chore: fix PyYAML version

Co-authored-by: Jared Rodriguez <jared@blacknode.net>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+/traefik

.gitattributes

@@ -1 +1 @@
-# vendor/github.com/xenolf/lego/providers/dns/cloudxns/cloudxns.go eol=crlf
+# vendor/github.com/go-acme/lego/providers/dns/cloudxns/cloudxns.go eol=crlf

.github/CODEOWNERS

@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,7 +12,7 @@ HOW TO WRITE A GOOD PULL REQUEST?
 - Write useful descriptions and titles.
 - Address review comments in terms of additional commits.
 - Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
+- Read the contributing guide: https://github.com/traefik/traefik/blob/master/CONTRIBUTING.md.
 
 -->
 

.github/workflows/build.yaml

@@ -0,0 +1,95 @@
+name: Build Binaries
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  CGO_ENABLED: 0
+  PRE_TARGET: ""
+
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Build webui
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: |
+          make generate-webui
+          tar czvf webui.tar.gz ./static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+
+  build:
+    runs-on: ubuntu-20.04
+    needs:
+      - build-webui
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            '%LocalAppData%\go-build'
+          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-build-go-
+
+      - name: Install gobindata
+        run: |
+          curl -fsSL -o $(go env GOPATH)/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata
+          chmod +x $(go env GOPATH)/bin/go-bindata
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+      - name: Untar webui
+        run: tar xvf webui.tar.gz
+
+      - name: Build for darwin
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: GOOS=darwin GOARCH=amd64 make binary
+
+      - name: Build for linux
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: GOOS=linux GOARCH=amd64 make binary
+
+      - name: Build for windows
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: GOOS=windows GOARCH=amd64 make binary

.github/workflows/check_doc.yaml

@@ -0,0 +1,21 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+
+  docs:
+    name: Check, verify and build documentation
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Check documentation
+        run: make docs-verify

.github/workflows/documentation.yaml

@@ -0,0 +1,52 @@
+name: Build and Publish Documentation
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+env:
+  STRUCTOR_VERSION: v1.11.2
+  MIXTUS_VERSION: v0.4.1
+
+jobs:
+
+  docs:
+    name: Doc Process
+    runs-on: ubuntu-20.04
+    if: github.repository == 'traefik/traefik'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install Structor ${{ env.STRUCTOR_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
+
+      - name: Install Seo-doc
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
+
+      - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
+
+      - name: Build documentation
+        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
+        env:
+          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+
+      - name: Apply seo
+        run: $HOME/bin/seo -path=./site
+
+      - name: Publish documentation
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}

.github/workflows/experimental.yaml

@@ -0,0 +1,37 @@
+name: Build experimental image on branch
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  experimental:
+    if: github.repository == 'traefik/traefik'
+    name: Build experimental image on branch
+    runs-on: ubuntu-20.04
+
+    steps:
+
+      # https://github.com/marketplace/actions/checkout
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Branch name
+        run: echo ${GITHUB_REF##*/}
+
+      - name: Build docker experimental image
+        run: docker build -t traefik/traefik:experimental-${GITHUB_REF##*/} -f exp.Dockerfile .
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push to Docker Hub
+        run: docker push traefik/traefik:experimental-${GITHUB_REF##*/}

.github/workflows/test-unit.yaml

@@ -0,0 +1,53 @@
+name: Test Unit
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  PRE_TARGET: ""
+
+jobs:
+
+  test-unit:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-test-unit-go-
+
+      - name: Install gobindata
+        run: |
+          curl -fsSL -o $(go env GOPATH)/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata
+          chmod +x $(go env GOPATH)/bin/go-bindata
+
+      - name: Avoid generating webui
+        run: mkdir -p webui/static && touch webui/static/index.html
+
+      - name: Tests
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: make test-unit

.github/workflows/validate.yaml

@@ -0,0 +1,102 @@
+name: Validate
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  MISSSPELL_VERSION: v0.3.4
+  PRE_TARGET: ""
+
+jobs:
+
+  validate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-go-
+
+      - name: Install golint
+        run: go install golang.org/x/lint/golint@latest
+
+      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+
+      - name: Install gobindata
+        run: |
+          curl -fsSL -o $(go env GOPATH)/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata
+          chmod +x $(go env GOPATH)/bin/go-bindata
+
+      - name: Avoid generating webui
+        run: mkdir -p webui/static && touch webui/static/index.html
+
+      - name: Validate
+        env:
+          DOCKER_RUN_TRAEFIK: ""
+        run: make validate
+
+  validate-generate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-generate-go-
+
+      - name: Install gobindata
+        run: |
+          curl -fsSL -o $(go env GOPATH)/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata
+          chmod +x $(go env GOPATH)/bin/go-bindata
+
+      - name: go generate
+        run: |
+          go generate
+          git diff --exit-code
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code

.gitignore

@@ -1,15 +1,21 @@
-/dist
-/autogen/genstatic/gen.go
 .idea/
 .intellij/
 *.iml
-/traefik
-/traefik.toml
-/static/
-/webui/.tmp/
 .vscode/
+.DS_Store
+/static/
+/autogen/genstatic/gen.go
+/webui/.tmp/
+/examples/acme/acme.json
 /site/
+/docs/site/
+/traefik.toml
+/traefik.yml
+/dist
+/traefik
 *.log
 *.exe
-.DS_Store
-/examples/acme/acme.json
+cover.out
+vendor/
+plugins-storage/
+traefik_changelog.md

.gometalinter.json

@@ -1,42 +0,0 @@
-{
-  "Vendor": true,
-  "Sort": [
-    "path",
-    "line",
-    "column",
-    "severity",
-    "linter"
-  ],
-  "Test": true,
-  "Cyclo": 15,
-  "Enable": [
-    "gotypex",
-    "nakedret",
-    "vet",
-    "goimports",
-    "golint",
-    "ineffassign",
-    "gotype",
-    "misspell",
-    "structcheck",
-    "gosimple",
-    "unconvert",
-    "varcheck",
-    "errcheck",
-    "unused",
-    "deadcode",
-    "staticcheck"
-  ],
-  "Disable": [
-    "gas",
-    "maligned",
-    "interfacer",
-    "goconst",
-    "gocyclo",
-    "vetshadow"
-  ],
-  "Exclude": [
-    "autogen/.*"
-  ],
-  "Deadline": "5m"
-}

.semaphore/semaphore.yml

@@ -0,0 +1,106 @@
+version: v1.0
+name: Traefik
+agent:
+  machine:
+    type: e1-standard-4
+    os_image: ubuntu1804
+
+fail_fast:
+  stop:
+    when: "branch != 'master'"
+
+auto_cancel:
+  queued:
+    when: "branch != 'master'"
+  running:
+    when: "branch != 'master'"
+
+global_job_config:
+  prologue:
+    commands:
+      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
+      - sudo semgo go1.16
+      - export "GOPATH=$(go env GOPATH)"
+      - export "GOROOT=$(go env GOROOT)"
+      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
+      - export "PATH=${GOPATH}/bin:${GOROOT}/bin:${PATH}"
+      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
+      - curl -fsSL -o ${GOPATH}/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata
+      - chmod +x ${GOPATH}/bin/go-bindata
+      - export GOPROXY=https://proxy.golang.org,direct
+      - checkout
+      - cache restore traefik-$(checksum go.sum)
+
+blocks:
+  - name: Test Integration Container
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      env_vars:
+        - name: DOCKER_RUN_TRAEFIK
+          value: ""
+        - name: TEST_CONTAINER
+          value: "1"
+      jobs:
+        - name: Test Integration Container
+          commands:
+            - make pull-images
+            - mkdir -p webui/static && touch webui/static/index.html # Avoid generating webui
+            - make binary-with-no-ui
+            - sudo CONTAINER=DOCKER DOCKER_RUN_TRAEFIK="" TEST_CONTAINER=1 make test-integration-container
+            - df -h
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Test Integration Host
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      env_vars:
+        - name: DOCKER_RUN_TRAEFIK
+          value: ""
+      jobs:
+        - name: Test Integration Host
+          commands:
+            - mkdir -p webui/static && touch webui/static/index.html # Avoid generating webui
+            - make binary-with-no-ui
+            - sudo DOCKER_RUN_TRAEFIK="" TEST_HOST=1 make test-integration-host
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Release
+    dependencies: []
+    run:
+      when: "tag =~ '.*'"
+    task:
+      agent:
+        machine:
+          type: e1-standard-8
+          os_image: ubuntu1804
+      secrets:
+        - name: traefik
+      env_vars:
+        - name: GH_VERSION
+          value: 1.12.1
+        - name: CODENAME
+          value: "maroilles"
+        - name: DOCKER_RUN_TRAEFIK
+          value: ""
+      prologue:
+        commands:
+          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
+          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
+          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
+          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+      jobs:
+        - name: Release
+          commands:
+            - make crossbinary-parallel
+            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
+            - ./script/deploy.sh

.semaphoreci/cleanup.sh

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static

.semaphoreci/job1.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

.semaphoreci/job2.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j${N_MAKE_JOBS} crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export DOCKER_VERSION=17.03.1
-
-source .semaphoreci/vars
-
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R); fi
-
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-
-if [ -n "$SHOULD_TEST" ]; then  docker version; fi

.semaphoreci/vars

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export REPO='containous/traefik'
-
-if VERSION=$(git describe --exact-match --abbrev=0 --tags);
-then
-  export VERSION
-else
-  export VERSION=''
-fi
-
-export CODENAME=maroilles
-
-export N_MAKE_JOBS=2
-
-
-function ci_retry {
-
-    local NRETRY=3
-    local NSLEEP=5
-    local n=0
-
-    until [ $n -ge $NRETRY ]
-    do
-        "$@" && break
-        n=$[$n+1]
-        echo "$@ failed, attempt ${n}/${NRETRY}"
-        sleep $NSLEEP
-    done
-
-    [ $n -lt $NRETRY ]
-
-}
-
-export -f ci_retry
-

.travis.yml

@@ -1,64 +0,0 @@
-sudo: required
-dist: trusty
-
-git:
-  depth: false
-
-services:
-  - docker
-
-env:
-  global:
-    - REPO: $TRAVIS_REPO_SLUG
-    - VERSION: $TRAVIS_TAG
-    - CODENAME: maroilles
-    - N_MAKE_JOBS: 2
-
-script:
-- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
-- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs-verify; fi
-
-before_deploy:
-  - >
-    if ! [ "$BEFORE_DEPLOY_RUN" ]; then
-      export BEFORE_DEPLOY_RUN=1;
-      sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
-      docker version;
-      make image;
-      if [ "$TRAVIS_TAG" ]; then
-        make -j${N_MAKE_JOBS} crossbinary-parallel;
-        tar cfz dist/traefik-${VERSION}.src.tar.gz --exclude-vcs --exclude dist .;
-      fi;
-      curl -sI https://github.com/containous/structor/releases/latest | grep -Fi Location  | tr -d '\r' | sed "s/tag/download/g" | awk -F " " '{ print $2 "/structor_linux-amd64"}' | wget --output-document=$GOPATH/bin/structor -i -;
-      chmod +x $GOPATH/bin/structor;
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/master/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --exp-branch=master --debug;
-    fi
-deploy:
-  - provider: releases
-    api_key: ${GITHUB_TOKEN}
-    file: dist/traefik*
-    skip_cleanup: true
-    file_glob: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy.sh
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy-docker.sh
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      all_branches: true

CODE_OF_CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at contact@containo.us
+reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

CONTRIBUTING.md

@@ -13,11 +13,11 @@ You need to run the `binary` target. This will create binaries for Linux platfor
 $ make binary
 docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile .
 Sending build context to Docker daemon 295.3 MB
-Step 0 : FROM golang:1.11-alpine
+Step 0 : FROM golang:1.14-alpine
  ---> 8c6473912976
 Step 1 : RUN go get github.com/golang/dep/cmd/dep
 [...]
-docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
+docker run --rm  -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:no-more-godep-ever" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
@@ -32,7 +32,7 @@ traefik*
 ##### Setting up your `go` environment
 
 - You need `go` v1.9+
-- It is recommended you clone Traefik into a directory like `~/go/src/github.com/containous/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
+- It is recommended you clone Traefik into a directory like `~/go/src/github.com/traefik/traefik` (This is the official golang workspace hierarchy, and will allow dependencies to resolve properly)
 - Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
 
 ```bash
@@ -61,7 +61,7 @@ GORACE=""
 Once your environment is set up and the Traefik repository cloned you can build Traefik. You need get `go-bindata` once to be able to use `go generate` command as part of the build.  The steps to build are:
 
 ```bash
-cd ~/go/src/github.com/containous/traefik
+cd ~/go/src/github.com/traefik/traefik
 
