshSeconds`.
 # NOTE: this is less accurate than the default long polling technique which
 # will provide near instantaneous updates to Traefik
 #
@@ -102,7 +81,7 @@ prefix = "/2016-07-29"
 ## Rancher API
 
 ```toml
-# Enable Rancher API provider.
+# Enable Rancher API configuration backend.
 #
 # Optional
 # Default: true
@@ -137,223 +116,25 @@ secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
     io.rancher.container.create_agent: true
     ```
 
-## Labels: overriding default behavior
+## Labels: overriding default behaviour
 
-### On Containers
+Labels can be used on task containers to override default behaviour:
 
-Labels can be used on task containers to override default behavior:
-
-| Label                                                                   | Description                                                                                                                                                                                                                      |
-|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.domain`                                                        | Sets the default base domain for the frontend rules.                                                                                                                                                                             |
-| `traefik.enable=false`                                                  | Disables this container in Traefik.                                                                                                                                                                                              |
-| `traefik.port=80`                                                       | Registers this port. Useful when the container exposes multiple ports.                                                                                                                                                           |
-| `traefik.protocol=https`                                                | Overrides the default `http` protocol.                                                                                                                                                                                           |
-| `traefik.weight=10`                                                     | Assigns this weight to the container.                                                                                                                                                                                            |
-| `traefik.backend=foo`                                                   | Overrides the service name by `foo` in the generated name of the backend.                                                                                                                                                        |
-| `traefik.backend.buffering.maxRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.maxResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.memRequestBodyBytes=0`                       | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.memResponseBodyBytes=0`                      | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.buffering.retryExpression=EXPR`                        | See [buffering](/configuration/commons/#buffering) section.                                                                                                                                                                      |
-| `traefik.backend.circuitbreaker.expression=EXPR`                        | Creates a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                                    |
-| `traefik.backend.responseForwarding.flushInterval=10ms`                 | Defines the interval between two flushes when forwarding response from backend to client.                                                                                                                                        |
-| `traefik.backend.healthcheck.path=/health`                              | Enables health check for the backend, hitting the container at `path`.                                                                                                                                                           |
-| `traefik.backend.healthcheck.interval=1s`                               | Defines the health check interval.                                                                                                                                                                                               |
-| `traefik.backend.healthcheck.port=8080`                                 | Sets a different port for the health check.                                                                                                                                                                                      |
-| `traefik.backend.healthcheck.scheme=http`                               | Overrides the server URL scheme.                                                                                                                                                                                                 |
-| `traefik.backend.healthcheck.hostname=foobar.com`                       | Defines the health check hostname.                                                                                                                                                                                               |
-| `traefik.backend.healthcheck.headers=EXPR`                              | Defines the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                        |
-| `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
-| `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                                  |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                   |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                                |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                      |
-| `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
-| `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
-| `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                           |
-| `traefik.frontend.auth.basic=EXPR`                                      | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                |
-| `traefik.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
-| `traefik.frontend.auth.basic.users=EXPR`                                | Sets the basic authentication to this frontend in CSV format: `User:Hash,User:Hash` .                                                                                                                                            |
-| `traefik.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets the basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
-| `traefik.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                            |
-| `traefik.frontend.auth.digest.users=EXPR`                               | Sets the digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                |
-| `traefik.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets the digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                       |
-| `traefik.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                       |
-| `traefik.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                   |
-| `traefik.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                       |
-| `traefik.frontend.auth.forward.tls.caOptional=true`                     | Checks the certificates if present but do not force to be signed by a specified Certificate Authority (CA).                                                                                                                      |
-| `traefik.frontend.auth.forward.tls.cert=/path/server.pem`               | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
-| `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`             | If set to true invalid SSL certificates are accepted.                                                                                                                                                                            |
-| `traefik.frontend.auth.forward.tls.key=/path/server.key`                | Sets the Certificate for the TLS connection with the authentication server.                                                                                                                                                      |
-| `traefik.frontend.auth.forward.trustForwardHeader=true`                 | Trusts X-Forwarded-* headers.                                                                                                                                                                                                    |
-| `traefik.frontend.auth.headerField=X-WebAuth-User`                      | Sets the header used to pass the authenticated user to the application.                                                                                                                                                          |
-| `traefik.frontend.entryPoints=http,https`                               | Assigns this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                      |
-| `traefik.frontend.errors.<name>.backend=NAME`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.errors.<name>.query=PATH`                             | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.errors.<name>.status=RANGE`                           | See [custom error pages](/configuration/commons/#custom-error-pages) section.                                                                                                                                                    |
-| `traefik.frontend.passHostHeader=true`                                  | Forwards client `Host` header to the backend.                                                                                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Add the issuer.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                     |
-| `traefik.frontend.passTLSClientCert.infos.issuer.country=true`          | Add the issuer.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                        |
-| `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Add the issuer.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                |
-| `traefik.frontend.passTLSClientCert.infos.issuer.locality=true`         | Add the issuer.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.issuer.organization=true`     | Add the issuer.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.issuer.province=true`         | Add the issuer.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Add the issuer.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                   |
-| `traefik.frontend.passTLSClientCert.infos.notAfter=true`                | Add the noAfter field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.notBefore=true`               | Add the noBefore field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                              |
-| `traefik.frontend.passTLSClientCert.infos.sans=true`                    | Add the sans field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.subject.commonName=true`      | Add the subject.commonName field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                    |
-| `traefik.frontend.passTLSClientCert.infos.subject.country=true`         | Add the subject.country field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                       |
-| `traefik.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Add the subject.domainComponent field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                               |
-| `traefik.frontend.passTLSClientCert.infos.subject.locality=true`        | Add the subject.locality field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                      |
-| `traefik.frontend.passTLSClientCert.infos.subject.organization=true`    | Add the subject.organization field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.infos.subject.province=true`        | Add the subject.province field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                      |
-| `traefik.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Add the subject.serialNumber field in a escaped client infos in the `X-Forwarded-Ssl-Client-Cert-Infos` header.                                                                                                                  |
-| `traefik.frontend.passTLSClientCert.pem=true`                           | Pass the escaped pem in the `X-Forwarded-Ssl-Client-Cert` header.                                                                                                                                                                |
-| `traefik.frontend.passTLSCert=true`                                     | Forwards TLS Client certificates to the backend.                                                                                                                                                                                 |
-| `traefik.frontend.priority=10`                                          | Overrides default frontend priority                                                                                                                                                                                              |
-| `traefik.frontend.rateLimit.extractorFunc=EXP`                          | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.period=6`                    | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.average=6`                   | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.rateLimit.rateSet.<name>.burst=6`                     | See [rate limiting](/configuration/commons/#rate-limiting) section.                                                                                                                                                              |
-| `traefik.frontend.redirect.entryPoint=https`                            | Enables Redirect to another entryPoint to this frontend (e.g. HTTPS)                                                                                                                                                             |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`                | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                          |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1`              | Redirects to another URL to this frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                                |
-| `traefik.frontend.redirect.permanent=true`                              | Returns 301 instead of 302.                                                                                                                                                                                                      |
-| `traefik.frontend.rule=EXPR`                                            | Overrides the default frontend rule. Default: `Host:{containerName}.{domain}` or `Host:{service}.{project_name}.{domain}` if you are using `docker-compose`.                                                                     |
-| `traefik.frontend.whiteList.sourceRange=RANGE`                          | Sets a list of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`                      | Uses `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                          |
-
-#### Custom Headers
-
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-#### Security Headers
-
-| Label                                                    | Description                                                                                                                                                                                         |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-
-### On containers with Multiple Ports (segment labels)
-
-Segment labels are used to define routes to a container exposing multiple ports.
-A segment is a group of labels that apply to a port exposed by a container.