 # Get go-bindata. Please note, the ellipses are required
 go get github.com/containous/go-bindata/...
@@ -77,7 +77,7 @@ go build ./cmd/traefik
 # run other commands like tests
 ```
 
-You will find the Traefik executable in the `~/go/src/github.com/containous/traefik` folder as `traefik`.
+You will find the Traefik executable in the `~/go/src/github.com/traefik/traefik` folder as `traefik`.
 
 ### Updating the templates
 
@@ -87,7 +87,7 @@ If you happen to update the provider templates (in `/templates`), you need to ru
 
 [dep](https://github.com/golang/dep) is not required for building; however, it is necessary to modify dependencies (i.e., add, update, or remove third-party packages)
 
-You need to use [dep](https://github.com/golang/dep) >= 0.4.1 and < 0.5.0.
+You need to use [dep](https://github.com/golang/dep) >= 0.5.0.
 
 If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
 
@@ -117,13 +117,13 @@ integration test using the `test-integration` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements
 
 Test success
 ```
@@ -151,14 +151,14 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory by `$ go test ./...` which should return `ok` similar to:
 
 ```
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```
 
 Integration tests must be run from the `integration/` directory and require the `-integration` switch to be passed like this: `$ cd integration && go test -integration ./...`.
 
 ## Documentation
 
-The [documentation site](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/)
+The [documentation site](https://doc.traefik.io/traefik/v1.7/) is built with [mkdocs](https://mkdocs.org/)
 
 ### Building Documentation
 
@@ -170,7 +170,7 @@ You can build the documentation and serve it locally with livereloading, using t
 $ make docs
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -224,7 +224,7 @@ You can verify that the documentation meets some expectations, as checking for d
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```

Gopkg.toml

@@ -1,266 +0,0 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#  name = "github.com/x/y"
-#  version = "2.4.0"
-
-[prune]
-  non-go = true
-  go-tests = true
-  unused-packages = true
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/ArthurHlt/go-eureka-client"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/BurntSushi/toml"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/BurntSushi/ty"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/NYTimes/gziphandler"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/abbot/go-http-auth"
-  source = "github.com/containous/go-http-auth"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/armon/go-proxyproto"
-
-[[constraint]]
-  name = "github.com/aws/aws-sdk-go"
-  version = "1.13.11"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/cenk/backoff"
-
-[[constraint]]
-  name = "github.com/containous/flaeg"
-  version = "1.4.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/containous/mux"
-
-[[constraint]]
-  name = "github.com/containous/staert"
-  version = "3.1.1"
-
-[[constraint]]
-  name = "github.com/containous/traefik-extra-service-fabric"
-  version = "1.4.0"
-
-[[constraint]]
-  name = "github.com/coreos/go-systemd"
-  version = "14.0.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/docker/leadership"
-  source = "github.com/containous/leadership"
-
-[[constraint]]
-  name = "github.com/eapache/channels"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/elazarl/go-bindata-assetfs"
-
-[[constraint]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[override]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[constraint]]
-  name = "github.com/go-kit/kit"
-  version = "0.7.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/gorilla/websocket"
-
-[[constraint]]
-  name = "github.com/hashicorp/consul"
-  version = "1.0.6"
-
-[[constraint]]
-  name = "github.com/influxdata/influxdb"
-  version = "1.3.7"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/jjcollinge/servicefabric"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/abronan/valkeyrie"
-
-[[constraint]]
-  name = "github.com/mesosphere/mesos-dns"
-  source = "https://github.com/containous/mesos-dns.git"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/mitchellh/copystructure"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/mitchellh/hashstructure"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/mitchellh/mapstructure"
-
-[[constraint]]
-  name = "github.com/opentracing/opentracing-go"
-  version = "1.0.2"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/rancher/go-rancher-metadata"
-  source = "github.com/containous/go-rancher-metadata"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/ryanuber/go-glob"
-
-[[constraint]]
-  name = "github.com/satori/go.uuid"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/stvp/go-udp-testing"
-
-[[constraint]]
-  name = "github.com/stretchr/testify"
-  version = "1.2.1"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-client-go"
-  version = "2.15.0"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-lib"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "v1"
-  name = "github.com/unrolled/secure"
-
-[[constraint]]
-  name = "github.com/vdemeester/shakers"
-  version = "0.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/vulcand/oxy"
-
-[[constraint]]
-#  branch = "master"
-  name = "github.com/xenolf/lego"
-  version = "2.0.1"
-
-[[constraint]]
-  name = "google.golang.org/grpc"
-  version = "1.5.2"
-
-[[constraint]]
-  name = "gopkg.in/fsnotify.v1"
-  source = "github.com/fsnotify/fsnotify"
-  version = "1.4.2"
-
-[[constraint]]
-  name = "k8s.io/client-go"
-  version = "6.0.0"
-
-[[constraint]]
-  name = "k8s.io/api"
-  version = "kubernetes-1.9.0"
-
-[[constraint]]
-  name = "k8s.io/apimachinery"
-  version = "kubernetes-1.9.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker-check"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/compose"
-
-[[constraint]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/cli"
- revision = "6b63d7b96a41055baddc3fa71f381c7f60bd5d8e"
-
-[[override]]
- name = "github.com/docker/distribution"
- revision = "edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c"
-
-[[override]]
-  branch = "master"
-  name = "github.com/docker/libcompose"
-
-[[override]]
-  name = "github.com/Nvveen/Gotty"
-  revision = "a8b993ba6abdb0e0c12b0125c603323a71c7790c"
-  source = "github.com/ijc25/Gotty"
-
-[[override]]
-  # ALWAYS keep this override
-  name = "github.com/mailgun/timetools"
-  revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
-
-[[override]]
-  version = "v1.1.1"
-  name = "github.com/miekg/dns"
-
-[[constraint]]
-  name = "github.com/patrickmn/go-cache"
-  version = "2.1.0"
-
-[[constraint]]
-  name = "gopkg.in/DataDog/dd-trace-go.v1"
-  version = "1.7.0"

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2018 Containous SAS; 2020-2022 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

MAINTAINER.md

@@ -27,7 +27,7 @@ We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
 
 ## Bots
 
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
+### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/)
 
 **Update and Merge Pull Request**
 
@@ -51,13 +51,13 @@ This label is used when:
 - Preparing the release
 
 
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
+### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/)
 
 * closes stale issues [cron]
     * use some criterion as number of days between creation, last update, labels, ...
 
 
-### [Myrmica Aloba](https://github.com/containous/aloba)
+### [Myrmica Aloba](https://github.com/traefik/aloba)
 
 **Manage GitHub labels**
 

Makefile

@@ -14,12 +14,12 @@ TRAEFIK_ENVS := \
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
 
 BIND_DIR := "dist"
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 TRAEFIK_DOC_IMAGE := traefik-docs
 TRAEFIK_DOC_VERIFY_IMAGE := $(TRAEFIK_DOC_IMAGE)-verify
@@ -27,7 +27,7 @@ DOCS_VERIFY_SKIP ?= false
 
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK ?= docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
 DOCKER_RUN_DOC_PORT := 8000
 DOCKER_RUN_DOC_MOUNT := -v $(CURDIR):/mkdocs
@@ -44,6 +44,9 @@ all: generate-webui build ## validate all checks, build linux binary, run all te
 binary: generate-webui build ## build the linux binary
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary
 
+binary-with-no-ui: ## build the linux binary without the ui generation
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary
+
 crossbinary: generate-webui build ## cross build the non-linux binaries
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate crossbinary
 
@@ -75,8 +78,14 @@ test-integration: build ## run the integration tests
 	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary test-integration
 	TEST_HOST=1 ./script/make.sh test-integration
 
+test-integration-container: build ## Run the container integration tests
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh test-integration
+
+test-integration-host: build ## Run the host integration tests
+	TEST_HOST=1 ./script/make.sh test-integration
+
 validate: build  ## validate code, vendor and autogen
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-govet validate-golint validate-misspell validate-vendor validate-autogen
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh validate-gofmt validate-golint validate-misspell validate-vendor validate-autogen
 
 build: dist
 	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
@@ -133,7 +142,7 @@ generate-webui: build-webui
 	if [ ! -d "static" ]; then \
 		mkdir -p static; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build; \
-		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
+		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
 
 lint:
@@ -145,12 +154,5 @@ fmt:
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq  | xargs -P 6 -n 1 docker pull
 
-dep-ensure:
-	dep ensure -v
-	./script/prune-dep.sh
-
-dep-prune:
-	./script/prune-dep.sh
-
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

README.md

@@ -4,10 +4,10 @@
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik/v1.7)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](http://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
@@ -70,22 +70,22 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
-- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
-- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
-- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
-- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
-- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
-- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
-- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
-- [File](https://docs.traefik.io/configuration/backends/file)
-- [Rest](https://docs.traefik.io/configuration/backends/rest)
+- [Docker](https://doc.traefik.io/traefik/v1.7/configuration/backends/docker) / [Swarm mode](https://doc.traefik.io/traefik/v1.7/configuration/backends/docker#docker-swarm-mode)
+- [Kubernetes](https://doc.traefik.io/traefik/v1.7/configuration/backends/kubernetes)
+- [Mesos](https://doc.traefik.io/traefik/v1.7/configuration/backends/mesos) / [Marathon](https://doc.traefik.io/traefik/v1.7/configuration/backends/marathon)
+- [Rancher](https://doc.traefik.io/traefik/v1.7/configuration/backends/rancher) (API, Metadata)
+- [Azure Service Fabric](https://doc.traefik.io/traefik/v1.7/configuration/backends/servicefabric)
+- [Consul Catalog](https://doc.traefik.io/traefik/v1.7/configuration/backends/consulcatalog)
+- [Consul](https://doc.traefik.io/traefik/v1.7/configuration/backends/consul) / [Etcd](https://doc.traefik.io/traefik/v1.7/configuration/backends/etcd) / [Zookeeper](https://doc.traefik.io/traefik/v1.7/configuration/backends/zookeeper) / [BoltDB](https://doc.traefik.io/traefik/v1.7/configuration/backends/boltdb)
+- [Eureka](https://doc.traefik.io/traefik/v1.7/configuration/backends/eureka)
+- [Amazon ECS](https://doc.traefik.io/traefik/v1.7/configuration/backends/ecs)
+- [Amazon DynamoDB](https://doc.traefik.io/traefik/v1.7/configuration/backends/dynamodb)
+- [File](https://doc.traefik.io/traefik/v1.7/configuration/backends/file)
+- [Rest](https://doc.traefik.io/traefik/v1.7/configuration/backends/rest)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](http://doc.traefik.io/traefik/v1.7/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
 
 Alternatively, if you don't want to install anything on your computer, you can try Traefik online in this great [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. 
 
@@ -100,7 +100,7 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation at [https://doc.traefik.io/traefik/v1.7](https://doc.traefik.io/traefik/v1.7).
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
@@ -109,17 +109,17 @@ To get community support, you can:
 - join the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
 - use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
 
-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
 
 ## Download
 
-- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v1.7/traefik.sample.toml):
 