-You can define as many segments as ports exposed in a container.
-
-Segment labels override the default behavior.
-
-| Label                                                                                  | Description                                                                |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| `traefik.<segment_name>.backend=BACKEND`                                               | Same as `traefik.backend`                                                  |
-| `traefik.<segment_name>.domain=DOMAIN`                                                 | Same as `traefik.domain`                                                   |
-| `traefik.<segment_name>.port=PORT`                                                     | Same as `traefik.port`                                                     |
-| `traefik.<segment_name>.protocol=http`                                                 | Same as `traefik.protocol`                                                 |
-| `traefik.<segment_name>.weight=10`                                                     | Same as `traefik.weight`                                                   |
-| `traefik.<segment_name>.frontend.auth.basic=EXPR`                                      | Same as `traefik.frontend.auth.basic`                                      |
-| `traefik.<segment_name>.frontend.auth.basic.removeHeader=true`                         | Same as `traefik.frontend.auth.basic.removeHeader`                         |
-| `traefik.<segment_name>.frontend.auth.basic.users=EXPR`                                | Same as `traefik.frontend.auth.basic.users`                                |
-| `traefik.<segment_name>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Same as `traefik.frontend.auth.basic.usersFile`                            |
-| `traefik.<segment_name>.frontend.auth.digest.removeHeader=true`                        | Same as `traefik.frontend.auth.digest.removeHeader`                        |
-| `traefik.<segment_name>.frontend.auth.digest.users=EXPR`                               | Same as `traefik.frontend.auth.digest.users`                               |
-| `traefik.<segment_name>.frontend.auth.digest.usersFile=/path/.htdigest`                | Same as `traefik.frontend.auth.digest.usersFile`                           |
-| `traefik.<segment_name>.frontend.auth.forward.address=https://example.com`             | Same as `traefik.frontend.auth.forward.address`                            |
-| `traefik.<segment_name>.frontend.auth.forward.authResponseHeaders=EXPR`                | Same as `traefik.frontend.auth.forward.authResponseHeaders`                |
-| `traefik.<segment_name>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Same as `traefik.frontend.auth.forward.tls.ca`                             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.caOptional=true`                     | Same as `traefik.frontend.auth.forward.tls.caOptional`                     |
-| `traefik.<segment_name>.frontend.auth.forward.tls.cert=/path/server.pem`               | Same as `traefik.frontend.auth.forward.tls.cert`                           |
-| `traefik.<segment_name>.frontend.auth.forward.tls.insecureSkipVerify=true`             | Same as `traefik.frontend.auth.forward.tls.insecureSkipVerify`             |
-| `traefik.<segment_name>.frontend.auth.forward.tls.key=/path/server.key`                | Same as `traefik.frontend.auth.forward.tls.key`                            |
-| `traefik.<segment_name>.frontend.auth.forward.trustForwardHeader=true`                 | Same as `traefik.frontend.auth.forward.trustForwardHeader`                 |
-| `traefik.<segment_name>.frontend.auth.headerField=X-WebAuth-User`                      | Same as `traefik.frontend.auth.headerField`                                |
-| `traefik.<segment_name>.frontend.entryPoints=https`                                    | Same as `traefik.frontend.entryPoints`                                     |
-| `traefik.<segment_name>.frontend.errors.<name>.backend=NAME`                           | Same as `traefik.frontend.errors.<name>.backend`                           |
-| `traefik.<segment_name>.frontend.errors.<name>.query=PATH`                             | Same as `traefik.frontend.errors.<name>.query`                             |
-| `traefik.<segment_name>.frontend.errors.<name>.status=RANGE`                           | Same as `traefik.frontend.errors.<name>.status`                            |
-| `traefik.<segment_name>.frontend.passHostHeader=true`                                  | Same as `traefik.frontend.passHostHeader`                                  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.commonName=true`       | Same as `traefik.frontend.passTLSClientCert.infos.issuer.commonName`       |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.country=true`          | Same as `traefik.frontend.passTLSClientCert.infos.issuer.country`          |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.domainComponent=true`  | Same as `traefik.frontend.passTLSClientCert.infos.issuer.domainComponent`  |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.locality=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.locality`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.organization=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.organization`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.province=true`         | Same as `traefik.frontend.passTLSClientCert.infos.issuer.province`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.issuer.serialNumber=true`     | Same as `traefik.frontend.passTLSClientCert.infos.issuer.serialNumber`     |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notAfter=true`                | Same as `traefik.frontend.passTLSClientCert.infos.notAfter`                |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.notBefore=true`               | Same as `traefik.frontend.passTLSClientCert.infos.notBefore`               |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.sans=true`                    | Same as `traefik.frontend.passTLSClientCert.infos.sans`                    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.commonName=true`      | Same as `traefik.frontend.passTLSClientCert.infos.subject.commonName`      |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.country=true`         | Same as `traefik.frontend.passTLSClientCert.infos.subject.country`         |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.domainComponent=true` | Same as `traefik.frontend.passTLSClientCert.infos.subject.domainComponent` |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.locality=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.locality`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.organization=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.organization`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.province=true`        | Same as `traefik.frontend.passTLSClientCert.infos.subject.province`        |
-| `traefik.<segment_name>.frontend.passTLSClientCert.infos.subject.serialNumber=true`    | Same as `traefik.frontend.passTLSClientCert.infos.subject.serialNumber`    |
-| `traefik.<segment_name>.frontend.passTLSClientCert.pem=true`                           | Same as `traefik.frontend.passTLSClientCert.infos.pem`                     |
-| `traefik.<segment_name>.frontend.passTLSCert=true`                                     | Same as `traefik.frontend.passTLSCert`                                     |
-| `traefik.<segment_name>.frontend.priority=10`                                          | Same as `traefik.frontend.priority`                                        |
-| `traefik.<segment_name>.frontend.rateLimit.extractorFunc=EXP`                          | Same as `traefik.frontend.rateLimit.extractorFunc`                         |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.period=6`                    | Same as `traefik.frontend.rateLimit.rateSet.<name>.period`                 |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.average=6`                   | Same as `traefik.frontend.rateLimit.rateSet.<name>.average`                |
-| `traefik.<segment_name>.frontend.rateLimit.rateSet.<name>.burst=6`                     | Same as `traefik.frontend.rateLimit.rateSet.<name>.burst`                  |
-| `traefik.<segment_name>.frontend.redirect.entryPoint=https`                            | Same as `traefik.frontend.redirect.entryPoint`                             |
-| `traefik.<segment_name>.frontend.redirect.regex=^http://localhost/(.*)`                | Same as `traefik.frontend.redirect.regex`                                  |
-| `traefik.<segment_name>.frontend.redirect.replacement=http://mydomain/$1`              | Same as `traefik.frontend.redirect.replacement`                            |
-| `traefik.<segment_name>.frontend.redirect.permanent=true`                              | Same as `traefik.frontend.redirect.permanent`                              |
-| `traefik.<segment_name>.frontend.rule=EXP`                                             | Same as `traefik.frontend.rule`                                            |
-| `traefik.<segment_name>.frontend.whiteList.sourceRange=RANGE`                          | Same as `traefik.frontend.whiteList.sourceRange`                           |
-| `traefik.<segment_name>.frontend.whiteList.useXForwardedFor=true`                      | Same as `traefik.frontend.whiteList.useXForwardedFor`                      |
-
-#### Custom Headers
-
-| Label                                                                | Description                                                |
-|----------------------------------------------------------------------|------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.customRequestHeaders=EXPR ` | overrides `traefik.frontend.headers.customRequestHeaders`  |
-| `traefik.<segment_name>.frontend.headers.customResponseHeaders=EXPR` | overrides `traefik.frontend.headers.customResponseHeaders` |
-
-#### Security Headers
-
-| Label                                                                   | Description                                                  |
-|-------------------------------------------------------------------------|--------------------------------------------------------------|
-| `traefik.<segment_name>.frontend.headers.allowedHosts=EXPR`             | overrides `traefik.frontend.headers.allowedHosts`            |
-| `traefik.<segment_name>.frontend.headers.browserXSSFilter=true`         | overrides `traefik.frontend.headers.browserXSSFilter`        |
-| `traefik.<segment_name>.frontend.headers.contentSecurityPolicy=VALUE`   | overrides `traefik.frontend.headers.contentSecurityPolicy`   |
-| `traefik.<segment_name>.frontend.headers.contentTypeNosniff=true`       | overrides `traefik.frontend.headers.contentTypeNosniff`      |
-| `traefik.<segment_name>.frontend.headers.customBrowserXSSValue=VALUE`   | overrides `traefik.frontend.headers.customBrowserXSSValue`   |
-| `traefik.<segment_name>.frontend.headers.customFrameOptionsValue=VALUE` | overrides `traefik.frontend.headers.customFrameOptionsValue` |
-| `traefik.<segment_name>.frontend.headers.forceSTSHeader=false`          | overrides `traefik.frontend.headers.forceSTSHeader`          |
-| `traefik.<segment_name>.frontend.headers.frameDeny=false`               | overrides `traefik.frontend.headers.frameDeny`               |
-| `traefik.<segment_name>.frontend.headers.hostsProxyHeaders=EXPR`        | overrides `traefik.frontend.headers.hostsProxyHeaders`       |
-| `traefik.<segment_name>.frontend.headers.isDevelopment=false`           | overrides `traefik.frontend.headers.isDevelopment`           |
-| `traefik.<segment_name>.frontend.headers.publicKey=VALUE`               | overrides `traefik.frontend.headers.publicKey`               |
-| `traefik.<segment_name>.frontend.headers.referrerPolicy=VALUE`          | overrides `traefik.frontend.headers.referrerPolicy`          |
-| `traefik.<segment_name>.frontend.headers.SSLRedirect=true`              | overrides `traefik.frontend.headers.SSLRedirect`             |
-| `traefik.<segment_name>.frontend.headers.SSLTemporaryRedirect=true`     | overrides `traefik.frontend.headers.SSLTemporaryRedirect`    |
-| `traefik.<segment_name>.frontend.headers.SSLHost=HOST`                  | overrides `traefik.frontend.headers.SSLHost`                 |
-| `traefik.<segment_name>.frontend.headers.SSLForceHost=true`             | overrides `traefik.frontend.headers.SSLForceHost`            |
-| `traefik.<segment_name>.frontend.headers.SSLProxyHeaders=EXPR`          | overrides `traefik.frontend.headers.SSLProxyHeaders`         |
-| `traefik.<segment_name>.frontend.headers.STSSeconds=315360000`          | overrides `traefik.frontend.headers.STSSeconds`              |
-| `traefik.<segment_name>.frontend.headers.STSIncludeSubdomains=true`     | overrides `traefik.frontend.headers.STSIncludeSubdomains`    |
-| `traefik.<segment_name>.frontend.headers.STSPreload=true`               | overrides `traefik.frontend.headers.STSPreload`              |
+| Label                                                                 | Description                                                                                             |
+|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| `traefik.protocol=https`                                              | Override the default `http` protocol                                                                    |
+| `traefik.weight=10`                                                   | Assign this weight to the container                                                                     |
+| `traefik.enable=false`                                                | Disable this container in Træfik                                                                        |
+| `traefik.frontend.rule=Host:test.traefik.io`                          | Override the default frontend rule (Default: `Host:{containerName}.{domain}`).                          |
+| `traefik.frontend.passHostHeader=true`                                | Forward client `Host` header to the backend.                                                            |
+| `traefik.frontend.priority=10`                                        | Override default frontend priority                                                                      |
+| `traefik.frontend.entryPoints=http,https`                             | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`.                |
+| `traefik.frontend.auth.basic=EXPR`                                    | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`.                       |
+| `traefik.frontend.redirect.entryPoint=https`                          | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                   |
+| `traefik.frontend.redirect.regex: ^http://localhost/(.*)`             | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`. |
+| `traefik.frontend.redirect.replacement: http://mydomain/$1`           | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.       |
+| `traefik.backend.circuitbreaker.expression=NetworkErrorRatio() > 0.5` | Create a [circuit breaker](/basics/#backends) to be used against the backend                            |
+| `traefik.backend.loadbalancer.method=drr`                             | Override the default `wrr` load balancer algorithm                                                      |
+| `traefik.backend.loadbalancer.stickiness=true`                        | Enable backend sticky sessions                                                                          |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`             | Manually set the cookie name for sticky sessions                                                        |
+| `traefik.backend.loadbalancer.sticky=true`                            | Enable backend sticky sessions (DEPRECATED)                                                             |

docs/configuration/backends/rest.md

@@ -1,13 +1,13 @@
-# Rest Provider
+# Rest Backend
 
-Traefik can be configured:
+Træfik can be configured:
 
 - using a RESTful api.
 
 ## Configuration
 