 ```shell
 ./traefik --configFile=traefik.toml
 ```
 
-- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v1.7/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -128,7 +128,7 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:
 
 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```
 
 ## Introductory Videos

acme/account.go

@@ -14,11 +14,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/containous/traefik/log"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/types"
-	"github.com/xenolf/lego/certcrypto"
-	"github.com/xenolf/lego/registration"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/registration"
+	"github.com/traefik/traefik/log"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/types"
 )
 
 // Account is used to store lets encrypt registration info
@@ -111,7 +111,12 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 		return privateKey
 	}
 
-	log.Errorf("Cannot unmarshall private key %+v", a.PrivateKey)
+	keySnippet := ""
+	if len(a.PrivateKey) >= 16 {
+		keySnippet = string(a.PrivateKey[:16])
+	}
+
+	log.Errorf("Cannot unmarshall private key beginning with %s", keySnippet)
 	return nil
 }
 

acme/acme.go

@@ -20,32 +20,33 @@ import (
 	"github.com/containous/flaeg"
 	"github.com/containous/mux"
 	"github.com/containous/staert"
-	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/log"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/types"
-	"github.com/containous/traefik/version"
 	"github.com/eapache/channels"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/challenge/http01"
+	"github.com/go-acme/lego/v4/lego"
+	legolog "github.com/go-acme/lego/v4/log"
+	"github.com/go-acme/lego/v4/providers/dns"
+	"github.com/go-acme/lego/v4/registration"
 	"github.com/sirupsen/logrus"
-	"github.com/xenolf/lego/certificate"
-	"github.com/xenolf/lego/challenge"
-	"github.com/xenolf/lego/challenge/dns01"
-	"github.com/xenolf/lego/challenge/http01"
-	"github.com/xenolf/lego/lego"
-	legolog "github.com/xenolf/lego/log"
-	"github.com/xenolf/lego/providers/dns"
-	"github.com/xenolf/lego/registration"
+	"github.com/traefik/traefik/cluster"
+	"github.com/traefik/traefik/log"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/types"
+	"github.com/traefik/traefik/version"
 )
 
 var (
-	// OSCPMustStaple enables OSCP stapling as from https://github.com/xenolf/lego/issues/270
+	// OSCPMustStaple enables OSCP stapling as from https://github.com/go-acme/lego/issues/270
 	OSCPMustStaple = false
 )
 
 // ACME allows to connect to lets encrypt and retrieve certs
 // Deprecated Please use provider/acme/Provider
 type ACME struct {
+	PreferredChain        string                      `description:"Preferred chain to use."`
 	Email                 string                      `description:"Email address used for registration"`
 	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
 	Storage               string                      `description:"File or key used for certificates storage."`
@@ -68,7 +69,7 @@ type ACME struct {
 	challengeTLSProvider  *challengeTLSProvider
 	checkOnDemandDomain   func(domain string) bool
 	jobs                  *channels.InfiniteChannel
-	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used"`
+	TLSConfig             *tls.Config `description:"TLS config in case wildcard certs are used" hash:"-"`
 	dynamicCerts          *safe.Safe
 	resolvingDomains      map[string]struct{}
 	resolvingDomainsMutex sync.RWMutex
@@ -376,11 +377,13 @@ func (a *ACME) renewACMECertificate(certificateResource *DomainsCertificate) (*C
 		CertStableURL: certificateResource.Certificate.CertStableURL,
 		PrivateKey:    certificateResource.Certificate.PrivateKey,
 		Certificate:   certificateResource.Certificate.Certificate,
-	}, true, OSCPMustStaple)
+	}, true, OSCPMustStaple, a.PreferredChain)
 	if err != nil {
 		return nil, err
 	}
+
 	log.Infof("Renewed certificate from  LE: %+v", certificateResource.Domains)
+
 	return &Certificate{
 		Domain:        renewedCert.Domain,
 		CertURL:       renewedCert.CertURL,
@@ -448,14 +451,18 @@ func (a *ACME) buildACMEClient(account *Account) (*lego.Client, error) {
 
 		err = client.Challenge.SetDNS01Provider(provider,
 			dns01.CondOption(len(a.DNSChallenge.Resolvers) > 0, dns01.AddRecursiveNameservers(a.DNSChallenge.Resolvers)),
-			dns01.CondOption(a.DNSChallenge.DisablePropagationCheck || a.DNSChallenge.DelayBeforeCheck > 0,
-				dns01.AddPreCheck(func(_, _ string) (bool, error) {
-					if a.DNSChallenge.DelayBeforeCheck > 0 {
-						log.Debugf("Delaying %d rather than validating DNS propagation now.", a.DNSChallenge.DelayBeforeCheck)
-						time.Sleep(time.Duration(a.DNSChallenge.DelayBeforeCheck))
-					}
+			dns01.WrapPreCheck(func(domain, fqdn, value string, check dns01.PreCheckFunc) (bool, error) {
+				if a.DNSChallenge.DelayBeforeCheck > 0 {
+					log.Debugf("Delaying %d rather than validating DNS propagation now.", a.DNSChallenge.DelayBeforeCheck)
+					time.Sleep(time.Duration(a.DNSChallenge.DelayBeforeCheck))
+				}
+
+				if a.DNSChallenge.DisablePropagationCheck {
 					return true, nil
-				})),
+				}
+
+				return check(fqdn, value)
+			}),
 		)
 		return client, err
 	}
@@ -703,9 +710,10 @@ func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 	bundle := true
 
 	request := certificate.ObtainRequest{
-		Domains:    cleanDomains,
-		Bundle:     bundle,
-		MustStaple: OSCPMustStaple,
+		Domains:        cleanDomains,
+		Bundle:         bundle,
+		MustStaple:     OSCPMustStaple,
+		PreferredChain: a.PreferredChain,
 	}
 
 	cert, err := a.client.Certificate.Obtain(request)
@@ -751,12 +759,6 @@ func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string
 			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME does not allow '*.*' wildcard domain", strings.Join(domains, ","))
 		}
 	}
-	for _, san := range domains[1:] {
-		if strings.HasPrefix(san, "*") {
-			return nil, fmt.Errorf("unable to generate a certificate for domains %q: SANs can not be a wildcard domain", strings.Join(domains, ","))
-
-		}
-	}
 
 	domains = fun.Map(types.CanonicalDomain, domains).([]string)
 	return domains, nil

acme/acme_test.go

@@ -11,10 +11,10 @@ import (
 	"testing"
 	"time"
 
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/tls/generate"
-	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/tls/generate"
+	"github.com/traefik/traefik/types"
 )
 
 func TestDomainsSet(t *testing.T) {
@@ -419,12 +419,12 @@ func TestAcme_getValidDomain(t *testing.T) {
 			expectedDomains: []string{"*.traefik.wtf", "traefik.wtf"},
 		},
 		{
-			desc:            "unexpected SANs",
+			desc:            "wildcard SANs",
 			domains:         []string{"*.traefik.wtf", "*.acme.wtf"},
 			dnsChallenge:    &acmeprovider.DNSChallenge{},
 			wildcardAllowed: true,
-			expectedErr:     "unable to generate a certificate for domains \"*.traefik.wtf,*.acme.wtf\": SANs can not be a wildcard domain",
-			expectedDomains: nil,
+			expectedErr:     "",
+			expectedDomains: []string{"*.traefik.wtf", "*.acme.wtf"},
 		},
 	}
 	for _, test := range testCases {

acme/challenge_http_provider.go

@@ -6,10 +6,10 @@ import (
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/safe"
-	"github.com/xenolf/lego/challenge"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/traefik/traefik/cluster"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/safe"
 )
 
 var _ challenge.ProviderTimeout = (*challengeHTTPProvider)(nil)

acme/challenge_tls_provider.go

@@ -8,11 +8,11 @@ import (
 	"time"
 
 	"github.com/cenk/backoff"
-	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/safe"
-	"github.com/xenolf/lego/challenge"
-	"github.com/xenolf/lego/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
+	"github.com/traefik/traefik/cluster"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/safe"
 )
 
 var _ challenge.ProviderTimeout = (*challengeTLSProvider)(nil)

acme/localStore.go

@@ -5,8 +5,8 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/provider/acme"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/provider/acme"
 )
 
 // LocalStore is a store using a file as storage

anonymize/anonymize_config_test.go

@@ -7,32 +7,32 @@ import (
 	"time"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/api"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/middlewares"
-	"github.com/containous/traefik/provider"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/provider/boltdb"
-	"github.com/containous/traefik/provider/consul"
-	"github.com/containous/traefik/provider/consulcatalog"
-	"github.com/containous/traefik/provider/docker"
-	"github.com/containous/traefik/provider/dynamodb"
-	"github.com/containous/traefik/provider/ecs"
-	"github.com/containous/traefik/provider/etcd"
-	"github.com/containous/traefik/provider/eureka"
-	"github.com/containous/traefik/provider/file"
-	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/kv"
-	"github.com/containous/traefik/provider/marathon"
-	"github.com/containous/traefik/provider/mesos"
-	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/zk"
-	"github.com/containous/traefik/safe"
-	traefiktls "github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
-	"github.com/elazarl/go-bindata-assetfs"
+	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/thoas/stats"
+	"github.com/traefik/traefik/acme"
+	"github.com/traefik/traefik/api"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/middlewares"
+	"github.com/traefik/traefik/provider"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/provider/boltdb"
+	"github.com/traefik/traefik/provider/consul"
+	"github.com/traefik/traefik/provider/consulcatalog"
+	"github.com/traefik/traefik/provider/docker"
+	"github.com/traefik/traefik/provider/dynamodb"
+	"github.com/traefik/traefik/provider/ecs"
+	"github.com/traefik/traefik/provider/etcd"
+	"github.com/traefik/traefik/provider/eureka"
+	"github.com/traefik/traefik/provider/file"
+	"github.com/traefik/traefik/provider/kubernetes"
+	"github.com/traefik/traefik/provider/kv"
+	"github.com/traefik/traefik/provider/marathon"
+	"github.com/traefik/traefik/provider/mesos"
+	"github.com/traefik/traefik/provider/rancher"
+	"github.com/traefik/traefik/provider/zk"
+	"github.com/traefik/traefik/safe"
+	traefiktls "github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
 )
 
 func TestDo_globalConfiguration(t *testing.T) {

api/dashboard.go

@@ -2,10 +2,11 @@ package api
 
 import (
 	"net/http"
+	"net/url"
 
 	"github.com/containous/mux"
-	"github.com/containous/traefik/log"
-	"github.com/elazarl/go-bindata-assetfs"
+	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/traefik/traefik/log"
 )
 
 // DashboardHandler expose dashboard routes
@@ -23,17 +24,35 @@ func (g DashboardHandler) AddRoutes(router *mux.Router) {
 	// Expose dashboard
 	router.Methods(http.MethodGet).
 		Path("/").
-		HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
-			http.Redirect(response, request, request.Header.Get("X-Forwarded-Prefix")+"/dashboard/", 302)
+		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			http.Redirect(resp, req, safePrefix(req)+"/dashboard/", 302)
 		})
 
 	router.Methods(http.MethodGet).
 		Path("/dashboard/status").
-		HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
-			http.Redirect(response, request, "/dashboard/", 302)
+		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			http.Redirect(resp, req, "/dashboard/", 302)
 		})
 
 	router.Methods(http.MethodGet).
 		PathPrefix("/dashboard/").
 		Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets)))
 }
+
+func safePrefix(req *http.Request) string {
+	prefix := req.Header.Get("X-Forwarded-Prefix")
+	if prefix == "" {
+		return ""
+	}
+
+	parse, err := url.Parse(prefix)
+	if err != nil {
+		return ""
+	}
+
+	if parse.Host != "" {
+		return ""
+	}
+
+	return parse.Path
+}

api/dashboard_test.go

@@ -0,0 +1,54 @@
+package api
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_safePrefix(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		value    string
+		expected string
+	}{
+		{
+			desc:     "host",
+			value:    "https://example.com",
+			expected: "",
+		},
+		{
+			desc:     "host with path",
+			value:    "https://example.com/foo/bar?test",
+			expected: "",
+		},
+		{
+			desc:     "path",
+			value:    "/foo/bar",
+			expected: "/foo/bar",
+		},
+		{
+			desc:     "path without leading slash",
+			value:    "foo/bar",
+			expected: "foo/bar",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			req, err := http.NewRequest(http.MethodGet, "http://localhost", nil)
+			require.NoError(t, err)
+
+			req.Header.Set("X-Forwarded-Prefix", test.value)
+
+			prefix := safePrefix(req)
+
+			assert.Equal(t, test.expected, prefix)
+		})
+	}
+}

api/handler.go

@@ -4,13 +4,13 @@ import (
 	"net/http"
 
 	"github.com/containous/mux"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/middlewares"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/types"
-	"github.com/containous/traefik/version"
-	"github.com/elazarl/go-bindata-assetfs"
+	assetfs "github.com/elazarl/go-bindata-assetfs"
 	thoas_stats "github.com/thoas/stats"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/middlewares"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/types"
+	"github.com/traefik/traefik/version"
 	"github.com/unrolled/render"
 )
 
@@ -21,9 +21,9 @@ type Handler struct {
 	Debug                 bool   `export:"true"`
 	CurrentConfigurations *safe.Safe
 	Statistics            *types.Statistics          `description:"Enable more detailed statistics" export:"true"`
-	Stats                 *thoas_stats.Stats         `json:"-"`
-	StatsRecorder         *middlewares.StatsRecorder `json:"-"`
-	DashboardAssets       *assetfs.AssetFS           `json:"-"`
+	Stats                 *thoas_stats.Stats         `json:"-" hash:"-"`
+	StatsRecorder         *middlewares.StatsRecorder `json:"-" hash:"-"`
+	DashboardAssets       *assetfs.AssetFS           `json:"-" hash:"-"`
 }
 
 var (

autogen/gentemplates/gen.go

@@ -159,6 +159,9 @@ var _templatesConsul_catalogTmpl = []byte(`[backends]
     {{if $loadBalancer.Stickiness }}
     [backends."backend-{{ $backendName }}".loadBalancer.stickiness]
       cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+      secure = {{ $loadBalancer.Stickiness.Secure }}
+      httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+      sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
     {{end}}
   {{end}}
 
@@ -654,6 +657,9 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}}
       {{if $loadBalancer.Stickiness }}
       [backends."backend-{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+        secure = {{ $loadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
       {{end}}
   {{end}}
 
@@ -1000,6 +1006,9 @@ var _templatesEcsTmpl = []byte(`[backends]
     {{if $loadBalancer.Stickiness }}
     [backends."backend-{{ $serviceName }}".loadBalancer.stickiness]
       cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+      secure = {{ $loadBalancer.Stickiness.Secure }}
+      httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+      sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
     {{end}}
   {{end}}
 
@@ -1316,7 +1325,7 @@ var _templatesKubernetesTmpl = []byte(`[backends]
 
     {{if $backend.ResponseForwarding }}
     [backends."{{ $backendName }}".responseForwarding]
-      flushInterval = "{{ $backend.responseForwarding.FlushInterval }}"
+      flushInterval = "{{ $backend.ResponseForwarding.FlushInterval }}"
     {{end}}
 
     [backends."{{ $backendName }}".loadBalancer]
@@ -1325,6 +1334,9 @@ var _templatesKubernetesTmpl = []byte(`[backends]
       {{if $backend.LoadBalancer.Stickiness }}
       [backends."{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $backend.LoadBalancer.Stickiness.CookieName }}"
+        secure = {{ $backend.LoadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $backend.LoadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $backend.LoadBalancer.Stickiness.SameSite }}"
       {{end}}
 
     {{if $backend.MaxConn }}
@@ -1365,7 +1377,9 @@ var _templatesKubernetesTmpl = []byte(`[backends]
 
     {{if $frontend.Auth }}
     [frontends."{{ $frontendName }}".auth]
-      headerField = "X-WebAuth-User"
+      {{if $frontend.Auth.HeaderField }}
+      headerField = "{{ $frontend.Auth.HeaderField }}"
+      {{end}}
 
       {{if $frontend.Auth.Basic }}
       [frontends."{{ $frontendName }}".auth.basic]
@@ -1580,6 +1594,9 @@ var _templatesKvTmpl = []byte(`[backends]
       {{if $loadBalancer.Stickiness }}
       [backends."{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+        secure = {{ $loadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
       {{end}}
   {{end}}
 
@@ -1968,6 +1985,9 @@ var _templatesMarathonTmpl = []byte(`{{ $apps := .Applications }}
       {{if $loadBalancer.Stickiness }}
       [backends."{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+        secure = {{ $loadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
       {{end}}
     {{end}}
 
@@ -2300,6 +2320,9 @@ var _templatesMesosTmpl = []byte(`[backends]
       {{if $loadBalancer.Stickiness }}
       [backends."backend-{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+        secure = {{ $loadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
       {{end}}
   {{end}}
 
@@ -2686,6 +2709,9 @@ var _templatesRancherTmpl = []byte(`{{ $backendServers := .Backends }}
       {{if $loadBalancer.Stickiness }}
       [backends."backend-{{ $backendName }}".loadBalancer.stickiness]
         cookieName = "{{ $loadBalancer.Stickiness.CookieName }}"
+        secure = {{ $loadBalancer.Stickiness.Secure }}
+        httpOnly = {{ $loadBalancer.Stickiness.HTTPOnly }}
+        sameSite = "{{ $loadBalancer.Stickiness.SameSite }}"
       {{end}}
   {{end}}
 

build.Dockerfile

@@ -1,31 +1,34 @@
-FROM golang:1.11-alpine
+FROM golang:1.16-alpine
 
 RUN apk --update upgrade \
-&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
-&& rm -rf /var/cache/apk/*
+    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
 
 RUN go get golang.org/x/lint/golint \
-&& go get github.com/kisielk/errcheck \
 && go get github.com/client9/misspell/cmd/misspell
 
 # Which docker version to test on
-ARG DOCKER_VERSION=17.03.2
-ARG DEP_VERSION=0.4.1
+ARG DOCKER_VERSION=18.09.7
+
+# Download docker
+RUN mkdir -p /usr/local/bin \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
+    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
 # Download go-bindata binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
     && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
     && chmod +x /usr/local/bin/go-bindata
 
-# Download dep binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
-    && chmod +x /usr/local/bin/dep
+# Download misspell binary to bin folder in $GOPATH
+RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
-# Download docker
-RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
-    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
+WORKDIR /go/src/github.com/traefik/traefik
 
-WORKDIR /go/src/github.com/containous/traefik
-COPY . /go/src/github.com/containous/traefik
+# Download go modules
+COPY go.mod .
+COPY go.sum .
+RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
+
+COPY . /go/src/github.com/traefik/traefik

cluster/datastore.go

@@ -10,10 +10,10 @@ import (
 	"github.com/abronan/valkeyrie/store"
 	"github.com/cenk/backoff"
 	"github.com/containous/staert"
-	"github.com/containous/traefik/job"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/safe"
-	"github.com/satori/go.uuid"
+	"github.com/google/uuid"
+	"github.com/traefik/traefik/job"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/safe"
 )
 
 // Metadata stores Object plus metadata
@@ -125,7 +125,7 @@ func (d *Datastore) reload() error {
 
 // Begin creates a transaction with the KV store.
 func (d *Datastore) Begin() (Transaction, Object, error) {
-	id := uuid.NewV4().String()
+	id := uuid.New().String()
 	log.Debugf("Transaction %s begins", id)
 	remoteLock, err := d.kv.NewLock(d.lockKey, &store.LockOptions{TTL: 20 * time.Second, Value: []byte(id)})
 	if err != nil {

cluster/leadership.go

@@ -7,10 +7,10 @@ import (
 
 	"github.com/cenk/backoff"
 	"github.com/containous/mux"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/types"
 	"github.com/docker/leadership"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/types"
 	"github.com/unrolled/render"
 )
 

cmd/bug/bug.go

@@ -9,13 +9,13 @@ import (
 	"text/template"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/anonymize"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/cmd/version"
+	"github.com/traefik/traefik/anonymize"
+	"github.com/traefik/traefik/cmd"
+	"github.com/traefik/traefik/cmd/version"
 )
 
 const (
-	bugTracker  = "https://github.com/containous/traefik/issues/new"
+	bugTracker  = "https://github.com/traefik/traefik/issues/new"
 	bugTemplate = `<!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 

cmd/bug/bug_test.go

@@ -3,13 +3,13 @@ package bug
 import (
 	"testing"
 
-	"github.com/containous/traefik/anonymize"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/provider/file"
-	"github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
+	"github.com/traefik/traefik/anonymize"
+	"github.com/traefik/traefik/cmd"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/provider/file"
+	"github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
 )
 
 func Test_createReport(t *testing.T) {

cmd/configuration.go

@@ -4,32 +4,32 @@ import (
 	"time"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik-extra-service-fabric"
-	"github.com/containous/traefik/api"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/middlewares/accesslog"
-	"github.com/containous/traefik/middlewares/tracing"
-	"github.com/containous/traefik/middlewares/tracing/datadog"
-	"github.com/containous/traefik/middlewares/tracing/jaeger"
-	"github.com/containous/traefik/middlewares/tracing/zipkin"
-	"github.com/containous/traefik/ping"
-	"github.com/containous/traefik/provider/boltdb"
-	"github.com/containous/traefik/provider/consul"
-	"github.com/containous/traefik/provider/consulcatalog"
-	"github.com/containous/traefik/provider/docker"
-	"github.com/containous/traefik/provider/dynamodb"
-	"github.com/containous/traefik/provider/ecs"
-	"github.com/containous/traefik/provider/etcd"
-	"github.com/containous/traefik/provider/eureka"
-	"github.com/containous/traefik/provider/file"
-	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/marathon"
-	"github.com/containous/traefik/provider/mesos"
-	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/rest"
-	"github.com/containous/traefik/provider/zk"
-	"github.com/containous/traefik/types"
+	servicefabric "github.com/containous/traefik-extra-service-fabric"
 	sf "github.com/jjcollinge/servicefabric"
+	"github.com/traefik/traefik/api"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/middlewares/accesslog"
+	"github.com/traefik/traefik/middlewares/tracing"
+	"github.com/traefik/traefik/middlewares/tracing/datadog"
+	"github.com/traefik/traefik/middlewares/tracing/jaeger"
+	"github.com/traefik/traefik/middlewares/tracing/zipkin"
+	"github.com/traefik/traefik/ping"
+	"github.com/traefik/traefik/provider/boltdb"
+	"github.com/traefik/traefik/provider/consul"
+	"github.com/traefik/traefik/provider/consulcatalog"
+	"github.com/traefik/traefik/provider/docker"
+	"github.com/traefik/traefik/provider/dynamodb"
+	"github.com/traefik/traefik/provider/ecs"
+	"github.com/traefik/traefik/provider/etcd"
+	"github.com/traefik/traefik/provider/eureka"
+	"github.com/traefik/traefik/provider/file"
+	"github.com/traefik/traefik/provider/kubernetes"
+	"github.com/traefik/traefik/provider/marathon"
+	"github.com/traefik/traefik/provider/mesos"
+	"github.com/traefik/traefik/provider/rancher"
+	"github.com/traefik/traefik/provider/rest"
+	"github.com/traefik/traefik/provider/zk"
+	"github.com/traefik/traefik/types"
 )
 
 // TraefikConfiguration holds GlobalConfiguration and other stuff
@@ -111,6 +111,7 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 	defaultConsulCatalog.Prefix = "traefik"
 	defaultConsulCatalog.FrontEndRule = "Host:{{.ServiceName}}.{{.Domain}}"
 	defaultConsulCatalog.Stale = false
+	defaultConsulCatalog.StrictChecks = true
 
 	// default Etcd
 	var defaultEtcd etcd.Provider

cmd/healthcheck/healthcheck.go

@@ -9,8 +9,8 @@ import (
 	"time"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/configuration"
+	"github.com/traefik/traefik/cmd"
+	"github.com/traefik/traefik/configuration"
 )
 
 // NewCmd builds a new HealthCheck command

cmd/storeconfig/storeconfig.go

@@ -10,10 +10,10 @@ import (
 	"github.com/abronan/valkeyrie/store"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/cluster"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/log"
+	"github.com/traefik/traefik/acme"
+	"github.com/traefik/traefik/cluster"
+	"github.com/traefik/traefik/cmd"
+	"github.com/traefik/traefik/log"
 )
 
 // NewCmd builds a new StoreConfig command

cmd/traefik/traefik.go

@@ -14,29 +14,29 @@ import (
 	"github.com/cenk/backoff"
 	"github.com/containous/flaeg"
 	"github.com/containous/staert"
-	"github.com/containous/traefik/autogen/genstatic"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/cmd/bug"
-	"github.com/containous/traefik/cmd/healthcheck"
-	"github.com/containous/traefik/cmd/storeconfig"
-	cmdVersion "github.com/containous/traefik/cmd/version"
-	"github.com/containous/traefik/collector"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/configuration/router"
-	"github.com/containous/traefik/job"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/provider/ecs"
-	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/server"
-	"github.com/containous/traefik/server/uuid"
-	traefiktls "github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
-	"github.com/containous/traefik/version"
 	"github.com/coreos/go-systemd/daemon"
-	"github.com/elazarl/go-bindata-assetfs"
+	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/ogier/pflag"
 	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/autogen/genstatic"
+	"github.com/traefik/traefik/cmd"
+	"github.com/traefik/traefik/cmd/bug"
+	"github.com/traefik/traefik/cmd/healthcheck"
+	"github.com/traefik/traefik/cmd/storeconfig"
+	cmdVersion "github.com/traefik/traefik/cmd/version"
+	"github.com/traefik/traefik/collector"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/configuration/router"
+	"github.com/traefik/traefik/job"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/provider/ecs"
+	"github.com/traefik/traefik/provider/kubernetes"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/server"
+	"github.com/traefik/traefik/server/uuid"
+	traefiktls "github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
+	"github.com/traefik/traefik/version"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
@@ -352,14 +352,14 @@ func stats(globalConfiguration *configuration.GlobalConfiguration) {
 Stats collection is enabled.
 Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
 Help us improve Traefik by leaving this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
+More details on: https://doc.traefik.io/traefik/v1.7/basics/#collected-data
 `)
 		collect(globalConfiguration)
 	} else {
 		log.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
+More details on: https://doc.traefik.io/traefik/v1.7/basics/#collected-data
 `)
 	}
 }

cmd/version/version.go

@@ -8,7 +8,7 @@ import (
 	"text/template"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/version"
+	"github.com/traefik/traefik/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}

collector/collector.go

@@ -9,11 +9,11 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/containous/traefik/anonymize"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/version"
 	"github.com/mitchellh/hashstructure"
+	"github.com/traefik/traefik/anonymize"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/version"
 )
 
 // collectorURL URL where the stats are send

configuration/configuration.go

@@ -1,41 +1,41 @@
 package configuration
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik-extra-service-fabric"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/api"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/middlewares/tracing"
-	"github.com/containous/traefik/middlewares/tracing/datadog"
-	"github.com/containous/traefik/middlewares/tracing/jaeger"
-	"github.com/containous/traefik/middlewares/tracing/zipkin"
-	"github.com/containous/traefik/ping"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/provider/boltdb"
-	"github.com/containous/traefik/provider/consul"
-	"github.com/containous/traefik/provider/consulcatalog"
-	"github.com/containous/traefik/provider/docker"
-	"github.com/containous/traefik/provider/dynamodb"
-	"github.com/containous/traefik/provider/ecs"
-	"github.com/containous/traefik/provider/etcd"
-	"github.com/containous/traefik/provider/eureka"
-	"github.com/containous/traefik/provider/file"
-	"github.com/containous/traefik/provider/kubernetes"
-	"github.com/containous/traefik/provider/marathon"
-	"github.com/containous/traefik/provider/mesos"
-	"github.com/containous/traefik/provider/rancher"
-	"github.com/containous/traefik/provider/rest"
-	"github.com/containous/traefik/provider/zk"
-	"github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
-	"github.com/pkg/errors"
+	servicefabric "github.com/containous/traefik-extra-service-fabric"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/traefik/traefik/acme"
+	"github.com/traefik/traefik/api"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/middlewares/tracing"
+	"github.com/traefik/traefik/middlewares/tracing/datadog"
+	"github.com/traefik/traefik/middlewares/tracing/jaeger"
+	"github.com/traefik/traefik/middlewares/tracing/zipkin"
+	"github.com/traefik/traefik/ping"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/provider/boltdb"
+	"github.com/traefik/traefik/provider/consul"
+	"github.com/traefik/traefik/provider/consulcatalog"
+	"github.com/traefik/traefik/provider/docker"
+	"github.com/traefik/traefik/provider/dynamodb"
+	"github.com/traefik/traefik/provider/ecs"
+	"github.com/traefik/traefik/provider/etcd"
+	"github.com/traefik/traefik/provider/eureka"
+	"github.com/traefik/traefik/provider/file"
+	"github.com/traefik/traefik/provider/kubernetes"
+	"github.com/traefik/traefik/provider/marathon"
+	"github.com/traefik/traefik/provider/mesos"
+	"github.com/traefik/traefik/provider/rancher"
+	"github.com/traefik/traefik/provider/rest"
+	"github.com/traefik/traefik/provider/zk"
+	"github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
 	jaegercli "github.com/uber/jaeger-client-go"
-	"github.com/xenolf/lego/challenge/dns01"
 )
 
 const (
@@ -452,18 +452,19 @@ func (gc *GlobalConfiguration) InitACMEProvider() (*acmeprovider.Provider, error
 		if gc.Cluster == nil {
 			provider := &acmeprovider.Provider{}
 			provider.Configuration = &acmeprovider.Configuration{
-				KeyType:       gc.ACME.KeyType,
-				OnHostRule:    gc.ACME.OnHostRule,
-				OnDemand:      gc.ACME.OnDemand,
-				Email:         gc.ACME.Email,
-				Storage:       gc.ACME.Storage,
-				HTTPChallenge: gc.ACME.HTTPChallenge,
-				DNSChallenge:  gc.ACME.DNSChallenge,
-				TLSChallenge:  gc.ACME.TLSChallenge,
-				Domains:       gc.ACME.Domains,
-				ACMELogging:   gc.ACME.ACMELogging,
-				CAServer:      gc.ACME.CAServer,
-				EntryPoint:    gc.ACME.EntryPoint,
+				KeyType:        gc.ACME.KeyType,
+				OnHostRule:     gc.ACME.OnHostRule,
+				OnDemand:       gc.ACME.OnDemand,
+				Email:          gc.ACME.Email,
+				PreferredChain: gc.ACME.PreferredChain,
+				Storage:        gc.ACME.Storage,
+				HTTPChallenge:  gc.ACME.HTTPChallenge,
+				DNSChallenge:   gc.ACME.DNSChallenge,
+				TLSChallenge:   gc.ACME.TLSChallenge,
+				Domains:        gc.ACME.Domains,
+				ACMELogging:    gc.ACME.ACMELogging,
+				CAServer:       gc.ACME.CAServer,
+				EntryPoint:     gc.ACME.EntryPoint,
 			}
 
 			store := acmeprovider.NewLocalStore(provider.Storage)

configuration/configuration_test.go

@@ -5,14 +5,15 @@ import (
 	"time"
 
 	"github.com/containous/flaeg"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/middlewares/tracing"
-	"github.com/containous/traefik/middlewares/tracing/jaeger"
-	"github.com/containous/traefik/middlewares/tracing/zipkin"
-	"github.com/containous/traefik/provider"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/provider/file"
 	"github.com/stretchr/testify/assert"
+	"github.com/traefik/traefik/acme"
+	"github.com/traefik/traefik/middlewares/tracing"
+	"github.com/traefik/traefik/middlewares/tracing/jaeger"
+	"github.com/traefik/traefik/middlewares/tracing/zipkin"
+	"github.com/traefik/traefik/provider"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/provider/file"
+	"github.com/traefik/traefik/tls"
 )
 
 const defaultConfigFile = "traefik.toml"
@@ -269,3 +270,67 @@ func TestInitACMEProvider(t *testing.T) {
 		})
 	}
 }
+
+func TestSetEffectiveConfigurationTLSMinVersion(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		provided EntryPoint
+		expected EntryPoint
+	}{
+		{
+			desc: "Entrypoint with no TLS",
+			provided: EntryPoint{
+				Address: ":80",
+			},
+			expected: EntryPoint{
+				Address:          ":80",
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+			},
+		},
+		{
+			desc: "Entrypoint with TLS Specifying MinVersion",
+			provided: EntryPoint{
+				Address: ":443",
+				TLS: &tls.TLS{
+					MinVersion: "VersionTLS12",
+				},
+			},
+			expected: EntryPoint{
+				Address:          ":443",
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				TLS: &tls.TLS{
+					MinVersion: "VersionTLS12",
+				},
+			},
+		},
+		{
+			desc: "Entrypoint with TLS without Specifying MinVersion",
+			provided: EntryPoint{
+				Address: ":443",
+				TLS:     &tls.TLS{},
+			},
+			expected: EntryPoint{
+				Address:          ":443",
+				ForwardedHeaders: &ForwardedHeaders{Insecure: true},
+				TLS:              &tls.TLS{},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			gc := &GlobalConfiguration{
+				EntryPoints: map[string]*EntryPoint{
+					"foo": &test.provided,
+				},
+			}
+
+			gc.SetEffectiveConfiguration(defaultConfigFile)
+
+			assert.Equal(t, &test.expected, gc.EntryPoints["foo"])
+		})
+	}
+}

configuration/entrypoints.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
 )
 
 // EntryPoint holds an entry point configuration of the reverse proxy (ip, port, TLS...)

configuration/entrypoints_test.go

@@ -3,10 +3,10 @@ package configuration
 import (
 	"testing"
 
-	"github.com/containous/traefik/tls"
-	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/tls"
+	"github.com/traefik/traefik/types"
 )
 
 func Test_parseEntryPointsConfiguration(t *testing.T) {

configuration/provider_aggregator.go

@@ -3,10 +3,10 @@ package configuration
 import (
 	"encoding/json"
 
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/provider"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/types"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/provider"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/types"
 )
 
 // ProviderAggregator aggregate providers

configuration/router/internal_router.go

@@ -2,12 +2,12 @@ package router
 
 import (
 	"github.com/containous/mux"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/log"
-	"github.com/containous/traefik/metrics"
-	"github.com/containous/traefik/middlewares"
-	mauth "github.com/containous/traefik/middlewares/auth"
-	"github.com/containous/traefik/types"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/log"
+	"github.com/traefik/traefik/metrics"
+	"github.com/traefik/traefik/middlewares"
+	mauth "github.com/traefik/traefik/middlewares/auth"
+	"github.com/traefik/traefik/types"
 	"github.com/urfave/negroni"
 )
 

configuration/router/internal_router_test.go

@@ -6,14 +6,14 @@ import (
 	"testing"
 
 	"github.com/containous/mux"
-	"github.com/containous/traefik/acme"
-	"github.com/containous/traefik/api"
-	"github.com/containous/traefik/configuration"
-	"github.com/containous/traefik/ping"
-	acmeprovider "github.com/containous/traefik/provider/acme"
-	"github.com/containous/traefik/safe"
-	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
+	"github.com/traefik/traefik/acme"
+	"github.com/traefik/traefik/api"
+	"github.com/traefik/traefik/configuration"
+	"github.com/traefik/traefik/ping"
+	acmeprovider "github.com/traefik/traefik/provider/acme"
+	"github.com/traefik/traefik/safe"
+	"github.com/traefik/traefik/types"
 	"github.com/urfave/negroni"
 )
 

contrib/systemd/traefik.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/v1.7
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml

docs.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.7
+FROM alpine:3.14
 
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
 
@@ -6,5 +6,5 @@ COPY requirements.txt /mkdocs/
 WORKDIR /mkdocs
 VOLUME /mkdocs
 
-RUN apk --no-cache --no-progress add py-pip \
-  && pip install --user -r requirements.txt
+RUN apk --no-cache --no-progress add py3-pip gcc musl-dev python3-dev \
+  && pip3 install --user -r requirements.txt

docs/CNAME

@@ -1 +0,0 @@
-docs.traefik.io

docs/basics.md

@@ -72,7 +72,7 @@ And here is another example with client certificate authentication:
 
 - We enable SSL on `https` by giving a certificate and a key.
 - One or several files containing Certificate Authorities in PEM format are added.
-- It is possible to have multiple CA:s in the same file or keep them in separate files.
+- It is possible to have multiple CA's in the same file or keep them in separate files.
 
 ### Frontends
 
@@ -452,6 +452,27 @@ If not, a new backend will be assigned.
     # Default: a sha1 (6 chars)
     #
     #  cookieName = "my_cookie"
+
+    # Customize secure option
+    #
+    # Optional
+    # Default: false
+    #
+    #  secure = true
+
+    # Customize http only option
+    #
+    # Optional
+    # Default: false
+    #
+    #  httpOnly = true
+
+    # Customize same site option.
+    # Can be: "none", "lax", "strict"
+    #
+    # Optional
+    #
+    #  sameSite = "none"
 ```
 
 The deprecated way:
@@ -631,7 +652,7 @@ docker run traefik[:version] --help
 
 ### Command: bug
 
-Here is the easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/containous/traefik).
+Here is the easiest way to submit a pre-filled issue on [Traefik GitHub](https://github.com/traefik/traefik).
 
 ```bash
 traefik bug
@@ -660,7 +681,7 @@ OK: http://:8082/ping
 
 **This feature is disabled by default.**
 
-You can read the public proposal on this topic [here](https://github.com/containous/traefik/issues/2369).
+You can read the public proposal on this topic [here](https://github.com/traefik/traefik/issues/2369).
 
 ### Why ?
 
@@ -746,7 +767,7 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 
 ### Show me the code !
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/v1.7/collector/collector.go)
 
 By default we anonymize all configuration fields, except fields tagged with `export=true`.
 

docs/benchmarks.md

@@ -15,7 +15,7 @@ I used 4 VMs for the tests with the following configuration:
 
 1. One VM used to launch the benchmarking tool [wrk](https://github.com/wg/wrk)
 2. One VM for Traefik (v1.0.0-beta.416) / nginx (v1.4.6)
-3. Two VMs for 2 backend servers in go [whoami](https://github.com/containous/whoami/)
+3. Two VMs for 2 backend servers in go [whoami](https://github.com/traefik/whoami/)
 
 Each VM has been tuned using the following limits:
 

docs/configuration/acme.md

@@ -93,6 +93,13 @@ entryPoint = "https"
 #
 # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+# Preferred chain to use.
+#
+# Optional
+# Default: empty
+#
+preferredChain = "ISRG Root X1"
+
 # KeyType to use.
 #
 # Optional
@@ -186,6 +193,17 @@ caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # ...
 ```
 
+### `preferredChain`
+
+Preferred chain to use.
+
+```toml
+[acme]
+# ...
+preferredChain = "ISRG Root X1"
+# ...
+```
+
 ### ACME Challenge
 
 #### `tlsChallenge`
@@ -273,63 +291,73 @@ Useful if internal networks block external DNS queries.
 
 Here is a list of supported `provider`s, that can automate the DNS verification, along with the required environment variables and their [wildcard & root domain support](/configuration/acme/#wildcard-domains) for each.
 Do not hesitate to complete it.
+Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 
-| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                     | Wildcard & Root Domain Support |
-|-------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                              | Not tested yet                 |
-| [Alibaba Cloud](https://www.vultr.com)                      | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                        | Not tested yet                 |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                         | Not tested yet                 |
-| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | Not tested yet                 |
-| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                  | Not tested yet                 |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                             | YES                            |
-| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                 | Not tested yet                 |
-| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                          | YES                            |
-| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                           | YES                            |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                               | YES                            |
-| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                    | Not tested yet                 |
-| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                          | Not tested yet                 |
-| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                       | YES                            |
-| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                           | YES                            |
-| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                      | Not tested yet                 |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                               | YES                            |
-| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                            | YES                            |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                    | YES                            |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                           | Not tested yet                 |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                         | YES                            |
-| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                      | Not tested yet                 |
-| [GoDaddy](https://godaddy.com/domains)                      | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                   | Not tested yet                 |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials (2) (3), [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | YES                            |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                | Not tested yet                 |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1)                                                            | YES                            |
-| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                         | Not tested yet                 |
-| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                          | YES                            |
-| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                  | Not tested yet                 |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                          | Not tested yet                 |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                            | Not tested yet                 |
-| manual                                                      | -              | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                    | YES                            |
-| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                   | YES                            |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                 | YES                            |
-| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                 | Not tested yet                 |
-| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                         | Not tested yet                 |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                    | Not tested yet                 |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                             | Not tested yet                 |
-| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                           | Not tested yet                 |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                       | YES                            |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                           | YES                            |
-| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                            | Not tested yet                 |
-| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                     | Not tested yet                 |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                 | Not tested yet                 |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.           | YES                            |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                             | Not tested yet                 |
-| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                      | YES                            |
-| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                    | Not tested yet                 |
-| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                        | YES                            |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                              | Not tested yet                 |
-| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                        | YES                            |
-| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                           | Not tested yet                 |
-| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                       | YES                            |
+| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       | Wildcard & Root Domain Support |
+|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | Not tested yet                 |
+| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | Not tested yet                 |
+| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | Not tested yet                 |
+| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | Not tested yet                 |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | YES                            |
+| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | Not tested yet                 |
+| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | YES                            |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | YES                            |
+| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | Not tested yet                 |
+| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | YES                            |
+| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | YES                            |
+| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | YES                            |
+| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | Not tested yet                 |
+| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | Not tested yet                 |
+| [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | YES                            |
+| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | YES                            |
+| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | YES                            |
+| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | Not tested yet                 |
+| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | YES                            |
+| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | YES                            |
+| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | YES                            |
+| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | YES                            |
+| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | Not tested yet                 |
+| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | YES                            |
+| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | Not tested yet                 |
+| [GoDaddy](https://godaddy.com/domains)                      | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | Not tested yet                 |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials (2) (3), [`GCE_SERVICE_ACCOUNT_FILE`]                                                        | YES                            |
+| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | YES                            |
+| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` (1)                                                              | YES                            |
+| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | Not tested yet                 |
+| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | YES                            |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | YES                            |
+| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | Not tested yet                 |
+| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | Not tested yet                 |
+| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | Not tested yet                 |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                      | YES                            |
+| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | YES                            |
+| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | YES                            |
+| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | YES                            |
+| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | Not tested yet                 |
+| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | Not tested yet                 |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | Not tested yet                 |
+| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | Not tested yet                 |
+| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | Not tested yet                 |
+| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | YES                            |
+| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | YES                            |
+| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | YES                            |
+| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | Not tested yet                 |
+| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | Not tested yet                 |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | Not tested yet                 |
+| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | YES                            |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | Not tested yet                 |
+| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | YES                            |
+| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | Not tested yet                 |
+| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | YES                            |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | Not tested yet                 |
+| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | YES                            |
+| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | YES                            |
+| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | YES                            |
+| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | YES                            |
 
-- (1): more information about the HTTP message format can be found [here](https://github.com/xenolf/lego/blob/master/providers/dns/httpreq/readme.md)
+- (1): more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
 - (2): https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
 - (3): https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76
 
@@ -389,11 +417,10 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 ```
 
 It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
-Due to ACME limitation it is not possible to define wildcards in SANs (alternative domains). Thus, the wildcard domain has to be defined as a main domain.
 Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
 In this case the generated DNS TXT record for both domains is the same.
 Even though this behaviour is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant, it can lead to problems as all DNS providers keep DNS records cached for a certain time (TTL) and this TTL can be superior to the challenge timeout making the `DNS-01` challenge fail.
-The Traefik ACME client library [LEGO](https://github.com/xenolf/lego) supports some but not all DNS providers to work around this issue.
+The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
 The [`provider` table](/configuration/acme/#provider) indicates if they allow generating certificates for a wildcard domain and its root domain.
 
 ### `onDemand` (Deprecated)

docs/configuration/api.md

@@ -35,7 +35,7 @@
 
 For more customization, see [entry points](/configuration/entrypoints/) documentation and the examples below.
 
-## Web UI
+## Dashboard (Web UI)
 
 ![Web UI Providers](/img/web.frontend.png)
 
@@ -322,9 +322,12 @@ curl -s "http://localhost:8080/health" | jq .
 }
 ```
 
-## Metrics
+## Dashboard Statistics
 
-You can enable Traefik to export internal metrics to different monitoring systems.
+You can control how the Traefik's internal metrics are shown in the Dashboard.
+
+If you want to export internal metrics to different monitoring systems,
+please check the page [Metrics](./metrics.md).
 