 ```toml
-# Enable REST Provider.
+# Enable rest backend.
 [rest]
   # Name of the related entry point
   #
@@ -29,7 +29,7 @@ Traefik can be configured:
 
 
 ```shell
-curl -XPUT -d @file "http://localhost:8080/api/providers/rest"
+curl -XPUT @file "http://localhost:8080/api/providers/rest"
 ```
 
 with `@file`:

docs/configuration/backends/servicefabric.md

@@ -1,6 +1,6 @@
-# Azure Service Fabric Provider
+# Azure Service Fabric Backend
 
-Traefik can be configured to use Azure Service Fabric as a provider.
+Træfik can be configured to use Azure Service Fabric as a backend configuration.
 
 See [this repository for an example deployment package and further documentation.](https://aka.ms/traefikonsf)
 
@@ -8,10 +8,10 @@ See [this repository for an example deployment package and further documentation
 
 ```toml
 ################################################################
-# Azure Service Fabric Provider
+# Azure Service Fabric provider
 ################################################################
 
-# Enable Azure Service Fabric Provider
+# Enable Azure Service Fabric configuration backend
 [serviceFabric]
 
 # Azure Service Fabric Management Endpoint
@@ -42,18 +42,18 @@ refreshSeconds = 10
 #   ca = "/etc/ssl/ca.crt"
 #   cert = "/etc/ssl/servicefabric.crt"
 #   key = "/etc/ssl/servicefabric.key"
-#   insecureSkipVerify = true
+#   insecureskipverify = true
 ```
 
 ## Labels
 
-The provider uses labels to configure how services are exposed through Traefik.
+The provider uses labels to configure how services are exposed through Træfik.
 These can be set using Extensions and the Property Manager API
 
 #### Extensions
 
 Set labels with extensions through the services `ServiceManifest.xml` file.
-Here is an example of an extension setting Traefik labels:
+Here is an example of an extension setting Træfik labels:
 
 ```xml
 <StatelessServiceType ServiceTypeName="WebServiceType">
@@ -61,7 +61,7 @@ Here is an example of an extension setting Traefik labels:
       <Extension Name="Traefik">
         <Labels xmlns="http://schemas.microsoft.com/2015/03/fabact-no-schema">
           <Label Key="traefik.frontend.rule.example2">PathPrefixStrip: /a/path/to/strip</Label>
-          <Label Key="traefik.enable">true</Label>
+          <Label Key="traefik.expose">true</Label>
           <Label Key="traefik.frontend.passHostHeader">true</Label>
         </Labels>
       </Extension>
@@ -69,12 +69,10 @@ Here is an example of an extension setting Traefik labels:
 </StatelessServiceType>
 ```
 
-> **Note**: The `Label` tag and its `Key` attribute are case sensitive. That is, if you use `label` instead of `Label` or `key` instead of `Key`, they will be silently ignored.
-
-#### Property Manager
+#### Property Manager 
 
 Set Labels with the property manager API to overwrite and add labels, while your service is running.
-Here is an example of adding a frontend rule using the property manager API.
+Here is an example of adding a frontend rule using the property manager API. 
 
 ```shell
 curl -X PUT \
@@ -94,71 +92,23 @@ curl -X PUT \
 
 ## Available Labels
 
-Labels, set through extensions or the property manager, can be used on services to override default behavior.
+Labels, set through extensions or the property manager, can be used on services to override default behaviour.
 
-| Label                                                      | Description                                                                                                                                                                                                               |
-|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.enable=false`                                     | Disable this container in Traefik                                                                                                                                                                                         |
-| `traefik.backend.circuitbreaker.expression=EXPR`           | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                              |
-| `traefik.servicefabric.groupname`                          | Group all services with the same name into a single backend in Traefik                                                                                                                                                    |
-| `traefik.servicefabric.groupweight`                        | Set the weighting of the current services nodes in the backend group                                                                                                                                                      |
-| `traefik.servicefabric.enablelabeloverrides`               | Toggle whether labels can be overridden using the Service Fabric Property Manager API                                                                                                                                     |
-| `traefik.servicefabric.endpointname`                       | Specify the name of the endpoint                                                                                                                                                                                          |
-| `traefik.backend.healthcheck.path=/health`                 | Enable health check for the backend, hitting the container at `path`.                                                                                                                                                     |
-| `traefik.backend.healthcheck.port=8080`                    | Allow to use a different port for the health check.                                                                                                                                                                       |
-| `traefik.backend.healthcheck.interval=1s`                  | Define the health check interval.                                                                                                                                                                                         |
-| `traefik.backend.healthcheck.hostname=foobar.com`          | Define the health check hostname.                                                                                                                                                                                         |
-| `traefik.backend.healthcheck.headers=EXPR`                 | Define the health check request headers <br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                                                                                                  |
-| `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
-| `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
-| `traefik.backend.loadbalancer.stickiness.secure=true`      | Sets secure cookie option for sticky sessions.                                                                                                                                                                            |
-| `traefik.backend.loadbalancer.stickiness.httpOnly=true`    | Sets http only cookie option for sticky sessions                                                                                                                                                                          |
-| `traefik.backend.loadbalancer.stickiness.sameSite=none`    | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                               |
-| `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
-| `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
-| `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
-| `traefik.backend.weight=10`                                | Assign this weight to the container                                                                                                                                                                                       |
-| `traefik.frontend.auth.basic=EXPR`                         | Sets basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                          |
-| `traefik.frontend.entryPoints=http,https`                  | Assign this frontend to entry points `http` and `https`.<br>Overrides `defaultEntryPoints`                                                                                                                                |
-| `traefik.frontend.passHostHeader=true`                     | Forward client `Host` header to the backend.                                                                                                                                                                              |
-| `traefik.frontend.passTLSCert=true`                        | Forward TLS Client certificates to the backend.                                                                                                                                                                           |
-| `traefik.frontend.priority=10`                             | Override default frontend priority                                                                                                                                                                                        |
-| `traefik.frontend.redirect.entryPoint=https`               | Enables Redirect to another entryPoint for that frontend (e.g. HTTPS)                                                                                                                                                     |
-| `traefik.frontend.redirect.regex=^http://localhost/(.*)`   | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.replacement`.                                                                                                                   |
-| `traefik.frontend.redirect.replacement=http://mydomain/$1` | Redirect to another URL for that frontend.<br>Must be set with `traefik.frontend.redirect.regex`.                                                                                                                         |
-| `traefik.frontend.redirect.permanent=true`                 | Return 301 instead of 302.                                                                                                                                                                                                |
-| `traefik.frontend.rule=EXPR`                               | Override the default frontend rule. Defaults to SF address.                                                                                                                                                               |
-| `traefik.frontend.whiteList.sourceRange=RANGE`             | List of IP-Ranges which are allowed to access.<br>An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
-| `traefik.frontend.whiteList.useXForwardedFor=true`         | Use `X-Forwarded-For` header as valid source of IP for the white list.                                                                                                                                                    |
-
-### Custom Headers
-