 ```toml
 [api]

docs/configuration/backends/consulcatalog.md

@@ -37,6 +37,15 @@ stale = false
 #
 domain = "consul.localhost"
 
+# Keep a Consul node only if all checks status are passing
+# If true, only the Consul nodes with checks status 'passing' will be kept.
+# if false, only the Consul nodes with checks status 'passing' or 'warning' will be kept.
+#
+# Optional
+# Default: true
+#
+strictChecks = true
+
 # Prefix for Consul catalog tags.
 #
 # Optional
@@ -115,16 +124,19 @@ Additional settings can be defined using Consul Catalog tags.
 | `<prefix>.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm.                                                                                                                                                                          |
 | `<prefix>.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions.                                                                                                                                                                                              |
 | `<prefix>.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions.                                                                                                                                                                            |
+| `<prefix>.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
+| `<prefix>.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
+| `<prefix>.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
 | `<prefix>.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions. (DEPRECATED)                                                                                                                                                                                 |
 | `<prefix>.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
 | `<prefix>.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
 | `<prefix>.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
 | `<prefix>.frontend.auth.basic.removeHeader=true`                         | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
 | `<prefix>.frontend.auth.basic.users=EXPR`                                | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash`.                                                                                                                                              |
-| `<prefix>.frontend.auth.basic.usersfile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
+| `<prefix>.frontend.auth.basic.usersFile=/path/.htpasswd`                 | Sets basic authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                         |
 | `<prefix>.frontend.auth.digest.removeHeader=true`                        | If set to `true`, removes the `Authorization` header.                                                                                                                                                                         |
 | `<prefix>.frontend.auth.digest.users=EXPR`                               | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`.                                                                                                                                 |
-| `<prefix>.frontend.auth.digest.usersfile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
+| `<prefix>.frontend.auth.digest.usersFile=/path/.htdigest`                | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence.                                                                        |
 | `<prefix>.frontend.auth.forward.address=https://example.com`             | Sets the URL of the authentication server.                                                                                                                                                                                    |
 | `<prefix>.frontend.auth.forward.authResponseHeaders=EXPR`                | Sets the forward authentication authResponseHeaders in CSV format: `X-Auth-User,X-Auth-Header`                                                                                                                                |
 | `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem`                     | Sets the Certificate Authority (CA) for the TLS connection with the authentication server.                                                                                                                                    |
@@ -215,7 +227,7 @@ If you need to support multiple frontends for a service, for example when having
 | `<prefix>.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `<prefix>.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `<prefix>.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `<prefix>.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `<prefix>.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `<prefix>.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `<prefix>.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `<prefix>.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/backends/docker.md

@@ -196,7 +196,7 @@ by watching the Docker API through this socket.
 !!! important
     Depending on your context and your usage, accessing the Docker API without any restriction might be a security concern.
 
-As explained on the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
+As explained on the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/#docker-daemon-attack-surface)):
 
 `[...] only **trusted** users should be allowed to control your Docker daemon [...]`
 
@@ -209,13 +209,17 @@ to let Traefik accessing the Docker Socket of the Swarm manager node.
 More information about Docker's security:
 
 - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
-- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
+- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
 - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
 - [To Dind or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
 
-### Security Compensation
+### Workarounds
 
-The main security compensation is to expose the Docker socket over TCP, instead of the default Unix socket file.
+!!! note "Improved Security"
+
+    [Traefik Enterprise](https://traefik.io/traefik-enterprise/) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
+
+Another possible workaround is to expose the Docker socket over TCP, instead of the default Unix socket file.
 It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
 
 - Authentication with Client Certificates as described in [the "Protect the Docker daemon socket" page of Docker's documentation](https://docs.docker.com/engine/security/https/)
@@ -232,7 +236,7 @@ It allows different implementation levels of the [AAA (Authentication, Authoriza
 
 Use the following ressources to get started:
 
-- [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
+- [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
 - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
 - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
 - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
@@ -242,7 +246,7 @@ Use the following ressources to get started:
 ### Using Docker with Swarm Mode
 
 If you use a compose file with the Swarm mode, labels should be defined in the `deploy` part of your service.
-This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-2)).
 
 ```yaml
 version: "3"
@@ -253,6 +257,20 @@ services:
         traefik.docker.network: traefik
 ```
 
+Required labels:
+
+- `traefik.frontend.rule`
+- `traefik.port` - Without this the debug logs will show this service is deliberately filtered out.
+- `traefik.docker.network` - Without this a 504 may occur.
+
+#### Troubleshooting
+
+If service doesn't show up in the dashboard, check the debug logs to see if the port is missing:
+`Filtering container without port, <SERVICE_NAME>: port label is missing, ...')`
+
+If `504 Gateway Timeout` occurs and there are networks used, ensure that `traefik.docker.network` is defined. 
+The complete name is required, meaning if the network is internal the name needs to be `<project_name>_<network_name>`.
+
 ### Using Docker Compose
 
 If you are intending to use only Docker Compose commands (e.g. `docker-compose up --scale whoami=2 -d`), labels should be under your service, otherwise they will be ignored.
@@ -295,6 +313,9 @@ Labels can be used on containers to override default behavior.
 | `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
 | `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                                  |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                   |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                      |
 | `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
 | `traefik.backend.loadbalancer.swarm=true`                               | Uses Swarm's inbuilt load balancer (only relevant under Swarm Mode) [3].                                                                                                                                                         |
 | `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
@@ -394,7 +415,7 @@ It also means that Traefik will manipulate only one backend, not one backend per
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/backends/ecs.md

@@ -160,6 +160,9 @@ Labels can be used on task containers to override default behaviour:
 | `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
 | `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie manually  name for sticky sessions                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
 | `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
 | `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
 | `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |

docs/configuration/backends/file.md

@@ -31,6 +31,9 @@ Traefik can be configured with a file.
       method = "drr"
       [backends.backend1.loadBalancer.stickiness]
         cookieName = "foobar"
+        secure = true
+        httpOnly = true
+        sameSite = "foobar"
 
     [backends.backend1.maxConn]
       amount = 10

docs/configuration/backends/kubernetes.md

@@ -73,6 +73,14 @@ See also [Kubernetes user guide](/user-guide/kubernetes).
 #
 # enablePassTLSCert = true
 
+# Throttle how frequently we refresh our configuration from Ingresses when there
+# are frequent changes.
+#
+# Optional
+# Default: 0 (no throttling)
+#
+# throttleDuration = 10s
+
 # Override default configuration template.
 #
 # Optional
@@ -210,10 +218,14 @@ infos:
     serialnumber: true
 ```
 
-If `pem` is set, it will add a `X-Forwarded-Tls-Client-Cert` header that contains the escaped pem as value.  
+If `pem` is set, it will add a `X-Forwarded-Tls-Client-Cert` header that contains the escaped pem as value.
 If at least one flag of the `infos` part is set, it will add a `X-Forwarded-Tls-Client-Cert-Infos` header that contains an escaped string composed of the client certificate data selected by the infos flags.
 This infos part is composed like the following example (not escaped):
-```Subject="C=FR,ST=SomeState,L=Lyon,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2```
+```
+Subject="C=FR,ST=SomeState,L=Lyon,O=Cheese,CN=*.cheese.org",NB=1531900816,NA=1563436816,SAN=*.cheese.org,*.cheese.net,cheese.in,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+```
+
+Note these options work only with certificates issued by CAs included in the applicable [EntryPoint ClientCA section](/configuration/entrypoints/#tls-mutual-authentication); certificates from other CAs are not parsed or passed through as-is.
 
 <4> `traefik.ingress.kubernetes.io/rate-limit` example:
 
@@ -231,7 +243,7 @@ rateset:
 ```
 
 <5> `traefik.ingress.kubernetes.io/rule-type`
-Note: `ReplacePath` is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`. 
+Note: `ReplacePath` is deprecated in this annotation, use the `traefik.ingress.kubernetes.io/request-modifier` annotation instead. Default: `PathPrefix`.
 
 <6> `traefik.ingress.kubernetes.io/service-weights`:
 Service weights enable to split traffic across multiple backing services in a fine-grained manner.
@@ -329,7 +341,7 @@ The following security annotations are applicable on the Ingress object:
 | `ingress.kubernetes.io/ssl-temporary-redirect: "true"`    | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `ingress.kubernetes.io/ssl-host: HOST`                    | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `ingress.kubernetes.io/ssl-force-host: "true"`            | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `ingress.kubernetes.io/ssl-proxy-headers: EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |
+| `ingress.kubernetes.io/ssl-proxy-headers: EXPR`           | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`). Format: <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                          |
 
 ### Authentication
 

docs/configuration/backends/marathon.md

@@ -218,6 +218,9 @@ The following labels can be defined on Marathon applications. They adjust the be
 | `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
 | `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
 | `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                  |
 | `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
 | `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
@@ -303,7 +306,7 @@ The following labels can be defined on Marathon applications. They adjust the be
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/backends/mesos.md

@@ -132,6 +132,9 @@ The following labels can be defined on Mesos tasks. They adjust the behavior for
 | `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                           |
 | `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                               |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie manually name for sticky sessions                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                             |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                   |
 | `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                      |
 | `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                        |
 | `traefik.frontend.auth.basic=EXPR`                                      | Sets basic authentication to this frontend in CSV format: `User:Hash,User:Hash` (DEPRECATED).                                                                                                                                 |
@@ -215,7 +218,7 @@ The following labels can be defined on Mesos tasks. They adjust the behavior for
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/backends/rancher.md

@@ -2,6 +2,11 @@
 
 Traefik can be configured to use Rancher as a provider.
 
+!!! important
+    This provider is specific to Rancher 1.x.
+    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+    As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes.md) directly.
+
 ## Global Configuration
 
 ```toml
@@ -162,6 +167,9 @@ Labels can be used on task containers to override default behavior:
 | `traefik.backend.loadbalancer.method=drr`                               | Overrides the default `wrr` load balancer algorithm                                                                                                                                                                              |
 | `traefik.backend.loadbalancer.stickiness=true`                          | Enables backend sticky sessions                                                                                                                                                                                                  |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`               | Sets the cookie name manually for sticky sessions                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.secure=true`                   | Sets secure cookie option for sticky sessions.                                                                                                                                                                                   |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`                 | Sets http only cookie option for sticky sessions.                                                                                                                                                                                |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`                 | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                                      |
 | `traefik.backend.loadbalancer.sticky=true`                              | Enables backend sticky sessions (DEPRECATED)                                                                                                                                                                                     |
 | `traefik.backend.maxconn.amount=10`                                     | Sets a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                         |
 | `traefik.backend.maxconn.extractorfunc=client.ip`                       | Sets the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                           |
@@ -245,7 +253,7 @@ Labels can be used on task containers to override default behavior:
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
 | `traefik.frontend.headers.SSLForceHost=true`             | If `SSLForceHost` is `true` and `SSLHost` is set, requests will be forced to use `SSLHost` even the ones that are already using SSL. Default is false.                                              |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/backends/servicefabric.md

@@ -69,6 +69,8 @@ Here is an example of an extension setting Traefik labels:
 </StatelessServiceType>
 ```
 
+> **Note**: The `Label` tag and its `Key` attribute are case sensitive. That is, if you use `label` instead of `Label` or `key` instead of `Key`, they will be silently ignored.
+
 #### Property Manager
 
 Set Labels with the property manager API to overwrite and add labels, while your service is running.
@@ -110,6 +112,9 @@ Labels, set through extensions or the property manager, can be used on services
 | `traefik.backend.loadbalancer.method=drr`                  | Override the default `wrr` load balancer algorithm                                                                                                                                                                        |
 | `traefik.backend.loadbalancer.stickiness=true`             | Enable backend sticky sessions                                                                                                                                                                                            |
 | `traefik.backend.loadbalancer.stickiness.cookieName=NAME`  | Manually set the cookie name for sticky sessions                                                                                                                                                                          |
+| `traefik.backend.loadbalancer.stickiness.secure=true`      | Sets secure cookie option for sticky sessions.                                                                                                                                                                            |
+| `traefik.backend.loadbalancer.stickiness.httpOnly=true`    | Sets http only cookie option for sticky sessions                                                                                                                                                                          |
+| `traefik.backend.loadbalancer.stickiness.sameSite=none`    | Sets same site cookie option for sticky sessions. (`none`, `lax`, `strict`)                                                                                                                                               |
 | `traefik.backend.loadbalancer.sticky=true`                 | Enable backend sticky sessions (DEPRECATED)                                                                                                                                                                               |
 | `traefik.backend.maxconn.amount=10`                        | Set a maximum number of connections to the backend.<br>Must be used in conjunction with the below label to take effect.                                                                                                   |
 | `traefik.backend.maxconn.extractorfunc=client.ip`          | Set the function to be used against the request to determine what to limit maximum connections to the backend by.<br>Must be used in conjunction with the above label to take effect.                                     |
@@ -143,7 +148,7 @@ Labels, set through extensions or the property manager, can be used on services
 | `traefik.frontend.headers.SSLRedirect=true`              | Forces the frontend to redirect to SSL if a non-SSL request is sent.                                                                                                                                |
 | `traefik.frontend.headers.SSLTemporaryRedirect=true`     | Forces the frontend to redirect to SSL if a non-SSL request is sent, but by sending a 302 instead of a 301.                                                                                         |
 | `traefik.frontend.headers.SSLHost=HOST`                  | This setting configures the hostname that redirects will be based on. Default is "", which is the same host as the request.                                                                         |
-| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-For:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
+| `traefik.frontend.headers.SSLProxyHeaders=EXPR`          | Header combinations that would signify a proper SSL Request (Such as `X-Forwarded-Proto:https`).<br>Format:  <code>HEADER:value&vert;&vert;HEADER2:value2</code>                                      |
 | `traefik.frontend.headers.STSSeconds=315360000`          | Sets the max-age of the STS header.                                                                                                                                                                 |
 | `traefik.frontend.headers.STSIncludeSubdomains=true`     | Adds the `IncludeSubdomains` section of the STS  header.                                                                                                                                            |
 | `traefik.frontend.headers.STSPreload=true`               | Adds the preload flag to the STS  header.                                                                                                                                                           |

docs/configuration/commons.md

@@ -249,8 +249,14 @@ Multiple sets of rates can be added to each frontend, but the time periods must
 ```
 
 In the above example, frontend1 is configured to limit requests by the client's ip address.  
-An average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.  
-These can "burst" up to 10 and 200 in each period respectively. 
+A sustained rate of 100 requests every 10 seconds (10 req/s) is allowed for rateset1, and 5 requests every 3 seconds (~1.67 req/s) for rateset2.  
+In addition, these can "burst" up to 200 and 10 in each period respectively.
+
+Another way to describe the above parameters, is to use the [leaky bucket](https://en.wikipedia.org/wiki/Leaky_bucket) analogy:
+for rateset1, the size of the bucket is 200 drops, and it is leaking at a rate of 10 drop/s.
+If the incoming rate of drops falling into the bucket gets high enough that the bucket gets filled,
+any subsequent drop overflows out of the bucket (i.e. the request is discarded).
+This situation holds until the incoming rate gets low enough again, and remains that way, for the water level in the bucket to go down.
 
 Valid values for `extractorfunc` are:
   * `client.ip`

docs/configuration/entrypoints.md

@@ -97,7 +97,7 @@ In compose file the entrypoint syntax is different. Notice how quotes are used:
 
 ```yaml
 traefik:
-    image: traefik
+    image: traefik:v1.7
     command:
         - --defaultentrypoints=powpow
         - "--entryPoints=Name:powpow Address::42 Compress:true"
@@ -105,7 +105,7 @@ traefik:
 or
 ```yaml
 traefik:
-    image: traefik
+    image: traefik:v1.7
     command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
 ```
 
@@ -235,13 +235,18 @@ If you need to add or remove TLS certificates while Traefik is started, Dynamic
 ## TLS Mutual Authentication
 
 TLS Mutual Authentication can be `optional` or not.
-If it's `optional`, Traefik will authorize connection with certificates not signed by a specified Certificate Authority (CA).
-Otherwise, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
+
+* If `optional = true`, if a certificate is provided, verifies if it is signed by a specified Certificate Authority (CA). Otherwise proceeds without any certificate.
+* If `optional = false`, Traefik will only accept clients that present a certificate signed by a specified Certificate Authority (CA).
+
+!!! warning
+    While the TLS [1.1](https://tools.ietf.org/html/rfc4346#section-7.4.6) and [1.2](https://tools.ietf.org/html/rfc5246#section-7.4.6) RFCs specify that clients should proceed with handshaking by sending an empty list should they have no certs for the CAs specified by the server, not all do so in practice.
+    Use this feature with caution should you require maximum compatibility with a wide variety of client user agents which may not strictly implement these specs.
+
 `ClientCAFiles` can be configured with multiple `CA:s` in the same file or use multiple files containing one or several `CA:s`.
 The `CA:s` has to be in PEM format.
 
-By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert.
-The requirement will apply to all server certs in the entrypoint.
+By default, `ClientCAFiles` is not optional, all clients will be required to present a valid cert. The requirement will apply to all server certs in the entrypoint.
 
 In the example below both `snitest.com` and `snitest.org` will require client certs
 
@@ -480,6 +485,13 @@ To enable IP white listing at the entry point level.
       # useXForwardedFor = true
 ```
 
+By setting the `useXForwardedFor` option, the `sourceRange` addresses will be matched against the request header `X-Forwarded-For` address list, from left to right.
+
+!!! danger
+    When using Traefik behind another load-balancer, its own internal address will be appended in the `X-Forwarded-For` header.
+    Be sure to carefully configure the `sourceRange` as adding the internal network CIDR,
+    or the load-balancer address directly, will cause all requests coming from it to pass through.
+
 ## ProxyProtocol
 
 To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.

docs/configuration/logs.md

@@ -39,7 +39,7 @@ logLevel = "INFO"
 
 For more information about the CLI, see the documentation about [Traefik command](/basics/#traefik).
 
-```shell
+```bash
 --logLevel="DEBUG"
 --traefikLog.filePath="/path/to/traefik.log"
 --traefikLog.format="json"
@@ -54,7 +54,6 @@ For more information about the CLI, see the documentation about [Traefik command
 --accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
 ```
 
-
 ## Traefik Logs
 
 By default the Traefik log is written to stdout in text format.
@@ -66,7 +65,7 @@ To write the logs into a log file specify the `filePath`:
   filePath = "/path/to/traefik.log"
 ```
 
-To write JSON format logs, specify `json` as the format:
+To switch to JSON format instead of standard format (`common`), specify `json` as the format:
 
 ```toml
 [traefikLog]
@@ -74,7 +73,6 @@ To write JSON format logs, specify `json` as the format:
   format   = "json"
 ```
 
-
 Deprecated way (before 1.4):
 
 !!! danger "DEPRECATED"
@@ -105,13 +103,12 @@ To customize the log level:
 logLevel = "ERROR"
 ```
 
-
 ## Access Logs
 
-Access logs are written when `[accessLog]` is defined.
-By default it will write to stdout and produce logs in the textual Common Log Format (CLF), extended with additional fields.
+Access logs are written when the entry `[accessLog]` is defined (or the command line flag `--accesslog`).
+By default it writes to stdout and produces logs in the textual [Common Log Format (CLF)](#clf-common-log-format), extended with additional fields.
 
-To enable access logs using the default settings just add the `[accessLog]` entry:
+To enable access logs using the default settings, add the `[accessLog]` entry in your `traefik.toml` configuration file:
 
 ```toml
 [accessLog]
@@ -124,12 +121,12 @@ To write the logs into a log file specify the `filePath`:
 filePath = "/path/to/access.log"
 ```
 
-To write JSON format logs, specify `json` as the format:
+To switch to JSON format instead of [Common Log Format (CLF)](#clf-common-log-format), specify `json` as the format:
 
 ```toml
 [accessLog]
 filePath = "/path/to/access.log"
-format = "json"
+format = "json"  # Default: "common"
 ```
 
 To write the logs in async, specify `bufferingSize` as the format (must be >0):
@@ -152,7 +149,7 @@ To filter logs you can specify a set of filters which are logically "OR-connecte
 ```toml
 [accessLog]
 filePath = "/path/to/access.log"
-format = "json"
+format = "json"  # Default: "common"
 
   [accessLog.filters]
 
@@ -178,22 +175,42 @@ format = "json"
   minDuration = "10ms"
 ```
 
-To customize logs format:
+### CLF - Common Log Format
+
+By default, Traefik use the CLF (`common`) as access log format.
+
+```html
+<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms
+```
+
+### Customize Fields
+
+You can customize the fields written in the access logs.
+The list of available fields is found below: [List of All Available Fields](#list-of-all-available-fields).
+
+Each field has a "mode" which defines if it is written or not in the access log lines.
+The possible values for the mode are:
+
+* `keep`: the field and its value are written on the access log line. This is the default behavior.
+* `drop`: the field is not written at all on the access log.
+
+To customize the fields, you must:
+
+* Switch to the JSON format (mandatory)
+* Define the "default mode" for all fields (default is `keep`)
+* OR Define the fields which does not follow the default mode
 
 ```toml
 [accessLog]
-filePath = "/path/to/access.log"
+# Access Log Format
+#
+# Optional
+# Default: "common"
+#
+# Accepted values "common", "json"
+#
 format = "json"
 
-  [accessLog.filters]
-
-  # statusCodes keep only access logs with status codes in the specified range
-  #
-  # Optional
-  # Default: []
-  #
-  statusCodes = ["200", "300-302"]
-
   [accessLog.fields]
 
   # defaultMode
@@ -209,6 +226,43 @@ format = "json"
   [accessLog.fields.names]
     "ClientUsername" = "drop"
     # ...
+```
+
+### Customize Headers
+
+Access logs prints the headers of each request, as fields of the access log line.
+You can customize which and how the headers are printed, likewise the other fields (see ["Customize Fields" section](#customize-fields)).
+
+Each header has a "mode" which defines how it is written in the access log lines.
+The possible values for the mode are:
+
+* `keep`: the header and its value are written on the access log line. This is the default behavior.
+* `drop`: the header is not written at all on the access log.
+* `redacted`: the header is written, but its value is redacted to avoid leaking sensitive information.
+
+To customize the headers, you must:
+
+* Switch to the JSON format (mandatory)
+* Define the "default mode" for all headers (default is `keep`)
+* OR Define the headers which does not follow the default mode
+
+!!! important
+    The headers are written with the prefix `request_` in the access log.
+    This prefix must not be included when specifying a header in the TOML configuration.
+
+    * Do: `"User-Agent" = "drop"`
+    * Don't: `"redacted_User-Agent" = "drop"`
+
+```toml
+[accessLog]
+# Access Log Format
+#
+# Optional
+# Default: "common"
+#
+# Accepted values "common", "json"
+#
+format = "json"
 
   [accessLog.fields.headers]
     # defaultMode
@@ -227,41 +281,42 @@ format = "json"
       # ...
 ```
 
+### List of All Available Fields
 
-### List of all available fields
+| Field                   | Description                                                                                                                                                         |
+|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `StartUTC`              | The time at which request processing started.                                                                                                                       |
+| `StartLocal`            | The local time at which request processing started.                                                                                                                 |
+| `Duration`              | The total time taken by processing the response, including the origin server's time but not the log writing time.                                                   |
+| `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
+| `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
+| `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |
+| `BackendAddr`           | The IP:port of the Traefik backend (extracted from `BackendURL`)                                                                                                    |
+| `ClientAddr`            | The remote address in its original form (usually IP:port).                                                                                                          |
+| `ClientHost`            | The remote IP address from which the client request was received.                                                                                                   |
+| `ClientPort`            | The remote TCP port from which the client request was received.                                                                                                     |
+| `ClientUsername`        | The username provided in the URL, if present.                                                                                                                       |
+| `RequestAddr`           | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API.                                                                              |
+| `RequestHost`           | The HTTP Host server name (not including port).                                                                                                                     |
+| `RequestPort`           | The TCP port from the HTTP Host.                                                                                                                                    |
+| `RequestMethod`         | The HTTP method.                                                                                                                                                    |
+| `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
+| `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+| `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
+| `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
+| `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
+| `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
+| `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent.     |
+| `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
+| `DownstreamStatus`      | The HTTP status code returned to the client.                                                                                                                        |
+| `DownstreamStatusLine`  | `DownstreamStatus` + Status code explanation                                                                                                                        |
+| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
+| `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
+| `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
+| `Overhead`              | The processing time overhead caused by Traefik.                                                                                                                     |
+| `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
 
-```ini
-StartUTC
-StartLocal
-Duration
-FrontendName
-BackendName
-BackendURL
-BackendAddr
-ClientAddr
-ClientHost
-ClientPort
-ClientUsername
-RequestAddr
-RequestHost
-RequestPort
-RequestMethod
-RequestPath
-RequestProtocol
-RequestLine
-RequestContentSize
-OriginDuration
-OriginContentSize
-OriginStatus
-OriginStatusLine
-DownstreamStatus
-DownstreamStatusLine
-DownstreamContentSize
-RequestCount
-GzipRatio
-Overhead
-RetryAttempts
-```
+### Depreciation Notice
 
 Deprecated way (before 1.4):
 
@@ -276,15 +331,6 @@ Deprecated way (before 1.4):
 accessLogsFile = "log/access.log"
 ```
 
-### CLF - Common Log Format
-
-By default, Traefik use the CLF (`common`) as access log format.
-
-```html
-<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
-```
-
-
 ## Log Rotation
 
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
@@ -292,3 +338,34 @@ This allows the logs to be rotated and processed by an external program, such as
 
 !!! note
     This does not work on Windows due to the lack of USR signals.
+
+## Time Zones
+
+The timestamp of each log line is in UTC time by default.
+
+If you want to use local timezone, you need to ensure the 3 following elements:
+
+1. Provide the timezone data into /usr/share/zoneinfo
+2. Set the environement variable TZ to the timezone to be used
+3. Specify the field StartLocal instead of StartUTC (works on default Common Log Format (CLF) as well as JSON)
+
+Example using docker-compose:
+
+```yml
+version: '3'
+
+services:
+  traefik:
+    image: traefik/traefik:[latest stable version]
+    ports:
+      - "80:80"
+    environment:
+      - "TZ=US/Alaska"
+    command:
+      - --docker
+      - --accesslog
+      - --accesslog.fields.names="StartUTC=drop"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "/usr/share/zoneinfo:/usr/share/zoneinfo:ro"
+```

docs/index.md

@@ -4,9 +4,9 @@
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](/)
-[![Go Report Card](https://goreportcard.com/badge/github.com/containous/traefik)](https://goreportcard.com/report/github.com/containous/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
+[![Go Report Card](https://goreportcard.com/badge/github.com/traefik/traefik)](https://goreportcard.com/report/github.com/traefik/traefik)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 
@@ -66,7 +66,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 In this quickstart, we'll use [Docker compose](https://docs.docker.com/compose) to create our demo infrastructure.
 
-To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory.
+To save some time, you can clone [Traefik's repository](https://github.com/traefik/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/traefik/traefik/tree/v1.7/examples/quickstart/) directory.
 
 ### 1 — Launch Traefik — Tell It to Listen to Docker
 
@@ -77,7 +77,7 @@ version: '3'
 
 services:
   reverse-proxy:
-    image: traefik # The official Traefik docker image
+    image: traefik:v1.7 # The official Traefik docker image
     command: --api --docker # Enables the web UI and tells Traefik to listen to docker
     ports:
       - "80:80"     # The HTTP port
@@ -109,7 +109,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 ```yaml
 # ...
   whoami:
-    image: containous/whoami # A container that exposes an API to show its IP address
+    image: traefik/whoami # A container that exposes an API to show its IP address
     labels:
       - "traefik.frontend.rule=Host:whoami.docker.localhost"
 ```
@@ -190,7 +190,7 @@ You will learn fundamental Traefik features and see some demos with Kubernetes.
 
 ### The Official Binary File
 
-You can grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+You can grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and just run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v1.7/traefik.sample.toml):
 
 ```shell
 ./traefik -c traefik.toml

docs/theme/partials/footer.html

@@ -88,9 +88,9 @@
                 </div>
                 {% endif %}
                 powered by
-                <a href="http://www.mkdocs.org" title="MkDocs">MkDocs</a>
+                <a href="https://www.mkdocs.org" title="MkDocs">MkDocs</a>
                 and
-                <a href="http://squidfunk.github.io/mkdocs-material/"
+                <a href="https://squidfunk.github.io/mkdocs-material/"
                    title="Material for MkDocs">
                     Material for MkDocs</a>
             </div>

docs/theme/partials/integrations/analytics.html

@@ -0,0 +1,7 @@
+<!-- Google Tag Manager -->
+<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+      new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+  })(window,document,'script','dataLayer','GTM-NMWC63S');</script>
+<!-- End Google Tag Manager -->

docs/user-guide/cluster-docker-consul.md

@@ -9,7 +9,7 @@ If you want to use Let's Encrypt with Traefik, sharing configuration or TLS cert
 Ok, could we mount a shared volume used by all my instances? Yes, you can, but it will not work.
 When you use Let's Encrypt, you need to store certificates, but not only.
 When Traefik generates a new certificate, it configures a challenge and once Let's Encrypt will verify the ownership of the domain, it will ping back the challenge.
-If the challenge is not known by other Traefik instances, the validation will fail.
+If the challenge is not recognized by other Traefik instances, the validation will fail.
 
 For more information about the challenge: [Automatic Certificate Management Environment (ACME)](https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http-challenge)
 
@@ -91,7 +91,7 @@ To watch docker events, add `--docker.watch`.
 version: "3"
 services:
   traefik:
-    image: traefik:1.5
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     command:
       - "--api"
       - "--entrypoints=Name:http Address::80 Redirect.EntryPoint:https"
@@ -156,7 +156,7 @@ The initializer in a docker-compose file will be:
 
 ```yaml
   traefik_init:
-    image: traefik:1.5
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     command:
       - "storeconfig"
       - "--api"
@@ -177,7 +177,7 @@ And now, the Traefik part will only have the Consul configuration.
 
 ```yaml
   traefik:
-    image: traefik:1.5
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     depends_on:
       - traefik_init
       - consul
@@ -200,7 +200,7 @@ The new configuration will be stored in Consul, and you need to restart the Trae
 version: "3.4"
 services:
   traefik_init:
-    image: traefik:1.5
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     command:
       - "storeconfig"
       - "--api"
@@ -229,7 +229,7 @@ services:
     depends_on:
       - consul
   traefik:
-    image: traefik:1.5
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     depends_on:
       - traefik_init
       - consul

docs/user-guide/docker-and-lets-encrypt.md

@@ -50,7 +50,7 @@ version: '2'
 
 services:
   traefik:
-    image: traefik:1.5.4
+    image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
     restart: always
     ports:
       - 80:80
@@ -108,6 +108,28 @@ onHostRule = true
 entryPoint = "http"
 ```
 
+Alternatively, the `TOML` file above can also be translated into command line switches. 
+This is the `command` value of the `traefik` service in the `docker-compose.yml` manifest:
+
+```yaml
+command:
+  - --debug=false
+  - --logLevel=ERROR
+  - --defaultentrypoints=https,http
+  - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
+  - --entryPoints=Name:https Address::443 TLS
+  - --retry
+  - --docker.endpoint=unix:///var/run/docker.sock
+  - --docker.domain=my-awesome-app.org
+  - --docker.watch=true
+  - --docker.exposedbydefault=false
+  - --acme.email=your-email-here@my-awesome-app.org
+  - --acme.storage=acme.json
+  - --acme.entryPoint=https
+  - --acme.onHostRule=true
+  - --acme.httpchallenge.entrypoint=http
+```
+
 This is the minimum configuration required to do the following:
 
 - Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messages
@@ -213,13 +235,11 @@ Let's take a look at the labels themselves for the `app` service, which is a HTT
 - "traefik.admin.port=9443"
 ```
 
-We use both `container labels` and `service labels`.
+We use both `container labels` and `segment labels`.
 
 #### Container labels
 
-First, we specify the `backend` name which corresponds to the actual service we're routing **to**.
-
-We also tell Traefik to use the `web` network to route HTTP traffic to this container.
+We tell Traefik to use the `web` network to route HTTP traffic to this container.
 With the `traefik.enable` label, we tell Traefik to include this container in its internal configuration.
 
 With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
@@ -227,20 +247,20 @@ Essentially, this is the actual rule used for Layer-7 load balancing.
 
 Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
 
-### Service labels
+#### Segment labels
 
-`Service labels` allow managing many routes for the same container.
+`Segment labels` allow managing many routes for the same container.
 
-When both `container labels` and `service labels` are defined, `container labels` are just used as default values for missing `service labels` but no frontend/backend are going to be defined only with these labels.
-Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `service labels` during the container frontends/backends creation.
+When both `container labels` and `segment labels` are defined, `container labels` are just used as default values for missing `segment labels` but no frontend/backend are going to be defined only with these labels.
+Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `segment labels` during the container frontends/backends creation.
 
-In the example, two service names are defined : `basic` and `admin`.
+In the example, two segment names are defined : `basic` and `admin`.
 They allow creating two frontends and two backends.
 
-- `basic` has only one `service label` : `traefik.basic.protocol`.
+- `basic` has only one `segment label` : `traefik.basic.protocol`.
 Traefik will use values set in `traefik.frontend.rule` and `traefik.port` to create the `basic` frontend and backend.
 The frontend listens to incoming HTTP requests which contain the `Host` `app.my-awesome-app.org` and redirect them in `HTTP` to the port `9000` of the backend.
-- `admin` has all the `services labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
+- `admin` has all the `segment labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
 Traefik will create a frontend to listen to incoming HTTP requests which contain the `Host` `admin-app.my-awesome-app.org` and redirect them in `HTTPS` to the port `9443` of the backend.
 
 #### Gotchas and tips

docs/user-guide/examples.md

@@ -336,80 +336,80 @@ Pay attention to the **labels** section:
 