-| Label                                                 | Description                                                                                                                                                                         |
-|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.customRequestHeaders=EXPR ` | Provides the container with custom request headers that will be appended to each request forwarded to the container.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code> |
-| `traefik.frontend.headers.customResponseHeaders=EXPR` | Appends the headers to each response returned by the container, before forwarding the response to the client.<br>Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>        |
-
-### Security Headers
-
-| Label                                                    | Description                                                                                                                                                                                         |
-|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `traefik.frontend.headers.allowedHosts=EXPR`             | Provides a list of allowed hosts that requests will be processed.<br>Format: `Host1,Host2`                                                                                                          |
-| `traefik.frontend.headers.hostsProxyHeaders=EXPR `       | Provides a list of headers that the proxied hostname may be stored.<br>Format: `HEADER1,HEADER2`                                                                                                    |
-| `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
-| `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
-| `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
-| `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
-| `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
-| `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |
-| `traefik.frontend.headers.forceSTSHeader=false`          | Adds the STS  header to non-SSL requests.                                                                                                                                                           |
-| `traefik.frontend.headers.frameDeny=false`               | Adds the `X-Frame-Options` header with the value of `DENY`.                                                                                                                                         |
-| `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value.                                                                                                                                       |
-| `traefik.frontend.headers.contentTypeNosniff=true`       | Adds the `X-Content-Type-Options` header with the value `nosniff`.                                                                                                                                  |
-| `traefik.frontend.headers.browserXSSFilter=true`         | Adds the X-XSS-Protection header with the value `1; mode=block`.                                                                                                                                    |
-| `traefik.frontend.headers.customBrowserXSSValue=VALUE`   | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option.                                                                                                           |
-| `traefik.frontend.headers.contentSecurityPolicy=VALUE`   | Adds CSP Header with the custom value.                                                                                                                                                              |
-| `traefik.frontend.headers.publicKey=VALUE`               | Adds HPKP header.                                                                                                                                                                                   |
-| `traefik.frontend.headers.referrerPolicy=VALUE`          | Adds referrer policy  header.                                                                                                                                                                       |
-| `traefik.frontend.headers.isDevelopment=false`           | This will cause the `AllowedHosts`, `SSLRedirect`, and `STSSeconds`/`STSIncludeSubdomains` options to be ignored during development.<br>When deploying to production, be sure to set this to false. |
+| Label                                                     | Description                                                                                                                                                                                                            |
+|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `traefik.backend.maxconn.amount=10`                       | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
+| `traefik.backend.maxconn.extractorfunc=client.ip`         | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                  |
+| `traefik.backend.loadbalancer.method=drr`                 | Override the default `wrr` load balancer algorithm                                                                                                                                                                     |
+| `traefik.backend.loadbalancer.stickiness=true`            | Enable backend sticky sessions                                                                                                                                                                                         |
+| `traefik.backend.loadbalancer.stickiness.cookieName=NAME` | Manually set the cookie name for sticky sessions                                                                                                                                                                       |
+| `traefik.backend.circuitbreaker.expression=EXPR`          | Create a [circuit breaker](/basics/#backends) to be used against the backend                                                                                                                                           |
+| `traefik.backend.weight=10`                               | Assign this weight to the container                                                                                                                                                                                    |
+| `traefik.expose=true`                                     | Expose this service using træfik                                                                                                                                                                                      |
+| `traefik.frontend.rule=EXPR`                              | Override the default frontend rule. Defaults to SF address.                                                                                                                                                            |
+| `traefik.frontend.passHostHeader=true`                    | Forward client `Host` header to the backend.                                                                                                                                                                           |
+| `traefik.frontend.priority=10`                            | Override default frontend priority                                                                                                                                                                                     |
+| `traefik.frontend.entryPoints=http,https`                 | Assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`                                                                                                                                |
+| `traefik.frontend.auth.basic=EXPR`                        | Set basic authentication for that frontend in CSV format: `User:Hash,User:Hash`                                                                                                                                       |
+| `traefik.frontend.whitelistSourceRange:RANGE`             | List of IP-Ranges which are allowed to access. An unset or empty list allows all Source-IPs to access.<br>If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access. |
+| `traefik.backend.group.name`                              | Group all services with the same name into a single backend in Træfik                                                                                                                                                |
+| `traefik.backend.group.weight`                            | Set the weighting of the current services nodes in the backend group                                                                                                                                                  |

docs/configuration/backends/web.md

@@ -1,9 +1,9 @@
-# Web Provider
+# Web Backend
 
 !!! danger "DEPRECATED"
     The web provider is deprecated, please use the [api](/configuration/api.md), the [ping](/configuration/ping.md), the [metrics](/configuration/metrics) and the [rest](/configuration/backends/rest.md) provider.
 
-Traefik can be configured:
+Træfik can be configured:
 
 - using a RESTful api.
 - to use a monitoring system (like Prometheus, DataDog or StatD, ...).
@@ -12,7 +12,7 @@ Traefik can be configured:
 ## Configuration
 
 ```toml
-# Enable Web Provider.
+# Enable web backend.
 [web]
 
 # Web administration port.
@@ -97,7 +97,7 @@ usersFile = "/path/to/.htdigest"
 
 ## Metrics
 
-You can enable Traefik to export internal metrics to different monitoring systems.
+You can enable Træfik to export internal metrics to different monitoring systems.
 
 ### Prometheus
 
@@ -185,13 +185,6 @@ pushinterval = "10s"
 #
 address = "localhost:8089"
 
-# InfluxDB's address protocol (udp or http)
-#
-# Required
-# Default: "udp"
-#
-protocol = "udp"
-
 # InfluxDB push interval
 #
 # Optional
@@ -199,20 +192,6 @@ protocol = "udp"
 #
 pushinterval = "10s"
 
-# InfluxDB database used when protocol is http
-#
-# Optional
-# Default: ""
-#
-database = ""
-
-# InfluxDB retention policy used when protocol is http
-#
-# Optional
-# Default: ""
-#
-retentionpolicy = ""
-
 # ...
 ```
 
@@ -239,8 +218,8 @@ recentErrors = 10
 
 | Path                                                            |     Method    | Description                                                                                        |
 |-----------------------------------------------------------------|:-------------:|----------------------------------------------------------------------------------------------------|
-| `/`                                                             |     `GET`     | Provides a simple HTML frontend of Traefik                                                          |
-| `/ping`                                                         | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
+| `/`                                                             |     `GET`     | Provides a simple HTML frontend of Træfik                                                          |
+| `/ping`                                                         | `GET`, `HEAD` | A simple endpoint to check for Træfik process liveness. Return a code `200` with the content: `OK` |
 | `/health`                                                       |     `GET`     | JSON health metrics                                                                                |
 | `/api`                                                          |     `GET`     | Configuration for all providers                                                                    |
 | `/api/providers`                                                |     `GET`     | Providers                                                                                          |
@@ -286,11 +265,11 @@ curl -s "http://localhost:8080/health" | jq .
 ```
 ```json
 {
-  // Traefik PID
+  // Træfik PID
   "pid": 2458,
-  // Traefik server uptime (formated time)
+  // Træfik server uptime (formated time)
   "uptime": "39m6.885931127s",
-  //  Traefik server uptime in seconds
+  //  Træfik server uptime in seconds
   "uptime_sec": 2346.885931127,
   // current server date
   "time": "2015-10-07 18:32:24.362238909 +0200 CEST",
@@ -300,7 +279,7 @@ curl -s "http://localhost:8080/health" | jq .
   "status_code_count": {
     "502": 1
   },
-  // count HTTP response status code since Traefik started
+  // count HTTP response status code since Træfik started
   "total_status_code_count": {
     "200": 7,
     "404": 21,

docs/configuration/backends/zookeeper.md

@@ -1,13 +1,13 @@
-# Zookeeper Provider
+# Zookeeper Backend
 
-Traefik can be configured to use Zookeeper as a provider.
+Træfik can be configured to use Zookeeper as a backend configuration.
 
 ```toml
 ################################################################
-# Zookeeper Provider
+# Zookeeper configuration backend
 ################################################################
 
-# Enable Zookeeper Provider.
+# Enable Zookeeperconfiguration backend.
 [zookeeper]
 
 # Zookeeper server endpoint.
@@ -53,9 +53,9 @@ prefix = "traefik"
 #    ca = "/etc/ssl/ca.crt"
 #    cert = "/etc/ssl/zookeeper.crt"
 #    key = "/etc/ssl/zookeeper.key"
-#    insecureSkipVerify = true
+#    insecureskipverify = true
 ```
 
-To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+To enable constraints see [backend-specific constraints section](/configuration/commons/#backend-specific).
 
 Please refer to the [Key Value storage structure](/user-guide/kv-config/#key-value-storage-structure) section to get documentation on Traefik KV structure.