 ```
 home:
-image: abiosoft/caddy:0.10.14
-networks:
-  - ntw_front
-volumes:
-  - ./www/home/srv/:/srv/
-deploy:
-  mode: replicated
-  replicas: 2
-  #placement:
-  #  constraints: [node.role==manager]
-  restart_policy:
-    condition: on-failure
-    max_attempts: 5
-  resources:
-    limits:
-      cpus: '0.20'
-      memory: 9M
-    reservations:
-      cpus: '0.05'
-      memory: 9M
-  labels:
-  - "traefik.frontend.rule=PathPrefixStrip:/"
-  - "traefik.backend=home"
-  - "traefik.port=2015"
-  - "traefik.weight=10"
-  - "traefik.enable=true"
-  - "traefik.passHostHeader=true"
-  - "traefik.docker.network=ntw_front"
-  - "traefik.frontend.entryPoints=http"
-  - "traefik.backend.loadbalancer.swarm=true"
-  - "traefik.backend.loadbalancer.method=drr"
+  image: abiosoft/caddy:0.10.14
+  networks:
+    - ntw_front
+  volumes:
+    - ./www/home/srv/:/srv/
+  deploy:
+    mode: replicated
+    replicas: 2
+    #placement:
+    #  constraints: [node.role==manager]
+    restart_policy:
+      condition: on-failure
+      max_attempts: 5
+    resources:
+      limits:
+        cpus: '0.20'
+        memory: 9M
+      reservations:
+        cpus: '0.05'
+        memory: 9M
+    labels:
+      - "traefik.frontend.rule=PathPrefixStrip:/"
+      - "traefik.backend=home"
+      - "traefik.port=2015"
+      - "traefik.weight=10"
+      - "traefik.enable=true"
+      - "traefik.passHostHeader=true"
+      - "traefik.docker.network=ntw_front"
+      - "traefik.frontend.entryPoints=http"
+      - "traefik.backend.loadbalancer.swarm=true"
+      - "traefik.backend.loadbalancer.method=drr"
 ```
 
 Something more tricky using `regex`.
 
-In this case a slash is added to `siteexample.io/portainer` and redirect to `siteexample.io/portainer/`. For more details: https://github.com/containous/traefik/issues/563
+In this case a slash is added to `siteexample.io/portainer` and redirect to `siteexample.io/portainer/`. For more details: https://github.com/traefik/traefik/issues/563
 
-The double sign `$$` are variables managed by the docker compose file ([documentation](https://docs.docker.com/compose/compose-file/#variable-substitution)). 
+The double sign `$$` are variables managed by the docker compose file ([documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#variable-substitution)). 
 
 ```
 portainer:
-image: portainer/portainer:1.16.5
-networks:
-  - ntw_front
-volumes:
-  - /var/run/docker.sock:/var/run/docker.sock
-deploy:
-  mode: replicated
-  replicas: 1
-  placement:
-    constraints: [node.role==manager]
-  restart_policy:
-    condition: on-failure
-    max_attempts: 5
-  resources:
-    limits:
-      cpus: '0.33'
-      memory: 20M
-    reservations:
-      cpus: '0.05'
-      memory: 10M
-  labels:
-    - "traefik.frontend.rule=PathPrefixStrip:/portainer"
-    - "traefik.backend=portainer"
-    - "traefik.port=9000"
-    - "traefik.weight=10"
-    - "traefik.enable=true"
-    - "traefik.passHostHeader=true"
-    - "traefik.docker.network=ntw_front"
-    - "traefik.frontend.entryPoints=http"
-    - "traefik.backend.loadbalancer.swarm=true"
-    - "traefik.backend.loadbalancer.method=drr"
-    # https://github.com/containous/traefik/issues/563#issuecomment-421360934
-    - "traefik.frontend.redirect.regex=^(.*)/portainer$$"
-    - "traefik.frontend.redirect.replacement=$$1/portainer/"
-    - "traefik.frontend.rule=PathPrefix:/portainer;ReplacePathRegex: ^/portainer/(.*) /$$1"
+  image: portainer/portainer:1.16.5
+  networks:
+    - ntw_front
+  volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+  deploy:
+    mode: replicated
+    replicas: 1
+    placement:
+      constraints: [node.role==manager]
+    restart_policy:
+      condition: on-failure
+      max_attempts: 5
+    resources:
+      limits:
+        cpus: '0.33'
+        memory: 20M
+      reservations:
+        cpus: '0.05'
+        memory: 10M
+    labels:
+      - "traefik.frontend.rule=PathPrefixStrip:/portainer"
+      - "traefik.backend=portainer"
+      - "traefik.port=9000"
+      - "traefik.weight=10"
+      - "traefik.enable=true"
+      - "traefik.passHostHeader=true"
+      - "traefik.docker.network=ntw_front"
+      - "traefik.frontend.entryPoints=http"
+      - "traefik.backend.loadbalancer.swarm=true"
+      - "traefik.backend.loadbalancer.method=drr"
+      # https://github.com/traefik/traefik/issues/563#issuecomment-421360934
+      - "traefik.frontend.redirect.regex=^(.*)/portainer$$"
+      - "traefik.frontend.redirect.replacement=$$1/portainer/"
+      - "traefik.frontend.rule=PathPrefix:/portainer;ReplacePathRegex: ^/portainer/(.*) /$$1"
 ```

docs/user-guide/kubernetes.md

@@ -4,16 +4,20 @@ This guide explains how to use Traefik as an Ingress controller for a Kubernetes
 
 If you are not familiar with Ingresses in Kubernetes you might want to read the [Kubernetes user guide](https://kubernetes.io/docs/concepts/services-networking/ingress/)
 
-The config files used in this guide can be found in the [examples directory](https://github.com/containous/traefik/tree/master/examples/k8s)
+The config files used in this guide can be found in the [examples directory](https://github.com/traefik/traefik/tree/v1.7/examples/k8s)
 
 ## Prerequisites
 
 1. A working Kubernetes cluster. If you want to follow along with this guide, you should setup [minikube](https://kubernetes.io/docs/getting-started-guides/minikube/) on your machine, as it is the quickest way to get a local Kubernetes cluster setup for experimentation and development.
 
+2. Setup ingress as an add-on. It can be enabled by the following command:
+
+    `minikube addons enable ingress`
+
 !!! note
     The guide is likely not fully adequate for a production-ready setup.
 
-2. The `kubectl` binary should be [installed on your workstation](https://kubernetes.io/docs/getting-started-guides/minikube/#download-kubectl).
+3. The `kubectl` binary should be [installed on your workstation](https://kubernetes.io/docs/getting-started-guides/minikube/#download-kubectl).
 
 ### Role Based Access Control configuration (Kubernetes 1.6+ only)
 
@@ -53,6 +57,12 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - ingresses/status
+    verbs:
+    - update
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -68,10 +78,10 @@ subjects:
   namespace: kube-system
 ```
 
-[examples/k8s/traefik-rbac.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-rbac.yaml)
+[examples/k8s/traefik-rbac.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/traefik-rbac.yaml)
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/traefik-rbac.yaml
 ```
 
 For namespaced restrictions, one RoleBinding is required per watched namespace along with a corresponding configuration of Traefik's `kubernetes.namespaces` parameter.
@@ -98,7 +108,7 @@ metadata:
   namespace: kube-system
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: traefik-ingress-controller
   namespace: kube-system
@@ -118,7 +128,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       terminationGracePeriodSeconds: 60
       containers:
-      - image: traefik
+      - image: traefik:v1.7
         name: traefik-ingress-lb
         ports:
         - name: http
@@ -148,7 +158,7 @@ spec:
   type: NodePort
 ```
 
-[examples/k8s/traefik-deployment.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-deployment.yaml)
+[examples/k8s/traefik-deployment.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/traefik-deployment.yaml)
 
 !!! note
     The Service will expose two NodePorts which allow access to the ingress and the web interface.
@@ -164,13 +174,17 @@ metadata:
   namespace: kube-system
 ---
 kind: DaemonSet
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: traefik-ingress-controller
   namespace: kube-system
   labels:
     k8s-app: traefik-ingress-lb
 spec:
+  selector:
+    matchLabels:
+      k8s-app: traefik-ingress-lb
+      name: traefik-ingress-lb
   template:
     metadata:
       labels:
@@ -180,7 +194,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       terminationGracePeriodSeconds: 60
       containers:
-      - image: traefik
+      - image: traefik:v1.7
         name: traefik-ingress-lb
         ports:
         - name: http
@@ -188,6 +202,7 @@ spec:
           hostPort: 80
         - name: admin
           containerPort: 8080
+          hostPort: 8080
         securityContext:
           capabilities:
             drop:
@@ -216,7 +231,7 @@ spec:
       name: admin
 ```
 
-[examples/k8s/traefik-ds.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-ds.yaml)
+[examples/k8s/traefik-ds.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/traefik-ds.yaml)
 
 !!! note
     This will create a Daemonset that uses privileged ports 80/8080 on the host. This may not work on all providers, but illustrates the static (non-NodePort) hostPort binding. The `traefik-ingress-service` can still be used inside the cluster to access the DaemonSet pods.
@@ -224,11 +239,11 @@ spec:
 To deploy Traefik to your cluster start by submitting one of the YAML files to the cluster with `kubectl`:
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/traefik-deployment.yaml
 ```
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/traefik-ds.yaml
 ```
 
 There are some significant differences between using Deployments and DaemonSets:
@@ -320,7 +335,7 @@ For more information, check out [the documentation](https://github.com/kubernete
 
 ## Submitting an Ingress to the Cluster
 
-Lets start by creating a Service and an Ingress that will expose the [Traefik Web UI](https://github.com/containous/traefik#web-ui).
+Lets start by creating a Service and an Ingress that will expose the [Traefik Web UI](https://github.com/traefik/traefik#web-ui).
 
 ```yaml
 apiVersion: v1
@@ -352,13 +367,13 @@ spec:
           servicePort: web
 ```
 
-[examples/k8s/ui.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/ui.yaml)
+[examples/k8s/ui.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/ui.yaml)
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/ui.yaml
 ```
 
-Now lets setup an entry in our `/etc/hosts` file to route `traefik-ui.minikube` to our cluster.
+Now let's setup an entry in our `/etc/hosts` file to route `traefik-ui.minikube` to our cluster.
 
 In production you would want to set up real DNS entries.
 You can get the IP address of your minikube instance by running `minikube ip`:
@@ -382,6 +397,23 @@ You can add a TLS entrypoint by adding the following `args` to the container spe
  --entrypoints=Name:https Address::443 TLS
  --entrypoints=Name:http Address::80
 ```
+
+Now let's add the TLS port either to the deployment: 
+
+```
+ports:
+- name: https
+  containerPort: 443
+```
+
+or to the daemon set:
+
+```
+ports:
+- name: https
+  containerPort: 443
+  hostPort: 443
+```
     
 To setup an HTTPS-protected ingress, you can leverage the TLS feature of the ingress resource.
 
@@ -503,7 +535,7 @@ First lets start by launching the pods for the cheese websites.
 ```yaml
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: stilton
   labels:
@@ -529,7 +561,7 @@ spec:
         - containerPort: 80
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: cheddar
   labels:
@@ -555,7 +587,7 @@ spec:
         - containerPort: 80
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: wensleydale
   labels:
@@ -581,10 +613,10 @@ spec:
         - containerPort: 80
 ```
 
-[examples/k8s/cheese-deployments.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-deployments.yaml)
+[examples/k8s/cheese-deployments.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/cheese-deployments.yaml)
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-deployments.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/cheese-deployments.yaml
 ```
 
 Next we need to setup a Service for each of the cheese pods.
@@ -636,10 +668,10 @@ spec:
 !!! note
     We also set a [circuit breaker expression](/basics/#backends) for one of the backends by setting the `traefik.backend.circuitbreaker` annotation on the service.
 
-[examples/k8s/cheese-services.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-services.yaml)
+[examples/k8s/cheese-services.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/cheese-services.yaml)
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-services.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/cheese-services.yaml
 ```
 
 Now we can submit an ingress for the cheese websites.
@@ -676,13 +708,13 @@ spec:
           servicePort: http
 ```
 
-[examples/k8s/cheese-ingress.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheese-ingress.yaml)
+[examples/k8s/cheese-ingress.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/cheese-ingress.yaml)
 
 !!! note
     We list each hostname, and add a backend service.
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheese-ingress.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/cheese-ingress.yaml
 ```
 
 Now visit the [Traefik dashboard](http://traefik-ui.minikube/) and you should see a frontend for each host.
@@ -731,13 +763,13 @@ spec:
           servicePort: http
 ```
 
-[examples/k8s/cheeses-ingress.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/cheeses-ingress.yaml)
+[examples/k8s/cheeses-ingress.yaml](https://github.com/traefik/traefik/tree/v1.7/examples/k8s/cheeses-ingress.yaml)
 
 !!! note
     We are configuring Traefik to strip the prefix from the url path with the `traefik.frontend.rule.type` annotation so that we can use the containers from the previous example without modification.
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/cheeses-ingress.yaml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/cheeses-ingress.yaml
 ```
 
 ```shell

docs/user-guide/kv-config.md

@@ -24,7 +24,7 @@ The Traefik global configuration will be retrieved from a [Consul](https://consu
 
 First we have to launch Consul in a container.
 
-The [docker-compose file](https://docs.docker.com/compose/compose-file/) allows us to launch Consul and four instances of the trivial app [containous/whoami](https://github.com/containous/whoami) :
+The [docker-compose file](https://docs.docker.com/compose/compose-file/) allows us to launch Consul and four instances of the trivial app [traefik/whoami](https://github.com/traefik/whoami) :
 
 ```yaml
 consul:
@@ -42,16 +42,16 @@ consul:
     - "8302/udp"
 
 whoami1:
-  image: containous/whoami
+  image: traefik/whoami
 
 whoami2:
-  image: containous/whoami
+  image: traefik/whoami
 
 whoami3:
-  image: containous/whoami
+  image: traefik/whoami
 
 whoami4:
-  image: containous/whoami
+  image: traefik/whoami
 ```
 
 ### Upload the configuration in the Key-value store
@@ -139,7 +139,7 @@ Here is the [docker-compose file](https://docs.docker.com/compose/compose-file/)
 
 ```yaml
 traefik:
-  image: traefik
+  image: traefik:<stable v1.7 from https://hub.docker.com/_/traefik>
   command: --consul --consul.endpoint=127.0.0.1:8500
   ports:
     - "80:80"

docs/user-guide/marathon.md

@@ -129,7 +129,7 @@ As such, there is no way to handle this situation deterministically.
 
 Finally, Marathon health checks are not mandatory (the default is to use the task state as reported by Mesos), so requiring them for Traefik would raise the entry barrier for Marathon users.
 
-Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
+Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/traefik/traefik/issues/653).
 
 #### Draining
 
@@ -141,4 +141,4 @@ However, implementing this fully within Traefik seems like a non-trivial underta
 
 Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
 
-The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/containous/traefik/issues/41).
+The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/traefik/traefik/issues/41).

docs/user-guide/swarm-mode.md

@@ -85,7 +85,7 @@ docker-machine ssh manager "docker service create \
 	--publish 80:80 --publish 8080:8080 \
 	--mount	type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
 	--network traefik-net \
-	traefik \
+	traefik:<stable version from https://hub.docker.com/_/traefik> \
 	--docker \
 	--docker.swarmMode \
 	--docker.domain=traefik \
@@ -107,7 +107,7 @@ Let's explain this command:
 
 ## Deploy your apps
 
-We can now deploy our app on the cluster, here [whoami](https://github.com/containous/whoami), a simple web server in Go.
+We can now deploy our app on the cluster, here [whoami](https://github.com/traefik/whoami), a simple web server in Go.
 We start 2 services, on the `traefik-net` network.
 
 ```shell
@@ -115,14 +115,14 @@ docker-machine ssh manager "docker service create \
 	--name whoami0 \
 	--label traefik.port=80 \
 	--network traefik-net \
-	containous/whoami"
+	traefik/whoami"
 
 docker-machine ssh manager "docker service create \
 	--name whoami1 \
 	--label traefik.port=80 \
 	--network traefik-net \
 	--label traefik.backend.loadbalancer.sticky=true \
-	containous/whoami"
+	traefik/whoami"
 ```
 
 !!! note
@@ -130,7 +130,7 @@ docker-machine ssh manager "docker service create \
     We'll demonstrate that later.
 
 !!! note
-    If using `docker stack deploy`, there is [a specific way that the labels must be defined in the docker-compose file](https://github.com/containous/traefik/issues/994#issuecomment-269095109).
+    If using `docker stack deploy`, there is [a specific way that the labels must be defined in the docker-compose file](https://github.com/traefik/traefik/issues/994#issuecomment-269095109).
 
 Check that everything is scheduled and started:
 
@@ -140,8 +140,8 @@ docker-machine ssh manager "docker service ls"
 ```
 ID            NAME     MODE        REPLICAS  IMAGE                     PORTS
 moq3dq4xqv6t  traefik  replicated  1/1       traefik:latest            *:80->80/tcp,*:8080->8080/tcp
-ysil6oto1wim  whoami0  replicated  1/1       containous/whoami:latest
-z9re2mnl34k4  whoami1  replicated  1/1       containous/whoami:latest
+ysil6oto1wim  whoami0  replicated  1/1       traefik/whoami:latest
+z9re2mnl34k4  whoami1  replicated  1/1       traefik/whoami:latest
 ```
 
 
@@ -243,8 +243,8 @@ docker-machine ssh manager "docker service ls"
 ```
 ID            NAME     MODE        REPLICAS  IMAGE                     PORTS
 moq3dq4xqv6t  traefik  replicated  1/1       traefik:latest            *:80->80/tcp,*:8080->8080/tcp
-ysil6oto1wim  whoami0  replicated  5/5       containous/whoami:latest
-z9re2mnl34k4  whoami1  replicated  5/5       containous/whoami:latest
+ysil6oto1wim  whoami0  replicated  5/5       traefik/whoami:latest
+z9re2mnl34k4  whoami1  replicated  5/5       traefik/whoami:latest
 ```
 
 ## Access to your `whoami0` through Traefik multiple times.

docs/user-guide/swarm.md

@@ -81,7 +81,7 @@ docker $(docker-machine config mhs-demo0) run \
     -p 80:80 -p 8080:8080 \
     --net=my-net \
     -v /var/lib/boot2docker/:/ssl \
-    traefik \
+    traefik:<stable version from https://hub.docker.com/_/traefik> \
     -l DEBUG \
     -c /dev/null \
     --docker \
@@ -112,12 +112,12 @@ Let's explain this command:
 
 ## Deploy your apps
 
-We can now deploy our app on the cluster, here [whoami](https://github.com/containous/whoami), a simple web server in GO, on the network `my-net`:
+We can now deploy our app on the cluster, here [whoami](https://github.com/traefik/whoami), a simple web server in GO, on the network `my-net`:
 
 ```shell
 eval $(docker-machine env --swarm mhs-demo0)
-docker run -d --name=whoami0 --net=my-net --env="constraint:node==mhs-demo0" containous/whoami
-docker run -d --name=whoami1 --net=my-net --env="constraint:node==mhs-demo1" containous/whoami
+docker run -d --name=whoami0 --net=my-net --env="constraint:node==mhs-demo0" traefik/whoami
+docker run -d --name=whoami1 --net=my-net --env="constraint:node==mhs-demo1" traefik/whoami
 ```
 
 Check that everything is started:
@@ -127,8 +127,8 @@ docker ps
 ```
 ```
 CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                      NAMES
-ba2c21488299        containous/whoami   "/whoamI"                8 seconds ago       Up 9 seconds        80/tcp                                                     mhs-demo1/whoami1
-8147a7746e7a        containous/whoami   "/whoamI"                19 seconds ago      Up 20 seconds       80/tcp                                                     mhs-demo0/whoami0
+ba2c21488299        traefik/whoami   "/whoamI"                8 seconds ago       Up 9 seconds        80/tcp                                                     mhs-demo1/whoami1
+8147a7746e7a        traefik/whoami   "/whoamI"                19 seconds ago      Up 20 seconds       80/tcp                                                     mhs-demo0/whoami0
 8fbc39271b4c        traefik             "/traefik -l DEBUG -c"   36 seconds ago      Up 37 seconds       192.168.99.101:80->80/tcp, 192.168.99.101:8080->8080/tcp   mhs-demo0/serene_bhabha
 ```
 

examples/acme/docker-compose.yml

@@ -72,7 +72,7 @@ services :
   traefik:
     build:
       context: ../..
-    image: containous/traefik:latest
+    image: traefik/traefik:latest
     command: --configFile=/etc/traefik/conf/acme.toml
     restart: unless-stopped
     extra_hosts:

examples/cluster/docker-compose.yml

@@ -119,7 +119,7 @@ services:
   storeconfig:
     build:
       context: ../..
-    image: containous/traefik
+    image: traefik/traefik
     volumes:
       - "./traefik.toml:/traefik.toml:ro"
     command: storeconfig --debug
@@ -129,7 +129,7 @@ services:
   traefik01:
     build:
       context: ../..
-    image: containous/traefik
+    image: traefik/traefik
     command: ${TRAEFIK_CMD}
     extra_hosts:
       - traefik.boulder.com:172.17.0.1
@@ -152,7 +152,7 @@ services:
   traefik02:
     build:
       context: ../..
-    image: containous/traefik
+    image: traefik/traefik
     command: ${TRAEFIK_CMD}
     extra_hosts:
       - traefik.boulder.com:172.17.0.1

examples/compose-rancher.yml

@@ -1,5 +1,5 @@
 traefik:
-  image: traefik
+  image: traefik:v1.7
   command: --api --rancher --rancher.domain=rancher.localhost --rancher.endpoint=http://example.com --rancher.accesskey=XXXXXXX --rancher.secretkey=YYYYYY --logLevel=DEBUG
   ports:
     - "80:80"

examples/compose-traefik.yml

@@ -1,5 +1,5 @@
 traefik:
-  image: traefik
+  image: traefik:v1.7
   command: -c /dev/null --api --docker --docker.domain=docker.localhost --logLevel=DEBUG
   ports:
     - "80:80"

examples/k8s/cheese-deployments.yaml

@@ -1,6 +1,6 @@
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: stilton
   labels:
@@ -33,7 +33,7 @@ spec:
         - containerPort: 80
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: cheddar
   labels:
@@ -66,7 +66,7 @@ spec:
         - containerPort: 80
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: wensleydale
   labels:

examples/k8s/traefik-deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: kube-system
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: traefik-ingress-controller
   namespace: kube-system
@@ -26,7 +26,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       terminationGracePeriodSeconds: 60
       containers:
-      - image: traefik
+      - image: traefik:v1.7
         name: traefik-ingress-lb
         ports:
         - name: http

examples/k8s/traefik-ds.yaml

@@ -6,13 +6,17 @@ metadata:
   namespace: kube-system
 ---
 kind: DaemonSet
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: traefik-ingress-controller
   namespace: kube-system
   labels:
     k8s-app: traefik-ingress-lb
 spec:
+  selector:
+    matchLabels:
+      k8s-app: traefik-ingress-lb
+      name: traefik-ingress-lb
   template:
     metadata:
       labels:
@@ -22,7 +26,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       terminationGracePeriodSeconds: 60
       containers:
-      - image: traefik
+      - image: traefik:v1.7
         name: traefik-ingress-lb
         ports:
         - name: http

examples/quickstart/README.md

@@ -2,7 +2,7 @@
 
 In this quickstart, we'll use [Docker compose](https://docs.docker.com/compose) to create our demo infrastructure.
 
-To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/containous/traefik/tree/master/examples/quickstart/) directory.
+To save some time, you can clone [Traefik's repository](https://github.com/traefik/traefik) and use the quickstart files located in the [examples/quickstart](https://github.com/traefik/traefik/tree/v1.7/examples/quickstart/) directory.
 
 ### 1 — Launch Traefik — Tell It to Listen to Docker
 
@@ -13,7 +13,7 @@ version: '3'
 
 services:
   reverse-proxy:
-    image: traefik # The official Traefik docker image
+    image: traefik:v1.7 # The official Traefik docker image
     command: --api --docker # Enables the web UI and tells Traefik to listen to docker
     ports:
       - "80:80"     # The HTTP port
@@ -101,7 +101,7 @@ IP: 172.27.0.4
 
 ### 4 — Enjoy Traefik's Magic
 
-Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it might be time to dive into [the documentation](https://docs.traefik.io/) and let Traefik work for you!
-Whatever your infrastructure is, there is probably [an available Traefik backend](https://docs.traefik.io/#supported-backends) that will do the job.
+Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it might be time to dive into [the documentation](https://doc.traefik.io/traefik/v1.7/) and let Traefik work for you!
+Whatever your infrastructure is, there is probably [an available Traefik backend](https://doc.traefik.io/traefik/v1.7/#supported-backends) that will do the job.
 
-Our recommendation would be to see for yourself how simple it is to enable HTTPS with [Traefik's let's encrypt integration](https://docs.traefik.io/user-guide/examples/#lets-encrypt-support) using the dedicated [user guide](https://docs.traefik.io/user-guide/docker-and-lets-encrypt/).
+Our recommendation would be to see for yourself how simple it is to enable HTTPS with [Traefik's let's encrypt integration](https://doc.traefik.io/traefik/v1.7/user-guide/examples/#lets-encrypt-support) using the dedicated [user guide](https://doc.traefik.io/traefik/v1.7/user-guide/docker-and-lets-encrypt/).

examples/quickstart/docker-compose.yml

@@ -3,7 +3,7 @@ version: '3'
 services:
   # The reverse proxy service (Traefik)
   reverse-proxy:
-    image: traefik  # The official Traefik docker image
+    image: traefik:v1.7  # The official Traefik docker image
     command: --api --docker  # Enables the web UI and tells Traefik to listen to docker
     ports:
       - "80:80"      # The HTTP port

exp.Dockerfile

@@ -0,0 +1,50 @@
+# WEBUI
+FROM node:8.15.0 as webui
+
+ENV WEBUI_DIR /src/webui
+RUN mkdir -p $WEBUI_DIR
+
+COPY ./webui/ $WEBUI_DIR/
+
+WORKDIR $WEBUI_DIR
+
+RUN yarn install
+RUN npm run build
+
+# BUILD
+FROM golang:1.16-alpine as gobuild
+
+RUN apk --update upgrade \
+    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+
+RUN mkdir -p /usr/local/bin \
+    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
+    && chmod +x /usr/local/bin/go-bindata
+
+WORKDIR /go/src/github.com/traefik/traefik
+
+# Download go modules
+COPY go.mod .
+COPY go.sum .
+RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
+
+COPY . /go/src/github.com/traefik/traefik
+
+RUN rm -rf /go/src/github.com/traefik/traefik/static/
+COPY --from=webui /src/static/ /go/src/github.com/traefik/traefik/static/
+
+RUN ./script/make.sh generate binary
+
+## IMAGE
+FROM scratch
+
+COPY --from=gobuild /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=gobuild /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=gobuild /go/src/github.com/traefik/traefik/dist/traefik /
+
+EXPOSE 80
+VOLUME ["/tmp"]
+
+ENTRYPOINT ["/traefik"]

go.mod

@@ -0,0 +1,118 @@
+module github.com/traefik/traefik
+
+go 1.16
+
+require (
+	github.com/ArthurHlt/go-eureka-client v0.0.0-20170403140305-9d0a49cbd39a
+	github.com/ArthurHlt/gominlog v0.0.0-20170402142412-72eebf980f46 // indirect
+	github.com/Azure/azure-sdk-for-go v40.3.0+incompatible // indirect
+	github.com/BurntSushi/toml v0.3.1
+	github.com/BurntSushi/ty v0.0.0-20140213233908-6add9cd6ad42
+	github.com/Masterminds/sprig v2.19.0+incompatible
+	github.com/Microsoft/go-winio v0.4.3 // indirect
+	github.com/NYTimes/gziphandler v1.0.1
+	github.com/Shopify/sarama v1.30.0 // indirect
+	github.com/VividCortex/gohistogram v1.0.0 // indirect
+	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
+	github.com/abronan/valkeyrie v0.2.0
+	github.com/apache/thrift v0.12.0 // indirect
+	github.com/armon/go-metrics v0.3.8 // indirect
+	github.com/armon/go-proxyproto v0.0.0-20170620220930-48572f11356f
+	github.com/aws/aws-sdk-go v1.39.0
+	github.com/cenk/backoff v2.1.1+incompatible
+	github.com/codahale/hdrhistogram v0.9.0 // indirect
+	github.com/containous/flaeg v1.4.1
+	github.com/containous/mux v0.0.0-20181024131434-c33f32e26898
+	github.com/containous/staert v3.1.2+incompatible
+	github.com/containous/traefik-extra-service-fabric v1.7.1-0.20210227093100-8dcd57b609a8
+	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
+	github.com/davecgh/go-spew v1.1.1
+	github.com/docker/docker v1.4.2-0.20171023200535-7848b8beb9d3
+	github.com/docker/go-connections v0.3.0
+	github.com/docker/leadership v0.0.0-00010101000000-000000000000
+	github.com/docker/libcompose v0.4.1-0.20190808084053-143e0f3f1ab9 // indirect
+	github.com/donovanhide/eventsource v0.0.0-20170630084216-b8f31a59085e // indirect
+	github.com/eapache/channels v1.1.0
+	github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385 // indirect
+	github.com/elazarl/go-bindata-assetfs v1.0.0
+	github.com/gambol99/go-marathon v0.7.2-0.20180614232016-99a156b96fb2
+	github.com/go-acme/lego/v4 v4.5.3
+	github.com/go-check/check v0.0.0-00010101000000-000000000000
+	github.com/go-kit/kit v0.9.0
+	github.com/golang/protobuf v1.5.2
+	github.com/google/go-github v9.0.0+incompatible
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.1.2
+	github.com/gorilla/websocket v1.4.2
+	github.com/gravitational/trace v1.1.3 // indirect
+	github.com/hashicorp/consul/api v1.9.1
+	github.com/hashicorp/go-hclog v0.14.1 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
+	github.com/hashicorp/go-msgpack v1.1.5 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.2.1
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/memberlist v0.2.4 // indirect
+	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab
+	github.com/jjcollinge/servicefabric v0.0.2-0.20180125130438-8eebe170fa1b
+	github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad
+	github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807
+	github.com/libkermit/docker-check v0.0.0-20171122104347-1113af38e591
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mesos/mesos-go v0.0.3-0.20150930144802-068d5470506e
+	github.com/mesosphere/mesos-dns v0.0.0-00010101000000-000000000000
+	github.com/miekg/dns v1.1.43
+	github.com/mitchellh/copystructure v1.0.0
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/mitchellh/hashstructure v1.0.0
+	github.com/mitchellh/mapstructure v1.4.1
+	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/mvdan/xurls v1.1.1-0.20170309204242-db96455566f0
+	github.com/ogier/pflag v0.0.2-0.20160129220114-45c278ab3607
+	github.com/opencontainers/image-spec v1.0.0-rc5.0.20170515205857-f03dbe35d449 // indirect
+	github.com/opencontainers/runc v1.0.0-rc3.0.20170425215914-b6b70e534517 // indirect
+	github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 // indirect
+	github.com/opentracing/opentracing-go v1.0.2
+	github.com/openzipkin-contrib/zipkin-go-opentracing v0.3.5
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/philhofer/fwd v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/client_model v0.2.0
+	github.com/rancher/go-rancher v0.1.1-0.20171004213057-52e2f4895340
+	github.com/rancher/go-rancher-metadata v0.0.0-00010101000000-000000000000
+	github.com/ryanuber/go-glob v1.0.0
+	github.com/shopspring/decimal v1.1.1-0.20191009025716-f1972eb1d1f5
+	github.com/sirupsen/logrus v1.8.1
+	github.com/stretchr/testify v1.7.0
+	github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13
+	github.com/thoas/stats v0.0.0-20190104110215-4975baf6a358
+	github.com/tinylib/msgp v1.0.2 // indirect
+	github.com/tv42/zbase32 v0.0.0-20150911225513-03389da7e0bf // indirect
+	github.com/uber/jaeger-client-go v2.15.0+incompatible
+	github.com/uber/jaeger-lib v1.5.0
+	github.com/unrolled/render v0.0.0-20170109143244-50716a0a8537
+	github.com/unrolled/secure v1.0.5
+	github.com/urfave/negroni v0.2.1-0.20170426175938-490e6a555d47
+	github.com/vdemeester/shakers v0.1.0
+	github.com/vulcand/oxy v1.2.0
+	go.etcd.io/bbolt v1.3.5 // indirect
+	golang.org/x/net v0.0.0-20210917221730-978cfadd31cf
+	google.golang.org/grpc v1.38.0
+	gopkg.in/DataDog/dd-trace-go.v1 v1.13.0
+	gopkg.in/fsnotify.v1 v1.4.7
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.21.0
+	k8s.io/apimachinery v0.21.0
+	k8s.io/client-go v0.21.0
+	k8s.io/utils v0.0.0-20210709001253-0e1f9d693477 // indirect
+)
+
+replace (
+	github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f
+	github.com/docker/docker => github.com/docker/engine v0.0.0-20190725163905-fa8dd90ceb7b
+	github.com/docker/leadership => github.com/containous/leadership v0.1.1-0.20180123135645-a2e096d9fe0a
+	github.com/go-check/check => github.com/containous/check v0.0.0-20170915194414-ca0bf163426a
+	github.com/mesosphere/mesos-dns => github.com/containous/mesos-dns v0.5.3-rc1.0.20160623212649-b47dc4c19f21
+	github.com/rancher/go-rancher-metadata => github.com/containous/go-rancher-metadata v0.0.0-20180116133453-e937e8308985
+	gopkg.in/fsnotify.v1 => github.com/fsnotify/fsnotify v1.4.2
+)